CARES Act Overhauls Federal Law Governing Privacy of Substance Use Disorder Treatment Information


By: Jason Gregoire

April 21, 2020

In 1975, Congress enacted a law (42 U.S.C. § 290-dd2) and corresponding regulations (42 C.F.R. Part 2) to protect the confidentiality of substance use disorder (“SUD”) treatment records known colloquially as “Part 2”.  For 45 years, Part 2 has required SUD treatment programs—and anyone receiving SUD records—to follow strict rules when using, disclosing, and re-disclosing these records.  Although Part 2 was passed to ensure those with SUDs are not discriminated against based on the stigma associated with receiving SUD treatment, Part 2 has not aged well given significant advances in technology and health care delivery.  While Part 2 was amended in 2017 and 2018, the amendments were relatively minor and did not do what many requested—align Part 2 with the less stringent rules for use and disclosure of garden-variety health information in the Health Insurance Portability and Accountability Act (“HIPAA”).

In recent years, bills have been introduced in Congress to align Part 2 with HIPAA and remove barriers presented by Part 2’s restrictive consent requirements.  Many have complained that Part 2 is overly restrictive, prohibits a truly integrated health system, and prevents providers from treating the “whole patient.”  In response to the COVID-19 pandemic, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), which significantly overhauls Part 2 and relaxes existing confidentiality standards.

The key provisions of the CARES Act Part 2 amendments (“CAAs”) are described below.  The CAAs amend 42 U.S.C. § 290dd-2, not the regulations codified at 42 C.F.R. Part 2.  Congress gave the U.S. Department of Health and Human Services (“HHS”) until March 27, 2021 to promulgate revised Part 2 regulations, and the CAAs are not effective until that time.  Consequently, until March 2021, Part 2 continues to apply in its current form. It bears noting, however, that all Part 2 programs should evaluate these amendments now and consider how their internal operations may be affected.

Consent – Disclosures for Treatment, Payment and Operations

Under HIPAA, covered entities such as health care providers and health plans may disclose a patient’s protected health information (“PHI”) for treatment, payment, and health care operations purposes without obtaining prior patient consent.  The rationale is that these disclosures are likely expected and encouraged by patients.  For example, a primary care doctor can disclose a patient’s medical records to a specialist, or the patient’s health insurer, without patient consent.  This broad HIPAA exception authorizes many disclosures of PHI.

Unlike HIPAA covered entities, SUD treatment programs subject to Part 2 (“Part 2 Programs”) are currently required to obtain a separate written patient consent in order to disclose treatment records for treatment, payment, operations, and nearly every other purpose.  For some disclosures, the patient must list the name of the individual person authorized to receive the SUD records once disclosed (e.g., “Josh Smith, Program Coordinator at the Coos County Drug Court”).  This onerous requirement has been a significant administrative burden for treatment programs and has prevented some providers from using health information exchanges or engaging in necessary care coordination and population health initiatives.

The CAAs amend Part 2 to allow a one-time patient consent for all future treatment, payment, and operations disclosures and re-disclosures by Part 2 Programs, covered entities, and business associates (contractors who have a need to obtain PHI in the course of their work).  This change is, by far, the most significant in the CAAs and in Part 2’s history.  Although patient consent is still required, a single patient consent at the start of treatment for all treatment, payment, and operations disclosures is far better than having to obtain separate written consents for each disclosure.  As a safeguard, the CAAs allow patients to revoke this consent at any time.  It is unclear how DHHS will revise the current consent requirements in 42 C.F.R. § 2.31 in order to effectuate this change.

Incorporation of HIPAA Provisions into Part 2

Part 2 is distinct from HIPAA in many ways.  For one thing, Part 2 does not use the same definitions or terminology as HIPAA.  For example, Part 2 refers to “Part 2 Programs”, not “Covered Entities.”  However, the CAAs import several HIPAA definitions and concepts into Part 2 as described below.

  • Terminology: Because the CAAs attempt to bring Part 2 into closer alignment with HIPAA, these amendments amend Part 2 to use defined terms from HIPAA such as “Covered Entity”, “Breach”, “Treatment”, “Business Associate”, and more.
  • Breach Notification: Part 2 does not currently require breach notification in the event a Part 2 Program (not otherwise covered by HIPAA) breaches a patient’s privacy by improperly using or disclosing health information. The CAAs incorporate the HIPAA Breach Notification Rule into Part 2 and require Part 2 Programs to notify patients and others of breaches in the same manner as required under HIPAA.
  • Notice of Privacy Practices: Part 2 currently requires treatment programs to provide patients with a brief notice of confidentiality rights at the start of treatment. The required elements of this notice pale in comparison to the detailed requirements of HIPAA’s Notice of Privacy Practices.  The CAAs require Part 2 Programs to distribute and post a Notice of Privacy Practices that satisfies HIPAA requirements.  This notice describes for patients the manner in which their PHI may be used and disclosed during and following treatment.
  • Accounting of Disclosures: Under HIPAA, patients can request a list (“accounting”) of certain uses and disclosures of their PHI by HIPAA covered entities. Part 2 has no analogous requirement.  The CAAs require Part 2 Programs to provide HIPAA-style accountings to patients.  Importantly, these accountings need to specify disclosures made for treatment, payment, and operations as well as other purposes.
  • Penalties: Part 2 is currently a criminal statute enforced by local United States Attorney’s Offices. A violation of Part 2 currently subjects a Part 2 program to criminal fines and penalties under Title 18 of the U.S. Code.  The CAAs change the enforcement structure entirely and make Part 2 violations subject to HIPAA’s primarily civil penalties structure.  It is unclear whether HHS will transition enforcement authority in next year’s regulations from local US Attorney’s Offices to the HHS Office of Civil Rights, the HIPAA enforcement authority.
  • Non-Discrimination: Given that Part 2’s original purpose was to prevent discrimination against those seeking or who have obtained SUD treatment, the CAAs include a comprehensive non-discrimination provision that makes it a violation of federal law to discriminate against someone in employment, housing, benefits, access to healthcare, and more based on the patient being in, or having obtained, SUD treatment.
  • Disclosures of De-Identified Information to Public Health Authorities: The COVID-19 pandemic has revealed there is no clear mechanism for Part 2 Programs to disclose necessary information to public health authorities. Therefore, the CAAs permit Part 2 Programs to disclose de-identified PHI to public health authorities such as the Centers for Disease Control and local health departments.  Because the CAAs do not take effect until March 2021, this provision does not apply to COVID-19 related disclosures between now and then.


The CAAs, once in effect, will materially change Part 2.  Although many have applauded Congress’s bold actions, others are not pleased with what they see as the degradation of time-tested confidentiality protections for a vulnerable population.  Until HHS promulgates the required regulations next year, it remains to be seen how these legislative changes will be implemented and what steps Part 2 programs, covered entities, business associates and others will need to take to ensure compliance.