Health Care Check-Up

Reform of privacy rules related to substance use disorder treatment

Global Publication December 2020

In recent months, there have been several major changes to 42 U.S.C. §290dd–2, often referred to as "Part 2." Part 2 regulations are intended to protect individuals' identifying information and health records obtained by federally assisted treatment programs for substance use disorders ("SUD"). Federally assisted treatment SUD programs are broadly defined and include any SUD programs that receive governmental reimbursement, such as Medicare or that are tax exempt, and thus the applicability of Part 2 is quite broad. The added privacy protocols are a way to encourage individuals to seek and enter treatment without fear of stigma associated with unnecessary disclosure, but were often criticized for hindering coordination of care for patients who suffer from both SUD and other medical conditions. Many healthcare policy experts also questioned whether a separate and more rigid set of rules related to SUD, in fact, reinforced the stigma traditionally associated with SUD as compared to other medical conditions.

The escalation of the opioid crises in recent years, the increased use of technology in treatment and medical record creation, and the increased focus on coordinated care culminated in ongoing pressure from the industry to reform the Part 2 rules. Like many things, the trend towards reform was accelerated during the pandemic and, among other things, the current reforms are intended to increase provider access for patient care coordination and simplify the patient consent process for sharing Part 2 records.

This article examines both the effective and proposed changes to Part 2 and their impact on M&A transactions, enforcement, and telehealth providers.

Explanation of changes

2020 Final Rule

The first set of changes to Part 2 were announced on July 15, 2020, by the Substance Abuse and Mental Health Services Administration ("SAMHSA") (part of HHS) and became effective as of August 14, 2020 (the "Final Rule").1 Key changes include:

  • Consent requirements: Although the restriction on the disclosure of SUD treatment records without written patient consent remains intact,2 the Final Rule allows for patients to consent to disclosure of their records more broadly without naming a specific individual or entity receiving the record. Previously, separate written consent was required for each use of the patient's Part 2 records.
  • Applicability and re-disclosure: Previously, treatment records created by non-Part 2 providers became subject to Part 2 restrictions if they incorporated any Part 2 SUD records. Now, segmentation or holding a part of any Part 2 patient record previously received can be used to ensure that new records created by non-Part 2 providers will not become subject to Part 2. This section was modified to facilitate coordination with non-part-2 providers.
  • Permitted disclosures: In response to confusion regarding what activities fall under "payment and health care operations," a list of expanded examples has been moved from the preamble into the body of the regulation.

CARES Act

As the Final Rule was being finalized, the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act)3 further overhauled Part 2. Although the legislative changes to Part 2 are effective immediately, HHS has until March 27, 2021, to finalize the implementing regulations. Key changes include:

  • Consent requirements: The CARES Act changes go further than the Final Rule and more closely aligns Part 2 with HIPAA regulations. Although written patient consent is still required, once consent has been obtained, the record may be used or disclosed "for purposes of treatment, payment, and health care operations by covered entities (as defined by the HIPAA regulations), business associates, or a Part 2 program as permitted by the HIPAA regulations, which replaces the requirement to obtain patient consent for each use of their Part 2 record.
  • Elimination of criminal fines: The CARES Act legislation adopts HIPAA fines and penalties in place of the Part 2 criminal enforcement mechanism and obligates providers and facilities to comply with HIPAA breach notification requirements.

Impact of Part 2 Changes

Impact on M&A transactions

The Final Rule clarifies provisions related to disclosure of SUD information for treatment, payment and health care operational activities, as there had previously been uncertainty surrounding what activities were covered. Although SAMHSA further clarified that the list is meant to be illustrative and not an exhaustive list of all payment and health care operations activities, the revised list of permitted activities specifically includes "the sale, transfer, merger, consolidation, or dissolution of an organization." The clarification that patient consent is not needed for specific uses, including due diligence (which was not clear prior to this change) gives Part 2 entities (and their counsel) assurance that the use of the Part 2 records throughout the course of due diligence and other activities associated with the sale, merger, or closure of a Part 2 entity will not run afoul of Part 2 regulations. This clarification combined with the CARES Act changes that push Part 2 to align more closely with HIPAA may allow dealmakers to be less burdened by no longer having to comply with two regulatory regimes and feel more comfortable following standard HIPAA procedures concerning due diligence, disclosure of protected health information (PHI), etc.

Impact on enforcement

The current Part 2 enforcement structure requires a US Attorney to initiate criminal charges and seek fines under the US Criminal Code, which limits fines to $5,000 to $10,000 per violation. The CARES Act legislation establishes civil money penalties for violations of Part 2, replacing the current criminal enforcement mechanism. The legislation adopts HIPAA fines and penalties, which can range from $100 to $50,000 per violation (which can result in massive monetary penalties). Additionally, pursuant to the CARES Act, Part 2 entities are obligated to comply with HIPAA breach notification requirements. If the final regulations promulgated by SAMHSA apply this enforcement authority similarly to how HHS enforces HIPAA, providers will be at greater risk for financial penalties resulting from Part 2 violations. On the other hand, the elimination of a criminal fine should provide relief to Part 2 entities and providers will no longer face the threat of criminal prosecution. Providers should note that Part 2 programs that were not already subject to HIPAA will need to create or review their privacy and security incident plans.

Impact on providers and telehealth

The Part 2 regulations have been slow to adapt to the increased use of technology for things such as electronic medical record and for treatment via electronic means. The COVID-19 pandemic caused a surge in the need for accessible telebehavioral health services. Both the CARES Act and the Final Rule make it easier for behavioral health providers to coordinate with non-Part 2 providers by streamlining the consent process to allow for broader use of patient records with a single written consent and removing other operational roadblocks.

The CARES Act changes clarify that treatment records created by non-Part 2 providers are not covered by Part 2. Now, Part 2 patient records previously received can be segregated to ensure that new records created by non-Part 2 providers will not become subject to Part 2. This facilitates coordination of care activities among non-Part-2 providers without the fear of inadvertently violating Part 2 by sharing the record with other providers that are part of a SUD patient's non-SUD treatment.

The cumulative changes in consent requirements and re-disclosure rules allow telehealth providers, with patients' written consent, to more easily coordinate care with non-Part 2 providers and conduct efforts such as quality improvement, claims management, and patient safety.

Conclusion

Overall these reformations to Part 2 should streamline the compliance process by more closely aligning the consent and disclosure process with HIPAA rules that are already familiar to healthcare providers and facilities. However, the potential ramifications of non-compliance are now quite significant and the likelihood of enforcement is higher, so care must be taken to ensure compliance policies and trainings are up to date with these new regulations.

 

1 85 Fed. Reg. 42,987 (July 15, 2020)

2 Statutory exceptions to consent still apply in the context of a bona fide medical emergency; or for the purpose of scientific research, audit, or program evaluation; or based on an appropriate court order.

3 Coronavirus Aid, Relief, and Economic Security Act, Pub. L. No 116-136, 134 Stat 281 (March 27, 2020) (the "Cares Act")

 


Recent publications

Subscribe and stay up to date with the latest legal news, information and events...