HHS final rule modifies confidentiality of SUD records

© yavdat - stock.adobe.com

Published February 16 with an effective date of April 16 and a compliance date of February 16, 2026, the U.S. Department of Health and Human Services issued its final rule, which considered the comments of the December 2, 2022 notice of proposed rule-making (NPRM) for the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR Part 2. Additional modifications to “increase alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to improve workability and decrease burden on programs, covered entities, and business associates.” 89 Fed. Reg. 12472 (Feb. 16). The impetus behind these amendments stem from the Coronavirus Aid, Relief, and Economic Security (CARES) Act, §3221, Confidentiality and Disclosure of Records Relating to Substance Use Disorder.

By way of background, 42 CFR Part 2: Confidentiality of Substance Use Disorder Patient Records (“Part 2”) was promulgated in 1975, nearly twenty-one (21) years before HIPAA passed, “to address concerns about the potential use of Substance Use Disorder (SUD) information in non-treatment based settings.” The agency tasked with the administration and oversight of Part 2 is the Substance Abuse and Mental Health Services Administration (SAMHSA). As set forth in the February 8 HHS Bulletin, “[t]he Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.”

What are some of the crucial changes in the New Part 2 Rule and how do they align with HIPAA and the HITECH Act?

The final rule includes the following modifications to Part 2 that were proposed in the NPRM:

• Patient Consent
  • Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
  • Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.1
• Other Uses and Disclosures
  • Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
  • Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
• Penalties: Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.2
• Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule3 to breaches of records under Part 2.
• Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
• Safe Harbor: Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.

And what substantive changes have occurred since the Notice of Proposed Rule Making, which are a direct result of the public comments during the NPRM period? The list follows:

• Safe Harbor: Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.
• Segregation of Part 2 Data: Adds an express statement that segregating or segmenting Part 2 records is not required.
• Complaints: Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
• SUD Counseling Notes: Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.
• Patient Consent:
  • Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
  • Requires a separate patient consent for the use and disclosure of SUD counseling notes.
  • Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.
• Fundraising: Create a new right for patients to opt out of receiving fundraising communications.

Importantly, just as HIPAA has law enforcement exceptions and patient consent requirements, so does Part 2. The longtime requirement that SUD treatment records cannot be used to investigate or prosecute a patient without patient consent or a court order remain intact. Covered entities and business associates alike should be on the lookout for final changes to the HIPAA Notice of Privacy Practices and the alignment with Part 2, as well as the impending HIPAA Privacy Rule Final Rule and a separate rule making related to anti-discrimination of Part 2 records in accordance with the CARES Act. Overall, these items cannot be overlooked and revamping internal policies and procedures and training cannot be understated.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.