Health Privacy, HIPAA

Part I: Changes to 42 CFR Part 2 – The Single Consent for Treatment, Payment and Healthcare Operations

Posted on by Dena M. Castricone, CIPP/US, CIPM

In the 2020 Coronavirus Aid, Relief, and Economic Security Act (CARES Act), Congress amended the federal law protecting the confidentiality of substance use disorder (SUD) records to facilitate the coordination of care in an effort to combat the opioid epidemic.  It also directed the Department of Health and Human Services (HHS) to revise the related regulations at 42 CFR Part 2.  Last week, HHS issued a lengthy final rule finalizing changes to those regulations (Part 2 Final Rule).

This is the first part of a three-part series on the Part 2 Final Rule.  Part I will cover background information and the single consent for treatment, payment or healthcare operations, which is one of the most significant changes.  Part II will explore the final rule’s alignment with the Health Insurance Portability and Accountability Act (HIPAA), including patient rights and privacy and breach notice requirements.  Finally, Part III will delve into enforcement and what to expect once HHS begins civil enforcement.

The CARES Act Changes

The relevant changes Congress made in the CARES Act:

  • Permit uses and disclosures by and among covered entities, business associates and Part 2 Providers for treatment, payment or healthcare operations (TPO), as those terms are defined under HIPAA, with a single, initial written consent from the patient. This single consent permits future uses and disclosures unless the patient revokes consent.
  • Permit disclosures to a public health authority, as defined under HIPAA, without consent so long as the data is de-identified in accordance with HIPAA’s standards.
  • Expand protections of the use of SUD information in criminal proceedings without patient consent or a specific court order to civil or administrative contexts and includes records as well as testimony that would relay information in the record.
  • Adopt criminal and civil enforcement provisions under HIPAA’s Enforcement Rule.
  • Adopt the HITECH Act’s breach notification provisions and nine of HIPAA’s definitions.
  • Direct HHS to update HIPAA’s Notice of Privacy Practices provision to require that covered entities and Part 2 Providers provide an easily understandable notice of privacy practices.

History of 42 CFR Part 2

Nearly half a century ago, Congress passed a law to encourage people to seek treatment for SUD without fear that treatment records would be used for criminal prosecution.  The implementing regulations at 42 CFR Part 2 followed in 1975.  These regulations imposed strict rules on the disclosure of SUD records by any federally assisted SUD providers (Part 2 Providers).  More stringent than HIPAA, 42 CFR Part 2 requires specific and written patient consent for most all disclosures – including for treatment purposes.

The strict rules under 42 CFR Part 2 have often been at odds with HIPAA and have been a barrier to treatment.  But that is changing with the Part 2 Final Rule.

The Single Consent for All Future TPO Uses

This is a game-changer.  While not as permissive as HIPAA, which allows the use and disclosure of patient information for TPO without written consent, the single consent requirement will improve coordination of care and streamline operations, especially for Part 2 Providers that are also HIPAA covered entities.

A.  Format of Single Consent for TPO

So, how does it work?  The consent must contain the elements outlined below:

  1. Provide the name of the patient.
  2. Detail the person or entity authorized to make the requested use or disclosure.
  3. Describe the information to be used or disclosed in a specific and meaningful fashion.
  4. Describe the recipient as “my treating providers, health plans, third-party payers, and people helping to operate this program” or something similar.
  5. Note the purpose of the consent is “for treatment, payment and healthcare operations.”
  6. When the recipient is a covered entity or business associate under HIPAA, include a statement that the patient’s information may be redisclosed in accordance with HIPAA “except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.”
  7. When the recipient is an “intermediary,” which does not include a Part 2 program, covered entity or business associate, additional information must be included (see 42 CFR 2.11 and 2.31(a)(4)(ii)). “Intermediary” is narrowly defined, so it may not be relevant in most cases.
  8. Explain the patient’s right to revoke the consent in writing except to the extent that the program or lawful holder has already acted in reliance on the consent. Also, explain how the patient can revoke the consent (e.g., where to send the written revocation etc.).
  9. Include an expiration date or event, which can be “none” or “the end of the treatment.”
  10. Obtain the signature of the patient or legal representative and the date signed.
  11. Include a statement regarding the potential for a recipient to redisclose the records, which may then have no protection under the regulation; and
  12. Describe the consequences of refusing to sign the consent (unlike a HIPAA authorization, a 42 CFR Part 2 consent to share for TPO can be a condition of receiving care).

B.  Important Considerations Regarding Redisclosure

The single consent for TPO will provide significant flexibility not only for the initial sharing of SUD records for TPO purposes but also for redisclosure of those records.  Once disclosed under a single consent for TPO, if the recipient is a covered entity or business associate the Part 2 Final Rule permits the redisclosure of the SUD records in accordance with the HIPAA Privacy Rule.  In other words, those SUD records can be treated like all other protected health information under HIPAA.  If the recipient is a Part 2 program, it can redisclose to the extent permitted by the consent.

C.  Timing

While the compliance deadline for this final rule is not for two years (February 16, 2024), many providers will want to implement this single consent for TPO as soon as possible.  These changes become effective on April 16, 2024.  At any point after the effective date, providers can begin to rely on the single consent for TPO.

Stay tuned for Parts II and III in this series!