Important changes are coming to 42 CFR Part 2 (Part 2), which deals with the confidentiality of patients’ substance use disorder (SUD) records. On April 16, 2024, the US Department of Health and Human Services (HHS) published a new final rule to update Part 2 (New Rule) in an effort to align the requirements of Part 2 with those found in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Part 2 will now allow patients to sign a single consent for future uses and disclosures of Part 2 records, as opposed to patients previously having to sign individualized consents prior to each disclosure. Following such consent from the patient, a HIPAA-regulated recipient of the Part 2 records may further use and disclose those records as permitted under HIPAA, except for civil, criminal, administrative or legislative proceedings against the individual who is the subject of the Part 2 records. Additionally, breaches of Part 2 information now must be addressed in the same manner as other breaches involving unsecured protected health information (for instance, by requiring certain notifications be made within no more than 60 calendar days from the discovery of the breach). Finally, civil penalties for violations of Part 2 have been added, thus making the penalties consistent with those available under HIPAA. Any entities or providers who are subject to Part 2 must comply with the New Rule by February 16, 2026, or risk incurring significant penalties under the new Part 2 regime.
One of the most notable changes under the New Rule is that Part 2 violation penalties and HIPAA violation penalties are now aligned. Previously, Part 2 violations were only subject to criminal penalties. The disciplinary framework under the New Rule allows for both civil and criminal penalties for a Part 2 violation. On the civil side, penalty fines can be up to $1.5 million per calendar year, depending on the severity of the violation. On the criminal side, penalty fines can be up to $250,000, with imprisonment from one to 10 years, depending on the severity of the violation.
Given the significant changes to Part 2 and the approaching date for compliance, entities and providers subject to Part 2 should, at a minimum, review and update their materials and procedures related to:
- Patient consent;
- Disclosure of patient information;
- Medical records/documentation;
- Patient rights;
- Breach notification;
- Patient notices (i.e., Notice of Privacy Practices); and
- Data storage and segregation.
Some next steps are purely internal but will require collaboration to ensure that the technical and administrative aspects align. Other steps are patient-facing and will require updates to documentation, combined with operationalizing communications to patients. In addition, internal training materials should be updated to account for the various Part 2 changes, and staff should be educated about the updated requirements and the severity of consequences that could result from willful or inadvertent non-compliance.
The New Rule’s updated penalties represent a distinct shift towards stricter and more punitive enforcement regarding the confidentiality of SUD records and compliance with Part 2 generally. Entities and providers subject to Part 2 should begin reviewing and revising their policies and procedures now to ensure compliance with the New Rule by 2026 in light of the expected more punitive enforcement landscape.
Dallas
