HHS, SAMHSA Recommend Update to Enhance HIPAA Privacy Rule and 42 CFR Part 2 Alignment

A Notice of Proposed Rulemaking (NPRM) has been released by the Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA). It outlines modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to enhance coordination of care and better match Part 2 with the HIPAA Privacy Rules, as Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) demands.

Part 2 safeguards patient privacy and data associated with treatment for SUD. The HIPAA Privacy Rule involved the privacy of protected health information (PHI); nevertheless, SUD information is dealt with in a different way from other kinds of PHI. The HIPAA Privacy Regulation allows disclosures of PHI with no permission for treatment, transactions, or medical care procedures, nevertheless, Part 2 imposes increased limitations on SUD records disclosures. Usually, SUD records may only be revealed by a SUD treatment service provider after getting consent from the patient. Additionally, even if there’s an appropriate consent form, SUD treatment companies should have a written declaration that the data cannot be reshared. This is due to the fact that SUD records are specifically sensitive because of the impact of substance abuse and possibly discrimination, which could possibly bring about loss of insurance coverage and work.

Needing to take care of PHI and SUD records in a different way is troublesome since it creates limitations to data sharing that is beneficial to patients. Moreover, the two compliance responsibilities create compliance issues for covered entities. Different requirements of privacy regulations could delay treatment, hinder care, and spread bad stereotypes about people confronting substance use challenges. Therefore, a better application of Part 2 with the HIPAA Privacy Regulation is necessary. It is crucial, nevertheless, to protect patient privacy, since any decrease in the security for SUD records can discourage people struggling with SUD from getting treatment that may have deadly outcomes.

The presented rule hits a balance between the requirement for solid privacy protections and possessing the versatility to let data sharing enhance care coordination. One of SAMHSA’s goals is to try to make efficient treatments and help the SUD to be more available to all people in America. Taking Part 2 requirements into better positioning with HIPAA will enable more efficient coordination for individuals getting care. Simultaneously, the suggested rule mitigates the elegance and judgment that is often experienced by people with SUDs.

The major adjustments in the NPRM consist of:

  • Allowed use and disclosure of Part 2 records will depend on one patient’s authorization. When that permission is granted, it covers all potential uses and disclosures for healthcare operations, treatment, and payment.
  • Redisclosure of Part 2 records will be allowed – with a number of exceptions – if the HIPAA Privacy Rule allows the redisclosure.
  • Patients are presented with new rights covered by Part 2 to get an accounting of disclosures and to ask for limitations on selected disclosures, as likewise provided by the HIPAA Privacy Regulation.
  • Restrictions on the use and disclosure of Part 2 records in criminal, civil, legislative, and administrative proceedings were broadened.
  • The HHS got new enforcement power and can issue civil money penalties for Part 2 violations, consistent with HIPAA and the HITECH Act
  • Part 2 plans should create a process to receive complaints regarding violations of Part 2. Those programs are forbidden from taking negative action on complaints, and should not necessitate patients to waive the right to submit a complaint prior to getting treatment, registration, payment, or being eligible for services.
  • Requirements to send breach notifications to the HHS and impacted patients for Part 2 records will be consistent with the HIPAA Breach Notification Rule.
  • The requirements of the HIPAA Privacy Rule Notice of Privacy Practices were updated to deal with uses and disclosures of Part 2 records and personal rights with regard to those records.

The HHS and SAMHSA are pushing healthcare sector stakeholders as well as the public to send feedback on the recommended modifications. To be considered, they should be filed within 60 days of publication of the NPRM in the Federal Register. The estimated publication date is December 2, 2022. A fact sheet about the recommended revisions has been posted on the HHS website.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone