03.12.2024

Providers face prep work under regulatory changes for SUD confidentiality

Providers of substance use disorder (SUD) services can expect to undergo major housekeeping tasks for their records and forms to comply with new, overhauled regulations for SUD patient record confidentiality.

A top to bottom review and refresh of everything from consent forms to privacy notices and records handling processes will be required — and not just for SUD providers. Their business associates, covered entities, and anyone who receives patient records governed by 42 CFR Part 2 will also be affected. In February, the U.S. Department of Health and Human Services issued a Final Rule updating 42 CFR Part 2 in accordance with the CARES Act.

The Part 2 statute protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

The changes set out in the Final Rule were made to align federal regulations for the confidentiality of SUD patient records with Health Insurance Portability and Accountability Act (HIPAA) regulations for privacy, breach notification, and enforcement.

Don’t delay the prep work

Technically, the enforcement date is still two years away — two years from the date the Final Rule is published to the federal register — but that doesn’t mean providers can wait to get started.

Implementation of all the changes will be a major undertaking for organizations, requiring a commitment of both time and resources.

The Department of Health and Human Resources is expecting technical challenges as well. It has established a five-page Fact Sheet detailing information about the regulatory changes and has promised to provide additional guidance.

SimiTree’s certified healthcare compliance experts have been gearing up to help providers with everything from reviewing and revising forms and policies to implementing the process changes that may be required.

Whether your organization works with us to implement these changes or does it yourself, we’re recommending providers get started sooner rather than later on the daunting task ahead.

Where to start with 42 CFR Part 2 changes?

As is the case more often than not with regulatory and compliance matters, there’s no one-size-fits-all set of regulations for behavioral health providers to follow. State and federal statutes must be observed, and the Final Rule overhauling 42 CFR Part 2 does not supersede existing state regulations.

This means the best starting point for implementing the 42 CFR Part 2 regulatory changes is to check your state regulations to learn whether there are additional, more stringent regulations that must also be met.

Remember that statutes vary from state to state. This means behavioral health providers operating in multiple states may have to meet varying sets of compliance standards for their organizations. Always adhere to the most stringent that apply.

Here’s a basic checklist for some other action items to get started.

_1) Evaluate your existing NPP. Review your organization’s current Notice of Privacy Practices and determine whether changes and updates will be needed to conform to the new provisions set out under the Final Rule. Some organizations may need to develop a new Privacy Notice to inform patients and clients about their rights regarding Protected Health Information (PHI), including details about how relevant information will be collected, processed, stored and used.

_2) Patient Complaint Process. Existing complaint processes may require some restructuring to conform to changes set out under the Final Rule. One new patient right added under the Final Rule is the right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.

_3) Update consent forms and notices. The Final Rule allows a single consent for all future uses and disclosures for treatment, payment, and health care operations. It also allows HIPAA-covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations. However, regulatory changes prohibit combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.

Each disclosure made with patient consent must include a copy of the consent or a clear explanation of the scope of the consent. In addition, a separate patient consent will be required for the use and disclosure of SUD counseling notes.

_4) Revise policies or draft new policies to reflect changes. Many of the changes mentioned here will require organizational policy revision or the drafting of new policies. This is expected to be one of the most labor-intensive tasks associated with implementation of the regulatory changes. All policies will need to be reviewed to ensure they comply with and reflect the Final Rule’s provisions applicable to your organization.

_5) Don’t overlook business associates. Any of your organization’s business associates who receive Part 2 records (such as third-party payers) will need to review and update forms and processes to fully adhere to the provisions, too.

How SimiTree can help

The scope of the work ahead may seem overwhelming to many providers, but the certified healthcare experts at SimiTree are ready to assist. We work with providers across healthcare settings to ensure regulatory compliance, and we’re ready to help organizations align HIPAA and new 42 CFR Part 2 regulations for full compliance.

Reach out to us today and let’s work together to shore up your organization’s records confidentiality, ensuring full compliance with the new 42 CFR Part 2 regulatory changes, HIPAA, and the most recent compliance guidance issued in November 2023 by the OIG.

Make sure you’re subscribed

It's more important than ever to stay abreast of compliance issues in 2024 — and I don’t want you to miss any of my Weekly Compliance Reports.

Be sure to add your name to the subscription list.

Why not invite the compliance officers you know to sign up as well?

Have a compliance question?

SimiTree’s healthcare experts can help! Our team is made up of former auditors and surveyors from across healthcare settings who help behavioral health organizations achieve JCAHO and CARF accreditation, understand regulatory and compliance demands, and meet quality goals.

We have the know-how and the experience to help your organization mitigate risk. Contact us today with all your compliance needs.

J’non Griffin serves as Senior Vice President for the Compliance as well as Coding divisions at SimiTree. With a healthcare career that spans three decades, she has a track record of helping many provider types implement effective compliance programs. She has worked with organizations nationwide  to develop compliant emergency preparedness and operation plans, implement fully compliant plans of care, and meet regulatory demands. As an AHIMA ambassador, Griffin was instrumental in preparing the coding community for the launch of ICD-10.