Sign In
  • May 14, 2020

    Top 10 Takeaways from CARES Act Revisions to Substance Use Disorder Record Protections

    The recently-enacted CARES Act made several amendments to the law governing the confidentiality protections afforded to substance use disorder records. Stephane Fabus discusses the top 10 changes and offers advice on how providers should prepare before the changes become effective in 2021.

    Stephane P. Fabus

    The president signed the Coronavirus Aid, Relief, and Economic Security (CARES) Act into law on March 27, 2020.

    Among its many provisions are significant modifications to the Public Health Services (PHS) Act,1 which contains the federal confidentiality protections currently afforded to substance use disorder (SUD) records.

    The Substance Abuse and Mental Health Services Administration (SAMHSA) will need to incorporate these changes into its regulations contained at 42 C.F.R. Part 2 (Part 2) through the standard rulemaking process, so it is yet to be seen how these changes will be implemented and enforced against SUD treatment programs subject to Part 2 (Part 2 programs).

    Stephane Fabus Stephane Fabus, Marquette 2012, is an associate with Hall, Render, Killian, Heath & Lyman, PC in Milwaukee, where she focuses her practice on assisting health care clients in a wide range of areas.

    This article intends to preview the forthcoming changes, though such changes will not be effective until March 27, 2021, in order to assist providers in readying themselves for compliance.

    1) Uses and disclosures for treatment, payment, and health care operations purposes in accordance with Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) will be permitted on an ongoing basis after initial patient consent and until consent is revoked.

    The CARES Act modifies PHS Act provisions to provide that once prior written consent of the patient has been obtained, SUD records may be used or disclosed by a covered entity, business associate, or a Part 2 program for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.

    Importantly, the CARES Act clarifies that the patient’s prior written consent need only be obtained once for all future uses or disclosures for treatment, payment, and health care operations purposes, but that the patient has the right to revoke such consent in writing. Terms used, such as covered entity, business associate, treatment, payment, and health care operations, have the same definitions as provided by HIPAA.

    Information disclosed for treatment, payment and health care operations purposes may be redisclosed in accordance with the HIPAA regulations, instead of requiring the standard Part 2 prohibition on redisclosure.

    2) De-identified SUD record information may be disclosed to public health authorities without patient consent.

    The CARES Act adds language to the PHS Act expressly permitting the disclosure of de-identified SUD record information to public health authorities so long as the de-identification process conforms to the HIPAA standards.

    3) SUD records may not be used in criminal, civil, or administrative contexts without a valid court order or patient consent.

    The CARES Act expands the current language in the PHS Act regarding the limited use of SUD records in criminal proceedings to prohibit the use or disclosure of SUD records, or testimony relaying the information contained therein, in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority, against a patient, absent an appropriate court order or the patient’s written consent. This includes:

    • not entering such information into evidence in any criminal prosecution or civil action;

    • such information not forming part of the record for decision or otherwise being taken into account in any proceeding before a government agency;

    • not using such information for law enforcement purposes or conducting any law enforcement investigation; and

    • not using such information in any application for a warrant.

    4) The penalties for violating the SUD record confidentiality provisions will be aligned with HIPAA’s penalties.

    While violations of the SUD confidentiality provisions were previously subject to the criminal penalty provisions under Title 18 of the U.S. Code, the CARES Act modifies the PHS Act to now make violations subject to the penalty provisions set forth in sections 1176 and 1177 of the Social Security Act. This means that violations of the SUD record confidentiality provisions will now be subject to the same penalty structure as applies to violations of HIPAA, including the tiered approach based on culpability.2

    5) The HIPAA Breach Notification Rule applies to all SUD records.

    The CARES Act requires that any breach of unsecured SUD record information be reported in accordance with HIPAA’s requirements, whether or not a Part 2 program is otherwise subject to HIPAA. This would include notification by qualified service organizations to Part 2 programs and notification by Part 2 programs to individuals, the media, and the government, unless subject to a law enforcement delay.

    6) Updates to HIPAA’s notice of privacy practices regulations forthcoming to assist Part 2 programs in providing proper patient notice.

    The CARES Acts directs that the provisions of HIPAA regarding issuance of a notice of privacy practices be updated to assist Part 2 programs in notifying patients of their rights and the program’s privacy practices with respect to SUD records.

    7) New provisions extend broad protections to individuals against discrimination based on their SUD diagnosis or treatment.

    The CARES Act adds a new section to the PHS Act prohibiting both Part 2 programs and other types of entities from discriminating against an individual on the basis of information received pursuant to an inadvertent or intentional disclosure of SUD records, or information contained in such records, with respect to:

    • admission, access to, or treatment for health care;

    • hiring, firing, or terms of employment, or receipt of worker’s compensation;

    • the sale, rental, or continued rental of housing;

    • access to federal, state, or local courts;

    • access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local governments; or

    • with respect to recipients of federal funds, affording access to the services provided with such funds.

    8) Congress provided a statement of its “sense” with respect to state-based prescription drug monitoring programs (PDMPs).

    In the CARES Act, Congress also took the opportunity to discuss its sense with respect to Part 2 programs and state-based PDMPs. While not creating new obligations, these provisions were meant to provide a statement of Congress’s understanding of the current state with respect to Part 2 programs and PDMPs. Congress provided that, while any person treating a patient through a Part 2 program is encouraged to access the applicable state-based PDMP when clinically appropriate, Part 2 programs are limited in their ability to upload data into such repositories.

    Additionally, patients have the right to request a restriction on the use or disclosure of SUD records for treatment, payment, or health care operations purposes and covered entities should make every reasonable effort to the extent feasible to comply with a patient’s request for such a restriction. Therefore, data in such state-based PDMP databases may not always be accurate or complete. Obviously, PDMPs are better able to fulfill their purpose when data is complete and accurate.

    Congress provided that its sense is that Part 2 programs should receive positive incentives for discussing with their patients the benefits of consenting to share such records with PDMPs (including those related to the patient’s own health and safety). It is possible there may be future guidance regarding Part 2 programs and PDMPs to further address these considerations.

    9) All Part 2 programs should prepare to take advantage of the expanded allowance for treatment, payment and health care operations uses and disclosures.

    Part 2 programs will want to prepare to take advantage of the expanded allowances for treatment, payment and health care operations uses and disclosures, which have often posed a hurdle. This might include updating notices of privacy practices, consent documents and enrollment or admittance policies and procedures to address these changes. SAMHSA will likely issue additional guidance or regulatory changes regarding the new one-time consent requirement and the changes to the prohibitions on redisclosure as it applies to treatment, payment and health care operations disclosures.

    10) Part 2 programs that do not currently qualify as HIPAA covered entities will now likely be subject to certain requirements under HIPAA and the HITECH Act, regardless of their status as a covered entity.

    Because many of the CARES Act amendments do not deviate significantly from existing Part 2 and HIPAA requirements, the practical impact on many Part 2 programs that are also HIPAA covered entities will be somewhat limited in nature.

    However, Part 2 programs that are not presently covered entities will need to assess and prepare for compliance with CARES Act provisions that potentially extend the requirements of HIPAA and the HITECH Act to all Part 2 programs, regardless of their covered entity status. This includes breach notification requirements for the impermissible disclosure of unsecured SUD records, issuance of a compliant notice of privacy practices, and compliance with patient-requested restrictions and accountings of disclosure requirements, particularly with respect to treatment, payment and health care operations disclosures.

    Therefore, non-covered entity Part 2 programs should begin reviewing current policies and procedures to ensure that they are able to comply with HIPAA’s requirements with respect to these obligations when the changes become effective, in addition to those set forth in Part 2 and any applicable state law.

    Recommendation: Compliance Evaluation Needed

    Because additional regulations enacting these amendments are forthcoming by March 27, 2021, their impact at this point is not fully known. While awaiting regulations, all Part 2 programs should evaluate their current policies and procedures and assess their current status under applicable laws to determine how best to prepare for compliance.

    All entities within and without the health care sector need to be aware of the prohibition on discrimination with respect to individuals based on their status as an SUD patient, and take action to ensure compliance.


    1 42 U.S.C. 290dd-2.

    2 HIPAA’s tiered penalty approach based on culpability is as follows, with the initial statutory amounts shown updated annually based on inflation:


    Minimum penalty per violation

    Maximum penalty per violation

    Annual Limit

    No Knowledge




    Reasonable Cause




    Willful Neglect - Corrected




    Willful Neglect - Not Corrected



    $1.5 million


    Need help? Want to update your email address?
    Contact Customer Service, (800) 728-7788

    Health Law Section Blog is published by the State Bar of Wisconsin; blog posts are written by section members. To contribute to this blog, contact Kristen Nelson and review Author Submission Guidelines. Learn more about the Health Law Section or become a member.

    Disclaimer: Views presented in blog posts are those of the blog post authors, not necessarily those of the Section or the State Bar of Wisconsin. Due to the rapidly changing nature of law and our reliance on information provided by outside sources, the State Bar of Wisconsin makes no warranty or guarantee concerning the accuracy or completeness of this content.

    © 2024 State Bar of Wisconsin, P.O. Box 7158, Madison, WI 53707-7158.

    State Bar of Wisconsin Logo

Join the conversation! Log in to leave a comment.

News & Pubs Search

Format: MM/DD/YYYY