The NPRM was triggered by amendments to the statute that authorizes the Part 2 rules contained in the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was enacted on March 27, 2020. Congressional support for revisions to the Part 2 rules was due, in part, to concerns that the rules impeded providers’ efforts to provide coordinated and integrated care to patients with substance use disorders, including those affected by the opioid epidemic.
The Part 2 rules have a long history. Federal rules governing SUD treatment records were first introduced in the 1970s, years before HIPAA was enacted or electronic medical records were widely available. Because most SUD providers are regulated by both HIPAA and Part 2, as well as similar state laws, compliance with the relevant rules can be challenging and require complex strategies.
For example, unlike the standards for routine disclosures under HIPAA, Part 2 records can only be released with the patient’s written consent, with very limited exceptions. Further, once the patient consents to the release of certain records, the recipient is then subject to the same restrictions as the disclosing entity and is not permitted to share the Part 2 records without going back to the patient to request another signed consent form.
The NPRM includes a more pragmatic approach. The revised statute and proposed rules now specify that, once the patient has provided consent, SUD providers may share the Part 2 records for “treatment, payment, and health care operations,” as those terms are defined and understood in the context of HIPAA. This should make it much easier for providers to coordinate care, bill the patient’s health plan, and manage the information as needed for their own internal operations, without repeatedly returning to the patient to request consent.
The proposed rules also align a number of terms, concepts, and obligations with the HIPAA Privacy Rule, including
- conforming de-identification standards,
- adding breach notification requirements consistent with HIPAA’s Breach Notification Rule, and
- pursuant to the CARES Act, adding
- a right to request an accounting, consistent with the HITECH’s accounting of disclosures provisions, which have not yet been implemented, and
- a right to request restrictions on disclosures.
The NPRM also includes revisions to the HIPAA Privacy Rule, requiring Notices of Privacy Practices to include specific requirements for covered entities that operate a Part 2 program. Importantly, the NPRM also reissues many proposed changes to the HIPAA Notice of Privacy Practices requirements that HHS previously issued in a 2020 proposed rule but has not yet finalized. These proposals are now open for comment again.
Part 2 programs will have significant work to do to align their practices and policies with the new rules, if adopted, including:
Revising consent forms. The NPRM includes several detailed changes for consent forms, including some mandatory and some optional language.
Revising Part 2 Notices and HIPAA Notices of Privacy Practices. The NPRM outlines specific requirements for the notice that must be provided to any Part 2 patient upon admission. In addition to the current requirements, the notice must contain:
- A statement that the patient has the right to request restrictions on certain disclosures and an accounting of disclosures.
- Information about how the patient can complain to the provider and to HHS if they feel their rights have been violated.
- Specific words, in all caps, in the header.
Updating “formal policies and procedures.” Currently, § 2.16 requires “formal policies and procedures,” but it does not include any references to the HIPAA Privacy Rule. The proposed regulation will require the policies and procedures to also address:
- How records will be de-identified in accordance with the HIPAA Privacy Rule, and
- Breach reporting requirements.
In addition to requiring new privacy rules and standards, the revised statute now also restricts the use of regulated SUD records in criminal, civil, and administrative proceedings and includes antidiscrimination protections for patients treated at regulated facilities. The NPRM includes regulatory changes related to the use of these records in court proceedings, but HHS said that it plans to address the antidiscrimination rules in a separate rulemaking.
There are a number of other changes that regulated entities will likely want to review as they consider whether to comment on the NPRM and prepare for the implementation of the final rules, including a variety of new definitions and regulatory obligations on “intermediaries” and institutions.
Comments on the NPRM are due January 31, 2023. The proposed effective date of the final regulations is 60 days after the publication of the Final Rule, but HHS would not begin enforcement until 24 months after the publication of the Final Rule, giving regulated entities 22 months after the effective date to prepare for implementation by revising the relevant materials, as noted above, as well as updating systems and training staff.
Authored by Melissa Bianchi, Melissa Levine, Lindsey Johnson, and Donald DePass.