Confidentiality of Substance Use Disorder Patient Records: What to Know About Updates to Part 2

February 15, 2024

The U.S. Department of Health & Human Services (HHS), through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR), has announced a final rule (the Rule) updating the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 (Part 2). 

The Rule implements the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which requires HHS to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information and Technology for Economic and Clinical Health Act (HITECH). 

Here are ten things to know about the new, major changes to the Part 2 regulations, including new patient rights, provider responsibilities, and penalties for noncompliance:

What is the purpose of updating Part 2? 

Part 2 applies to any federally assisted program that provides diagnosis, treatment or referral for treatment of a substance use disorder (SUD). Its goal is to increase access to treatment by protecting patient confidentiality.

By restricting the disclosure of SUD records, Part 2 protects patients against potential adverse consequences from seeking treatment. However, these restrictions can also limit the ability of providers to share information necessary to coordinate care, leading to lower efficiency and higher costs.

In response, the new Rule aligns Part 2 requirements with those of HIPAA to improve coordination of care while safeguarding patient privacy. 

How does the Rule modify patient consent requirements?

Previously, Part 2 required a patient’s separate written consent for each disclosure of SUD treatment records. The new Rule allows a patient to give written consent a single time for all future uses and disclosures for treatment, payment and health care operations. Patients may revoke consent at any time.

By simplifying the requirements to use and disclose SUD records, the Rule seeks to make it easier for healthcare providers to share treatment information without compromising patient confidentiality. That may make it easier for providers to coordinate care. 

When can providers redisclose SUD records?

The Rule permits redisclosure of SUD records to some entities without additional patient consent. HIPAA-covered entities and business associates that receive SUD records may redisclose those records in accordance with the HIPAA Privacy Rule. In the rare instance that a provider is covered by Part 2 but not HIPAA, the provider may redisclose SUD records consistent with the scope of the patient’s consent. This also may contribute to coordinated care, but providers should understand limitations on when they can and cannot redisclose SUD records.

What are SUD counseling notes, and how are they protected?

The revised Rule adds a definition for SUD counseling notes, which were not previously defined under Part 2. The new provision mirrors the HIPAA protections for psychotherapy notes. SUD counseling notes are notes that are recorded by a SUD or mental health professional during a SUD counseling session and that are separated from the rest of the patient’s record. Providers must obtain separate written consent to use or disclose a patient’s SUD counseling notes, and they cannot be used or disclosed based on a broad consent for treatment, payment and health care operations. Part 2 providers’ policies should account for this new category of SUD records.

What new rights will patients have?

The Rule creates two new patient rights, based on rights under the HIPAA Privacy Rule, that providers must honor. Patients will have the right to:

  • Receive an accounting of any disclosures of their SUD records in the three years prior to their request. Unlike HIPAA, this includes disclosures of records for treatment, payment and health care operations if they are made through an electronic health record.
  • Request restrictions on disclosures of their records for treatment, payment and health care operations. Patients also have the right to obtain restrictions on disclosures to the patient’s health plan for services for which the patient has paid in full.

How will Patient Notice requirements change?

The new Rule expands the Patient Notice requirements under Part 2 to require a broader Notice of Privacy Practices based on the requirements of the HIPAA Notice of Privacy Practices. Part 2 programs will now need to provide a written notice of the program’s legal duties and privacy practices to inform patients about their rights and the protections of their records, including the permitted uses and disclosures under the Rule and limitations on disclosures for legal proceedings. 

We expect HHS OCR to modify the HIPAA Notice of Privacy Practices in an upcoming rulemaking to address uses and disclosures of protected health information that is also covered by Part 2.  

How does the Rule expand patient privacy in legal proceedings?

The new Rule narrows the scope of when providers can disclose records for legal proceedings. Previously, Part 2 prohibited the use and disclosure of SUD records in criminal proceedings. The new Rule extends this prohibition to include all criminal, civil, administrative and legislative proceedings against a patient. Under the Rule, neither SUD records nor testimony relaying the contents of SUD records may be introduced into evidence, relied upon to inform any administrative decision, taken into account in any administrative proceeding, used for any law enforcement purpose or investigation or used to apply for a warrant without a court order or the consent of the patient.

How will the Rule be enforced?

Previously, Part 2 violations were only punishable by criminal charges. The new Rule authorizes civil penalties in addition to criminal penalties. The civil penalties will correspond to the value of civil penalties under HIPAA.

What must providers do if SUD records are breached?

The Rule now applies the same requirements as the HIPAA Breach Notification Rule to breaches of patient records subject to Part 2. In the event of a breach, providers must notify affected individuals, the Secretary of HHS and in some cases the media. Any provider that handles SUD records should have an incident response plan before a breach occurs.

When does the Rule become applicable?

The Rule will become effective 60 days after the date of its publication in the Federal Register, scheduled for February 16, 2024. Anyone subject to the Rule must comply with its applicable requirements two years after publication, on February 16, 2026.

We expect HHS to release additional guidance regarding compliance with the new Rule, such as how to file breach reports. 

The Orrick Team is monitoring updates and is available to support your organization’s compliance needs. We can help clients build and enhance HIPAA and/or consumer health-data compliance programs that are tailored to their organization’s needs. Please contact the authors (Thora Johnson, Kyle Kessler, Cosmas Robless, and Michaela Frai) or another Orrick team member if you have questions.