Marti Arvin (marti.arvin@cynergistek.com) is Executive Advisor at Cynergistek in Austin, TX.
The Coronavirus Aid, Relief, and Economic Security (CARES) Act[1] not only provided needed pandemic financial relief for healthcare organizations, but it also made changes to the law for how substance use disorder (SUD) records are handled. The CARES Act changed 42 U.S.C. § 290dd-2 , the statutory basis for the regulations at 42 C.F.R. Part 2 . The language of the act states the U.S. Department of Health & Human Services must promulgate regulations that would be effective for disclosures after March 27, 2021. As of April 15, 2021, it has not proposed regulations to enact the provisions of the CARES act.
These changes are a bit of good news and a bit of not-so-good news. Providers who handle Part 2 information can more freely share patient information for treatment, payment, and certain healthcare operations with a one-time general consent from the patient. The current Part 2 regulations require specific consent language for each disclosure. It also changes how the recipient handles the information. Under the current regulations, the recipient’s further disclosure of the information is limited. The provisions of the CARES Act would allow for redisclosure of the information consistent with the Health Insurance Portability and Accountability Act (HIPAA). The disclosure for treatment, payment, and healthcare operations may only be made to a covered entity, a SUD provider, or a business associate. Any redisclosure of Part 2 information by a recipient would require an accounting of the disclosure.
Another change under the CARES Act would require a change to the notice of privacy practices (NPP), informing the patient that SUD records could be used in certain new ways. The update to the NPP appears to be directed to any Part 2 records maintained by the organization. This means a change to the NPP for covered entities who handle Part 2 information, but it will also mean Part 2 providers that are not covered entities under HIPAA will likely have a new burden to provide patients an NPP. Additionally, Part 2 providers, even if they are not HIPAA covered entities, will be required to provide notification of any breach.
The CARES Act also adds civil monetary penalties as a new enforcement mechanism against Part 2 providers. Historically, enforcement actions against Part 2 providers would have been handled by a criminal proceeding brought by the US attorney. These provisions brought the potential of a $5,000 fine for individuals and a $10,000 fine for organizations. The new civil monetary penalties under the CARES Act would impose the same civil monetary penalties as HIPAA.
The full impact of these changes is uncertain but definitely something for entities that must comply with Part 2 to watch closely.