On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. While the focus of the CARES Act has been on direct financial aid to Americans, the Act also contains a number of material revisions to the Federal privacy provisions that govern the confidentiality of substance-use disorder (“SUD”) records.
SUD information is protected by the federal confidentiality law found at 42 U.S.C. §290dd-2, which is the statutory authority for the SUD confidentiality regulations under 42 CFR Part 2, commonly referred to as “Part 2.” The CARES Act revises certain provisions of the SUD statute to better conform with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), thereby minimizing the burden on providers of trying to comply with two somewhat conflicting regulatory schemes. Most notably, Section 3321 of the CARES Act provides that once prior written consent of the patient has been obtained, SUD records “may be used or disclosed by a covered entity, business associate, or a [Part 2] program for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.”
This eliminates the prior requirement that a SUD patient’s consent must be obtained prior to each disclosure that identifies who can receive the information by name (rather than general category of recipients as permitted under HIPAA), which has been viewed as an obstacle to information sharing, and enables providers to re-disclose the records as permissible under HIPAA.
The CARES Act also expands privacy protections for SUD patients by:
- Limiting use and disclosure of SUD information against the patient in judicial or administrative proceedings.
- Prohibiting anyone who receives SUD records from using such information to discriminate against individuals, including with regards to access to treatment for health care, hiring or firing decisions, sale, rental, or continued rental of housing and access to government services and benefits.
- Adopting several provisions from HIPAA, including the rules regarding breach notification, provision of Notice of Privacy Practices in plain language to SUD patients and granting SUD patients the right to an accounting of disclosures.
In addition, the civil and criminal penalties for violating Part 2 were increased under the CARES Act to be consistent with HIPAA. Violators now face a maximum fine of $50,000 and 1 year in prison for wrongful disclosure of SUD information with heighted penalties if false pretenses were involved or the information was used for personal gain or to cause malicious harm.
The CARES Act requires the Department of Health and Human Services (“HHS”) to revise the Part 2 regulations within 12 months to comply with the CARES Act. Finally, the CARES Act requires HHS to issue guidance regarding the sharing of patients’ PHI during the COVID-19 public health emergency within 180 days, but does not specify what this guidance must contain. As the HHS Office of Civil Rights (“OCR”) already issued a bulletin entitled “HIPAA Privacy and Coronavirus” in February of 2020, an 1135 waiver of certain HIPAA requirements for hospitals, as well as a Notice of Enforcement Discretion relaxing certain HIPAA requirements related to telehealth during this national emergency, it is unclear if the existing OCR guidance will satisfy the CARES Act requirements or if additional guidance will be forthcoming.