COVID-19: CARES Act Overhauls Federal Substance Use Disorder Privacy Law

26 March 2020 Blog
Author(s): Adam J. Hepworth Jennifer J. Hennessy
Published To: Coronavirus Resource Center:Back to Business Health Care Law Today

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) enacted into law on March 27, 2020 makes fundamental changes to the federal law, 42 U.S.C. § 290dd-2, implemented at 42 C.F.R. Part 2 that governs the confidentiality of substance-use disorder records (Part 2).  Most critically, the CARES Act dramatically eases the ability of health care providers to share protected substance-use disorder information with patient consent, going far beyond both the finalized 2017 revisions to the Part 2 rules and the proposed 2019 changes.  It also makes several important changes to align certain Part 2 requirements with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). 

The federal substance-use disorder privacy law has typically been associated more closely with its implementing regulations than the underlying statute because of how much critical detail was left to the discretion of the Substance Abuse and Mental Health Services Administration (SAMHSA).  While the changes in the CARES Act override some of the regulatory decisions SAMHSA has made in the past, the law also directs the Secretary of the Department of Health and Human Services to implement its provisions in regulations that would be effective 12 months after the date the CARES Act is enacted.  Given that Congress still envisions a significant role for SAMHSA, it remains to be seen how the changes will ultimately be implemented through agency-drafted regulation.

The most significant changes are summarized in more detail below:

Eases the Ability of Part 2 Programs to Disclose Information with Patient Consent

The CARES Act amends the statutory authority for disclosures with patient consent to provide that once a patient gives prior written consent, the contents of a record “may be used or disclosed by a covered entity, business associate, or a [Part 2 program] for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.”  It makes explicit that redisclosures may then be made in accordance with HIPAA, until the patient revokes the consent.  That is, unlike HIPAA, patients have the right under Part 2 to prohibit or cut off disclosures for treatment, payment, and health care operations by withholding or revoking their written consent.

This represents the single most far-reaching change in the law.  Part 2 has long been considered a barrier to information sharing because of the regulatory requirement that a patient’s consent  must identify who can receive the information by name (as opposed to a general category or description of the recipient as is permitted under HIPAA).  Even though this requirement was relaxed to some extent in 2017 for disclosures to treating providers, it remains a significant obstacle to information sharing. Congress has ensured through these changes that there will no longer be a requirement to identify by name the individual or entity who may receive information pursuant to a written consent.

Incorporates Select HIPAA Provisions into Part 2

The CARES Act aligns Part 2 more closely with HIPAA in several ways:

  • Breach Notification.  It incorporates the requirements of the HIPAA Breach Notification Rule such that breaches of records of Part 2 programs are subject to the same breach notification requirements that apply to breaches of HIPAA protected health information (PHI). Part 2 does not currently contain a breach notification provision. 
  • Civil and Criminal Penalties.  It makes the statutory civil and criminal penalties that apply to violations of HIPAA applicable to violations of Part 2.
  • Notice of Privacy Practices.  It requires Part 2 programs to provide notices of privacy practices that include, in plain language, a statement of patient’s rights and a description of each purpose for which the entity is permitted or required to use or disclose protected information. Part 2 currently requires Part 2 programs to provide a written summary of Part 2’s restrictions to patients, but does not require providing a full notice of privacy practices.
  • Accounting of Disclosures.  It provides that all disclosures for treatment, payment, and health care operations pursuant to its enhanced disclosure authority are subject to HIPAA rules guaranteeing individuals the right to an accounting of disclosures of PHI.

Adds New Antidiscrimination Provision

The CARES Act also adds a new provision that prohibits discriminating against an individual for the following purposes on the basis of information received—whether intentionally or inadvertently—from Part 2 records: 

  • Admission, access to, or treatment for health care;
  • Hiring, firing, or terms of employment, or receipt of worker’s compensation;
  • The sale, rental, or continued rental of housing;
  • Access to federal, state, or local courts; 
  • Access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local government; and
  • Affording access to services provided with federal funds.

Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries.  Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time.  To receive this content directly in your inbox, click here and submit the form. 

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services