The U.S. Department of Health and Human Services (HHS) is launching a new breach reporting website and program specifically designed to help protect substance use disorder records.
What happened
On February 16th, the HHS’ Office for Civil Rights launched a new program to provide enforcement mechanisms for protecting the confidentiality of substance use disorder (SUD) patient records, which are covered by a regulation titled 42 CFR Part 2.
When users go to the HHS breach report portal, they will now see an option for reporting and viewing “Part 2” cases, although no cases are visible on the portal at this time.
Organizations had until February 16th to comply with the changes, which include updating patient consent and privacy notices to reflect the change.
Going deeper
The portal is part of a larger enforcement program to ensure that organizations that face a breach involving SUD take corrective actions and face penalties or settlements as needed. 42 CFR Part 2 rules apply to any federally assisted programs that provide diagnosis or treatment for SUDs. Requirements also apply to any organizations that receive SUD records, including other service providers.
The new program and portal follow several changes the HHS implemented in 2024 to ensure Part 2 aligned with HIPAA requirements. The major goal of the changes was to enable easy coordination of care among providers while maintaining data protection.
What was said
Paula Stannard, director of the HHS OCR stated, “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens.”
Regulatory attorney Aleksandra Vold critiqued the news, stating, “We would like to see OCR provide guidance regarding what language it considers sufficient when providing description of the scope of the consent.” Vold also requested guidance for specific scenarios, such as if a doctor is being investigated for intoxication while providing care. Lastly, Vold says she believes having two separate forms could result in confusion from healthcare organizations.
The big picture
Some experts are concerned about the HHS OCR’s ability to enforce mandates with the new Part 2 mandates, but the efforts show the office’s growing concern for privacy regarding records that are considered highly intimate and private. A 2023 study, Cybersecurity: A Critical Priority for Digital Mental Health, noted that cyberattacks against any mental health institution, including providers of substance abuse treatment, can be especially detrimental. The researchers stated, "Cyber-attacks not only negatively impact victims of the crime, but they can also impact all other service users who are no longer able to access the support they need from their provider.”
FAQs
Are reporting requirements the same across both portals?
The two portals are very similar. Just like with other HIPAA breaches, organizations with a Part 2 breach will need to report it if it impacts 500 or more. These breaches will need to be reported with 60 days of discovery. Breaches impacting less than 500 individuals will need to be reported within 60 days of the end of the calendar year.
When will we start seeing breach reports in the portal?
While the portal is live, no reports have been added yet. The HHS receives a high volume of reports alongside other duties related to enforcement and awareness that can cause delays for when reports become available.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Abby Grifno
