On February 8, 2024, the U.S. Department of Health & Human Services (HHS) through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights announced a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). With this final rule, HHS is implementing the confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (enacted March 27, 2020), which require the Department to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act (HITECH).
The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.
The modifications in this final rule reflect the proposals published in the December 2, 2022, Notice of Proposed Rulemaking (NPRM) and public comments received from: substance use disorder and other advocacy groups; trade and professional associations; behavioral and other health providers; health information technology vendors and health information exchanges; state, local, tribal and territorial governments; health plans; academic institutions, including academic health centers; and unaffiliated or anonymous individuals. Following a 60-day comment period, HHS analyzed and carefully considered all comments submitted from the public on the NPRM and made appropriate modifications before finalizing.
The final rule includes the following modifications to Part 2 that were proposed in the NPRM:
In addition to finalizing modifications to Part 2 that were proposed in the NPRM, the Final Rule includes further modifications informed by public comments, notably the following:
As has always been the case under Part 2, patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written patient consent or a court order.
Records obtained in an audit or evaluation of a Part 2 program cannot be used to investigate or prosecute patients, absent written consent of the patients or a court order that meets Part 2 requirements.
The final rule may be downloaded at https://www.federalregister.gov/public-inspection/2024-02544/confidentiality-of-substance-use-disorder-patient-records. HHS will support implementation and enforcement of this new rule, including through resources related to behavioral health developed by the SAMHSA-sponsored Center of Excellence for Protected Health Information . Persons subject to this regulation must comply with the applicable requirements of this final rule two years after the date of its publication in the Federal Register. The Department will conduct outreach and develop guidance on how to comply with the new requirements, such as filing breach reports when required.
OCR plans to finalize changes to the HIPAA Notice of Privacy Practices (NPP) to address uses and disclosures of protected health information that is also protected by Part 2 along with other changes to the NPP requirements, in an upcoming final rule modifying the HIPAA Privacy Rule.
HHS planning to implement in separate rulemaking the CARES Act antidiscrimination provisions that prohibit the use of patients’ Part 2 records against them.
1 However, these records cannot be used in legal proceedings against the patient without specific consent or a court order, which is more stringent than the HIPAA standard.
2 See 42 U.S.C. 1320d–5 and 1320d-6.
3 Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term “Breach”. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification requirements, discussed in detail below.