Healthcare Law Blog

The 2020 CARES Act: Caring About Substance Abuse Treatment Document ("SUD") Privacy

As of March 8^th, 2021 there were more than 28,813,424 cases and 523,850 COVID-19-related deaths in the U.S., representing 20% of the world's known COVID-19 deaths, and the most deaths of any country.[1]

While the pandemic rages on, the nation’s opioid crisis has grown into an even more complicated and deadly drug overdose epidemic.  The American Medical Association issued a report in October of 2020 describing how more than 40 states have reported increases in opioid-related mortality during this ongoing health crisis.[2]  The concerns for those with mental illness or substance use disorders have been overshadowed by the persisting coronavirus crisis.

The Coronavirus Aid, Relief, and Economic Security Act, or “CARES Act”, was passed to support the economic wellbeing of American workers, families, small businesses, and industries that have been impacted by COVID-19.  However, the Act covers far more than economic impact, addressing some longstanding concerns about the use of substance use disorder (“SUD”) patients’ medical records.  While patient privacy is only a small portion of the larger economic stimulus package, these amendments have far reaching implications once they become effective on March 27, 2021.

BACKGROUND

Part of the regulatory scheme meant to encourage Americans to seek professional assistance for substance abuse problems is set forth in § 543(b) of the Public Health Service Act (42 U.S.C. 290dd-2(b)), the basis for the SUD confidentiality regulations codified at 42 C.F.R. Part 2 (“Part 2”).  Part 2 presents strict guidelines for protecting information about SUD patients, with the goal of preventing any intentional or unintentional disclosures of SUD in treatment information.  Congress deliberately limited disclosures of medical records related to SUD treatment due to the high level of stigma and potential criminal penalties associated with the release of those records.  Historically, as the use of heroin and other opioids increased in the 1970s, advocates wanted to ensure that substance use disorder patients in recovery did not face barriers to treatment including the fear of criminal prosecution and social stigma. 

Over the years, the protection of SUD records and penalties for disclosure has been subject to growing criticism and challenge and proven to hamper payment for services.  Essentially, under Part 2, a patient’s SUD diagnosis is known only by the healthcare program responsible for the patient’s healthcare.  But some health care providers have argued that this model breaks down when a patient receives care from many different providers.  Their argument asserts that it is difficult to coordinate information among health care providers given the current regulatory scheme.  In 2018, the U.S. House of Representatives passed legislation that largely mirrors the recently adopted § 3221, but it did not pass the Senate.  Two years later, the provision was added to the CARES Act, which was quickly adopted with bipartisan support.

THE CARES ACT MODIFIED PATIENT CONSENT OF “SUD” RELEASE

The enhanced privacy accorded SUD records remain in place, but the CARES Act broadens the opportunity for disclosure and consent.  The key provisions changed by the CARES Act relate to privacy of SUD treatment records and the consent required before disclosure.  While § 3221 of the CARES Act still requires specific written consent for the disclosure of SUD records, it reflects a very different vision of how such consent is obtained when compared to Part 2 regulations.

Previously, under Part 2 regulations, SUD providers were requested to offer patients narrow consent forms addressing who they consent to see SUD treatment documents.  If the patient wanted to allow a disclosure of records to the patient’s health insurer so that the insurer would cover the SUD treatment, the SUD program would offer a consent form that allowed for disclosure to the health insurer and no one else.  If the patient thought records should be shared with a primary care physician, a separate consent form was required naming the particular primary care physician.  If the patient later switched doctors, a new form would be needed. In short, the prevailing requirement modified by § 3221 was that patients would need to specifically consent to each type of disclosure.  In practice, this meant that a patient may end up executing many different forms for different recipients and different purposes.

Section 3221 significantly revises the consent requirements eliminating much of the redundancy that mandated specific consent for each disclosure.   Now, once a patient’s written consent for disclosure has been obtained, the SUD record may be used or disclosed by any covered entity, business associate or SUD program for purposes of treatment, payment or healthcare operations defined by HIPAA.  In other words, the statute envisions a world in which a patient signs one consent form, after which the patient’s SUD information can be used and redisclosed by the initial recipient of that consent so long as the subsequent disclosure(s) are in compliance with HIPAA.  Under § 3221, a patient now may issue a “blanket” consent for health plans or other covered entities to disclose and redisclose their treatment information, for payment and treatment purposes so long as HIPAA privacy regulations are followed.  Unlike HIPAA, patients, however, may stop the disclosure of records for ‘Treatment, Payment and Healthcare Operations’ at any time by revoking that consent.   The CARES Act, however, still allows a patient to exercise discretion to limit disclosures allowing disclosure for treatment, but not for payment and vice versa.  

CHANGES TO THE RELEASE OF SUD DOCUMENTS WITHOUT PATIENT CONSENT

Before the enactment of the CARES Act, Part 2 regulations specified three circumstances when the content of a patient’s medical record otherwise protected under this section may be made available without the patient’s prior written consent, such as to medical personnel for a bona fide medical emergency.  The CARES Act adds a fourth: disclosure to a public health authority as long as the disclosure meets requirements for de-identified information under section 164.514(b) of title 45, Code of Federal Regulations.

The CARES Act also supports disclosure of information to support § 3221 also says it is the sense of Congress that by “any person treating a patient through a program or activity [subject to the SUD Confidentiality Law] is encouraged to access the applicable State-based prescription drug monitoring program when clinically appropriate.”   In other words, SUD programs that provide drugs such as methadone are encouraged under the Act to ensure that their patients have not been prescribed substances such as benzodiazepines that may lead to dangerous pharmacological interactions.  But the law provides no mechanism for other providers, such as primary care physicians, to obtain information on drugs prescribed or administered by an SUD program if the patient has not provided written consent.

ENFORCEMENT OF THESE LAWS

Prior to the CARES Act, the Department of Justice (“DOJ”) was responsible for enforcing the statute which included criminal rather than civil penalties.  Because the DOJ is not a privacy oversight agency, it historically demonstrated little interest in enforcing violations of the law.  Consequently, federal enforcement of the statute has been virtually nonexistent, and it has been up to state agencies to determine whether the law should be enforced under their own jurisdiction.

Under the CARES Act, violations of the SUD Confidentiality Statute are now subject to penalties under § 1176 and 1177 of the Social Security Act.  These are two statutory provisions that permit the federal government to impose civil and criminal penalties for violations of HIPAA.  Aligning enforcement of the SUD Confidentiality Law with HIPAA enforcement will result in greater federal scrutiny of disclosures of SUD records.  Other provisions in § 3221 further align the SUD Confidentiality Law with HIPAA.  Importantly, SUD providers are made subject to HIPAA requirements regarding any breach which means that breach notification must occur.  Most SUD providers are already subject to HIPAA; therefore, this statutory change will make no difference to them.  However, there are some SUD providers who—because they do not submit electronic claims to health insurers—may not already be subject to HIPAA, in which case they would be subject to this HIPAA requirement for the first time.  In addition, notices of privacy practices, required under HIPAA, would need to describe the entity’s policies regarding SUD information.

CONCLUSION

While the CARES Act addressed problems with the Part 2 regulations, we can expect “revisions to regulations as may be necessary for implementing and enforcing the amendments made by this section [3221], such that such amendments shall apply with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of this Act.”  This means, of course, that the Department of Health and Human Services may continue to issue and modify privacy regulations to enhance consistency with existing regulations. 

Notes:

[1] "Center for Disease Control and Prevention, COVID Data Tracker.

[2] https://www.ama-assn.org/system/files/2020-10/issue-brief-increases-in-opioid-related-overdose.pdf

Lisa English Hinkle is a Member of McBrayer law. Ms. Hinkle chairs the healthcare law practice and is located in the firm’s Lexington office. Contact Ms. Hinkle at lhinkle@mcbrayerfirm.com or (859) 231-8780, ext. 1256.

Services may be performed by others.
This article does not constitute legal advice.