A newly proposed HHS regulation on the confidentiality of substance use disorder (SUD) patient records would bring requirements further in line with HIPAA—but that is somewhat of a double-edged sword, say attorneys.
Published last month and open for comments until Jan. 31, the proposed rule may make consent less burdensome for Part 2 providers; however, it would also subject them to the breach notification obligations of HIPAA and its civil and criminal penalties if it is finalized as proposed.
Part 2 applies to organizations that hold themselves out as providing drug and alcohol diagnosis and treatment and receive federal assistance—potentially including providers participating in Medicare or Medicaid. Part 2 provisions also apply to recipients of the records, such as health plans, from Part 2 providers.
“Part 2 has been this rule for decades that is very difficult to comply with, but the counterbalance is it wasn’t actively enforced through criminal penalties,” said attorney Adam Hepworth with Foley & Lardner in Los Angeles. “Now by aligning more closely with HIPAA, it might be easier to comply with, but probably will have more enforcement.”
If the proposed rule seems familiar, it should: HHS finalized significant changes to Part 2 in 2020. This time around, however, HHS is interpreting revisions imposed by the CARES Act. “There’s a lot of tweaking to reconcile the definitions and terms between HIPAA and Part 2,” said attorney Adam Greene with Davis Wright Tremaine in Washington, D.C. “The huge change is now we will have HHS enforcing in the same manner as HIPAA.”
Questions Surround Notification Provisions
Prior to the CARES Act, responsibility for enforcement rested with U.S. attorneys, but there has never been a criminal enforcement action for a Part 2 violation, Hepworth said. HHS has experience investigating breaches, imposing penalties and requiring corrective action, which suggests Part 2 providers will face enforcement actions down the road for violations, he said.
Regarding breach notification, Greene said the proposed rule incorporates the definition of a breach from the HIPAA Breach Notification rule, which defines a breach as a violation of the Privacy Rule.
“It’s a little unclear how breach notification will play out here,” he said. Will a Part 2 breach only be reportable if the Part 2 information is disclosed in violation of the HIPAA Privacy Rule? “There are plenty of circumstances where uses and disclosures are prohibited by Part 2 but permitted by the privacy rule,” Greene noted. “Is it a breach of the Privacy Rule or Part 2 rule that triggers the breach notification rule?”
As noted, the proposed rule builds on earlier efforts to harmonize Part 2 and HIPAA. In the 2020 rule, HHS added care coordination and case management to a list of 17 activities—including billing and fraud, and waste and abuse activities—that are now considered as payment and health care operations.
Along with other provisions, this means a patient can consent to share SUD information with a Part 2 entity—and that entity can further disclose the information to its contractors for payment and health care operations.
Consent Allows Information to Be Treated Like PHI
The proposed rule goes further to mesh with HIPAA, although “it’s not a total alignment,” Hepworth noted. “Part 2 is still a privacy law with its own requirements and still in some cases imposes stricter standards. The burden reduction is largely in the consent process.”
Greene explained that the proposed rule allows for a one-time consent for treatment, payment and operations (TPO) under Part 2.
When Part 2 patients sign the broader consent for the use and disclosure of their SUD information, a receiving Part 2 program, covered entity or business associate is permitted to treat it like protected health information (PHI) under HIPAA, he said. For example, the information can be shared with health plans as part of TPO “and treated like any other PHI, and they wouldn’t have to segment their systems,” Greene said.
But compliance may still be an uphill battle. Patients could say no to the broader consent in favor of a limited consent that only allows Part 2 providers to disclose SUD information to a specific health plan, for example, he said. That information may need to be segmented from other PHI in the recipient’s information systems.
“There are really big challenges here with respect to the insurance company,” Greene noted. “Do they have to find out the basis for the consent so they know whether they can treat it like PHI? We will still see some operational challenges as long as the consent is voluntary. Electronic medical records often don’t allow for the data segmentation that Part 2 requires.”
There are other implications. While HIPAA covered entities generally can’t refuse to treat patients who won’t sign HIPAA authorizations, it’s not quite the same under Part 2, Greene said. “Consent can be a condition of treatment. It begs the question of whether providers will require TPO consents as a condition of treatment.”
Greene is particularly excited about HHS’s proposed changes to some of the consent terms, which make them “similar or identical to HIPAA.” One of them is the addition of the phrase “class of persons” to describe the recipient of a consent form.
“To accommodate TPO written consents, the recipient may be a class of persons, rather than only an identified person,” the proposed rule states. “In addition, for a single consent for all future uses and disclosures for TPO, the recipient may be described as ‘my treating providers, health plans, third-party payers, and people helping to operate this program’ or a similar statement.”
The reason this matters so much is that it makes consents “a lot more reasonable and consistent with pretty much every other consent regime out there,” Greene said.
The Part 2 rule has gone “through this rollercoaster: you used to have to identify a specific entity,” such as ABC Health Plan in the consent form, and then HHS required the identification of a specific person at the entity in certain circumstances, and then the rule went back to just naming the entity, he said. Now the consent form is permitted to name only a class of persons, such as health plans.
Part 2 Notice Would Resemble NPP
The proposed rule also makes some changes to the Part 2 confidentiality notice, which is analogous to HIPAA’s notice of privacy practices (NPP). “In the past, they were completely distinct. There were no references to HIPAA in the Part 2 privacy notices and no references to Part 2 in the NPP,” Greene said.
That left most Part 2 programs—which will be HIPAA covered entities—to decide whether to give patients a combination notice or separate notices. It’s a fact-specific determination because, for example, 95% of a health system may not be subject to Part 2 except for its small chemical dependency treatment unit. Maybe the health system has a separate Part 2 notice for patients on the unit or maybe it incorporates the Part 2 notice into the NPP; therefore, all patients receive a notice that includes language to the effect of “to the extent you received services from the chemical dependency unit, X, Y and Z also apply,” he said.
But now the Part 2 notice will resemble the NPP, although Greene said that as a practical matter this isn’t a big deal. “There’s not a huge sea change here. What they have done is revised the notice requirements in the Part 2 rule to look a lot more like the structure in the HIPAA NPP.” For example, the proposed rule requires a new header—Notice of Privacy Practices (Part 2 Program)—and the notice must contain an explanation of the uses and disclosures of the patient information.
HHS explained that “while the CARES Act only expressly requires the modification of the NPP requirements at [, the Department proposes to also modify the Part 2 Patient Notice at [ ] ] to align more closely with the NPP requirements. The proposal to modify § 2.22 would ensure that patients of Part 2 programs that are not covered by HIPAA are afforded as much notice and transparency as is provided to individuals in the NPP.”
But it’s complicated by the fact that OCR proposed its own rule last year that revises the NPP. HHS must ensure its Part 2 proposals match any final rule when published.
“At the end of the day, Part 2 programs will have a choice to maintain separate notices or one that is combined,” Greene said. “You still have the choice.”