Welcome to the Ledger
The seventh issue of Greenberg Traurig’s quarterly Behavioral Health Law Ledger addresses the modifications to the Part 2 regulations pursuant to HHS’s proposed rule implementing changes to the substance use disorder regulations pursuant to the CARES Act, and CMS’s new proposed rule to increase access to behavioral health services for Medicare Advantage plan enrollees.
Part 2 Regulatory Changes Relating to Confidentiality of Substance Use Disorder Patient Records Are Here
By Julie Sullivan and Tyler Strobel ˘
In 2020, Section 3221 of the Coronavirus Aid, Relief and Economic Security Act (CARES Act) required the U.S. Department of Health and Human Services (HHS) to bring the regulations codified at 42 CFR Part 2 pertaining to confidentiality of substance use disorder (SUD) patient records into greater alignment with certain aspects of HIPAA. After some delay in releasing those proposed changes to the Part 2 regulations, HHS, through the Office of Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) published its Notice of Proposed Rule Making Dec. 2, 2022 (the “Proposed Rule”), with the comment period regarding such proposed rule closing Jan. 31, 2023. Stakeholders are awaiting the release of the Final Rule, which is anticipated to mirror much of the Proposed Rule. Accordingly, below is a summary of the Proposed Rule and the key changes to the Part 2 Regulations that Part 2 Programs should know.
Part 2 Program-Friendly Changes
1. Single Patient Consent for TPO Uses and Disclosures of Part 2 Records
Perhaps the most operations-friendly change to the Part 2 Regulations stemming from the Proposed Rule and the CARES Act is proposed allowance of a one-time written consent to disclose SUD records for treatment, payment, and health care operations activities (collectively, “TPO”) purposes. Unlike HIPAA, which allows for the use or disclosure of protected health information (PHI) without patient authorization for TPO activities, Part 2 has previously required patient consent for each use or disclosure of Part 2 records, creating a significant administrative burden on Part 2 Programs to perform daily activities like referrals to other treatment providers, seeking payment from health insurers, or coordinating care with the patient’s physician, etc. The Proposed Rule seeks to require only a one-time patient consent for these activities which would thus authorize all future uses and disclosures for TPO activities, subject to the patient’s revocation of that consent and the Part 2 Program’s compliance with the HIPAA Privacy Rule. This significant change may also pave the way for Part 2 Programs to not need to segregate Part 2 records from the rest of a patient’s medical record, facilitating better care management for SUD patients.
2. Modification of the Redisclosure Rules to Align with HIPAA
Another Part 2 Program-friendly change under the Proposed Rule is to permit redisclosures of Part 2 records by recipients in a few common circumstances: (i) if records are disclosed for TPO activities to a Part 2 Program or a party subject to HIPAA either as a covered entity or a business associate, the recipient is permitted to further use or disclose the records as permitted under HIPAA; (ii) if Part 2 records are disclosed to a Part 2 Program that is not subject to HIPAA (i.e., does not engage in HIPAA-covered transactions), the recipient may use or disclose the records in any manner or for any purpose consistent with the patient’s initial consent; and (iii) if records are disclosed to a “lawful holder” that is not subject to HIPAA, the lawful holder may further use or disclose the records for payment or health care operations purposes to its contractors, subcontractors or legal representatives.
3. Modification of Part 2 Consent Requirements to Better Align with HIPAA Authorization Requirements
The Proposed Rule also seeks to modify the required elements of a valid Part 2 patient consent to better align with HIPAA’s patient authorization requirements. The Proposed Rule requires Part 2 patient consent to be written, but expressly includes electronic consent. Additionally, should the patient withdraw their consent of the use or disclosure of their Part 2 records, the patient’s revocation can be oral or written. By harmonizing these requirements, Part 2 Programs should be able to streamline the patient consent/authorization processes without duplicative forms to meet competing regulatory requirements to ensure validity or risk invalidating a HIPAA authorization for being a compound authorization.
The Proposed Rule also creates a new category of entity or person that receives Part 2 records called “intermediaries,” defined to mean a party “who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.” Notably, when an intermediary is also a Business Associate, it would be subject to the requirements of both an intermediary and a Business Associate.
Part 2 Patient-Friendly Changes
1. Expansion of Patient Rights re: Part 2 Records
Perhaps the most patient-friendly change to the Part 2 Regulations stemming from the Proposed Rule and the CARES Act is the proposed expansion of patient rights to request histories of uses and disclosures of their Part 2 records and to restrict uses and disclosures from occurring.
The Proposed Rule seeks to align patient rights with those codified in the HITECH Act. First, HHS has proposed giving patients the right to request an accounting of all uses and disclosures made by all intermediaries who had access to the patient’s Part 2 records over the past three years. Second, the Proposed Rule seeks to enable patients to request restrictions of the use or disclosure of their Part 2 records for TPO reasons and to obtain restrictions on disclosures to health plans for services paid in full.
2. Additional Restrictions on the Use/Disclosure of Part 2 Records in Legal Proceedings
Another patient-friendly change stemming from the CARES Act and codified in the Proposed Rule is a restriction on the use and disclosure of Part 2 records in civil and criminal proceedings. Absent patient consent, a subpoena, or a court order, Part 2 records may not be introduced as evidence or testimony or relied upon to form any part of the record in state or federal proceedings, used for criminal investigations or law enforcement purposes, or used in any application for a warrant. Additionally, court orders for Part 2 records are limited to only the most essential parts of the record to fulfill the objective of the order.
3. The Addition of HHS Enforcement Authority including CMPs for Part 2 Violations
The Proposed Rule aligns the enforcement provisions of Part 2 with the HIPAA Enforcement Rule, which permits civil and criminal penalties. Previously, although a Part 2 violation was a criminal offense, civil penalties and Civil Monetary Penalties (CMPs) could not be applied to noncompliant Part 2 Programs. Under the Proposed Rule, CMPs may be applied when a Part 2 Program has unknowingly violated Part 2 requirements.
4. HIPAA Notice of Privacy Practices Requirements re Part 2 Records
The Proposed Rule also seeks to update the Part 2 Patient Notice requirements to more closely align with HIPAA’s Notice of Privacy Practices (NPP) requirements. The revised Patient Notice would include most key features of the NPP, including the required Header, Uses and Disclosures, Duties, and Patient Notice sections. HHS also seeks to include a statement of Part 2 Program duties to afford Part 2 patients as much transparency and notice as is afforded under HIPAA and align both notices in terms of content and structure for covered entities that are also Part 2 Programs.
5. Breach Notification Obligations
The Proposed Rule seeks to apply the HIPAA Breach Notification Rule to Part 2. In doing so, Part 2 Programs would be required not only to have policies and procedures addressing breach notification but also to report breaches of Part 2 Records to HHS, affected individuals, and in certain situations, media outlets.
The Proposed Rule proposes that most “lawful holders” would also be subject to these breach notification obligations. Lawful holders are individuals or entities who have received Part 2 records as the result of a Part 2-compliant consent or other permissible use/disclosure under Part 2. Most lawful holders of Part 2 Records would similarly be required to comply with the Breach Notification Rule if HHS determined that such lawful holder had a duty to reasonably protect against unauthorized uses or disclosures of the SUD records based on the facts and circumstance surrounding the breach. Stakeholders are hopeful HHS will clarify the circumstances under which they would seek to extend the HIPAA Security Rule and Breach Notification Rule to recipients of SUD records who may not otherwise be subject to Part 2 or HIPAA.
New CMS Proposed Rule Would Increase Access to Behavioral Health Services for Medicare Advantage Plan Enrollees
By Nancy Taylor and Nicole Baptista
According to data from the Commonwealth Fund and the National Library of Medicine, one in four Medicare beneficiaries suffers from a mental health condition, and approximately 1.7 million beneficiaries have been diagnosed with a substance use disorder (SUD). Additionally, a study published by J.D. Power in 2022 found that only 38% of the Medicare Advantage (MA) enrollees surveyed believe they have adequate coverage for mental health treatment, compared to 91% who believe they have adequate coverage for routine diagnostic care. While some beneficiaries may be unaware of the extent of their MA plan coverage, studies show that many beneficiaries encounter significant barriers to accessing mental and behavioral health care services, for reasons such as prior authorization and/or referral requirements, insufficient in-network provider options, and/or cost-sharing obligations for covered benefits.
In light of these barriers, the Centers for Medicare & Medicaid Services (CMS) issued the Contract Year 2024 Policy and Technical Changes to the Medicare Advantage Program, Medicare Prescription Drug Benefit Program, Medicare Cost Plan Program Proposed Rule Dec. 27, 2022. The stated purpose of this proposed rule is to strengthen beneficiary protections, improve access to behavioral health care, and promote equity for the millions of Americans enrolled in MA and Medicare Part D plans. Some highlights from the proposed rule applicable to MA plans include provisions that would:
- Institute an electronic prior authorization (PA) process for MA plans and increase the speed at which MA plans must respond to PA requests;
- Require MA plans to follow traditional Medicare coverage guidelines for medical necessity when making PA determinations and allow PA approval to remain valid for the full course of treatment;
- Require MA plans to maintain and monitor an adequate network of behavioral health providers, including clinical psychologists, licensed clinical social workers, and prescribers of medication for opioid use disorders;
- Require MA plans to apply the same appointment wait time standards used for primary care services to behavioral health services;
- Require MA plans to comply with stringent enrollee notification requirements when an organization terminates a behavioral health provider network participation contract;
- Extend MA network adequacy requirements to clinical psychologists, clinical social workers, and prescribers of medication for opioid use disorder;
- Require MA plans to reimburse providers for the treatment of certain behavioral health conditions as “emergency medical conditions” without regard to the provider’s contractual relationship with the MA plan or whether the enrollee obtained a PA; and
- Require MA plans to maintain policies and procedures for coordinating enrollees’ behavioral health services with community and social services, collecting information necessary for effective and continuous patient care and quality review, and educate enrollees on follow-up care for their health care needs.
The public comment period closed Feb. 13, 2023.
Let’s Stay in Touch
GT’s Behavioral Health Law Ledger keeps behavioral health and integrated health providers current on behavioral health legal and regulatory developments. Each quarter we highlight recent legal developments, including but not limited to audit risks, significant litigation, enforcement actions, and changes to behavioral-health-related laws or regulations such as health privacy, confidentiality, and/or security issues, consent issues, data-sharing allowances, and other cutting-edge arrangements and issues facing behavioral and integrated health care providers.
If you know someone who would appreciate receiving GT’s Behavioral Health Law Ledger, please forward this newsletter to them, or they can subscribe here.
* Special thanks to Law Clerk Tyler Strobel ˘ for his valuable contributions to this newsletter.
˘ Not admitted to the practice of law.