The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment and health care operations.
Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance.
An unofficial copy of the Final Rule can be downloaded here. The official version will be published in the Federal Register on February 16, 2024. There would be no further substantive changes.
Subscribe HERE to Legal HIE’s backend compliance library to gain access to tools, checklists, whitepapers, sample policies and a lot more to help your organization stay on top of the newest compliance challenges in 2023!
Yesterday, SAMHSA and OCR released the looooooooong awaited Final Rule modifying 42 CFR Part 2. A quick and dirty list of the key aspects of the Final Rule changes appears further below. For those who are subscribed to our Legal HIE Compliance Library, updated turn-key documents (e.g., tools, checklists, policies, documentation, training PowerPoint) reflecting the Part 2 Final Rule changes are planned for “go live” by the end of next week!
Those who have been watching Part 2 closely know that these rules have been amended multiple times over the last few years in a painstaking effort to try and bring Part 2 information into the electronic health information exchange fold in a manageable way. You can read my prior blog post summarizing the history of the multiple amendments to the Part 2 Rules since 2017. The Final Rule brings much anticipated “finality” to how Part 2 data can be used in disclosed, particularly in the electronic HIE context.
Here are the key aspects of the new rule:
Patient Consent
- Organizations will now be able to use one single consent for all future uses and disclosures for treatment, payment, and health care operations. HALLELUJAH!
- HIPAA covered entities and business associates that receive records pursuant to a Part 2 compliant consent may then redisclose the records and this information in accordance with the HIPAA regulations. THIS. IS. HUGE!
- Patient consent obtained for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings cannot be combined with patient consent for any other use or disclosure.
- A separate patient consent for the use and disclosure of SUD counseling notes (these are like psychotherapy notes) will be required. (Queue panicked question flooding my inbox: “Are SUD counseling notes like clinical notes, progress notes ???” — answer, generally “no.”)
- Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent. Closer look on how to operationalize this will be necessary.
Other Uses and Disclosures
- Part 2 records may be disclosed without patient consent to public health authorities; however, the records disclosed must be de-identified according to the standards established in the HIPAA Privacy Rule. NOTE, this is stricter than HIPAA’s standards which do NOT require deidentification to share PHI with a public health authority. With a lot of public health/SDOH initiatives burgeoning, this needs to be considered carefully.
- Use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients continues to be prohibited without the patient’s consent or a court order.
Penalties: The Final Rule does away with the prior enforcement structure of criminal penalties (which, btw, was NEVER used). Replacing that is a new civil and criminal enforcement analogous to HIPAA. This means that FOR THE FIRST TIME EVER, organizations can be assessed monetary penalties for violating the use and disclosure of Part 2 records. GAME CHANGER x 10.
Breach Notification: The Final Rule will now apply the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2. This is also a huge change because before if Part 2 information was disclosed in violation of Part 2, this was not considered a Breach under the HIPAA Breach Notification Rule (UNLESS it was ALSO considered an unauthorized use and disclosure of PHI under HIPAA – which could happen, but this used to be a big loophole when it didn’t).
Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
Safe Harbor:
- Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
- Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
Segregation of Part 2 Data: Segregating or segmenting Part 2 records is not required. However, NOTE: while segregation and segmentation may not be required, in certain cases (depending on the particular use case for sharing information and for what purpose(s)) practically speaking, segmentation and segmenting may still need to be implemented.
Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. This will then drive enforcement! We will likely begin seeing HIPAA-like settlement agreements for violations of Part 2 now. Again, GAME CHANGER.
SUD Counseling Notes: Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes. (See my comment above, these are not clinical notes and progress notes).
Fundraising: Create a new right for patients to opt out of receiving fundraising communications. Technically, this was already required under HIPAA if the Part 2 provider was part of a covered entity organization with an affiliated foundation.
For those looking for an excellent turn-key resource to get their 42 CFR Part 2 policies and documents up to speed with this Final Rule, below is a current inventory of Part 2 materials subscribers can find in our library. Updates to all of these Part 2 documents to align with the Final Rule are expected to be released by the end of next week. Subscribe now to get access!
Checklists & Tools
1A: Checklist for HIPAA/Part 2 Compliance
1B: HIPAA Gap Self-Assessment
1C: Security Risk Analysis: Administrative Safeguards (OCR/ONC SRA Tool links)
1D: Security Risk Analysis: Technical Safeguards (OCR/ONC SRA Tool links)
1E: Security Risk Analysis: Physical Safeguards(OCR/ONC SRA Tool links)
1F: 42 CFR Part 2 Combined Amendments
1G: Crosswalk HIPAA-42 CFR Part 2 Notice of Privacy Practices
1H: Crosswalk HIPAA 42 CFR Part 2 Permitted Use of Information
1I: Crosswalk HIPAA 42 CFR Part 2 Business Associate & QSO Agreement
1J: Checklist for Reviewing 3rd Party BAA/QSOA
1J: Checklist for Reviewing 3rd Party HIPAA Authorization/Part 2 Consent
1K: HIPAA BAA/QSOA Tracking Tool
1L: Accounting of Disclosures (AOD) Log
1M: Compliant/Report of Non-Compliance (with Log)
1N: HIPAA Breach Assessment (with “Low Probability” scoring tool)
1O: HIPAA De-Identification and Limited Data Set (LDS) Standards Checklist
1P: Destruction of ePHI Checklist
1Q: HIPAA Security Reminders (samples)
1R: HIPAA + Part 2 Workforce Training (PowerPoint)
Sample Forms
2A: HIPAA Authorization+Part 2 Consent to Disclose PHI/Part 2 Records
2B: HIPAA Business Associate Agreement (with Part 2 QSOA language)
2C: Subcontractor Sub-BAA (w/Part 2 QSOA language)
2D: QSOA for Population Health/HIPAA Data Use Agreement (Limited Data Set)
2E: Notice of Privacy Practices
2F: Privacy Officer Job Description
2G: Security Officer Job Description
2H: Resolution of Board of Trustees
2I: Workforce Acknowledgment and Agreement of HIPAA+Part 2 Obligations
2J: Confidentiality Agreement for 3rd Party to not Re-Disclose PHI
2K: Certification by Entity to Destroy PHI
Policies & Procedures
General – Governance & Oversight
Policy#G01: Privacy & Security Compliance Program
Policy#G02: Privacy Officer
Policy#G03: Security Officer
Policy#G04: HIPAA+Part 2 Training (Workforce)
Policy#G05: Complaints and Reporting Non-Compliance
Policy#G06: Sanctions for Non-Compliance
Privacy – Individual Rights
Policy#PP-01: Right to Access
Policy#PP-02: Right to Request Amendment
Policy#PP-03: Right to an Accountings of Disclosures
Policy#PP-04: Right to Request Restrictions and Confidential Communications
Policy#PP-05: Right to Notice of Privacy Practices
Policy#PP-06: Personal Representatives
Privacy – Uses & Disclosures of SUD Information
Policy#PP-07: Business Associates (BA) and Qualified Service Organizaitons (QSOs)
Policy#PP-08: Treatment, Payment, Health Care Operations
Policy#PP-09: Family Members, Friends and Others Involved in the Individual’s Care
Policy#PP-10: Emergency Situations
Policy#PP-11: Victims of Abuse, Neglect or Violence
Policy#PP-12: Public Health
Policy#PP-13: Research
Policy#PP-14: De-Identified Information
Policy#PP-15: Prohibition on “Sale” of PHI
Policy#PP-16: Marketing
Policy#PP-17: Healthcare Oversight Activities
Policy#PP-18: Required by Law
Policy#PP-19: Judicial and Administrative Requests
Policy#PP-20: Law Enforcement Requests
Policy#PP-21: Minimum Necessary
Policy#PP-22: Reasonable Safeguards
Policy#PP-23: Deceased Individuals
Security – Administrative
Policy#SAP-01: Security Management Process
Policy#SAP-02: Security Risk Analysis
Policy#SAP-03: Information System Activity Review
Policy#SAP-04: Workforce Security
Policy#SAP-05: Information Access Management
Policy#SAP-06: Scope of Access by Workforce
Policy#SAP-07: Authentication & Verification
Policy#SAP-08: Security Incidents
Policy#SAP-09: Data Breach Response & Notification
Policy#SAP-10: Contingency Plan
Policy#SAP-11: Security Awareness & Training
Security – Technical
Policy#STP-01: Access Controls
Policy#STP-02: Audit Controls
Policy#STP-03: Data Integrity
Policy#STP-04: Person/Entiyt Authentication
Policy#STP-05: Transmission & Encryption (incl. email)
Security – Physical
Policy#SPP-01: Facility Access Controls
Policy#SPP-02: Workstation Use and Security
Policy#SPP-03: Device and Media Control
Policy#SPP-04: Backup and Recovery
Policy#SPP-05: Disposal of Information & Records
