Skip to content

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted March 27, 2020, rewrote significant portions of 42 U.S.C. § 290dd-2, the federal statute governing the confidentiality of substance use disorder (SUD) records that is more commonly known by its implementing regulations at 42 C.F.R. Part 2 (Part 2). Among other changes, the CARES Act revises the permissible uses and disclosures of SUD records to more closely align with the HIPAA Privacy Rule, 45 C.F.R. § 164.500, et seq., when a Part 2 program obtains the patient’s prior written consent.

Historically, Part 2 programs have been restricted in their ability to share SUD records by the Part 2 regulations, which require written patient consent for each disclosure of SUD records and prohibit re-disclosure of such SUD records except in limited circumstances. The CARES Act directs the Secretary of the U.S. Department of Health and Human Services (HHS), in consultation with appropriate federal agencies (which may include the Substance Abuse and Mental Health Services Administration (SAMHSA)) to revise the Part 2 regulations as necessary to implement and enforce the statutory revisions contained in the CARES Act effective March 27, 2021. The forthcoming revisions to the Part 2 regulations may be substantial given these CARES Act changes to the federal statute.

Another significant change to the federal SUD confidentiality statute addresses the ability of health care providers to use SUD records for treatment, payment, and health care operations purposes (except for certain provider fundraising activities) in a manner more consistent with the allowances provided for protected health information under HIPAA. Specifically, the CARES Act authorizes a Covered Entity or Business Associate (as those terms are defined in the HIPAA Privacy Rule) or Part 2 Program (as defined by the Part 2 regulations) to use, disclose, or re-disclose SUD records with the patient’s written consent for treatment, payment, and health care operations as permitted by the HIPAA regulations, 45 C.F.R. Parts 160, 162, and 164, and Sections 13405(a) and (c) of the Health Information Technology and Clinical Health Act (42 U.S.C. § 17935(c)) (HITECH Act). Under the revised statute, a patient can provide written consent once that will then authorize all such future uses or disclosures for purposes of treatment, payment, and health care operations until such time as the patient revokes such consent in writing.

Additionally, the CARES Act incorporates the following privacy protections for SUD records:

  • Except as otherwise authorized by court order or by written patient consent, SUD records or testimony relaying information from the SUD records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority.
  • Penalties applicable to HIPAA violations (42 U.S.C. §§ 1320d-5 and 6) shall apply to a violation of 42 U.S.C. § 290dd-2.
  • The breach notification provisions of Section 13402 of the HITECH Act shall apply to SUD records.
  • By March 27, 2021, HHS will update the HIPAA Privacy Rule to require that Part 2 programs provide notice of privacy practices, written in plain language, describing the patient’s rights with respect to the Part 2 records and how the patient may exercise those rights, and describing each purpose for which the Part 2 program is permitted or required to use or disclose the SUD records without the patient’s written authorization.
  • Part 2 providers can disclose information, regardless of whether the patient gives written consent, to a public health authority (as defined by HIPAA), if the content is de-identified in accordance with the HIPAA de-identification standards set forth at 45 C.F.R. § 164.514(b).
  • Patients shall have the right to request a restriction on the use or disclosure of SUD records for treatment, payment, or health care operations.
  • Patients shall have the right to request an accounting of disclosures of SUD records consistent with the HITECH Act and HIPAA.
  • Entities shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records in: (a) admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to federal, state, or local courts; or (e) access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local governments.
  • Recipients of federal funds shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records, when offering access to services provided with such funds.

The CARES Act provides that the above-summarized amendments to the federal SUD statute will apply to uses and disclosures of information on or after March 27, 2021. While these changes implement long-awaited alignment efforts to enable data sharing across providers in a manner consistent with the allowances permitted under HIPAA, the real impact of these changes will come from the forthcoming implementing agency regulations from, which are also due to be issued by March 27, 2021.

For more information and updates on the developing situation, visit GT’s Health Emergency Preparedness Task Force: Coronavirus Disease 2019.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Julie A. Sullivan Julie A. Sullivan

Julie A. Sullivan is a health care regulatory and compliance attorney concentrating her practice on state and federal health care fraud, waste and abuse guidance, reimbursement matters, as well as health privacy and security law. She represents health care providers and suppliers in…

Julie A. Sullivan is a health care regulatory and compliance attorney concentrating her practice on state and federal health care fraud, waste and abuse guidance, reimbursement matters, as well as health privacy and security law. She represents health care providers and suppliers in complex regulatory and transactional matters, and routinely advises on issues such as corporate practice of medicine, fee splitting, licensure and certification issues including Medicare revocation, payment suspension and exclusion matters, and Medicare and Medicaid reimbursement disputes. Julie also structures mergers and acquisitions and value-based arrangements in the health care space to comply with the vast legal and regulatory requirements applicable to business deals in the health care industry, and leads regulatory due diligence and diligence remediation efforts in connection with such transactions in tandem with the corporate M&A teams at GT and other law firms.

Julie has deep experience in the intricate and involved processes associated with over-payment refund processes and self-disclosures. She routinely assists provider clients, including behavioral health providers, substance use disorder providers, hospitals and health systems, long-term care providers, dialysis providers, ambulatory surgery centers, and ancillary service providers with referral source relationship compliance issues and internal or government investigations into billing issues and the handling of such matters requiring refunds and/or self-disclosures to government-funded health care programs or regulatory agencies.

Renae M. Nanna

Renae M. Nanna advises health care providers on a range of regulatory and transactional matters, including the licensure and certification of health care facilities, Medicare and Medicaid program participation requirements, and federal and state health care fraud, abuse, and self-referral laws. She also

Renae M. Nanna advises health care providers on a range of regulatory and transactional matters, including the licensure and certification of health care facilities, Medicare and Medicaid program participation requirements, and federal and state health care fraud, abuse, and self-referral laws. She also counsels clients on corporate practice prohibitions, fee-splitting, accreditation, credentialing, scope of practice, professional services agreements, management services agreements, and supervision and delegation requirements.