Review & Update Medical Record Confidentiality Policies In Response To Newly Revised Federal Substance Abuse Disorder Confidentiality Rules |

Review & Update Medical Record Confidentiality Policies In Response To Newly Revised Federal Substance Abuse Disorder Confidentiality Rules

Physicians, substance abuse and mental health facilities, and other health care providers providing or handling substance abuse treatment records should review and update their medical privacy and confidentiality policies to comply with revisions (Final Rule) to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”) adopted by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024. Providers subject to Part 2 should move quickly to review and update their policies and practices to comply with Part 2 and other applicable federal and state confidentiality, privacy and data security requirements avoid the potentially serious and expensive consequences that can result from violations.

Part 2 Generally

The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.

Like violation of HIPAA and other federal and state medical privacy and confidentiality rules, violation of Part 2 carries serious consequences, including:

Civil Penalties: Organizations or individuals found in violation may face fines or monetary penalties. These can vary depending on the severity of the breach and the specific circumstances.
Criminal Charges: In cases of intentional or willful violations, criminal charges may be filed. This could result in imprisonment or probation for the responsible parties.
License Revocation: Medical professionals, facilities, or organizations may have their licenses revoked or suspended if they fail to protect patient confidentiality.
Legal Liability: Violations can lead to lawsuits and legal claims by affected individuals. This may result in financial damages awarded to the aggrieved parties.
Reputation Damage: Breaches of confidentiality can harm an organization’s reputation and trust among patients, clients, and the public.

It is crucial for covered healthcare providers and programs to adhere to confidentiality regulations, as well as otherwise applicable HIPAA and other legal and ethical standards to avoid these consequences.

The requirements of Part 2 run in tandem with, and where applicable, apply in addition to the much more broadly privacy, security, data breach, and patient rights requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applicable to health care providers, health plans, health care clearinghouses and their business associates. Part 2 Part 2 directly applies to all records relating to the identity, diagnosis, prognosis, or treatment of any patient in a substance abuse program that either is federally assisted and holds itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment. A program is “federally assisted” if it is:

Any entity that receives federal funding
Certified by Medicare
Registered to distribute controlled substances
A tax exempt non-profit.

Since most physicians and many other treatment providers register with the Drug Enforcement Agency (DEA) to distribute controlled substances, this includes most prescribers. Providers that do not directly fall within the scope of the rule also need to confirm that their state licensure or other rules do not require their compliance with the Part 2 rules.

While the restrictions and requirements for covered health care providers of Part 2 and HIPAA both can affect the hoops that employers may have to negotiate to access applicants’ and employees’ substance abuse treatment records, neither Part 2 or HIPAA applies to employers to implement and administer Drug Free Workplace Act or other workplace-related substance abuse policies. However, the Americans with Disabilities Act (ADA) of 1990, the Civil Rights Act of 1964, the Family and Medical Leave Act (FMLA) of 1993, the National Labor Relations Act (NRLA) of 1935, state common law or statutory privacy, confidentiality, employment and other laws, and a variety of other federal and state laws may restrict employer use and access to, and require employers to protect the confidentiality of drug testing and other substance use and abuse screening, treatment and other substance abuse related records. Consequently, while employers are not directly subject to Part 2 and HIPAA, they nevertheless need to ensure compliance with other applicable requirements, particularly since violations of these employer rules tend also to carry potentially substantial liability.

New Part 2 Revisions

The revisions will bring the Part 2 program privacy and confidentiality requirements into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules, as well as require enhanced coordination among providers treating patients for substance abuse disorders (SUDs), and enhance integration of behavioral health information with other medical records in response to provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). that, among other things, required HHS to bring the Part 2 program into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.

Among other things, the Final Rule makes the following modifications to Part 2:

Allows a single patient consent for all future uses and disclosures for treatment, payment, and health care operations.
Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.¹
Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.²
Applies the same requirements of the HIPAA Breach Notification Rule³ to breaches of records under Part 2.
Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part2.
Adds an express statement that segregating or segmenting Part 2 records is not required.
Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.⁴
Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
Creates a new right for patients to opt out of receiving fundraising communications.
Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
Requires a separate patient consent for the use and disclosure of SUD counseling notes.
Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.

Given the concurrent applicability of Part 2 and HIPAA and the Part 2 revisions’ incorporation of HIPAA standards and requirements, providers subject to Part 2 should confirm the compliance of their policies and practices with both the specific requirements of Part 2 and HIPAA generally. When evaluating compliance, covered entities should keep in mind that along with the Part 2 changes, OCR’s applicable regulatory and enforcement HIPAA guidance also has undergone significant change in recent months. The review and update will need to validate compliance with current requirements of both Part 2 and HIPAA, as well as all otherwise applicable federal and state laws and ethical standards. Verifying compliance is particularly important because the Biden Administration has made expansion and enforcement of federal rules protecting access to treatment and safeguarding the confidentiality of mental health and substance abuse treatment records a top priority. In light of this emphasis, all health care providers should act promptly to review and update their policies with these Part 2 changes.as well as other HIPAA and related federal and state changes.

For More Informational

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

This entry was posted on Thursday, February 29th, 2024 at 11:50 am and is filed under Health Care. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.