Part II: Changes to 42 CFR Part 2 – Alignment with HIPAA

As discussed in Part I of this series, Congress amended the federal law protecting the confidentiality of substance use disorder (SUD) records as part of the 2020 CARES Act and directed the Department of Health and Human Services (HHS) to revise the related regulations at 42 CFR Part 2.  Congress’s goal was to align the SUD record protections with HIPAA and create more flexibility around sharing records for treatment purposes.

HHS issued its final changes to 42 CFR Part 2 on February 16, 2024 (Part 2 Final Rule).  This article will focus on how those changes align 42 CFR Part 2 more closely with the Health Insurance Portability and Accountability Act (HIPAA).  Part I of this series provided background information and explained the single consent for treatment, payment or healthcare operations.  Finally, Part III will delve into enforcement and what to expect once HHS begins civil enforcement.

Alignment with HIPAA

While the CARES Act language directed HHS to adopt certain rights, nine definitions, the notice of privacy practices structure, breach notification and enforcement from HIPAA, HHS maximized that alignment by weaving HIPAA elements deep into the fabric of 42 CFR Part 2.  This not only streamlines compliance for providers subject to both sets of rules, but it also streamlines enforcement as HHS will enforce both (more on that in Part III).

Patient Rights

Right to Request a Privacy Restriction

The Part 2 Final Rule adopts HIPAA’s right to request restrictions, including: (1) a patient’s right to request restrictions on disclosures of records otherwise permitted for treatment, payment or healthcare operations purposes (“TPO”), and (2) a patient’s right to obtain restrictions on disclosures to health plans for services paid in full by the patient.  Notably, in the “Sense of Congress” section of the CARES Act, Congress urged providers to “make every reasonable effort to the extent feasible to comply with a patient’s request for a restriction regarding such use or disclosure” even when such a restriction is not required.

Right to Request an Accounting

There is a new right to an accounting of disclosures in the Part 2 Final Rule.  HHS looked to the 2009 HITECH Act to flesh out that right.  Specifically, the Part 2 Final Rule adds a right to an accounting of disclosures made with consent and for disclosures made for TPO through an electronic health record for up to three years prior to request.  This does not mirror the current HIPAA regulations on requests for an accounting.  In 2011 HHS proposed regulations to implement the HITECH Act accounting requirement, but HHS never finalized those regulations.

HHS’s implementation of the HITECH Act requirement in the Part 2 Final Rule signals that this will soon be the rule under the HIPAA regulations as well.  In fact, HHS is tolling the compliance date on this one section pending the finalization of the related HIPAA rules.  Here is HHS’s explanation:

“We are tolling the effective and compliance dates [of the accounting right] for part 2 programs until the effective and compliance dates of a final rule on the HIPAA/HITECH accounting of disclosures standard (section 13405(c) of the HITECH Act) to ensure part 2 programs do not incur new compliance obligations before covered entities and business associates under the HIPAA Privacy Rule are obligated to comply. We are also mindful that the alignment of the part 2 and HIPAA compliance dates for the accounting of disclosures is most important for part 2 programs that are also covered entities. We also note [that] part 2 programs are not required to include the statement of a patient’s right to an accounting of disclosures in the Patient Notice under § 2.22 until the future compliance date of the accounting of disclosures.”

There is no clear indication of when HHS will finalize the accounting changes under HIPAA, but I suspect it will be part of the impending final rule related to the 2021 proposed changes to the HIPAA Privacy Rule.

Expanded Protections

At Congress’s direction, HHS expanded the protections against the use of SUD information in criminal proceedings without patient consent or a specific court order so that they apply in civil or administrative contexts as well.  Those protections apply not only to the records but also to any testimony that would relay information in the record.  While this is not identical to any HIPAA requirement, it provides a more comprehensive approach to protecting SUD records, which aligns more generally with HIPAA’s protection of health information.

Patient Notice: The Notice of Privacy Practices-look-alike

The CARES Act requires HHS to revise its Notice of Privacy Practices (“NPP”) regulation under HIPAA to require more easily understandable language and to set forth patient rights under 42 CFR Part 2 when a covered entity is also a Part 2 Provider.  Those proposed changes were not finalized in this rule but will be finalized with a future HIPAA final rule (again, likely part of the impending final rule tied to the 2021 proposed HIPAA changes).

The Part 2 Final Rule makes notable changes to its required patient confidentiality notice to align its requirements more closely with the HIPAA NPP.  It provides the required language for the header and elements of the notice.  The required patient notice now shares many similar elements with the NPP, although they are not identical due to some of the substantive differences between 42 CFR Part 2 and HIPAA.  Providers that are both Part 2 programs and HIPAA covered entities will be able to satisfy both rules with one notice, but that notice must meet the requirements of both rules.

Many Other Changes to Align with HIPAA

Below are other finalized changes that incorporate or adopt HIPAA language or concepts.

  • There was no breach notification requirement under 42 CFR Part 2. HHS finalized the application of HIPAA’s Breach Notification Rule to Part 2 Providers in the same manner it applies to covered entities under HIPAA.  In a webinar after the final rule, OCR indicated that it would set up a breach reporting portal similar to the HIPAA breach reporting portal.
  • HHS finalized the addition of more than a dozen new definitions and modified a handful of others to align defined terms with HIPAA.
  • HHS created a parallel to psychotherapy notes for SUD counseling notes, which requires more explicit consent for use or disclosure.
  • HHS applied HIPAA’s de-identification standard to the security of records and research provisions as well as to the new provision on disclosures to public health authorities.
  • HHS added HIPAA’s civil enforcement scheme to 42 CFR Part 2.
  • HHS finalized a revised complaint submission process that adopts the process under HIPAA, which likely will serve as the primary trigger for HHS investigations and is a good segue into Part III in this series.

Part III of this series will focus on HHS’s civil enforcement of 42 CFR Part 2 and what to expect, especially since there has been virtually no enforcement of 42 CFR Part 2 to date.  Stay tuned!