HIPAA & 42 CFR Part 2
If you don’t have the HIPAA program or Forms app, reach out to MedSafe to discuss how to add the program.
Question 1.
Where do I find the new HIPAA Notice of Privacy Practices?
– Log into your MedSafe Compliance account. Click on the Forms application.
In the Search Box type in the key word “Notice” and your will see the updated forms.
A 5-page document for those offices that have utilized this format.
A tri fold for patients to take home.
A 2-page document to hang up on the wall in your waiting room.
- Remember this is the same version you can place on your website.
All 3 are customizable so you can add your name, address, etc.
Question 2.
Do I need to Hand all patients the new Notice of Privacy Practices?
No.
Question 3.
Do I need all patients to sign the Patient Acknowledge of NPP form?
Yes.
– All patients must be notified that there has been an update and sign the Patient Acknowledge of NPP form (which is also available in the Forms application)
(If you don’t have the HIPAA program or Forms app reach out MedSafe to discuss how to add the program)
Question 4.
Where do I find the new Business Associate Agreement?
– Log into your MedSafe Compliance account. Click on the Forms application.
In the Search Box type in the key work Business and your will see the updated forms.
Question 5
Are covered entities required to update all of their Business Associate Agreements?
Answer: Health and Human Services strongly recommends that covered entities update their Business Associate Agreements. If a Business Associate were to ever handle, store or use Part 2 records, they must comply with the enhanced Part 2 privacy requirements. Health and Human Services, through the Substance Abuse and Mental Health Services Organization and the Office for Civil Rights, has finalized a rule that aligns 42 CFR Part 2 Substance Use Disorder (SUD) records with HIPAA. The practice must also adhere to the updated consent and re-disclosure requirements.
Question 6.
What if a pediatric office only receives records from a dedicated Part 2 program but does not provide specialized SUD treatment?
Answer: The pediatric office must still adhere to the updated rules regarding re-disclosure and compliance with patient’s consent.
Substance Abuse and Mental Health Services Organization and the Office for Civil Rights, has finalized a rule that aligns 42 CFR Part 2 Substance Use Disorder (SUD) records with HIPAA. The practice must also adhere to the updated consent and re-disclosure requirements.
Question 7.
When a patient shares information, what should a medical practice or dental practice consider Part 2 information?
Answer: Information that a patient shares informally with a dentist or doctor, which is not obtained from a specialized Part 2 treatment program, may only be subject to standard HIPAA rules rather than the more stringent Part 2 rules. Health and Human Services best practice often treats this information as highly sensitive. This means that the practice should handle this information as required by Part 2.
Question 8.
What is the training requirement for the new CFR Part 2 rules and is there a deadline for the training?
Part 2 HIPAA training must cover all aspects of 42 CFR Part 2. The deadline for training is February 16, 2026. Missing the deadline means potential liability. If training is not completed by the deadline, organizations should train the staff immediately as possible. The training should be documented, including the date it was completed, and maintain records to demonstrate a good faith effort to comply, even if delayed.
This means that the practice should handle this information as required by Part 2.
Ready to Get Started?
Contact us today to learn how we can help your practice maintain complete compliance.