Feb 2026 - Newsletter

Included in this newsletter

  1. HIPAA 2026 changes: Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records
  2. Optum and M3P Compliance
  3. Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk
  4. Tutorial to Reconcile MTF and Beacon MFP Data
  5. Medicare Part B Billing
  6. New Compliance Advisor, Pharmacist Charles Heal, RPh


HIPAA 2026 changes: Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records 

By February 16, 2026, covered entities must be in full compliance with the updated 42 CFR Part 2 rule, which governs the confidentiality of substance use disorder (SUD) patient records. This update aligns Part 2 more closely with HIPAA, although it maintains heightened protections for SUD records. A significant change allows patients to provide a single consent for future uses and disclosures of their SUD records for treatment, payment, and healthcare operations. All HIPAA covered entities that handle any SUD treatment information are impacted and should have updated their Notice of Privacy Practices (NPP) by this date.

 

A retail pharmacy is not typically considered a "Part 2 program" and therefore is not automatically subject to the stringent privacy rules of 42 CFR Part 2 simply for dispensing medications for substance use disorder (SUD), such as buprenorphine or methadone. This is because the pharmacy is not holding itself out as a specialized provider of SUD diagnosis, treatment, or referral for treatment.

However, the pharmacy's obligations can change depending on how it receives the prescription and related patient information.

Key Distinctions for Pharmacies:

  • "Lawful Holder" of Part 2 Information: Even though the pharmacy itself is not a Part 2 program, if it receives a prescription or other patient-identifying information directly from a Part 2 program, that specific information retains its protected status. In this scenario, the pharmacy becomes a "lawful holder" of Part 2 data.
  • Obligations as a Lawful Holder: As a lawful holder, the pharmacy must protect the received Part 2 information according to the regulation's strict confidentiality requirements. This means the information cannot be redisclosed without specific patient consent that meets Part 2's detailed requirements. A general HIPAA authorization is not sufficient.

For pharmacies, this means that while they operate primarily under HIPAA, they must have procedures in place to identify and provide heightened protection for any SUD-related information that originates from a Part 2 program. All pharmacies are considered HIPAA covered entities and must comply with its privacy, security, and breach notification rules.

 

We have posted an updated NOPP to the R.J. Hedges Portal HIPAA Program, Chapter 1, a. Notice of Privacy Practices (F0210). You should post it prominently in the pharmacy, make it available on any website you maintain that provides information about your customer services or benefits, and make copies available to any person who asks for one. You are not required to redistribute it to all patients when the notice is revised.

Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records or “Part 2” | HHS.gov

Optum and M3P Compliance 

If you've been relying on phone calls from Optum or other Medicare Part D Plans to get opt-in updates and processing information for the Medicare Prescription Payment Program (M3P), you need to take immediate action to make automated notifications in paid claim responses do the work for you. NCPA is aware of compliance notices sent to pharmacies in recent days that mention termination from the Part D network as a potential penalty.

Contact your dispensing system vendor's customer support to learn about solutions for Approved Message Code 057, Beneficiary participating in Prescription Payment Plan. Patients who switched plans or opted in to M3P for the first time this year will need to have the processing information added to their profile — and your vendor can help you get the processing information out of the paid claim responses too. Patients who change their mind and no longer want to participate in M3P can contact their plan to opt out.

Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk

HIPAA compliance training is essential for preventing inadvertent disclosures, improving incident reporting, and keeping workflows on the right side of privacy law. But protecting patient PHI extends to your software and network infrastructure.

The HIPAA regulations are scheduled to change this year. The biggest challenge will be cybersecurity requirements, which are already out of date. The government cannot keep up with the fast-changing technology landscape. The responsibility for securing your patients’ PHI within your network lies with the owner of the healthcare practice, be it a pharmacy, DMEPOS facility, or medical office. If your healthcare software provider is stating their software is secure and safe, it might be. However, the network starts with your router and includes the firewall and modems. If you are not working with an IT company, we recommend you enlist a reputable IT company and ask them to come and do an on-site evaluation of your network, and to repeat it annually. There may be additional security measures they recommend to keep your network more secure and prevent potential PHI breaches or cybersecurity issues.

Please take a couple of minutes to review this HIPAA Journal article: “Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk.”

Tutorial to Reconcile MTF and Beacon MFP Data  

View this step-by-step tutorial and take control of reconciling manufacturer refund payments for claims that are eligible for the Medicare Drug Price Negotiation Program. Apex Consulting's no-paywall tutorial will let you compare the estimated standard default refund amount (SDRA) with the actual refund authorized by the manufacturer for each individual ICN assigned by the Medicare Transaction Facilitator (MTF).

Medicare Part B Billing 

Have you been having issues with billing for your DMEPOS items? Medicare Part B billing software does not capture the mandatory HCPCS codes and modifiers for proper billing and the electronic billing services don’t ask for the information.

CMS has FREE software called PC-ACE Pro32 that can help with this issue. PC-ACE is billing software provided by EDISS for creating claims and reviewing acknowledgement reports and remittance advices. All the information needed to run this software is found on the prescription and the Detailed Product Descriptions for the dispensed product that are located on the Compliance Portal® in DMEPOS, Section 2A – Supplement, including HCPCS codes and the correct modifiers to use.

The prescription is entered as a cash item through pharmacy software. The claim is then entered into the PC-ACE Pro32 software. The EOBs will also be in this software. In addition, there are training modules on CMS’ websites for the staff to use. PC-ACE tracks payment status, denials, and resubmissions of claims. It is a bit more work, but you will receive your funds and not pay anyone for their services. You can find additional information, guides, and frequently asked questions at this link:

https://cgsmedicare.com/hhh/edi/pro32/

New Compliance Advisor, Pharmacist Charles Heal, RPh 

We would like to introduce Charles “Chuck” Heal, RPh as our new Pharmacy Compliance Advisor. He has assisted as one of our peer reviewers in the past and has worked with the staff for several years. Chuck is currently learning the R.J. Hedges & Associates’ internal processes, software, and structure. He has started to review and research regulations and will be assisting with general compliance knowledge, updates, and solutions. He will gradually replace former owner and Compliance Consultant Jeff Hedges as he continues to ease into retirement.