Recently, the President signed the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) into law. Among many changes is a significant modification to the federal confidentiality protections currently afforded substance use disorder (“SUD”) records pursuant to the Public Health Services Act at 42 U.S.C. 290dd-2 (“PHS Act”). Most notable, the amendments to the PHS Act permit SUD records to be shared for treatment, payment and health care operations purposes in accordance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) on an on-going basis after the program has received initial consent from the patient, which consent may be revoked at any time.
However, it is yet to be seen how the Substance Abuse and Mental Health Services Administration (“SAMHSA”) will incorporate such changes into its regulations contained at 42 C.F.R. Part 2, which are intended to implement and enforce the SUD provisions of the PHS Act against SUD treatment programs (“Part 2 programs”). Unlike other provisions of the CARES Act, these amendments to the PHS Act will not take effect until the Secretary of Health and Human Services consults with other federal agencies (including SAMHSA) to implement and enforce the amendments. These amendments will apply to uses and disclosures of SUD records that occur “on or after” March 27, 2021, which is twelve months from the date of enactment of the CARES Act.
The CARES Act Modifications
Treatment, Payment and Health Care Operations Uses and Disclosures Permitted After Initial Patient Consent in Accordance with HIPAA
The CARES Act modifies the provisions of the PHS Act related to permitted disclosure of SUD records pursuant to patient consent by adding language providing that:
- Once prior written consent of the patient has been obtained, SUD records may be used or disclosed by a HIPAA covered entity, business associate or a Part 2 program for purposes of treatment, payment and health care operations as permitted by the HIPAA regulations, which previously was not a permissible basis to share SUD records;
- Information disclosed for treatment, payment and health care operations purposes may then be redisclosed in accordance with the HIPAA regulations, instead of the standard Part 2 prohibition on redisclosure;
- Disclosures of SUD records for treatment, payment and health care operations purposes remain subject to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act provisions regarding accountings of disclosures from electronic health records, meaning, Part 2 programs that elect to obtain this consent and share SUD records for these purposes must provide such accounting of disclosures, even if otherwise not required to comply with HITECH;
- The HITECH Act provisions related to required restrictions on disclosures to health plans for payment or health care operations when the patient paid out-of-pocket in full continue to apply. Patients are free to request, and programs are permitted to agree to, other restrictions on use or disclosure for treatment, payment and health care operations purposes.
Terms used, such as covered entity, business associate, treatment, payment and health care operations, have the same definitions as provided by HIPAA.
Importantly, the CARES Act clarifies that it is permissible to obtain the patient’s prior written consent once for all future uses or disclosures for treatment, payment and health care operations, but that the patient has the right to revoke such consent in writing. However, HIPAA covered entities continue to be permitted to obtain patient consents for specific uses or disclosures for treatment, payment or health care operations purposes in accordance with HIPAA.
Disclosure of De-Identified Information Permitted to Public Health Authorities Without Patient Consent
The CARES Act adds language expressly permitting the disclosure of de-identified SUD record information to public health authorities so long as de-identification conforms to HIPAA standards.
Use of SUD Records in Criminal, Civil or Administrative Contexts Prohibited Without Court Order or Patient Consent
The CARES Act expands the current language regarding the limited use of SUD records in criminal proceedings to prohibit the use or disclosure of SUD records, or testimony relaying the information contained therein, in any civil, criminal, administrative or legislative proceedings conducted by any federal, state or local authority, against a patient, absent an appropriate court order or the patient’s written consent. This includes:
- Such information not being entered into evidence in any criminal prosecution or civil action;
- Such information not forming part of the record for decision or otherwise being taken into account in any proceeding before a government agency;
- Such information not being used for law enforcement purposes or conducting any law enforcement investigation; and
- Such information not being used in any application for a warrant.
Penalties Aligned with HIPAA Violations
The CARES Act also modifies the penalties applicable to violations of the SUD record confidentiality provisions. While violations were previously subject to the criminal penalty provisions under Title 18 of the U.S. Code, the CARES Act modifies the law such that violations are now subject to the penalty provisions set forth in sections 1176 and 1177 of the Social Security Act. This means that violations of the SUD record confidentiality provisions will now be subject to the same penalty structure as applies to violations of HIPAA, including the tiered approach based on culpability.
Provisions Added to Protect Patients from Discrimination Based on SUD Diagnosis or Treatment
The CARES Act adds a new section to the law prohibiting any entity from discriminating against an individual on the basis of information received pursuant to an inadvertent or intentional disclosure of SUD records, or information contained in such records, with respect to:
- Admission, access to or treatment for health care;
- Hiring, firing or terms of employment, or receipt of worker’s compensation;
- The sale, rental or continued rental of housing;
- Access to federal, state or local courts;
- Access to, approval of or maintenance of social services and benefits provided or funded by federal, state or local governments; or
- With respect to recipients of federal funds, affording access to the services provided with such funds.
HIPAA Breach Notification Rule Applies to SUD Records
The CARES Act requires that any breach of unsecured SUD record information be reported in accordance with HIPAA’s requirements, whether or not a Part 2 program is otherwise subject to HIPAA. This would include notification by qualified service organizations to Part 2 programs and notification by Part 2 programs to individuals, the media and the government, unless subject to a law enforcement delay.
Modifications to Part 2 and HIPAA Notice of Privacy Practices Regulations
The CARES Acts directs that the provisions of HIPAA regarding issuance of a notice of privacy practices be updated to assist Part 2 programs in notifying patients of their rights and the entity’s privacy practices with respect to SUD records.
Sense of Congress with Respect to State-Based Prescription Drug Monitoring Programs
The CARES Act also discusses Congress’s sense with respect to Part 2 programs and state-based prescription drug monitoring programs. Congress’s sense is that any person treating a patient through a Part 2 Program is encouraged to access the applicable state-based prescription drug monitoring program when clinically appropriate.
However, Part 2 programs are limited in their ability to upload data into such repositories. Additionally, patients have the right to request a restriction on the use or disclosure of SUD records for treatment, payment or health care operations purposes and covered entities should make every reasonable effort to the extent feasible to comply with a patient’s request for such a restriction. Therefore, data in such state-based prescription drug monitoring databases may not always be accurate or complete. Obviously, prescription drug monitoring programs are better able to compare to their purpose when data is complete and accurate. Therefore, Congressional sense is that Part 2 Programs should receive positive incentives for discussing with their patients the benefits (including those related to health and safety) of consenting to share such records with prescription drug monitoring programs. It is possible there may be future guidance regarding Part 2 programs and prescription drug monitoring programs to further address these concerns.
Because additional regulations enacting these amendments are forthcoming by March 27, 2021, the impact of these amendments at this point in time is not fully known. However, the impact will differ as between Part 2 programs subject to HIPAA and those that are not currently subject to HIPAA. While awaiting regulations, Part 2 programs should evaluate their current policies and procedures and assess their current status.
For Part 2 Programs Already Subject to HIPAA
Because many of the CARES Act amendments do not deviate significantly from existing Part 2 and HIPAA requirements, the practical impact on many Part 2 programs that are also HIPAA covered entities will be somewhat limited in nature. The major impacts of the CARES Act are as follows:
- Part 2 programs will now be able to use and disclose Part 2 records for treatment, payment and health care operations in accordance with HIPAA as long as they have received the patient’s initial written consent, which only needs to be obtained once, but may be revoked by the patient at any time.
- The current standards for written consent contained in Part 2 would appear to need to be relaxed to permit a one-time, ongoing consent for such purposes.
- Once disclosed for such purposes, the information no longer appears to be subject to the more stringent Part 2 requirements and would rather only be subject to HIPAA’s requirements, but this is not entirely clear.
- Breach Notification will be required for the impermissible disclosure of unsecured SUD records. This will not be a new obligation for covered entities whose SUD records were already protected health information subject to HIPAA.
- Review and confirm that the Notice of Privacy Practices specifically address SUD records. Modify the Notice of Privacy Practices if this is not already addressed.
- Additional guidance from SAMHSA is forthcoming and will hopefully address outstanding questions, such as what that written consent must look like and contain, and whether disclosures for such purposes continue to be subject to Part 2 or only the requirements of HIPAA.
- The penalties for a violation of the Part 2 requirements will now be the same as what a covered entity faces for a HIPAA violation.
Part 2 Programs Not Currently Subject to HIPAA
In addition to the considerations above, Part 2 programs that are not presently HIPAA covered entities will be impacted more significantly due to the CARES Act provisions that extend requirements of HIPAA and the HITECH Act to all Part 2 programs, apparently regardless of their covered entity status.
- Breach notification will now be required for the impermissible disclosure of unsecured SUD records;
- Issuance of notice of privacy practices; and
- Compliance with patient-requested restrictions and accountings of disclosures.
While the Part 2 regulations currently address some of these concepts generally, and state law may already require similar actions by Part 2 programs, HIPAA requirements may be more robust. Therefore, non-covered entity Part 2 programs should begin reviewing current policies and procedures to ensure that they are able to comply with HIPAA’s requirements with respect to these obligations, in addition to those set forth in Part 2 and any applicable state law, when the changes become effective.
All entities need to be aware of the prohibition on discrimination with respect to individuals based on their status as an SUD patient, and take action to ensure compliance.
If you have any questions or would like additional information about this topic, please contact:
- Mark Swearingen at (317) 977-1458 or firstname.lastname@example.org;
- Charise Frazier at (317) 977-1406 or email@example.com;
- Stephane Fabus at (414) 721-0904 or firstname.lastname@example.org;
- Patricia Connelly at (317) 429-3654 or email@example.com; or
- Your regular Hall Render attorney.
For more information on Hall Render’s HIPAA, Privacy & Security services, click here.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.