
I'm Marianne Kolbasuk McGee, Executive Editor at Information Security Media Group.
Today I'm speaking with Privacy Attorney David Holtzman, who is the retired founder of consulting
firm HIT Privacy LLC. David is also a former senior advisor at the U.S. Department of Health
and Human Services Office for Civil Rights, which administers and enforces HIPAA.
We're going to be discussing regulatory changes coming soon to HHS related to 42 CFR Part 2,
which pertains to the federal rules protecting the confidentiality of substance use disorder records.
These changes are meant to better align 42 CFR Part 2 with HIPAA. So, David, February 16th is the
compliance date for changes to the confidentiality, security, and breach notification requirements
for Part 2 substance use disorder records. For our listeners, could you briefly please describe
what these changes mean for Part 2 substance use disorder treatment providers and HIPAA regulated
entities, what types of entities fall under both categories of providers, and who is affected by
the changes?

Let me start by saying that 42 CFR Part 2 and HIPAA are two different regulatory
sets that are meant to apply to two different groups of folks. They're distinct, but overlap,
and the goal is to protect health information. While HIPAA applies broadly across
the health care sector, Part 2 provides stricter specific protections for records of individuals
seeking treatment for substance use disorders at federally assisted programs. Those are magic words
like the definition of a covered entity under HIPAA. So, a federally assisted program is any
provider that accepts Medicare, Medicaid, or is a federally qualified health care provider.
Essentially, any provider that is not a private pay provider is a federally assisted
program. So, the CARES Act enacted in 2020 required HHS to update Part 2. As you said,
to align it more closely with HIPAA and to allow for the greater sharing of information purposes
for coordinating care of substance abuse disorder patients. But what it doesn't do, it doesn't
integrate the HIPAA privacy and security and breach notification rules into 42 CFR Part 2,
or let's just call it Part 2. It maintains Part 2 as a separate and distinct regulatory set
that provides a mishmash, not a technical term, a mishmash of new regulations or new provisions
that seek to integrate parts of, but not all of, the HIPAA privacy and breach notification rules
into Part 2. So, what are some of the changes? So, to keep it simple, let's just go section by section
here. So, when we talk about disclosures for treatment payment and health care operations,
HIPAA permits disclosures for treatment payment and health care operations without a specific
patient authorization. Updated Part 2 now permits programs to obtain a single prior consent
for all future treatment payment and health care operations disclosures,
allowing records to follow the patient through the health care system as well as lowering some
barriers for health care claims and administrative oversight. As for re-disclosures, HIPAA generally
allows re-disclosures of protected health information for specified legitimate purposes.
Part 2 will now allow treatment programs and their business associates that receive treatment
records via the new TPO consent to now re-disclose protected information using the HIPAA standards
except for a prohibition on re-disclosure for use in any legal proceeding. So, Part 2 continues
its prohibition on re-disclosure of personal information for use in any legal proceeding.
Unlike HIPAA, Part 2 continues to strictly prohibit disclosure of substance use treatment records
for use against a patient in any civil, criminal, or administrative proceeding,
without a specific court order that meets the standards established in Part 2 or a separate
written consent from the patient. The new Part 2 rule creates a category for substance use
treatment records for counseling notes which are treated like HIPAA psychotherapy notes.
The SUD counseling notes must be kept separate from the rest of the medical record
and require a separate specific consent for disclosure. A new provision of Part 2 will be
like HIPAA, where healthcare providers are required to provide patients with a notice of how the organization
may use and disclose the PHI as well as how to file a complaint about privacy practices.
Part 2 providers must now develop and provide a notice to inform patients of their federal privacy
rights and provide patients with a notice of the program's privacy practices. As for information
and security standards, Part 2 does not integrate the HIPAA security rule into Part 2.
Organizations are going to be required to have appropriate policies and procedures
to reasonably protect against unauthorized uses and disclosures and to protect against reasonably
anticipated threats or hazards to the security of PHI, whether it be in paper form or electronic
form. So for paper records, healthcare organizations, the programs,
and lawful holders must create physical and technical safeguards in accordance with the
standards set out in Part 2. For electronic records, programs that are creating, receiving,
maintaining and transmitting records must have appropriate safeguards in place,
but there's no specific distinction for what those standards are. They're sort of, how shall we
put it, loosey-goosey, and there is a reasonableness standard that probably aligns with the risk-based
approach in the security management process standards of the security rule. But again, Part 2
does not go into a great detail of what the expectations are and what the requirements
are going to be. For the breach notification rule, the breach notification rule of HIPAA
applies only to Part 2 programs. Part 2 programs will be responsible for notification
of breaches by their qualified service organizations and BAs. But the QSOs and the BAs are not covered
by the breach provisions. SAMHSA in Part 2 advises that programs could include contractual
language with their business associates and QSOs to require these contractors to notify programs
in the case of a breach, but it's not required. This could prove to be a significant loophole
in the breach notification requirements that apply to Part 2 programs. So that is an overview
of the significant changes in Part 2 to integrate with the HIPAA regulations.

So David, with that all said, what's your advice to these entities, these Part 2 entities that now need
to comply with the changes? What steps should they be taking if they haven't already taken them,
especially because, you know, again, as we said at the onset, compliance is on February 16th.

I think the three key areas that organizations should be taking, both for programs and contractors
to these programs, is to, first of all, update their consent forms. The consent forms
now permit a single prior consent for disclosure of information, specifically for treatment,
payment, and healthcare operations, and any other disclosure that would be permitted by the individual.
Secondly, they should revise their organization's policies and procedures.
The Part 2 regulation is changing dramatically, but it's not changing in a way that's clear cut
or easy to understand. As I said, it's now a mishmash of what was already existing in Part 2
and provisions of the HIPAA rules that are being parachuted into this regulation,
and the fit is not always clean or concise. And the third step that is fundamental
to compliance with these new Part 2 regulations is for staff training.
Different components of your staff will need to be provided different levels of training in order
to ensure that they understand the rights and responsibilities of both the program,
a business associate, and a qualified service organization in regards to how they
handle patient information and how they safeguard it and the complicated process
by which disclosure and redisclosure may occur. There has not been a lot of guidance issued
by HHS on how to comply with the requirements of the new Part 2.
SAMHSA has contracted with the Center for Excellence for PHI or COEPHI.org.
This organization has developed a series of templates that can be used by organizations to
comply with the new Part 2. Templates for consent for uses and disclosures of Part 2 records,
a patient notice of privacy practices for Part 2 programs. They also have a very thorough
webinar about implementing changes to SUD privacy rules. I highly recommend that organizations go
to COEPHI.org for assistance on how to comply with the new Part 2 requirements.

And David, in terms of entities that must comply with Part 2 requirements and the changes
and existing HIPAA regulated entities, is there a lot of overlap? Are there many Part 2
providers that are also already needing to comply with HIPAA because they do more than just
programs that fall under Part 2? And if so, what changes for them, if anything?

I think this goes into the evolution of the treatment for substance use disorders.
Many years ago, when the original Part 2 was implemented, substance use disorder treatment
was mostly inpatient and it was not widely reimbursed through health insurance.
Over the decades, substance use disorder treatment has evolved through the introduction
of pharmaceuticals that are administered in the medical office or in a hospital or
general hospital setting. And health insurance, in many cases, is now required to cover
treatment for substance use disorder. That is how the interaction between
the HIPAA covered entities and the Part 2 providers have sort of collided,
and the stringent requirements of Part 2 were harder for HIPAA covered entities who were
providing substance use disorder treatment. It was difficult for them to handle this information
through the segmented requirements under Part 2 and also to manage the treatment, payment,
and healthcare operations that were now commonplace in the medical treatment of substance use
disorders. I think what we're seeing is that through the revised Part 2,
covered entities and business associates with their recognition through definitional changes
in Part 2, they will have an easier time to manage the business and the treatment of substance
use disorder and to better be able to manage these patients through the healthcare continuum.
Because substance use disorder treatment is now commonly recognized as one piece of the larger
healthcare treatment continuum of a patient. Part 2 now specifically recognizes the definition
under HIPAA of a covered entity and a business associate and adopts the same definitions
of treatment, payment, and healthcare operations. As we said earlier, the significant difference
is that under Part 2, the HIPAA covered entity must obtain a prior consent prior to disclosure
of information, even if it is for treatment, payment, and healthcare operations. That will require
some modification of how the HIPAA covered entity manages its consent process, but it is certainly
an easing of the requirements of Part 2 as it has been in place since 1987.

Is there anything else besides the changes coming to Part 2 that you're keeping a close eye on
right now when it comes to HIPAA-related issues for this year?

I am looking forward to hearing from
OCR Director Paula Stannard at the upcoming HIPAA Summit, where she should be given an opportunity
to share with us her vision of what she sees coming forward in the next year with regards to
proposed changes to the HIPAA security rule and the long proposed changes to the privacy rule.
The unified agenda for regulatory changes put out by OMB still shows that there will be final
rules issued for the HIPAA privacy rule, those proposed rules that were from the last Trump
administration in NPRM 2021, and also that there will be an upcoming final rule for modification
to the security rule. That proposed rule came out, I believe, in December of 2024.
So we'll be looking to Paula to provide insight as to what she sees over the horizon
with these proposed rule changes. We'd also like to hear about how OCR plans to enforce
the new Part 2. The new Part 2 regulations, OCR was delegated by HHS, the authority to enforce
Part 2, and we'll be looking forward to more information as to how OCR is taking on this
new responsibility.

Well, thank you so much, David. I've been speaking to David Holtzman.
I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for joining us.

Banking Information Security Podcast