CARES Act Significantly Revises Part 2 Rules to Better Align with HIPAA

Alerts / April 1, 2020

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. While the focus of the CARES Act has been on direct financial aid to Americans, the Act also contains a number of material revisions to the Federal privacy provisions that govern the confidentiality of substance-use disorder (“SUD”) records.

SUD information is protected by the federal confidentiality law found at 42 U.S.C. §290dd-2, which is the statutory authority for the SUD confidentiality regulations under 42 CFR Part 2, commonly referred to as “Part 2.” The CARES Act revises certain provisions of the SUD statute to better conform with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), thereby minimizing the burden on providers of trying to comply with two somewhat conflicting regulatory schemes. Most notably, Section 3321 of the CARES Act provides that once prior written consent of the patient has been obtained, SUD records “may be used or disclosed by a covered entity, business associate, or a [Part 2] program for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.”

This eliminates the prior requirement that a SUD patient’s consent be obtained before each disclosure and identify by name who can receive the information (rather than by general category of recipients, as permitted under HIPAA), a requirement that has been viewed as an obstacle to information sharing. The change also enables providers to re-disclose the records as permissible under HIPAA.

The CARES Act also expands privacy protections for SUD patients by:

  • Limiting use and disclosure of SUD information against the patient in judicial or administrative proceedings.
  • Prohibiting anyone who receives SUD records from using such information to discriminate against individuals, including with regard to access to treatment for health care; hiring or firing decisions; the sale, rental, or continued rental of housing; and access to government services and benefits.
  • Adopting several provisions from HIPAA, including the rules regarding breach notification, provision of Notice of Privacy Practices in plain language to SUD patients and granting SUD patients the right to an accounting of disclosures.

In addition, the civil and criminal penalties for violating Part 2 were increased under the CARES Act to be consistent with HIPAA. Violators now face a maximum fine of $50,000 and 1 year in prison for wrongful disclosure of SUD information, with heightened penalties if false pretenses were involved or the information was used for personal gain or to cause malicious harm.

The CARES Act requires the Department of Health and Human Services (“HHS”) to revise the Part 2 regulations within 12 months to comply with the CARES Act. Finally, the CARES Act requires HHS to issue guidance regarding the sharing of patients’ PHI during the COVID-19 public health emergency within 180 days, but does not specify what this guidance must contain. As the HHS Office of Civil Rights (“OCR”) already issued a bulletin entitled “HIPAA Privacy and Coronavirus” in February of 2020, an 1135 waiver of certain HIPAA requirements for hospitals, as well as a Notice of Enforcement Discretion relaxing certain HIPAA requirements related to telehealth during this national emergency, it is unclear if the existing OCR guidance will satisfy the CARES Act requirements or if additional guidance will be forthcoming.

By: Kyle Gregory and Vimala Devassy

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.
