What Are the Proposed Rule Changes to HIPAA Coming in 2023?


In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information. 

This article will discuss this rule change and why it seeks to address the gaps between HIPAA disclosure and mental health information protections.


What Is the Code of Federal Regulations Title 42 Part 2?

42 CFR Part 2, titled “Confidentiality of Substance Use Disorder Patient Records,” is a set of requirements outlining the responsibility of maintaining mental health and Substance Use Disorder (SUD) information. This regulation is a federal law that applies to any federally assisted program or person providing substance use disorder treatment of any form.

This regulation sets strict guidelines for the confidentiality of substance use disorder patient records to protect patients’ privacy and encourage underserved individuals to pursue treatment for often-stigmatized conditions.

Under 42 CFR Part 2, SUD patient records cannot be disclosed without the individual’s written consent. Individuals receiving treatment for substance use disorder must be informed about their confidentiality rights and the circumstances under which their information can be disclosed. Additionally, any disclosures of SUD patient records must include a statement indicating that the information disclosed is protected by Part 2 and cannot be disclosed without the individual’s written consent, except as permitted by this regulation.


What Does HIPAA Say About Sharing Confidential Medical Information?


HIPAA regulations function similarly to 42 CFR Part 2 in that they dictate patient records’ privacy in healthcare settings. More importantly, HIPAA regulations allow healthcare providers to share patient information in certain limited circumstances, including:

  • Treatment: In some cases, healthcare providers can share information without consent if treatment is needed in an emergency or where consent cannot be obtained because of that emergency.
  • Payment: Healthcare providers may share payment information with insurance companies for reimbursement.
  • Operations: Healthcare providers may share patient information for healthcare operations, such as quality improvement activities, conducting audits or evaluations, or training staff.
  • Public Safety: Healthcare providers may share patient information in cases of a public health crisis or where there could be an impact on general welfare.
  • Legal Requirements: Healthcare providers must disclose PHI under the dictate of courts or law enforcement while maintaining patient privacy outside of that context.

It’s important to note that even when patient information is shared for these purposes, healthcare providers must still protect patient privacy and ensure that the data is only shared with those who need to know the information.


What Are the New (Potential) HIPAA Rules Attempting to Accomplish?

One of the major challenges between 42 CFR Part 2 and HIPAA is that the former is stricter than the latter regarding mental health information or SUD data. The general exceptions allowing unauthorized access to health information for emergency health care don’t touch on the information protected by 42 CFR Part 2.

This presents a significant problem, one that was laid bare during the COVID-19 pandemic. Often, healthcare providers at covered entities would need, or would have benefited from, knowing an individual’s mental health or SUD information, but they cannot get it without patient consent. If this consent is not provided, or the patient cannot provide it, that information is off-limits.

The new rules, which will take effect in 2023, would address and align these two regulations so doctors can better serve their patients.

The key changes suggested in the NPRM are:

  • Permitting disclosure of Part 2 records such that once consent is given, it covers all disclosures in the future.
  • Creating new rights under Part 2 such that patients can get a full account of disclosures and request restrictions on certain disclosures, rights that would align with those in HIPAA regulations.
  • Naming a new authority to enforce civil penalties for violations of 42 CFR Part 2.
  • Outlining a new process to receive and process complaints about 42 CFR Part 2 violations that can address programmatic issues and disallow restrictions to treatment or waiving rights as a precondition for filing complaints.
  • Placing breach notifications to the HHS and affected patients for Part 2 records under the Breach Notification Rule.

In the long term, this new rule will align rules contained in HIPAA with 42 CFR Part 2 such that providers can streamline treatment using important mental and addiction data without compromising patient privacy.


Stay Ahead of HIPAA Rule Changes with Lazarus Alliance

HIPAA rules seldom change; when they do, it’s a big deal. When these changes occur, they can slip under the radar for healthcare providers who aren’t up-to-date on new rulemaking.

When you work with Lazarus Alliance, you can trust that we’ve got you covered, no matter the rule. Our team of experts can help you streamline HIPAA compliance right now, where your organization is.

Lazarus Alliance