COVID-19 and Substance Abuse Records: Key Changes to 42 CFR Part 2 Requirements under the CARES Act

By Casey Moriarty

cmoriarty@omwlaw.com

206-447-7226

The recently enacted CARES Act includes important updates to the requirements governing the confidentiality of substance use disorder records under 42 CFR Part 2 (“Part 2”), including the following:

  1. Disclosures for Treatment, Payment, and Health Care Operations: After initial patient consent, the Cares Act permits substance use disorder programs, covered entities, and business associates to disclose Part 2 records for treatment, payment, and health care operations purposes as permitted by HIPAA without the need for additional consents from the patient. Below are examples illustrating a Part 2 program’s permissible disclosures upon receiving patient consent.

Treatment: The program may disclose the patient’s records as needed to any health care provider for the patient’s treatment, as permitted by HIPAA. There is no longer a requirement for the program to obtain the patient’s consent for the disclosure of records to each separate provider who may need to receive the records for treatment purposes.

Payment: The program can disclose the records to the patient’s current and future health insurers to obtain payment for services rendered as permitted by HIPAA.  There is no longer a need for the program to obtain patient consent for the disclosure of records to each specific insurer.

Health Care Operations: As permitted by HIPAA, the program can disclose the records for quality assurance or peer review purposes to another health care provider who has (or has had) a treatment relationship with the patient. Again, there is no need for the patient to consent to the disclosure to each provider.

While these changes certainly increase the ability of providers to disclose patient records, they also raise questions that need to be addressed in future regulations, including the following:

  • If substance use disorder records are disclosed in accordance with patient consent for a treatment, payment, or health care operations purpose, are the records still subject to Part 2 or are they only subject to HIPAA requirements?

This is a critical question because Part 2’s confidentiality protections are still greater than those in HIPAA, including stricter requirements on disclosures to family members of patients and disclosures related to court proceedings.  If Part 2 requirements continue to apply to the records after a disclosure for a treatment, payment, or health care operations purpose, providers need to continue segregating Part 2 records from other types of patient health information in order ensure that such records are not improperly disclosed in violation of Part 2.

  • Does a written patient consent for disclosure of records for treatment, payment, or health care operations need to list each of the intended recipient(s) of the records?

Current Part 2 regulations state that a written consent must list the permitted “recipient(s)” of the records. However, after a patient has signed an initial consent, the CARES Act appears to allow records to be broadly disclosed to any recipients for a treatment, payment, and health care operations purpose as permitted by HIPAA. Future regulations need to clarify whether a consent permitting disclosure of records for the purposes of treatment, payment, and/or health care operations must list permitted recipient(s) of the records.

  • Does the Part 2 notice prohibiting re-disclosure need to accompany records that are disclosed in accordance with patient consent for a treatment, payment, or health care operations purpose?

Future Part 2 regulations need to clarify whether the notice stating “42 CFR Part 2 prohibits unauthorized disclosure of these records” must be included with each disclosure of records for a treatment, payment, or health care operations purpose. Current Part 2 regulations require that this notice accompany each disclosure of substance use disorder records made with patient consent

  1. Disclosures to Public Health Authorities: The CARES Act permits a substance use disorder program to disclose patient records to a public health authority if the records have been de-identified in accordance with HIPAA requirements. On the surface, this change does not appear to be substantive because de-identified information technically is not subject to Part 2 disclosure restrictions in the first place.
  1. Use of Records in Court Proceedings: The CARES Act emphasizes the regulatory restrictions on the disclosure of substance use disorder records in criminal, civil, administrative, or legislative proceedings without patient consent or a court order. In addition, without patient consent or a court order, such records may not be used by law enforcement to conduct investigations, to apply for a warrant, or for other law enforcement purposes.
  1. Anti-Discrimination: The CARES Act prohibits any entity from discriminating against an individual based on substance use disorder records that the entity may have received through an inadvertent or intentional disclosure of such records. This includes discrimination related to (a) denying admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of worker’s compensation; (c) the sale, rental, or continued rental of housing; (d) access to Federal, State, or local courts; or (e) access to, approval of, or maintenance of  social services and benefits provided or funded by Federal, State, or local governments.
  1. Breach of Records: The CARES Act incorporates the HIPAA breach notification rule requirements into the Part 2 statute. Therefore, substance use disorder programs must comply with the HIPAA Breach Notification Rule requirements when they discover an improper use or disclosure of patient records. In general, substance use disorder programs are already subject to HIPAA requirements as covered entities, so this modification is not a major change for many programs.
  1. New Regulations: As stated above, the CARES Act requires the Secretary of HHS to revise the Part 2 regulations as necessary to implement and enforce the CARES Act changes. In addition, the Secretary must update the HIPAA requirements related to the Notices of Privacy Practices of a substance use disorder program. The CARES Act instructs the Secretary to implement such regulations within twelve months from the enactment date of the Act.

Next Steps: The CARES Act’s most significant modification to Part 2 is the new ability for programs, covered entities, and business associates to disclose records for treatment, payment, and health care operations purposes after the patient has signed an initial consent. We recommend that Providers review and potentially revise their consent forms to comply with this change, as well as their associated policies pertaining to the use and disclosure of substance use disorder records.  Additionally, providers should be ready to make additional revisions to consent forms and their Notice of Privacy Practices when HHS releases updated Part 2 regulations to implement the CARES Act.

If you would like more information on the changes to the Part 2 requirements under the CARES Act, please contact Casey Moriarty at cmoriarty@omwlaw.com or 206-447-7226.

 

COVID-19 and Telehealth: Understanding the New Medicare and HIPAA Waivers

In response to the COVID-19 national emergency, the federal government has put forth temporary waivers to certain HIPAA and Medicare requirements to promote the use of telehealth.  These waivers provide an opportunity for health care providers to start or expand their telehealth service offerings to patients.  Here are a few key takeaways from these waivers that are described in detail below:

  • Medicare: During the COVID-19 national emergency, Medicare will pay for telehealth services without regard to where the patient is located. The patient could even be located inside his or her home during a telehealth session.
  • HIPAA: During the COVID-19 national emergency, providers can provide, without the threat of penalties from the Office of Civil Rights, telehealth services through common video conferencing vendors (e.g. FaceTime, Skype, etc.) who may not comply with HIPAA requirements.
  • Next Steps: If a provider wants to start or expand telehealth service offerings to patients, it is important to be mindful of the various legal issues described below, including appropriate licensure, informed consent, and payor reimbursement.

Expansion of Telehealth Reimbursement under Medicare

Starting on March 6, 2020 and continuing for the duration of the COVID-19 national emergency, Medicare will pay for professional telehealth services furnished to Medicare patients without regard to where the patient is located. A patient can receive telehealth services in any part of the country and from any location, including the patient’s home.  This is a significant change from prior Medicare telehealth billing requirements, which required patients to be located within a designated rural area and to receive telehealth services only in certain types of medical facilities.

Medicare will pay for telehealth services under the Physician Fee Schedule at the same amount as in-person services.  Patients are still subject to Medicare deductibles and coinsurance, but the waiver allows providers to reduce or waive cost-sharing requirements for telehealth services paid by Medicare.

To ensure that telehealth services qualify for Medicare reimbursement, the patient and provider must communicate with each other using an interactive audio and video telecommunications system that permits real-time communication between the “distant site” (where the provider is located) and the “originating site” (where the patient is located). Services such as Zoom, FaceTime, and Skype satisfy this requirement.

Medicare continues to restrict the types of “distant site” providers that may engage in telehealth services to: licensed physicians, nurse practitioners, physician assistants, nurse midwives, certified nurse anesthetists, clinical psychologists, clinical social workers, registered dietitians, and nutrition professionals.  Unfortunately, the list of professionals has not been broadened to include other licensees, such as mental health counselors and marriage and family therapists. As discussed below, Medicaid and some private commercial payors do not have these same licensure restrictions.

Changes to HIPAA Telehealth Requirements

To encourage the use of telehealth technology, the Office of Civil Rights (OCR) will, during the COVID-19 national emergency, waive HIPAA penalties against health care providers related to the good faith provision of telehealth services to patients through common video communication technology such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype. As described above, Medicare will pay for telehealth services provided via such systems if they permit real-time audio and video communication. However, OCR emphasizes that “public facing” video communication applications such as Facebook Live, Twitch, and TikTok may not be used by providers to render telehealth services to patients. 

Prior to the OCR’s waiver, providers faced HIPAA compliance issues in using popular video conferencing technology to provide telehealth services to patients.  Many video conferencing technology vendors will not represent that they comply with HIPAA security safeguards and refuse to sign a HIPAA business associate agreement (BAA).

Under the waiver, OCR states that it will not impose penalties against providers for the lack of a BAA with a video conferencing vendor or for noncompliance with HIPAA privacy or security requirements related to the good faith provision of telehealth during the COVID-19 national emergency. OCR does, however, encourage providers to notify patients that the use of video conferencing applications could cause risks to the privacy of patient information.  OCR also emphasizes that providers should also use any encryption technology if it is available with the video conferencing application.

Although OCR will not penalize providers who lack a BAA with telehealth technology vendors during the COVID-19 national emergency, OCR acknowledges that providers may want to enter into BAAs with vendors to ensure that the vendors take HIPAA requirements seriously. Despite the OCR’s waiver of penalties, patients could still file a lawsuit against a provider related to a security or privacy breach, so entering into a BAA with a telehealth vendor can be an important risk management strategy. To assist providers, OCR included a list of telehealth technology vendors who represent that they will enter into a BAA with providers:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • me
  • Google G Suite Hangouts Meet

It is important to note that substance abuse providers who are subject to the confidentiality requirements of 42 CFR Part 2 need to continue entering into “Qualified Service Organization (QSO)” contracts with telehealth vendors.  SAMHSA, the agency that oversees 42 CFR Part 2, has not issued waivers to 42 CFR Part 2 QSO requirements.

Next Steps

The waivers to the Medicare and HIPAA requirements related to telehealth should be welcomed by health care providers. The waivers provide an opportunity for providers to continue treating their patients while limiting potential exposure to the novel coronavirus.

If you, as a Washington State healthcare provider, want to start providing telehealth services to patients, or if you are already providing telehealth services to patients, here are few concepts to consider:

  • Free Telehealth Technology: To encourage the use of telehealth, the Washington State Health Care Authority is providing a certain number of licenses to the Zoom video conferencing service at no charge. Information on applying for one of these licenses is located here: https://www.hca.wa.gov/billers-providers-partners/prior-authorization-claims-and-billing/request-zoom-license-connect. It appears that HCA is intending that these licenses be used by small providers.
  • Licensure: Under Washington State Medical Commission guidelines, a provider using telehealth to practice medicine on Washington State patients must be licensed to practice medicine in Washington. For example, a provider licensed in Oregon cannot provide telehealth services to a patient located in Washington.  Similarly, a provider licensed in Washington cannot provide telehealth services to a patient located in Oregon. However, a Washington provider may render telehealth services to a patient located outside of Washington if the patient has already met in-person with the provider, and the telehealth services are limited to clarification, advice, or follow-up related to the in-person visit.

Exception: During the COVID-19 emergency, the Washington State Department of Health (“DOH”) has stated that a health care entity in Washington State (e.g. hospital) may offer telehealth services to Washington patients that are provided by out-of-state providers employed by the entity if: (1) the providers do not have a pre-existing employment relationship with the entity, and (2) complete the application to register as an Emergency Volunteer Health Practitioner with the DOH.  More information about this process is here:

https://www.doh.wa.gov/Emergencies/NovelCoronavirusOutbreak2020/HealthcareProviders/EmergencyVolunteerHealthPractitioners.

  • HIPAA Requirements: As stated above, OCR is encouraging the use of telehealth services even if a BAA may not be in place between the provider and telehealth vendor. However, providers should still consider asking vendors to sign BAAs for risk management purposes because they contain important protections for patient information.  Providers should also try to provide a HIPAA Notice of Privacy Practices (“NPP”) to new telehealth patients that the provider has not seen in-person. But, as described above, OCR will not penalize providers for failing to comply with HIPAA requirements such as providing an NPP to a telehealth patient during the COVID-19 national emergency.
  • Informed Consent: Prior to rendering telehealth services to a patient, a provider should obtain the patient’s written informed consent to the telehealth services. An informed consent form should describe the services to be rendered, the anticipated results and benefits of the services, the risks related to the services, and any alternatives to the telehealth services. For the sake of efficiency, providers can ask patients to send a signed copy of the form via email (e.g. patient takes a picture of the form and then emails it with a smartphone) or via fax. Providers can also have patients sign the form via an electronic signature platform, such as Docusign.
  • New Patients: If a provider is seeing a new patient via telehealth, the provider should ensure that, in addition to an informed consent form, the patient completes the intake paperwork that new in-person patients must complete. The paperwork should include a demographic form where the patient provides contact information and a description of his or her medical problem, a financial agreement that describes the provider’s payment policies, and, as described above, an NPP.  Similar to the informed consent form, patients can submit the completed paperwork to providers electronically.
  • Health Insurance Other Than Medicare: The Medicare waiver does not apply to telehealth services provided to beneficiaries of Medicaid or commercial health insurance. However, the Washington State Medicaid program will cover telehealth services delivered by any provider licensed in Washington State that are: (1) within the provider’s scope of practice, and (2) provided via HIPAA-compliant, interactive, real-time audio and video telecommunications (including web- based applications). Based on the OCR’s HIPAA enforcement waiver, these systems appear to include common videoconferencing systems like Apple FaceTime, Zoom, and Skype.

Similar to the Medicare waiver, Washington State law requires Medicaid and all commercial insurers to reimburse any licensed Washington health care provider for medically necessary telehealth services without regard to where the patient is located (e.g. patient’s home).  However, commercial insurers have different coverage policies related to telehealth, so it is important for providers to verify coverage requirements with each of their contracted insurers.

The Medicare and HIPAA waivers provide important opportunities for providers to utilize telehealth services during the COVID-19 national emergency. Please reach out to Casey Moriarty at 206-447-7000 if you have any questions.