HIPAA and Part 2


Issuance of the 2022 Notice of Proposed Rulemaking

On November 28, 2022, the U.S. Department of Health & Human Services, through the Office for Civil Rights (OCR) in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), issued a Notice of Proposed Rulemaking to revise the Confidentiality of Substance Use Disorder Patient Records regulations. The regulations at 42 CFR part 2 (“Part 2”) protect the confidentiality of substance use disorder (SUD) treatment records. Part 2 protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.

Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (enacted March 27, 2020) requires the Secretary to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Section 3221 of the CARES Act also requires the Secretary to update the HIPAA Privacy Rule Notice of Privacy Practices requirements to address Part 2 protections and individual rights.

The NPRM proposes to: 

  • Permit Part 2 programs to use and disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations.
  • Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions.
  • Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient.
  • Create two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
    • Right to an accounting of disclosures
    • Right to request restrictions on disclosures for treatment, payment, and health care operations.
  • Require disclosures to the Secretary for enforcement.
  • Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations.
  • Require Part 2 programs to establish a process to receive complaints of Part 2 violations.
  • Prohibit Part 2 programs from taking adverse action against patients who file complaints.
  • Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Apply the standards in the HITECH Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs.
  • Modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Notice of Privacy Practices.
  • Modify the HIPAA Notice of Privacy Practices requirements for covered entities who receive or maintain Part 2 records to include a provision limiting redisclosure of Part 2 records for legal proceedings according to the Part 2 standards.
  • Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records in the course of investigating or prosecuting a Part 2 program, when certain preconditions are met.

While the Department is undertaking this rulemaking, the current Part 2 regulations remain in effect.

HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments through regulations.gov.

Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register.

The NPRM may be viewed or downloaded at: https://www.federalregister.gov/public-inspection/2022-25784/confidentiality-of-substance-use-disorder-patient-records

Content created by Office for Civil Rights (OCR)
Content last reviewed