HHS Aligns Part 2 Rules with the HIPAA Privacy Rules – Effects on Self-Insured Plan Sponsors
In a December 2023 blog post, we discussed the HHS proposed revisions to the Part 2 regulations and that finalization of those regulations was imminent. On February 8, 2024, HHS through the Substance Abuse and Mental Health Services Administration (“SAMHSA”) and the Office for Civil Rights (“OCR”) announced final regulations modifying the confidentiality of substance use disorder patient records regulations at 42 CFR Part 2 (commonly referred to as “Part 2”). The updated Part 2 rules align certain aspects of Part 2 with the HIPAA privacy rules.
HIPAA and Part 2 Regulations
Some health plan sponsors may have not heard of the Part 2 regulations. Part 2 imposes requirements for substance use disorder (“SUD”) treatment records protected by Part 2. Most of the entities that have or maintain SUD treatment records are also HIPAA covered entities or business associates of HIPAA covered entities. Thus, both regulatory schemes apply and create dual obligations and compliance challenges for HIPAA covered entities and business associates.
The Part 2 regulations will come into play typically with employee assistance programs, as well as mental health and substance abuse disorder vendors for a medical plan. For self-insured health plan sponsors, this typically means that Part 2 regulations will be discussed in an EAP business associate agreement as well as a business associate agreement for a medical plan SUD vendor. Even though a self-insured health plan sponsor contracts with an EAP or SUD vendor and requires the EAP and SUD vendor to comply with Part 2 and the HIPAA privacy rules (as well as signing a BAA), under the HIPAA privacy rules, self-insured health plans remain responsible for HIPAA privacy compliance. As a result, self-insured health plan sponsors will need to determine how the revised Part 2 regulations affect their overall privacy compliance strategy.
Revisions to the Part 2 Regulations
The final Part 2 regulations make a number of revisions that align with the HIPAA rules, including the following:
· Breach of Unsecured Part 2 Records. The final Part 2 regulations add HIPAA's breach notification requirements into the Part 2 regulations. Part 2 programs are now required to comply with the HIPAA breach rule with respect to breaches of unsecured Part 2 records.
· Notice of Part 2 Privacy Practices. The final Part 2 regulations revise the Part 2 patient confidentiality notice requirements. However, an entity that is subject to both Part 2 and HIPAA would be required to do two separate notices.
· Accounting of Disclosures. Similar to the HIPAA rules, the final Part 2 regulations require that a patient, upon request, receive an accounting of all disclosures made with the patient's consent for the three years prior to the date of the request.
· Right to Request Privacy Protection for Part 2 Records. Similar to the HIPAA rules, the final Part 2 regulations permit a patient to request that the Part 2 program restrict uses and disclosures of the patient's SUD records. However, a Part 2 program is not required to agree to a restriction unless the request is to restrict disclosure to a health plan where the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law and the SUD record pertains solely to a healthcare item or service for which the patient, or a person other than the health plan on behalf of the patient, has paid the Part 2 program in full. This too follows the HIPAA rules.
The compliance date for all Part 2 regulation revisions is February 16, 2026 – two years after publication in the Federal Register.
Key Takeaways for Self-Insured Plan Sponsors
Depending on the existing wording of a self-insured plan sponsor’s HIPAA privacy documentation, minor or perhaps major changes may be needed. Key takeaways are as follows:
· Vendor Contracts. Plan sponsors as well as EAPs and SUD vendors should review their agreements to determine if changes are necessary.
· Business Associate Agreements. For vendors that are subject to both Part 2 and HIPAA, plan sponsors should review their business associate agreements to determine if revisions are necessary.
· HIPAA Policies and Procedures Manual. As noted above, a self-insured health plan sponsor is technically liable for all compliance with HIPAA even though sponsors delegate most administration to vendors, including EAPs and SUD vendors. These delegations should be set forth in the vendor contracts, BAAs, as well as the health plan’s policies and procedures manual. In addition, it may be necessary to address that Part 2 records are maintained solely by the health plan’s vendors.
· HIPAA Health Plan Document Provisions. Under HIPAA, a plan sponsor technically could obtain Part 2 records as part of its plan administration functions for the health plan. This would then implicate the Part 2 regulations. Therefore, a health plan sponsor should consider adding language to the health plan document that the health plan sponsor does not maintain or create any records that are subject to Part 2. This should be sufficient to indicate that Part 2 should not apply to a self-insured sponsor, as it relates to HIPAA plan administration.
· HIPAA Notice of Privacy Practices. A self-insured health plan should review its privacy notice to determine if Part 2 records need to be addressed.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.