At the end of March, President Trump signed into law the third coronavirus stimulus legislation, a $2 trillion package known as the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). While the legislation focused both on providing economic stimulus to the nation’s beleaguered economy and on assisting the healthcare sector in combating COVID-19, the expansive law also included a number of provisions that do not directly relate to the COVID-19 crisis.
One of the most important of such provisions is Section 3221, which changes federal law regarding the confidentiality of substance use disorder (SUD) records. Since the 1970s, the federal SUD confidentiality statute (the SUD Confidentiality Law) has been one of the strictest privacy laws in the country, requiring written consent for nearly all types of disclosures of information. This stands in contrast to the privacy rule under the Health Insurance Portability and Accountability Act (HIPAA), which allows for disclosures of protected health information without written authorization in a wide variety of circumstances.
While Section 3221 does not eliminate the written consent requirement, it does substantially modify how the consent process should be implemented. Further, it changes the nature of enforcement under the law and sets forth a more broad-based antidiscrimination provision. Over the long term, the revisions to the SUD Confidentiality Law may be one of the most consequential changes to privacy laws stemming from the COVID-19 pandemic.
For years, many providers and other participants in the healthcare system have pushed for a change to the federal SUD Confidentiality Law, set forth at 42 U.S.C. § 290dd–2, which is the basis for the SUD confidentiality regulations codified at 42 C.F.R. Part 2. While HIPAA allows for disclosures for purposes of treatment, payment or “health care operations” without patient authorization, there are no equivalent exceptions to the SUD Confidentiality Law.
Congress deliberately limited disclosures under the SUD Confidentiality Law due to the high level of stigma and potential criminal penalties associated with SUDs. Much like today, use of heroin and other opioids increased in the 1970s, and advocates for those with SUDs wanted to ensure that patients did not face barriers to treatment. If patients knew that those who provided them with care could rarely disclose their information outside of the treatment program, they would feel more comfortable getting care from such a program.
But over the years, this framework has been subject to growing criticism. A model where only an SUD program knows of a patient’s SUD diagnosis works well if that program is solely responsible for the patient’s healthcare. But some providers argue that this model breaks down if a patient is receiving care from many different providers who must coordinate care among one another.
As the opioid crisis reached its peak at the end of the last decade, some in Congress called for a reworking of the SUD Confidentiality Law. In 2018, the House passed language that largely mirrors the recently adopted Section 3221, but it did not pass the Senate. Two years later, the provision was added into the CARES Act, which was quickly adopted.
Consent for Disclosures
While Section 3221 still requires written consent for the disclosure of SUD records subject to the law, it reflects a very different vision of how such consent is obtained. SUD providers subject to the law often offer their patients narrow consent forms. If the patient wanted to allow a disclosure of records to the patient’s health insurer so that the insurer would cover the SUD treatment, the SUD program would offer a consent form that allowed for disclosure to the health insurer and no one else. If the patient thought records should be shared with a primary care physician, a consent form would name that particular primary care physician. If the patient later switched doctors, a new form would be needed. In short, the principle was that the patient would need to consent to each type of disclosure, so that one patient may end up signing many different forms for different recipients and different purposes. The consent form requirements in the Part 2 regulations still largely reflect this model.
With the Section 3221 revisions, once a patient’s written consent has been obtained, the SUD record may be used or disclosed by any covered entity, business associate or SUD program for purposes of treatment, payment or healthcare operations under HIPAA. In other words, the statute envisions a world in which a patient signs one consent form, after which the patient’s SUD information can be used and redisclosed by the initial recipient so long as such disclosure is in compliance with HIPAA.
This increased flexibility regarding consent is counterbalanced by the potential for greater enforcement of the SUD Confidentiality Law. Prior to the CARES Act, it was the Department of Justice (DOJ) that was responsible for enforcing the statute. But DOJ is not a privacy oversight agency, and it showed little interest in investigating routine violations of the law. Thus, federal enforcement of the statute has been virtually nonexistent, and it has been up to state SUD agencies as to whether the law should be enforced under their own jurisdiction.
Under the CARES Act, violations of the SUD Confidentiality Statute are now subject to Sections 1176 and 1177 of the Social Security Act. These are the two statutory provisions that permit the federal government to impose civil and criminal penalties for violations of HIPAA. Aligning enforcement of the SUD Confidentiality Law with HIPAA enforcement could result in greater federal scrutiny of disclosures of SUD records.
Other provisions in Section 3221 also further align the SUD Confidentiality Law with HIPAA. SUD providers are made subject to HIPAA requirements regarding breach. Most SUD providers are already subject to HIPAA, and, therefore, this statutory change will make no difference to them. However, there are some SUD providers who—because they do not submit electronic claims to health insurers—may not already be subject to HIPAA, in which case they would be subject to this HIPAA requirement for the first time. In addition, notices of privacy practices, required under HIPAA, would need to describe the entity’s policies regarding SUD information.
Public Health Disclosures
Reflecting the fact that the provision was first proposed by Congress two years ago, Section 3221 notably does not directly address disclosures made to respond to the COVID-19 epidemic. Unlike with HIPAA, there is no exception under the SUD Confidentiality Law that allows for disclosures to public health agencies without written authorization. Section 3221 does not change this (the law does allow for disclosures of de-identified SUD information to public health agencies, but that arguably was already permitted under existing law). The exception permitting disclosures for purposes of emergency treatment, however, remains in the statute, so that hospitals treating COVID-19 patients that believe past SUD treatment may be relevant to emergency care for COVID-19 patients may access SUD information under this exception. The Substance Abuse and Mental Health Services Administration (SAMHSA) emphasized this exception in recent guidance, noting that it is up to providers—not SAMHSA—to determine whether a medical emergency exists.
Section 3221 also says that it is the sense of Congress that “any person treating a patient through a program or activity [subject to the SUD Confidentiality Law] is encouraged to access the applicable State-based prescription drug monitoring program when clinically appropriate.” In other words, SUD programs that provide drugs such as methadone are encouraged to check to make sure that their patients have not been prescribed substances such as benzodiazepines that have dangerous interactions with one another. But the law provides no mechanism for other providers, such as primary care physicians, to obtain information on drugs prescribed or administered by an SUD program if the patient has not provided written consent.
The CARES Act adds a nondiscrimination provision to the SUD Confidentiality Law. In particular, it prohibits any entity that receives SUD records subject to the law from engaging in discrimination based on SUD status in regard to the provision of healthcare, employment, worker’s compensation, the availability of housing, access to courts or publicly funded benefits. The change is intended to provide an additional privacy protection to those with SUDs.
The statute says that the Department of Health and Human Services (HHS) “shall make such revisions to regulations as may be necessary for implementing and enforcing the amendments made by this section, such that such amendments shall apply with respect to uses and disclosures of information occurring on or after the date that is 12 months after the date of enactment of this Act.” This appears to mean that HHS will not recognize these statutory changes until one year after enactment of the CARES Act, that is, until March 27, 2021.
While the revised SUD Confidentiality Law marks an important shift, there are still key open questions regarding the statute:
- What will happen if SUD providers continue to use narrowly written consent forms? If a patient signs a form that allows for disclosures only to health insurer X, for example, can the patient’s information be sent to other covered entities not named on the form, such as the patient’s primary care physician? Such disclosures would be consistent with the language of Section 3221, but not the consent form itself.
- How will SUD providers communicate consent revocations to recipients of SUD information?
- How will HHS exercise its discretion to enforce this law? Will it take the same approach to enforcement as it does with HIPAA, or will another framework be applied?
- Will SAMHSA remain the agency responsible for issuing guidance regarding the SUD Confidentiality Law? Or will HHS seek to shift this responsibility to the Office of Civil Rights, the agency that enforces HIPAA, now that the SUD Confidentiality Law incorporates many HIPAA requirements?
- How actively will HHS enforce the nondiscrimination requirement? Will it seek to bring cases against organizations outside the healthcare system, such as employers and housing providers?
- Can providers and other organizations act on some of the statutory changes immediately, despite the fact that new regulations will not take effect until March 2021?
HHS will need to address these and other questions in regulations or guidance.
After years of the opioid crisis and a month of the COVID-19 epidemic, Congress has acted to change the SUD Confidentiality Law. Congress left intact the requirement that SUD providers typically must obtain patients’ written consent in order to disclose their SUD information. But other changes to the law—primarily relaxing requirements related to redisclosures of such information and changes in enforcement—may eventually lead to critical changes in the way that SUD information is shared. These changes will not be felt immediately, but could have a lasting impact on the privacy of those with substance use disorders.