Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Enhancing Privacy Protections for Substance Use Disorder Patient Records

Client Alert
February 16, 2024

On February 8, 2024, the U.S. Department of Health and Human Services (“HHS”) finalized updated rules to 42 CFR Part 2 (“Part 2”) for the protection of Substance Use Disorder (“SUD”) patient records. The updated rules reflect the requirement that the Part 2 rules be more closely aligned with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, breach notification, and enforcement rules as mandated by the Coronavirus Aid, Relief, and Economic Security Act of 2020.

Part 2 protects the SUD treatment records of patients who are treated at a Part 2 program. Part 2 programs are those that are (1) federally assisted (they receive federal funding) and (2) hold themselves out as providing, and do provide, substance use disorder diagnosis, treatment, or referral for treatment. The final rules released by HHS this month reflect the inclusion of the public comments from providers, trade associations, health information exchanges, health plans and others.

The final rules make the following modifications to Part 2 regulations, effective February 16, 2026:

  • Patient Consent: One single Part 2 consent will be sufficient for all future disclosures for payment, treatment, and health care operations. All disclosures made with patient consent must include a copy of the consent or a clear explanation of the scope of consent. Previously, a separate consent was needed for each disclosure of Part 2 information. However, the final rules do retain a prohibition on the use of Part 2 records in legal proceedings and testimony in civil, criminal, administrative, and legislative proceedings against a patient without specific consent or a court order.
  • Counseling Notes: Like HIPAA psychotherapy records, a separate patient consent for the use and disclosure of SUD counseling notes is now required. SUD counseling notes include those analyzing the conversation in a SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record.
  • Patient Notice: Part 2 patient notice requirements now align with the requirements of the HIPAA Notice of Privacy Practices.
  • Redisclosure: HIPAA covered entities and business associates that receive records under a Part 2 consent may redisclose those records according to HIPAA regulations. Previously, Part 2 regulations required a specific disclosure that was stricter than HIPAA redisclosure regulations.
  • Public Health: Part 2 records may now be disclosed to public health authorities without patient consent as long as the records are de-identified.
  • Breach Notification: The HIPAA Breach Notification Rule requirements will also apply to breaches of records under Part 2.
  • Segregation of Part 2 Data: Part 2 records are no longer required to be segregated or segmented from other medical records.
  • Fundraising: Patients will be able to opt out of receiving fundraising communications from Part 2 programs.
  • Complaints: Patients will have a right to file a complaint directly with the Secretary of HHS for an alleged violation of Part 2 in addition to filing a complaint with the Part 2 program.
  • Penalties: Part 2 penalties will be aligned with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.

The text of the final rule can be found on the Federal Register. All Part 2 programs must comply with the new requirements by February 16, 2026. The BMD healthcare team can help ensure that you are compliant. Please reach out to Daphne Kackloudis (dlkackloudis@bmdllc.com) or Jordan Burdick (jaburdick@bmdllc.com) for questions or assistance.

Health LawHealthcare Policysubstance abuseDaphne KackloudisJordan Burdick
Client Alert

Recent HIPAA Breach Settlements - Lessons Learned

June 19, 2023According to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the consequences for providers may include settlements of $30,000 to $240,000. OCR recently released two settlements for improper breaches of protected health information (PHI) that are good examples of the major monetary penalties that can result from common HIPAA mistakes.Client Alert

Supreme Court Issues Major False Claims Act Decision

June 5, 2023Client Alert

Telehealth Flexibility Updates: HIPAA, DEA, and CMS

May 12, 2023The Covid-19 Public Health Emergency (PHE) officially ended on May 11, 2023. But what does that mean for telehealth, a field that expanded exponentially during the PHE? Fortunately, many of the flexibilities will remain intact, at least temporarily. This client alert presents a brief overview of the timelines that providers need to follow, but for a more comprehensive review of telehealth flexibilities and when they will endClient Alert, Multimedia

WEBINAR SERIES RECAP | Ending the Public Health Emergency + Post-Pandemic Check-Up

May 10, 2023Some may take the position that the rest of the country already returned to a new “normal” following the COVID-19 pandemic.  But healthcare providers continue to implement COVID protocols and navigate the ever-changing healthcare regulations at both the federal and state levels.  It is important for healthcare providers to take time for a “Healthcare Check-Up” with the start of 2023 and the ending of the Public Health Emergency (“PHE”).Client Alert

Sharp Rise in False Claims Act Cases - Navigating the FCA Waters

May 5, 2023Recently, on April 18, 2023, the United States Supreme Court heard arguments regarding the FCA’s scienter, or mental state, requirement. To prove violation of the FCA, the statute requires that a defendant “knowingly” file false claims for payment. The term “knowingly” is defined within the statute to mean a person that acts with actual knowledge, deliberate ignorance, or reckless disregard. Circuit courts are split on how to interpret and apply the knowledge element of the FCA, and based on the Supreme Court’s decision, there will be a large impact on healthcare defendants and their businesses as well as anyone who contracts with, or receives money from, a federal program. A broader interpretation of the FCA would unnecessarily target and stifle healthcare, and other businesses, for simple errors in daily operations. This goes against the intended application of the FCA, which was to prevent fraudulent activity.
Older posts
Newer posts