Editor’s Note: Privacy is among the many areas of our lives that COVID-19 is radically changing. While some new developments are short-term solutions to help us navigate the immediate impacts of this unprecedented crisis, others will bring lasting change that will affect us long after the pandemic recedes.
In our recent CLE-eligible webinar, Manatt Health explored the range of legal changes to healthcare privacy that the COVID-19 pandemic is driving, including both immediate effects and long-term consequences. We examined how COVID-19 is reshaping our privacy laws, standards and obligations, today and tomorrow. During the program, we received so many excellent questions from participants that we did not have time to address them all. Below are some of those questions, with the responses from our presenters.
Q1: Do the new substance use disorder privacy requirements in the CARES Act apply to all providers or only to substance use disorder facilities?
A1: Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act did not change the scope of providers that are subject to the requirement to obtain written patient consent before disclosing substance use disorder (SUD) information. Currently, not all providers of SUD services are subject to the Part 2 regulations. A provider is subject to Part 2 only if the provider is federally assisted and “holds itself out” as a provider of SUD services. Many providers that treat some SUD patients but do not advertise their SUD services—such as hospital emergency rooms—are therefore not directly subject to 42 CFR Part 2 (although they may be subject to limitations on re-disclosures if they receive Part 2 information).
This framework could remain in place going forward. However, it is also possible that when HHS revises the Part 2 regulations, it will reconsider what providers are subject to the written consent requirement.
Importantly, however, there are some provisions of Section 3221 that extend beyond SUD providers. The new anti-discrimination provision applies broadly to all entities, and therefore could be enforced with regard to providers that are not SUD facilities. Moreover, all covered entities will need to amend their notice of privacy practices to describe the protections that apply to SUD information.
Q2: Is there any flexibility in providing SUD clinical data to a managed care organization (MCO) under the new CARES Act provision?
A2: Section 3221 of the CARES Act still requires SUD providers who are subject to the statute to obtain written consent before disclosing their patient information to an MCO, even if the disclosure is for purposes of obtaining payment, treatment or healthcare operations (e.g., assisting the MCO in conducting care management for the patient). The statute, however, does give more flexibility to MCOs regarding their uses and re-disclosures of that data, as it suggests that an MCO can use or disclose that data without obtaining further consent of the patient so long as the use or disclosure is for purposes of treatment, payment or healthcare operations, and the patient has not revoked consent.
Q3: Regarding HHS enforcement of 42 CFR Part 2, do you imagine more self-reporting of disclosures and more fines, consistent with how the Health Insurance Portability and Accountability Act (HIPAA) has enforced other breaches?
A3: One potential impact of Section 3221 of the CARES Act is that SUD providers are more likely to be subject to civil monetary penalties for the disclosure of SUD information in a manner that violates 42 CFR Part 2. Currently, the federal government generally does not impose fines for Part 2 violations. HHS will now have the authority to impose civil monetary penalties.
A key question is how HHS will approach fines in cases where the provider violated Part 2 but complied with HIPAA. HIPAA violations might occur in cases where a covered entity is subject to a data breach or where the covered entity makes a disclosure that is clearly inconsistent with patient privacy, such as accidentally making a public disclosure of protected health information. However, in many cases a Part 2 violation could occur where disclosures are made for purposes of payment, treatment or healthcare operations, but either the entity failed to document written consent or the consent form used did not meet all Part 2 requirements. It is possible that HHS will provide more leniency in cases where a covered entity complied with HIPAA.
Another issue regarding enforcement of Part 2 is which agency will be responsible for the SUD regulations going forward. The Substance Abuse and Mental Health Services Administration (SAMHSA) has promulgated the Part 2 regulations. But now that the CARES Act aligns the SUD confidentiality statute with HIPAA in many respects, including with regard to enforcement, it is possible that the authority to revise the Part 2 regulations may be shifted to the HHS Office for Civil Rights (OCR). Alternatively, SAMHSA may still issue the Part 2 regulations, but OCR could be responsible for enforcing them. The decision of which agency will revise the regulations will impact how the new statutory changes are ultimately enforced.
The level of funding for enforcement is another key issue. The CARES Act contains no appropriation for increased enforcement of 42 CFR Part 2. Even if OCR has the authority to levy fines for Part 2 violations, it may rarely do so in practice if it lacks the staff to monitor Part 2 compliance.
Q4: Can a funder require a Community Based Organization (CBO) to release client information to them due to the COVID-19 public health emergency?
A4: A CBO’s obligations depend on whether the CBO is subject to HIPAA. Some CBOs are covered entities. Others are business associates of covered entities. If a CBO is not subject to HIPAA, then its privacy practices will depend on what it has promised to its clients (in the form of a privacy bill of rights, for example), its contractual obligations and other privacy laws that may apply to the CBO’s conduct.
If a CBO is a covered entity subject to HIPAA, it may comply with a funder’s request for protected health information if the data is being disclosed for purposes of treatment, payment or healthcare operations; the funder must be a covered entity or healthcare provider depending on the specific purpose. Disclosure is also permitted for limited other purposes (e.g., if the funder is a public health authority requiring disclosures for public health purposes). Whether the CBO is obligated to respond to that request depends on the terms of the agreement between the CBO and the funder, as well as any laws that may mandate disclosure.
If a CBO is a business associate of a covered entity, its obligations to disclose protected health information will depend on the terms of its business associate agreement.
Q5: Are there any HIPAA waivers or modifications for disclosures to family members? For example, I have a client who wants to speak with his mother’s health insurance. His mother did not sign a HIPAA form and does not have capacity to do so now.
A5: None of the notices of enforcement discretion issued so far apply to disclosures of protected health information (PHI) by health plans. Thus, to the extent a family member seeks PHI from a patient’s health plan, the requirements at 45 CFR 164.510(b) would govern.
Under Section 1135 of the Social Security Act, HHS has waived the requirement for hospitals operating under disaster protocols to comply with HIPAA requirements regarding disclosures to family members, although a hospital can only use this waiver during the 72-hour period after the hospital has implemented a disaster protocol. In addition, OCR’s notice of enforcement discretion governing telehealth applies to providers operating telehealth services and applies to all of the HIPAA privacy rule, including 45 CFR 164.510(b) regarding family member disclosures. If a provider seeks to disclose PHI to a family member and if such disclosure is necessary for a telehealth encounter, then the provider may do so if the provider complies with the terms of the notice of enforcement discretion, including the requirement to act in good faith.
Q6: How will interoperability rules impact contact tracing apps?
A6: The new interoperability rules issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator (ONC) have not yet taken effect. The earliest the information blocking provisions of the ONC rule could go into effect is November 1, 2020, and the requirement of health plans to implement application programming interfaces (APIs) to exchange patient data will not take effect until July 1, 2021.
However, if contact tracing apps are in use when those rules are in effect, then these rules will encourage the provision of patient data to these apps. For example, health information exchanges potentially could engage in information blocking if they decline to share their data with these apps upon the request of a patient, and therefore may make disclosures to contact tracing apps in such a situation in order to avoid an information blocking penalty. Similarly, health plans would need to make their patient data available to these apps via APIs after July 1, 2021. The interoperability rules therefore could make it easier for contact tracing apps to obtain needed health information.
Q7: Regarding contact tracing, does it look like privacy protections will be solely or primarily subject to the app providers’ terms of service, or is further regulatory action anticipated by the Federal Trade Commission (FTC) or others?
A7: Assuming that the app is not acting as a business associate and therefore is not subject to HIPAA, the app provider’s terms of service are likely to be the primary restriction on uses and disclosures by such apps. Those terms of service can be enforced by the FTC, which can take action if it determines that the companies behind those apps engaged in unfair or deceptive practices.
While it is possible that states could adopt legislation that regulates these apps, they may not have time to enact such legislation before these apps proliferate. Likewise, it may be difficult for the FTC to issue regulations governing these apps in a timely manner. It may be more feasible for the FTC to issue guidance to these app developers on recommended privacy practices, rather than going through a notice and comment process.