For anyone who has tried to navigate the outdated and cumbersome regulations governing the use and disclosure of substance use disorder (SUD) treatment records, a major overhaul to these regulations may provide a clearer path to improve care coordination, eliminate barriers to access, and reduce the stigma that has historically accompanied SUD diagnosis and treatment. In a Final Rule published on February 16, 2024, the U.S. Department of Health and Human Services (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the HHS Office for Civil Rights (OCR), implemented comprehensive revisions to the existing Confidentiality of Substance Use Disorder Patient Records regulations contained in 42 C.F.R. Part 2 (Part 2). The Part 2 Final Rule implements provisions of the 2020 Coronavirus Aid, Relief, and Economic Security Act (CARES Act) and includes modifications proposed in the November 2022 Proposed Rulemaking. As required by changes to the underlying SUD confidentiality statute that the CARES Act made, the Final Rule aligns a variety of key aspects of Part 2 with corresponding HIPAA regulations, and attempts to reduce the administrative burden on both patients and providers by easing certain restrictions on the use and disclosure of protected SUD information. However, continuing differences between Part 2 protections and HIPAA requirements mean that regulated entities must continue to analyze compliance separately under each distinct regulatory framework. They will need separate, specialized strategies to ensure their use and disclosure of SUD treatment records comply with the updated Part 2 requirements.
Summary of key changes
From a compliance perspective, perhaps the most essential aspect of the amended Part 2 regulations is what the Final Rule did not change. Most notably, Part 2 programs must obtain written patient consent before sharing SUD treatment records protected under Part 2 for most purposes, including treatment, payment, and healthcare operations (TPO). This stands in contrast to HIPAA’s treatment of protected health information (PHI) that is not a Part 2 record, which can be shared for TPO purposes without needing patient authorization or consent. Note that most records that meet the Part 2 definition for patient identifying information (PII), as incorporated into the definition of Part 2 “record,” will also meet the HIPAA definition for PHI. However, because the definitions for Part 2 records and PHI are not identical, regulated entities should separately analyze whether a given record qualifies as a Part 2 record and/or PHI pursuant to these separate definitions. The requirement to obtain patient consent to share Part 2 records remains embedded in federal statute at 42 U.S.C. § 290dd-2. These statutory protections for SUD treatment information date back to a series of laws that were passed in the 1970s, starting with the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, which were intended to encourage people with alcohol and drug addictions to participate in treatment without fear that their treatment records would be used against them in criminal or civil proceedings. According to amendments to 42 U.S.C. § 290dd-2 under the CARES Act, HHS has taken several necessary steps to better align the Part 2 regulations with many corresponding regulatory requirements under HIPAA. However, the foundational consent requirement and related statutory protections for Part 2 information mean that SUD treatment records will continue to need to be treated differently from other PHI for as long as the underlying statutes continue to differ.
Despite these fundamental differences in how HIPAA and 42 C.F.R. Part 2 protect patient records, the latest Final Rule implements several changes to the Part 2 regulations that significantly enhance the alignment with HIPAA. This comprehensive revision of the Part 2 regulations also includes a wide variety of minor and technical edits. Some of the most significant changes to the Part 2 requirements include:
Updated terms and definitions
The Final Rule introduces or amends several key terms and definitions that expressly mirror corresponding terms under the HIPAA regulations, including “business associate” (BA), “covered entity,” “use,” “breach,” “treatment,” “payment,” and “health care operations.”
Many of these definitional changes have critical substantive implications. For example, the Final Rule amends the definition of a “qualified service organization” (QSO)—a service provider that contracts with a Part 2 provider and can receive Part 2 records without patient consent—to include BAs as defined under HIPAA. Two caveats apply: first, a BA can only be a QSO for a Part 2 provider that is also a covered entity under HIPAA, and second, the definition only applies to sharing Part 2 records that are also PHI. Examples of BAs include administrative service organizations and third-party administrators that process service claims on behalf of a health plan; pharmacy benefits managers and related delegated benefits management organizations; vendors to a provider that offer services including legal, accounting, and utilization management; and healthcare clearinghouses that translate claims from nonstandard formats into standard transactions on behalf of a healthcare provider and forward the processed transactions to a payer. According to the updated definition for a QSO under Part 2, any entity that qualifies as a BA under HIPAA can now also receive Part 2 records under a QSO agreement without needing specific patient consent. However, it is vital to consider several limits on the use and disclosure of Part 2 records shared with a QSO. First, the QSO’s ability to use and disclose Part 2 information is limited to the terms of the QSO Agreement. Second, the QSO can only redisclose Part 2 information to its contract agents to provide the services described in the QSO Agreement. Third, a contract agent of the QSO cannot further redisclose Part 2 information. This final restriction may be quite limiting in the context of complex business arrangements.
The Final Rule also excludes BAs and covered entities from the Part 2 definition of “intermediary.” Because Part 2 includes a variety of specific requirements for intermediaries, this definitional change significantly reduces the scope of application of these nuances. In particular, for example, a health information exchange that is also a BA and a QSO for a Part 2 provider would not be subject to the intermediary requirements.
Another significant change is that Part 2 now defines the terms of TPO (“treatment,” “payment,” and “healthcare operations”) to have the same meaning as they do under HIPAA. This is significant because under the amended Part 2 rules, where patients consent to the sharing of their Part 2 records for TPO purposes, most of the limits on use and redisclosure of those records under Part 2 now mirror the HIPAA protections for PHI that have been shared for TPO purposes.
Requirement to share the patient consent form along with the Part 2 records
Perhaps the most consequential requirement added by the Final Rule that was not proposed in the Notice of Proposed Rulemaking (NPRM) is a new obligation for a copy of the patient’s written consent to accompany each disclosure of a Part 2 record. HHS determined that this was necessary to ensure that recipients are aware of any limitation on use or redisclosure that the patient may have included in completing the consent form. The Final Rule does not address the fact that the consent form itself would constitute Part 2 information or the fact that, as a practical matter, significant updates will be needed to current electronic health records platforms and regulations governing standard transactions of such records to enable these consent forms to be attached to Part 2 records.
Patient consent to share counseling notes
Another new requirement under the Final Rule that the NPRM did not propose requires separate consent for using or disclosing SUD counseling notes. This requirement parallels the limits on sharing psychotherapy notes under HIPAA. Consent to share counseling notes cannot be combined with consent to share other Part 2 records for any other purpose.
Patient consent to share for TPO
For sharing Part 2 records with entities that are not QSOs and, therefore, require consent, the Final Rule permits sharing Part 2 records with a single patient consent for “all TPO purposes.” Where the patient grants blanket consent to share Part 2 records for TPO purposes, a recipient that is a BA or covered entity can use and redisclose the Part 2 records to the same extent as permitted by HIPAA (except where otherwise prohibited by Part 2, Subpart E, with regard to civil and criminal proceedings). Use and disclosure by other recipients would be governed by the consent form (again, except where otherwise prohibited by Part 2, Subpart E). This aligns Part 2 more closely with information-sharing practices under HIPAA and is intended to facilitate and enhance integrating a patient’s SUD treatment with their physical and mental health treatment.
New language added by the Final Rule also expressly states that covered entities and BAs are not required to segregate records or segment Part 2 data received from a Part 2 program based on a TPO consent. Nonetheless, it does remain necessary for recipients to continue to be able to identify records as Part 2 information due to the ongoing need to comply with the prohibition on the use and disclosure of the records in investigations or proceedings against the patient, to ensure that the consent form is redisclosed along with any redisclosure of the Part 2 record, and to be able to operationalize any revocation of such consent.
Accounting of disclosures
The Final Rule creates a new right for Part 2 patients to obtain an accounting of all disclosures made with consent for up to three years. Where a patient has provided blanket consent to share records for TPO purposes, the accounting must only identify disclosures made through an electronic health record in alignment with regulatory requirements under HIPAA that have been proposed but not finalized. The Final Rule signals that the compliance date for this Part 2 requirement will be tolled until the HIPAA Accounting of Disclosures provision is finalized.
Breach Notification obligations
The Final Rule incorporates HIPAA’s Breach Notification requirements for breaches of Part 2 records. This section also aligns data de-identification requirements with HIPAA.
Restrictions on use and disclosure for legal proceedings
To better protect patients from the unauthorized use of Part 2 records against them in civil, criminal, administrative, and legislative proceedings, the Final Rule significantly expands the restrictions on the use and disclosure of Part 2 records in such proceedings without patient consent. The Final Rule also creates a new limitation on liability for government agencies that investigate and prosecute Part 2 programs and unknowingly receive records subject to Part 2.
Changes to enforcement
Although SUD treatment records have been subject to special protections since the 1970s, to date, only criminal penalties have been available for violations, and these criminal penalties have never been enforced. In this context, it is especially noteworthy that the Final Rule implements new authority to impose civil monetary penalties (CMPs) for violations of Part 2 and aligns all criminal and civil penalties under Part 2 with HIPAA. Whereas the preexisting criminal penalties can only be enforced by the U.S. Department of Justice, HHS regulators can impose CMPs, and it seems likely that operational divisions of OCR that currently enforce HIPAA will be newly tasked with enforcing Part 2 as well. Moreover, in alignment with HIPAA enforcement, HHS will not limit Part 2 oversight to formal findings of violations but will also pursue informal resolutions for potential noncompliance, which may entail corrective action plans and/or settlements. The Final Rule also creates a new right for patients to file a complaint directly with HHS for alleged violations of Part 2.
Some ambiguity may exist about the timeline for enforcement. The Final Rule includes a two-year compliance period, meaning that HHS will not enforce the revised requirements until February 16, 2026. This allows an extended period for regulated entities to make the operational and systems changes necessary for compliance. Further, HHS has specifically acknowledged that this compliance date may be extended if the expected changes to the HIPAA rules alter any of the obligations of a Part 2 program under the Final Rule. However, many of the core requirements of Part 2 predate the Final Rule, and it is possible that HHS may initiate investigations regarding these preexisting requirements before the end of the compliance period. Regulated entities may find it useful to review federal budgets, appropriations, and related guidance to better understand the evolving use of HHS resources for Part 2 and HIPAA enforcement.
Next steps for Part 2 programs
As a practical matter, operationalizing certain of these obligations may require evolving industry-wide best practices and technologies. Combined with uncertainty about the timeline for enforcement and the need for complementary rulemaking under HIPAA, Part 2 programs face significant strategic and operational challenges for navigating compliance with the Final Rule.
That being said, Part 2 programs should consider taking the following steps toward Part 2 Final Rule compliance:
- Review and update policies and procedures for using and disclosing Part 2 records, including requiring a copy of the patient consent form to accompany any such disclosures.
- Collaborate with vendors and partners to ensure that technology solutions for attaching the Part 2 consent form to all disclosures of Part 2 records will be operational before the end of the compliance period.
- Implement a policy regarding the right to request restrictions on use and disclosure for treatment, payment, and healthcare operations, including a policy requiring a Part 2 program to honor a request to restrict disclosures of SUD records to health plans for services paid in full by the patient. Note, however, that a Part 2 program is not generally required to agree to a requested restriction. In addition, a requested restriction would not be effective to prevent uses or disclosures required by law or permitted for purposes other than TPO. However, a Part 2 program is required to agree to restrict the disclosure of a patient record to a health plan, even for payment or healthcare operations if the record pertains solely to an item or service for which the patient has paid in full.
- Update the policy on the permitted redisclosures of Part 2 records to allow, with a single consent for all future TPO purposes, disclosures of SUD records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA-covered entities, and BAs until the patient revokes the consent.
- Update the policy specifying the prohibitions on using and disclosing Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the patient’s consent.
- Update patient consent forms to address the following:
  - Single consent for all future uses and disclosures for TPO.
  - Separate consent for SUD counseling records.
  - Separate consent for disclosure of records in legal proceedings.
  - Separate consent for all other non-TPO disclosures.
- Update and align QSO and HIPAA BA agreements as necessary.
- Update and streamline the Notice of Privacy Practices to align with both the new Part 2 requirements and HIPAA.
- Implement a breach notification policy to align with the HIPAA Breach Notification requirements.
- Adopt the HIPAA de-identification standards contained in 45 C.F.R. § 164.514(b) to de-identify SUD records prior to certain disclosures (i.e., disclosures to a health authority).
- Implement an accounting of disclosures policy to meet the new Part 2 accounting of disclosures requirement contained in Section 2.25.
- Update HIPAA and Part 2 training of Part 2 personnel. This training should also include data security awareness training to allow the Part 2 program to ensure compliance with the HIPAA Security Rule standards.
- Collaborate with IT personnel and vendors to develop a strategy for segmenting, flagging, or otherwise enabling identification of Part 2 records and restrictions on their use for nonpermitted purposes.
Conclusion
The next two years, leading up to the February 16, 2026, compliance date, are sure to be a little bumpy. First, operationalizing some of these changes will require changes in data collection and storage policies to address when and where Part 2 data must still be segmented and where the new TPO exception would allow this to be relaxed. Second, the burden on Part 2 programs may actually increase—at least in the short term—by requiring changes to Part 2 consents, notices, and other policies that may need to be further altered after the release of the expected HIPAA rule revisions. Third, Part 2 programs must prioritize their compliance programs, training, and documentation to prepare for increased enforcement efforts and the risk of penalties for any wrongful use and disclosure of SUD records.
Ultimately, however, the Final Rule’s changes to Part 2 will almost certainly streamline privacy compliance for Part 2 programs (most of which are also HIPAA-covered entities) as well as ease many of the administrative burdens these programs face day-to-day in trying to comply with both HIPAA and Part 2’s varying requirements. In addition, these changes should also improve the coordination of care for SUD patients as well as increase their access to care and treatment.
Takeaways
- New rules for substance use disorder (SUD) treatment information sharing under 42 C.F.R. Part 2 make significant steps toward alignment of Part 2 with HIPAA.
- However, fundamental differences in the statutes will continue to require special protections and data management strategies for Part 2 records.
- One key, unexpected requirement in the Final Rule requires the Part 2 consent form itself to be included with most disclosures of Part 2 information.
- Although many core requirements of Part 2 remain essentially unchanged, new authorities and enforcement mechanisms significantly transform the risks of noncompliance.
- The Final Rule provides a two-year compliance period, during which additional rulemaking under HIPAA will be needed to clarify best practices for compliance.