<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<REGINFO_RIN_DATA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" RUN_DATE="2026-05-15-04:00" xsi:noNamespaceSchemaLocation="https://www.reginfo.gov/public/xml/REGINFO_XML_Ver10262011.xsd">
    <RIN_INFO>
        <RIN>0945-AA16</RIN>
        <PUBLICATION>
            <PUBLICATION_ID>202110</PUBLICATION_ID>
            <PUBLICATION_TITLE>The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions</PUBLICATION_TITLE>
        </PUBLICATION>
        <AGENCY>
            <CODE>0945</CODE>
            <NAME>Office for Civil Rights</NAME>
            <ACRONYM>OCR</ACRONYM>
        </AGENCY>
        <PARENT_AGENCY>
            <CODE>0900</CODE>
            <NAME>Department of Health and Human Services</NAME>
            <ACRONYM>HHS</ACRONYM>
        </PARENT_AGENCY>
        <RULE_TITLE>Confidentiality of Substance Use Disorder Patient Records</RULE_TITLE>
        <ABSTRACT><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>This rulemaking, to be issued in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), would implement provisions of section 3221 of the CARES Act. Section 3221 amended 42 U.S.C. 290dd-2 to better harmonize the 42 CFR part 2 (part 2) confidentiality requirements with certain permissions and requirements of the HIPAA Rules and the HITECH Act. This rulemaking also would implement the requirement in section 3221 of the CARES Act to modify the HIPAA Privacy Rule NPP provisions so that HIPAA covered entities and part 2 programs provide notice to individuals regarding part 2 records, including patients&rsquo; rights and uses and disclosures permitted or required without authorization.</p>
</body>
</html>]]></ABSTRACT>
        <PRIORITY_CATEGORY>Other Significant</PRIORITY_CATEGORY>
        <RIN_STATUS>Previously Published in The Unified Agenda</RIN_STATUS>
        <RULE_STAGE>Proposed Rule Stage</RULE_STAGE>
        <MAJOR>No</MAJOR>
        <UNFUNDED_MANDATE_LIST>
            <UNFUNDED_MANDATE>No</UNFUNDED_MANDATE>
        </UNFUNDED_MANDATE_LIST>
        <CFR_LIST>
            <CFR>42 CFR 2</CFR>
            <CFR>45 CFR 160</CFR>
            <CFR>45 CFR 164</CFR>
        </CFR_LIST>
        <LEGAL_AUTHORITY_LIST>
            <LEGAL_AUTHORITY>42 U.S.C. 290dd-2 amended by the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act), Pub. L. 116-136, sec. 3221 (March 27, 2020)</LEGAL_AUTHORITY>
            <LEGAL_AUTHORITY>Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. 111-5, sec. 13402 and 13405 (February 17, 2009)</LEGAL_AUTHORITY>
            <LEGAL_AUTHORITY>Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. 104-191, sec. 264 (August 21, 1996)</LEGAL_AUTHORITY>
            <LEGAL_AUTHORITY>Social Security Act, Pub. L. 74-271 (August 14, 1935) (see secs. 1171 to 1179 of the Social Security Act, 42 U.S.C. 1320d to 1320d–8).</LEGAL_AUTHORITY>
        </LEGAL_AUTHORITY_LIST>
        <LEGAL_DLINE_LIST>
            <LEGAL_DLINE_INFO>
                <DLINE_TYPE>Statutory</DLINE_TYPE>
                <DLINE_ACTION_STAGE>NPRM</DLINE_ACTION_STAGE>
                <DLINE_DATE>03/27/2021</DLINE_DATE>
                <DLINE_DESC></DLINE_DESC>
            </LEGAL_DLINE_INFO>
        </LEGAL_DLINE_LIST>
        <LEGAL_DLINE_OVERALL_DESC>The CARES Act requires the revisions to regulations with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of the Act (March 27, 2021); and not later than one year after the date of enactment, an update to the Notice of Privacy Practices (NPP) provisions of the HIPAA Privacy Rule at 45 CFR 164.520.</LEGAL_DLINE_OVERALL_DESC>
        <RPLAN_ENTRY>Yes</RPLAN_ENTRY>
        <RPLAN_INFO>
            <STMT_OF_NEED><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>Rulemaking is needed to implement section 3221 of the CARES Act, which modified the statute that establishes protections for the confidentiality of substance use disorder (SUD) treatment records and authorizes the implementing regulations at 42 CFR part 2 (part 2). As required by the CARES Act, this NPRM proposes regulatory modifications to: (1) Align certain provisions of part 2 with aspects of the HIPAA Privacy, Breach Notification, and Enforcement Rules. (2) Strengthen part 2 protections against uses and disclosures of patients&rsquo; SUD records for civil, criminal, administrative, and legislative proceedings. (3) Require that a HIPAA Notice of Privacy Practices address privacy practices with respect to part 2 records.</p>
</body>
</html>]]></STMT_OF_NEED>
            <LEGAL_BASIS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>Section 3221(i) of the CARES Act requires rulemaking as may be necessary to implement and enforce section 3221.</p>
</body>
</html>]]></LEGAL_BASIS>
            <ALTERNATIVES><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>HHS considered whether the CARES Act provisions could be implemented through guidance. However, rulemaking is required because the current part 2 regulations are inconsistent with the authorizing statute, as amended by the CARES Act. HHS considered whether to include the anti-discrimination provisions of section 3221(g) in this rulemaking. However, because implementation of the anti-discrimination provisions implicates numerous civil rights authorities, which require collaboration with the Department of Justice, HHS will address the anti-discrimination provisions in a separate rulemaking. HHS considered whether to propose additional changes to part 2 that are not required by section 3221 of the CARES Act. However, adding more proposals would delay publication of the proposed rule and eventual implementation of the CARES Act requirements.</p>
</body>
</html>]]></ALTERNATIVES>
            <COSTS_AND_BENEFITS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>HHS estimates that the effects of the proposed requirements for regulated entities would result in new costs of $16,872,779 within 12 months of implementing the final rule. HHS estimates these first-year costs would be partially offset by $11,182,618 of first-year cost savings, followed by net savings of $9,612,567 annually in years two through five, resulting in overall net cost savings of $32,760,108 over 5 years.</p>
</body>
</html>]]></COSTS_AND_BENEFITS>
            <RISKS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>To be determined.</p>
</body>
</html>]]></RISKS>
        </RPLAN_INFO>
        <TIMETABLE_LIST>
            <TIMETABLE>
                <TTBL_ACTION>NPRM</TTBL_ACTION>
                <TTBL_DATE>01/00/2022</TTBL_DATE>
            </TIMETABLE>
        </TIMETABLE_LIST>
        <RFA_REQUIRED>No</RFA_REQUIRED>
        <SMALL_ENTITY_LIST>
            <SMALL_ENTITY>No</SMALL_ENTITY>
        </SMALL_ENTITY_LIST>
        <GOVT_LEVEL_LIST>
            <GOVT_LEVEL>None</GOVT_LEVEL>
        </GOVT_LEVEL_LIST>
        <FEDERALISM>No</FEDERALISM>
        <ENERGY_AFFECTED>No</ENERGY_AFFECTED>
        <PRINT_PAPER>No</PRINT_PAPER>
        <INTERNATIONAL_INTEREST>No</INTERNATIONAL_INTEREST>
        <AGENCY_CONTACT_LIST>
            <CONTACT>
                <FIRST_NAME>Marissa</FIRST_NAME>
                <LAST_NAME>Gordon-Nguyen</LAST_NAME>
                <TITLE>Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy</TITLE>
                <AGENCY>
                    <CODE>0945</CODE>
                    <NAME>Office for Civil Rights</NAME>
                    <ACRONYM>OCR</ACRONYM>
                </AGENCY>
                <PHONE>800 368-1019</PHONE>
                <TDD_PHONE>800 537-7697</TDD_PHONE>
                <EMAIL>ocrprivacy@hhs.gov</EMAIL>
                <MAILING_ADDRESS>
                    <STREET_ADDRESS>200 Independence Avenue SW,</STREET_ADDRESS>
                    <CITY>Washington</CITY>
                    <STATE>DC</STATE>
                    <ZIP>20201</ZIP>
                </MAILING_ADDRESS>
            </CONTACT>
        </AGENCY_CONTACT_LIST>
    </RIN_INFO>
</REGINFO_RIN_DATA>
