CLIENT ALERT: Patient Confidentiality and the CARES Act

By Published On: April 8, 2020

On March 27, 2020, the President signed the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, which is aimed at addressing the COVID-19 pandemic through over $2 trillion in spending on public health, immediate and direct cash relief for individual citizens, a small business lending program, and targeted relief for certain severely affected industries.

The CARES Act includes significant amendments to federal confidentiality laws and regulations and requires the Secretary of Health and Human Services (HHS) to issue revised regulations to 42 CFR Part 2 and to revise certain parts of the HIPAA Rules.  While the CARES Act includes timeframes for HHS to issue these revised regulations, it is unclear whether they will be released along with other changes to Part 2 and HIPAA expected this year.

Below is a summary of the key amendments under the CARES Act:

  1. Consent: After signing an initial written consent, a patient’s Part 2-protected records may be used or disclosed by a Part 2 Program, covered entity, or business associate for purposes of treatment, payment, and health care operations as permitted by the HIPAA Rules, except that health care operations shall not include creating de-identified health information or a limited data set, or fundraising.  A patient’s written consent may be given once for such future uses and disclosures, until the patients revokes their consent in writing. Patients may request an accounting of disclosures and request restrictions on the use and disclosure of their information, as permitted by the HIPAA Rules.
  2. Disclosures to Public Health Authorities: De-identified information may be disclosed to public health authorities.  Such information must meet the standards under 45 CFR §164.514(b) which require either: (1) an appropriately knowledgeable and experienced individual apply generally accepted statistical and scientific principles and methods to determine (and document) that the risk of reidentification is very small; or (2) the covered entity to remove the 18 identifiers listed at 45 CFR §164.514(b)(2)(i) and to have no actual knowledge that reidentification of the patient information is possible.
  3. Disclosures in Criminal, Civil, or Administrative Investigations, Actions or Proceedings: Disclosure of Part 2-protected records or testimony relaying information in such records for criminal, civil, or administrative investigations, actions, or proceedings may only be authorized by a court order or with the consent of the patient.
  4. Antidiscrimination: Entities are prohibited from discriminating against an individual on the basis of Part 2-protected information received either intentionally or inadvertently in providing or providing access to health care, employment and worker’s compensation, housing, courts, or social services and benefits provided by federal, state, or local governments.
  5. Breaches: The HIPAA notification requirements and penalties for breaches apply to breaches of Part 2-protected information.

For now, health centers must continue to comply with the Part 2 regulations (last updated in 2018*) and the HIPAA regulations (last updated in 2013).  The CARES Act states that the Secretary of HHS is to revise the regulations to apply to uses and disclosures of Part 2-protected information on or after March 27, 2021 (12 months after the enactment of the CARES Act) and update the HIPAA notice of privacy practices requirements by no later than March 27, 2021 (one year after the enactment of the CARES Act).

*UPDATE: On July 15, 2020, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued the latest changes to the regulations governing the Confidentiality of Substance Use Disorder Patient Records (“42 CFR Part 2” or “Part 2”). To learn more about the changes under 2020 Final Rule, read our blog post here.

Questions? If you have questions about this Client Alert or other matters, please contact Dianne Pledgie, or call FTLF at (202) 466-8960.