
HHS/OCR
RIN: 0945-AA16
Publication ID: Fall 2023
Title: Confidentiality of Substance Use Disorder Patient Records 

This final rule, to be issued in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), would implement provisions of section 3221 of the CARES Act. Section 3221 amended 42 U.S.C. 290dd-2 to better harmonize the 42 CFR part 2 (part 2) confidentiality requirements with certain permissions and requirements of the HIPAA Rules and the HITECH Act.

Agency: Department of Health and Human Services (HHS)
Priority: Other Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: 42 CFR 2; 45 CFR 160; 45 CFR 164
Legal Authority: 42 U.S.C. 290dd-2 amended by the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act), Pub. L. 116-136, sec. 3221 (March 27, 2020); Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. 111-5, sec. 13402 and 13405 (February 17, 2009); Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. 104-191, sec. 264 (August 21, 1996); Social Security Act, Pub. L. 74-271 (August 14, 1935) (see secs. 1171 to 1179 of the Social Security Act, 42 U.S.C. 1320d to 1320d–8).
Legal Deadline:
Action | Source | Description | Date
NPRM | Statutory | | 03/27/2021

Overall Description of Deadline: The CARES Act requires revisions to regulations with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of the Act (March 27, 2021); and not later than one year after the date of enactment, an update to the Notice of Privacy Practices (NPP) provisions of the HIPAA Privacy Rule at 45 CFR 164.520.

Statement of Need:

Rulemaking is needed to implement section 3221 of the CARES Act, which modified the statute that establishes protections for the confidentiality of substance use disorder (SUD) treatment records and authorizes the implementing regulations at 42 CFR part 2 (part 2). As required by the CARES Act, this regulation will: (1) Align certain provisions of part 2 with aspects of the HIPAA Privacy, Breach Notification, and Enforcement Rules. (2) Strengthen part 2 protections against uses and disclosures of patients’ SUD records for civil, criminal, administrative, and legislative proceedings. (3) Require that a HIPAA Notice of Privacy Practices address privacy practices with respect to part 2 records.

Summary of the Legal Basis:

Section 3221(i) of the CARES Act requires rulemaking as may be necessary to implement and enforce section 3221.


HHS considered whether the CARES Act provisions could be implemented through guidance. However, rulemaking is required because the current part 2 regulations are inconsistent with the authorizing statute, as amended by the CARES Act. HHS considered whether to include the anti-discrimination provisions of section 3221(g) in this rulemaking. However, because implementation of the anti-discrimination provisions implicates numerous civil rights authorities, which require collaboration with the Department of Justice, HHS will address the anti-discrimination provisions in a separate rulemaking.

Anticipated Costs and Benefits:

HHS estimates that the effects of the requirements for regulated entities would result in new costs of $64,299,891 within 12 months of implementing the final rule, followed by $2,514,756 of recurring annual costs in years two through five. HHS estimates these first-year costs would be partially offset by $12,755,378 annual cost savings, resulting in overall net costs of $10,582,027 over 5 years.


To be determined.

Action | Date | FR Cite
NPRM | 12/02/2022 | 87 FR 74216
NPRM Comment Period End | 01/31/2023 |
Final Action | 11/00/2023 |

Regulatory Flexibility Analysis Required: No
Government Levels Affected: Federal, Local, State, Tribal
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
Marissa Gordon-Nguyen
Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy
Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue SW,
Washington, DC 20201
Phone: 800 368-1019
TDD Phone: 800 537-7697