The Federal Privacy Law for Substance Use Disorder Records (Part 2) Amended to More Closely Align with HIPAA as Part of the CARES Act

5 min

On March 27, 2020, Congress passed the third stimulus package in response to the COVID-19 pandemic, titled the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The stimulus package includes a small, seemingly unrelated provision that amends the federal law governing the confidentiality and disclosure of records for patients with substance use disorders who are being, or have been, treated by a program conducted, regulated, or directly or indirectly assisted by the federal government. This federal law is known commonly as "Part 2" because its implementing regulations are found under 42 C.F.R. Part 2.

In contrast to the Health Insurance Portability and Accountability Act (HIPAA), which more generally governs the use and disclosure of individually identifiable health information maintained by health plans (including health insurance companies), most healthcare providers, and their service providers, Part 2 is based upon a detailed statutory framework under 42 U.S.C. § 290dd-2. With the opioid epidemic as a backdrop, there has been a push to more closely align Part 2 with HIPAA to ensure that substance use disorder records can be more freely shared outside the Part 2 program with community providers to promote proper treatment and holistic care. A statutory amendment, however, was needed because of Part 2's statutory nature, and Section 3221 of the CARES Act does that and more.

While some may want these amendments to Part 2 to be immediately effective, Part 2 programs have until March 2021 to update their policies, procedures, and operations to comply. Moreover, the Secretary of HHS will be issuing revised Part 2 regulations to conform with these changes and provide more detail and clarification.

The more significant changes to Part 2 include the following:

  • Part 2 programs can more easily disclose substance use disorder records for treatment, payment, and healthcare operations with patient consent. Before passage of the CARES Act, Part 2 required that a patient provide a detailed written consent for each disclosure of his or her treatment records by the Part 2 program. Such consents were required to identify the name or entity authorized to receive the patient's information and the purpose of each disclosure of patient information, which posed a significant impediment to the ability of a Part 2 program to disclose information to other healthcare providers, third-party payors, and others involved in the patient's care and the Part 2 program's operations. The CARES Act now provides that a Covered Entity, Business Associate, or Part 2 program may disclose patient information for purposes of treatment, payment, and healthcare operations as permitted by the HIPAA regulations once the patient has provided one initial written consent. Unlike under HIPAA, however, the patient has the right to withhold or revoke consent for such disclosures.

    The CARES Act further provides that the entity that receives the patient's information can then re-disclose that information in compliance with HIPAA until the patient revokes his or her consent, which significantly loosens the prior Part 2 requirement that each recipient of Part 2 information obtain the patient's consent for any subsequent re-disclosure of the patient's information. So, with the CARES Act amendment, patients need only provide their written consent once for all future disclosures of their information for treatment, payment, and healthcare operations. There is, however, one logistical detail: all disclosures of Part 2 information for treatment, payment, and healthcare operations must be recorded in the disclosing entity's accounting of disclosures log, which the patient has the right to review.

    Importantly, while Congress has relaxed the use and disclosure of substance use disorder records for treatment, payment, and healthcare operations, it has recognized the importance of strengthening certain protections for patients with substance use disorders so as not to discourage them from seeking treatment. Further details regarding these new protections are summarized below.
  • Part 2 programs are required to provide notices of privacy practices and comply with HIPAA breach notification requirements. Part 2 programs must now provide easily understandable notices of privacy practices that include a statement of patients' rights and a description of each purpose for which the program is permitted or required to use or disclose patient information. Part 2 programs must also comply with the HIPAA Breach Notification Rule, even if the program is not a Covered Entity subject to HIPAA.
  • Discrimination against an individual based on Part 2 records is not permitted. The CARES Act adds a new antidiscrimination provision to prohibit any entity that receives Part 2 records from discriminating against an individual regarding admission, access to, or treatment for healthcare; hiring, firing, or terms of employment, or receipt of workers' compensation; the sale, rental, or continued rental of housing; access to federal, state, or local courts; access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local government; and affording access to services provided with federal funds.
  • Disclosure of Part 2 information is prohibited in civil, administrative, and legislative proceedings in addition to criminal proceedings. Unless authorized by a court order or patient consent, Part 2 records may not be "disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority, against a patient" as evidence in any criminal prosecution or civil action, for law enforcement purposes or investigation, and in any application for a warrant.
  • De-identified health information may be disclosed to public health authorities. Provided the HIPAA requirements for de-identification are met, a Part 2 program may disclose de-identified health information, including de-identified substance use disorder information, to public health authorities.
  • Penalties for violation of Part 2 will now be enforced by the U.S. Department of Health and Human Services (HHS). While violations were previously enforced under the federal criminal code, the CARES Act provides that HHS has the authority to enforce violations of Part 2, using the same civil and criminal penalties that apply to violations of HIPAA.

If you have any questions regarding this client alert, or if you would like assistance determining what these changes mean for your Part 2 program, please contact a member of Venable's Healthcare Practice Group.