CARES Act: Dramatic Changes Made to Substance Use Disorder Confidentiality Protections
March 30, 2020
By: Neil C. Brown
On March 27, President Trump signed H.R. 748, the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. Much attention has been given to the economic relief features of the CARES Act. However, Section 3221 of the CARES Act has also made sweeping and dramatic changes to requirements pertaining to the confidentiality of substance use disorder (“SUD”) data. The COVID-19 pandemic has obviously served as a catalyst to change these SUD confidentiality laws. Yet, unlike some other governmental action brought about by the COVID-19 pandemic, these changes are permanent, and are not limited to the time that the pandemic is in effect.
For applicable SUD treatment providers, SUD data has long been afforded stringent protection against disclosure by federal law, pursuant to 42 U.S.C. § 290dd-2 et seq. and its implementing regulations (commonly known as “Part 2”). Some SUD providers have voiced their concerns that these stringent protections were unnecessarily complex and burdensome, and that SUD records were already adequately protected by the Health Information Portability and Accountability Act (“HIPAA”). Yet others maintained that - since SUD information is especially sensitive to patients - additional protections were necessary to ensure the privacy of those seeking SUD treatment.
In the CARES Act, Congress has balanced these competing policy considerations in the amendments to the Part 2 requirements. As detailed below, Congress has partially aligned it with HIPAA, while also adding new provisions designed to protect SUD data against disclosure.
- Partial Alignment with HIPAA
Perhaps one of the most significant changes made by the CARES Act is to allow for the disclosure of SUD information for treatment, payment, or health care operations purposes upon receiving written patient consent.1 The disclosure of health information for these three (3) purposes (commonly known as the “TPO” exceptions) is a familiar concept to many providers who are subject to HIPAA, and allow for the disclosure of HIPAA-protected health information in many routine operational situations. The CARES Act further provides that, once SUD data is disclosed for a TPO reason, such data can then be redisclosed as permitted by HIPAA.2 The CARES Act adopts another HIPAA concept by giving patients the right to request a restriction on the use or disclosure of SUD data for TPO purposes, and further requires entities to “make every reasonable effort to the extent feasible to comply with a patient’s request” to restrict such disclosure.3
However, there are some critical differences between what is permissible under the new CARES Act and the HIPAA TPO exceptions. Unlike the HIPAA TPO exceptions, providers will be required to obtain written patient consent before disclosing SUD for any TPO purpose.4 Additionally, even if written consent for TPO is obtained, providers cannot utilize SUD data to create de-identified health information, to create a limited data set, or to conduct fundraising for the provider as part of its “health care operations.”5
The CARES Act also allows for the disclosure of SUD data to certain public health authorities, so long as such disclosures are consistent with HIPAA.6 Finally, the CARES Act requires SUD entities to follow HIPAA-required breach notification procedures when SUD data is breached.7
- Additional Protections of the New Part 2 Law:
The new CARES Act creates additional protections to SUD data that are not similarly afforded by HIPAA. Perhaps the most important of these protections is the new “anti-discrimination” provision.8 This provision prohibits using SUD data (even when such data was disclosed inadvertently) to discriminate against individuals, including but not limited to the contexts of, health care provision, employment, and the sale/rental of housing.9 This prohibition applies even more broadly to any instance of “discrimination” for recipients of federal funds.10 The CARES Act also provides in detail that SUD data cannot be used in various civil, criminal, administrative, or legislative proceedings without a court order or patient consent.11
The legislation calls upon the United States Department of Health and Human Services to revise and issue additional regulations, which will become effective one year from the CARES Act’s date of enactment.12 Providers must stay keenly aware of further changes and requirements, and should eventually consider revising their policies and procedures to be consistent with the dramatic changes made by the CARES Act.
1 Coronavirus Aid, Relief, and Economic Security Act, H.R. 748, 116th Congress § 3221(b) (2020).
3 Id. at §3221(k)(2)-(3).
4 Id. at §3221(b).
5 Id. at §3221(k)(4).
6 Id. at §3221(e).
7 Id. at §3221(h).
8 Id. at §3221(g).
11 Id. at §3221(e).
12 Id. at §3221(i)(1).