Last week, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act, or CARES Act (H.R. 748). The bill is one of the largest stimulus packages in U.S. history and contains measures designed to promote mental health care, including $425 million in funding for the Substance Abuse and Mental Health Services Administration (SAMHSA) programs designed to prevent, prepare for, and respond to COVID-19, as well as long-awaited alignment of many of 42 CFR Part 2 provisions with HIPAA.
Under current regulations, Part 2 generally requires a federally-assisted substance use disorder program (a “Part 2 Program”) to obtain a patient’s consent before disclosing his or her identifying information outside of the program, including before disclosing to other health care providers. Given the inability to share information between health care providers under most circumstances, many providers have pushed for changes to align Part 2 with HIPAA, even while substance use disorder advocates raised concerns due to privacy protections. Section 3221 of the CARES Act, which amends Part 2’s underlying statute, strikes a balance—the amendments allow for disclosures for treatment, payment, and healthcare operations as permitted by HIPAA regulations, but require an initial consent from the patient that can be revoked.
Section 3221 also directs the Secretary of Health and Human Services (HHS) to issue revised regulations to implement and enforce the amendments, as well as to revise the HIPAA regulations regarding notice of privacy practices to encompass Part 2 Programs. Notably, the amendments to Part 2 from Section 3221 will not take effect until at least March 2021.
Summarized below are the key ways in which the CARES Act aligns Part 2 more closely with HIPAA:
Uses or Disclosures for Treatment, Payment, and Healthcare Operations. The most onerous provision of Part 2 was its broad prohibition on uses or disclosures, without patient consent, of substance use disorder records outside of a Part 2 Program. Part 2 providers could not even share such patient information for treatment purposes outside of a Part 2 Program, without patient consent. In addition, there were requirements for patient consent that were viewed as overly burdensome, including a requirement in some instances to identify a specific recipient by name.
Section 3221 now partially aligns Part 2 with HIPAA by allowing covered entities, business associates, or Part 2 Programs to use or disclose Part 2 records for purposes of treatment, payment, and health care operations as permitted by HIPAA regulations, once prior written consent of the patient is obtained. Such consent need only be given once for all future uses or disclosures for these purposes. Part 2 Programs are permitted to withhold or revoke their initial consent, as well as to request restrictions on disclosure of protected health information under certain circumstances.
Section 3221 did not provide specifics on what is required to obtain the initial patient consent—Part 2 Programs will need to wait to see how SAMHSA defines consent, and what, if any, specific consent requirements are included, in future regulations.
Redisclosures. In addition to aligning Part 2 with HIPAA’s permissive disclosures for treatment, payment, and healthcare operations, Section 3221 also permits redisclosure of Part 2 records in accordance with HIPAA regulations. (Note also that state law may still prohibit redisclosure. For example, California law prohibits further disclosure of medical information, except in accordance with a new authorization that meets Civil Code, section 56.11, or as specifically required or permitted by law.)
Uses or Disclosures Without Patient Consent. Under the CARES Act, Part 2 Programs will be able to disclose information without patient consent to a public health authority, so long as such disclosure is consistent with the HIPAA standards for creating de-identified information.
In addition, Section 3221 clarified Part 2’s prohibition on the use or disclosure of Part 2 records, as well as testimony relaying the information contained therein, without authorization by a court order or by the consent of the patient, against a patient, including, specifically, that:
- Such record or testimony shall not be entered into evidence in any criminal prosecution or civil action before a Federal or State court.
- Such record or testimony shall not form part of the record for decision or otherwise be considered in any proceeding before a Federal, State, or local agency.
- Such record or testimony shall not be used by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation.
- Such record or testimony shall not be used in any application for a warrant.
Notice of Privacy Practices. Existing regulations require Part 2 Programs to provide patients with a written summary of Part 2’s restrictions. Under Section 3221, Part 2 Programs will also be required to provide patients with notices of privacy practices that state in plain language a patient’s rights and a description of each purpose for which the program must or may use or disclose a patient’s substance use disorder records.
Breach Reporting Requirement. Section 3221 draws in the HIPAA breach reporting requirements for all Part 2 Programs now, including those programs that may not be “covered entities.” Part 2 does not currently contain its own breach notification provision, but in general, information protected by Part 2 is already subject to HIPAA’s breach reporting requirements.
Penalties. Part 2 always contained a provision addressing penalties; however, Section 3221 adds clarity around the potential penalties, as well as the potential for criminal penalties. Under the amended language, Part 2 Programs are now subject to the same penalties as covered entities under HIPAA – civil monetary penalties, and potentially criminal penalties for wrongful disclosures.
Anti-Discrimination Provisions. To bolster existing patient protections, Section 3221 includes provisions designed to prevent discrimination on the basis of information received—whether intentionally or inadvertently—from Part 2 records in relation to: access to health care treatment; employment or worker’s compensation; housing; access to courts; and access to government-provided social services and benefits.
As noted above, these changes will not go into effect for 12 months. In addition, the regulations ultimately promulgated by SAMHSA will likely flesh out additional requirements, for example, what is required for the initial patient consent. In the meantime, Part 2 Programs and providers should continue to follow current Part 2 regulations and monitor for additional guidance leading up to the eventual effective date. Notably, SAMHSA recently issued guidance regarding the use of telehealth in the substance use disorder treatment space, and clarification regarding the current medical emergency exception to the general prohibition on use or disclosure of substance use disorder records.
For further information, please contact Alicia Macklin in Los Angeles, Andrea Frey, Steve Phillips or Paul Smith in San Francisco, Amy Joseph in Boston, or your regular Hooper, Lundy & Bookman contact.
 HLB’s summary of the key provisions of the CARES Act can be found at: http://www.health-law.com/newsroom-advisories-250.html.
 Section 543 of the Public Health Service Act established the rules for the confidentiality and privacy of substance use disorder records receiving services at certain facilities. The implementing regulations governing the confidentiality of health information in federally-assisted substance use disorder (SUD) programs are found in 42 CFR Part 2 and known as “Part 2.”
 Section 3221 draws in HIPAA defined terms, including breach, business associate, covered entity, health care operations, payment, public health authority, treatment, and unsecured protected health information.