A proposed regulation aims to make it easier for providers to coordinate care among patients suffering from substance use disorder (SUD) by harmonizing privacy protections for those patients’ medical records. The notice of proposed rulemaking, released on November 28, 2022, by the Department of Health and Human Services (HHS), strives for a balance between protecting privacy and facilitating information sharing between providers.
“Varying requirements of privacy laws can slow treatment, inhibit care and perpetuate negative stereotypes about people facing substance use challenges,” said HHS Secretary Xavier Becerra in a statement. The goal of the proposal is to bring regulations that protect patient records in federally run SUD programs into greater alignment with parts of the Health Insurance Portability and Accountability Act (HIPAA).
More on Proposed Rule
Proposed changes include modifying consent requirements so that rather than requiring specific patient consent for each new disclosure, Part 2 programs will be able to obtain a single patient consent for all future treatment, payment and operational (TPO) disclosures. Rather than listing specific receiving entities, programs will be able to list categories of permissible recipients, such as “my providers.”
This modification also allows Part 2 programs, HIPAA-covered entities and business associates in receipt of Part 2 records to redisclose Part 2 records for any permissible purpose under HIPAA, except in certain legal proceedings against the patient. This is a significant change that will ease the ability to share meaningful patient information without consent barriers.
The proposed rule will also increase HHS’ enforcement authority, specifically by applying enforcement capabilities permitted under HIPAA to violations of Part 2. Further, the proposed rule institutes processes for complaints and certain prohibitions. It would require Part 2 programs to create a process for receiving complaints regarding their compliance with Part 2, prohibit discrimination and retaliation against patients for exercising their rights to complain, and prohibit Part 2 programs from requiring patients to waive their right to file a complaint as a condition for treatment, payment or enrollment in the Part 2 program.
The proposed rule will also broaden certain restrictions on the use of Part 2 records as evidence in criminal proceedings against patients, expanding the protections to cover civil, administrative or legislative proceedings. Additionally, the rule would change the de-identification standard for Part 2 records to align with the de-identification standard found in the HIPAA regulations. Currently, Part 2’s de-identification standard is met by “[r]endering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).” The HIPAA standard is significantly more prescriptive, requiring the removal of 18 specific identifiers or the certification by a de-identification expert that there is no reasonable basis to believe a patient could be identified based on the available data elements.
Regarding breach notification, the proposed rule would require Part 2 programs to implement policies and procedures for notifications of breaches of unsecured (i.e., unencrypted) Part 2 records consistent with the HIPAA regulations. Part 2 programs that were not subject to HIPAA did not previously have a notification obligation in the event there was an unauthorized disclosure of Part 2 records.
Finally, the proposed rule would align the patient notice requirements under Part 2 and the HIPAA regulations, incorporating many of the content requirements imposed by HIPAA into the Patient Notice required by Part 2. Currently, Part 2 only requires that the Patient Notice include a summary of Part 2’s restrictions. The proposed rule would require Part 2 programs to incorporate the same key elements of a HIPAA notice of privacy practices (NPP), including a full description of the permitted uses and disclosures of Part 2 records and in what circumstances separate patient consent must be obtained.