Fact Sheet 42 CFR Part 2 Final Rule 

Date: February 8, 2024

On February 8, 2024, the U.S. Department of Health & Human Services (HHS) through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights announced a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). With this final rule, HHS is implementing the confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (enacted March 27, 2020), which require the Department to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Background

The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.

The modifications in this final rule reflect the proposals published in the December 2, 2022, Notice of Proposed Rulemaking (NPRM) and public comments received from: substance use disorder and other advocacy groups; trade and professional associations; behavioral and other health providers; health information technology vendors and health information exchanges; state, local, tribal and territorial governments; health plans; academic institutions, including academic health centers; and unaffiliated or anonymous individuals. Following a 60-day comment period, HHS analyzed and carefully considered all comments submitted from the public on the NPRM and made appropriate modifications before finalizing.

Major Changes in the New Part 2 Rule

The final rule includes the following modifications to Part 2 that were proposed in the NPRM:

• Patient Consent
  • Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
  • Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.¹
• Other Uses and Disclosures
  • Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
  • Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
• Penalties: Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.²
• Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule³ to breaches of records under Part 2.
• Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
• Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.

Substantive Changes Made Since the NPRM

In addition to finalizing modifications to Part 2 that were proposed in the NPRM, the Final Rule includes further modifications informed by public comments, notably the following:

• Safe Harbor: Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
• Segregation of Part 2 Data: Adds an express statement that segregating or segmenting Part 2 records is not required.
• Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
• SUD Counseling Notes: Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.⁴
• Patient Consent:
  • Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
  • Requires a separate patient consent for the use and disclosure of SUD counseling notes.
  • Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.
• Fundraising: Create a new right for patients to opt out of receiving fundraising communications.

What has not changed in Part 2?

As has always been the case under Part 2, patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written patient consent or a court order.

Records obtained in an audit or evaluation of a Part 2 program cannot be used to investigate or prosecute patients, absent written consent of the patients or a court order that meets Part 2 requirements.

What comes next?

The final rule may be downloaded at https://www.federalregister.gov/public-inspection/2024-02544/confidentiality-of-substance-use-disorder-patient-records. HHS will support implementation and enforcement of this new rule, including through resources related to behavioral health developed by the SAMHSA-sponsored Center of Excellence for Protected Health Information . Persons subject to this regulation must comply with the applicable requirements of this final rule two years after the date of its publication in the Federal Register. The Department will conduct outreach and develop guidance on how to comply with the new requirements, such as filing breach reports when required.

OCR plans to finalize changes to the HIPAA Notice of Privacy Practices (NPP) to address uses and disclosures of protected health information that is also protected by Part 2 along with other changes to the NPP requirements, in an upcoming final rule modifying the HIPAA Privacy Rule.

HHS planning to implement in separate rulemaking the CARES Act antidiscrimination provisions that prohibit the use of patients’ Part 2 records against them.

Endnotes:

¹  However, these records cannot be used in legal proceedings against the patient without specific consent or a court order, which is more stringent than the HIPAA standard.

²  See 42 U.S.C. 1320d–5 and 1320d-6.

³  Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term “Breach”. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification requirements, discussed in detail below.

⁴  See https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html.