February 2024

Review & Update Medical Record Confidentiality Policies In Response To Newly Revised Federal Substance Abuse Disorder Confidentiality Rules

February 29, 2024

Physicians, substance abuse and mental health facilities, and other health care providers providing or handling substance abuse treatment records should review and update their medical privacy and confidentiality policies to comply with revisions (Final Rule) to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”) adopted by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024. Providers subject to Part 2 should move quickly to review and update their policies and practices to comply with Part 2 and other applicable federal and state confidentiality, privacy and data security requirements avoid the potentially serious and expensive consequences that can result from violations.

Part 2 Generally

The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.

Like violation of HIPAA and other federal and state medical privacy and confidentiality rules, violation of Part 2 carries serious consequences, including:

Civil Penalties: Organizations or individuals found in violation may face fines or monetary penalties. These can vary depending on the severity of the breach and the specific circumstances.
Criminal Charges: In cases of intentional or willful violations, criminal charges may be filed. This could result in imprisonment or probation for the responsible parties.
License Revocation: Medical professionals, facilities, or organizations may have their licenses revoked or suspended if they fail to protect patient confidentiality.
Legal Liability: Violations can lead to lawsuits and legal claims by affected individuals. This may result in financial damages awarded to the aggrieved parties.
Reputation Damage: Breaches of confidentiality can harm an organization’s reputation and trust among patients, clients, and the public.

It is crucial for covered healthcare providers and programs to adhere to confidentiality regulations, as well as otherwise applicable HIPAA and other legal and ethical standards to avoid these consequences.

The requirements of Part 2 run in tandem with, and where applicable, apply in addition to the much more broadly privacy, security, data breach, and patient rights requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applicable to health care providers, health plans, health care clearinghouses and their business associates. Part 2 Part 2 directly applies to all records relating to the identity, diagnosis, prognosis, or treatment of any patient in a substance abuse program that either is federally assisted and holds itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment. A program is “federally assisted” if it is:

Any entity that receives federal funding
Certified by Medicare
Registered to distribute controlled substances
A tax exempt non-profit.

Since most physicians and many other treatment providers register with the Drug Enforcement Agency (DEA) to distribute controlled substances, this includes most prescribers. Providers that do not directly fall within the scope of the rule also need to confirm that their state licensure or other rules do not require their compliance with the Part 2 rules.

While the restrictions and requirements for covered health care providers of Part 2 and HIPAA both can affect the hoops that employers may have to negotiate to access applicants’ and employees’ substance abuse treatment records, neither Part 2 or HIPAA applies to employers to implement and administer Drug Free Workplace Act or other workplace-related substance abuse policies. However, the Americans with Disabilities Act (ADA) of 1990, the Civil Rights Act of 1964, the Family and Medical Leave Act (FMLA) of 1993, the National Labor Relations Act (NRLA) of 1935, state common law or statutory privacy, confidentiality, employment and other laws, and a variety of other federal and state laws may restrict employer use and access to, and require employers to protect the confidentiality of drug testing and other substance use and abuse screening, treatment and other substance abuse related records. Consequently, while employers are not directly subject to Part 2 and HIPAA, they nevertheless need to ensure compliance with other applicable requirements, particularly since violations of these employer rules tend also to carry potentially substantial liability.

New Part 2 Revisions

The revisions will bring the Part 2 program privacy and confidentiality requirements into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules, as well as require enhanced coordination among providers treating patients for substance abuse disorders (SUDs), and enhance integration of behavioral health information with other medical records in response to provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). that, among other things, required HHS to bring the Part 2 program into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.

Among other things, the Final Rule makes the following modifications to Part 2:

Allows a single patient consent for all future uses and disclosures for treatment, payment, and health care operations.
Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.¹
Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.²
Applies the same requirements of the HIPAA Breach Notification Rule³ to breaches of records under Part 2.
Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part2.
Adds an express statement that segregating or segmenting Part 2 records is not required.
Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.⁴
Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
Creates a new right for patients to opt out of receiving fundraising communications.
Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
Requires a separate patient consent for the use and disclosure of SUD counseling notes.
Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.

Given the concurrent applicability of Part 2 and HIPAA and the Part 2 revisions’ incorporation of HIPAA standards and requirements, providers subject to Part 2 should confirm the compliance of their policies and practices with both the specific requirements of Part 2 and HIPAA generally. When evaluating compliance, covered entities should keep in mind that along with the Part 2 changes, OCR’s applicable regulatory and enforcement HIPAA guidance also has undergone significant change in recent months. The review and update will need to validate compliance with current requirements of both Part 2 and HIPAA, as well as all otherwise applicable federal and state laws and ethical standards. Verifying compliance is particularly important because the Biden Administration has made expansion and enforcement of federal rules protecting access to treatment and safeguarding the confidentiality of mental health and substance abuse treatment records a top priority. In light of this emphasis, all health care providers should act promptly to review and update their policies with these Part 2 changes.as well as other HIPAA and related federal and state changes.

For More Informational

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | Health Care | Tagged: cybersecurity, healthcare, HIPAA, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

OCR Nails Second HIPAA Covered For Allowing Ransomware Breach

February 23, 2024

Health care providers, health plans, health care clearinghouses and their business associates (covered entities) that fail to appropriately safeguard their protected health information and systems against randomware and other malware threats as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should expect to pay hefty amounts to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) if an attack occurs. That is the clear message sent by OCR’s February 22, 2022 announcement of its second ransomware settlement since October, 2023.

Duty To Guard Against Malware

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information.

Ransomware and hacking are the primary cyber-threats in health care. A type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid, OCR has seen large breaches affecting more than 500 individuals reported to OCR involving hacking increase 256% and those from ransomware increase 264% increase over the past five years,

In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

In light of the growing threat, OCR is prioritizing enforcement, education and compliance outreach to HIPAA covered entities.

OCR’s February 22, 2024 announcement of its second ever and second settlement of a malware related enforcement action in less than five months demonstrates OCR’s readiness to hold covered entities accountable for failing to fulfill this responsibility.

Green Ridge Ransomeware Breach

OCR’s February 22, 2022 announcement of its second ever ransomware related resolution agreement and corrective action plan reaffirms OCR’s readiness to hold covered entities accountable for failing to guard against ransomware and other cyber risks.

Green Ridge Behavioral Health, LLC, (Green Ridge), a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy. This marks the second settlement that OCR has reached with a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack.

The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals.

OCR learned of the breach after Green Ridge filed a breach report with OCR in February 2019 that stated that its network server had been infected with ransomware resulting in the encryption of company files and the electronic health records of all patients.

In keeping with its policy of investigating all breaches affecting more that 500 individuals (large breaches), OCR opened an investigation in April, 2019.

OCR’s investigation of the breach found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach. Other findings included that Green Ridge Behavioral Health failed to:

Have in place an accurate and through analysis to determine the potential risks and vulnerabilities to electronic protected health information;
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.

Under the terms of the settlement, Green Ridge agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years to avoid exposure to potentially much greater HIPAA monetary penalties.

The plan also requires Green Ridge to take many actions to resolve potential HIPAA violations and to protect electronic protected health information, including:

Conducting a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
Designing a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
Reviewing, and as necessary, developing, or revising its written policies and procedures to comply with the HIPAA Rules;
Providing workforce training on HIPAA policies and procedures;
Conducting an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
Reporting to OCR when workforce members fail to comply with HIPAA.

First Malware Settlement

Prior to this week’s announcement of the Green Ridge resolution agreement, OCR already had announced its first ever malware related resolution agreement on October 31, 2023.

That $100,000 settlement resolved a potentially much greater HIPAA liability business associate Doctors’ Management Services (DMS) could have faced for alleged HIPAA violations OCR found investigating a large breach report DMS filed on April 22, 2019.

The DMS breach report disclosed that a ransomware attack affected DMS’ network server with GandCrab ransomware beginning with an initial unauthorized access to the network that occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018, Once the DNS system was accessed, ransomware was used to encrypt their files. The attack affected the electronic protected health information of 206,695 individuals

OCR’s investigation of the DNS breach found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

Under the terms of the DMS settlement agreement paid $100,000 to OCR and agreed to implement a corrective action plan that requires:

DMS to submit to OCR monitoring for three years to ensure compliance with HIPAA
Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctor’s Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
Provide workforce training on HIPAA policies and procedures.

Warning To All Covered Entities

Along with announcing the two recent resolution agreements, OCR also is warning all covered entities to tighten their malware and ransomware safeguards.

OCR’s announcement of the Green Ridge resolution agreement, for instance, quotes OCR Director Melanie Fontes Rainer as stating, “Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

To assist covered entities to meet this responsibility, OCR has developed Fact Sheet guidance that recommends covered entities to take at least the following steps to guard against breaches from ransomware and other malware attacks:

Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.
two recent resolutions agreements and other guidance and enforcement actions make clear that all covered entities should ensure their ability to demonstrate their completion of these and other actions a risk analysis shows are needed to defend against a ransomware or other malware threats. This guidance also alerts covered entities to stay vigilant and update risk assessments and safeguards in response as to evolving threats.

Covered entities should not assume the relatively modest settlement amounts collected in the two new ransomware settlements compared to exponentially greater resolution settlements like the $4.75 million settlement payment New York based Montefiore Medical Center made last year reflect greater tolerance for ransomware related threats versus internal or external hacking. To the contrary, the Montefiore Medical Center resolution makes clear the randomware threat is one of a multitude of internal and external threats covered entities must defend their protected health information against to comply with HIPAA.

Moreover, covered entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes, privacy data security, artificial intelligence, workforce, tax, and other laws.

Publicly traded organizations and their leaders also may face responsibilities and liability under new Securities and Exchange Commission regulations, clawback rules and other laws arising from the occurrence or bungled response to a breach.

Likewise, got businesses sponsoring or administering employment-based health plans, Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws. Since HIPAA and many of these other laws involve potential criminal as well as civil liability, organizations and leaders in covered entities generally should ensure their HIPAA and other cybersecurity compliance efforts are included in and administered according to their Federal Sentencing Guidelines Compliance program.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

In planning for an implementing these procedures, Covered Entities also are reminded that the effectiveness of these efforts requires that the Covered Entities incorporate appropriate processes and policies for monitoring and investigating compliance with the policies and procedures implemented to comply with HIPAA. Conducting this monitoring and investigation by necessity is likely to involve surveillance, investigation and cooperation of employees, contractors, vendors and others for which Fair Credit Reporting Act background check notification and consent and other procedures are necessary or advisable.

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence. Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.