Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Enhancing Privacy Protections for Substance Use Disorder Patient Records

Client Alert
February 16, 2024

On February 8, 2024, the U.S. Department of Health and Human Services (“HHS”) finalized updated rules to 42 CFR Part 2 (“Part 2”) for the protection of Substance Use Disorder (“SUD”) patient records. The updated rules reflect the requirement that the Part 2 rules be more closely aligned with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, breach notification, and enforcement rules as mandated by the Coronavirus Aid, Relief, and Economic Security Act of 2020.

Part 2 protects the SUD treatment records of patients who are treated at a Part 2 program. Part 2 programs are those that are (1) federally assisted (they receive federal funding) and (2) hold themselves out as providing, and do provide, substance use disorder diagnosis, treatment, or referral for treatment. The final rules released by HHS this month reflect the inclusion of the public comments from providers, trade associations, health information exchanges, health plans and others.

The final rules make the following modifications to Part 2 regulations, effective February 16, 2026:

  • Patient Consent: One single Part 2 consent will be sufficient for all future disclosures for payment, treatment, and health care operations. All disclosures made with patient consent must include a copy of the consent or a clear explanation of the scope of consent. Previously, a separate consent was needed for each disclosure of Part 2 information. However, the final rules do retain a prohibition on the use of Part 2 records in legal proceedings and testimony in civil, criminal, administrative, and legislative proceedings against a patient without specific consent or a court order.
  • Counseling Notes: Like HIPAA psychotherapy records, a separate patient consent for the use and disclosure of SUD counseling notes is now required. SUD counseling notes include those analyzing the conversation in a SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record.
  • Patient Notice: Part 2 patient notice requirements now align with the requirements of the HIPAA Notice of Privacy Practices.
  • Redisclosure: HIPAA covered entities and business associates that receive records under a Part 2 consent may redisclose those records according to HIPAA regulations. Previously, Part 2 regulations required a specific disclosure that was stricter than HIPAA redisclosure regulations.
  • Public Health: Part 2 records may now be disclosed to public health authorities without patient consent as long as the records are de-identified.
  • Breach Notification: The HIPAA Breach Notification Rule requirements will also apply to breaches of records under Part 2.
  • Segregation of Part 2 Data: Part 2 records are no longer required to be segregated or segmented from other medical records.
  • Fundraising: Patients will be able to opt out of receiving fundraising communications from Part 2 programs.
  • Complaints: Patients will have a right to file a complaint directly with the Secretary of HHS for an alleged violation of Part 2 in addition to filing a complaint with the Part 2 program.
  • Penalties: Part 2 penalties will be aligned with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.

The text of the final rule can be found on the Federal Register. All Part 2 programs must comply with the new requirements by February 16, 2026. The BMD healthcare team can help ensure that you are compliant. Please reach out to Daphne Kackloudis (dlkackloudis@bmdllc.com) or Jordan Burdick (jaburdick@bmdllc.com) for questions or assistance.

Health LawHealthcare Policysubstance abuseDaphne KackloudisJordan Burdick
Client Alert

Ohio Supreme Court Clarifies Medical Statute of Limitations

February 1, 2021The Ohio Supreme Court issued a decision in late December that clarifies and finalizes the Ohio law regarding the period of time in which patients can assert claims for medical malpractice. The Court was examining the interplay between three different statutes being the statute of limitations, the statute of repose, and the savings statute.Client Alert

Ohio Hospitals and Healthcare Clinics: It’s Time to Revisit Your Billing and Collection Practices

February 1, 2021According to a recent Cuyahoga County case, certain healthcare entities may not be protected from liability when engaging in unfair or deceptive billing acts. This decision is consistent with the growing trend across the country to encourage price transparency and eliminate unfair surprise billing practices by health care organizations. Now is the time for hospitals and other health care organizations to revisit their billing and collection policies and procedures to confirm that they are legally defensible and consistent with best practices.Client Alert

HIPAA Business Associate Agreements: Why These Contracts Matter

January 27, 2021No one loves drafting, reading or negotiating HIPAA Business Associate Agreements (BAAs). Yet many of us need to do so, and some of us do so daily. They are often boring, dense and technical, but BAAs are important from both a legal and a business perspective, and they deserve our attention. Failure to enter a BAA when one is required can constitute a HIPAA violation that results in substantial liability, as demonstrated by certain recent Department of Health & Human Services (HHS) settlements.1 A business associate who makes a disclosure that is not authorized by the applicable BAA or required by law can be subject to civil and, in some cases, criminal penalties. Further, parties are often presented with BAAs that contain onerous one-sided indemnification and other provisions that can be devasting to an organization in the event of a HIPAA breach. The significance of a BAA is often not fully understood by the parties until something goes wrong (e.g., a HIPAA security incident or breach, an Office of Civil Rights (OCR) audit or a fracture in the relationship between the parties) and, at that point, there is limited opportunity to mitigate legal and business risk. Ideally, attention should be given at the commencement of the business associate relationship, when the parties are able, to thoughtfully addressing regulatory requirements, planning and preparing for potential adverse events and appropriately allocating risk among the parties. As with most healthcare regulatory compliance initiatives, a proactive approach with respect to BAAs is preferable. This article provides a broad overview of certain BAA requirements and some practical negotiating tips for the parties involved.Client Alert

“I’m Out Of Here!” Now What?

January 27, 2021We all know that the healthcare industry is experiencing a wave of integration. This trend has been evident for many years. Fewer physicians are willing to assume the legal, financial and other business risks associated with owning their own practices. More and more physicians, including anesthesiologists, are becoming employed by large physician groups, health systems and national providers. This shift necessarily involves not only entry into new employment arrangements but also the termination of existing relationships. And those terminations are often governed by written employment agreements, state and federal healthcare laws and employer benefit plans and other policies and procedures. Before pursuing their next opportunity, physicians should pause for a moment and first attend to the arrangement that they are leaving. Departing physicians need to understand their legal rights and obligations when leaving their current employment relationships in order to avoid unintended consequences and detrimental missteps along the way. Here are a few words of practical advice for physicians contemplating an exit from their current employment arrangements.Client Alert

Investment Training for the Second and Third Generations

January 19, 2021Consider this scenario. Mom and Dad started the business from the ground up. Over the decades it has expanded into a money-making machine. They are able to sell the business and it results in a multimillion-dollar payday for their labors. The excess money has allowed Mom and Dad to invest with various financial advising firms, several fund management groups, and directly with new startups and joint ventures. Their experience has made them savvy investors, with a detailed understanding of how much to invest, when, and where. They cannot justify formation of a full family office with dedicated investors to manage the funds, but Mom and Dad have set up a trust fund for the children to allow these investments to continue to grow over the years. Eventually, Mom and Dad pass. Their children enjoy the fruits of their labors, and, by the time the grandchildren are adults, Mom and Dad's savvy investments are gone.
Older posts
Newer posts