CARES Act Changes to Federal Substance Use Privacy Law

April 9, 2020
A summary of the changes to Part 2 under the CARES Act

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief and Economic Security Act (the CARES Act) into law.

Section 3221 of the CARES Act ratified fundamental changes to the Public Health Service Act, codified at 42 U.S.C. § 290dd-2 and associated regulations, which govern the confidentiality requirements of substance use disorder records, commonly known as 42 C.F.R. Part 2, or simply, “Part 2.” Substance use disorder (SUD) records are defined broadly as “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.” The changes are significant and align with the increasing movement to align the Part 2 rules with the Health Insurance Portability and Accountability Act (HIPAA). The CARES Act requires the Department of Health and Human Services (HHS) to revise the Part 2 regulations within 12 months to comply with the CARES Act.

Below is a summary of the changes to Part 2 under the CARES Act:

  • Disclosure for Treatment. Part 2 currently requires that the content of any SUD record to be kept confidential, unless the individual authorized the disclosure. Instances where the records may be disclosed without authorization are extremely limited and only apply when necessary for a bona fide medical emergency or when required by court order after showing good cause. Section 3221 changes this to allow SUD records to be “used or disclosed by a covered entity, business associate, or a [Part 2] program … for purposes of treatment, payment, and health care operations as permitted by [HIPAA]” after the provider receives a broad consent (e.g. as discussed in the NPP below).
  • Accounting of Disclosure. Because the changes provide that all disclosures for treatment, payment, and health care operations of SUD records are subject to the HIPAA rules, individuals have the right to an accounting of disclosures of such records as they would under HIPAA.
  •  Breach Notification. Section 3221 carries over the breach notification requirements that apply to Covered Entities under HIPAA to also apply to Part 2 programs. From a practical perspective, this would only affect those providers who were not also Covered Entities under HIPAA.
  • Notice of Privacy Practices (NPP). Section 3221 requires the Secretary of Health and Human Services to update 45 C.F.R. § 164.520 (NPP requirements for Covered Entities) to require Part 2 programs to provide NPPs to patients.
  • De-Identified Information. Section 3221 allows the disclosure of de-identified SUD records to a public authority, so long as the de-identification complies with the HIPAA regulations at 45 CFR § 164.514(b).
  • The civil and criminal penalties for violating Part 2 were changed to be consistent with HIPAA, which means an increase in the penalties currently mandated by Part 2. Violators now face a maximum fine of $50,000 and one year in prison for wrongful disclosure of SUD information with heighted penalties if false pretenses were involved or the information was used for personal gain or to cause malicious harm.
  • Antidiscrimination. The CARES Act also added anti-discrimination provisions to 42 U.S.C. § 290dd-2. Regardless of whether the SUD record disclosure is intentional or inadvertent, no entity may discriminate against the individual as the result of such disclosure for (i) access to healthcare, (ii) employment (i.e. hiring, firing or workman’s compensation), (iii) housing, (iv) access to courts, or (v) social services provided by the federal, state, or local government. Further, if an entity receives federal funding to perform an activity, they may not discriminate against the individual “in affording access to the services provided with such funds.”

Wakaba Tessier is a partner and Erica Ash is an associate with Husch Blackwell LLP focusing on healthcare law and regulations

Sponsored Recommendations

Care Access Made Easy: A Guide to Digital Self Service

Embracing digital transformation in healthcare is crucial, and there is no one-size-fits-all strategy. Consider adopting a crawl, walk, run approach to digital projects, enabling...

Powering a Digital Front Door with a Comprehensive Provider Directory

Learn how Geisinger improved provider data accuracy, SEO, and patient acquisition with a comprehensive provider directory.

Data-driven, physician-focused approach to CDI improvement

Organizational profile Sisters of Charity of Leavenworth (SCL) Health* has been providing care since it originated in the 1600s in France as the Daughters of Charity. These religious...

Luminis Health improved quality and financial outcomes with advanced CDI technology and consulting from 3M

In the beginning, there were challengesBefore partnering with 3M Health Information Systems (HIS), Luminis Health’s clinical documentation integrity (CDI) program faced ...