
McGee: I'm Marianne Kolbasuk McGee, Executive Editor at Information Security Media Group. Today I'm speaking with regulatory attorney Alex Bold of the law firm Baker Hostetler. We're going to be discussing revisions and new enforcement activities that are going into effect to better align 42 CFR Part 2, which pertains to the federal rules protecting the confidentiality of substance use disorder records, with HIPAA. The changes to better align the privacy of Part 2 records with HIPAA were called for to ultimately improve care coordination for substance use disorder patients who obtain care under certain federal programs. But what do these changes mean for Part 2 and HIPAA-regulated entities?

So Alex, the Part 2 revisions go into effect soon. That includes Part 2 programs that are not considered HIPAA-covered entities or business associates now becoming subject to the HIPAA breach notification rule. Is that correct? And if so, what does that mean for the Part 2 entities in terms of the new compliance duties under the HIPAA breach notification rule?
Bold: Yes, that is correct. So previously, and I think sometimes there's a misconception that every health care provider is a HIPAA-covered entity. That is not the case. In order to be a HIPAA-covered entity, you have to perform some standard transaction, which is defined by the rules, but the shortcut is essentially that you have to do something related to insurance. Normally it is that you bill insurance, but it's kind of things that are tangentially related to health insurance. So, you know, your private pay, when you're paying your mental health provider out of pocket, or if you go to like a Botox place that doesn't accept insurance, those places are not covered by HIPAA. They're only subject to state privacy laws, not HIPAA. And so they have different obligations and different triggers for things like breaches and notification of breaches.

So now, and if you think about that, it's a little strange, especially because there's a lot of private pay mental health, a lot of private pay substance use disorder clinics. It doesn't make a ton of sense that a lot of our most sensitive treatment areas are not covered by HIPAA, which is kind of the most prescriptive breach notification rule we've got. It's a little bit crazy. So we now are seeing Part 2 align with HIPAA so that in those more sensitive areas, and a lot of times because of comorbidities between substance use disorder and mental health treatment, a lot of these kind of wrap into Part 2 programs, they will now be subject to these same breach notification obligations. And maybe more importantly, there's actually going to be oversight and enforcement by HHS OCR, where before the enforcement of Part 2, which again did not pertain up to that point to breach notification, was only by the DOJ and SAMHSA. That essentially meant nobody was enforcing anything, and there's been no Part 2 enforcement. So now coming into this is HHS OCR, which is our HIPAA enforcer, very knowledgeable about how to enforce and how to conduct investigations. So there's a lot of teeth to this. It's not like the prior days of Part 2, where non-compliance went unchecked. Now non-compliance will be very much checked on and investigated.

McGee: So Alex, with Part 2 compliance now falling under the enforcement authority of HHS OCR, what will that potentially mean for Part 2 entities? What should Part 2 entities expect to see from HHS OCR from an enforcement standpoint? And, you know, if they report a breach and it affects more than 500 people, will that be something that shows up on that HIPAA breach reporting tool as with other HIPAA breaches? What do we know about
how this enforcement might work?

Bold: That's a great question too. I think that's something that we are wondering ourselves in the legal world, how, or if, OCR really has bandwidth to take on another enforcement arm in an era... I was talking to someone high up at OCR the other day, and they were saying, you know, how they're really focusing internally on Part 2 and the enforcement deadline coming February 16th, and how they were going to find ways to enforce in an era of downsizing, they're not entirely sure. But I think one important thing to think about is, I would say probably most of our Part 2 programs are covered entities, and so I think in their mind they're thinking, "Oh, we've always had breach notification obligations under HIPAA, so there's not much new to this." Wrong. I think the missing piece there is, again, there was no one to check up on, and OCR itself had no ability to check up on general Part 2 compliance outside of breach notification. So how are you getting consent? How are you sharing records? Is the consent going with records? Is the notice to accompany the disclosures going with records? Are you keeping your records in a certain kind of way? There was no one checking up on that. So it's not as if HIPAA-covered entities are not at an increased risk here too, because really, due to the fact there's been no enforcement of Part 2, it's kind of just been forgotten about for a long time. It's just kind of there, and that's partially because the way Part 2 has been architected previously is that it has been very difficult to share Part 2 records outside of a program. And so there wasn't a lot to think about in terms of, because records were often segregated and not brought into the general EMR or EHR, there wasn't a lot to be concerned about in terms of being a lawful holder, which is basically anybody who receives a Part 2 record, whether they want it or not; they're also subject to Part 2 as a lawful holder.

Now with this new revision, it's a lot easier for Part 2 programs to get a general consent. They can now get a consent for any future disclosure for payment, treatment or operations. It's a big deal, instead of getting a single consent each time, and that means that I think there's going to be a deluge of records. So for instance, if the Bold Hospital is, you know, a general hospital, but the Bold Hospital has a Part 2 program, I think the Bold Hospital generally is going to become a lawful holder on a larger scale, because now the Part 2 program can use and disclose these records in the general EHR, and now the Bold Hospital has a lot more skin in the game in terms of being a lawful holder. We really need to think about what we're doing with these records, because on top of getting more of these records, because that's more possible now, or easier now, under the new rule, we also are able to use and disclose these records as a lawful holder for any purpose that's permissible under HIPAA. So all of the data analytics that were missing Part 2 records before, now we can include those Part 2 records in our analytics programs and our value-based care analyses and all of the things that we've been doing previously. So I think the real issue is looking at: do we even have a Part 2 program policy? Do we have a lawful holder policy in place? Do our HIM professionals know what to look for? Do they understand what is a Part 2 program?

But on the breach notification part specifically, yes. So we think, we're not sure yet, but we think there's going to be now maybe a checkbox or something where they're not a HIPAA-covered entity, they're just a Part 2 program that's reporting. Interestingly, the wall of shame is not something that's statutorily required under HIPAA. There's some external reporting that is required, but not necessarily in that specific format. But I wouldn't expect they would treat Part 2 programs differently than they would covered entities, because it's all the breach notification rule. So I would expect that. But, you know, on top of that, for entities that are not HIPAA-covered, who haven't dealt with breach notification before, it's, you know, the 60-day time, it's the fact that you have to do substitute notice where you're missing records, it's the media notice in jurisdictions where you have 500 or more patients impacted. So it's just a lot more public of a breach notification than under state law. The triggers are a lot lower, and on top of that, because it's more public, there's more class action possibilities or probabilities, because it's such a fruitful resource for plaintiffs' attorneys to look at that wall of shame.

McGee: So Alex, you had mentioned, you know, this Part 2 data perhaps being used for analytics. How about for use with AI? Are there going to be any restraints on, you know, the sensitive information being used to, like, train models, or is this something that's an area of the unknown right now?

Bold: So I am of the opinion, and I think there is
a healthy discourse right now about whether this is the right or wrong opinion to have, but I'm of the opinion that training AI generally, unless it's for your own specific instance of a tool, is not an appropriate use by a business associate. And I've gone back and forth with business associates on this when I am sitting with the hospital side, and I've talked with my business associate clients about this. In my opinion, you know, to paraphrase the rule a bit, there's the ability for a business associate to use PHI for its own business administrative purposes. Before the era of AI was upon us, I think that meant logically things like, you know, auditing, making sure that you're billing correctly, so on and so forth, not the idea that you're bettering a piece of software for everyone's benefit. And I engaged in a negotiation where I was sitting with the hospital with an AI vendor on this, and they wrote like a five-page memo about how of course it was allowed. The arguments boiled down to literally, "OCR hasn't said it isn't allowed, and they've never done any enforcement action about this before." You know, and I'm thinking, okay, the average OCR enforcement action takes years, so we haven't been here that long that we can say that the absence of enforcement means anything. But also OCR is behind, right? We know that the rules lag, the FAQs lag behind what is actually happening in the world.

But I have seen really great uses of AI. We were dealing with another business associate who figured out a way to train only the hospital's instance of the AI tool using live PHI, but then federated the learning to the AI tool, which I think is a wonderful way to talk about it: federating the learning, not federating the PHI generally. But also, I think one thing to remember about Part 2 information is that, unlike other PHI, we are always subject to the minimum necessary requirement, even for purposes of treatment. And usually, you know, for purposes of treatment, the minimum necessary rule doesn't apply, but it does apply here for Part 2 data. And so I do think... I was just talking to a client yesterday. They're doing a great job, they've got their policies and procedures in place, they're thinking about how they're going to record all this in the EHR, and they said, "Are we not thinking of anything else?" And I was like, well, the only thing you're not thinking of at this point is the thing that is probably unsolvable, which is, when you have structured data disclosures, assuming that it's minimum necessary. So when I'm talking about structured data disclosures, I'm thinking about when you are, like, piping data to, you know, a business associate, to an analytics provider. There's a requirement under Part 2 that when you disclose Part 2 data you include the patient's consent or a summary of the consent, and you have to include specific language, we call it the notice to accompany disclosures, that specifically says this is subject to Part 2. Again, that's a paraphrase; there's actually two very specific examples of language in the rule. And to do that in a structured data set, I don't know how they are going to do that, and they need to work with the recipients of that data. So that's kind of the other piece of this too, is even if you were to do AI modeling or training on it, how would you ensure, as a lawful holder, the AI tool would be required to continue to use and disclose with that consent language following the data? I don't know how that's operational.
McGee: So Alex, with that said, are there any technical or technology changes that entities might need to consider implementing in order to comply with this whole alignment of Part 2 with HIPAA? And if so, what are they? And the Part 2 entities, are they having to comply with the HIPAA Security Rule, or is there a separate set of technology or security controls they are expected to?

Bold: So they don't have to comply with the Security Rule. There are specific
policies and procedures that need to be in place with respect to technical controls, and it's a lot lighter of a lift than the Security Rule. So it's like they need policies and procedures around transferring and removing Part 2 records, destroying the records, you know, your data destruction policies, the maintenance of records in a locked file cabinet or kind of safe or something like that, so, you know, just addressing physical security, the access and use of workstations and rooms where Part 2 data is. De-identification is one that is also getting aligned to HIPAA, where now the de-identification standard is the HIPAA standard, so you've got either the removal of the 18 identifiers or the expert determination standard. Those are the only real specifics with respect to kind of general maintenance of records. So it's not as prescriptive at all; it's not as robust as the Security Rule. There are a lot of specifications around when a Part 2 program sunsets or discontinues, really specific. They spend a lot of time talking about what should happen to records in this kind of sunset period, where they have to be retained for some amount of time but they're sunsetting, including, like, what language should be written on an envelope containing a thumb drive. But it's otherwise not as prescriptive as the Security Rule with respect to general technology.

Though, I think when we talk about that language to accompany a disclosure, and the consent itself following the disclosure, that's really to ensure that everyone down the line, every lawful holder that gets this record, understands what the scope of the patient's consent was at the time. If we think about that in a pre-internet world, that's essentially stapling a copy of the consent and, like, a face sheet saying this record is protected by Part 2 and can only be disclosed in accordance with, you know, the patient's consent. That's a lot easier to think about, it being stapled, right? When we think about what an EHR looks like, and especially where the Part 2 encounters are in the mix with other non-Part 2 encounters, how do you ensure that, one, that consent is not going, if you're only disclosing non-Part 2 records, you don't want to say that they are Part 2 records. So we only want to include it for the specific piece of the record that is a Part 2 record. That stapling becomes very difficult, like, electronic stapling, because you can't just disclose a pile of records, you know, 700 pages of an EHR, and then put on the front or the back "this is subject to Part 2." That's not accurate; it's only, you know, maybe three pages in the middle there. And that's really what my clients are struggling with. There's not a lot of support at this point from any of the major EHR vendors, unfortunately. There's been a clamoring for assistance on this, with kind of shrugged shoulders, not being helpful. And so, I don't know, I have one client that has really figured it out on their own, you know; I just got it modeled for me earlier this week, and it looks great. But that's just one client; that's their own kind of house rules that they created in Epic. But a lot of it is trying to figure out, can we use what the, you know, EHR calls dot phrases? Is there some general language that we could put in encounter notes? It's really difficult, and that's really what the hardest part is going to be for these entities when they're thinking about, "Yay, we get to use and disclose this in ways HIPAA allows," and then, like, "Oh no, oh no, we get to use and disclose it, and how are we going to exercise restraint and maturity in a compliant way here?" So I would really recommend that entities start thinking about this now. And I do think that there will be some grace with HHS OCR around this issue, because we don't have the technology industry support that we need. At the very least, get your policies and procedures in place; at the very least, get some training in place, and then keep working on the technology
aspects of it, for sure.

McGee: And Alex, any predictions on when we might see the first enforcement action by OCR on this? You know, as mentioned, they're years behind on certain things. You know, these things take a while, but they often also like to sometimes pick a case to make an example for the rest of the industry. You know, how many months or years do you think entities have before that might happen, you know, the very first action?

Bold: That's such a good question. I think this Part 2 world is really an interesting nexus of a lot of, or maybe not a lot, at least two kind of central pieces in RFK's general platform. We've got interoperability, right, wanting to ensure that patients are being seen holistically and, you know, the relevant pieces of the records are being considered. Early on in his administration, he came out talking about the desire to protect and kind of further how, as a nation, we treat substance use disorder patients, and kind of, you know, being a central piece of the concern of the whole country with the opioid epidemic. And so we see both of those things combining here in a really interesting way. And so in some ways I think that this is really going to be an exciting place for OCR to look, because again, like I said before, Part 2 has really been ignored for so long because there was no one to enforce it, and it was just not top of mind because of how difficult it was to share records. So I can see this being an exciting place to find, like, very easy-to-find violations. But truly, I don't know how many non-HIPAA-covered Part 2 programs are out there that are knowledgeable about this change in a meaningful way. And that's always the kind of weirdest part about breach notification: when breaches happen, it takes knowledge of the rules to know what to do and how to disclose, and there's inherently a reward for being ignorant of it, right? Like, if you don't know and you don't notify, you can't get in trouble, right?

And so I think what I would love to see is, because this really sensitive information has fallen outside of any kind of enforcement action, I really would like to see OCR take more of a proactive approach on enforcement and start looking at, okay, what are our large substance use providers in the country that aren't covered entities? Let's just check up and make sure they understand this. Because, you know, I don't love the gotcha of the breach investigation. OCR often only starts to investigate when a breach happens, and I think there's a misconception that breach investigations are primarily into the breach itself, but that's really not the case. Those investigations are 25 questions, two of which are about the incident and the rest are about your general HIPAA compliance. And it's a tough moment in that entity's history, when you are reeling from being attacked by the threat actor, you've been shut down potentially by ransomware, data has been stolen, you've got a class action rolling because of the theft of data, and now OCR wants to check in on your compliance. It's like, oh, salt in the wound, right? And it's not that OCR has never done compliance checks outside of breach notification; we had desk audits for a couple of years. But really, most of the HIPAA compliance, so the settlements we see, the resolution agreements we see, you don't get fined for having a breach, if you look at them, right? You get fined for the failure to conduct a risk analysis, or training, or your business associate program is not up to snuff, right? I would love for those situations, those findings, to happen outside of breach investigations, because it's just such a difficult time for the entities at that point already. Like, that's not what's helpful. And so I'm hopeful that OCR takes a more proactive approach and does some desk audits on Part 2. And what we heard about before the reproductive health privacy final rule was vacated, we heard from the prior administration that they were going to take a light approach at first and do technical assistance, like start looking into things but issue mostly technical assistance, because they understood that the rule was hard to comply with. My hope is that that's what we see here. Like, let's not take the stick approach, let's take the carrot approach, let's do some technical assistance, because what everyone wants here is to be compliant and to do what's best for patients. It's not that anybody's out here, like, trying to be non-compliant or, like, trying to skirt the rules. They're doing what they think is right, and they just need to be told when it's not and given the opportunity to do better.
McGee: Well, thank you so much, Alex. I've been speaking to Alex Bold. I'm Marianne Kolbasuk McGee of Information Security Media Group. Thanks for joining us.

Banking Information Security Podcast