HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

by Kathie McDonald-McClure

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Section 3221 of the CARES Act of 2020, enacted by Congress on March 27, 2020, in response to the COVID-19 pandemic, in effect, had amended Title 42, Part 2, to align it with HIPAA but also required HHS to implement these amendments in the Part 2 regulation through the rule-making process. The 260-page Proposed Rule, in sum, would incorporate requirements and definitions from the HIPAA rules into the 40-year-old Part 2 regulation, including HIPAA’s consent, disclosure, de-identification, unsecured PHI and breach notification requirements, as well as HIPAA penalties for noncompliance.

Part 2 Compliance Challenges. For years, providers who are subject to both HIPAA and Part 2’s separate privacy requirements for SUD records have had to grapple with identifying and segregating SUD records that are subject to Part 2 from records that are subject only to HIPAA. In the Proposed Rule, HHS acknowledges that this has contributed to ongoing operational and compliance challenges for providers. HHS notes several examples of this challenge, including the following:  

For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule’s limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the re-disclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.

(Proposed Rule, pp. 19-20.)

SUD Treatment De-Stigmatization & Coordination. HHS additionally notes that the continued segregation of Part 2 Program SUD records sets these records apart in ways that perpetuate the stigma surrounding a person with SUDs.

Prior to passage of the CARES Act, Congressional hearings on the Opioid Crisis had already highlighted the need for HHS to promulgate regulations modifying the confidentiality requirements for Part 2 records to align with HIPAA. Testimony before Congress was that SUD records were being withheld in ways that inhibit care coordination between providers of a person’s mental health and physical health, conditions that are inextricably linked. In the HHS Announcement of the Proposed Rule, Secretary Becerra says, “This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure.” 

Summary of Changes. Some of the most significant changes would include:

Continue reading

A Supreme Development in Employer Computer Protection

By: Courtney Samfordcontributing author Blake Sims, Wyatt Summer Associate

This image has an empty alt attribute; its file name is pexels-mikhail-nilov-6930431-1024x617.jpg

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some Federal Court of Appeals Circuits, employers may have been able to rely on threats of criminal and civil liabilities under 18 U.S.C. § 1030 to further deter improper use. On June 3, 2021, however, an evenly split conservative-liberal majority of the Supreme Court reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual only violates the Section 1030 of Computer Fraud and Abuse Act “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021).

Continue reading


By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared towards ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 20, 2020.  However, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance effective dates for the Final Rule several times over the last year—and most providers were hopeful that it would be extended once again—but there are no more delays.  Information Blocking compliance is now effective, as of April 5, 2021.  Health care providers should take immediate steps to ensure compliance.

Continue reading

Federal Agencies Warn of Cyberattacks on U.S. Hospitals

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Continue reading

The EPCS Mandate: Kentucky Requires Electronic Prescribing Of Controlled Substances

by Lindsay K. Scott

In an ongoing effort to battle the opioid crisis, Kentucky House Bill 342 was signed into law on March 26, 2019.  This bill created a new statute, KRS 218A.182, to require that all prescriptions for controlled substances be submitted electronically, unless certain exceptions apply (the “EPCS Mandate”).  Effective January 1, 2021, practitioners who prescribe controlled substances to be dispensed by a Kentucky pharmacy must issue the prescription electronically (“e-prescribe”) directly to the pharmacy unless an exception applies. Continue reading