The Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”),  signed into law March 27, 2020, significantly overhauls the federal law that governs the confidentiality of substance use disorder (“SUD”) records at 42 U.S.C. §290dd-2, commonly referred to as “Part 2.” While much remains to be seen in terms of rulemaking, the new SUD confidentiality law furthers the movement to interoperability, which has become increasingly important in today’s electronic and integrated health care system, while attempting to balance the sensitivity of SUD records and the risk to patients of impermissible disclosures. Whether this new approach goes far enough in either direction is still unclear at this point, and much will depend on rules promulgated by the Substance Abuse and Mental Health Services Administration (SAMHSA).
The changes are of great significance as SAMHSA has promulgated three proposed and two final rules in the last four years.  Almost without fail, in response to comments to align Part 2 with HIPAA, SAMHSA has pointed to Congress, reminding stakeholders that regulations are bound by statutory requirements. Despite several proposed statutory amendments over the past three years and hours of public testimony, Congress has not amended the law — until now.
The changes to the SUD confidentiality law are effective immediately, with implementing regulations to come sometime in 2020 or first quarter 2021.
Partial Alignment with HIPAA
The most significant change to the SUD confidentiality law imposed by the CARES Act, both from a policy and practical perspective, is to more closely align the underlying statute with the privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Under the prior law, the identity, diagnosis, prognosis, or treatment of any patient maintained by a Part 2 program in association with SUD treatment, rehabilitation, or research could be disclosed consistent with the patient’s written consent, but only as allowed under the Part 2 regulations at 42 C.F.R. Part 2. The Part 2 regulations required, with narrow exceptions, separate patient consent each time records were disclosed to a new entity, since the name of the recipient entity and, in some instances, the name of the recipient individual or a general designation of individuals, had to be included on the patient consent form. Unlike HIPAA, neither the previous law nor the implementing regulations contained a broad exception for treatment, payment, or health care operations (“TPO”), so every disclosure, with limited exceptions, even if related to continuity of care or obtaining payment for treatment, required specific consent.
The CARES Act replaces the consent requirements in Part 2. While still requiring patient consent, this new consent provision provides that, once consent has been obtained, the contents of the record may be used or disclosed by a covered entity, business associate, or a Part 2 program “for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.”  The law further states that a patient’s one-time Part 2 written consent will be sufficient “for all such future uses or disclosures for purposes of treatment, payment, and health care operations,” unless the patient restricts redisclosure, and the consent will apply until the patient revokes it in writing. Information disclosed for TPO may be redisclosed pursuant to the HIPAA regulations, but subject to certain restrictions required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. 
While the new law allows disclosure of Part 2 records for TPO with patient consent, it does not outline the required elements of a Part 2 consent. HIPAA permits but does not require consent for use and disclosure for TPO, and in practice, most health care providers do not obtain consent for TPO uses and disclosures. For uses and disclosures that require an authorization under HIPAA, such as to a patient’s school or employer, HIPAA’s Privacy Rule outlines the required elements of a valid HIPAA-compliant authorization.  Although the new SUD consent law does not provide details regarding what will constitute a valid Part 2 consent, the HIPAA authorization is arguably the closest comparator, and it is feasible that SAMHSA will model the Part 2 consent on the HIPAA authorization. The elements of a HIPAA-compliant authorization include a description of the records to be used or disclosed, a specific individual or class of persons authorized to make such use or disclosure, a specific individual or class of persons to whom the covered entity may make the disclosure, an expiration date, and a description of the purpose for which the information may be used or disclosed. The HIPAA regulations also require certain language protective of the patient, such as a warning that records disclosed pursuant to the patient’s authorization may no longer be protected under federal law, and a reminder of the patient’s right to revoke such authorization in writing. 
It is important to note that the new SUD confidentiality law does not totally align Part 2 with HIPAA. Like HIPAA, it allows for the use and disclosure of SUD records for TPO, but unlike HIPAA, it requires patient consent for such use and disclosure. In fact, the original statutory exceptions that allowed for disclosure absent the patient’s consent — in the event of a medical emergency, for research and audits, and pursuant to court order — still apply, though disclosure for medical emergencies and most audits would otherwise fit under HIPAA’s treatment and health care operations exceptions.
Other changes that bring Part 2 closer to HIPAA include a new exception for disclosures to a public health authority, as long as such disclosure meets HIPAA’s de-identification standards at 45 C.F.R. section 164.514(b). The law also requires the Secretary of Health and Human Services (“HHS”) to update HIPAA regulations to require references to Part 2 records in a covered entity’s notice of privacy practices.
Additional Key Statutory Changes
A consistent voice in the public discourse over the past several years as our nation has struggled with the growing opioid epidemic is that of patients and their advocates, who argue that liberal disclosure, including alignment with HIPAA, will harm those seeking SUD treatment. They argue that weakening the protections of Part 2 will result in fewer patients seeking treatment, with extreme consequences such as discrimination in housing, employment, health care, and in the receipt of social and legal services. In recognition of these risks, in addition to requiring consent for TPO uses and disclosures, the new SUD confidentiality provision reinforces its prohibition on the use of SUD records in criminal contexts, adds antidiscrimination provisions, revises the penalty structure, and imposes breach notification requirements, as further outlined below.
Use of Records in Criminal Contexts
The prohibition on use for criminal, civil, and administrative contexts restates that disclosure in such contexts may only occur pursuant to court order, as outlined in the statute. The new law doubles down on this prohibition by explicitly stating that records (including testimony relaying information contained in records) may not be entered into evidence in any criminal prosecution or civil action; may not form part of the record for decision or otherwise be considered in any proceeding before a federal, state, or local agency; may not be used by federal, state, or local agencies for law enforcement purposes or to conduct a law enforcement investigation; and may not be used in any application for a warrant. 
The antidiscrimination provision prohibits discrimination on the basis of information received unintentionally or intentionally in the provision of health care; in relation to employment, including receipt of worker’s compensation; in housing; in access to the courts of any jurisdiction; and in the provision of social services and government benefits.  Moreover, no recipient of federal funding shall discriminate against an individual on the basis of records disclosed intentionally or unintentionally in accessing services provided by such funds. 
Elimination of Criminal Fines
Unlike HIPAA, the Part 2 rules have historically carried criminal fines, as the penalties outlined in the enabling statute were tied to the criminal code of the United States Code at Title 18. The revised penalties provision deletes the reference to criminal fines under Title 18 and aligns penalties with HIPAA.  While civil monetary penalties under HIPAA are frequently significant, often millions of dollars for egregious violations, the elimination of a criminal fine represents a significant relief valve for compliance and privacy officers concerned about the imposition of criminal fines following a violation of Part 2.
Regulations to Come
Given the sweeping statutory changes, the current regulatory regime for Part 2 is now in flux. Accordingly, the CARES Act mandates that the Secretary of HHS shall make revisions to the Part 2 regulations to implement and enforce the statutory changes, such regulations to be effective no later than March 27, 2021. In the meantime, entities subject to Part 2 will be in a twilight period, since the statutory changes go into effect immediately, but the current regulations remain in place. Some providers may elect to take a conservative approach and continue to follow the current Part 2 regulatory requirements in relation to patient consent until the new regulations are promulgated, particularly given that the CARES Act does not make clear what elements of a patient consent form will be required under this new statutory regime. However, given the clear Congressional mandate to better align Part 2 with HIPAA, many providers may elect to rely on the law immediately given the operational challenges associated with managing Part 2 records.
 Coronavirus Aid, Relief, and Economic Security Act, Pub. L. No. 116-136, 134 Stat. 281 (March 27, 2020) (“CARES Act”).
 (Proposed: 81 FR 6988; 84 FR 44566; 84 FR 44568); (Final: 82 FR 6052; 83 FR 239)
 42 U.S.C. § 290dd-2; see also Confidentiality of Substance Use Disorder Records, 42 C.F.R. Part 2 (2017).
 42 C.F.R. § 2.33
 Exceptions include, but are not limited to, disclosures to entities having direct administrative control over a Part 2 program, communications between a Part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to the program, and disclosures necessary to meet a bona fide medical emergency in which patient informed consent cannot be obtained. 42 C.F.R. §§ 2.12(c), 2.51.
 CARES Act.
 Specifically, the new law requires that the patient must be allowed to limit disclosures to a health plan for payment or health care operations purposes if the provider has been paid out of pocket in full, and must have certain rights to an accounting of disclosures if the covered entity maintains an electronic health record.
 42 C.F.R. § 164.508.
 CARES Act.