Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Enhancing Privacy Protections for Substance Use Disorder Patient Records

Client Alert
February 16, 2024

On February 8, 2024, the U.S. Department of Health and Human Services (“HHS”) finalized updated rules to 42 CFR Part 2 (“Part 2”) for the protection of Substance Use Disorder (“SUD”) patient records. The updated rules reflect the requirement that the Part 2 rules be more closely aligned with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, breach notification, and enforcement rules as mandated by the Coronavirus Aid, Relief, and Economic Security Act of 2020.

Part 2 protects the SUD treatment records of patients who are treated at a Part 2 program. Part 2 programs are those that are (1) federally assisted (they receive federal funding) and (2) hold themselves out as providing, and do provide, substance use disorder diagnosis, treatment, or referral for treatment. The final rules released by HHS this month reflect the inclusion of the public comments from providers, trade associations, health information exchanges, health plans and others.

The final rules make the following modifications to Part 2 regulations, effective February 16, 2026:

  • Patient Consent: One single Part 2 consent will be sufficient for all future disclosures for payment, treatment, and health care operations. All disclosures made with patient consent must include a copy of the consent or a clear explanation of the scope of consent. Previously, a separate consent was needed for each disclosure of Part 2 information. However, the final rules do retain a prohibition on the use of Part 2 records in legal proceedings and testimony in civil, criminal, administrative, and legislative proceedings against a patient without specific consent or a court order.
  • Counseling Notes: Like HIPAA psychotherapy records, a separate patient consent for the use and disclosure of SUD counseling notes is now required. SUD counseling notes include those analyzing the conversation in a SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record.
  • Patient Notice: Part 2 patient notice requirements now align with the requirements of the HIPAA Notice of Privacy Practices.
  • Redisclosure: HIPAA covered entities and business associates that receive records under a Part 2 consent may redisclose those records according to HIPAA regulations. Previously, Part 2 regulations required a specific disclosure that was stricter than HIPAA redisclosure regulations.
  • Public Health: Part 2 records may now be disclosed to public health authorities without patient consent as long as the records are de-identified.
  • Breach Notification: The HIPAA Breach Notification Rule requirements will also apply to breaches of records under Part 2.
  • Segregation of Part 2 Data: Part 2 records are no longer required to be segregated or segmented from other medical records.
  • Fundraising: Patients will be able to opt out of receiving fundraising communications from Part 2 programs.
  • Complaints: Patients will have a right to file a complaint directly with the Secretary of HHS for an alleged violation of Part 2 in addition to filing a complaint with the Part 2 program.
  • Penalties: Part 2 penalties will be aligned with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.

The text of the final rule can be found on the Federal Register. All Part 2 programs must comply with the new requirements by February 16, 2026. The BMD healthcare team can help ensure that you are compliant. Please reach out to Daphne Kackloudis (dlkackloudis@bmdllc.com) or Jordan Burdick (jaburdick@bmdllc.com) for questions or assistance.

Health LawHealthcare Policysubstance abuseDaphne KackloudisJordan Burdick
Client Alert

In Cybersecurity– A Good Offense is the Best Defense

November 16, 20212021 has been a watershed moment for cybersecurity incidents as cybercrime has become a frequent headline and cyber criminals have thrived on unsuspecting and/or unprepared businesses and institutions. For example, the Solar Winds attack exposed sensitive data from top companies like Microsoft as well government agencies[1] and the Colonial Pipeline attack substantially disrupted the petroleum supply chain[2]. We have seen an almost 20% increase in data breaches and attacks since last year.Client Alert

Changes to Medicare’s Physician Fee Schedule and Outpatient Prospective Payment System

November 15, 2021Come the beginning of 2022, both the Medicare Physician Fee Schedule (“MPFS”) and Outpatient Prospective Payment System (“OPPS”) will look a little different. As a refresher, the MPFS lists the fees associated with reimbursement of services to providers at certain facilities, taking into account geography and costs. By contrast, OPPS sets reimbursement rates for hospitals and community mental health centers for outpatient services, which are determined in advance. A summary of some of the more pertinent changes to each rule will be outlined below.Client Alert

CMS to Once Again Reprocess Outpatient Clinic Claims

November 11, 2021The Hospital Outpatient Prospective Payment System (OPPS) Rule was passed in November 2018, which was intended to prevent the Centers for Medicare and Medicaid Services (CMS) from paying more for services rendered in outpatient settings than what they paid for the same services rendered in physician offices that are simply owned by hospitals or health systems.[1]Client Alert

New Vaccine Requirement for Select CMS-Participating Facilities

November 10, 2021On November 4, 2021, the Centers for Medicare and Medicaid (“CMS”) released a new rule requiring certain healthcare facilities to implement policies requiring employees to be vaccinated against COVID-19. It does not matter if a staff member does not perform patient treatment services, they must still be vaccinated if an employee of an applicable facility.Client Alert

OSHA COVID-19 EMERGENCY TEMPORARY STANDARD (ETS) Vaccination, Testing, Recordkeeping, and Reporting

November 5, 2021The Occupational Safety and Health Administration has issued its long-awaited COVID-19 Emergency Temporary Standard (ETS). Note that the ETS does not apply to employers covered under the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors or Subcontractors (see here), or to settings where employees provide healthcare services subject to OSHA’s ETS for the healthcare industry (see here).
Older posts
Newer posts