With the continuing integration of hospitals and outpatient services into health systems unabated, as well as mergers of providers, payers, and even retail pharmacy chains in the mix, now is the time to finally address the overlapping and conflicting requirements of HIPAA and 42 CFR Part 2. Even if a HIPAA covered entity doesn't offer services qualifying as a Part 2 program, the widespread impact of the opioid crisis has made it increasingly likely that many hospitals and medical providers have become what 42 CFR Part 2 defines as a lawful holder. Lawful holders must figure out how to compliantly track and manage those parts of the patient medical record that contain Part 2 protected information and ensure they abide by Part 2, not HIPAA in respect to what may be a very minute part of their overall business.
Organizations that do have Part 2 programs have a different set of compliance challenges in respect to exchanging information for continuity of care. HIPAA allows this without specific patient authorization, Part 2 requires consent except in cases of bonafide emergency. HIPAA requires revocation of authorization in writing, Part 2 requires providers accept verbal revocation if the patient is unable or refuses to put it in writing. I could go on and on. The 21st Century Cures Act imposes obligations on providers to attest that they are not blocking the exchange of data or putting up barriers to Health Information Exchange (HIE). How is that going to work when Part 2 protected records are comingled in an integrated care setting? Congress is considering resolving these conflicts through the Overdose Prevention and Patient Safety Act. Hopefully partisan concerns won't gridlock this legislation and a common sense set of protections that continue to protect patient privacy and do not impede patient care will be the result.