Privacy of Substance Use Disorder Records and The CARES Act: Steps Toward Harmonizing Part 2 Privacy Laws with HIPAA
The recently-enacted Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) is generally known for providing relief funds and other resources to help individuals, small businesses, state and local governments, and hospitals and healthcare providers address the COVID-19 public health emergency. However, among the lesser-known of the CARES Act provisions are changes to federal law that will allow a significant harmonization of rules governing the confidentiality of substance use disorder patient records with the general federal rules governing the privacy of individually identifiable health information (i.e., the HIPAA privacy rules).
Currently, a unique set of federal regulations found at 42 C.F.R. Part 2 restrict the disclosure and use of substance use disorder patient records that are maintained in connection with any federally-assisted substance use disorder program. These “Part 2” rules are far stricter than the federal HIPAA privacy rules that apply generally to health plans and health care providers. For example, whereas the HIPAA privacy rules allow health plans and health care providers to use and disclose protected health information (“PHI”) for purposes of treatment, payment, and health care operations without a patient’s written or oral consent, the Part 2 rules do not. Another important distinction between the Part 2 rules and HIPAA is that if a patient authorizes the disclosure of PHI under HIPAA to an entity that is not regulated by HIPAA, then the PHI disclosed to that recipient falls outside the protections of HIPAA. In contrast, when a patient consents to the disclosure of their substance use disorder records under Part 2, the Part 2 rules continue to apply to the records disclosed, even when the recipient is not a regulated Part 2 SUD program.
Section 3221 of the CARES Act modifies the statute governing the confidentiality of SUD records in various and important ways. First, a Part 2 SUD program will be allowed to obtain the prior written consent of a patient to use and disclose SUD records for purposes of treatment, payment, and health care operations as permitted by the HIPAA privacy rules. An SUD program will need to obtain that patient consent only once, and the consent will apply to all future uses and disclosures of SUD records until a patient revokes the consent in writing.
The statute goes on to state that any information disclosed pursuant to such a consent may then be redisclosed in accordance with the HIPAA regulations. Although not entirely clear, this appears to mean that an entity not regulated by HIPAA that receives SUD records pursuant to a consent may redisclose the records without limitation under either HIPAA or the Part 2 rules.
The CARES Act also states explicitly that the HIPAA breach notification provisions apply to SUD records held by a Part 2 program in the same manner that those rules apply to HIPAA covered entities.
Furthermore, the CARES Act extends HIPAA’s penalty and enforcement provisions to violations of the Part 2 rules. Although the Department of Health and Human Services (“HHS”) will need to issue regulations to confirm the operation of these enforcement provisions, this appears to mean that the HHS Office for Civil Rights may take on the civil enforcement of the Part 2 rules, in addition to enforcing the HIPAA rules.
The primary reason for the historically strict privacy rules applicable to SUD records is to ensure that a patient receiving treatment for a substance use disorder in a Part 2 program is not more vulnerable because of the availability of their patient record than an individual with a substance use disorder who does not seek treatment. In an effort to maintain this public policy goal while at the same time making the Part 2 rules more consistent with the HIPAA rules, the CARES Act enacts a general antidiscrimination provision prohibiting any entity from discriminating against an individual on the basis of information in Part 2 SUD records in: (a) admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to federal, state, or local courts; or (e) access to, approval of, or maintenance of government social services and benefits.
Furthermore, other than as authorized by a court order or consented to by the patient, no SUD records or testimony relaying the information contained in such records, may be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any governmental authority against a patient.
The statute mandates that regulations to implement and enforce these CARES Act provisions be issued to facilitate their application to all uses and disclosure of SUD records occurring on or after one (1) year following the enactment of the CARES Act (which would be March 27th, 2021).
Once implemented, the CARES Act provisions will be helpful to Part 2 programs, many of which struggle with the complexity of complying with both HIPAA and the Part 2 privacy rules. But the new Part 2 law will by no means alleviate all of that complexity. For example, a Part 2 program will be required to obtain a patient’s written consent in order to use and disclose SUD records for treatment, payment, and health care operations purposes; for those Part 2 program patients that refuse to sign such a consent, the Part 2 program will likely need to segregate those SUD records in order to manage the stricter limitations on their use and disclosure. Moreover, the CARES Act does not harmonize Part 2 and HIPAA entirely; there will remain many uses and disclosures that are permitted under HIPAA but not permitted with regard to SUD records under Part 2. Ultimately the CARES Act provisions modifying the Part 2 confidentiality rules will mitigate, but not eliminate, the complexities of managing patient records regulated by two separate sets of federal privacy rules.
If you have questions about the CARES Act, HIPAA, or the Part 2 rules, please contact the author or any attorney in the Dorsey & Whitney health transactions and regulations practice group.