Proteus Consulting works with a handful of substance use disorder (SUD) Covered Entity clients and we know that it's hard to balance all of the obligations to comply with the rules that protect peoples' most personal information. Making things more complicated is that the Rules established to protect SUD information are less clear (although understandable) than the HIPAA Rules.
DoHHS (the Substance Abuse and Mental Health Services Administration specifically) released their "final rule" and a fact sheet to communicate recent changes to managing SUD information, protected by CFR 42, Part 2. Historically, SUD information has been discussed as a special subset of protected health information. Covered Entities should consult with their legal team to ensure that all Part 2 regulations and that the relationship between HIPAA and SUD information are understood.
To summarize, HHS has changed:
protection and management of SUD information
SUD patient consent rules, and
how programs monitor enrollment and activities
One of the main goals of these changes is to "...reduce opioid misuse and abuse and to support patients and their families confronting substance use disorders..." and to more effectively align SUD protected information with HIPAA.
Stay (HIPAA) safe,