42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

Feb 9, 2024 | Other

  • The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment and health care operations.

  • Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. 

  • An unofficial copy of the Final Rule can be downloaded here.  The official version will be published in the Federal Register on February 16, 2024. No further substantive changes are expected before publication.

Subscribe HERE to Legal HIE’s backend compliance library to gain access to tools, checklists, whitepapers, sample policies and a lot more to help your organization stay on top of the newest compliance challenges in 2023! 

Yesterday, SAMHSA and OCR released the long-awaited Final Rule modifying 42 CFR Part 2. A quick and dirty list of the key changes in the Final Rule appears further below.  For those who are subscribed to our Legal HIE Compliance Library, updated turn-key documents (e.g., tools, checklists, policies, documentation, training PowerPoint) reflecting the Part 2 Final Rule changes are planned for “go live” by the end of next week!

Those who have been watching Part 2 closely know that these rules have been amended multiple times over the last few years in a painstaking effort to bring Part 2 information into the electronic health information exchange fold in a manageable way. You can read my prior blog post summarizing the history of the multiple amendments to the Part 2 Rules since 2017. The Final Rule brings much anticipated “finality” to how Part 2 data can be used and disclosed, particularly in the electronic HIE context.

Here are the key aspects of the new rule:

Patient Consent

  • Organizations will now be able to use one single consent for all future uses and disclosures for treatment, payment, and health care operations.  HALLELUJAH!
  • HIPAA covered entities and business associates that receive records pursuant to a Part 2 compliant consent may then redisclose the records and this information in accordance with the HIPAA regulations. THIS. IS. HUGE!
  • Patient consent obtained for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings cannot be combined with patient consent for any other use or disclosure.
  • A separate patient consent for the use and disclosure of SUD counseling notes (these are like psychotherapy notes) will be required.  (Cue the panicked questions flooding my inbox: “Are SUD counseling notes the same as clinical notes or progress notes?” Answer: generally, no.)
  • Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.  A closer look at how to operationalize this will be necessary.

Other Uses and Disclosures

  • Part 2 records may be disclosed without patient consent to public health authorities; however, the records disclosed must be de-identified according to the standards established in the HIPAA Privacy Rule. NOTE, this is stricter than HIPAA, which does NOT require de-identification to share PHI with a public health authority.  With a lot of public health/SDOH initiatives burgeoning, this needs to be considered carefully.
  • Use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients continues to be prohibited without the patient’s consent or a court order.

Penalties: The Final Rule does away with the prior enforcement structure of criminal penalties (which, btw, was NEVER used) and replaces it with civil and criminal enforcement analogous to HIPAA’s.  This means that FOR THE FIRST TIME EVER, organizations can be assessed monetary penalties for impermissible uses and disclosures of Part 2 records.  GAME CHANGER x 10. 

Breach Notification: The Final Rule applies the requirements of the HIPAA Breach Notification Rule to breaches of Part 2 records. This is also a huge change. Before, a disclosure of Part 2 information in violation of Part 2 was not considered a Breach under the HIPAA Breach Notification Rule unless it was ALSO an impermissible use or disclosure of PHI under HIPAA. That could happen, but when it did not, this was a big loophole.

Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.

Safe Harbor:

  • Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
  • Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.

Segregation of Part 2 Data: Segregating or segmenting Part 2 records is not required.  However, NOTE: while segregation and segmentation are not required by the rule, in certain cases (depending on the particular use case for sharing information and for what purpose(s)) segmentation may, practically speaking, still need to be implemented.

Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. This will then drive enforcement! We will likely begin seeing HIPAA-like settlement agreements for violations of Part 2 now. Again, GAME CHANGER.

SUD Counseling Notes: Creates a new definition for SUD counseling notes: an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record. These notes require specific consent from the individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to the protections HIPAA gives psychotherapy notes.  (See my comment above: these are not clinical notes or progress notes.)

Fundraising: Creates a new right for patients to opt out of receiving fundraising communications. Technically, this was already required under HIPAA if the Part 2 provider was part of a covered entity organization with an affiliated foundation.

For those looking for an excellent turn-key resource to get their 42 CFR Part 2 policies and documents up to speed with this Final Rule, below is a current inventory of Part 2 materials subscribers can find in our library. Updates to all of these Part 2 documents to align with the Final Rule are expected to be released by the end of next week.  Subscribe now to get access!

Checklists & Tools

1A: Checklist for HIPAA/Part 2 Compliance

1B: HIPAA Gap Self-Assessment

1C: Security Risk Analysis: Administrative Safeguards (OCR/ONC SRA Tool links)

1D: Security Risk Analysis: Technical Safeguards (OCR/ONC SRA Tool links)

1E: Security Risk Analysis: Physical Safeguards (OCR/ONC SRA Tool links)

1F: 42 CFR Part 2 Combined Amendments

1G: Crosswalk HIPAA-42 CFR Part 2 Notice of Privacy Practices

1H: Crosswalk HIPAA 42 CFR Part 2 Permitted Use of Information

1I:  Crosswalk HIPAA 42 CFR Part 2 Business Associate & QSO Agreement

1J:  Checklist for Reviewing 3rd Party BAA/QSOA

1J:  Checklist for Reviewing 3rd Party HIPAA Authorization/Part 2 Consent

1K: HIPAA BAA/QSOA Tracking Tool

1L: Accounting of Disclosures (AOD) Log

1M: Complaint/Report of Non-Compliance (with Log)

1N: HIPAA Breach Assessment (with “Low Probability” scoring tool)

1O: HIPAA De-Identification and Limited Data Set (LDS) Standards Checklist

1P: Destruction of ePHI Checklist

1Q: HIPAA Security Reminders (samples)

1R: HIPAA + Part 2 Workforce Training (PowerPoint)

Sample Forms

2A: HIPAA Authorization+Part 2 Consent to Disclose PHI/Part 2 Records

2B: HIPAA Business Associate Agreement (with Part 2 QSOA language)

2C: Subcontractor Sub-BAA (w/Part 2 QSOA language)

2D: QSOA for Population Health/HIPAA Data Use Agreement (Limited Data Set)

2E: Notice of Privacy Practices

2F: Privacy Officer Job Description

2G: Security Officer Job Description

2H: Resolution of Board of Trustees

2I: Workforce Acknowledgment and Agreement of HIPAA+Part 2 Obligations

2J: Confidentiality Agreement for 3rd Party to not Re-Disclose PHI

2K: Certification by Entity to Destroy PHI

Policies & Procedures

General – Governance & Oversight

Policy#G01:  Privacy & Security Compliance Program

Policy#G02:  Privacy Officer

Policy#G03:  Security Officer

Policy#G04:  HIPAA+Part 2 Training (Workforce)

Policy#G05:  Complaints and Reporting Non-Compliance

Policy#G06:  Sanctions for Non-Compliance

Privacy – Individual Rights

Policy#PP-01:  Right to Access

Policy#PP-02:  Right to Request Amendment

Policy#PP-03:  Right to an Accounting of Disclosures

Policy#PP-04:  Right to Request Restrictions and Confidential Communications

Policy#PP-05:  Right to Notice of Privacy Practices

Policy#PP-06:  Personal Representatives

Privacy – Uses & Disclosures of SUD Information

Policy#PP-07:  Business Associates (BA) and Qualified Service Organizations (QSOs)

Policy#PP-08:  Treatment, Payment, Health Care Operations

Policy#PP-09:  Family Members, Friends and Others Involved in the Individual’s Care

Policy#PP-10:  Emergency Situations

Policy#PP-11:  Victims of Abuse, Neglect or Violence

Policy#PP-12:  Public Health

Policy#PP-13:  Research

Policy#PP-14:  De-Identified Information

Policy#PP-15:  Prohibition on “Sale” of PHI

Policy#PP-16:  Marketing

Policy#PP-17:  Healthcare Oversight Activities

Policy#PP-18:  Required by Law

Policy#PP-19:  Judicial and Administrative Requests

Policy#PP-20:  Law Enforcement Requests

Policy#PP-21:  Minimum Necessary

Policy#PP-22:  Reasonable Safeguards

Policy#PP-23:  Deceased Individuals

Security  – Administrative

Policy#SAP-01:  Security Management Process

Policy#SAP-02:  Security Risk Analysis

Policy#SAP-03:  Information System Activity Review

Policy#SAP-04:  Workforce Security

Policy#SAP-05:  Information Access Management

Policy#SAP-06:  Scope of Access by Workforce

Policy#SAP-07:  Authentication & Verification

Policy#SAP-08:  Security Incidents

Policy#SAP-09:  Data Breach Response & Notification

Policy#SAP-10:  Contingency Plan

Policy#SAP-11:  Security Awareness & Training

Security  – Technical

Policy#STP-01:  Access Controls

Policy#STP-02:  Audit Controls

Policy#STP-03:  Data Integrity

Policy#STP-04:  Person/Entity Authentication

Policy#STP-05:  Transmission & Encryption (incl. email)

Security  – Physical

Policy#SPP-01: Facility Access Controls

Policy#SPP-02: Workstation Use and Security

Policy#SPP-03:  Device and Media Control

Policy#SPP-04:  Backup and Recovery

Policy#SPP-05:  Disposal of Information & Records


If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.
