Contact Us
Categories
- Workplace Violence
- Assisted Living Facilities
- Department of Health and Human Services' Office of Civil Rights
- Medical Residents
- EMTALA
- FDA
- Reproductive Rights
- Roe v. Wade
- SCOTUS
- Medical Spas
- medical billing
- No Surprises Act
- Mandatory vaccination policies
- Workplace health
- Coronavirus Aid, Relief and Economic Security Act
- Code Enforcement
- Department of Labor ("DOL")
- Employment Law
- FFCRA
- CARES Act
- Nursing Home Reform Act
- Acute Care Beds
- Clinical Support
- Coronavirus
- COVID-19
- Emergency Medical Services
- Emergency Preparedness
- Families First Coronavirus Response Act
- Family and Medical Leave Act (“FMLA”)
- KBML
- medication assisted therapy
- SB 150
- Department of Health and Human Services
- Legislative Developments
- Corporate
- United States Department of Justice ("DOJ")
- Employee Contracts
- Non-Compete Agreement
- Opioid Epidemic
- Sexual Harassment
- Health Resource and Services Administration
- Litigation
- Medical Malpractice
- House Bill 333
- Senate Bill 79
- Locum Tenens
- Physician Prescribing Authority
- Senate Bill 4
- Chronic Pain Management
- HIPAA
- Prescription Drugs
- "Two Midnights Rule"
- 340B Program
- EHR Systems
- Hospice
- ICD-10
- Kentucky minimum wage
- Minimum wage
- Primary Care Physicians ("PCPs")
- Skilled Nursing Facilities (“SNFs”)
- Uncategorized
- Affordable Insurance Exchanges
- Drug Screening
- Electronic Health Records (“EHR")
- Fraud
- Health Care Fraud
- HIPAA Risk Assessment
- KASPER
- Kentucky Board of Medical Licensure
- Kentucky’s Department for Medicaid Services
- Mental Health Care
- Office for Civil Rights ("OCR")
- Physician Assistants
- Qui Tam
- Stark Laws
- Urinalysis
- Accountable Care Organizations (“ACO”)
- Affordable Care Act
- Alternative Payment Models
- Anti-Kickback Statute
- Centers for Medicare & Medicaid Services (“CMS”)
- Certificate of Need ("CON")
- Charitable Hospitals
- Compliance
- Data Breach
- Department of Health and Human Services (HHS)
- Electronic Protected Health Information (ePHI)
- False Claims Act
- Federally Qualified Health Centers (“FQHCs”)
- Fee for Service
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Professional Shortage Area ("HPSA")
- Hospitals
- HPSA
- HRSA
- Limited Services Clinics
- Medicaid
- Medical Staff By-Laws
- Medically Underserved Area ("MUA")
- Medicare
- Mid-Level Practitioners
- Office of Inspector General of the United States Department of Health and Human Services (OIG)
- Part D
- Patient Protection and Affordable Care Act (“ACA”)
- Pharmacists
- Rural Health Centers (“RHCs”)
- Rural Health Clinic
- Telehealth
- American Telemedicine Association (“ATA”)
- Criminal Division of the Department of Justice (“DOJ”)
- Health Care Fraud Prevention and Enforcement Action Team (“HEAT”)
- Hydrocodone
- Kentucky Board of Nursing
- Kentucky Pharmacists Association
- Qualified Health Care Centers (“FQHC”)
- Telemedicine
- Agreed Order
- APRNs
- Chain and Organization System (“PECOS”)
- Douglas v. Independent Living Center of Southern California
- Drug Enforcement Agency ("DEA")
- Emergency Rooms
- Enrollment
- Hinchy v. Walgreen Co.
- Jimmo v. Sebelius
- Maintenance Standard
- Overpayments
- Re-validation
- United States ex. Rel. Kane v. Continuum Health Partners
- Vitas Innovative Hospice Care
- Webinar
- 2014 Medicare Physician Fee Schedule (“PFS”)
- 501(c)(3)
- All-Payer Claims Database ("APCD")
- Appeal
- Chiropractic services
- Chronic Care Management
- Clinical Laboratory Improvement Amendments of 1988 (“CLIA”)
- Compliance Officer
- Compounding
- CPR
- Dispenser
- Drug Quality and Security Act (“DQSA”)
- Essential Health Benefits
- HealthCare.gov
- House Bill 3204
- ICD-9
- Kentucky Senate Bill 7
- Kindred v. Cherolis
- Long-term care communities
- Medicare Part D
- Minors
- National Drug Code ("NDC")
- New England Compounding Center ("NECC")
- Ophthalmological services
- Outsourcing facility
- Physician Compare website
- Ping v. Beverly Enterprises
- Power of Attorney ("POA")
- Prescriber
- State Health Plan
- Sustainable Growth Rate (“SGR”)
- Texting
- "Plan of Correction"
- Affinity Health Plan
- Arbitration
- Audit
- Cadillac tax
- Centers for Disease Control and Prevention
- Community health needs assessment (“CHNA”)
- Condition of Participation ("CoP")
- Daycare centers
- Decertification
- Denied Claims
- Department of Medicaid Services’ (“DMS”)
- Division of Regulated Child Care
- Doe v. Guthrie Clinic
- EHR vendor
- Employer Group Health Plans
- Employer Mandate
- ERISA
- Fair Labor Standards Act (FLSA)
- False Billings
- Federation of State Medical Boards (“FSMB”)
- Food and Drug Administratio
- Form 4720
- Grace Period
- Health Professional Shortage Areas (“HPSA”)
- Health Reform
- Home Health Prospective Payment System
- Home Medical Equipment Providers
- Hospitalists
- Individual mandate
- Inpatient Care
- Intermediate Sanctions Agreement
- Kentucky Health Benefit Exchange
- Kentucky Medical Practice Act
- Kynect
- Licensed practical nurses (LPN)
- Licensure Requirements
- List of Excluded Individuals and Entities
- LLC v. Sutter
- Long-Term Care Providers ("LTC")
- Low-utilization payment adjustment ("LUPA")
- Meaningful use incentives
- Medicare Administrative Coordinators
- Medicare Benefit Policy Manual
- Medicare Shared Saving Program (MSSP)
- Mobile medical applications ("apps")
- Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”)
- National Institutes of Health
- Network provider agreement
- Nonprofit hospitals
- Nonroutine medical supplies conversion factor (“NRS”)
- Nurse practitioners (NP)
- Office of the National Coordinator for Health Information Technology (“ONC”)
- Part A
- Part B
- Patient Privacy
- Payors
- Personal Service Entities
- Physician Payments
- Physician Recruitment
- Physician shortages
- Provider Self Disclosure Protocol
- Qualified Health Plan ("QHP")
- Quality reporting
- Registered nurses (RN)
- Residency Programs
- Self-Disclosure Protocol
- Social Media
- Spousal coverage
- Statement of Deficiency ("SOD")
- Trade Association Group Coverage
- Upcoding
- UPS
- “Superuser”
- Advanced Practice Registered Nurses
- Autism/ASD
- Business Associate Agreements
- Business Associates
- Call Coverage
- Compliance Programs
- Critical Access Hospitals (“CAHs”)
- Essential Health Benefits (“EHBs”)
- Genetic Information Nondiscrimination Act ("GINA")
- Group Purchasing Organizations ("GPO")
- House Bill 104
- Kentucky House Bill 159
- Kentucky House Bill 217
- Kentucky Primary Care Centers (“PCCs”)
- Managed Care Organizations (“MCOs”)
- Medicare Audit Improvement Act of 2012
- Patient Autonomy
- Personal Health Information
- Recovery Audit Contractors (“RAC”)
- Senate Bill 39
- Senate Finance Committee Report
- Small Business Health Options Program (“SHOP”)
- State Medicaid Expansion
- Abuse and Waste
- Center for Disease Control
- Consumer Operated and Oriented Plan programs (“CO-OPS”)
- Free Conference Committee Report
- Healthcare Information and Management Systems Society (HIMSS)
- House Bill 1
- House Bill 4
- Kentucky Cabinet for Health and Family Services
- Kentucky Health Care Co-Op
- Kentucky Health Cooperative (“KYHC”)
- Kentucky “Pill Mill Bill”
- Occupational Safety and Health Administration (“OSHA”)
- Pain Management Facilities
- Sunshine Act
- Employee Agreement
- Health Care Fraud and Abuse Control Program
- Health Insurance
- Healthcare Regulation
- Health Care Law
McBrayer Blogs
The 2020 CARES Act: Caring About Substance Abuse Treatment Document ("SUD") Privacy
As of March 8th, 2021 there were more than 28,813,424 cases and 523,850 COVID-19-related deaths in the U.S., representing 20% of the world's known COVID-19 deaths, and the most deaths of any country.[1]
While the pandemic rages on, the nation’s opioid crisis has grown into an even more complicated and deadly drug overdose epidemic. The American Medical Association issued a report in October of 2020 describing how more than 40 states have reported increases in opioid-related mortality during this ongoing health crisis.[2] The concerns for those with mental illness or substance use disorders have been overshadowed by the persisting coronavirus crisis.
The Coronavirus Aid, Relief, and Economic Security Act, or “CARES Act”, was passed to support the economic wellbeing of American workers, families, small businesses, and industries that have been impacted by COVID-19. However, the Act covers far more than economic impact, addressing some longstanding concerns about the use of substance use disorder (“SUD”) patients’ medical records. While patient privacy is only a small portion of the larger economic stimulus package, these amendments have far reaching implications once they become effective on March 27, 2021.
BACKGROUND
Part of the regulatory scheme meant to encourage Americans to seek professional assistance for substance abuse problems is set forth in § 543(b) of the Public Health Service Act (42 U.S.C. 290dd-2(b)), the basis for the SUD confidentiality regulations codified at 42 C.F.R. Part 2 (“Part 2”). Part 2 presents strict guidelines for protecting information about SUD patients, with the goal of preventing any intentional or unintentional disclosures of SUD in treatment information. Congress deliberately limited disclosures of medical records related to SUD treatment due to the high level of stigma and potential criminal penalties associated with the release of those records. Historically, as the use of heroin and other opioids increased in the 1970s, advocates wanted to ensure that substance use disorder patients in recovery did not face barriers to treatment including the fear of criminal prosecution and social stigma.
Over the years, the protection of SUD records and penalties for disclosure has been subject to growing criticism and challenge and proven to hamper payment for services. Essentially, under Part 2, a patient’s SUD diagnosis is known only by the healthcare program responsible for the patient’s healthcare. But some health care providers have argued that this model breaks down when a patient receives care from many different providers. Their argument asserts that it is difficult to coordinate information among health care providers given the current regulatory scheme. In 2018, the U.S. House of Representatives passed legislation that largely mirrors the recently adopted § 3221, but it did not pass the Senate. Two years later, the provision was added to the CARES Act, which was quickly adopted with bipartisan support.
THE CARES ACT MODIFIED PATIENT CONSENT OF “SUD” RELEASE
The enhanced privacy accorded SUD records remain in place, but the CARES Act broadens the opportunity for disclosure and consent. The key provisions changed by the CARES Act relate to privacy of SUD treatment records and the consent required before disclosure. While § 3221 of the CARES Act still requires specific written consent for the disclosure of SUD records, it reflects a very different vision of how such consent is obtained when compared to Part 2 regulations.
Previously, under Part 2 regulations, SUD providers were requested to offer patients narrow consent forms addressing who they consent to see SUD treatment documents. If the patient wanted to allow a disclosure of records to the patient’s health insurer so that the insurer would cover the SUD treatment, the SUD program would offer a consent form that allowed for disclosure to the health insurer and no one else. If the patient thought records should be shared with a primary care physician, a separate consent form was required naming the particular primary care physician. If the patient later switched doctors, a new form would be needed. In short, the prevailing requirement modified by § 3221 was that patients would need to specifically consent to each type of disclosure. In practice, this meant that a patient may end up executing many different forms for different recipients and different purposes.
Section 3221 significantly revises the consent requirements eliminating much of the redundancy that mandated specific consent for each disclosure. Now, once a patient’s written consent for disclosure has been obtained, the SUD record may be used or disclosed by any covered entity, business associate or SUD program for purposes of treatment, payment or healthcare operations defined by HIPAA. In other words, the statute envisions a world in which a patient signs one consent form, after which the patient’s SUD information can be used and redisclosed by the initial recipient of that consent so long as the subsequent disclosure(s) are in compliance with HIPAA. Under § 3221, a patient now may issue a “blanket” consent for health plans or other covered entities to disclose and redisclose their treatment information, for payment and treatment purposes so long as HIPAA privacy regulations are followed. Unlike HIPAA, patients, however, may stop the disclosure of records for ‘Treatment, Payment and Healthcare Operations’ at any time by revoking that consent. The CARES Act, however, still allows a patient to exercise discretion to limit disclosures allowing disclosure for treatment, but not for payment and vice versa.
CHANGES TO THE RELEASE OF SUD DOCUMENTS WITHOUT PATIENT CONSENT
Before the enactment of the CARES Act, Part 2 regulations specified three circumstances when the content of a patient’s medical record otherwise protected under this section may be made available without the patient’s prior written consent, such as to medical personnel for a bona fide medical emergency. The CARES Act adds a fourth: disclosure to a public health authority as long as the disclosure meets requirements for de-identified information under section 164.514(b) of title 45, Code of Federal Regulations.
The CARES Act also supports disclosure of information to support § 3221 also says it is the sense of Congress that by “any person treating a patient through a program or activity [subject to the SUD Confidentiality Law] is encouraged to access the applicable State-based prescription drug monitoring program when clinically appropriate.” In other words, SUD programs that provide drugs such as methadone are encouraged under the Act to ensure that their patients have not been prescribed substances such as benzodiazepines that may lead to dangerous pharmacological interactions. But the law provides no mechanism for other providers, such as primary care physicians, to obtain information on drugs prescribed or administered by an SUD program if the patient has not provided written consent.
ENFORCEMENT OF THESE LAWS
Prior to the CARES Act, the Department of Justice (“DOJ”) was responsible for enforcing the statute which included criminal rather than civil penalties. Because the DOJ is not a privacy oversight agency, it historically demonstrated little interest in enforcing violations of the law. Consequently, federal enforcement of the statute has been virtually nonexistent, and it has been up to state agencies to determine whether the law should be enforced under their own jurisdiction.
Under the CARES Act, violations of the SUD Confidentiality Statute are now subject to penalties under § 1176 and 1177 of the Social Security Act. These are two statutory provisions that permit the federal government to impose civil and criminal penalties for violations of HIPAA. Aligning enforcement of the SUD Confidentiality Law with HIPAA enforcement will result in greater federal scrutiny of disclosures of SUD records. Other provisions in § 3221 further align the SUD Confidentiality Law with HIPAA. Importantly, SUD providers are made subject to HIPAA requirements regarding any breach which means that breach notification must occur. Most SUD providers are already subject to HIPAA; therefore, this statutory change will make no difference to them. However, there are some SUD providers who—because they do not submit electronic claims to health insurers—may not already be subject to HIPAA, in which case they would be subject to this HIPAA requirement for the first time. In addition, notices of privacy practices, required under HIPAA, would need to describe the entity’s policies regarding SUD information.
CONCLUSION
While the CARES Act addressed problems with the Part 2 regulations, we can expect “revisions to regulations as may be necessary for implementing and enforcing the amendments made by this section [3221], such that such amendments shall apply with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of this Act.” This means, of course, that the Department of Health and Human Services may continue to issue and modify privacy regulations to enhance consistency with existing regulations.
Notes:
[1] "Center for Disease Control and Prevention, COVID Data Tracker.
[2] https://www.ama-assn.org/system/files/2020-10/issue-brief-increases-in-opioid-related-overdose.pdf
Lisa English Hinkle is a Member of McBrayer law. Ms. Hinkle chairs the healthcare law practice and is located in the firm’s Lexington office. Contact Ms. Hinkle at lhinkle@mcbrayerfirm.com or (859) 231-8780, ext. 1256.
Services may be performed by others.
This article does not constitute legal advice.