Are We Getting Closer to Alignment of 42 CFR Part 2 & HIPAA?

by | Nov 29, 2022 | 42 CFR Part 2, HIPAA, Legislation & Rulemaking, Privacy & Consent

  • Part 2 Rule gets 4th overhaul in five years.
  • CARES Act required SAMHSA to revise rule one more time to support care coordination.
  • Rule proposes a one-time consent, and alignment with HIPAA on downstream disclosures.
  • Tighter restrictions on use of Part 2 info for civil/criminal proceedings and NEW enforcement levers allowing, for the first time, civil monetary penalties to be assessed for violations of Part 2

Yesterday, November 28, 2022, the Substance Abuse and Mental Health Agency (SAMHSA) finally fulfilled its duty under the CARES Act and released a Proposed Rule, “Confidentiality of Substance Use Disorder (SUD) Patient Records” (published in the Federal Register on December 2, 2022), amending the Part 2 rules in line with the CARES Act’s requirements.

After four years and three new rules (in 2017, 2018, and then again in 2020!) amending the Part 2 regulations in an attempt to better support care coordination and beneficial health information exchange, SAMHSA finally hit a wall. It was unable to do more because it was limited by the restrictions found in the language of the statutory authority passed over 45 years ago. However, in March of 2020, Congress came to the rescue when it passed the CARES Act, which amended the underlying enabling federal statute, 42 U.S.C. 290dd-2, for the first time since 1975 and attempted, among other things, to better align Part 2 and HIPAA’s standards.

The new Proposed Rule for the most part tracks the CARES Act in its proposed changes. Here is a bullet summary of the changes reflected in the Proposed Rule:

  • Permitted use and disclosure of Part 2 records can be based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations. [no more need to worry about downstream consent! — especially in the HIE context]

  • Permitted re-disclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions. [huge alignment]

  • New patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule. [this was technically already something that was required by HIPAA, even for Part 2 providers, but now it will also be reflected in the Part 2 rules]

  • Expanded prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings. [this is an understandable balance: since this sensitive information will be more freely shared under less restrictive standards, that is now countered with greater restrictions on how it can be used against the individual/patient]

  • New HHS enforcement authority, including the imposition of civil money penalties for violations of Part 2. [huge new stick because historically, enforcement of Part 2 had no teeth]

  • Updated breach notification requirements to HHS and affected patients. [although HIPAA required notification of a Breach, many may not realize that HIPAA’s Breach Notification Rule did not cover unauthorized disclosures in violation of Part 2 (i.e., notifications of a Breach are only required under the HIPAA Breach Notification Rule if a disclosure was in violation of the HIPAA Privacy Rule, not Part 2); so now Part 2 will have its own Breach Notification obligation]

  • Updated HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records. [after we see a Final Rule, HIPAA NPPs will need to be updated accordingly]

The deadline to submit public comments to the Proposed Rule is January 31, 2023.
