Skip to main content
Categories

Published: 07/03/24

Author: and

This post was co-authored by School of Government faculty member Kirsten Leloudis and three of the School’s 2024 Summer Law Fellows: Rose Chang, Nevaeh Haddock, and Sheridan King.

 

On February 16, 2024, the U.S. Department of Health and Human Services (HHS) published a Final Rule that modifies the regulations found at 42 CFR Part 2, which govern the confidentiality of certain substance use disorder (SUD) treatment records. The Final Rule made numerous significant changes to how SUD records that are protected by 42 CFR Part 2 may be used and disclosed. This blog post focuses on just one of those changes: a new provision that allows SUD records to be shared with public health authorities (PHAs) if the information has been deidentified in accordance with HIPAA.

Background

Origins of 42 CFR Part 2

The regulations codified at 42 CFR Part 2 were promulgated in 1975 and are officially known as the “Confidentiality of Substance Use Disorder Patient Records” regulations; however, the regulations are more often colloquially referred to as the “Part 2” laws. At the time of their inception, the regulations were intended to ensure that patients seeking SUD treatment from federally supported programs would not have their treatment records used against them, which could deter existing and potential future SUD treatment patients from obtaining care.

Nearly 50 years later, the regulations at 42 CFR Part 2 remain relevant. According to the most recent data from the HHS National Survey on Drug Use and Health (NSDUH), in 2021, 46.3 million people age 12 or older (or approximately 16.5% of the national population) met the diagnostic criteria for a SUD in the past year. In 2021, 94% of people over age 12 who had a SUD did not receive treatment. Although SUDs are common and can affect people from all walks of life, SUDs continue to be stigmatized and SUD-related behaviors (e.g., purchase of illicit substances, possession of injection supplies) are often criminalized. For people living with a SUD, stigma and concern about legal consequences can be barriers to accessing SUD treatment. Today, the regulations at 42 CFR Part 2 continue to provide stringent protections around how an individual’s SUD records can be used and disclosed with and without the patient’s consent.

Timeline of the Final Rule

In December 2022, HHS issued a notice of proposed rulemaking (NPRM) and sought public comments on the agency’s vision for modifying the regulations at 42 CFR Part 2. As HHS explained in the NPRM, the agency’s proposed changes to 42 CFR Part 2 were prompted by requirements in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which instructed HHS to align parts of 42 CFR Part 2 more closely with HIPAA. The alignment of these two sets of federal regulations is meant to support interoperability and facilitate lawful information sharing in the health and mental health care fields, all while still protecting patient privacy.

The Final Rule went into effect immediately upon its publication on February 16, 2024. Individuals and entities that must abide by 42 CFR Part 2 have until February 16, 2026 to come into compliance with the law’s new requirements.

Sharing Deidentified Part 2 SUD Records with PHAs

The Final Rule created a new provision- 42 CFR 2.54– which allows (but does not require) “Part 2 programs” to disclose Part 2 SUD records to PHAs without patient consent, as long as the records have been deidentified in accordance with HIPAA. Having access to deidentified, high-level data is expected to aid PHAs in carrying out their public health duties. This might include, for example, a PHA’s involvement in responding to the opioid epidemic, supporting harm reduction work, or expanding access to SUD treatment services.

Successful implementation of this new pathway for sharing deidentified SUD records with PHAs requires an understanding of the following: who/what is governed by 42 CFR Part 2, what constitutes a PHA, and the HIPAA standards for deidentifying records. These three concepts are addressed separately in the sections below.

Who and What is Subject to 42 CFR Part 2?

42 CFR Part 2 applies to “Part 2 programs” and “lawful holders,” both of whom must comply with the regulations’ protections related to using and disclosing SUD records. The term “Part 2 program” is defined at 42 CFR 2.11 as a “federally assisted program.” A “program” is an individual or entity that holds itself out as providing SUD diagnosis, treatment, or referral for treatment. A program is “federally assisted” if it meets any of the criteria set forth at 42 CFR 2.12(b) (see 42 CFR Part 2.12.(c)) for exceptions to those criteria). A “lawful holder” is an individual or entity that lawfully received SUD records protected by 42 CFR Part 2 and, as a result, must comply with 42 CFR Part 2 when it comes to the use and disclosure of those records. SUD records that are protected by 42 CFR Part include any information, recorded in writing or not, that is created, received, or acquired by a Part 2 Program that relates to and identifies a SUD patient (hereinafter, “Part 2 SUD records”).

Not all health professionals who care for people living with a SUD will meet the definition of a “Part 2 program.” For example, a licensed clinical social worker who does not specialize in or advertise themselves as offering SUD treatment; who provides counseling to a patient with depression; and who happens to discuss the patient’s substance use during therapy is probably not a Part 2 program. Similarly, a hospital emergency room that treats all kinds of injuries and ailments- including by occasionally delivering naloxone for patients experiencing overdose- is not likely a Part 2 program. In most instances, a health professional will know whether they are a Part 2 program.

Note: The new 42 CFR 2.54 authorizes Part 2 programs- but not lawful holders- to disclose deidentified Part 2 SUD records to PHAs.

What is a Public Health Authority (PHA)?

The Final Rule amended 42 CFR 2.11 to adopt the term “public health authority” as it is defined under HIPAA at 45 CFR 164.501. A PHA is a federal, state, local, or tribal governmental entity that is responsible for public health matters as part of its official mandate. This includes a person or entity acting under a grant of the PHA’s authority to carry out public health work on the PHA’s behalf. A person or entity alleging to have been granted PHA authority should be able to provide documentation of the grant of authority, such as a contract with the PHA. Examples of a PHA include the U.S. Centers for Disease Control and Prevention (CDC), the Division of Public Health (DPH) within the North Carolina Department of Health and Human Services (NCDHHS), and North Carolina’s 86 local health departments.

HIPAA’s Deidentification Standards

Under the new 42 CFR 2.54, Part 2 SUD records may be shared with PHAs if those records

have been deidentified using HIPAA’s deidentification methods. HIPAA’s two approaches to deidentification- the “Safe Harbor” method and the “Expert Determination” method- are set out at 45 CFR 164.514(b).

The Safe Harbor Method

The Safe Harbor method requires that 18 types of identifying information about the patient, their relatives, their employers, or their household members be removed from the record. If even one of the 18 identifiers are retained in the record- for example, if the patient’s county of residence is not removed- then the record does not meet the Safe Harbor standard for deidentification. This method also requires that the Part 2 program have no “actual knowledge” that the information that remains after the 18 identifiers are removed could be used to identify an individual patient.

The Expert Determination Method

To satisfy the Expert Determination method, the Part 2 program must hire an expert- someone who knows, and has experience with, scientific methods for deidentifying information- to assess the risk of an individual patient being identified based on the information included in a record or data set. If the expert finds that there is only a “very small” risk of the information being used to identify a patient, then the Expert Determination standard for deidentification would be satisfied and the newly deidentified information could be shared with PHAs. The expert must document their methods and results to justify their determination that the risk of re-identifying individual patients is “very small.” If the expert determines that there is more than a “very small” risk of identification, then the Expert Determination method would not be satisfied, and further actions would be required to fully deidentify the data.

Note: Many entities choose to use the Safe Harbor method to deidentify protected information because hiring an expert to conduct an Expert Determination can be costly.

Additional Resources

HHS has published a fact sheet about the recent changes 42 CFR Part 2 as well as extensive guidance on the HIPAA deidentification methods.

Questions?

Do you have questions about sharing deidentified SUD records with PHAs, or the HIPAA deidentification methods? Feel free to send me an email at kirsten@sog.unc.edu.

 

This blog post is published and posted online by the School of Government for educational purposes. For more information, visit the School’s website at www.sog.unc.edu.

Coates Canons
All rights reserved.