HIPAA (Health Insurance Portability and Accountability Act) has evolved over the years to adapt to advancements in healthcare and technology. The 2013 HIPAA Omnibus Final Rule expanded its scope, and now the HIPAA Privacy Rule is set to change again in 2023. This article explores the changes related to Protected Health Information (PHI).
HIPAA has been crucial in U.S. healthcare since its enactment. The 2013 HIPAA Omnibus Final Rule expanded it to include business associates, enhanced patient rights, increased penalties for noncompliance, modified breach notification rules, and incorporated elements of the Genetic Information Nondiscrimination Act (GINA).
42 CFR Part 2
There’s been a growing emphasis on managing and protecting PHI related to substance use disorder (SUD) and mental health treatment records that also include information related to SUD. Regulations outlined in the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2).
Programs and organizations that receive federal assistance, such as federally funded substance use disorder treatment facilities,m are required to safeguard the confidentiality of patient records and ensure that they are not disclosed without patient consent. Some key provisions of the regulation include:
- Consent requirements: Prior written consent is generally required from patients for any disclosure of their SUD treatment records, except in limited circumstances specified by the regulation.
- Purpose of the disclosure: The disclosure of SUD patient records should be limited to purposes directly related to the patient’s treatment, payment, or healthcare operations unless otherwise authorized by specific regulations.
- Redisclosure prohibition: Part 2 places restrictions on the redisclosure of patient records received from a Part 2 program. Recipients of Part 2 information are generally prohibited from further disclosing it without patient consent, except in limited circumstances.
- Court-ordered disclosures: Procedures are outlined for disclosing patient records under court orders or subpoenas. Court orders must meet specific requirements to ensure patient privacy is protected.
- Security and auditing: Part 2 requires organizations to implement safeguards to protect patient records from unauthorized access, including the use of secure electronic systems. It also mandates audit controls to monitor and track access to patient records.
Changes Influenced by the Legacy Act:
Proposed changes to Part 2 regulations draw inspiration from the Legacy Act (1), allowing SUD patients to provide broad consent for sharing their SUD records. The principle of ‘minimum necessary information’ applies, and patients can revoke consent at any time.
Enhanced Protections and New Patient Rights:
The proposed changes aim to strengthen protections for SUD patients and introduce two new patient rights, aligning Part 2 more closely with the HIPAA Privacy Rule. These rights include knowing who accessed their SUD records and requesting limits on disclosures. Breach notification requirements under HIPAA will also apply to breaches of Part 2 records.
Updates to HIPAA Requirements:
Besides changes to Part 2 regulations, updates to HIPAA requirements have been proposed. Covered entities receiving or maintaining Part 2 records will need to revise their HIPAA Notice of Privacy Practices.
The Notice of Privacy Practices informs individuals about their rights regarding the privacy and security of their health information. Covered entities must update it to reflect the new requirements and align with Part 2 changes. The updated notice should inform individuals about SUD-related information handling and their rights.
By updating the Notice of Privacy Practices, covered entities provide clear information about SUD-related information protection, access, and disclosure. Individuals can make informed decisions about their healthcare and exercise their privacy rights.
The updated notice should also address new patient rights, such as knowing who accessed their SUD records and requesting disclosure limits. Instructions on how to exercise these rights should be included.
Updating the Notice of Privacy Practices ensures individuals are well-informed about their privacy rights, including those related to SUD-related information. This promotes transparency, accountability, and patient engagement.
Covered entities should stay informed about finalized changes to the HIPAA Privacy Rule and Part 2 regulations and promptly update their Notice of Privacy Practices for compliance. Consulting legal or compliance professionals can provide guidance.
The anticipated changes to HIPAA and Part 2 regulations will significantly impact PHI handling, especially concerning SUD and mental health. Further exploration is needed regarding access to health information. Stay tuned for updates. For assistance understanding how these changes affect your organization’s HIPAA compliance, book a Clarity Call.
- The Legacy Act, formally known as the Overdose Prevention and Patient Safety (OPPS) Act, is a significant piece of legislation that aims to improve the care of patients with substance use disorder (SUD). The act introduced a significant change to the treatment of substance use disorder (SUD) patients’ health records in a way that relates closely to the provisions of the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA provides the foundation for patient privacy and the handling of Protected Health Information (PHI), the Legacy Act expands this framework specifically for SUD patients. It allows for the sharing of patient SUD records with the patient’s consent, this aligns the confidentiality regulations around SUD and the broader HIPAA regulations. This move enables better healthcare coordination while reinforcing the privacy protections from HIPAA. Furthermore, it requires entities handling these records to comply with the HIPAA Notice of Privacy Practices, ensuring patients are informed about how their SUD-related information is handled.