By Casey Moriarty
The recently enacted CARES Act includes important updates to the requirements governing the confidentiality of substance use disorder records under 42 CFR Part 2 (“Part 2”), including the following:
- Disclosures for Treatment, Payment, and Health Care Operations: After initial patient consent, the Cares Act permits substance use disorder programs, covered entities, and business associates to disclose Part 2 records for treatment, payment, and health care operations purposes as permitted by HIPAA without the need for additional consents from the patient. Below are examples illustrating a Part 2 program’s permissible disclosures upon receiving patient consent.
Treatment: The program may disclose the patient’s records as needed to any health care provider for the patient’s treatment, as permitted by HIPAA. There is no longer a requirement for the program to obtain the patient’s consent for the disclosure of records to each separate provider who may need to receive the records for treatment purposes.
Payment: The program can disclose the records to the patient’s current and future health insurers to obtain payment for services rendered as permitted by HIPAA. There is no longer a need for the program to obtain patient consent for the disclosure of records to each specific insurer.
Health Care Operations: As permitted by HIPAA, the program can disclose the records for quality assurance or peer review purposes to another health care provider who has (or has had) a treatment relationship with the patient. Again, there is no need for the patient to consent to the disclosure to each provider.
While these changes certainly increase the ability of providers to disclose patient records, they also raise questions that need to be addressed in future regulations, including the following:
- If substance use disorder records are disclosed in accordance with patient consent for a treatment, payment, or health care operations purpose, are the records still subject to Part 2 or are they only subject to HIPAA requirements?
This is a critical question because Part 2’s confidentiality protections are still greater than those in HIPAA, including stricter requirements on disclosures to family members of patients and disclosures related to court proceedings. If Part 2 requirements continue to apply to the records after a disclosure for a treatment, payment, or health care operations purpose, providers need to continue segregating Part 2 records from other types of patient health information in order ensure that such records are not improperly disclosed in violation of Part 2.
- Does a written patient consent for disclosure of records for treatment, payment, or health care operations need to list each of the intended recipient(s) of the records?
Current Part 2 regulations state that a written consent must list the permitted “recipient(s)” of the records. However, after a patient has signed an initial consent, the CARES Act appears to allow records to be broadly disclosed to any recipients for a treatment, payment, and health care operations purpose as permitted by HIPAA. Future regulations need to clarify whether a consent permitting disclosure of records for the purposes of treatment, payment, and/or health care operations must list permitted recipient(s) of the records.
- Does the Part 2 notice prohibiting re-disclosure need to accompany records that are disclosed in accordance with patient consent for a treatment, payment, or health care operations purpose?
Future Part 2 regulations need to clarify whether the notice stating “42 CFR Part 2 prohibits unauthorized disclosure of these records” must be included with each disclosure of records for a treatment, payment, or health care operations purpose. Current Part 2 regulations require that this notice accompany each disclosure of substance use disorder records made with patient consent
- Disclosures to Public Health Authorities: The CARES Act permits a substance use disorder program to disclose patient records to a public health authority if the records have been de-identified in accordance with HIPAA requirements. On the surface, this change does not appear to be substantive because de-identified information technically is not subject to Part 2 disclosure restrictions in the first place.
- Use of Records in Court Proceedings: The CARES Act emphasizes the regulatory restrictions on the disclosure of substance use disorder records in criminal, civil, administrative, or legislative proceedings without patient consent or a court order. In addition, without patient consent or a court order, such records may not be used by law enforcement to conduct investigations, to apply for a warrant, or for other law enforcement purposes.
- Anti-Discrimination: The CARES Act prohibits any entity from discriminating against an individual based on substance use disorder records that the entity may have received through an inadvertent or intentional disclosure of such records. This includes discrimination related to (a) denying admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to Federal, State, or local courts; or (e) access to, approval of, or maintenance of social services and benefits provided or funded by Federal, State, or local governments.
- Breach of Records: The CARES Act incorporates the HIPAA breach notification rule requirements into the Part 2 statute. Therefore, substance use disorder programs must comply with the HIPAA Breach Notification Rule requirements when they discover an improper use or disclosure of patient records. In general, substance use disorder programs are already subject to HIPAA requirements as covered entities, so this modification is not a major change for many programs.
- New Regulations: As stated above, the CARES Act requires the Secretary of HHS to revise the Part 2 regulations as necessary to implement and enforce the CARES Act changes. In addition, the Secretary must update the HIPAA requirements related to the Notices of Privacy Practices of a substance use disorder program. The CARES Act instructs the Secretary to implement such regulations within twelve months from the enactment date of the Act.
Next Steps: The CARES Act’s most significant modification to Part 2 is the new ability for programs, covered entities, and business associates to disclose records for treatment, payment, and health care operations purposes after the patient has signed an initial consent. We recommend that Providers review and potentially revise their consent forms to comply with this change, as well as their associated policies pertaining to the use and disclosure of substance use disorder records. Additionally, providers should be ready to make additional revisions to consent forms and their Notice of Privacy Practices when HHS releases updated Part 2 regulations to implement the CARES Act.
If you would like more information on the changes to the Part 2 requirements under the CARES Act, please contact Casey Moriarty at email@example.com or 206-447-7226.