Covid-19 Relief Law Includes Major Changes to Substance Use Disorder Confidentiality Law
As part of the CARES Act signed into law on March 27, 2020, Congress included a provision directing the secretary of Health and Human Services (HHS) to modify long-standing regulatory restrictions under the federal substance use disorder confidentiality rules at 42 C.F.R. Part 2 (Part 2) to permit disclosures of substance use disorder treatment records for treatment, payment and health care operations purposes under a general consent. Congress coupled these changes with additional privacy protections, including a prohibition on using the records in legal proceedings against a patient absent the patient’s consent or a court order, and the establishment of new civil money penalties for violations of Part 2. The provision requires HHS to issue conforming amendments to Part 2 effective for disclosures of records on or after March 27, 2021.
On March 27, 2020, as part of the Coronavirus Aid, Relief and Economic Security Act (CARES Act), Congress amended the Public Health Service Act to direct HHS to modify long-standing restrictions under 42 C.F.R. Part 2 (Part 2), which govern the confidentiality of substance use disorder patient records (Part 2 Records) created by certain federally assisted substance use disorder treatment programs (Part 2 Programs). The CARES Act Part 2 modifications were taken from legislation, S.3374, introduced March 3, 2020, by US Senators Shelley Moore Capito (R-WV) and Joe Manchin (D-WV), entitled the “Protecting Jessica Grubb’s Legacy Act” (the Legacy Act). According to the Senators, “[T]he goal of the legislation is to save lives by ensuring that medical providers do not accidentally give opioids to individuals in recovery like in the case of Jessica Grubb.” The language included in the CARES Act reflects changes from an earlier version of the Legacy Act.
HHS must now issue regulations that amend Part 2 to permit Part 2 Programs and recipients of Part 2 Records to disclose Part 2 Records for treatment, payment and health care operations purposes without first having to obtain a specific written consent for each disclosure. Once adopted, the amendments will better align Part 2 with the HIPAA Privacy Rule exception for disclosures of protected health information (PHI) for treatment, payment and health care operations.
Prior to the passage of the CARES Act, the Public Health Service Act required, with only limited exceptions, that Part 2 Programs obtain a prior written consent before disclosing records related to a patient’s treatment for substance use disorder. Unlike HIPAA, which permits health care providers to use and disclose PHI for treatment, payment and health care operations without prior written consent, the Public Health Service Act previously did not include such an exception for Part 2 Records. As a result, Part 2, which implements the Public Health Service Act provision, requires Part 2 Programs to seek a written consent from the patient before disclosing Part 2 Records for treatment, payment or health care operations. The written consent must meet stringent requirements, including a requirement to list the specific name of the individual or entity authorized to receive the records and an expiration date.
Due to these consent requirements, the Part 2 Program cannot currently obtain a general consent at the beginning of care to disclose Part 2 Records to other health care providers or health plans for treatment, payment or health care operations purposes. Stakeholders have expressed concerns that in the wake of the Coronavirus (COVID-19) public health crisis, where many health care providers have moved to remote care, Part 2 Programs and other recipients of Part 2 Records would be unable to obtain the required written consents needed to coordinate patient care. Even in the absence of a global pandemic, the consent requirement can be a barrier to coordination of care among the patient’s health care providers and interfere with appropriate disclosures of Part 2 Records by health plans.
Overview of Changes to the Public Health Service Act Included in the CARES Act
Congress has modified the Public Health Service Act to permit the following uses and disclosures of Part 2 Records:
The use and disclosure of Part 2 Records for treatment, payment and health care operations pursuant to a single prior written consent from the patient, unless the patient revokes the consent in writing. Notably, however, Congress indicated in the CARES Act that for the purpose of this amendment, HHS should not interpret “health care operations” to include de-identification or the creation of limited data sets for research or public health purposes.
The use of Part 2 records to create de-identified information for disclosure to public health authorities.
Congress also modified the Public Health Service Act to include the following additional confidentiality protections for Part 2 Records:
Prohibiting the use or disclosure of Part 2 Records for civil, criminal or legislative proceedings, including entering Part 2 Records into evidence or using Part 2 Records for a warrant application, absent a court order or written consent from the patient.
Prohibiting recipients of federal funds from discriminating against patients based on Part 2 Records intentionally or inadvertently disclosed to the recipient.
Requiring Part 2 Programs that are not covered entities under HIPAA to comply with the HIPAA breach notification requirements in the event of a breach of Part 2 Records.
Making violations of the confidentiality requirements for Part 2 Records subject to the same civil money penalties that apply to violations of HIPAA.
Requiring covered entity health care providers under HIPAA and Part 2 Programs to update their notices of privacy practices to clarify that patients may specifically request restrictions on how the covered entity or Part 2 Program uses or discloses Part 2 Records, and to describe each purpose for which the covered entity or Part 2 Program may use or disclose Part 2 Records without the patient’s written authorization.
We discuss these modifications further below.
When will the CARES Act provisions become effective?
Importantly, the CARES Act requires HHS to modify Part 2 in accordance with these amendments to the Public Health Service Act by March 27, 2021, for disclosures of Part 2 Records occurring on and after that date. Until HHS (or the Substance Abuse and Mental Health Services Administration (SAMHSA), the HHS agency that administers Part 2) finalizes an amendment to Part 2, the current Part 2 policies will continue to apply. As a result, Part 2 Programs, other health care providers that receive Part 2 Records and health plans must wait for HHS to issue regulations before implementing the new general disclosure pathway.
To date, SAMHSA has issued guidance on the medical emergency exception to the Part 2 consent requirements in response to COVID-19. In this guidance, SAMHSA clarified that if a health care provider cannot obtain written consent because they are engaging with the patient through telehealth services and the provider determines that a bona fide medical emergency exists, the health care provider may disclose Part 2 Records to other medical personnel without written consent. While this guidance provides some assurance to providers that are currently using telehealth to engage with patients that they may share Part 2 Records in response to bona fide medical emergencies, SAMHSA will need to issue additional guidance or engage in rulemaking to implement the flexibilities outlined in the CARES Act.
The CARES Act also requires HHS to make modifications to HIPAA to implement the new requirements related to the HIPAA notice of privacy practices. This will presumably require the HHS Office for Civil Rights (OCR), in addition to SAMHSA, to engage in rulemaking to implement the changes mandated by Congress.
Benefits and Limitations of New Treatment, Payment and Health Care Operations Pathway
The modifications pursuant to the CARES Act could potentially make it easier for covered entities and their business associates to incorporate Part 2 Records they receive from Part 2 Programs into their general medical records. Previously, health care providers often set apart Part 2 Records from other medical records to prevent inadvertent disclosure of Part 2 Records without a written consent. Some health systems and accountable care organizations, for example, have actively excluded Part 2 Records from mechanisms they have established to exchange health information among participants in order to avoid non-compliance with Part 2.
Once SAMHSA implements the CARES Act modifications, Part 2 Programs may obtain a general consent from the patient at the beginning of treatment to allow the Part 2 Program, as well as any covered entities or business associates under HIPAA, to use or disclose the patient’s Part 2 Records for all future treatment, payment and health care operations purposes. If a Part 2 Program obtains such a general consent, Part 2 compliance will be greatly simplified for covered entities (such as coordinating health care providers and the patient’s health plan) that receive Part 2 Records from Part 2 Programs and need to re-disclose them for treatment, payment and health care operations.
The CARES Act does not fully align Part 2 with HIPAA, however. For example, covered entities and their business associates would still need to exercise caution before disclosing any records to federal, state and local government agencies, as well as law enforcement agents. While the HIPAA Privacy Rule permits covered entities to respond to subpoenas from government agencies and third parties if the subpoena meets certain conditions, Part 2 only permits holders of Part 2 Records to disclose such records pursuant to a special court order indicating that the court considered other ways of obtaining the information and determined that the public interest of obtaining the information outweighs the potential injury to the patient. HIPAA also includes additional exceptions permitting disclosure without written authorization, including disclosures to public health authorities and family members involved in the patient’s care (when the patient is not present to object).
Since the CARES Act maintains these remaining discrepancies between the HIPAA Privacy Rule and Part 2, health care providers and health plans will need to continue to maintain procedures for specially protecting the confidentiality of Part 2 Records. It may be easier, however, for health care providers and health plans to maintain different procedures for these types of uses and disclosures, because such disclosures typically require more manual effort in any event. For example, disclosures to public health authorities or law enforcement are typically one-off disclosures rather than day-to-day treatment or payment disclosures through an electronic health record or health information exchange.
To the extent, however, that a health care provider or health plan relies on automatic processes (e.g., health information exchange or the view, download and transmit capabilities of an electronic health records system) to send information for purposes outside of treatment, payment or health care operations, compliance with Part 2 may remain a challenge. Although the Office of the National Coordinator for Health Information Technology has developed certification criteria for applying metadata tags to sensitive information such as Part 2 Records, health information technology developers have not widely adopted the criteria. Additionally, if sensitive information such as Part 2 Records is unstructured, it can be difficult to identify the sensitive information and tag it appropriately with metadata. As a result, some health care providers and health plans may continue keeping Part 2 Records separate from other health information to avoid inadvertently disclosing them without consent for purposes other than treatment, payment or health care operations.
De-Identification of Part 2 Records
Currently, confidentiality protections under Part 2 only apply to “patient identifying information,” which Part 2 defines as “the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information.” Part 2 does not contain any restrictions preventing Part 2 Programs or other holders of Part 2 Records from removing identifiers so that the records no longer contain “patient identifying information.”
Congress included two provisions in the CARES Act, however, that call into question Part 2’s current policy towards de-identification. First, Congress amended the Public Health Service Act to permit the disclosure of de-identified information from Part 2 Records to public health authorities. Since SAMHSA stated in a 2019 rulemaking that disclosures of de-identified information to public health authorities are permissible, Congress was perhaps simply codifying SAMHSA’s guidance into statute.
The second provision that Congress included in the CARES Act, however, suggests that Congress intended a broader change to Part 2 that would limit the use of Part 2 Records to create de-identified information. CARES Act Section 3221(k) indicates that it is the “sense of Congress” that the definition of “health care operations” as applied to permissible uses and disclosures of Part 2 Records under the general consent pathway “shall not include” the portion of the HIPAA definition that permits covered entities to de-identify protected health information, create limited data sets or conduct fundraising activities. This sense of Congress provision suggests that in implementing the CARES Act, SAMHSA should create a new restriction preventing recipients of Part 2 Records under the general consent pathway from using the Part 2 Records to create de-identified information or limited data sets, unless the intended purpose is a permissible treatment, payment or health care operations purpose. However, it is important to note that a “sense of Congress” resolution only reflects the opinion of Congress, and is not necessarily legally binding on SAMHSA.
Congress may have included this provision due to concerns that the descriptions of an individual’s substance use disorder treatment could potentially be used to re-identify the patient even if the information is de-identified in accordance with the HIPAA de-identification standard or by removing “patient identifying information” as defined by Part 2. Alternatively, Congress may be opposed to entities leveraging de-identified Part 2 Records for research or other activities outside of the definition of “treatment” or “health care operations” without obtaining further consent from the patient.
Depending on how SAMHSA interprets and implements Congress’s directive, there is a risk that absent technology to segment or carve out Part 2 Records when de-identifying patient or plan member records, covered entities and business associates would violate Part 2 when de-identifying records. This could limit needed research on substance use disorder treatment, and cause health care providers and health plans that regularly de-identify PHI for research purposes to keep Part 2 Records separate from other patient information. Part 2 Programs, covered entities and their business associates should therefore examine their technological capabilities to determine if they can segment Part 2 Records from any de-identification processes for research or other purposes to prevent violation of Part 2.
New Breach Notification Requirements
Part 2 does not currently contain any obligation to notify affected patients or SAMHSA of any unauthorized uses or disclosures of Part 2 Records. The majority of Part 2 Programs are covered entities under HIPAA and therefore must comply with the HITECH Act’s breach notification requirements, which OCR implemented as part of the HIPAA regulations. Some Part 2 Programs are not covered entities under HIPAA, however, because they only accept out-of-pocket payments from patients and do not engage in HIPAA-standardized transactions. Despite not accepting payment from Medicare or Medicaid, these cash-pay providers nevertheless meet the definition of “federally assisted” and are therefore Part 2 Programs if they have a license to prescribe and/or dispense medication-assisted treatment to patients. Part 2 Programs that are not covered entities under HIPAA do not currently have federal breach notification requirements, but may be required under state law to notify patients in the event of a breach affecting Part 2 Records.
In the CARES Act, Congress made the breach notification provisions of the HITECH Act applicable to all Part 2 Programs, regardless of whether or not they are covered entities under HIPAA. Under the HITECH Act, covered entities must notify affected individuals and HHS of all breaches of unsecured protected health information, and must notify prominent media outlets serving a state or jurisdiction if the breach affects more than 500 residents of the state or jurisdiction. Under HIPAA, OCR is responsible for receiving notifications directed to HHS. Under the CARES Act, HHS could potentially delegate breach notification enforcement for Part 2 Programs to OCR or SAMHSA. A delegation to OCR would require it to issue regulations that expand HIPAA’s breach notification rule to include Part 2 Programs that are not covered entities. A delegation to SAMHSA would require SAMHSA to add breach notification provisions to Part 2. In either delegation scenario, Part 2 Programs that were not already subject to HIPAA’s breach notification reporting obligations will need to review their privacy and security incident response plans or draft new plans to account for the applicability of HIPAA’s breach notification requirements to Part 2 Programs.
Notice of Privacy Practices
The CARES Act requires HHS to consult with legal, clinical, privacy and civil rights experts and update the content of the HIPAA notices of privacy practices so that both covered entities and Part 2 Programs that maintain Part 2 Records provide a notice in plain language that describes their privacy practices with respect to Part 2 Records. The required notice must include at minimum a statement of the patient’s rights with respect to PHI, and a description of each purpose for which the covered entity is permitted or required to use or disclose PHI without written authorization.
It is important to note that Congress instructed HHS to update HIPAA to accomplish this rather than Part 2. Although covered entities must already provide a notice of privacy practices that includes the two elements specified in the CARES Act (patient rights and a description of permissible disclosures), it may be that Congress intends for covered entities to specifically address these elements as they relate to the covered entity’s use and disclosure of Part 2 Records. Covered entities that receive Part 2 Records may be required to indicate, for example, that they may use or disclose such records for treatment, payment or health care operations unless the patient revokes his or her general consent.
Also, as the statute discusses updating the notice of privacy practices provision in HIPAA and not Part 2, it is unclear whether Part 2 Programs that are not covered entities will need to create a new notice of privacy practices that meets HIPAA’s requirements to provide to their patients. Stakeholders will need to monitor how HHS addresses this requirement through its rulemaking to amend Part 2.
New Penalties for Violations of Part 2
The Public Health Service Act currently does not permit SAMHSA to issue civil money penalties for violations of Part 2. Instead, the US Attorney of the appropriate jurisdiction could initiate criminal charges against persons or entities that violate Part 2 and seek fines under the US Criminal Code, which limits fines for infractions to $5,000 per violation for individuals and $10,000 per violation for organizations. We are not aware of any criminal prosecution under Part 2 by a US Attorney.
Under the CARES Act, Congress gave HHS the authority to issue civil money penalties for violations of Part 2 in accordance with the civil money penalty provisions established for HIPAA violations, ranging from $100 to $50,000 per violation depending on the level of culpability. If HHS elects to use this enforcement authority similarly to how it enforces HIPAA, Part 2 Programs and recipients of Part 2 Records will face a greater risk of financial penalty from Part 2 violations. Currently, SAMHSA does not have an enforcement infrastructure like OCR to carry out enforcement of Part 2, and Congress would likely need to appropriate additional funds to SAMHSA to create such an infrastructure. HHS could potentially solve this by delegating enforcement authority to OCR, as many of the entities that would potentially be subject to Part 2 enforcement are also covered entities or business associates under HIPAA. Stakeholders will need to watch rulemaking activity by OCR and SAMHSA to see which agency will take the lead to implement this new enforcement tool. This may provide clues as to how actively HHS will issue civil monetary penalties for violations of Part 2.