McDermottPlus is pleased to bring you Regs & Eggs, a weekly Regulatory Affairs blog by Jeffrey Davis. Click here to subscribe to future blog posts.
February 15, 2024 – Last week, the Substance Abuse and Mental Health Services Administration (SAMHSA) within the US Department of Health and Human Services (HHS) issued a long-awaited final reg that aims to better align 42 CFR Part 2. This esoteric, but extremely important, reg governs the confidentiality of patient records for the treatment of substance use disorder (SUD), with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SAMHSA also released a fact sheet on the reg.
To help provide background on Part 2 and this final rule, I’m bringing in my colleague Katie Waldo.
Part 2 in general covers SUD treatment and rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and clinicians who “provide substance use disorder diagnosis, treatment, or referral for treatment.” Over the years, a major policy debate has centered on whether 42 CFR Part 2 should be modified to align more closely with the HIPAA rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Under 42 CFR Part 2 requirements, sharing medical records of patients seeking treatment for SUD requires patient consent except under limited circumstances, including bona fide medical emergencies. Conversely, under HIPAA, healthcare “providers” and other “covered entities” can use protected health information about a patient for treatment, payment or healthcare operations without the patient’s consent. Many stakeholders have expressed the belief that these inconsistent rules between Part 2 and HIPAA create barriers to information sharing by patients and clinicians.
In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which includes a provision that aligns certain Part 2 requirements more closely to HIPAA. Specifically, section 3221 of the law modifies Part 2 by permitting uses and disclosures for treatment, payment or healthcare operations and establishing certain patient rights with respect to patients’ Part 2 records. Section 3221 also restricts the use and disclosure of Part 2 records in legal proceedings and sets civil and criminal penalties for violations. Finally, section 3221 requires HHS to modify the Notice of Privacy Practices requirements so that HIPAA covered entities and Part 2 programs provide notice to individuals regarding privacy practices related to Part 2 records, including patients’ rights and the uses and disclosures that are allowed or required without authorization.
As is the case for many complicated policies, even after Congress passed the law, it took a long time for HHS to determine how to implement it. HHS issued a proposed regulation in 2022 to carry out this provision, and now, more than a year later, has finalized the reg.
Major policies in the final reg include:
HHS plans to provide a two-year compliance buffer to give entities subject to the final reg enough time to establish and implement all the final policies and practices. The compliance date is February 16, 2026.
McDermott+Consulting and McDermott Will & Emery are still reviewing this final reg and will produce a more comprehensive summary in the coming weeks.
Until next week, this is Jeffrey (and Katie) saying, enjoy reading regs with your eggs!
For more information, please contact Jeffrey Davis. To access the full archive of Regs & Eggs, visit the American College of Emergency Physicians.
To subscribe to Regs & Eggs, please CLICK HERE.
