View Rule
View EO 12866 Meetings | Printer-Friendly Version Download RIN Data in XML |
HHS/OCR | RIN: 0945-AA16 | Publication ID: Fall 2023 |
Title: Confidentiality of Substance Use Disorder Patient Records | |
Abstract:
This final rule, to be issued in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), would implement provisions of section 3221 of the CARES Act. Section 3221 amended 42 U.S.C. 290dd-2 to better harmonize the 42 CFR part 2 (part 2) confidentiality requirements with certain permissions and requirements of the HIPAA Rules and the HITECH Act. |
|
Agency: Department of Health and Human Services(HHS) | Priority: Other Significant |
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Final Rule Stage |
Major: No | Unfunded Mandates: No |
CFR Citation: 42 CFR 2 45 CFR 160 45 CFR 164 | |
Legal Authority: 42 U.S.C. 290dd-2 amended by the Coronavirus Aid, Relief, and Economic Security Act (the CARES Act), Pub. L. 116-136, sec. 3221 (March 27, 2020) Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. 111-5, sec. 13402 and 13405 (February 17, 2009) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Pub. L. 104-191, sec. 264 (August 21, 1996) Social Security Act, Pub. L. 74-271 (August 14, 1935) (see secs. 1171 to 1179 of the Social Security Act, 42 U.S.C. 1320d to 1320d–8). |
Legal Deadline:
|
||||||||||||
Overall Description of Deadline: The CARES Act requires revisions to regulations with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of the Act (March 27, 2021); and not later than one year after the date of enactment, an update to the Notice of Privacy Practices (NPP) provisions of the HIPAA Privacy Rule at 45 CFR 164.520. |
||||||||||||
Statement of Need: Rulemaking is needed to implement section 3221 of the CARES Act, which modified the statute that establishes protections for the confidentiality of substance use disorder (SUD) treatment records and authorizes the implementing regulations at 42 CFR part 2 (part 2). As required by the CARES Act, this regulation will: (1) Align certain provisions of part 2 with aspects of the HIPAA Privacy, Breach Notification, and Enforcement Rules. (2) Strengthen part 2 protections against uses and disclosures of patients’ SUD records for civil, criminal, administrative, and legislative proceedings. (3) Require that a HIPAA Notice of Privacy Practices address privacy practices with respect to part 2 records. |
||||||||||||
Summary of the Legal Basis: Section 3221(i) of the CARES Act requires rulemaking as may be necessary to implement and enforce section 3221. |
||||||||||||
Alternatives: HHS considered whether the CARES Act provisions could be implemented through guidance. However, rulemaking is required because the current part 2 regulations are inconsistent with the authorizing statute, as amended by the CARES Act. HHS considered whether to include the anti-discrimination provisions of section 3221(g) in this rulemaking. However, because implementation of the anti-discrimination provisions implicates numerous civil rights authorities, which require collaboration with the Department of Justice, HHS will address the anti-discrimination provisions in a separate rulemaking. |
||||||||||||
Anticipated Costs and Benefits: HHS estimates that the effects of the requirements for regulated entities would result in new costs of $64,299,891 within 12 months of implementing the final rule, followed by $2,514,756 of recurring annual costs in years two through five. HHS estimates these first-year costs would be partially offset by $12,755,378 annual cost savings, resulting in overall net costs of $10,582,027 over 5 years. |
||||||||||||
Risks: To be determined. |
||||||||||||
Timetable:
|
Regulatory Flexibility Analysis Required: No | Government Levels Affected: Federal, Local, State, Tribal |
Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations | Federalism: No |
Included in the Regulatory Plan: Yes | |
RIN Data Printed in the FR: No | |
Agency Contact: Marissa Gordon-Nguyen Senior Advisor for Health Information Privacy, Data, and Cybersecurity Policy Department of Health and Human Services Office for Civil Rights 200 Independence Avenue SW, Washington, DC 20201 Phone:800 368-1019 TDD Phone:800 537-7697 Email: ocrprivacy@hhs.gov |