View Rule

This final rule, to be issued in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), would implement provisions of section 3221 of the CARES Act. Section 3221 amended 42 U.S.C. 290dd-2 to better harmonize the 42 CFR part 2 (part 2) confidentiality requirements with certain permissions and requirements of the HIPAA Rules and the HITECH Act.

Overall Description of Deadline: The CARES Act requires revisions to regulations with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of the Act (March 27, 2021); and not later than one year after the date of enactment, an update to the Notice of Privacy Practices (NPP) provisions of the HIPAA Privacy Rule at 45 CFR 164.520.

Statement of Need:

Rulemaking is needed to implement section 3221 of the CARES Act, which modified the statute that establishes protections for the confidentiality of substance use disorder (SUD) treatment records and authorizes the implementing regulations at 42 CFR part 2 (part 2). As required by the CARES Act, this regulation will: (1) Align certain provisions of part 2 with aspects of the HIPAA Privacy, Breach Notification, and Enforcement Rules. (2) Strengthen part 2 protections against uses and disclosures of patients’ SUD records for civil, criminal, administrative, and legislative proceedings. (3) Require that a HIPAA Notice of Privacy Practices address privacy practices with respect to part 2 records.

Summary of the Legal Basis:

Section 3221(i) of the CARES Act requires rulemaking as may be necessary to implement and enforce section 3221.

Alternatives:

HHS considered whether the CARES Act provisions could be implemented through guidance. However, rulemaking is required because the current part 2 regulations are inconsistent with the authorizing statute, as amended by the CARES Act. HHS considered whether to include the anti-discrimination provisions of section 3221(g) in this rulemaking. However, because implementation of the anti-discrimination provisions implicates numerous civil rights authorities, which require collaboration with the Department of Justice, HHS will address the anti-discrimination provisions in a separate rulemaking.

Anticipated Costs and Benefits:

HHS estimates that the effects of the requirements for regulated entities would result in new costs of $64,299,891 within 12 months of implementing the final rule, followed by $2,514,756 of recurring annual costs in years two through five. HHS estimates these first-year costs would be partially offset by $12,755,378 annual cost savings, resulting in overall net costs of $10,582,027 over 5 years.

Risks:

To be determined.