The COVID-19 pandemic requires improved care coordination to ensure patients undergoing substance use disorder (SUD) treatment receive appropriate care, while maintaining and respecting their privacy. To accomplish this, Congress in the recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act) broadened the scope of permissible disclosures of SUD information protected under 42 CFR Part 2 (commonly referred to as “Part 2”).
HIPAA and Part 2, Generally Speaking
The use and disclosure of most protected health information (PHI) is governed by the HIPAA Privacy Rule and, in some limited cases, more stringent state laws. PHI relating to SUD, however, is subject to the more restrictive provisions of Part 2.
The federal regulations defined within Part 2 govern the confidentiality of SUD records and the use and disclosure of the same. Unlike the HIPAA Privacy Rule, which does not require authorization for disclosures related to treatment, payment, and healthcare operations (TPO), Part 2 requires the patient’s specific written consent for almost all disclosures, including those for TPO purposes.
SUD treatment providers emphasize that affected individuals are more likely to pursue treatment if they believe their personal information will be adequately and respectfully safeguarded.
New Provisions of the CARES Act
As noted earlier, the passage of the CARES Act broadens the scope of permissible SUD disclosures. Most importantly, once a patient gives written consent for disclosure, information may be used or disclosed by a covered entity, business associate, or a Part 2 program for TPO purposes as permitted by the HIPAA Privacy Rule.
Section 3221 of the CARES Act also aligns Part 2 with the HIPAA Privacy Rule in the following ways:
- Permits redisclosures of Part 2 information in accordance with the HIPAA Privacy Rule.
- Subjects Part 2 programs to the same breach notification requirements that apply to breaches of PHI under HIPAA.
- Makes the HIPAA statutory civil and criminal penalties applicable to violations of Part 2.
- Requires Part 2 programs to provide a Notice of Privacy Practices consistent with the HIPAA Privacy Rule.
- Makes all disclosures of Part-2-protected information for TPO subject to the HIPAA Privacy Rule’s accounting of disclosures requirements.
What It Means
Although permitting wider disclosures of SUD-related PHI, the CARES Act affords greater patient protections by prohibiting discrimination in access to healthcare, employment, housing, courts, and social services and benefits provided by governmental agencies based on SUD information.
With these changes, providers should make appropriate revisions to policies and procedures regarding use and disclosure of PHI, including updated consent forms for Part 2 information. The CARES Act did not fully align Part 2 with the HIPAA Privacy Rule, and providers must maintain existing processes regarding the use and disclosure of Part 2 information beyond TPO.
If you have any questions regarding this information, require assistance with HIPAA and compliance-related matters, or would like additional guidance related to COVID-19, visit our COVID-19 hub, or contact one of our PYA executives below at (800) 270-9629.
Disclaimer: To the best of our knowledge, this information was correct at the time of publication. Given the fluid situation, and with rapidly changing new guidance issued daily, be aware that some or all of this information may no longer apply. Please visit our COVID-19 hub frequently for the latest updates, as we are working diligently to put forth the most relevant helpful guidance as it becomes available.
