COVID-19: CARES Act Overhauls Federal Substance Use Disorder Privacy Law
The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) passed by the Senate on March 25, 2020 would make fundamental changes to the federal law, 42 U.S.C. § 290dd-2, implemented at 42 C.F.R. Part 2 that governs the confidentiality of substance-use disorder records (Part 2). Most critically, the CARES Act would dramatically ease the ability of health care providers to share protected substance-use disorder information with patient consent, going far beyond both the finalized 2017 revisions to the Part 2 rules and the proposed 2019 changes. It would also make several important changes to align certain Part 2 requirements with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). The CARES Act has not yet been passed by the House of Representatives or signed by the President, but it is expected to be enacted without further changes. We will update this article to reflect subsequent developments.
The federal substance-use disorder privacy law has typically been associated more closely with its implementing regulations than the underlying statute because of how much critical detail was left to the discretion of the Substance Abuse and Mental Health Services Administration (SAMHSA). While the changes in the CARES Act override some of the regulatory decisions SAMHSA has made in the past, the law also directs the Secretary of the Department of Health and Human Services to implement its provisions in regulations that would be effective 12 months after the date the CARES Act is enacted. Given that Congress still envisions a significant role for SAMHSA, it remains to be seen how the changes will ultimately be implemented through agency-drafted regulation.
The most significant changes are summarized in more detail below:
Eases the Ability of Part 2 Programs to Disclose Information with Patient Consent
The CARES Act amends the statutory authority for disclosures with patient consent to provide that once a patient gives prior written consent, the contents of a record “may be used or disclosed by a covered entity, business associate, or a [Part 2 program] for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.” It makes explicit that redisclosures may then be made in accordance with HIPAA, until the patient revokes the consent. That is, unlike HIPAA, patients have the right under Part 2 to prohibit or cut off disclosures for treatment, payment, and health care operations by withholding or revoking their written consent.
This represents the single most far-reaching change in the law. Part 2 has long been considered a barrier to information sharing because of the regulatory requirement that a patient’s consent must identify who can receive the information by name (as opposed to a general category or description of the recipient as is permitted under HIPAA). Even though this requirement was relaxed to some extent in 2017 for disclosures to treating providers, it remains a significant obstacle to information sharing. If the CARES Act is signed into law, Congress will have ensured through these changes that there will no longer be a requirement to identify by name the individual or entity who may receive information pursuant to a written consent.
Incorporates Select HIPAA Provisions into Part 2
The CARES Act aligns Part 2 more closely with HIPAA in several ways:
Breach Notification. It incorporates the requirements of the HIPAA Breach Notification Rule such that breaches of records of Part 2 programs are subject to the same breach notification requirements that apply to breaches of HIPAA protected health information (PHI). Part 2 does not currently contain a breach notification provision.
Civil and Criminal Penalties. It makes the statutory civil and criminal penalties that apply to violations of HIPAA applicable to violations of Part 2.
Notice of Privacy Practices. It requires Part 2 programs to provide notices of privacy practices that include, in plain language, a statement of patient’s rights and a description of each purpose for which the entity is permitted or required to use or disclose protected information. Part 2 currently requires Part 2 programs to provide a written summary of Part 2’s restrictions to patients, but does not require providing a full notice of privacy practices.
Accounting of Disclosures. It provides that all disclosures for treatment, payment, and health care operations pursuant to its enhanced disclosure authority are subject to HIPAA rules guaranteeing individuals the right to an accounting of disclosures of PHI.
Adds New Antidiscrimination Provision
The CARES Act also adds a new provision that prohibits discriminating against an individual for the following purposes on the basis of information received—whether intentionally or inadvertently—from Part 2 records:
Admission, access to, or treatment for health care;
Hiring, firing, or terms of employment, or receipt of worker’s compensation;
The sale, rental, or continued rental of housing;
Access to federal, state, or local courts;
Access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local government; and
Affording access to services provided with federal funds.