HHS Proposes New Privacy Rules for Substance Abuse Patient Records
Laboratories may have to revise their own medical records disclosure policies to ensure compliance.
Heads up to labs that provide drug testing or other substance abuse services. The federal government has just issued new rules to beef up privacy protections for substance abuse patients. Result: You may have to revise your own medical records disclosure policies to ensure compliance. Here’s a set of FAQs to provide an overview of the new requirements and how to comply with them.
Q1. Which Privacy Laws Are Changing?
Answer: The newly proposed requirements relate to a set of privacy regulations designed to protect the confidentiality of Substance Use Disorder (SUD) patient records. While parallel to the HIPAA Privacy Rule, these requirements, which are contained in 42 CFR Part 2 (which we’ll refer to as “Part 2”), impose different requirements for disclosure of SUD treatment records.
Q2. What’s the Difference between Part 2 and HIPAA?
Answer: While both laws impose restrictions on the collection, use, and disclosure of protected health information (PHI), HIPAA applies to a broad range of PHI, not just SUD information. Part 2 covers just SUD and is stricter than HIPAA to the extent that its privacy protections attach to SUD records even after they’re disclosed.
Q3. Does Part 2 Affect My Lab?
Answer: In a nutshell, yes, if you provide SUD diagnosis or treatment services to patients in Medicare and other federal health programs. It may also extend to your staff, payors, and business associates. To be precise, Part 2 applies to four kinds of covered entities:
- Federally assisted programs that hold themselves out as providing and which do provide alcohol or drug abuse diagnosis, treatment, or referral (see the shaded box below);
- Third-party payors who receive information from Part 2 programs;
- Entities having direct administrative control of such programs or payors; or
- “Lawful holders,” i.e., persons who receive information and notice from Part 2 programs.
Definition of “Program”
Under 42 CFR Part 2, the definition of “program” includes:
- An individual or entity that holds itself out as providing SUD diagnosis, treatment, or referral
- An identified unit in a general medical facility that holds itself out as providing SUD diagnosis, treatment, or referral
- Medical personnel in a general medical facility whose primary function is providing SUD diagnosis, treatment, or referral and who are identified as such providers
Q4. Why Is Part 2 Changing?
Answer: In addition to being confusing, the current differences between Part 2 and the HIPAA Privacy Rule discourage sharing of SUD information among regulated entities and patients. So, when Congress adopted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), the massive COVID-19 relief bill at the start of the public health emergency (PHE), it added a provision (Section 3221) requiring the U.S. Department of Health & Human Services (HHS) to bring Part 2 into closer alignment with the HIPAA Privacy Rule. The proposed rule published by the HHS Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA) on November 28, 2022, is the response to that CARES Act mandate.1
“HHS understands how critical it is for patients to better align the Part 2 rules and program with HIPAA,” noted OCR director Melanie Fontes Rainer, in a statement released when the rule was published. “This proposed rule helps decrease burdens on patients and providers, improves coordination, and increases access to care and treatment, while protecting confidentiality of treatment records.”2
Q5. What Are the Changes?
Answer: The proposed rule contains five key changes that will affect how your lab collects, uses, and discloses SUD information:
1. Single Patient Consent for All TPO Uses
Perhaps the most significant change is the relaxation of privacy restrictions to allow Part 2 programs to use a single patient consent permitting all current uses and disclosures of SUD information for treatment, payment, and healthcare operations (TPO) purposes.
Practical Impact: Once the proposed rule takes effect, Part 2 programs, covered entities, and business associates that receive Part 2 records under a written consent for TPO purposes will be able to redisclose the records in any way the HIPAA Privacy Rule allows, with exceptions for certain proceedings against the patient. Thus, SUD consent forms will look a lot more like HIPAA consents.
2. Patient Right to Limit Disclosure to Health Plans
The single TPO consent form won’t necessarily be a blank check. Patients can ask Part 2 programs to restrict their use and disclosure of SUD information for TPO purposes, for example, by asking that the information be disclosed only to their own treating providers or payors.
Practical Impact: Your obligation is simply to allow patients to request restrictions. You’re not required to accept those restrictions. Exception: You must grant a patient’s request to restrict disclosure of records to a health plan for payment or healthcare operations purposes if the record pertains solely to a healthcare item or service for which the patient (or someone on the patient’s behalf), other than the health plan, has paid the Part 2 program in full.
3. Notice of Privacy Practice Required for SUD Patients
While HIPAA requires covered entities to provide each patient a full Notice of Privacy Practices (NPP) describing the PHI they collect, how and for what purposes they use it, and to whom they disclose it, Part 2 requires entities to furnish a “summary.” The proposed rule aligns Part 2 with HIPAA by requiring a so-called “Patient Notice” for SUD listing the same information that an NPP must contain, along with notification of the lab’s complaint process and the patient’s right to revoke consent to disclosure of SUD information.
Practical Impact: While the Patient Notice will be much more detailed and comprehensive than the summary, you should be able to create it without much problem by making a few fairly minor adjustments to the current NPP you use to satisfy HIPAA requirements. On the flip side, the proposed rule also tweaks the HIPAA NPP requirements. Specifically, entities that aren’t Part 2 programs but still receive and maintain SUD records covered by Part 2 must add language to their NPP that describes the restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual.
4. Part 2 Privacy Violations Subject to HIPAA Breach Notification Rules
The proposed rule would extend the current HIPAA Breach Notification Rule to breaches involving SUD information.3
Practical Impact: Labs covered by Part 2 will have to implement policies and procedures to notify HHS and affected patients of SUD data breaches. The good news is that you probably already have such policies and protocols in place as part of your HIPAA compliance program. (See “10 Things to Include in Your HIPAA Breach Notification Policy,” LCA, January 30, 2017.)4
5. New Penalties for Part 2 Violations
The proposed rule gives HHS authority to impose civil penalties to enforce Part 2, the way it currently does for HIPAA violations. As before, the Department of Justice (DOJ) will also be able to bring criminal actions against Part 2 violators.
Practical Impact: While the risk of criminal penalties is no idle threat, as the proposed rule itself notes, there’s never been a DOJ criminal action to enforce Part 2. So, adding the potential for civil penalties from the OCR should significantly increase the risks for noncompliance.
Q6. When Will the Changes Take Effect?
Answer: The proposed rule could go into effect as early as 2023. The proposed rule was published in the Federal Register on Dec. 2. HHS will take public comments on the rule for 60 days, or through February 1, 2023, unless the comment period is extended. The agency will then have to consider the feedback and publish a final rule for another 60 days of public comment.