June 6, 2020

June 05, 2020

Subscribe to Latest Legal News and Analysis

June 04, 2020

Subscribe to Latest Legal News and Analysis

CARES Act Brings Changes to Federal Substance Use Disorder Privacy Law

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted March 27, 2020, rewrote significant portions of 42 U.S.C. § 290dd-2, the federal statute governing the confidentiality of substance use disorder (SUD) records that is more commonly known by its implementing regulations at 42 C.F.R. Part 2 (Part 2). Among other changes, the CARES Act revises the permissible uses and disclosures of SUD records to more closely align with the HIPAA Privacy Rule, 45 C.F.R. § 164.500, et seq., when a Part 2 program obtains the patient’s prior written consent.

Historically, Part 2 programs have been restricted in their ability to share SUD records by the Part 2 regulations, which require written patient consent for each disclosure of SUD records and prohibit re-disclosure of such SUD records except in limited circumstances. The CARES Act directs the Secretary of the U.S. Department of Health and Human Services (HHS), in consultation with appropriate federal agencies (which may include the Substance Abuse and Mental Health Services Administration (SAMHSA)) to revise the Part 2 regulations as necessary to implement and enforce the statutory revisions contained in the CARES Act effective March 27, 2021. The forthcoming revisions to the Part 2 regulations may be substantial given these CARES Act changes to the federal statute.

Another significant change to the federal SUD confidentiality statute addresses the ability of health care providers to use SUD records for treatment, payment, and health care operations purposes (except for certain provider fundraising activities) in a manner more consistent with the allowances provided for protected health information under HIPAA. Specifically, the CARES Act authorizes a Covered Entity or Business Associate (as those terms are defined in the HIPAA Privacy Rule) or Part 2 Program (as defined by the Part 2 regulations) to use, disclose, or re-disclose SUD records with the patient’s written consent for treatment, payment, and health care operations as permitted by the HIPAA regulations, 45 C.F.R. Parts 160, 162, and 164, and Sections 13405(a) and (c) of the Health Information Technology and Clinical Health Act (42 U.S.C. § 17935(c)) (HITECH Act). Under the revised statute, a patient can provide written consent once that will then authorize all such future uses or disclosures for purposes of treatment, payment, and health care operations until such time as the patient revokes such consent in writing.

Additionally, the CARES Act incorporates the following privacy protections for SUD records:

  • Except as otherwise authorized by court order or by written patient consent, SUD records or testimony relaying information from the SUD records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority.

  • Penalties applicable to HIPAA violations (42 U.S.C. §§ 1320d-5 and 6) shall apply to a violation of 42 U.S.C. § 290dd-2.

  • The breach notification provisions of Section 13402 of the HITECH Act shall apply to SUD records.

  • By March 27, 2021, HHS will update the HIPAA Privacy Rule to require that Part 2 programs provide notice of privacy practices, written in plain language, describing the patient’s rights with respect to the Part 2 records and how the patient may exercise those rights, and describing each purpose for which the Part 2 program is permitted or required to use or disclose the SUD records without the patient’s written authorization.

  • Part 2 providers can disclose information, regardless of whether the patient gives written consent, to a public health authority (as defined by HIPAA), if the content is de-identified in accordance with the HIPAA de-identification standards set forth at 45 C.F.R. § 164.514(b).

  • Patients shall have the right to request a restriction on the use or disclosure of SUD records for treatment, payment, or health care operations.

  • Patients shall have the right to request an accounting of disclosures of SUD records consistent with the HITECH Act and HIPAA.

  • Entities shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records in: (a) admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to federal, state, or local courts; or (e) access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local governments.

  • Recipients of federal funds shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records, when offering access to services provided with such funds.

The CARES Act provides that the above-summarized amendments to the federal SUD statute will apply to uses and disclosures of information on or after March 27, 2021. While these changes implement long-awaited alignment efforts to enable data sharing across providers in a manner consistent with the allowances permitted under HIPAA, the real impact of these changes will come from the forthcoming implementing agency regulations from, which are also due to be issued by March 27, 2021.

©2020 Greenberg Traurig, LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Julie Sullivan, Greenberg Traurig Law Firm, Healthcare Law Attorney, Denver
Shareholder

Julie A. Sullivan is a health care regulatory and compliance attorney concentrating her practice on state and federal health care fraud, waste and abuse guidance, as well as health privacy and security law. She represents health care providers and suppliers in complex regulatory and transactional matters, and routinely advises on issues such as corporate practice of medicine, fee splitting, licensure and certification, Medicare and Medicaid reimbursement, and medical staffing. Julie also structures mergers and acquisitions in the health care space to comply with the vast...

303-685-7412
Renae M. Nanna Associate Healthcare FDA Denver
Associate

Renae M. Nanna advises health care providers on a range of regulatory and transactional matters, including the licensure and certification of health care facilities, Medicare and Medicaid program participation requirements, and federal and state health care fraud, abuse, and self-referral laws. She also counsels clients on corporate practice prohibitions, fee-splitting, accreditation, credentialing, scope of practice, professional services agreements, management services agreements, and supervision and delegation requirements.

Renae conducts compliance audits and regulatory due diligence for mergers and acquisitions in the health care industry and advises clients on planning and structuring health care transactions and business arrangements.

303-572-6575