Want to read more content like this? Subscribe to Addiction Treatment Business today!
The newly finalized 42 CFR Part 2 rule, focused on the privacy rights of patients seeking addiction treatment care, creates new opportunities and risks for behavioral health providers.
The federal government released the finalized rule at the beginning of the month. It’s intended to smooth out the historic friction between the patient protection regulations provided by 42 CFR Part 2 and by the Health Insurance Portability and Accountability Act (HIPAA). In short, Part 2’s regulation of addiction treatment records now looks more like HIPAA.
42 CFR Part 2 came into effect in the mid-1970s in order to protect addiction treatment patients from having their health care data used against them in legal, administrative and legislative proceedings. But decades later, those regulations are now seen as a huge roadblock to innovation in behavioral health. This includes integrating behavioral health into the wider health care system via technology, such as electronic health records (EHRs). Some point to Part 2 as one reason behind the slow adoption of EHRs in behavioral health.
“There are still information management mandates that apply to Part 2 records,” Rebecca Frigy Romine, a shareholder in the health care department of the law firm Polsinelli, told Behavioral Health Business. “But the major care coordination benefit will likely outweigh some of the operational resources and technology resources necessary to implement the change.”
The hoped-for simplification of managing addiction treatment records comes with a major trade-off.
Jéna Grady, a partner with the law firm Nixon Peabody’s health care group, told BHB that the federal government “hardly, if ever,” enforced 42 CFR Part 2 provisions. Now that the government has effectively simplified these regulations and brought their enforcement under the same part of the government that handles HIPAA enforcement, behavioral health providers governed by Part 2 may face added compliance risk.
Entities covered by 42 CFR Part 2 must be in compliance by April 16, 2026, two years after the rule’s effective date. This provides behavioral health organizations with a runway to reach compliance. Grady also expects federal officials to provide some leniency in the early days of the new rule.
“Anyone that disregards it in the future after a few months or a year could face enforcement,” Grady said. “Because we’re providing more leeway for the sharing of these records, we have to respect they do have more privacy-heightened risks.
“This can affect people’s livelihood if it’s not used the proper way.”
The U.S. Department of Health and Human Services (HHS) Department, along with the Substance Abuse and Mental Health Services Administration (SAMHSA), unveiled the proposed version of the rule in November.
The changes in the final rule have been years in the making and have been a point of advocacy for the behavioral health industry for many years before that. The Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 included legislative language requiring federal agencies to change 42 CFR Part 2.
What the final rule does
The provision covers providers that receive any federal funding (including Medicare and Medicaid) and “holds itself out” as providing treatment, diagnosis or referral for treatment for SUDs. This rule applies to most behavioral health entities that treat SUDs.
The most significant change is this: Records governed by 42 CFR Part 2 can now be disclosed for “treatment, payment, or health care operations (TPO)” and to a limited extent redisclosed based on a single patient consent. Historically, patients needed to consent to every disclosure and redisclosure of their records.
Records protected by 42 CFR Part 2 still cannot be disclosed in legal or legislative proceedings without patient consent or a court order. It also forbids the coupling of patient consent to share Part 2 data with waivers related to those issues.
Any records shared must include a copy of the original patient consent form or language dictating the bounds of the patient’s consent. Those receiving the records are to respect those bounds of the consent agreement.
It also enumerated additional patient rights, including:
— That health care providers withhold disclosure to payers for services patients paid for on their own if so requested by the patient
— Disclosure and redisclosure auditing for up to three years following agreeing to a disclosure consent
— Allows non-solicitation requests for fundraisers
The new final rule also defines a specific new type of record: substance use disorder (SUD) counseling notes. They are similar to how HIPAA defines psychotherapy notes.
“This addition is especially important because many providers often forget the special treatment psychotherapy notes and SUD counseling notes require,” Bahati Mutisya, an associate at the law firm Baker Donelson, said in a blog post.
Despite harmonization with HIPAA, patients do not have similarly wide and easy access to their own medical records at entities covered by 42 CFR Part 2. In the commentary within the final rule notice, the federal government said this “falls outside the scope of the Part 2 rulemaking” as a response to concerns raised during the rulemaking comment period. But organizations that HIPAA also covers must follow its provision’s rules for record disclosure.
Impact of 42 CFR Part 2 reform
Entities covered by 42 CFR Part 2 also no longer have to segregate protected records when they are received via the single consent form.
Removing these administrative and technological issues allows business processes and systems to unify physical and behavioral health data, allowing for a more holistic view of patients.
“Value-based care, ACOs, care coordination — these changes really do promote these. Without them, including substance use disorder information in those types of programs was very burdensome and almost impossible to manage in a compliant way,” Romine said. “This really opens the door for substance use disorder providers themselves to participate more in those types of arrangements.”
Internally, simplifying consents may reduce administrative burdens, a major challenge in the behavioral health industry’s workforce issues.
Even though the commentary in the rule explicitly says Part 2 records no longer need to be segmented from the rest of the health records, behavioral health providers, EHR vendors and other tech services must ensure that Part 2 records are identifiable and treated with special attention.
But with more addiction treatment records in more places, mistakes and outright malicious action are more likely to happen. Further, other considerations make the new final rule much more nuanced than the administrative and compliance panacea the industry has long hoped for.
Other considerations
While some see the new final rule as progress, others see it weakens patient rights to control how addiction treatment records are handled.
The Legal Action Center — a nonprofit advocacy group that focuses on health equity, the carceral system, SUDs and HIV/AIDS — told BHB that the new final rule excluded anti-discrimination protections that were spelled out in the CARES Act. Further, the new rule only includes limited protections after a violation occurs.
“There is still no legal remedy to make someone whole after a breach because the rule does not have a private right of action and there is no suppression remedy for records that were improperly disclosed,” Jacqueline Seitz, deputy director of health privacy for the Legal Action Center, said.
Leaning on HIPAA is not appropriate for the protection of addiction treatment records because it does not include the same protections against criminalization or other stigmatizing uses, Setiz added.
Some concerns expressed by the Legal Action Center and other advocates were addressed, she said. Still, the end result of the rule is likely to include “more sensitive health data in more places” and may “blindside” patients in other care settings. This may result in discouraging people from getting care in the first place, Seitz said.
Grady said the new rules require behavioral health providers to give all due to protecting patient privacy while ensuring better care integration.
“We’re going to have the same enforcement authorization that we do under HIPAA for civil and criminal penalties,” Grady said. “You will have Part 2 providers now that could see penalties that they never would have seen under Part 2 before. When a law has more teeth, you’re going to have more compliance.”