May 31, 2020

May 30, 2020

Subscribe to Latest Legal News and Analysis

May 29, 2020

Subscribe to Latest Legal News and Analysis

May 28, 2020

Subscribe to Latest Legal News and Analysis

COVID-19: CARES Act Overhauls Federal Substance Use Disorder Privacy Law

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) passed by the Senate on March 25, 2020 would make fundamental changes to the federal law, 42 U.S.C. § 290dd-2, implemented at 42 C.F.R. Part 2 that governs the confidentiality of substance-use disorder records (Part 2).  Most critically, the CARES Act would dramatically ease the ability of health care providers to share protected substance-use disorder information with patient consent, going far beyond both the finalized 2017 revisions to the Part 2 rules and the proposed 2019 changes.  It would also make several important changes to align certain Part 2 requirements with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA).  The CARES Act has not yet been passed by the House of Representatives or signed by the President, but it is expected to be enacted without further changes. We will update this article to reflect subsequent developments.

The federal substance-use disorder privacy law has typically been associated more closely with its implementing regulations than the underlying statute because of how much critical detail was left to the discretion of the Substance Abuse and Mental Health Services Administration (SAMHSA).  While the changes in the CARES Act override some of the regulatory decisions SAMHSA has made in the past, the law also directs the Secretary of the Department of Health and Human Services to implement its provisions in regulations that would be effective 12 months after the date the CARES Act is enacted.  Given that Congress still envisions a significant role for SAMHSA, it remains to be seen how the changes will ultimately be implemented through agency-drafted regulation.

The most significant changes are summarized in more detail below:

Eases the Ability of Part 2 Programs to Disclose Information with Patient Consent

The CARES Act amends the statutory authority for disclosures with patient consent to provide that once a patient gives prior written consent, the contents of a record “may be used or disclosed by a covered entity, business associate, or a [Part 2 program] for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.”  It makes explicit that redisclosures may then be made in accordance with HIPAA, until the patient revokes the consent.  That is, unlike HIPAA, patients have the right under Part 2 to prohibit or cut off disclosures for treatment, payment, and health care operations by withholding or revoking their written consent.

This represents the single most far-reaching change in the law.  Part 2 has long been considered a barrier to information sharing because of the regulatory requirement that a patient’s consent  must identify who can receive the information by name (as opposed to a general category or description of the recipient as is permitted under HIPAA).  Even though this requirement was relaxed to some extent in 2017 for disclosures to treating providers, it remains a significant obstacle to information sharing.  If the CARES Act is signed into law, Congress will have ensured through these changes that there will no longer be a requirement to identify by name the individual or entity who may receive information pursuant to a written consent.

Incorporates Select HIPAA Provisions into Part 2

The CARES Act aligns Part 2 more closely with HIPAA in several ways:

  • Breach Notification.  It incorporates the requirements of the HIPAA Breach Notification Rule such that breaches of records of Part 2 programs are subject to the same breach notification requirements that apply to breaches of HIPAA protected health information (PHI). Part 2 does not currently contain a breach notification provision. 

  • Civil and Criminal Penalties.  It makes the statutory civil and criminal penalties that apply to violations of HIPAA applicable to violations of Part 2.

  • Notice of Privacy Practices.  It requires Part 2 programs to provide notices of privacy practices that include, in plain language, a statement of patient’s rights and a description of each purpose for which the entity is permitted or required to use or disclose protected information. Part 2 currently requires Part 2 programs to provide a written summary of Part 2’s restrictions to patients, but does not require providing a full notice of privacy practices.

  • Accounting of Disclosures.  It provides that all disclosures for treatment, payment, and health care operations pursuant to its enhanced disclosure authority are subject to HIPAA rules guaranteeing individuals the right to an accounting of disclosures of PHI.

Adds New Antidiscrimination Provision

The CARES Act also adds a new provision that prohibits discriminating against an individual for the following purposes on the basis of information received—whether intentionally or inadvertently—from Part 2 records: 

  • Admission, access to, or treatment for health care;

  • Hiring, firing, or terms of employment, or receipt of worker’s compensation;

  • The sale, rental, or continued rental of housing;

  • Access to federal, state, or local courts; 

  • Access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local government; and

  • Affording access to services provided with federal funds.

© 2020 Foley & Lardner LLP

TRENDING LEGAL ANALYSIS


About this Author

Adam Hepworth,  Health Care Attorney, Foley Law Firm
Associate

Adam J. Hepworth is an associate and health care business lawyer with Foley & Lardner LLP. He is a member of the firm’s Health Care Industry Team.

Prior to joining Foley, Mr. Hepworth was a law clerk for Judge Harris L. Hartz on the United States Court of Appeals for the Tenth Circuit. He also interned in the San Francisco City Attorney’s health group and externed in the Civil Division of the United States Attorney’s Office in San Jose. Before he attended law school he was a policy intern for Sierra Health Foundation, where he worked on...

213-972-4604
Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney
Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation to the notification of affected individuals and state and federal government regulators. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath. Prior to joining Foley, Ms. Hennessy was a health law associate with a large U.S. law firm based in Milwaukee.

617-502-3211