Section 1320d-6 - Wrongful disclosure of individually identifiable health information

21 Analyses of this statute by attorneys

  1. Physicians Convicted of Criminal HIPAA Violations but Avoid Jail: Lessons Learned?

    K&L Gates LLP | Patricia Shea | February 26, 2019

    42 U.S.C. § 1320d(6). [2] See 42 U.S.C. § 1320d‒6; see also U.S. Dep’t of Just., Scope of Criminal Enforcement Under 42 U.S.C. § 1320d‒6 (June 1, 2005), https://www.justice.gov/sites/default/files/olc/opinions/attachments/2014/11/17/hipaa_final.htm. [3] See id. [4] U.S. Dep’t of Just., Scope of Criminal Enforcement Under 42 U.S.C. § 1320d‒6 (June 1, 2005), https://www.justice.gov/sites/default/files/olc/opinions/attachments/2014/11/17/hipaa_final.htm. [5] 42 U.S.C. § 1320d‒6. [6] See id. [7] See U.S. Dep’t of Just., Aegerion Pharmaceuticals and Dr. Gerritts’ Complaint and Information, https://www.justice.gov/opa/press-release/file/998181/download. [8] U.S. v. Montaña, No. 18-CR-10044 (D. Mass. Feb. 26, 2018), https://www.law360.com/articles/1015998/attachments/0. [9] Id.

  2. Office for Civil Rights Provides HIPAA Privacy Rule on Disclosures of Information Relating to Reproductive Healthcare

    BakerHostetler | Aleksandra Vold | July 5, 2022

    The clinic may disclose only the PHI expressly authorized by the court order. Given the current administration’s vehement opposition to Dobbs, we may see HIPAA’s individual criminal liability section leveraged to punish such voluntary disclosures by workforce members. See 42 U.S.C. § 1320d-6(a) (making it a federal criminal offense to knowingly and in violation of HIPAA disclose PHI to a third party); and see 42 U.S.C. § 1320d-6 (setting out penalties of imprisonment ranging from not more than one to not more than 10 years, and fines ranging from not more than $50,000 to not more than $250,000).

    Disclosures to avert a serious threat to health or safety

    Subsection 512(j) permits a covered entity to disclose PHI, “consistent with applicable law and standards of ethical conduct,” if the covered entity has a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to someone who can prevent or lessen the threat.

  3. First Circuit Decision Underlines Risk of Criminal HIPAA Enforcement

    Buchalter | Andrea Musker | August 20, 2020

    The HIPAA Criminal Statute

    While virtually all health care providers are familiar with HIPAA, many may not realize that violations can be punished as federal crimes. The relevant statute is 42 U.S.C. § 1320d-6, which makes it illegal to knowingly “use or cause to be used a unique health identifier,” obtain individually identifiable health information, or disclose such information to another person. A person illegally “obtains” or “discloses” information if it is maintained by a HIPAA “covered entity” (as defined in HIPAA privacy regulations) and the person obtains or discloses it without authorization.

  4. First Ever HIPAA Privacy Criminal Conviction

    Crowell & Moring LLP | August 26, 2004

    According to news reports, the theft was uncovered in February 2004, at which point Gibson was fired from his job as a phlebotomist/lab technician at the cancer center. The U.S. Attorney’s Office for the Western District of Washington charged Gibson under 42 U.S.C. § 1320d-6(a)(3) and (b)(3). These provisions provide that a person who knowingly, and in violation of HIPAA, discloses individually identifiable health information to another person with intent to “sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm,” may be fined not more than $250,000, imprisoned not more than 10 years, or both.

  5. OCR Releases Final HIPAA Privacy Rule to Support Reproductive Health Care Privacy

    Morgan Lewis - ML Benefits | Saghi Fattahian | May 17, 2024

    or if the covered entity reasonably believes that disclosure to the personal representative could endanger the individual.

    Attestation Required for Certain Uses and Disclosures

    A covered entity or business associate must receive a valid attestation before using or disclosing PHI potentially related to reproductive health care if the PHI is to be used for any of the following purposes:

    - Health oversight activities
    - Judicial and administrative proceedings
    - Law enforcement
    - Coroners and medical examiners

    The attestation must include the following elements:

    - A description of the information requested
    - The name of any individual(s) or a description of the class of individuals whose PHI is being sought
    - The identity of the person(s) or class of persons being asked to disclose the PHI
    - The identity of the person(s) or class of persons asking for the PHI
    - A clear statement that the recipient will not use or disclose the PHI for a prohibited purpose
    - A statement that a person may be subject to penalties pursuant to 42 USC 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person

    The attestation must also be written in plain language and may not be combined with any other document, such as a general authorization form.

    The Final Rule requires strict compliance with the attestation rules. An attestation may be deemed invalid if it contains less or more information than what is required. OCR notes that it intends to publish a model attestation form prior to the Final Rule’s compliance date.

    Notice of Privacy Practices

    Covered entities must revise their Notice of Privacy Practices to include, among other things, information regarding the types of uses and disclosures prohibited by the Final Rule, as well as the scenarios in which an attestation will be required. Covered entities have until February 16, 2026 to comply with the updated Notice of Privacy Practices req

  6. It’s Not Just About Dobbs: HHS Issues Final Rule on Reproductive Health

    BakerHostetler | Aleksandra Vold | May 16, 2024

    ns and requirements, it would be prudent to limit business associates’ involvement in some of the more complex requests.

    The new Section 164.509 specifies the content requirements of a valid attestation:

    - A description of the information requested that identifies the information in a specific fashion, including either the name of any individual(s) whose PHI is sought, if practicable, or if including the name(s) of any individual(s) whose PHI is sought is not practicable, a description of the class of individuals whose PHI is sought.
    - The name or other specific identification of the person(s), or class of persons, who are requested to make the use or disclosure.
    - The name or other specific identification of the person(s), or class of persons, to whom the covered entity is to make the requested use or disclosure.
    - A clear statement that the use or disclosure is not for a purpose prohibited under Section 164.502(a)(5)(iii).
    - A statement that a person may be subject to criminal penalties pursuant to 42 U.S.C. 1320d-6 if that person knowingly and in violation of HIPAA obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person.
    - The signature of the person requesting the protected health information, which may be an electronic signature, and date. If the attestation is signed by a representative of the person requesting the information, a description of such representative’s authority to act for the person must also be provided.

    While the attestation itself is fairly straightforward, simply receiving the attestation is not the end of the work for covered entities and business associates. While the commentary makes clear that regulated entities are not required to investigate the validity of an attestation, reliance is only appropriate “if, under the circumstances, a regulated entity reasonably determines that the request is not for investigating or imposing liability for the mere act of seeking, obtaining, pr

  7. Updates to Part 2 Finalized to Align with the HIPAA Privacy Rules

    Morgan Lewis - Health Law Scan | March 25, 2024

    iolations of Part 2, in addition to concurrently filing a complaint directly with the Part 2 treatment program. Consistent with this requirement, the Final Rule requires Part 2 programs to develop a process to receive complaints from patients, similar to HIPAA’s complaint process requirement, and prohibits retaliation against patients for filing a complaint.

    Violators of Part 2 requirements may also now face the same civil and criminal enforcement authorities that apply to HIPAA violators, including possible application of civil monetary penalties and imprisonment. Under the Final Rule, a Part 2 program will be subject to the civil penalties promulgated at 42 USC 1320d–5 for violations of Part 2 in which either the violator did not know (and by exercising reasonable diligence would not have known) of the violation, or in instances where the requirements were violated through reasonable cause or willful neglect.

    Part 2 programs may also be subject to the criminal penalties promulgated at 42 U.S.C. 1320d–6 for knowingly using, obtaining, or disclosing individually identifiable information in violation of Part 2.

    Safe Harbor

    Relatedly, the Final Rule also creates a safe harbor from civil or criminal liability for investigative agencies (i.e., state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agencies having jurisdiction over the activities of Part 2 programs or other person holding Part 2 records) that act with reasonable diligence in determining whether a provider is subject to Part 2 before making a request for records. To exercise reasonable diligence, an investigative agency must review SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part 2.

    The safe harbor also requires investigative agencies to take certain protective steps in the event the agency discovers Part 2 records were received without the requisite court

  8. The Long-Awaited Part 2 Modifications Are Finalized with New Obligations for Part 2 Providers and Less Friction for Sharing Patient Information

    BakerHostetler | Kyle Gregory | March 1, 2024

    t breaches. HHS OCR is required to investigate any breach reported to it that impacts 500+ patients, but it has investigated entities reporting smaller breaches as well.

    Qualified Service Organizations and Business Associates

    The Final Rule revises the definition of Qualified Service Organization to include a person/entity that meets the definition of “business associate” in 45 CFR 160.103 of a Part 2 program that is also a covered entity, with respect to the use and disclosure of PHI that also constitutes a Part 2 record. Note that a business associate agreement can also include the language required for a Qualified Service Organization Agreement.

    Penalties

    Civil and criminal penalties for violations of Part 2 will be enforced as they are under HIPAA. Penalties will be assessed as they are under the HIPAA Enforcement Rule, as implemented by HITECH (see 42 USC 1320d-5, explaining the four tiers of civil penalty assessments ranging from $100 per violation to $50,000 per violation; see also 42 USC 1320d-6, explaining potential criminal penalties of up to 10 years’ imprisonment and/or a $250,000 fine).

    Special Notes for Tribal Entities

    Given the critical need for SUD care in Indian Country and the fact that SUD care is often provided incidental to primary medical care in remote settings, tribal health experts advocated for an exemption from the Part 2 requirements in tribal health settings. In a move that will undoubtedly create compliance challenges for tribal health providers, HHS declined to explicitly carve out Indian Health Service (IHS) and tribal facilities that provide medications for opioid use disorder incident to general medical care. Instead, HHS performed a tribal consultation in summer 2023 and will reportedly continue to consider additional ways to clarify the distinction between a Part 2 program and incidental treatment for SUD within a general medical care setting, along with considering additional ways to provide technical guidance to IHS and tribal facilities on Part 2

  9. HHS Final Rule Brings Sweeping, Complex Changes for Substance Use Records

    Alston & Bird | February 19, 2024

    ons, similar to the HIPAA complaint process. Patients can also simultaneously file a complaint directly with the Part 2 program. Part 2 programs cannot take adverse action (such as intimidating or retaliating) against patients who file such complaints and cannot require patients to waive the right to file such complaints. Patient complaints submitted to the Secretary of HHS can allege a Part 2 violation by a Part 2 program, a covered entity, business associate, qualified service organization, or other lawful holder of Part 2 records. HHS stated a patient can complain to either HHS or a Part 2 program, or both—there is no “wrong door” to complain. Part 2 programs must comply with HHS requests to investigate or determine their Part 2 compliance.

    Applies HIPAA enforcement approach and authorities (including the HITECH culpability tiers) to noncompliance with Part 2 regulations. Any person who violates the Part 2 regulations would be subject to applicable penalties under 42 USC 1302d-5 and 1320d-6. HHS clarified in commentary that such penalties would not be harsher than HIPAA violations, and HIPAA’s mitigating factors and affirmative defenses would apply. HHS also stated an entity could be subject to both Part 2 and HIPAA and therefore potentially subject to penalty provisions of both laws for violations.

    Adds many definitions borrowed in large part from HIPAA definitions to the Part 2 regulations, including breach, business associate, covered entity, health care operations, HIPAA, payment, personal representative, public health authority, unsecured protected health information, and unsecured record. (The definitions of unsecured protected health information and unsecured record are consistent with HIPAA to help align new breach reporting obligations for Part 2 records.)

    Added other formal definitions, such as intermediary and lawful holder, both of which have varying obligations and exceptions. The definition of intermediary is based on function: “a person, other than a [Part

  10. Bridging the Gap: Key Changes in the Part 2 Final Rule

    Baker Donelson | February 15, 2024

    atient consent, or a court order. SUD providers often receive subpoenas for patient records for use in legal proceedings. To properly respond to those subpoenas, SUD providers have had to carefully determine whether the request includes SUD records, which require specific patient consent or a special Part 2 court order. Although the Final Rule relaxes the patient consent requirements for disclosures for TPO purposes, Part 2 remains stricter than HIPAA when it comes to the use of SUD records in legal proceedings.

    This special restriction is another important and often forgotten topic SUD providers should highlight as they revise their policies and procedures and establish new training.

    Penalty Structure

    Previously, Part 2 stated that any person in violation of the Part 2 regulations would be subject to criminal penalties, which were not heavily enforced by the U.S. Department of Justice. The Final Rule has adopted HIPAA's criminal and civil penalty structure found in 42 U.S.C. 1320d–5 and 1320d-6, which now means there will be a consistent enforcement process for HIPAA and Part 2. The Final Rule states that HHS will identify the enforcing agency prior to February 16, 2026.

    Other Key Changes

    In addition to the above changes, the Final Rule also:

    - Creates a right for patients to file a complaint for an alleged violation of Part 2 directly with the Secretary of HHS;
    - Aligns Part 2 Patient Notice requirements with the HIPAA Notice of Privacy Practices requirements; and
    - Creates a safe harbor limit to the criminal and civil penalties that can be imposed on investigative agencies for violating Part 2 if the agencies act with reasonable diligence.

    Next Steps

    Providers have two years to come into compliance with the Final Rule but may voluntarily comply with the new provisions any time after its effective date. For those SUD providers seeking to take advantage of the beneficial changes in the Final Rule sooner, be mindful of the importance of implementing new practices consistently and cohesive