Privacy, Compliance Management

HHS looks to address HIPAA privacy challenges for substance-abuse patients

A vending machine with Narcan
Narcan nasal spray for the treatment of opioid overdoses is made available for free in a vending machine in Wheaton, Ill, on Sept. 1, 2022. (Photo by Scott Olson/Getty Images)

The Department of Health and Human Services Office for Civil Rights issued proposed rulemaking to address longstanding care coordination and privacy challenges of substance use disorder patients under 42 CFR part 2.

The Notice of Proposed Rulemaking (NPRM) seeks to leverage several provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which would require HHS to align Part 2 with certain aspects of the Health Insurance Portability and Accountability Act.

The alignment would enable permitted re-disclosure of “Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions” and create new patient rights for an accounting of disclosures.

The proposal joins previous HHS and congressional efforts in the last decade to address challenges with Part 2: a rule designed to protect patient privacy and their health records. As it’s written, the rule prevents providers from sharing substance abuse histories with other providers unless the patient gives explicit consent.

The restrictions have negatively affected medical treatment for patients undergoing treatment for addiction and created barriers to information sharing by patients and providers, as the rule also imposes different requirements for SUD treatment records than HIPAA. The result has been dual obligations and compliance challenges for regulated entities.

Stakeholder groups and HHS itself have been asking for an amendment to address these issues. In fact, in 2018, a group of 40 healthcare organizations representing clinicians, pharmaceuticals, the mental health community, hospitals, pharmacists, vendors, and payers urged Congress to align Part 2 with HIPAA.

However, that effort and previous requests to Congress have stalled. 

HHS Secretary Xavier Becerra further explained that the varying requirements of state and federal privacy laws can delay treatment, “inhibit care, and perpetuate negative stereotypes about people facing substance use challenges.”

The hope is that the proposed changes would strengthen “critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure,” he said in a statement.

The proposed changes should also reduce patient and provider burdens, as it increases access to care and treatment, and protects the confidentiality of treatment records, explained OCR Director Melanie Fontes Rainer.

HHS is proposing changes to the permitted use and disclosure of Part 2 records based on a single patient consent. Meaning that once consent is given, it will apply for all future uses and disclosures of the patient’s treatment, payment, and healthcare operations.

In addition to privacy elements, HHS included several security elements with a focus on data breaches. In particular, HHS is seeking to apply the HITECH Act breach notification rule to records’ breaches of Part 2 programs and “re-title the provision to include breach notification to implement CARES Act provisions” and update the rule to include HIPAA standards.

The proposal also includes an update to data breach notification requirements and added requirements for uses and disclosures under Part 2, as well as patient rights regarding their health records.

Specifically, the rule creates two patient rights under Part 2 that wholly align with rights provided to individuals under HIPAA: a right to an accounting of disclosures and a right to request disclosure restrictions for data on their treatments, payments, and healthcare operations.

HHS is looking for stakeholder feedback on the extent Part 2 programs rely on the HIPAA Security Rule to inform security measures for Part 2 electronic records, as well as whether changes are needed to the rule to ensure the same or similar HIPAA security requirements are applied to electronic Part 2 records.

The proposed changes would also create both civil and criminal penalties for Part 2 violations under the HIPAA and HITECH Act, as well as new definitions for several statutory and regulatory definitions for host of HIPAA terms to include Part 2 elements, such as what constitutes unsecured protected health information and qualified service organization.

HHS officials believe the proposal should bolster care coordination for providers tasked with treatment of substance use, while increases privacy protections for patients in regards to the disclosure of their health records to reduce discrimination when it comes to treatment.

The proposal has already gained support from the American Hospital Association, a long-proponent of Part 2 and HIPAA alignment, as well as the Association for Behavioral Health and Wellness.

Healthcare stakeholders are being urged to submit their comments on these proposals, which are due 60 days after the rule is published on the Federal Register, scheduled for Dec. 2.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.