On November 28, 2022, the Department of Health and Human Services (HHS) issued proposed changes to regulations implementing amendments Congress made in 2020 to the confidentiality of substance use disorder (SUD) records law. These long-awaited (and overdue) proposals paint an important picture of things to come, especially with respect to enforcement.
Below are three key take-aways from the proposed regulatory changes and related commentary from HHS:
- HHS seeks to align 42 CFR Part 2, the relevant federal regulations, with the Health Insurance Portability and Accountability Act (HIPAA) regulations to the maximum extent possible. HHS proposes to adopt many HIPAA concepts, definitions, and rules, which will streamline compliance and assist HHS with enforcement.
- HHS plans to undertake vigorous enforcement of 42 CFR Part 2, which has seen virtually no enforcement. Its creation of a safe harbor for investigative agencies and the alignment with HIPAA will help HHS jump-start enforcement efforts.
- Coordination of care concerns tied to the opioid epidemic drove Congress’ action in 2020. It passed an amendment that allows providers subject to the law to obtain a single written consent from a patient to share SUD records for treatment, payment or healthcare operations. There are unanswered questions, however, about whether providers can begin relying on the critical single consent concept or whether they must wait until HHS issues the final regulations, which are likely at least another year away.
The official Federal Register version of HHS’ notice of proposed rulemaking (NPRM) will be available today here. Interested individuals have 60 days to submit comments to HHS regarding the proposed changes.
Nearly half a century ago, Congress passed a law to encourage people to seek treatment for substance use disorder (SUD) without fear that treatment records would be used for criminal prosecution. In 1975, the implementing regulations at 42 CFR Part 2 followed. These regulations impose strict rules on the disclosure of SUD treatment information by any federally assisted SUD providers (Part 2 Providers). Far more stringent than HIPAA, 42 CFR Part 2 essentially requires specific and written patient consent for almost all disclosures.
The strict rules under 42 CFR Part 2 have often been at odds with HIPAA and have made treatment and information sharing challenging for providers, especially as the healthcare system has moved toward a coordination of care model. Recent amendments provide some limited flexibilities, but only for limited payment and healthcare operations, not treatment.
The COVID-19 pandemic highlighted the need for improved sharing of SUD treatment information to combat the raging opioid epidemic and to facilitate coordination of care. Congress responded with §3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted on March 27, 2020.
Through the CARES Act, Congress made changes to 42 CFR Part 2’s enabling legislation. The changes:
- Permit uses and disclosures by and among covered entities, business associates and Part 2 Providers for treatment, payment and healthcare operations, as those terms are defined under HIPAA, with a single, initial written consent from the patient. This single consent permits future uses and disclosures unless the patient revokes consent.
- Permit disclosures to a public health authority, as defined under HIPAA, without consent so long as the data shared is de-identified in accordance with HIPAA’s standards.
- Expand the protections against the use of SUD information in criminal proceedings without patient consent or a specific court order so that they cover civil and administrative contexts as well. Those protections apply not only to the records but also to any testimony that would relay information in the record.
- Adopt criminal and civil enforcement provisions under HIPAA’s Enforcement Rule and abandon solely criminal enforcement by the Department of Justice.
- Adopt the HITECH Act’s breach notification provisions and nine of HIPAA’s definitions.
- Direct HHS to update HIPAA’s Notice of Privacy Practices provision to require that covered entities and Part 2 Providers provide an easily understandable notice of privacy practices.
- Add a nondiscrimination provision, which HHS will address in future rulemaking.
Proposed Changes to Regulations
Because the CARES Act outlined the major areas of change to be fleshed out in regulations, most of the proposed regulations were not surprising. HHS’s commentary and emphasis on certain changes, however, highlight some notable themes and signs of what is to come.
I. Substantial, But not Complete, Alignment with HIPAA
While the CARES Act language directs HHS to adopt certain rights, nine definitions, notice of privacy practices concepts and enforcement from HIPAA, HHS seeks to maximize that alignment by weaving HIPAA elements into the fabric of 42 CFR Part 2 in other areas as well.
A. Single Consent for TPO With Notable HIPAA Similarities and Differences
Congress recognized the obstacle that 42 CFR Part 2 created to facilitating coordination of care for people suffering from a SUD. As a result, it changed the federal statute to allow a single, initial written patient consent for treatment, payment or healthcare operations (TPO), as defined under HIPAA, to be used for future uses or disclosures unless the patient revokes the consent. This is a game-changer.
While not as permissive as HIPAA, which allows the use and disclosure of patient information for TPO without written consent, the single consent requirement will not only improve coordination of care but will also streamline operations.
Proposed Changes That Are Notably Different than HIPAA
First, for implementing single TPO consents, HHS proposes that an acceptable recipient could be described in the consent as “my treating providers, health plans, third-party payers, and people helping to operate this program” or in a similar manner. Further, HHS proposes to require a single TPO consent to state that the patient’s information may be redisclosed in accordance with HIPAA “except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.”
Additionally, single TPO consents would have to include statements about: (1) the potential for a recipient to redisclose the records, which may then have no protection under the regulation and (2) the consequences of refusing to sign the consent. Notably, HHS pointed out that, unlike a HIPAA authorization, a 42 CFR Part 2 consent to share for TPO could be a condition of receiving care.
Proposed Changes that Adopt HIPAA Concepts
For all other elements of the consent under 42 CFR Part 2, HHS seeks to integrate the following core elements from HIPAA’s authorization regulation: the name of the entity/individual permitted to make the disclosure, description of information, purpose, and expiration.
Some form of these elements already existed under 42 CFR Part 2. The proposed changes evidence HHS’ effort to streamline requirements and slightly relax the rigidity in some of those existing elements. These changes would create operational efficiencies for Part 2 providers that are also covered under HIPAA as well as assist HHS with enforcement efforts.
B. Expanded Rights and Notice that Mirror Those in HIPAA
At Congress’s direction, HHS seeks to impose HIPAA’s right to request restrictions and the right to an accounting of uses and disclosures of information pursuant to patient consent. The proposed rights to request restrictions and an accounting mirror the current HIPAA regulation.
Notably, HIPAA requires that covered entities only honor a very limited type of requested restriction. In the “Sense of Congress” section of the CARES Act, Congress urges providers to “make every reasonable effort to the extent feasible to comply with a patient’s request for a restriction regarding such use or disclosure.”
C. Notice of Privacy Practices
The CARES Act requires HHS to revise its Notice of Privacy Practices (NPP) regulation under HIPAA to require more easily understandable language and to set forth patient rights under 42 CFR Part 2 when a covered entity is also a Part 2 Provider. These proposed changes include the changes HHS already proposed to HIPAA in January 2021 and include some 42 CFR Part 2 specific changes. Further, for Part 2 Providers not subject to HIPAA, HHS seeks to align the patient notice requirement under 42 CFR Part 2 more closely with the NPP requirements.
D. Many Other Proposed Changes to Align with HIPAA
While the goal of alignment with HIPAA was evident in the CARES Act and in the above areas, the concept permeates the entire NPRM. Below are other proposed changes that incorporate or adopt HIPAA language or concepts.
- There is no breach notification requirement under the current 42 CFR Part 2 rule. HHS proposes that HIPAA’s Breach Notification Rule apply to Part 2 Providers in the same manner it applies to covered entities under HIPAA.
- HHS proposes to add 13 new definitions and modify 10 others, and the majority of those additions and modifications are to align defined terms with HIPAA.
- HHS seeks to add HIPAA’s de-identification standard to the security of records and research provisions as well as in the new provision on disclosures to public health authorities.
- HHS proposes a revised complaint submission process that mirrors the process in HIPAA, which likely will serve as the primary trigger for HHS investigations.
The biggest take-away for me from these proposed changes is the clear signal from HHS that it intends to enforce 42 CFR Part 2 as vigorously as it enforces HIPAA. Congress directed that the HIPAA civil and criminal penalties apply, which leaves HHS in charge of civil enforcement.
As anticipated, HHS proposes to change the rules to reflect the adoption of the HIPAA Enforcement Rule. It does not stop there, however. HHS seeks to establish a new definition for “Investigative Agency,” which is a government agency investigating Part 2 Providers or others holding Part 2 records for 42 CFR Part 2 compliance purposes.
HHS proposes a safe harbor from penalties for investigative agencies that unknowingly obtain Part 2 records without a court order so long as the agency exercised reasonable diligence before requesting records. It offers examples of reasonable diligence such as checking a provider’s website/physical location or searching in the prescription drug monitoring database when permitted by law.
Throughout the NPRM, investigative agencies are mentioned over 40 times and HHS said that “the need for investigation and prosecution of bad actors has increased in accordance with the intensity and duration of the opioid overdose epidemic.” Through substantial alignment with HIPAA and some level of immunity for its investigators, it appears that HHS is gearing up to enforce 42 CFR Part 2, which has seen virtually no enforcement since its inception.
III. When Does the Single Consent for TPO Take Effect?
Congress directed HHS to revise regulations necessary to implement the changes detailed in the CARES Act within 12 months. Twenty months after that due date (2 years and 8 months after the CARES Act became law), HHS issued the proposed rule. Urgency prompted the addition of the SUD treatment information language to the CARES Act, yet the regulatory process is moving at a snail’s pace.
I was expecting this to be addressed in HHS’ commentary in the NPRM. It was not. This leaves Part 2 Providers wondering when they can begin relying on the critically important single consent concept. After the CARES Act became law, many opined that Part 2 Providers must wait for HHS to issue rules before relying on the changes in the federal law. That may have been true in the first 12 months.
It is now 20 months beyond the due date for regulations. Most importantly, the language in the CARES Act provides support for taking advantage of the consent and other provisions without further delay. The CARES Act directed HHS to:
“make such revisions to regulations as may be necessary for implementing and enforcing the amendments made by this section, such that such amendments shall apply with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of this Act.” (Emphasis added).
I read this as making the language related to consent effective one year after the Act became law.
Certainly, Congress provided enough detail in the statutory language to direct implementation of the single TPO consent. Further, with direction from HHS in the proposed changes, Part 2 Providers could follow those proposals and begin implementing the critically important single TPO consent concept. Of course, there is a risk that HHS would disagree, but I think the public policy reasons that triggered these changes temper that risk. Compliance with the proposed regulations would temper any risk even further. Otherwise, it will be well over three years from the CARES Act’s enactment before this important weapon in the fight against the opioid epidemic is available.
In a nutshell, in addition to the important single TPO consent change, HHS’ proposed changes to 42 CFR Part 2 signal much more harmony with HIPAA and a new era of stepped-up enforcement. As for when Part 2 Providers can incorporate the single TPO consent into practice, there is an untested argument that supports moving forward with that change before HHS issues the final rule.