SAMHSA Issues Final Reg Aligning 42 CFR Part 2 With HIPAA - McDermott+

SAMHSA Issues Final Reg Aligning 42 CFR Part 2 With HIPAA

SAMHSA Issues Final Reg Aligning 42 CFR Part 2 With HIPAA


McDermottPlus is pleased to bring you Regs & Eggs, a weekly Regulatory Affairs blog by Jeffrey DavisClick here to subscribe to future blog posts.

February 15, 2024 – Last week, the Substance Abuse and Mental Health Services Administration (SAMHSA) within the US Department of Health and Human Services (HHS) issued a long-awaited final reg that aims to better align 42 CFR Part 2.  This esoteric, but extremely important, reg governs the confidentiality of patient records for the treatment of substance use disorder (SUD), with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). SAMHSA also released a fact sheet on the reg.

To help provide background on Part 2 and this final rule, I’m bringing in my colleague Katie Waldo.

Part 2 in general covers SUD treatment and rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and clinicians who “provide substance use disorder diagnosis, treatment, or referral for treatment.” Over the years, a major policy debate has centered on whether 42 CFR Part 2 should be modified to align more closely with the HIPAA rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Under 42 CFR Part 2 requirements, sharing medical records of patients seeking treatment for SUD requires patient consent except under limited circumstances, including bona fide medical emergencies. Conversely, under HIPAA, healthcare “providers” and other “covered entities” can use protected health information about a patient for treatment, payment or healthcare operations without the patient’s consent. Many stakeholders have expressed the belief that these inconsistent rules between Part 2 and HIPAA create barriers to information sharing by patients and clinicians.

In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which includes a provision that aligns certain Part 2 requirements more closely to HIPAA. Specifically, section 3221 of the law modifies Part 2 by permitting uses and disclosures for treatment, payment or healthcare operations and establishing certain patient rights with respect to patients’ Part 2 records. Section 3221 also restricts the use and disclosure of Part 2 records in legal proceedings and sets civil and criminal penalties for violations. Finally, section 3221 requires HHS to modify the Notice of Privacy Practices requirements so that HIPAA covered entities and Part 2 programs provide notice to individuals regarding privacy practices related to Part 2 records, including patients’ rights and the uses and disclosures that are allowed or required without authorization.

As is the case for many complicated policies, even after Congress passed the law, it took a long time for HHS to determine how to implement it. HHS issued a proposed regulation in 2022 to carry out this provision, and now, more than a year later, has finalized the reg.

Major policies in the final reg include:

  • Permitting the use and disclosure of Part 2 records based on a single patient consent for treatment, payment and healthcare operations
  • Permitting re-disclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions
  • Creating new patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule
  • Expanding prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative and legislative proceedings
  • Creating new HHS enforcement authority, including replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that apply to HIPAA violations
  • Applying the HITECH Act breach notification provisions that are currently implemented in the HIPAA Breach Notification Rule to breaches of records by Part 2 programs
  • Updating HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records
  • Creating a safe harbor for investigative agencies that receive Part 2 records without having first obtained a court order
  • Establishing new patient consent requirements, including requiring separate patient consent for the use and disclosure of SUD counseling notes

HHS plans to provide a two-year compliance buffer to give entities subject to the final reg enough time to establish and implement all the final policies and practices. The compliance date is February 16, 2026.

McDermott+Consulting and McDermott Will & Emery are still reviewing this final reg and will produce a more comprehensive summary in the coming weeks.

Until next week, this is Jeffrey (and Katie) saying, enjoy reading regs with your eggs!


For more information, please contact Jeffrey Davis. To access the full archive of Regs & Eggs, visit the American College of Emergency Physicians.

To subscribe to Regs & Eggs, please CLICK HERE.