Part III: Changes to 42 CFR Part 2 –Enforcement Like Never Before

Buckle up.  The 42 CFR Part 2 enforcement ride is about to begin.  In the 2020 CARES Act, Congress directed that the civil and criminal penalties under the Health Insurance Portability and Accountability Act (HIPAA) apply to the federal regulations protecting substance use disorder (SUD) records.

The Department of Health and Human Services (HHS) issued a final rule on February 16, 2024 that changed 42 CFR Part 2 to implement Congress’s directive (Part 2 Final Rule).  However, as I explain below, HHS went a step further and made other changes that Congress did not direct, indicating that HHS is gearing up for enforcement.

In this third installment of our three-part series on the recent changes to 42 CFR Part 2, we examine the changes related to enforcement and what to expect from HHS as it picks up the civil enforcement reins.  Parts I and II of this series addressed the history of 42 CFR Part 2, the single consent for treatment, payment and healthcare operations and a discussion of how the changes to 42 CFR Part 2 align it more closely with HIPAA.

Shift From Criminal to Civil and Criminal Enforcement

Historically, only criminal penalties were available for violations of 42 CFR Part 2 and the Department of Justice was responsible for enforcement.  There has been virtually no enforcement of 42 CFR Part 2 in its nearly 50-year history.  That’s about to change.

As noted above, through the CARES Act, Congress added HIPAA’s civil and criminal enforcement statutes to the federal SUD records confidentiality law.  This leaves HHS in charge of civil enforcement.

Expect Vigorous Civil Enforcement of 42 CFR Part 2

All indications are that HHS intends to enforce 42 CFR Part 2 as vigorously as it enforces HIPAA.  First, the Part 2 Final Rule applies the HIPAA Enforcement Rule to noncompliance with 42 CFR Part 2.  This is key for HHS enforcement, as HHS is familiar with and has been enforcing under these rules for decades.

Second, the extensive efforts to align 42 CFR Part 2 more closely with HIPAA in the Part 2 Final Rule, as described in Part II of this series, will streamline enforcement efforts.  Again, HHS already knows and understands the HIPAA rules.

Third, HHS built in protections for agencies with authority to investigate Part 2 programs to shield them from civil or criminal liability if they obtain SUD records as part of an investigation when the agency did not believe, in good faith, that the entity was a Part 2 program.  More on this below.

Finally and importantly, HHS made clear in the final rule that entities subject to both 42 CFR Part 2 and HIPAA can be held separately accountable under each set of regulations for the same or similar violation.

The Complaint Process

As noted in Part II of this series, the complaint process for 42 CFR Part 2 is virtually identical to the process under HIPAA.  A Part 2 Program must have a process for receiving complaints regarding compliance with 42 CFR Part 2.  Also, patients have a right to file a complaint with HHS “in the same manner as a person may file a complaint” for an alleged violation of HIPAA.  Finally, the patient privacy notice must now include a statement about a patient’s right to file a complaint with the Part 2 Program or with HHS.

As with HIPAA enforcement, patient-initiated complaints are one of the primary triggers for investigations and then enforcement actions.

The Safe Harbor for Investigators

HHS adopts a safe harbor from penalties for investigative agencies that unknowingly obtain Part 2 records without a court order so long as the agency exercised “reasonable diligence” before requesting records.  The message here is that enforcement of any type against a Part 2 program (e.g., fraud, waste and abuse, etc.) is challenging due and investigative agencies want protection.

The Part 2 Final Rule defines an “investigative agency” as a governmental agency having jurisdiction over the activities of a part 2 program or other holder of SUD records under 42 CFR Part 2.  This “safe harbor” was not a change directed by Congress in the CARES Act, but HHS believes that the changes are consistent with the purpose and intent of the amendments in the CARES Act.

Despite the many comments and concerns about the limitation on liability, HHS finalized the rule largely as proposed with one exception.  It revised the definition of “reasonable diligence.”  “Reasonable diligence” under the proposed rule involved merely checking the prescription drug monitoring program (PDMP) in the state where the provider is located, if available, or checking the website or physical location of the provider.

Recognizing the lack of diligence required in the proposed definition, in the Part 2 Final Rule, “reasonable diligence” involves all the following when it is reasonable to believe that the provider offers SUD diagnostic, treatment or referral services:

  1. searching for the practice or provider among the SUD treatment facilities in SAMHSA’s online treatment locator;
  2. searching in a similar state database of treatment facilities where available;
  3. checking a practice or program’s website, where available, or physical location;
  4. viewing the entity’s Patient Notice or HIPAA NPP if it is available; and
  5. taking all these steps within no more than 60 days before seeking information.

HHS also made clear that investigative agencies would be required to follow 42 CFR Part 2 requirements for obtaining, using, and disclosing SUD records as part of an investigation.  This includes seeking a court order, filing protective orders, maintaining security for records, and ensuring that records obtained in program investigations are not used in legal actions against patients who are the subjects of the records.

When Will Enforcement Start?

The effective date of the final rule is 60 days after the February 16, 2024 publication date (April 16, 2024), and the compliance date is twenty-two months later (February 16, 2026).  This means that HHS takes enforcement control on April 16, 2024, but compliance with the Part 2 Final Rule is not required for about two years.

It is unclear whether HHS will begin enforcing the current 42 CFR Part 2 requirements.  I think it is reasonable to expect that HHS, through its enforcement arm, the Office for Civil Rights (OCR), may send technical assistance letters to Part 2 programs about basic compliance.  Regardless of when HHS/OCR begin enforcement activities, it is prudent to assess compliance now and begin efforts to comply with new requirements.