Skip to Content

Proposed Rule

Confidentiality of Substance Use Disorder Patient Records

Document Details

Information about this document as published in the Federal Register.

Enhanced Content

Relevant information about this document from Regulations.gov provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 6988

AGENCY:

Substance Abuse and Mental Health Services Administration (SAMHSA), HHS.

ACTION:

Proposed rule.

SUMMARY:

This proposed rule addresses changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations. This proposal was prompted by the need to update and modernize the regulations. These laws and regulations governing the confidentiality of substance abuse records were written out of great concern about the potential use of substance abuse information against an individual, preventing those individuals with substance use disorders from seeking needed treatment. The last substantive update to these regulations was in 1987. Over the last 25 years, significant changes have occurred within the U.S. health care system that were not envisioned by the current regulations, including new models of integrated care that are built on a foundation of information sharing to support coordination of patient care, the development of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement within the health care system. SAMHSA wants to ensure that patients with substance use disorders have the ability to participate in, and benefit from new integrated health care models without fear of putting themselves at risk of adverse consequences. These new integrated models are foundational to HHS's triple aim of improving health care quality, improving population health, and reducing unnecessary health care costs. SAMHSA strives to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. These concerns include: The potential for loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration. This proposal is also an effort to make the regulations more understandable and less burdensome. We welcome public comment on this proposed rule.

DATES:

To be assured consideration, comments must be received at one of the ADDRESSES provided below, no later than 5 p.m. on April 11, 2016.

ADDRESSES:

In commenting, please refer to file code SAMHSA 4162-20.

Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission.

You may submit comments in one of four ways (to avoid duplication, please submit your comments in only one of the ways listed):

1. Electronically: Federal eRulemaking Portal. You may submit comments electronically to http://www.regulations.gov. Follow the “Submit a comment” instructions.

2. By regular mail. Written comments mailed by regular mail must be sent to the following address ONLY: The Substance Abuse and Mental Health Services Administration, Department of Health and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room 13N02B, Rockville, Maryland 20857.

Please allow sufficient time for mailed comments to be received before the close of the comment period.

3. By express or overnight mail. Written comments sent by express or overnight mail must be sent to the following address ONLY: The Substance Abuse and Mental Health Services Administration, Department of Health and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room 13N02B, Rockville, Maryland 20852.

4. By hand or courier. Written comments delivered by hand or courier must be delivered to the following address ONLY: The Substance Abuse and Mental Health Services Administration, Department of Health and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room 13N02B, Rockville, Maryland 20857.

For information on viewing public comments, see the beginning of the SUPPLEMENTARY INFORMATION section.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Kate Tipping, 240-276-1652, Email address: PrivacyRegulations@samhsa.hhs.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Inspection of Public Comments: ALL COMMENTS received before the close of the comment period are available for viewing by the public, including any personally identifiable and/or confidential information that is included in a comment. We post all comments received as soon as possible after they have been received on the following Web site: http://www.regulations.gov. Follow the search instructions on that Web site to view public comments.

Comments received before the close of the comment period will also be available for public inspection, generally beginning approximately 3 weeks after publication of a document, at the headquarters of the Substance Abuse and Mental Health Services Administration, 5600 Fishers Lane, Rockville, Maryland 20857, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, phone 240-276-1660.

We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and will respond to the comments in the preamble of the final rule.

Effective date of proposed § 2.13(d): As discussed in the preamble, the proposed § 2.13(d) shall not go into effect until two years after the effective date of the final rule.

Table of Contents

To assist readers in referencing sections contained in this preamble, we are providing a table of contents.

I. Executive Summary

A. Purpose

B. Summary of the Major Provisions

C. Summary of Impacts

II. Background

A. Significant Technology Changes

B. Statutory and Rulemaking History

III. Provisions of This Proposed Rule

A. Reports of Violations (§ 2.4)

1. Overview

2. Proposed Revisions

B. Definitions (§ 2.11)

1. Overview

2. Proposed Revisions

a. New Definitions

i. Part 2 Program

ii. Part 2 Program Director

iii. Substance Use Disorder

iv. Treating Provider Relationship

v. Withdrawal Management

b. Existing Definitions

i. Central Registry

ii. Disclose or Disclosure

iii. Maintenance Treatment

iv. Member Program

v. Patient

vi. Patient Identifying Information

vii. Person

viii. Program

ix. Qualified Service Organization

x. Records

xi. Treatment

c. Terminology Changes

C. Applicability (§ 2.12)

1. Overview

2. Proposed Revisions

D. Confidentiality Restrictions and Safeguards (§ 2.13)

1. Overview

2. Proposed Revisions

E. Security for Records (§ 2.16)

1. Overview

2. Proposed Revisions

F. Disposition of Records by Discontinued Programs (§ 2.19)Start Printed Page 6989

1. Overview

2. Proposed Revisions

G. Notice to Patients of Federal Confidentiality Requirements (§ 2.22)

1. Overview

2. Proposed Revisions

H. Consent Requirements (§ 2.31)

1. Overview

2. Proposed Revisions

a. To Whom

i. Overview

ii. Proposed Revisions

b. Amount and Kind

i. Overview

ii. Proposed Revisions

c. From Whom

i. Overview

ii. Proposed Revisions

d. New Requirements

i. Overview

ii. Proposed Revisions

I. Prohibition on Re-disclosure (§ 2.32)

1. Overview

2. Proposed Revisions

J. Disclosures to Prevent Multiple Enrollments (§ 2.34)

1. Overview

2. Proposed Revisions

K. Medical Emergencies (§ 2.51)

1. Overview

2. Proposed Revisions

L. Research (§ 2.52)

1. Overview

2. Proposed Revisions

M. Audit and Evaluation (§ 2.53)

1. Overview

2. Proposed Revisions

IV. Collection of Information Requirements

V. Response to Comments

VI. Regulatory Impact Analysis

A. Statement of Need

B. Overall Impact

1. Direct Costs of Implementing the Proposed Regulations

a. Staff Training

b. Updates to Consent Forms

c. List of Disclosures Costs

d. IT Updates

C. Conclusion

Acronyms

ACO Accountable Care Organization

ABAM American Board of Addiction Medicine

ADAMHA Alcohol, Drug Abuse and Mental Health Administration

ANSI American National Standards Institute

ARRA American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)

ATR Access to Recovery

CCO Coordinated Care Organization

CFR Code of Federal Regulations

CHIP Children's Health Insurance Program

CMS Centers for Medicare & Medicaid Services

DS4P Data Segmentation for Privacy

EHR Electronic Health Record

FAX Facsimile

FDA Food and Drug Administration

FR Federal Register

FWA Federalwide Assurance

HHS Department of Health and Human Services

HIE Health Information Exchange

HIPAA Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191)

HITECH Health Information Technology for Economic and Clinical Health

HL7 Health Level 7

IG Implementation Guide

IT Information Technology

IRB Institutional Review Board

NPRM Notice of Proposed Rulemaking

N-SSATS National Survey of Substance Abuse Treatment Services

OECD Organization for Economic Cooperation and Development

OHRP Office for Human Research Protections

OMB Office of Management and Budget

ONC Office of the National Coordinator for Health Information Technology

PDMP Prescription Drug Monitoring Program

QE Qualified Entity

QSO Qualified Service Organization

QSOA Qualified Service Organization Agreement

RFA Regulatory Flexibility Act

SAMHSA Substance Abuse and Mental Health Services Administration

S&I Standards and Interoperability

TEDS Treatment Episode Data Set

U.S.C. United States Code

VA Department of Veterans Affairs

I. Executive Summary

A. Purpose

This proposed rule would revise title 42 of the Code of Federal Regulations part 2 (42 CFR part 2), Confidentiality of Alcohol and Drug Abuse Patient Records regulations. The authorizing statute (Title 42, United States Code, Section 290dd-2) protects the confidentiality of the identity, diagnosis, prognosis, or treatment of any patient records which are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research. Title 42 of the CFR part 2 was first promulgated in 1975 (40 FR 27802) and last substantively updated in 1987 (52 FR 21796).

The laws and regulations governing the confidentiality of substance abuse records were written out of great concern about the potential use of substance abuse information against individuals, causing individuals with substance use disorders to not seek needed treatment. The disclosure of records of individuals with substance use disorders has the potential to lead to a host of negative consequences including: Loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration. The purpose of the regulations at 42 CFR part 2 is to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment. Under the current regulations, a federally assisted substance use disorder program generally may only release identifiable information related to substance use disorder diagnosis, treatment, or referral for treatment with the individual's express consent. Now over 25 years later, this proposed rule would make policy changes to the regulations to better align them with advances in the U.S. health care delivery system while retaining important privacy protections.

Unless otherwise noted, these changes would be applicable beginning 180 days after the publication of the final rule. If programs that were required to comply with 42 CFR part 2 prior to the effective date of the final rule continue to fall within the scope of 42 CFR part 2 as outlined in the final rule, they would be required to come into compliance with any revised regulations by the effective date of the final rule. However, signed consent forms in place prior to the effective date of the final rule would be valid until they expire. Nonetheless, part 2 programs may update signed consent forms consistent with the final rule, prior to the effective date of the final rule if they so choose. Consents obtained after the effective date would need to comply with the final rule, regardless of whether the consents involve patient identifying information obtained prior to or after the effective date of the final rule.

B. Summary of the Major Provisions

This proposed rule is intended to modernize the 42 CFR part 2 (part 2) rules by facilitating the electronic exchange of substance use disorder information for treatment and other legitimate health care purposes while ensuring appropriate confidentiality protections for records that might identify an individual, directly or indirectly, as having or having had a substance use disorder. To achieve this goal, we propose the following modifications.

We propose, in Section III.A., Reports of Violations (§ 2.4), to revise the requirement for reporting violations of these regulations by methadone programs (now referred to as opioid treatment programs) to the Food and Drug Administration (FDA) because the authority over these programs was transferred from the FDA to Substance Abuse and Mental Health Services Administration (SAMHSA) in 2001.Start Printed Page 6990

In Section III.B., Definitions (§ 2.11), we propose to revise some existing definitions, add new definitions of key terms that apply to 42 CFR part 2, and consolidate all but one of the definitions that are currently in other sections in § 2.11. We propose to revise the definitions of “Central registry,” “Disclose or disclosure,” “Maintenance treatment,” “Member program,” “Patient,” “Patient identifying information,” “Person,” “Program,” “Qualified service organization (QSO),” “Records,” and “Treatment.” We also propose to add definitions of “Part 2 program,” “Part 2 program director,” “Substance use disorder,” “Treating provider relationship,” and “Withdrawal management.” Some of these new definitions replace existing definitions. In addition, we propose to revise the regulatory text to use terminology in a consistent manner.

In Section III.C., Applicability (§ 2.12), SAMHSA proposes to continue to apply the 42 CFR part 2 regulations to a program that is federally assisted and holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment, but, where currently paragraph (1) of the definition of “Program” does not apply to general medical facilities, SAMHSA now proposes that paragraph (1) would not apply to either general medical facilities or general medical practices. The proposed language goes on to clarify that paragraph (2) and (3) of the definition of Program would apply to “general medical facilities” and “general medical practices” under certain conditions. For example, an identified unit within a general medical facility or general medical practice will be subject to part 2 if it holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment, or if the primary function of medical personnel or other staff in the general medical facility or general medical practice is the provision of such services and they are identified as providing such services.

In Section III.D., Confidentiality Restrictions and Safeguards (§ 2.13), SAMHSA proposes to add a requirement that, upon request, patients who have included a general designation in the “To Whom” section of their consent form (see § 2.31) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.

In Section III.E., Security for Records (§ 2.16), SAMHSA proposes to clarify that this section requires both part 2 programs and other lawful holders of patient identifying information to have in place formal policies and procedures addressing security, including sanitization of associated media, for both paper and electronic records.

In Section III.F., Disposition of Records by Discontinued Programs (§ 2.19), we propose to address both paper and electronic records. SAMHSA also is proposing to add requirements for sanitizing associated media.

In Section III.G., Notice to Patients of Federal Confidentiality Requirements (§ 2.22), we propose to clarify that the written summary of federal law and regulations may be provided to patients in either paper or electronic format. SAMHSA also proposes to require the statement regarding the reporting of violations include contact information for the appropriate authorities.

In Section III.H., Consent Requirements (§ 2.31), SAMHSA is proposing to allow, in certain circumstances, a patient to include a general designation in the “To Whom” section of the consent form, in conjunction with requirements that: (1) The consent form include an explicit description of the amount and kind of substance use disorder treatment information that may be disclosed; and (2) the “From Whom” section of the consent form specifically name the part 2 program or other lawful holder of the patient identifying information permitted to make the disclosure. SAMHSA also is proposing to require the part 2 program or other lawful holder of patient identifying information to include a statement on the consent form that the patient understands the terms of their consent and, when using a general designation in the “To Whom” section of the consent form, that they have a right to obtain, upon request, a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13). In addition, SAMHSA is proposing to permit electronic signatures to the extent that they are not prohibited by any applicable law.

In Section III.I., Prohibition on Re-disclosure (§ 2.32), we propose to clarify that the prohibition on re-disclosure only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the part 2 program to be re-disclosed, if permissible under other applicable laws.

In Section III.J., Disclosures to Prevent Multiple Enrollments (§ 2.34), we propose to modernize the terminology and definitions and move the definitions to § 2.11, Definitions.

In Section III.K., Medical Emergencies (§ 2.51), we propose to revise the medical emergency exception to make it consistent with the statutory language and to give providers more discretion to determine when a “bona fide medical emergency” exists.

In Section III.L., Research (§ 2.52), SAMHSA proposes to revise the research exception to permit data protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data if the researcher provides documentation of meeting certain requirements related to other existing protections for human research. SAMHSA also is proposing to address data linkages to enable researchers holding part 2 data to link to data sets from federal data repositories, and is seeking comment on expanding this provision to non-federal data repositories.

We propose, in Section III.M., Audit and Evaluation (§ 2.53), to modernize the requirements to include provisions for governing both paper and electronic patient records. SAMHSA also proposes to permit an audit or evaluation necessary to meet the requirements of a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), under certain conditions.

C. Summary of Impacts

Our goal in modernizing the part 2 regulations is to increase opportunities for individuals with substance use disorders to participate in new and emerging health and health care models and health information technology (IT). Our intent is to facilitate the sharing of information within the health care system to support new models of integrated health care which, among other things, improve patient safety while maintaining or strengthening privacy protections for individuals seeking treatment for substance use disorders. We expect the proposed changes to 42 CFR part 2 to result in a decrease in the burdens associated with several aspects of this rule, including consent requirements. Moreover, as patients are allowed, in certain circumstances, to include a general designation in the “To Whom” section of the consent form, we anticipate there Start Printed Page 6991would be more individuals with substance use disorders participating in organizations that facilitate the exchange of health information (e.g., health information exchanges (HIEs)) and organizations that coordinate care (e.g., accountable care organizations (ACOs) and coordinated care organizations (CCOs)), leading to increased efficiency and quality in the provision of health care for this population.

When estimating the total costs associated with changes to the 42 CFR part 2 regulations, we assumed five sets of costs: Updates to health IT system costs, costs for staff training and updates to training curricula, costs to update patient consent forms, costs associated with providing patients a list of entities to which their information has been disclosed pursuant to a general designation on the consent form (i.e., the List of Disclosures requirement), and implementation costs associated with the List of Disclosure requirements. We assumed that costs associated with modifications to existing health IT systems, staff training costs associated with updating staff training materials, and costs to update consent forms would be one-time costs the first year the final rule is in effect and would not carry forward into future years. Staff training costs other than those associated with updating training materials are assumed to be ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in effect. The List of Disclosures costs are assumed to be ongoing annual costs to entities named on a consent form that disclose patient identifying information to their participants under the general designation. The List of Disclosures requirement, however, does not go into effect until two years after the final rule is in effect. Therefore, in years 1 and 2, the costs associated with the List of Disclosures provision are limited to implementation costs for entities that chose to upgrade their health IT systems in order to comply with the List of Disclosure requirements.

We estimate, therefore, that in the first year that the final rule is in effect, the costs associated with updates to 42 CFR part 2 would be $74,217,979. In year two, we estimate that costs would be $47,021,182. In years 3 through 10, we estimate the annual costs would be $14,835,444. Over the 10-year period 2015-2024, the total undiscounted cost of the proposed changes would be $239,922,716 in 2015 dollars. When future costs are discounted at 3 percent or 7 percent per year, the total costs become approximately $220.9 million or $200.9 million, respectively.

Based on data from the 2013 National Survey of Substance Abuse Treatment Services (N-SSATS), we estimate that 12,034 hospitals, outpatient treatment centers, and residential treatment facilities are covered by part 2. N-SSATS is an annual survey of U.S. substance abuse treatment facilities. Data is collected on facility location, characteristics, and service utilization. Not all treatment providers included in N-SSATs are believed to be under the jurisdiction of the part 2 regulations. The 12,034 number is a subset of the 14,148 substance abuse treatment facilities that responded to the 2013 N-SSATS, and includes all federally operated facilities, facilities that reported receiving public funding other than Medicare and Medicaid, facilities that reported accepting Medicare, Medicaid, TRICARE, and/or Access to Recovery (ATR) voucher payments, or were SAMHSA-certified Opioid Treatment Programs.

If an independently practicing clinician does not meet the requirements of paragraph (1) of the definition of Program (an individual or entity (other than a general medical facility or general medical practice) who holds itself out as providing and provides substance use disorder diagnosis, treatment or referral for treatment), they may be subject to 42 CFR part 2 if they constitute an identified unit within a general medical facility or general medical practice which holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment, or if their primary function in the facility or practice is the provision of such services and they are identified by the facility or practice as providing such services. Due to data limitations, it was not possible to estimate the costs for independently practicing providers covered by part 2 that did not participate in the 2013 N-SSATS. For example, data from the American Board of Addiction Medicine (ABAM) provides the number of physicians since 2000, who have active ABAM certification. However, there is no source for the number of physicians who have not participated in the ABAM certification process. In addition, it is not possible to determine which ABAM-certified physicians practice in a general medical setting rather than in a specialty treatment facility that was already counted in the N-SSATS data.

Several provisions in the Notice of Proposed Rulemaking (NPRM) reference other lawful holders of patient identifying information in combination with part 2 programs. These other lawful holders must comply with part 2 requirements with respect to information they maintain that is covered by part 2 regulations. However, because this group is not clearly defined with respect to the range of organizations it may include, we are unable to include estimates regarding the number and type of these organizations and are only including part 2 programs in this analysis.

In addition to the part 2 programs described above, entities named on a consent form that disclose patient identifying information to their participants under the general designation must provide patients, upon request, a list of entities to which their information has been disclosed pursuant to a general designation. These entities primarily would include organizations that facilitate the exchange of health information (e.g., HIEs), and also may include organizations responsible for care coordination (e.g., ACOs, CCOs, and patient-centered medical homes (sometimes called health homes)). While these types of organizations were the primary focus of this provision on the consent form, other types of entities, such as research institutions, also may disclose patient identifying information to their participants (e.g., clinical researchers) pursuant to the general designation on the consent form. Because there are no definitive data sources for this potential range of organizations, we are not associating List of Disclosures requests with any particular type of organization. Instead, we chose to estimate the number of organizations that must respond to List of Disclosures requests based on the total number of requests each year.

II. Background

A. Significant Technology Changes

Since the promulgation of 42 CFR part 2, significant technology changes have impacted the delivery of health care. The Office of the National Coordinator for Health Information Technology (ONC) was established as an office within the Department of Health and Human Services (HHS) under Executive Order 13335 on April 27, 2004. Subsequently, on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) expanded the Department's health IT work, including the expansion of ONC's authority and the provision of federal funds for ONC's activities consistent with the Start Printed Page 6992development of a nationwide health IT infrastructure. This work included the certification of health IT; the authorization of CMS' Electronic Health Record (EHR) Incentive Program, including payments to eligible providers for the adoption and meaningful use of certified EHR technology; and numerous other federal agencies' programs—all of which served the objective of ensuring patient health information is secure, private, accurate, and available where and when needed.

SAMHSA has played a role in encouraging the use of health IT by behavioral health (substance use disorders and mental health) providers. SAMHSA's efforts included collaborating with ONC to develop two sets of Frequently Asked Questions and convening a number of stakeholder meetings to provide guidance on the application of 42 CFR part 2 within HIE models. In addition, SAMHSA funded a one-year pilot project in 2012 with five state HIEs to support the exchange of health information among behavioral health and physical health providers. SAMHSA also worked with ONC and other federal agencies on several projects to support behavioral health and health information exchange.

The Data Segmentation for Privacy (DS4P) initiative within ONC's Standards and Interoperability (S&I) Framework facilitated the development of standards to improve the interoperability of EHRs containing sensitive information that must be protected to a greater degree than other health information due to 42 CFR part 2 and similar state laws. The DS4P initiative met its two goals, which were to: Demonstrate how standards can be used to support current privacy policies for sharing sensitive health information across organizational boundaries; and develop standards that will enable sensitive electronic health information to flow more freely to authorized users while improving the ability of health IT systems to implement current privacy protection requirements for certain types of health care data, such as substance use disorder patient records. The S&I Framework is a collaborative community of contributors from the public and private sectors who are focused on providing the tools, services, and guidance to facilitate the electronic exchange of health information. The DS4P initiative involved 344 volunteers, including, but not limited to, federal and state government agencies, behavioral health providers, EHR and other IT companies, health information exchanges, patient advocacy groups, professional societies/associations, consultants, health systems, health insurers, and universities.

Through the DS4P initiative, federal and community stakeholders developed standards and guidelines for enabling data segmentation and managing patient consent preferences. The technical approach outlined in the DS4P Implementation Guide (IG) is based on the experience of the six pilot projects and the solutions they developed to meet the DS4P project requirements. The DS4P IG is an American National Standards Institute (ANSI) approved standard. It was also voted on and approved at the highest level to become what Health Level 7 (HL7) calls a normative standard (a foundational part of the technology needed to meet the global challenge of integrating health care information). The HL7 balloting process included 155 stakeholders, including HL7 affiliates, vendors, consultants, payers, providers, non-profit organizations, and federal government representatives. The HL7 standard is the currently acceptable standard for data segmentation and consent management. In addition, it is in compliance with 42 CFR part 2.

The six DS4P IG use case pilot projects that were conducted in accordance with ONC's S&I Framework included the Department of Veterans Affairs (VA)/Substance Abuse and Mental Health Services Administration (SAMHSA) Pilot. The VA/SAMHSA Pilot implemented all the DS4P use cases and passed all conformance tests. The VA/SAMHSA Pilot was also the first application to show that managing consents and patient directives, as well as segmenting structured data in a patient record, can be done. SAMHSA used these DS4P standards to develop the application branded Consent2Share, an open-source health IT solution which assists in consent management and data segmentation. Consent2Share validates that the DS4P IG can be used to build a production-based application to manage the patient consent lifecycle electronically. The Consent2Share software is currently being used by the Prince Georges County (Maryland) Health Department to manage patient consent directives while sharing substance use disorder information with an HIE. While this technology is not perfect, it provides a foundational standard and shows promise for sharing substance use disorder information while complying with 42 CFR part 2.

Notwithstanding these efforts, SAMHSA is aware that technology adoption is an ongoing process and the majority of current EHR and HIE applications may not have the capability to support the DS4P initiative. In addition, paper records are still used today in some part 2 programs and shared through facsimile (FAX). Despite SAMHSA's efforts to clarify the part 2 regulations through guidance and to demonstrate that exchange of sensitive health information can be accomplished through pilot projects that adhere to the regulations, some stakeholders continued to request modernization of 42 CFR part 2. These stakeholders are concerned that part 2, as currently written, continues to be a barrier to the integration of substance use disorder treatment and physical health care. For example, some substance use disorder treatment centers cannot participate in integrated care models because they have not implemented data segmentation and consent management functionalities necessary to comply with the part 2 rules. Further, under the current regulations, the part 2 program director is the only individual authorized to release of information for scientific research purposes. In addition, under the current regulatory framework, absent consent, organizations that store patient health data, including data that are subject to part 2, do not have the authority to disclose part 2 data for scientific research purposes to qualified researchers or research organizations. This could hinder a full understanding of impacts of treatment for addiction and other health issues. Finally, some stakeholders continue to request modernization of the part 2 rules, in media and other public and private forums.

B. Statutory and Rulemaking History

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 CFR part 2, implement section 543 of the Public Health Service Act, 42 United States Code (U.S.C.) § 290dd-2, as amended by section 131 of the Alcohol, Drug Abuse and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act), Pub. L. 102-321 (July 10, 1992). The regulations were promulgated as a final rule on July 1, 1975 (40 FR 27802). In 1980, the Department invited public comment on 15 substantive issues arising out of its experience interpreting and implementing the regulations (45 FR 53). More than 450 public responses to that invitation were received and taken into consideration in the preparation of a 1983 NPRM (48 FR 38758). Approximately 150 comments were received in response to the NPRM and were taken into consideration in the preparation of the final rule released on June 9, 1987 (52 FR 21798).Start Printed Page 6993

The Department published a NPRM again in the Federal Register (FR) on August 18, 1994 (59 FR 42561), which proposed a clarification of the definition of “Program” in the regulations. Specifically, the Department proposed to clarify that, as to general medical care facilities, these regulations cover only specialized individuals or units in such facilities that hold themselves out as providing and provide alcohol or drug abuse diagnosis, treatment, or referral for treatment and which are federally assisted, directly or indirectly. On May 5, 1995, the final rule was released (60 FR 22296).

SAMHSA posted a document in the Federal Register on May 12, 2014, (79 FR 26929) announcing a public Listening Session planned for June 11, 2014, to solicit feedback on the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 CFR part 2. SAMHSA accepted written comments until June 25, 2014.

In the Federal Register notification for the public Listening Session (79 FR 26929), SAMHSA invited general comments, as well as comments on six key provisions of 42 CFR part 2: Applicability, Consent requirements, Re-disclosure, Medical emergency, QSO, and Research. In addition, SAMHSA solicited input on electronic prescribing and Prescription Drug Monitoring Programs (PDMPs), areas that could potentially impact part 2 programs. Approximately 1,800 individuals participated in the listening session, either in person or by phone. During the session, 112 oral comments were made, while another 635 written comments were submitted during the written comment period. The Listening Session comments are posted on the SAMHSA Web site at http://www.samhsa.gov/​about-us/​who-we-are/​laws-regulations/​public-comments-confidentiality-regulations. In general, commenters supported updating the regulations or opposed it. Some commenters proposed aligning 42 CFR part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, due to its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA. We are choosing not to address any specific comments or summarize comments in detail in this proposed rule. However, all the feedback received from the Listening Session was considered and helped to inform the development of this NPRM. In addition, SAMHSA collaborated with its federal partner experts in developing this NPRM.

SAMHSA decided not to address issues pertaining to e-prescribing and PDMPs in this NPRM. SAMHSA concluded that the part 2 program e-prescribing and PDMPs are not ripe for rulemaking at this time due to the state of technology and because the majority of part 2 programs are not prescribing controlled substances electronically. SAMHSA intends to monitor developments in this area to see whether further action may be warranted in the future.

III. Provisions of This Proposed Rule

The intent of this NPRM is to propose revisions to key provisions of 42 CFR part 2 to modernize the regulations adopted in the June 1987 final rule and amended by the May 1995 final rule. This modernization is necessary because behavioral health, including substance use disorder treatment, is essential to overall health; the costs of untreated substance use disorders, both personal and societal, are substantial; and there continues to be a need for confidentiality protections that encourage patients to seek treatment without fear of compromising their privacy.

Individuals seeking treatment for substance use disorders often are met with a host of negative reactions including discrimination and harm to their reputations and relationships. In addition, there is a potential for serious civil and criminal consequences for the disclosure of patient identifying information associated with substance use disorders beyond the health care context. We are mindful of the intent of the governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR part 2, which is to protect the confidentiality of substance abuse patient records so as not to make an individual receiving treatment for a substance use disorder in a part 2 program more vulnerable by virtue of seeking treatment than an individual with a substance use disorder who does not seek treatment. SAMHSA strives to facilitate information exchange within new and emerging health and health care models, which promote integrated care and patient safety, while respecting the legitimate privacy concerns of patients seeking treatment for a substance use disorder due to the potential for discrimination, harm to their reputations and relationships, and serious civil and criminal consequences. SAMHSA also is mindful that any regulatory changes contemplated must be consistent with the authorizing legislation (42 U.S.C. 290dd-2) and its statutory intent.

This proposed rule also proposes editorial changes. SAMHSA deleted references to 42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3 in § 2.1, Statutory authority for confidentiality of drug abuse patient records, and § 2.2, Statutory authority for confidentiality of alcohol abuse patient records. Sections 290dd-3 and 290ee-3 were omitted by Public Law 102-321 and combined and renamed into Sections 290dd-2, Confidentiality of records. We also combined §§ 2.1 and 2.2 and propose to rename the new § 2.1 (Statutory authority for confidentiality of substance abuse patient records) and re-designate §§ 2.2-2.5. In addition, we deleted references to laws and regulations that have been repealed in § 2.21. Finally, we made editorial changes throughout the regulations to increase clarity and consistency.

Along with proposing substantive revisions to various sections of 42 CFR part 2, SAMHSA has proposed a number of technical, non-substantive changes for clarity and consistency that are reflected throughout the regulations. For the convenience of the public, SAMHSA is reprinting the text of 42 CFR part 2 in its entirety, which includes the proposed modifications incorporated into the existing provisions. SAMHSA, however, is only seeking comment on the proposed changes to the regulations that are discussed in the preamble of this NPRM. Sections of 42 CFR part 2 that have not been proposed for revision are not subject to review or comment under this NPRM.

A. Reports of Violations (§ 2.4)

1. Overview

In the current regulations, methadone programs are required to report violations of these regulations to the FDA.

2. Proposed Revisions

We propose to revise the requirement (§ 2.5(b)) of reporting violations of these regulations by a methadone program to the FDA. The authority over methadone programs (now referred to as opioid treatment programs) was transferred from the FDA to SAMHSA in 2001 (66 FR 4076). Suspected violations of 42 CFR part 2 by opioid treatment programs may be reported to the U.S. Attorney's Office for the judicial district in which the violation occurred, as well as the SAMHSA office responsible for opioid treatment program oversight.Start Printed Page 6994

B. Definitions (§ 2.11)

1. Overview

Certain defined terms in the current regulations are used inconsistently. SAMHSA also received inquiries regarding certain terms and how they apply to new health care models. In addition, the current regulations include definitions in four different sections (§§ 2.11, 2.12, 2.14 and 2.34).

2. Proposed Revisions

SAMHSA proposes to consolidate all of the definitions, with the exception the definition of the term “Federally assisted,” in a single section at § 2.11. SAMHSA proposes to retain the definition of the term “Federally assisted” in the Applicability provision at § 2.12 for the purpose of clarity because it is key to understanding the applicability of 42 CFR part 2. We encourage readers to review all of the definitions, since a clear understanding of the regulations builds on an understanding of the definitions and their inter-relationships.

a. New Definitions

i. Part 2 Program

The current regulations define “Federally assisted” separately from the term “Program” but do not define the term “Part 2 program.” In addition, the terms “Program” and “federally assisted alcohol or drug abuse program” are used interchangeably. Therefore, SAMHSA proposes to define a “Part 2 program” as a federally assisted program (federally assisted as defined in § 2.12(b) and program as defined in § 2.11). See § 2.12(e)(1) for examples.

We proposed to retain the examples provided in § 2.12(e)(1) of the current regulations, with a clarification, because they explain the part 2 applicability and coverage.

SAMHSA proposes to replace the term “Program” with “Part 2 program,” where appropriate. For example, we propose to revise the definition of QSO, including replacing “Program” with “Part 2 program,” which is discussed in depth below (see Section III.B.2.b., Existing Definitions). We also propose to replace “Program” with “Part 2 program” in several other definitions, while making no additional changes.

ii. Part 2 Program Director

Because of the addition of the “Part 2 program” definition, we also are proposing to define a “Part 2 program director” as:

  • In the case of a part 2 program which is an individual, that individual, and
  • In the case of a part 2 program which is an entity, the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer of the part 2 program.

We propose to delete the definition of “Program director.”

iii. Substance Use Disorder

SAMHSA proposes to refer to alcohol abuse and drug abuse collectively as “Substance use disorder” and, when referring to the authorizing statute, use “substance abuse” since that is the term used in Title 42, United States Code, Section 290dd-2. SAMHSA also uses the term “substance abuse” when referencing information from other publications that use that term. SAMHSA proposes to use the term “Substance use disorder” to be consistent with recognized classification manuals, current diagnostic lexicon, and commonly used descriptive terminology, and, for consistency, proposes to revise the title of 42 CFR part 2 from “Confidentiality of Alcohol and Drug Abuse Patient Records” to “Confidentiality of Substance Use Disorder Patient Records.”

While SAMHSA proposes to delete the definitions of “Alcohol abuse” and “Drug abuse,” we continue to use the terms “Alcohol abuse” and “Drug abuse” when referring to 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 (omitted by Pub. L. 102-321 and combined and renamed into Section 290dd-2), respectively, because they are the terms used in the outdated statutes. See § 2.11 of the current regulations for definitions of the terms “Alcohol abuse” and “Drug abuse”.

SAMHSA proposes to define the term “Substance use disorder” in such a manner as to cover substance use disorders that can be associated with altered mental status that has the potential to lead to risky and/or socially prohibited behaviors, including, but not limited to, substances such as, alcohol, cannabis, hallucinogens, inhalants, opioids, sedatives, hypnotics, anxiolytics, and stimulants. In addition, SAMHSA proposes to clarify that, for the purposes of these regulations, the definition excludes both tobacco and caffeine.

iv. Treating Provider Relationship

As noted in more detail in Section III.H., Consent Requirements, SAMHSA has heard a number of concerns from stakeholders regarding the current consent requirements in § 2.31 of the regulations. SAMHSA is proposing to revise the consent requirements to permit, in certain circumstances, a more general description of the individuals or entities to which a disclosure is made, but only if the individuals or entities have a treating provider relationship with the patient whose information is being disclosed. This change, therefore, creates a need to define a treating provider relationship.

A treating provider relationship begins when an individual seeks health-related assistance from an individual or entity who may provide assistance. However, the relationship is clearly established when the individual or entity agrees to undertake diagnosis, evaluation and/or treatment of the patient, or consultation with the patient, and the patient agrees to be treated, whether or not there has been an actual in-person encounter between the individual or entity and patient. A treating provider relationship with a patient may be established by a health care provider or another member of a health care team as long as the relationship meets the definition of “Treating provider relationship.”

A treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

  • A patient agrees to be diagnosed, evaluated and/or treated for any condition by an individual or entity, and
  • The individual or entity agrees to undertake diagnosis, evaluation and/or treatment of the patient, or consultation with the patient, for any condition.

The term “agrees” as used in the definition does not necessarily imply a formal written agreement. An agreement might be evidenced, among other things, by making an appointment or by a telephone consultation.

v. Withdrawal Management

SAMHSA proposes to update the terminology in § 2.34. We propose to delete the definition of “Detoxification treatment” and replace it with the definition of the currently acceptable term, “Withdrawal management.” We also propose to move this definition from § 2.34 to § 2.11 to consolidate definitions in one section of the regulations.

b. Existing Definitions

SAMHSA proposes to update terminology in existing definitions to accurately convey the meaning of terms and increase the understandability of the proposed rule. In addition, SAMHSA proposes to consolidate all but one of the defined terms in § 2.11.

i. Central Registry

SAMHSA proposes to update the terminology in § 2.34 and move this Start Printed Page 6995definition from § 2.34 to § 2.11 to consolidate definitions.

We are proposing to revise the definition to incorporate currently accepted terminology.

ii. Disclose or Disclosure

We propose to define only one word, “Disclose,” since it is implied that the same definition applies to other forms of the word. We also propose to update terminology and make the definition clearer.

iii. Maintenance Treatment

SAMHSA proposes to update the terminology in § 2.34 and move this definition from § 2.34 to § 2.11 to consolidate definitions.

iv. Member Program

SAMHSA proposes to update the terminology in § 2.34 and move this definition from § 2.34 to § 2.11 to consolidate definitions.

v. Patient

To emphasize that the term “Patient” refers to both current and former patients, SAMHSA proposes to revise the definition to provide that a patient is any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a part 2 program. Patient includes any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual's eligibility to participate in a part 2 program. This definition includes both current and former patients.

vi. Patient Identifying Information

SAMHSA proposes to clarify that “Patient,” as used in this definition, is a defined term in § 2.11. In addition, SAMHSA deleted the words “and speed.” If the information could identify the patient, the speed with which it identifies the patient is not relevant.

vii. Person

The current definition of “Person” includes both individuals and entities. For the purpose of this proposed regulation, SAMHSA considers an “individual” to be a human being. SAMHSA proposes to revise the definition of “Person” to clearly indicate that “Person” is also referred to as individual and/or entity.

viii. Program

SAMHSA is proposing to make the following changes to the “Program” definition. First, because the current definition of “Program” includes both the terms “general medical care facility” and “general medical facility,” and because these terms are used interchangeably, we are proposing to consistently use the term “general medical facility.”

Second, more substance use disorder treatment services are occurring in general health care and integrated care settings, which are typically not covered under the current regulations. Providers who in the past offered only general or specialized health care services (other than substance use disorder services) now, on occasion, provide substance use disorder treatment services, but only as incident to the provision of general health care. Therefore, SAMHSA proposes to make clear that paragraph (1) of the definition of “Program” would not apply to “general medical facilities” and “general medical practices.” However, paragraphs (2) and (3) of the definition of “Program” would apply to “general medical facilities” and “general medical practices.” Finally, SAMHSA is proposing to move the reference to examples from the definition of “Program” to the definition of “Part 2 program” because 42 CFR part 2 would apply only to “Part 2 programs” as defined in the proposed regulations.

The inclusion of general medical practices with general medical facilities is consistent with SAMHSA's intention to ensure confidentiality protections and access to treatment for individuals whose identity as substance use disorder patients would be compromised if records of the specialized programs from which they seek treatment were not covered by these regulations while not unnecessarily imposing requirements on general medical facilities or practices in an overly broad manner.

Consistent with the definition of “Program”:

1. If a provider is not a general medical facility or general medical practice, then the provider meets the part 2 definition of a “Program” if it is an individual or entity who holds itself out as providing, and provides substance use disorder diagnosis, treatment, or referral for treatment.

2. If the provider is an identified unit within a general medical facility or general medical practice, it is a “Program” if it holds itself out as providing, and provides, substance use disorder diagnosis, treatment or referral for treatment.

3. If the provider consists of medical personnel or other staff in a general medical facility or general medical practice, it is a “Program” if its primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and is identified as such specialized medical personnel or other staff by the general medical facility or general medical practice.

While the term “general medical facility” is not defined at 42 CFR 2.11 (Definitions), hospitals, trauma centers, or federally qualified health centers would generally be considered “general medical facilities.” Therefore, primary care providers who work in such facilities would only be covered by the part 2 definition of a “Program” if: (1) They work in an identified unit within such general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment or referral for treatment, or (2) the primary function of the providers is substance use disorder diagnosis, treatment or referral for treatment and they are identified as providers of such services by the general medical facility.

In addition, a practice comprised of primary care providers could be considered a “general medical practice.” As such, an identified unit within that general medical practice that holds itself out as providing and provides substance use disorder diagnosis, treatment, or referral for treatment would be considered a “Program” as defined in § 2.11 of these regulations. In addition, medical personnel or staff within that general medical practice whose primary function is the provision of substance use disorder services and who are identified as such providers by the general medical practice would qualify as a “Program” under the definition in these part 2 regulations.

Finally, “Holds itself out” is currently not defined in § 2.11, Definitions. SAMHSA has previously published guidance relative to the term and proposes to add an explanation of “Holds itself out” to the Preamble discussion in § 2.12, Applicability. Consistent with that guidance, “Holds itself out” means any activity that would lead one to reasonably conclude that the individual or entity provides substance use disorder diagnosis, treatment, or referral for treatment including but not limited to:

  • Authorization by the state or federal government (e.g. licensed, certified, registered) to provide, and provides, such services,
  • Advertisements, notices, or statements relative to such services, or
  • Consultation activities relative to such services.

As is the case throughout these regulations, understanding all defined terms is important. In the case of the definition of “Program” and how it Start Printed Page 6996relates to the applicability of these regulations (see § 2.12), two other definitions are particularly relevant: “Diagnosis,” and “Treatment.” See § 2.11 of the proposed regulations for the definitions of “Diagnosis” and “Treatment.”

ix. Qualified Service Organization

A qualified service organization (QSO) is an individual or entity (see definition of “Person,” above) that provides a service to a part 2 program consistent with a qualified service organization agreement (QSOA). A QSOA is a two-way agreement between a part 2 program and the individual or entity providing the desired service. Under the current statutory authority, patient records pertaining to substance abuse may be shared only with the prior written consent of the patient or under a few limited exceptions that are specifically enumerated in 42 U.S.C. 290dd-2. However, § 2.12(c)(4) indicates that these restrictions on disclosure do not apply to communications between a part 2 program and a QSO regarding information needed by the QSO to provide services to the part 2 program consistent with the QSOA. Accordingly, SAMHSA has consistently articulated in applicable guidance that a QSO would be permitted to disclose the part 2 information to a contract agent if it needs to do so in order to provide the services described in the QSOA, and as long as the agent only discloses the information back to the QSO or the part 2 program from which the information originated. If a disclosure is made by the QSO to an agent acting on its behalf to perform the service, both the QSO and the agent are bound by the part 2 regulations, and neither organization can disclose the information except as permitted by part 2 and SAMHSA's interpretive guidance.

Recognizing the importance of population health management, SAMHSA proposes to revise the definition of QSO to include population health management in the list of examples of services a QSO may provide. Population health management refers to increasing desired health outcomes and conditions through monitoring and identifying individual patients within a group. To achieve the best outcomes, providers must supply proactive, preventive, and chronic care to all of their patients, both during and between encounters with the health care system. For patients with substance use disorders, who often have comorbid conditions, proactive, preventive, and chronic care is important to achieving desired outcomes.

Any QSOA executed between a part 2 program and an organization providing population health management services would be limited to the office or unit responsible for population health management in the organization (e.g., the ACO, CCO, patient-centered medical home (sometimes called health home), or managed care organization), not the entire organization and not its participants (e.g., case managers, physicians, addiction counselors, hospitals, and clinics). Once a QSOA is in place, 42 CFR part 2 permits the part 2 program to communicate information from patients' records to the organization providing population health management services as long as it is limited to information needed by the organization to provide such services to the part 2 program. An organization providing population health management services may disclose part 2 information that it has received from a part 2 program to its participants (other than the originating part 2 program) only if the patient signs a part 2-compliant consent form agreeing to those disclosures.

SAMHSA's proposal to add population health management to the list of examples of the services that may be offered by a QSO is consistent with the Affordable Care Act (Patient Protection and Affordable Care Act of 2010 (Pub. L. 111-148)) and the HHS Strategic Plan FY 2014-2018 which includes the goals of improving health care and population health through meaningful use of health IT. We believe this revision would benefit patients' health, safety, and quality of life while maintaining the confidentiality protections that attach to the part 2 program's patient records.

SAMHSA also proposes to revise the term “medical services” as listed in the examples of permissible services offered by a QSO to clarify that it is limited to “medical staffing services.” SAMHSA proposes to make this revision to emphasize that QSOAs should not be used to avoid obtaining patient consent. Accordingly, a QSOA could be used by a part 2 program to contract with a provider of on-call coverage services (previously clarified in guidance) or other medical staffing services but could not be used to disclose John Doe's patient identifying information to his primary care doctor for the purpose of treatment (other than that provided under a QSOA for medical staffing services). However, an individual or entity who is prohibited from providing treatment to an individual patient under a QSOA, may still meet the requirements of having a treating provider relationship (based on the definition in § 2.11) with respect to the Consent Requirements in § 2.31. Likewise, care coordination was not added to the list of examples of permissible services offered by a QSO because care coordination has a patient treatment component.

x. Records

Consistent with the goal of modernizing the regulations, SAMHSA proposes to revise the definition of “Records” to include any information, whether recorded or not, received or acquired by a part 2 program relating to a patient. For the purpose of these regulations, records include both paper and electronic records.

xi. Treatment

As part of its effort to modernize these regulations, SAMHSA is proposing to delete the term, “management,” from the “Treatment” definition. In today's health care environment, “management” has a much broader meaning than it did when the regulations were last revised.

c. Terminology Changes

In addition to proposing changes to several definitions, we propose the following terminology changes. These changes are intended to ensure consistency in the use of terms throughout the regulations, and to increase the understandability of the proposed rule.

The current regulations use a variety of terms to refer to law enforcement (e.g., “office,” “agency or official,” and “authorities”) as well as using related terms (e.g., “persons or individuals within the criminal justice system”. We propose to consistently refer to law enforcement as “law enforcement agencies or officials.” In addition, the current regulations use the terms “organization” and “entity.” Neither term is defined but “entity” is included in both the definition of “Program” and “Person.” For this reason, we propose to use the term “entity” instead of “organization” wherever possible. Finally, because we have revised the definition of “Patient” to clarify that it includes both current and former patients, we have revised the grammar, where appropriate.

For the purposes of this regulation, we also propose that the term “written” include both paper and electronic documentation. In addition, we propose to use the phrase “part 2 program or other lawful holder of patient identifying information” to refer to a part 2 program or other individual or entity that is in lawful possession of patient identifying information. A Start Printed Page 6997“lawful holder” of patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a re-disclosure notice) or as a result of one of the limited exceptions to the consent requirements specified in the regulations and, therefore, is bound by 42 CFR part 2. Examples of such “lawful holders” of patient identifying information include a patient's treating provider, a hospital emergency room, an insurance company, an individual or entity performing an audit or evaluation, or an individual or entity conducting scientific research. We are not making any specific proposals with regard to “unlawful holders” of patient identifying information in this NPRM because unlawful holders are addressed in § 2.3 Criminal penalty for violation.

A patient who has obtained a copy of their records or a family member who has received such information from a patient would not be considered a “lawful holder of patient identifying information” in this context. As stated in § 2.23(a), the regulations do not prohibit a part 2 program from giving a patient access to their own records, including the opportunity to inspect and copy any records that the part 2 program maintains about the patient. The part 2 program is not required to obtain a patient's written consent or other authorization under these regulations in order to provide such access to the patient or their legal representative.

C. Applicability (§ 2.12)

1. Overview

The 1987 regulations (52 FR 21798) limited the applicability of 42 CFR part 2 to specialized programs, (i.e., to those federally assisted programs that hold themselves out as providing and which actually provide alcohol or drug abuse diagnosis, treatment, and referral for treatment). HHS took the position that limiting the applicability to specialized programs would simplify the administration of the regulations without significantly affecting the incentive to seek treatment provided by the confidentiality protections. Applicability to specialized programs lessened the adverse economic impact on a substantial number of facilities that provided substance use disorder care only as an incident to the provision of general medical care.

2. Proposed Revisions

SAMHSA considered options for defining what information is covered by 42 CFR part 2, including the option of defining covered information based on the type of substance use disorder treatment services provided instead of the type of facility providing the services. SAMHSA, however, rejected that approach because more substance use disorder treatment services are occurring in general health care and integrated care settings, which typically are not covered under the current regulations. Providers who in the past offered only general or specialized health care services (other than substance use disorder services) now, on occasion, provide substance use disorder treatment services, but only as incident to the provision of general health care.

As discussed in Section III.B.2.b., Existing Definitions, we propose to revise the definition of “Program” to align it more closely with current health care delivery models. SAMHSA proposes to make clear that paragraph (1) of the definition of “Program” would not apply to “general medical facilities” and “general medical practices.” However, paragraphs (2) and (3) of the definition of “Program” would apply to “general medical facilities” and “general medical practices.”

SAMHSA also proposes to include the term “Part 2 program,” as discussed in Section III.B.2.a.i. The definition of “Program” in § 2.11 did not explicitly include “Federally assisted as defined in § 2.12(b)”. As a result, we are proposing to add a definition of “Part 2 program.” We propose to define the term and to use the term “Part 2 program,” where appropriate, throughout the proposed regulations.

This approach is consistent with the approach taken in 1987 because it essentially limits the applicability of 42 CFR part 2 to specialized programs, which simplifies the administration of the regulations without significantly affecting the incentive to seek treatment provided by the confidentiality protections. We do not foresee that the exclusion from part 2 coverage of health care providers who work in general medical practices and provide substance use disorder treatment services as incident to the provision of general health care would act as a deterrent to individuals seeking assistance for substance use disorders.

In addition, in the current regulation, § 2.12(d)(2)(iii), restrictions on disclosures apply to individuals or entities who have received patient records directly from part 2 programs. SAMHSA proposes to revise § 2.12(d)(2)(iii) so that restrictions on disclosures also apply to individuals or entities who receive patient records directly from other lawful holders of patient identifying information. This change is consistent with the discussion of “other lawful holder of patient identifying information” in the preamble discussion in Terminology Changes in Section III.B.2.c. and the proposed inclusion of this term in other sections of this NPRM. Patient records subject to these regulations include patient records maintained by part 2 programs as well as those records in the possession of “other lawful holders of patient identifying information.”

D. Confidentiality Restrictions and Safeguards (§ 2.13)

1. Overview

Currently, 42 CFR part 2 does not include a way for patients to determine to whom their records have been disclosed.

2. Proposed Revisions

As discussed in Section G., Consent Requirements (§ 2.31), SAMHSA proposes to permit, in certain circumstances, the inclusion of a general designation in the “To Whom” section of the consent form. Specifically, in the case of an entity that does not have a treating provider relationship with the patient whose information is being disclosed, SAMHSA proposes to permit the designation of the name(s) of theentity(-ies) and a general designation of an individual or entity participant(s) or a class of participants that must be limited to those participants who have a treating provider relationship with the patient whose information is being disclosed. An entity without a treating provider relationship includes, for example, an entity that facilitates the exchange of health information (e.g., HIE). The consent form, therefore, could designate the HIE (an entity that does not have a treating provider relationship with the patient whose information is being disclosed) and “my treating providers” (a general designation of a class of individual and/or entity participants with a treating provider relationship with that same patient). Under this proposal, the consent form could not, however, include the general function “HIE” without specifying the name of the HIE entity used by the treating provider. Under this proposal, merely listing a function is not sufficient for consent because it would not sufficiently identify the recipient of the patient identifying information. Since SAMHSA is proposing to allow a general designation in the circumstances discussed above, we are proposing that, upon request, patients who have included a general Start Printed Page 6998designation in the “To Whom” section of their consent form must be provided, by the entity without a treating provider relationship that serves as an intermediary (see § 2.31(a)(4)(iv)), a list of entities to which their information has been disclosed pursuant to the general designation (List of Disclosures).

SAMHSA is proposing to require that the list of disclosures include a list of the entities to which the information was disclosed pursuant a general designation. However, if entities that are required to comply with the List of Disclosures requirement wish to include individuals on the list of disclosures, in addition to the required data elements which are outlined in § 2.13(d)(2)(ii), nothing in this proposed rule prohibits it.

SAMHSA considered requiring both individuals and entities to be included on the list of disclosures but, after reviewing the Health Information Technology Privacy Committee's recommendations, decided to require, at a minimum, a list of entities. These recommendations addressed the HITECH requirement that HIPAA covered entities and business associates account for disclosures for treatment, payment, and health care operations made through an EHR. The Committee recommended, “that the content of the disclosure report be required to include only an entity name rather than a specific individual as proposed in the NPRM.” In addition, the report noted that the Organization for Economic Cooperation and Development (OECD) principles, the Fair Credit Reporting Act, and the Privacy Act of 1974 do not require that the names of individuals be provided.

SAMHSA proposes that individuals who received patient identifying information pursuant to the general designation on a consent form should be included on the List of Disclosures based on an entity affiliation, such as the name of their practice or place of employment. Patients who wish to know the name of the individual to whom their information was disclosed may ask the entity on the List of Disclosures to provide that information, however, 42 CFR part 2 would not require the entity to comply with a patient's request.

In order to allow time to develop, test, and implement advanced technology to more efficiently comply with this requirement, SAMHSA is proposing that the List of Disclosures requirement become effective two years after the effective date of the final rule. Some entities may be able to comply with this requirement without developing and implementing new technologies. In addition, entities that use and disclose primarily paper records could easily implement a system, if one does not already exist, such as a sign-out/sign-in log, that could be used to generate such a list. SAMHSA anticipates that there will be few requests based on the relatively small number of accounting requests that most covered entities have received to date under the HIPAA Accounting for Disclosures rule, according to some anecdotal reports.

SAMHSA is proposing that patient requests for a list of entities to which their information has been disclosed must be in writing and limited to disclosures made within the past two years. Consistent with the preamble discussion of terminology (§ 2.11, Definitions), “written” includes both paper and electronic documentation. A request letter addressed to the entity that disclosed the information might include language such as: “I am writing to request a list of the entities to which my information has been disclosed within the past two years. This request is consistent with 42 CFR 2.13, which also includes the requirements for your response. Thank you for your assistance.”

In addition, SAMHSA is proposing that entities named on the consent form that disclose information to their participants under the general designation (entities without a treating provider relationship that serve as intermediaries) must respond to requests for a list of disclosures in 30 or fewer calendar days of receipt of the request. Responses sent to the patient electronically may be sent by encrypted transmission (e.g., email), or by unencrypted email at the request of the patient, so long as the patient has been informed of the potential risks associated with unsecured transmission. Patients should be notified that there may be some level of risk that the information in an unencrypted email could be read by a third party. If patients are notified of the risks and still prefer unencrypted email, the patient has the right to receive the information in that way, and entities are not responsible for unauthorized access of the information while in transmission to the patient based on the patient's request.

Before using an unsecured method to respond to a request for a list of disclosures, an entity should take certain precautions, such as checking an email address for accuracy before sending it or sending an email alert to the patient for address confirmation to avoid unintended disclosures. Patients may also request that the entity communicate with them by an alternative means or at an alternative location. Responses sent by mail may be sent by United States Postal Service first class mail, an equivalent service, or a service with additional security features (e.g., tracking). The response must include the name of the entity to which each disclosure was made, the date of the disclosure, and a brief description of the information disclosed. The brief description of the information disclosed must have sufficient specificity to be understandable to the patient. An example of a brief description of the information disclosed is a copy of the written request for disclosure. This requirement to provide a list of disclosures cannot be satisfied by providing patients with a list (or web address) of entities that potentially could receive their patient identifying information.

This proposed revision would facilitate patients' participation in advances in the health care delivery system by increasing their confidence that they could be informed, upon request, of who received their information pursuant to a general designation on the consent form.

In addition, confirming the identity of an individual who is not and has never been a patient while remaining silent on the identity of an actual patient could, by inference, compromise patient privacy. For example, if a reporter is inquiring about five individuals and only Mr. Smith is not and never has been a patient, by confirming that Mr. Smith is not and never has been a patient and remaining silent on the other four individuals, the part 2 program could enable the reporter to conclude that the other four individuals either are patients or have been patients. Therefore, SAMHSA is proposing to remove the concept from § 2.13(c)(2) that the regulations do not restrict a disclosure that an identified individual is not and never has been a patient. If confirming the identity of an individual who is not and never has been a patient, caution should be used so as not to make an inadvertent disclosure with respect to one or more other individuals. This proposed rule does not prohibit entities that receive a request for information about an individual from refusing to disclose any information regardless of whether the individual is or ever has been a patient(s).

E. Security for Records (§ 2.16)

1. Overview

Currently, the Security for Written Records section in § 2.16 addresses the maintenance, disclosure, access to, and Start Printed Page 6999use of written records. This section, however, addresses paper, but not electronic records.

2. Proposed Revisions

SAMHSA is proposing to modernize this section to address both paper and, in light of the steady increase in the adoption of health IT, electronic records. Specifically, SAMHSA proposes to revise the heading by deleting the word “written” so that it now reads: Security for Records. SAMHSA also proposes to clarify that this section requires both part 2 programs and other lawful holders of patient identifying information to have in place formal policies and procedures for the security of both paper and electronic records. These formal policies and procedures are intended to ensure protection of patient identifying information when records are exchanged electronically using health IT as well as when they are exchanged using paper records. The formal policies and procedures must reasonably protect against unauthorized uses and disclosures of patient identifying information and protect against reasonably anticipated threats or hazards to the security of patient identifying information. The formal policies and procedures must address, among other things, the sanitization of hard copy and electronic media, which is addressed in the preamble discussion of Disposition of Records by Discontinued Programs (§ 2.19). Suggested resources for part 2 programs and other lawful holders developing formal policies and procedures include materials from the HHS Office for Civil Rights (e.g., Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule), and the National Institute of Standards and Technology (NIST) (e.g., the most current version of the Special Publication 800-88, Guidelines for Media Sanitization).

The proposed regulations provide further guidance for these policies and procedures. Finally, we are proposing to replace language in other sections of the proposed rule with a reference to the policies and procedures established under § 2.16, where applicable.

F. Disposition of Records by Discontinued Programs (§ 2.19)

1. Overview

As with § 2.16, the Disposition of Records by Discontinued Programs section in the current regulations do not address electronic records.

2. Proposed Revisions

SAMHSA proposes to modernize this section to address both paper and electronic records. Specifically, we propose to address the disposition of both paper and electronic records by discontinued programs, and add requirements for sanitizing paper and electronic media. By sanitizing paper or electronic media, we mean to render the data stored on the media non-retrievable. Sanitizing electronic media is distinctly different from deleting electronic records and may involve clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Because failure to ensure total destruction of patient identifying information may lead to the unauthorized disclosure of sensitive information regarding a patient's substance use disorder history, SAMHSA expects the process of sanitizing paper (including printer and FAX ribbons, drums, etc.) or electronic media to be permanent and irreversible, so that there is no reasonable risk that the information may be recovered. This result is best achieved by sanitizing the paper or electronic media in a manner consistent with the most current version of the NIST Special Publication 800-88, Guidelines for Media Sanitization. SAMHSA also is proposing to reference the formal security policies and procedures for both paper and electronic records established under § 2.16.

G. Notice to Patients of Federal Confidentiality Requirements (§ 2.22)

1. Overview

Currently, § 2.22 lists the requirements of a notice to patients of the federal confidentiality requirements, including giving the patient a summary in writing of the federal law and regulations. As with other sections in the current regulations, this section requires that the notice to patients be in writing, but does not address electronic formats.

2. Proposed Revisions

SAMHSA proposes to continue to require that patients be given a summary in writing of the federal law and regulations. Consistent with the Preamble discussion in Terminology Changes in Section III.B.2.c., the term “written” includes both paper and electronic documentation. We, therefore, propose to permit the notice to patients to be either on paper or in an electronic format. SAMHSA also proposes to require the statement regarding the reporting of violations to include contact information for the appropriate authorities. The reporting of any violation of these regulations may be directed to the U.S. Attorney for the judicial district in which the violation occurs and the report of any violation of these regulations by an opioid treatment program may also be directed to the SAMHSA office responsible for opioid treatment program oversight (see § 2.4 of the proposed rule). SAMHSA is considering whether to issue guidance at a later date that includes a sample notice.

Although it is not a proposed requirement, SAMHSA encourages the part 2 program to be sensitive to the cultural composition of its patient population when considering whether the notice should also be provided in a language(s) other than English (e.g., Spanish).

H. Consent Requirements (§ 2.31)

1. Overview

SAMHSA has heard a number of concerns from individuals regarding the current consent requirements of 42 CFR part 2. In particular, stakeholders expressed concern that the current requirements for sharing patient records covered by part 2 deter patients from participating in HIEs, ACOs, CCOs, and similar organizations. While technical solutions for managing consent collection, such as data segmentation, are possible, they are not widely incorporated into existing systems.

2. Proposed Revisions

SAMHSA examined the consent requirements in § 2.31 to explore options for facilitating the sharing of information within the health care context while ensuring the patient is fully informed and the necessary protections are in place. As a result, we propose several changes to this section. First, we propose to revise the section heading from “Form of written consent” to “Consent requirements.” SAMHSA also proposes to make revisions in three sections of the consent form requirements: The “To Whom” section, the “Amount and Kind” section, and the “From Whom” section. SAMHSA also is proposing to require a part 2 program or other lawful holder of patient identifying information to obtain written confirmation from the patient Start Printed Page 7000that they understand both the terms of their consent and, when using a general designation in the “To Whom” section of the consent form (see Section III.H.2.a., To Whom, below), that they have the right to obtain, upon request, a list of entities to which their information has been disclosed pursuant to the general designation. In addition, SAMHSA is proposing to permit electronic signatures to the extent that they are not prohibited by any applicable law. SAMHSA is considering whether to issue guidance at a later date that includes a sample consent form.

As mentioned in Section III.C.2.a., New Definitions, SAMHSA is proposing to include a new definition of “Treating provider relationship” in § 2.11. Finally, as a result of these proposed revisions, we renumbered the subsections accordingly.

a. To Whom

i. Overview

Section 2.31(a)(2) of the current regulations requires that a consent form include the name or title of the individual or the name of the organization to which disclosure is to be made as part of the patient's written consent to the disclosure of their records regulated by 42 CFR part 2. The intent of the specificity required in the “To Whom” section was for the patient to be able to identify, at the point of consent, exactly who they are authorizing to receive their information.

Some stakeholders have reported that the requirement in 42 CFR 2.31(a)(2) for the name of the individual or organization that will be the recipient of the patient identifying information makes it difficult to include programs covered by the regulations in organizations that facilitate the exchange of health information or coordinate care (e.g., HIEs, ACOs, and CCOs). These organizations have a large and growing number of participants and may not have consent management capabilities. Under the current regulations, if a new participant joins an HIE, ACO, CCO, or other similar entity after a consent is signed, and a patient later goes to that new participant for treatment, part 2 would require that the new participant obtain the patient's consent to receive the patient's information. Because of the reported burdens associated with the collection of updated consent forms whenever new participants join one of these organizations, some stakeholders have indicated that they are currently not including substance use disorder treatment information in their systems.

ii. Proposed Revisions

SAMHSA is proposing to move the current § 2.31(a)(2), “To Whom,” to § 2.31(a)(4). In the following discussion of the “To Whom” section of the consent form and in the regulatory text, SAMHSA makes a distinction between individuals and entities who have a treating provider relationship with the patient and those who do not. As discussed in § 2.11, SAMHSA proposes to define the term “Treating provider relationship” to provide that regardless of whether there has been an actual in-person encounter, (a) a patient agrees to be diagnosed, evaluated and/or treated for any condition by an individual or entity and (b) the individual or entity agrees to undertake diagnosis, evaluation and/or treatment of the patient, or consultation with the patient, for any condition.

Based on this definition, SAMHSA considers an entity to have a treating provider relationship with a patient if the entity employs or privileges one or more individuals who have a treating provider relationship with the patient.

SAMHSA is continuing to permit the name(s) of the individual(s) to whom a disclosure is to be made to be designated in the “To Whom” section of the consent form (e.g., Jane Doe, MD; John Doe; or George Jones, JD). Because SAMHSA also is proposing to allow, in certain circumstances, a general designation, we propose to eliminate the current option of designating only a title of an individual (e.g., Chief of Pediatrics at Lakeview County Hospital). SAMHSA also proposes to revise the requirements for designating the name of an entity, as discussed below.

In the case of an entity that has a treating provider relationship with the patient whose information is being disclosed, SAMHSA is proposing to permit the designation of the name of the entity without requiring any further designations (as is required for an entity that does not have a treating provider relationship with the patient whose information is being disclosed, see below). For example, the consent form could specify any of the following names of entities: Lakeview County Hospital, ABC Health Care Clinic, or Jane Doe & Associates Medical Practice.

In the case of an entity that does not have a treating provider relationship with the patient whose information is being disclosed and is a third-party payer that requires patient identifying information for the purpose of reimbursement for services rendered to the patient by the part 2 program, SAMHSA proposes to permit the designation of the name of the entity (e.g., Medicare).

In the case of an entity that does not have a treating provider relationship with the patient whose information is being disclosed and is not covered by § 2.31(a)(4)(iii) (i.e., the provision regarding third-party payers), SAMHSA proposes to permit the designation of the name(s) of the entity(-ies) and at least one of the following: (1) The name(s) of an individual participant(s); (2) the name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or (3) a general designation of an individual or entity participant(s) or a class of participants that must be limited to those participants who have a treating provider relationship with the patient whose information is being disclosed. Examples of an entity without a treating provider relationship include an entity that facilitates the exchange of health information (e.g., HIE) or a research institution. The consent form, therefore, could designate the HIE (an entity that does not have a treating provider relationship with the patient whose information is being disclosed) and Drs. Jones and Smith, and County Memorial Hospital (all participants in the HIE with a treating provider relationship with that same patient). Likewise, the consent form could designate the HIE (an entity that does not have a treating provider relationship with the patient whose information is being disclosed) and “my treating providers” (a general designation of an individual or entity) participant(s) or a class of individual and/or entity participants with a treating provider relationship with the patient whose information is being disclosed).

In the case of a research institution, a “participant” could be a clinical researcher with a treating provider relationship with the patient whose information is being disclosed, or a general researcher who does not have a treating provider relationship with the patient whose information is being disclosed. The clinical researcher could be included as “my treating provider” in a general designation on the consent form, whereas the general researcher would have to be named on the consent form. Alternatively, a research institution could obtain patient identifying information without consent if it meets the requirements in § 2.52.

If a general designation is used, the entity must have a mechanism in place to determine whether a treating provider relationship exists with the patient whose information is being disclosed. Start Printed Page 7001We encourage innovative solutions to implement this provision. For example, the HIE in the aforementioned example could have a policy in place requiring their participating providers to attest to having a treating provider relationship with the patient. Likewise, the HIE could provide a patient portal that permits patients to designate treating providers as members of “my health care team” or “my treating providers.”

Improving the quality of substance use disorder care depends on effective collaboration of mental health, substance use disorder, general health care, and other service providers in coordinating patient care. However, the composition of a health care team varies widely among entities. Because SAMHSA wants to ensure that patient identifying information is only disclosed to those individuals and entities on the health care team with a need to know this sensitive information, we are limiting a general designation to those individuals or entities with a treating provider relationship. Patients may further designate their treating providers as “past,” “current,” and/or “future” treating providers. In addition, a patient may designate, by name, one or more individuals on their health care team with whom they do not have a treating provider relationship.

SAMHSA proposes to balance the flexibility afforded by the general designation in the “To Whom” section by adding a new confidentiality safeguard: List of Disclosures (§ 2.13(d)). The List of Disclosures provision allows patients who have included a general designation in the “To Whom” section of their consent form to request and be provided a list of entities to which their information has been disclosed pursuant to the general designation. In addition, when using a general designation, a statement must be included on the consent form noting that, by signing the consent form, the patient confirms their understanding of the List of Disclosures provision.

Many new integrated care models rely on interoperable health IT and these proposed changes are expected to support the integration of substance use disorder treatment into primary and other specialty care, improving the patient experience, clinical outcomes, and patient safety while at the same time ensuring patient choice, confidentiality, and privacy.

The following table provides an overview of the options permitted when completing the designation in the “To Whom” section of the proposed consent form.

Designating Individuals and Organizations in the “To Whom” Section of the Consent Form

42 CFR 2.31Individual or entity to whom disclosure is to be madeTreating provider relationship with patient whose information is being disclosedPrimary designationAdditional designation
(a)(4)(i)IndividualYesName of individual(s) (e.g., Jane Doe, MD)None.
(a)(4)(i)IndividualNoName of individual(s) (e.g., John Doe)None.
(a)(4)(ii)EntityYesName of entity (e.g., Lakeview County Hospital)None.
(a)(4)(iii)EntityNoName of entity that is a third-party payer as specified under § 2.31(a)(4)(iii) (e.g., Medicare)None.
(a)(4)(iv)EntityNoName of entity that is not covered by § 2.31(a)(4)(iii) (e.g., HIE, or research institution)At least one of the following: 1. The name(s) of an individual participant(s) (e.g. Jane Doe, MD, or John Doe). 2. The name(s) of an entity participant(s) with a treating provider relationship with the patient whose information is being disclosed (e.g., Lakeview County Hospital).
3. A general designation of an individual or entity participant(s) or a class of participants limited to those participants who have a treating provider relationship with the patient whose information is being disclosed (e.g., my current and future treating providers).

SAMHSA is seeking public comment on an alternative approach to the proposed required elements for the “To Whom” section of the consent form. The current part 2 required elements for the “To Whom” section of written consent are the name or title of the individual or the name of the organization to which the disclosure is to be made. The term “organization” is not defined in the current regulations, but SAMHSA has interpreted the term narrowly in guidance to mean that information can be sent to a lead organization but the information cannot flow from the lead organization to organization members or participants. Historically, that meant that all members or participants of an organization would need to be listed on the consent form and a new consent form would need to be obtained each time a new provider joined the organization.

SAMHSA's alternative approach reflects the same policy goal as the proposed regulation text (i.e., allowing more flexibility in the “To Whom” section of the consent form) while attempting to simplify the language that would appear on the consent form. This alternative approach would not change the existing language in the “To Whom” section of the consent form.

Under this alternative approach, SAMHSA would add a definition of “organization” to § 2.11. Organization would mean, for purposes of § 2.31, (a) an organization that is a treating provider of the patient whose Start Printed Page 7002information is being disclosed; or (b) an organization that is a third-party payer that requires patient identifying information for the purpose of reimbursement for services rendered to the patient by a part 2 program; or (c) an organization that is not a treating provider of the patient whose information is being disclosed but that serves as an intermediary in implementing the patient's consent by providing patient identifying information to its members or participants that have a treating provider relationship, as defined in § 2.11, or as otherwise specified by the patient.

Paragraph (a) of this definition relies on the definition of “Treating provider relationship” as defined in § 2.11. SAMHSA considers an organization to be a treating provider of a patient if the organization employs or privileges one or more individuals who have a treating provider relationship(s) with the “patient.”

Paragraph (b) of this definition refers to an organization that is not a treating provider of the patient whose information is being disclosed but that requires patient identifying information in connection with its role as a third-party payer for the purpose of reimbursement for services rendered to the patient (e.g., Medicare).

Paragraph (c) of this definition refers to an organization that is not a treating provider of the patient whose information is being disclosed but that serves as an intermediary in implementing the patient consent. It permits these organizations to further disclose patient identifying information to its members or participants that have a treating provider relationship with the patient. It also allows the patient to specify further instructions for re-disclosure to the organization's members or participants.

In all instances, patient identifying information should only be disclosed to those individuals and organizations in accordance with the purpose stated by the patient on the signed consent form and only to those individuals with a need to know this sensitive information.

SAMHSA is seeking public comment on the advantages and disadvantages of this alternative approach as compared to SAMHSA's proposed approach. If commenters believe the definition of “organization” in the alternative approach should be broader, please include proposals for alternate or additional required elements for the consent form that facilitate the sharing of information within the health care context while ensuring the patient is fully informed of the individuals and organizations that potentially could receive their patient identifying information and that the necessary protections are in place.

To consider this alternative approach, SAMHSA would require resolution of several issues. Therefore, SAMHSA is also seeking public comment on the following questions:

(1) To allow patients to determine which specific members or participants are authorized to receive their information from an organization that serves an intermediary in paragraph (c) of the proposed organization definition in SAMSHA's alternative approach, what additional elements would need to be required on the consent form?

(2) How would the List of Disclosures requirement be applied under a broad definition of organization? Should the requirement be applied only to paragraph (c) of the proposed organization definition in SAMHSA's alternative approach or should different safeguards replace or supplement the List of Disclosures requirement?

b. Amount and Kind

i. Overview

Section 2.31(a)(5) currently requires the consent to include how much and what kind of information is to be disclosed. Because we are proposing to allow the “To Whom” section of the consent form to include a general designation under certain circumstances, we want patients to be aware of the information they are authorizing to disclose when they sign the consent form.

ii. Proposed Revisions

SAMHSA is proposing to move the current § 2.31(a)(5), “Amount and Kind,” to § 2.31(a)(3) and revise the provision to require the consent form to explicitly describe the substance use disorder-related information to be disclosed. The types of information that might be requested include diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, employment information, living situation and social supports, and claims/encounter data. The designation of the “Amount and Kind” of information to be disclosed must have sufficient specificity to allow the disclosing program or other entity to comply with the request. For example, the description may include: “medications and dosages, including substance use disorder-related medications,” or “all of my substance use disorder-related claims/encounter data.” Examples of unacceptable descriptions would be “all of my records” (does not address the substance use disorder-related information to be disclosed) and “only my substance use disorder records my family knows about” (lacks specificity).

c. From Whom

i. Overview

Section 2.31 currently requires the specific name or general designation of the program or person permitted to make the disclosure. In 1987, the requirement for the “From Whom” section of the consent form was broadened to the current requirement to permit a patient to consent to either a disclosure from a category of facilities or from a single specified program.

ii. Proposed Revisions

SAMHSA is proposing to move the current § 2.31(a)(1), “From Whom,” to § 2.31(a)(2). Because SAMHSA is now allowing, in certain instances, a general designation in the “To Whom” section of the consent form, we propose to require the “From Whom” section of the consent form to specifically name the part 2 program(s) or other lawful holder(s) of the patient identifying information permitted to make the disclosure. This revision would avoid any unintended consequences of including general designations in both the “From Whom” and “To Whom” sections. For example, the patient may be unaware of possible permutations of combining the two broad designations to which they are consenting, especially if these designations include future unnamed treating providers.

d. New Requirements

i. Overview

Currently, the consent requirements do not include any requirement that the patient confirms their understanding of the information on the consent form.

ii. Proposed Revisions

As discussed in the proposed revisions to the “To Whom” section, SAMHSA proposes to add two new requirements related to the patient's signing of the consent form. The first would require the part 2 program or other lawful holder of patient identifying information to include a statement on the consent form that the patient understands the terms of their consent. The second would require the part 2 program or other lawful holder of patient identifying information to include a statement on the consent form that the patient understands their right, pursuant to § 2.13(d), to request and be provided a list of entities to which their Start Printed Page 7003information has been disclosed when the patient includes a general designation on the consent form. In addition, the part 2 program or other lawful holder of patient identifying information would have to include a statement on the consent form that the patient confirms their understanding of the terms of consent and § 2.13(d) by signing the consent form.

I. Prohibition on Re-disclosure (§ 2.32)

1. Overview

There is confusion on the part of some providers as to how much of a patient's record is subject to 42 CFR part 2, which often leads to a decision to protect the entire record.

2. Proposed Revisions

SAMHSA proposes to clarify that the prohibition on re-disclosure provision (§ 2.32) only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the part 2 program to be re-disclosed, if permissible under the applicable law. For example, if an individual receives substance use disorder treatment from a part 2 program and also receives treatment for a health condition such as high blood pressure, the individual's record would include information unrelated to their substance use disorder (i.e., high blood pressure). Part 2 does not prohibit re-disclosure of the information related to the high blood pressure as long as it does not include information that would identify the individual as having or having had a substance use disorder.

However, illnesses that are brought about by drug or alcohol abuse may reveal that a patient has a substance use disorder. For example, cirrhosis of the liver or pancreatitis could reveal a substance use disorder. Also, if a prescription for a medication used for substance use disorder treatment is revealed without further clarification of a non-substance disorder use (e.g., methadone used for the treatment of cancer), it would suggest that the individual has a substance use disorder and also would be prohibited.

If data provenance (the historical record of the data and its origins) reveals information that would identify, directly or indirectly, and individual as having or having had a substance use disorder, the information would be prohibited from being re-disclosed. For example, if the treatment location is a substance use disorder treatment clinic, this information would identify an individual as having had a substance use disorder and is therefore prohibited.

SAMHSA also proposed to clarify that the federal rules restrict any use of the information to criminally investigate or prosecute any patient with a substance use disorder, except as provided in § 2.12(c)(5).

J. Disclosures To Prevent Multiple Enrollments (§ 2.34)

1. Overview

In the current regulations, special rules are included for disclosures to prevent multiple enrollments in detoxification and maintenance treatment programs because these types of disclosure necessitate some adjustment of the basic written consent procedures in order to ensure maximum protection for patients. Under § 2.34, the timing, content, and use of the patient information is strictly limited in accordance with the purpose of the disclosure.

2. Proposed Revisions

SAMHSA proposes to modernize section § 2.34 by updating terminology and revising corresponding definitions. SAMHSA also proposes to consolidate definitions by moving definitions from this section to Definitions in § 2.11, as discussed in Section III.B., Definitions.

K. Medical Emergencies (§ 2.51)

1. Overview

SAMHSA is considering aligning the regulatory language with the statutory language regarding the medical emergency exception of 42 CFR part 2 (§ 2.51). The current regulations state that information may be disclosed without consent for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention. The statute, however, states that records may be disclosed “to medical personnel to the extent necessary to meet a bona fide medical emergency.”

2. Proposed Revisions

SAMHSA proposes to adapt the medical emergency exception to give providers more discretion to determine when a “bona fide medical emergency” (42 U.S.C. 290dd-2(b)(2)(A)) exists. The proposed language states that patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency, in which the patient's prior informed consent cannot be obtained.

SAMHSA proposes to continue to require the part 2 program to immediately document, in writing, specific information related to the medical emergency. Before a part 2 program enters into an affiliation with an HIE, it should consider whether the HIE has the capability to comply with all part 2 requirements, including the capacity to immediately notify the part 2 program when its records have been disclosed pursuant to a medical emergency. To promote compliance, SAMHSA recommends that the notification include all the information that the part 2 program is required to document in the patient's records (e.g., date and time of disclosure, the nature of the emergency). Similarly, SAMHSA recommends that the part 2 program consider whether the HIE has the technology, rules, and procedures to appropriately protect patient identifying information.

L. Research (§ 2.52)

1. Overview

Under the current regulations at § 2.52, only the program director (part 2 program director) may authorize the disclosure of patient identifying information for scientific research purposes to qualified personnel. Part 2 data may be derived from a variety of sources, including federal or state agencies that administer Medicare, Medicaid, or Children's Health Insurance Program (CHIP), part 2 programs, or other individuals or entities that have lawfully obtained the information and may wish to facilitate a sharing of the information for purposes of scientific research that would ultimately benefit substance use disorder patients/beneficiaries.

Along with fifteen other federal departments and agencies, HHS has announced proposed revisions to the regulations for protection of human subjects in research (Common Rule). An NPRM was published in the Federal Register on September 8, 2015. In this part 2 NPRM, SAMHSA proposes certain revisions that are predicated on the current version of the Common Rule (45 CFR part 46, Protection of Human Subjects, promulgated in 1991). Although SAMHSA does not anticipate that the Common Rule provisions referenced in this part 2 NPRM will change substantially during the Common Rule rulemaking process, should conflicting policies be created, SAMHSA will take appropriate action (e.g., issue an NPRM or technical correction).Start Printed Page 7004

2. Proposed Revisions

First, we propose to revise the section heading by deleting the word “activities” (§ 2.52, Research). SAMHSA also proposes to revise the research exception to permit data protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data (lawful holder of part 2 data). For example, these lawful holders of part 2 data could include third-party payers, HIEs, ACOs, and CCOs. Qualified personnel are those individuals who meet the requirements specified in the Research provision to receive part 2 data for the purpose of conducting scientific research. SAMHSA examined the existing regulations that protect human subjects in research and concluded that, if those requirements were fulfilled, 42 CFR part 2 would ensure confidentiality protections consistent with the Congressional intent, while providing the expanded authority for disclosing patient identifying information.

Under 42 CFR part 2, part 2 programs or other lawful holders of part 2 data are permitted to disclose patient identifying information for research with patient consent, or without patient consent under limited circumstances. SAMHSA is proposing to allow patient identifying information to be disclosed for purposes of scientific research: (1) If the researcher is a HIPAA covered entity or business associate and provides documentation that the researcher obtained research participants' authorization, or a waiver of research participants' authorization by an Institutional Review Board (IRB) or privacy board, for use or disclosure of information about them for research purposes consistent with the HIPAA Privacy Rule, (45 CFR 164.512(i)); or (2) if the researcher is subject to just the HHS Common Rule (45 CFR part 46, subpart A) and provides documentation that the researcher is in compliance with the requirements of the HHS Common Rule, including requirements relating to informed consent or a waiver of consent (45 CFR 46.111 and 46.116); or (3) if the researcher is both a HIPAA covered entity or business associate and subject to the HHS Common Rule, the researcher has met the requirements of both (1) and (2).

IRBs that are designated by an institution under an assurance of compliance approved for Federalwide use (referred to as Federalwide Assurance, or FWA) by HHS Office for Human Research Protections (OHRP) under § 46.103(a) and that review research involving human subjects conducted or supported by HHS must be registered with HHS. The FWA is the assurance from an institution engaging in HHS-conducted or -supported human subjects research regarding compliance with 45 CFR part 46. An institution must have an FWA to receive HHS support for research involving human subjects, and the FWA has to designate an IRB registered with OHRP, whether it is an internal or external IRB.

A privacy board is a review body that may be established to act upon requests for a waiver or an alteration of the requirement under the HIPAA Privacy Rule to obtain an individual's authorization for uses and disclosures of protected health information for a particular research study. Like an IRB, a privacy board may waive or alter all or part of the HIPAA authorization requirements for a specified research project or protocol, provided certain conditions are met as provided in 45 CFR 164.512(i).

Currently, much research involving human subjects operates under the HHS Common Rule (45 CFR part 46, subpart A). These regulations, which apply to HHS-conducted or -supported research or to institutions that have voluntarily extended their FWA to apply to all research regardless of funding, include protections to help ensure confidentiality. Under this rule, IRBs determine that, when appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data before approving the research (45 CFR 46.111(a)(7)). IRBs can therefore address the requirements under the HIPAA Privacy Rule and the HHS Common Rule, which contain somewhat similar, but different sets of requirements. The proposed part 2 rules set out the requirements for a researcher conducting research with patient identifying information. Compliance with the HIPAA Privacy Rule and/or federal human subjects research protections, as set forth in the HHS Common Rule, where they apply, as well as the specific additional requirements in § 2.52(b) discussed below, is sufficient to meet the requirements for research disclosures under part 2.

SAMHSA also is proposing to address data linkages because the process of linking two or more streams of data opens up new research opportunities. For example, the practice of requesting data linkages from other data sources to study the longitudinal effects of treatment on patients is becoming widespread. SAMHSA is interested in affording patients protected by 42 CFR part 2 the same opportunity to benefit from these advanced research protocols while continuing to safeguard their privacy.

We propose to permit researchers to request to link data sets that include patient identifying information if: (1) The data linkage uses data from a federal data repository; and (2) the project, including a data protection plan, is reviewed and approved by an IRB registered with OHRP in accordance with 45 CFR part 46. This permissible disclosure would allow a researcher to disclose patient identifying information to a federal data repository and permit the federal data repository to link the patient identifying information to data held by that repository and return the linked data file back to the researcher. It would also ensure that patient privacy is considered, that the disclosure and use of identifiable data is justified, and that the research protocol includes an appropriate data protection plan. SAMHSA is proposing to limit the data repositories from which a researcher may request data for data linkages purposes to federal data repositories because federal agencies that maintain data repositories have policies and procedures in place to protect the security and confidentiality of the patient identifying information that must be submitted by a researcher in order to link the data sets. For example, in addition to meeting requirements under the HIPAA Rules and/or the HHS Common Rule, as applicable, requests for “research identifiable files” data from CMS require a Data Use Agreement and are reviewed by CMS's Privacy Board. CMS also has internal policies to protect the privacy and security of data received from the researcher, including the retention and destruction of that data. In addition, all federal agencies must comply with directives that protect sensitive data such as Office of Management and Budget Circular No. A-130, Appendix III—Security of Federal Automated Information and NIST Federal Information Processing Standard 200 entitled Minimum Security Requirements for Federal Information and Information Systems.

SAMHSA is soliciting public input regarding whether to expand the data linkages provision beyond federal data repositories, what confidentiality, privacy, and security safeguards are in place for those non-federal data repositories, and whether those safeguards are sufficient to protect the security and confidentiality of the patient identifying information.

We invite stakeholders to provide input and recommendations on the specific policies, procedures, and other safeguards that non-federal data Start Printed Page 7005repositories should have in place including, but not limited to:

1. Data use agreements (e.g., a data use agreement or contract between the researcher and the data repository with written provisions to uphold security and confidentiality of the data and provide for sanctions or penalties for breaches of confidentiality);

2. A review by a privacy board or other regulatory body(-ies);

3. Internal security and privacy protections (both physical and electronic) for the confidentiality and security of data, including the retention and destruction of data received for data linkage purposes (e.g., a requirement to destroy, in a manner to render the data non-retrievable, all patient identifying information provided by the researcher for data linkage purposes after performing the match).

4. Security and privacy protections (both physical and electronic) for receiving and linking data (e.g., a requirement that transmission of data between the researcher and the data repository must occur through the use of secure methods and use the most current encryption technology, such as the most current version of the Advanced Encryption Standard (NIST Federal Information Processing Standards (FIPS 197)).

5. Internal confidentiality agreements for staff members who have access to patient identifying information and other confidential data;

6. Laws and regulations governing functions and operations, including those that address security and privacy;

7. Capability to perform data linkages according to recognized standards; and

8. Other relevant safeguards.

SAMHSA also is requesting public comment on the following three sets of questions:

First, should state government, local government, private, and/or other non-federal data repositories (please address separately) that meet the criteria above be permitted to conduct data linkages?

Second, are there additional or alternative criteria that should be included in the list above? Are there specific categories of data repositories that are already required to provide similar safeguards? When providing categories of data repositories, please describe the safeguards that are already in place for those entities.

Third, how could it be ensured that data repositories providing data linkages are in compliance with criteria or standards concerning confidentiality, privacy, and security safeguards? Are there any regulatory or oversight bodies (including non-governmental and governmental) that currently oversee compliance with criteria or standards concerning confidentiality, privacy, and security safeguards of data in non-federal repositories?

A researcher may report findings in aggregate form from patient information that has been rendered non-identifiable as long as there are assurances in place that the information cannot be re-identified and possibly serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

SAMHSA is proposing to require any individual or entity conducting scientific research using patient identifying information to meet additional requirements to ensure compliance with confidentiality provisions under part 2. Among these are a provision (§ 2.52(b)(1)) that requires researchers to be fully bound by these regulations and, if necessary, to resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations. This requirement means that researchers involved in a judicial proceeding are only required to disclose patient identifying information pursuant to a subpoena that is accompanied by a court order. In addition, we have included a provision (§ 2.52(b)(2)) prohibiting researchers from re-disclosing patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under § 2.52(b)(4), the data linkages provision. With respect to this re-disclosure provision, an individual or entity from whom the patient identifying information was obtained does not refer to patients.

Finally, SAMHSA is proposing to address, in addition to the maintenance of part 2 data, the retention and disposal of such information used in research. SAMHSA is proposing to do so by expanding the provisions in § 2.16, Security for Records and referencing the policies and procedures established under § 2.16 in this section.

These proposed revisions would allow additional scientific research to be conducted that would facilitate continual quality improvement of part 2 programs and the important services they offer. In doing so, SAMHSA proposes to incorporate existing protections for human subjects research that are widely accepted.

M. Audit and Evaluation (§ 2.53)

1. Overview

Under the current Medicare or Medicaid audit or evaluation section at § 2.53, an audit or evaluation is limited to a civil investigation or administrative remedy by any federal, state, or local agency responsible for oversight of the Medicare or Medicaid program. It also includes administrative enforcement, against the program by the agency, or any remedy authorized by law to be imposed as a result of the findings of the investigation.

2. Proposed Revisions

First, we propose to revise the section heading by deleting the word “activities” (§ 2.53, Audit and Evaluation). SAMHSA also proposes to modernize this section to include provisions for governing both paper and electronic patient records. In addition, we propose to revise the requirements for destroying patient identifying information by citing the expanded Security for Records section (§ 2.16). Furthermore, we propose to update the Medicare or Medicaid audit or evaluation subsection title to include CHIP and, in subsequent language, refer to Medicare, Medicaid and CHIP (SAMHSA has always applied this section to CHIP and is proposing to explicitly refer to it in the proposed regulation text).

SAMHSA proposes to permit the part 2 program, not just the part 2 program director, to determine who is qualified to conduct an audit or evaluation of the part 2 program in paragraph (a)(2). SAMHSA also proposes to permit an audit or evaluation necessary to meet the requirements of a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE), under certain conditions. To ensure that patient identifying information is protected, the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) that is the subject of, or is conducting, the audit or evaluation must have a signed Participation Agreement with CMS which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must comply with all applicable provisions of 42 U.S.C 290dd-2 and 42 CFR part 2.

IV. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. Currently, the information collection is approved under OMB Control No. 0930-0092. In Start Printed Page 7006order to fairly evaluate whether changes to an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues: (a) Whether the information collection is necessary and useful to carry out the proper functions of the agency; (b) The accuracy of the agency's estimate of the information collection burden; (c) The quality, utility, and clarity of the information to be collected; and (d) Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered in rule making. We explicitly seek, and will consider, public comment on our assumptions as they relate to the PRA requirements summarized in this section.

This proposed rule includes changes to information collection requirements, that is, reporting, recordkeeping or third-party disclosure requirements, as defined under the PRA (5 CFR part 1320). Some of the provisions involve changes from the information collections set out in the previous regulations. Information collection requirements are: (1) Section 2.13(d)—Disclosure: Requires entities named on a consent form that disclose patient identifying information to their participants under the general designation to make a disclosure, to each patient who requests a list of disclosures, in the form of a list of entities to which their information has been disclosed pursuant to the general designation, (2) Section 2.22—Disclosure: Requires each program to make public disclosure in the form of communication to each patient that federal law and regulations protect the confidentiality of each patient and includes a written summary of the effect of this law and these regulations, (3) Section 2.51—Recordkeeping: This provision requires the program to document a disclosure of a patient record to authorized medical personnel in a medical emergency. The regulation is silent on retention period for keeping these records as this will vary according to state laws. It is expected that these records will be kept as part of the patients' health records. Annual burden estimates for these requirements are summarized in the table below:

Annualized Burden Estimates

Annual number of respondentsResponses per respondentTotal responsesHours per responseTotal hour burdenHourly wage costTotal hour cost
Disclosures
42 CFR 2.13 (d)1 19,548119,5482 4.1581,1243 $36.9175$2,994,895
42 CFR 2.224 12,0341555 1,861,693.20372,338.66 40.2614,990,352
Recordkeeping
42 CFR 2.5112,034224,068.1674,0197 34.16137,289
Total8 31,5821,905,309457,48218,122,536
1 The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the total number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests equal the average of the total number of requests for a 0.1% request rate and a 2% request rate.
2 The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3 hours for entities that produce such a list from paper records. Because 90% of entities are estimated to collect the information electronically using an audit log and 10% are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 × 4 hours) + (0.1 × 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
3 The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071, 31-9092) [www.bls.gov/​oes/​]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
4 The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National Survey of Substance Abuse Treatment Services (N-SSATS).
5 The average number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS).
6 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code (21-1011) [www.bls.gov/​oes/​]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
7 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code (43-0000) [www.bls.gov/​oes/​]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
8 The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of disclosures.

As described in greater detail in Section VI., Regulatory Impact Analysis, the respondents for the collection of information under 42 CFR 2.22 and 2.51 are publicly (federal, state, or local) funded, assisted, or regulated substance use disorder treatment programs. The estimate of the number of such programs (respondents) is based on the results of the 2013 N-SSATS, and the average number of annual total responses is based on 2010-2012 information on patient admissions reported to the Treatment Episode Data Set (TEDS), approved under OMB Control No. 0930-0106 and OMB Control No. 0930-0335.

The respondents for the collection of information under 42 CFR 2.13(d) are entities named on the consent form that disclose information to their participants pursuant to the general designation. These entities primarily would be organizations that facilitate the exchange of health information (e.g., HIEs) or coordinate care (e.g., ACOs, CCOs, and patient-centered medical homes (sometimes called health homes)), but other organizations, such as research institutions, also may disclose patient identifying information to their participants (e.g., clinical researchers) pursuant to the general Start Printed Page 7007designation on the consent form. Because there are no definitive data sources for this potential range of organizations, we are not associating requests for a list of disclosures with any particular type of organization. Consequently, the number of organizations that must respond to list of disclosures requests is based on the total number of requests each year.

V. Response to Comments

Because of the large number of public comments, we anticipate receiving on this Federal Register document, we are not going to be able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this proposed rule, and, when we proceed with a subsequent document, we will respond to the comments in the preamble to that document.

VI. Regulatory Impact Analysis

A. Statement of Need

This proposed rule is necessary to modernize the Confidentiality of Alcohol and Drug Abuse Patient Records regulations at 42 CFR part 2. The last substantive update to 42 CFR part 2 was in 1987. The part 2 laws were written out of great concern about the potential use of substance use disorder treatment information causing individuals with substance use disorders from seeking needed treatment. Over the last 25 years, significant changes have occurred within the U.S. health care system that were not envisioned by the current regulations, including new models of integrated care that are built on a foundation of information sharing to support coordination of patient care, the development of an electronic infrastructure for managing and exchanging patient data, and a new focus on performance measurement within the health care system. The goal of this proposed rule is to update 42 CFR part 2, and clarify the requirements associated with information exchange in these new health care models.

B. Overall Impact

We have examined the impacts of this rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)). Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action that is likely to result in a rule: (1) Having an annual effect on the economy of $100 million or more in any 1 year, or adversely and materially affecting a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local or tribal governments or communities (also referred to as “economically significant”); (2) creating a serious inconsistency or otherwise interfering with an action taken or planned by another agency; (3) materially altering the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raising novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

A regulatory impact analysis must be prepared for major rules with economically significant effects ($100 million or more in any 1 year). This rule does not reach the economic threshold and thus is not considered a major rule.

When estimating the total costs associated with changes to the 42 CFR part 2 regulations, we assumed five sets of costs: updates to health IT systems costs, costs for staff training and updates to training curriculum, costs to update patient consent forms, costs associated with providing patients a list of entities to which their information has been disclosed pursuant to a general designation on the consent form (i.e., the List of Disclosures requirement), and implementation costs associated with the List of Disclosure requirements. We assumed that costs associated with modifications to existing health IT systems, staff training costs associated with updating staff training materials, and costs to update consent forms would be one-time costs the first year the final rule is in effect and would not carry forward into future years. Staff training costs other than those associated with updating training materials are assumed to be ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in effect. The List of Disclosures costs are assumed to be ongoing annual costs to entities named on a consent form that disclose patient identifying information to their participants under the general designation. The List of Disclosures requirement, however, does not go into effect until two years after the final rule is in effect. Therefore, in years 1 and 2, the costs associated with the List of Disclosures provision are limited to implementation costs for entities that chose to upgrade their health IT systems in order to comply with the List of Disclosure requirements.

We estimate, therefore, that in the first year that the final rule is in effect, the costs associated with updates to 42 CFR part 2 would be $74,217,979. In year two, we estimate that costs would be $47,021,182. In years 3 through 10, we estimate the annual costs would be $14,835,444. Over the 10-year period of 2015-2024, the total undiscounted cost of the proposed changes would be $239,922,716 in 2015 dollars. When future costs are discounted at 3 percent or 7 percent per year, the total costs become approximately $220.9 million or $200.9 million, respectively. These costs are presented in the tables below.

Total Cost of 42 CFR Part 2 Revisions

[2015 dollars]

YearStaff training costsConsent form updatesList of disclosuresHealth IT costsTotal costs
(A)(B)(C)(D)(E)
2015$14,881,443$204,786$10,995,750$48,136,000$74,217,979
201611,834,782035,186,400047,021,182
201711,834,78203,000,662014,835,444
Start Printed Page 7008
201811,834,78203,000,662014,835,444
201911,834,78203,000,662014,835,444
202011,834,78203,000,662014,835,444
202111,834,78203,000,662014,835,444
202211,834,78203,000,662014,835,444
202311,834,78203,000,662014,835,444
202411,834,78203,000,662014,835,444
Total121,394,485204,78670,187,44548,136,000239,922,716

Total Cost of 42 CFR Part 2 Revisions—Annual Discounting

[2015 dollars]

YearTotal costsTotal with 3% annual discountingTotal with 7% annual discounting
(E)(F)(G)
2015$74,217,979$74,217,979$74,217,979
201647,021,18245,651,63343,945,030
201714,835,44413,983,82912,957,852
201814,835,44413,576,53312,110,142
201914,835,44413,181,10011,317,889
202014,835,44412,797,18510,577,467
202114,835,44412,424,4519,885,483
202214,835,44412,062,5749,238,769
202314,835,44411,711,2378,634,364
202414,835,44411,370,1338,069,499
Total239,922,716220,976,654200,954,473

The costs associated with the proposed revisions stem from staff training and updates to training curriculum, updates to patient consent forms, compliance with the List of Disclosures requirement (including implementation costs), and updates to health IT infrastructure for information exchange. Based on data from the 2013 N-SSATS, we estimate that 12,034 hospitals, outpatient treatment centers, and residential treatment facilities are covered by part 2. N-SSATS is an annual survey of U.S. substance abuse treatment facilities. Data is collected on facility location, characteristics, and service utilization. Not all treatment providers included in N-SSATs are believed to be under the jurisdiction of the part 2 regulations. The 12,034 number is a subset of the 14,148 substance abuse treatment facilities that responded to the 2013 N-SSATS, and includes all federally operated facilities, facilities that reported receiving public funding other than Medicare and Medicaid, facilities that reported accepting Medicare, Medicaid, TRICARE, and/or ATR voucher payments, or were SAMHSA-certified Opioid Treatment Programs. If a facility did not have at least one of these conditions, it was interpreted not to have received any federal funding and, therefore, not included in the estimate.

If an independently practicing clinician does not meet the requirements of paragraph (1) of the definition of Program (an individual or entity (other than a general medical facility or general medical practice) who holds itself out as providing and provides substance use disorder diagnosis, treatment or referral for treatment), they may be subject to 42 CFR part 2 if they constitute an identified unit within a general medical facility or general medical practice which holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment or if their primary function in the facility or practice is the provision of such services and they are identified as providing such services. Due to data limitations, it was not possible to estimate the costs for independently practicing providers covered by part 2 that did not participate in the 2013 N-SSATS. For example, data from ABAM provides the number of physicians since 2000 who have active ABAM certification. However, there is no source for the number of physicians who have not participated in the ABAM certification process. In addition, it is not possible to determine which ABAM-certified physicians practice in a general medical setting rather than in a specialty treatment facility that was already counted in the N-SSATS data.

Several provisions in the draft NPRM reference “other lawful holders of patient identifying information” in combination with part 2 programs. These other lawful holders must comply with part 2 requirements with respect to information they maintain that is covered by part 2 regulations. However, because this group could encompass a wide range of organizations, depending on whether they received part 2 data via patient consent or as a result of one of the limited exceptions to the consent requirement specified in the regulations, we are unable to include estimates regarding the number and type of these organizations and are only including part 2 programs in this analysis.Start Printed Page 7009

In addition to the part 2 programs described above, entities named on a consent form that disclose patient identifying information to their participants under the general designation must provide patients, upon request, a list of entities to which their information has been disclosed pursuant to a general designation. These entities primarily would include organizations that facilitate the exchange of health information (e.g., HIEs), and may also include organizations responsible for care coordination (e.g., ACOs, CCOs, and patient-centered medical homes (sometimes called health homes)). The most recent estimates of these types of entities are 67 functional, publicly funded HIEs and 161 functional, privately funded HIEs in 2013.[1] As of January 2015, there were an estimated 744 ACOs covering approximately 23.5 million individuals.[2] Finally, in 2014, the Accreditation Association for Ambulatory Health Care, Inc., reported that 7,000 medical practices have been accredited as patient-centered medical homes.[3] While these types of organizations were the primary focus of this provision on the consent form, other types of entities, such as research institutions, may also disclose patient identifying information to their participants (e.g., clinical researchers) pursuant to the general designation on the consent form. Because there are no definitive data sources for this potential range of organizations, we are not associating requests for lists of disclosures with any particular type of organization. We, instead, chose to estimate the number of organizations that must respond to list of disclosures requests based on the total number of requests each year.

1. Direct Costs of Implementing the Proposed Regulations

There is no known baseline estimate of the current costs associated with 42 CFR part 2 compliance. Instead, SAMHSA estimated these cost based on a range of published costs associated with HIPAA implementation and compliance.[4 5]

a. Staff Training

A Standard HIPAA training that meets or exceeds the federal training requirements is, on average, one hour long.[6] Therefore, we also estimated one hour of training per staff to achieve proficiency in the 42 CFR part 2 regulations. To estimate the labor costs associated with staff training, we averaged the average hourly costs for counseling staff in specialty treatment centers ($19.48 [7] ), hospital treatment centers ($21.47 [8] ), and solo practice offices ($22.61 [9] ). The resulting blended rate was $21.19 per hour. In order to account for benefits and overhead costs associated with staff time, we multiplied the blended hourly rate by two. These estimates are only for training costs associated with counseling staff, who we assume will have primary responsibility for executing the functions associated with the NPRM revisions.

With regard to training materials, most part 2 programs are assumed to already have training curricula in place that covers current 42 CFR part 2 regulations, and, therefore, these facilities would only need to update existing training materials rather than develop new materials. The American Hospital Association estimated that the costs for the development of Privacy and Confidentiality training, which would include the development of training materials and instructor labor costs, was $16 per employee training hour in 2000.[10] Because we assumed that part 2 programs would be updating rather than developing training materials, we estimated the cost of training development to be one-half of the cost of developing new materials, or $8 per employee. Adjusted for inflation,[11] training development costs in 2015 would be $10.91 per employee.

Using SAMHSA's 2010-2012 TEDS average annual number of treatment admissions (n=1,861,693) as an estimate of the annual number of patients at part 2 programs and calculated staffing numbers based on a range of counseling staff-to-client ratios (i.e., 1 to 10 [12] and 1 to 5 [13] ). Based on these assumptions, staff training costs associated with part 2 patient consent procedures were projected to range from $9.9 million to $19.8 million in 2015. We averaged the two estimated costs for staff training to determine the final overall estimate of $14,881,443. We assumed the costs associated with updating training materials will be a one-time cost. Therefore, in subsequent years, we assumed the costs associated with staff training will be a function of the blended hourly rate (multiplied by two to account for benefits and overhead costs) and the estimated number of staff (developed based on the same two staff-to-client ratios described above multiplied by estimated patient counts). Staff training costs associated with part 2 revisions are projected to range from $7.9 million to $15.8 million after 2015. We averaged the two estimated costs for staff training to determine the final overall estimate of $11,834,782.

b. Updates to Consent Forms

Updates to the 42 CFR part 2 regulations will need to be reflected in patient consent forms. Results from a 2008 study from the Mayo Clinic Health Care Systems [14] reported actuarial costs for HIPAA implementation activities. The reported cost to update Start Printed Page 7010authorization forms was $0.10 per patient. Adjusted for inflation, costs associated with updating the patient consent forms in 2015 would be $0.11 per patient. We used the average number of substance abuse treatment admissions from SAMHSA's 2010-2012 TEDS as our estimate of the number of clients treated on an annual basis by part 2 facilities. The total cost burden associated with updating the consent forms to reflect to the updated 42 CFR part 2 regulations would be $204,786 (1,861,693 * $0.11).

c. List of Disclosures Costs

The updated part 2 regulations allow patients who have consented to disclose their identifying information using a general designation to request a list of entities to which their information has been disclosed pursuant to the general designation. Under this proposed rule, entities named on a consent form that disclose patient identifying information to their participants under the general designation would be required to provide a list of disclosures after receiving a patient request. Under the List of Disclosure requirements, a patient could make a request, for example, to an organization that facilitates the exchange of health information (e.g., an HIE) or an organization responsible for coordinating care (e.g., an ACO) for a list of disclosures that would include the name of the entity to whom each disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed, and include this information for all entities to whom the patient identifying information has been disclosed pursuant to the general designation in the past two years.

For purposes of this analysis, we assumed that entities disclosing patient identifying information to their participants pursuant to a patient's general designation on a consent form are already collecting the information necessary to comply with the List of Disclosure requirement, in some form, either electronically or using paper records. We also assumed that these entities could comply with the List of Disclosures requirement by either collecting this information electronically by using audit logs to obtain the required information or by keeping a paper record. However, to address possible concerns about technical feasibility and other implementation issues, SAMHSA is proposing that the List of Disclosures requirement become effective two years after the effective date of the final rule to allow entities collecting this information time to review their operations and business processes and to decide whether technological solutions are needed to enable them to more efficiently comply with the requirement.

In order to make preliminary estimates of the implementation costs, we first estimated the number of potentially impacted entities based on the anticipated number of patient requests for a disclosure report in a calendar year. We used the average number of substance abuse treatment admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as the number of patients treated annually by part 2 programs. We then used the average of a 0.1 and 2 percent patient request rate as our estimate of the number of impacted entities (n = 19,548).

From there, we assumed ten percent of the impacted entities would use paper records to comply with the disclosure reporting requirements (n = 1,995) and would have minimal implementation costs in years 1 and 2. Among the remaining entities, many may be able to comply with the disclosure reporting requirements without developing or implementing new technologies. For entities that do choose to either update their existing capabilities or develop and implement new technologies to facilitate compliance, we assumed two sets of costs: (1) Planning and policy development costs in year 1 and (2) system update costs in year 2.

Absent any data on the number of facilities that would require new technology or the type of technology to be implemented, we assumed that twenty-five percent (n = 4,398) of the remaining entities would choose to upgrade their existing health IT systems. The actual system upgrade costs will vary considerably based on the type of upgrades that are required. Some entities may only require minor system updates to streamline the reporting requirements, while others may choose to implement an entirely new system. Given these data limitations, we assumed an average, per-entity cost, of $2,500 for planning development costs in year 1 and an average, per-entity cost, of $8,000 for system upgrades in year 2. The implementation costs for List of Disclosure reporting compliance across are estimated to be $10,995,750 in year 1 (4,398 * $2,500) and $35,186,400 (4,398 * $8,000) in year 2.

Once the disclosure reporting requirements go into effect, we assumed that the majority of the costs associated with the List of Disclosures requirement would primarily come from staff time needed to prepare a list of disclosures upon a patient's request. We also assumed that the information would need to be converted to a format that is accessible to patients.

For those entities with a health IT system, we expected that disclosure information would be available in the system's audit log. We also assumed that, unless the audit log has some sort of electronic filtering system, it would contain information above and beyond the requirements for complying with a request for a list of disclosures. We have also assumed that the staff accessing and filtering an audit log to compile the information for lists of disclosures would be health information technicians. The average hourly rate for health information technicians is $18.68 an hour.[15] In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two. Absent any existing information on the amount of time associated with producing a list of disclosures from an audit log, we assumed it would take a health information technician half a day (or four hours) on average, to produce the list from an audit log.

For entities using paper records to track disclosures, we expected that a staff member would need to gather and aggregate the requested list of disclosures from paper records. We assumed medical record technicians would be the staff with the primary responsibility for compiling the information for a list of disclosures. The average hourly rate for medical record technicians is $18.68 an hour.[16] In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two. Absent any existing information on the amount of time associated with producing a list of disclosures from paper records, we assumed it would take a medical record technician three hours, on average, to produce the list from paper records.[17]

Start Printed Page 7011

The number of requests for a list of disclosures will determine the overall burden associated with the List of Disclosures reporting requirements. However, because this is a new requirement, there were no data on which to base an estimated number of requests per year. We expect that the rate of requests will be relatively low. We therefore calculated the total costs for two rates, 0.1 percent and 2 percent of patients per year.

We used the average number of substance abuse treatment admissions from SAMHSA's 2010-2012 TEDS as the number of patients treated annually by part 2 programs. Assuming that 10 percent of patients making requests (n = 186.17 to n = 3,723.39) would request a list of disclosures from entities that track disclosures through paper records and 90 percent of patients making requests (n = 1,675.52 to n = 33,510.47) would make such a request of entities that track disclosures through health IT audit logs, the estimated costs to develop lists of disclosures range from $20,865.86 to $417,317.10 for entities using paper records, and $250,390.26 to $5,007,805.23 for entities using audit logs. (These ranges reflect the costs based on the two estimated patient rates of request referenced above (i.e., 0.1 percent and 2 percent of patients per year)).

Once a list of disclosures has been produced, it can be returned to the patient either by email or mail. Since the method of sending the list of disclosures depends on patient preference, we assumed that 50 percent of the lists of disclosures would be sent by email and 50 percent by first-class mail. We assumed that mailing and supply costs related to list of disclosures notifications were $0.10 supply cost per notification and $0.49 postage cost per mailing. We also estimated that it would take an administrative staff member 15 minutes to prepare each list of disclosures for mailing and/or transmitting, and that staff preparing the letters earn $15.01 [18] per hour. In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two. The estimated costs for list of disclosures notifications range from $7,535.20 to $150,704.05 for notifications sent by first-class mail, and $6,986 to $139,720.06 for notifications sent by email.

To produce the final overall cost estimate, we took the average of the minimum and maximum estimated costs to develop lists of disclosures by entities collecting the information electronically by using an audit log, and the average of the minimum and maximum estimated costs to develop lists of disclosures by entities using paper records. We then added the averages together to produce our estimate of the total cost to entities to develop lists of disclosures. Next we took the average of the minimum and maximum estimated costs for list of disclosures notifications sent via email and the minimum and maximum estimated costs for such notifications sent via first-class mail. We then added these two averages together to produce our estimate of the total cost to entities for list of disclosures notifications. Finally, the development and notification costs for these lists of disclosures were added together for the final estimate of costs associated with complying with List of Disclosure reporting requirements. The total cost for List of Disclosure reporting compliance across all entities was $3,000,661.88 in 2015 dollars. Complying with List of Disclosure requirements is assumed to be an ongoing, annual activity. Across the ten-year period, the total costs associated with the List of Disclosure reporting includes $10,995,750 in year 1, $35,186,400 in year 2, and $3,000,662 annually in years 3-10 for a total cost of $70,187,445 across the ten-year period.

Total Disclosure Reporting Costs in 2015

Minimum estimated costMaximum estimated costAverage estimated cost
Facilities with a Health IT System$250,390$5,007,805$2,629,098
Facilities without a Health IT System20,865417,317219,091
Total Costs2,848,189
Average Number of Facilities19,548

Total Disclosure Notification Costs in 2015

Minimum estimated costMaximum estimated costAverage estimated cost
Email Notification$6,986$139,720$73,353
First Class Mail Notification7,535150,70479,120
Total Costs152,473

d. IT Updates

SAMHSA, in collaboration with ONC and Federal and community stakeholders, has developed Consent2Share which is an open source tool for consent management and data segmentation that is designed to integrate with existing EHR and HIE systems. The Consent2Share architecture has a front-end, patient facing system known as Patient Consent Management and a backend control system known as Access Control Services. Communications with EHR vendors indicate that the cost to facilities of purchasing and installing additional functionality to existing electronic medical records applications, such as Consent2Share, typically range from $2,500 to $5,000. Because the add-on systems for part 2 programs may be more complex than standard patient monitoring systems, we estimate that the cost of adding the new functionality would be approximately $8,000 per facility. We also assumed that this Start Printed Page 7012would be a one-time expense, rather than a recurring cost, for each provider.

Furthermore, national estimates indicated that no more than 50 percent of substance use disorder treatment facilities have an operational “computerized administrative information system.” [19] We, therefore, estimated that only half of the 12,034 part 2 programs (i.e., 6,017 facilities) would have operational health IT systems that would require modifications to account for the changes to 42 CFR part 2. With 6,017 part 2 programs with operational information systems, we estimated that each facility would need to spend $8,000 to modify their health IT system, which would lead to a total burden for updating health IT systems of $48,136,000. Updating health IT systems would be a one-time cost, and maintenance costs should be part of general health IT maintenance costs in later years. The proposed rules do not require that part 2 programs adopt health IT systems so there are no health IT costs associated with the estimated 50 percent of substance use disorder treatment facilities that continue to use paper records.

The RFA requires agencies to analyze options for regulatory relief of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. Most hospitals and most other providers are small entities, either by nonprofit status or by having revenues of less than $7.5 million to $38.5 million in any 1 year. Individuals and states are not included in the definition of a small entity. We are not preparing an analysis for the RFA because we have determined, and the Secretary certifies, that this proposed rule would not have a significant economic impact on a substantial number of small entities. While the changes in the regulations would apply to all part 2 programs, the impact on these entities would be quite small. Specifically, as described in the Overall Impact section, the cost to part 2 programs associated with updates to 42 CFR part 2 in the first year that the final rule is in effect would be $74,217,979, a figure that, due to a number of one-time updates, is the highest for any of the 10 years estimated. The per-entity economic impact in the first year would be approximately $6,167 ($74,217,979 ÷ 12,034), a figure that is unlikely to represent 3% of revenues for 5% of impacted small entities. Consequently, it has been determined that the proposed regulations would not have a significant economic impact on small entities.

In addition, section 1102(b) of the Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 603 of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area for Medicare payment regulations and has fewer than 100 beds. We are not preparing an analysis for section 1102(b) of the Act because we have determined, and the Secretary certifies, that this proposed rule would not have a significant impact on the operations of a substantial number of small rural hospitals.

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any 1 year of $100 million in 1995 dollars, updated annually for inflation. In 2014, that threshold is approximately $141 million. This rule would have no consequential effect on state, local, or tribal governments or on the private sector.

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has Federalism implications. Since this rule does not impose any costs on state or local governments, the requirements of Executive Order 13132 are not applicable.

SAMHSA is proposing to modernize 42 CFR part 2. With respect to our proposal to revise the regulations, we do not believe that this proposal would have a significant impact as it gives more flexibility to individuals and entities covered by 42 CFR part 2 but also adds privacy protections within the consent requirements for the patient. We are making this proposal in response to concerns that 42 CFR part 2 is outdated and burdensome.

Executive Order 13132 on Federalism (August 4, 1999) establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has Federalism implications. We have reviewed this proposed rule under the threshold criteria of Executive Order 13132, Federalism, and have determined that it would not have substantial direct effects on the rights, roles, and responsibilities of states, local or tribal governments.

C. Conclusion

SAMHSA is proposing to modernize 42 CFR part 2. With respect to our proposal to revise the regulations, we do not believe that this proposal would have a significant impact as it gives more flexibility to individuals and entities covered by 42 CFR part 2 but also increases privacy protections within the consent requirements and adds an additional confidentiality safeguard for patients. This proposed rule does not reach the economic threshold for requiring a regulatory impact by Executive Orders 12866 and 13563 and thus is not considered a major rule. Likewise, we are not preparing an analysis for the RFA because we have determined, and the Secretary certifies, that this proposed rule would not have a significant economic impact on a substantial number of small entities. We are not preparing an analysis for section 1102(b) of the RFA because we have determined, and the Secretary certifies, that this proposed rule would not have a significant impact on the operations of a substantial number of small rural hospitals. This proposed rule would have no consequential effect on state, local, or tribal governments or on the private sector. Since this rule does not impose any costs on state or local governments, the requirements of Executive Order 13132 on federalism are not applicable.

We invite public comments on this section and request any additional data that would help us determine more accurately the impact on individuals and entities by the proposed rule. In accordance with the provisions of Executive Order 12866, this rule was reviewed by the OMB.

Start List of Subjects

List of Subjects in 42 CFR Part 2

  • Alcohol abuse
  • Alcoholism
  • Drug abuse
  • Grant programs-health
  • Health records
  • Privacy
  • Reporting, and Recordkeeping requirements
End List of Subjects

Regulations Text

For the reasons stated in the preamble of this proposed rule, 42 CFR part 2 is proposed to be revised as follows:

Start Part Start Printed Page 7013

PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

Subpart A—Introduction
2.1
Statutory authority for confidentiality of substance use disorder patient records.
2.2
Purpose and effect.
2.3
Criminal penalty for violation.
2.4
Reports of violations.
Subpart B—General Provisions
2.11
Definitions.
2.12
Applicability.
2.13
Confidentiality restrictions and safeguards.
2.14
Minor patients.
2.15
Incompetent and deceased patients.
2.16
Security for records.
2.17
Undercover agents and informants.
2.18
Restrictions on the use of identification cards.
2.19
Disposition of records by discontinued programs.
2.20
Relationship to state laws.
2.21
Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.
2.22
Notice to patients of federal confidentiality requirements.
2.23
Patient access and restrictions on use.
Subpart C—Disclosures with Patient Consent
2.31
Consent requirements.
2.32
Prohibition on re-disclosure.
2.33
Disclosures permitted with written consent.
2.34
Disclosures to prevent multiple enrollments.
2.35
Disclosures to elements of the criminal justice system which have referred patients.
Subpart D—Disclosures without Patient Consent
2.51
Medical emergencies.
2.52
Research.
2.53
Audit and evaluation.
Subpart E—Court Orders Authorizing Disclosure and Use
2.61
Legal effect of order.
2.62
Order not applicable to records disclosed without consent to researchers, auditors and evaluators.
2.63
Confidential communications.
2.64
Procedures and criteria for orders authorizing disclosures for noncriminal purposes.
2.65
Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients.
2.66
Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a part 2 program or the person holding the records.
2.67
Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a part 2 program.
Start Authority

Authority: 42 U.S.C. 290dd-2.

End Authority

Subpart A—Introduction

Statutory authority for confidentiality of substance use disorder patient records.

Title 42, United States Code, Section 290dd-2(g) authorizes the Secretary to prescribe regulations. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this statute, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

Purpose and effect.

(a) Purpose. Under the statutory provisions quoted in § 2.1, these regulations impose restrictions upon the disclosure and use of substance abuse patient records which are maintained in connection with the performance of any part 2 program. The regulations specify in:

(1) Subpart B of this part: General Provisions, including definitions, applicability, and general restrictions;

(2) Subpart C of this part: Disclosures with Patient Consent, including disclosures which require patient consent and the consent form requirements;

(3) Subpart D of this part: Disclosures without Patient Consent, including disclosures which do not require patient consent or an authorizing court order; and

(4) Subpart E of this part: Court Orders Authorizing Disclosure and Use, including disclosures and uses of patient records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders.

(b) Effect. (1) These regulations prohibit the disclosure and use of patient records unless certain circumstances exist. If any circumstance exists under which disclosure is permitted, that circumstance acts to remove the prohibition on disclosure but it does not compel disclosure. Thus, the regulations do not require disclosure under any circumstances.

(2) These regulations are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.

(3) Because there is a criminal penalty (a fine—see 42 U.S.C. 290dd-2(f) and § 2.3) for violating the regulations, they are to be construed strictly in favor of the potential violator in the same manner as a criminal statute (see M. Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)).

Criminal penalty for violation.

Under 42 U.S.C. 290dd-2(f), any person who violates any provision of that statute or these regulations shall be fined not more than $500 in the case of a first offense, and not more than $5,000 in the case of each subsequent offense.

Reports of violations.

(a) The report of any violation of these regulations may be directed to the United States Attorney for the judicial district in which the violation occurs.

(b) The report of any violation of these regulations by an opioid treatment program may be directed to the United States Attorney for the judicial district in which the violation occurs as well as to the Substance Abuse and Mental Health Services Administration (SAMHSA) office responsible for opioid treatment program oversight.

Subpart B—General Provisions

Definitions.

For purposes of these regulations:

Central registry means an organization which obtains from two or more member programs patient identifying information about individuals applying for withdrawal management or maintenance treatment for the purpose of avoiding an individual's concurrent enrollment in more than one treatment program.

Diagnosis means any reference to an individual's substance use disorder or to a condition which is identified as having been caused by that substance use disorder which is made for the purpose of treatment or referral for treatment.

Disclose means to communicate any information identifying a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.

Federally assisted— see § 2.12(b).

Informant means an individual:

(1) Who is a patient or employee of a part 2 program or who becomes a patient or employee of a part 2 program at the request of a law enforcement agency or official; and

(2) Who at the request of a law enforcement agency or official observes Start Printed Page 7014one or more patients or employees of the part 2 program for the purpose of reporting the information obtained to the law enforcement agency or official.

Maintenance treatment means pharmacotherapy for individuals with substance use disorders which reduces the pathological pursuit of reward and/or relief and supports remission of substance use disorder-related symptoms.

Member program means a withdrawal management or maintenance treatment program which reports patient identifying information to a central registry and which is in the same state as that central registry or is not more than 125 miles from any border of the state in which the central registry is located.

Minor, as used in these regulations, means an individual who has not attained the age of majority specified in the applicable state law, or if no age of majority is specified in the applicable state law, the age of eighteen years.

Part 2 program means a federally assisted program (federally assisted as defined in § 2.12(b) and program as defined in this section). See § 2.12(e)(1) for examples.

Part 2 program director means:

(1) In the case of a part 2 program which is an individual, that individual.

(2) In the case of a part 2 program which is an entity, the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer of the part 2 program.

Patient means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a part 2 program. Patient includes any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual's eligibility to participate in a part 2 program. This definition includes both current and former patients.

Patient identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other publicly available information. The term does not include a number assigned to a patient by a part 2 program, if that number does not consist of, or contain numbers (such as a social security, or driver's license number) which could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.

Person means an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as individual and/or entity).

Program means:

(1) An individual or entity (other than a general medical facility or general medical practice) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

(2) An identified unit within a general medical facility or general medical practice that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

(3) Medical personnel or other staff in a general medical facility or general medical practice whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.

Qualified service organization means an individual or entity who:

(1) Provides services to a part 2 program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, accounting, population health management, medical staffing, or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and

(2) Has entered into a written agreement with a part 2 program under which that individual or entity:

(i) Acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the part 2 program, it is fully bound by these regulations; and

(ii) If necessary, will resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by these regulations.

Records means any information, whether recorded or not, received or acquired by a part 2 program relating to a patient. For the purpose of these regulations, records include both paper and electronic records.

Substance use disorder means a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of these regulations, this definition does not include tobacco or caffeine use. (Also referred to as substance abuse.)

Third-party payer means a person who pays, or agrees to pay, for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of their family or on the basis of the patient's eligibility for federal, state, or local governmental benefits.

Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

(1) A patient agrees to be diagnosed, evaluated and/or treated for any condition by an individual or entity; and

(2) The individual or entity agrees to undertake diagnosis, evaluation and/or treatment of the patient, or consultation with the patient, for any condition.

Treatment means the care of a patient suffering from a substance use disorder, a condition which is identified as having been caused by the substance use disorder, or both, in order to reduce or eliminate the adverse effects upon the patient.

Undercover agent means any federal, state, or local law enforcement agency or official who enrolls in or becomes an employee of a part 2 program for the purpose of investigating a suspected violation of law or who pursues that purpose after enrolling or becoming employed for other purposes.

Withdrawal management means the use of pharmacotherapies to treat or attenuate the problematic signs and symptoms arising when heavy and/or prolonged substance use is reduced or discontinued.

Applicability.

(a) General—(1) Restrictions on disclosure. The restrictions on disclosure in these regulations apply to any information, whether or not recorded, which:

(i) Would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person; and

(ii) Is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that Start Printed Page 7015treatment, or making a referral for that treatment.

(2) Restriction on use. The restriction on use of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or not recorded which is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.

(b) Federal assistance. A program is considered to be federally assisted if:

(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (2) of this section relating to the Department of Veterans Affairs and the Armed Forces);

(2) It is being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including but not limited to:

(i) Participating provider in the Medicare program;

(ii) Authorization to conduct maintenance treatment or withdrawal management; or

(iii) Registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders;

(3) It is supported by funds provided by any department or agency of the United States by being:

(i) A recipient of federal financial assistance in any form, including financial assistance which does not directly pay for the substance use disorder diagnosis, treatment, or referral for treatment; or

(ii) Conducted by a state or local government unit which, through general or special revenue sharing or other forms of assistance, receives federal funds which could be (but are not necessarily) spent for the substance use disorder program; or

(4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program.

(c) Exceptions— (1) Department of Veterans Affairs. These regulations do not apply to information on patients receiving substance use disorder treatment who are maintained in connection with the Department of Veterans Affairs provisions of hospital care, nursing home care, domiciliary care, and medical services under Title 38, U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations issued under that authority by the Secretary of Veterans Affairs.

(2) Armed Forces. These regulations apply to any information described in paragraph (a) of this section which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except:

(i) Any interchange of that information within the Armed Forces; and

(ii) Any interchange of that information between the Armed Forces and those components of the Department of Veterans Affairs furnishing health care to veterans.

(3) Communication within a part 2 program or between a part 2 program and an entity having direct administrative control over that part 2 program. The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

(i) Within a part 2 program; or

(ii) Between a part 2 program and an entity that has direct administrative control over the program.

(4) Qualified service organizations. The restrictions on disclosure in these regulations do not apply to communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to the program.

(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on disclosure and use in these regulations do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:

(i) Are directly related to a patient's commission of a crime on the premises of the part 2 program or against part 2 program personnel or to a threat to commit such a crime; and

(ii) Are limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts.

(6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in these regulations do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.

(d) Applicability to recipients of information— (1) Restriction on use of information. The restriction on the use of any information subject to these regulations to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient applies to any person who obtains that information from a part 2 program, regardless of the status of the person obtaining the information or whether the information was obtained in accordance with these regulations. This restriction on use bars, among other things, the introduction of that information as evidence in a criminal proceeding and any other use of the information to investigate or prosecute a patient with respect to a suspected crime. Information obtained by undercover agents or informants (see § 2.17) or through patient access (see § 2.23) is subject to the restriction on use.

(2) Restrictions on disclosures—(i) Third-party payers, administrative entities, and others. The restrictions on disclosure in these regulations apply to:

(A) Third-party payers with regard to records disclosed to them by part 2 programs;

(B) Entities having direct administrative control over part 2 programs with regard to information that is subject to these regulations communicated to them by the part 2 program under paragraph (c)(3) of this section; and

(C) Individuals or entities who receive patient records directly from a part 2 program or other lawful holder of patient identifying information and who are notified of the prohibition on re-disclosure in accordance with § 2.32.

(ii) [Reserved]

(e) Explanation of applicability— (1) Coverage. These regulations cover any information (including information on referral and intake) about patients receiving a diagnosis, treatment, or referral for treatment for a substance use Start Printed Page 7016disorder obtained by a part 2 program. Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners (other than general medical practices) who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment. However, these regulations would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of substance use disorder diagnosis, treatment, or referral for treatment and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services.

(2) Federal assistance to program required. If a patient's substance use disorder diagnosis, treatment, or referral for treatment is not provided by a part 2 program, that patient's record is not covered by these regulations. Thus, it is possible for an individual patient to benefit from federal support and not be covered by the confidentiality regulations because the program in which the patient is enrolled is not federally assisted as defined in paragraph (b) of this section. For example, if a federal court placed an individual in a private for-profit program and made a payment to the program on behalf of that individual, that patient's record would not be covered by these regulations unless the program itself received federal assistance as defined by paragraph (b) of this section.

(3) Information to which restrictions are applicable. Whether a restriction is on use or disclosure affects the type of information which may be available. The restrictions on disclosure apply to any information which would identify a patient as having or having had a substance use disorder. The restriction on use of information to bring criminal charges against a patient for a crime applies to any information obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Note that restrictions on use and disclosure apply to recipients of information under paragraph (d) of this section.)

(4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis identifying a patient as having or having had a substance use disorder which is prepared in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared for the purpose of treatment or referral for treatment but which is not so used is covered by these regulations. The following are not covered by these regulations:

(i) Diagnosis which is made solely for the purpose of providing evidence for use by law enforcement agencies or officials; or

(ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved does not have a substance use disorder (e.g., involuntary ingestion of alcohol or drugs or reaction to a prescribed dosage of one or more drugs).

Confidentiality restrictions and safeguards.

(a) General. The patient records subject to these regulations may be disclosed or used only as permitted by these regulations and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure.

(b) Unconditional compliance required. The restrictions on disclosure and use in these regulations apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a disclosure or use which is not permitted by these regulations.

(c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an identified patient in a health care facility or component of a health care facility which is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgement of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgement does not reveal that the patient has a substance use disorder.

(2) Any answer to a request for a disclosure of patient records which is not permissible under these regulations must be made in a way that will not affirmatively reveal that an identified individual has been, or is being, diagnosed or treated for a substance use disorder. An inquiring party may be provided a copy of these regulations and advised that they restrict the disclosure of substance use disorder patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient.

(d) List of disclosures. Upon request, patients who have consented to disclose their patient identifying information using a general designation pursuant to § 2.31(a)(4)(iv)(C) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.

(1) Under this paragraph (d), patient requests:

(i) Must be made in writing; and

(ii) Are limited to disclosures made within the past two years;

(2) Under this paragraph (d), the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity without a treating provider relationship that serves as an intermediary, as described in § 2.31(a)(4)(iv)) must:

(i) Respond in 30 or fewer days of receipt of the written request; and

(ii) Provide, for each disclosure, the name(s) of the entity(-ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.

Minor patients.

(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for disclosure authorized under subpart C of this part may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.Start Printed Page 7017

(b) State law requiring parental consent to treatment. (1) Where state law requires consent of a parent, guardian, or other individual for a minor to obtain treatment for a substance use disorder, any written consent for disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other individual authorized under state law to act in the minor's behalf.

(2) Where state law requires parental consent to treatment, the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other individual authorized under state law to act in the minor's behalf only if:

(i) The minor has given written consent to the disclosure in accordance with subpart C of this part; or

(ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by the part 2 program director under paragraph (c) of this section.

(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a threat to the life or physical well-being of the applicant or any other individual may be disclosed to the parent, guardian, or other individual authorized under state law to act in the minor's behalf if the part 2 program director judges that:

(1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other individual authorized under state law to act in the minor's behalf; and

(2) The applicant's situation poses a substantial threat to the life or physical well-being of the applicant or any other individual which may be reduced by communicating relevant facts to the minor's parent, guardian, or other individual authorized under state law to act in the minor's behalf.

Incompetent and deceased patients.

(a) Incompetent patients other than minors—(1) Adjudication of incompetence. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to manage their own affairs, any consent which is required under these regulations may be given by the guardian or other individual authorized under state law to act in the patient's behalf.

(2) No adjudication of incompetency. In the case of a patient, other than a minor or one who has been adjudicated incompetent, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer.

(b) Deceased patients—(1) Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.

(2) Consent by personal representative. Any other disclosure of information identifying a deceased patient as having a substance use disorder is subject to these regulations. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable state law. If there is no such applicable state law appointment, the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family.

Security for records.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address:

(1) Paper records, including:

(i) Transferring and removing such records; and

(ii) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable; and

(iii) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use; and

(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and

(v) Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(2) Electronic records, including:

(i) Copying, downloading, forwarding, transferring, and removing such records; and

(ii) Destroying such records, including sanitizing the electronic media on which it was stored, to render the patient identifying information non-retrievable; and

(iii) Maintaining such records; and

(iv) Using and accessing electronic records or other electronic media containing patient identifying information; and

(v) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(b) [Reserved]

Undercover agents and informants.

(a) Restrictions on placement. Except as specifically authorized by a court order granted under § 2.67, no part 2 program may knowingly employ, or enroll as a patient, any undercover agent or informant.

(b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used to criminally investigate or prosecute any patient.

Restrictions on the use of identification cards.

No person may require any patient to carry in their immediate possession while away from the part 2 program premises any card or other object which would identify the patient as having a substance use disorder. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a part 2 program.

Disposition of records by discontinued programs.

(a) General. If a part 2 program discontinues operations or is taken over or acquired by another program, it must remove patient identifying information from its records or destroy its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16, unless:

(1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party); orStart Printed Page 7018

(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program.

(b) Special procedure where retention period required by law. If paragraph (a)(2) of this section applies:

(1) Records, which are paper, must be:

(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”; and

(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable; and

(B) [Reserved]

(ii) Held under the restrictions of these regulations by a responsible person who must, as soon as practicable after the end of the retention period specified on the label, destroy the records and sanitize any associated hard copy media to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.

(2) Records, which are electronic, must be:

(i) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; and

(A) All electronic media on which the patient records or patient identifying information resided prior to being transferred to the device, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16; and

(B) The device must be:

(1) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and

(2) Held under the restrictions of these regulations by a responsible person who must store the container in a manner that will protect the information (e.g., climate controlled environment); and

(C) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt; and

(D) As soon as practicable after the end of the retention period specified on the label, the portable electronic device must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16.

(ii) [Reserved]

Relationship to state laws.

The statute authorizing these regulations (42 U.S.C. 290dd-2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a disclosure permitted under these regulations is prohibited under state law, neither these regulations nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any disclosure prohibited by these regulations.

Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.

(a) Research privilege description. There may be concurrent coverage of patient identifying information by these regulations and by administrative action taken under section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21 CFR part 1316); or section 301(d) of the Public Health Service Act (42 U.S.C. 241(d) and the implementing regulations at 42 CFR part 2a). These research privilege statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research.

(b) Effect of concurrent coverage. These regulations restrict the disclosure and use of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes.

Notice to patients of federal confidentiality requirements.

(a) Notice required. At the time of admission to a part 2 program or as soon thereafter as the patient is capable of rational communication, each part 2 program shall:

(1) Communicate to the patient that federal law and regulations protect the confidentiality of substance use disorder patient records; and

(2) Give to the patient a summary in writing of the federal law and regulations.

(b) Required elements of written summary. The written summary of the federal law and regulations must include:

(1) A general description of the limited circumstances under which a part 2 program may acknowledge that an individual is present or disclose outside the part 2 program information identifying a patient as having or having had a substance use disorder.

(2) A statement that violation of the federal law and regulations by a part 2 program is a crime and that suspected violations may be reported to appropriate authorities consistent with § 2.4, along with contact information.

(3) A statement that information related to a patient's commission of a crime on the premises of the part 2 program or against personnel of the part 2 program is not protected.

(4) A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected.

(5) A citation to the federal law and regulations.

(c) Program options. The part 2 program must devise a notice to comply with the requirement to provide the patient with a summary in writing of the federal law and regulations. In this written summary, the part 2 program also may include information concerning state law and any of the part 2 program's policies that are not inconsistent with state and federal law on the subject of confidentiality of substance use disorder patient records.

Patient access and restrictions on use.

(a) Patient access not prohibited. These regulations do not prohibit a part 2 program from giving a patient access to their own records, including the opportunity to inspect and copy any records that the part 2 program Start Printed Page 7019maintains about the patient. The part 2 program is not required to obtain a patient's written consent or other authorization under these regulations in order to provide such access to the patient.

(b) Restriction on use of information. Information obtained by patient access to their patient record is subject to the restriction on use of this information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).

Subpart C—Disclosures With Patient Consent

Consent requirements.

(a) Required elements for written consent. A written consent to a disclosure under these regulations may be paper or electronic and must include:

(1) The name of the patient.

(2) The name of the part 2 program(s) or other lawful holder(s) of the patient identifying information permitted to make the disclosure.

(3) How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed.

(4)(i) The name(s) of the individual(s) to whom a disclosure is to be made; or

(ii) If the entity has a treating provider relationship with the patient whose information is being disclosed, such as a hospital, a health care clinic, or a private practice, the name of that entity; or

(iii) If the entity does not have a treating provider relationship with the patient whose information is being disclosed and is a third-party payer that requires patient identifying information for the purpose of reimbursement for services rendered to the patient by the part 2 program, the name of the entity; or

(iv) If the entity does not have a treating provider relationship with the patient whose information is being disclosed and is not covered by paragraph (a)(4)(iii) of this section, such as an entity that facilitates the exchange of health information or a research institution, the name(s) of the entity(-ies); and

(A) The name(s) of an individual participant(s); or

(B) The name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or

(C) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed.

(1) When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13(d)).

(2) [Reserved]

(5) The purpose of the disclosure.

(6) A statement that the patient (or other individual authorized to sign in lieu of the patient) confirms their understanding of the terms of their consent.

(7) A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer.

(8) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided.

(9) The signature of the patient and, when required for a patient who is a minor, the signature of an individual authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of an individual authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.

(10) The date on which the consent is signed.

(b) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:

(1) Has expired;

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;

(3) Is known to have been revoked; or

(4) Is known, or through reasonable diligence could be known, by the individual or entity holding the records to be materially false.

Prohibition on re-disclosure.

(a) Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by the following written statement:

This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any patient with a substance use disorder, except as provided at § 2.12(c)(5).

(b) [Reserved]

Disclosures permitted with written consent.

If a patient consents to a disclosure of their records under § 2.31, a program may disclose those records in accordance with that consent to any person identified in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.

Disclosures to prevent multiple enrollments.

(a) Restrictions on disclosure. A part 2 program, as defined in § 2.11, may disclose patient records to a central registry or to any withdrawal management or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:

(1) The disclosure is made when:

(i) The patient is accepted for treatment;

(ii) The type or dosage of the drug is changed; or

(iii) The treatment is interrupted, resumed or terminated.

(2) The disclosure is limited to:

(i) Patient identifying information;

(ii) Type and dosage of the drug; and

(iii) Relevant dates.

(3) The disclosure is made with the patient's written consent meeting the requirements of § 2.31, except that:

(i) The consent must list the name and address of each central registry and each known withdrawal management or maintenance treatment program to which a disclosure will be made; and

(ii) The consent may authorize a disclosure to any withdrawal management or maintenance treatment Start Printed Page 7020program established within 200 miles of the program after the consent is given without naming any such program.

(b) Use of information limited to prevention of multiple enrollments. A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not re-disclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under subpart E of this part.

(c) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose:

(1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and

(2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollments.

(d) Permitted disclosure by a withdrawal management or maintenance treatment program to prevent a multiple enrollment. A withdrawal management or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollments.

Disclosures to elements of the criminal justice system which have referred patients.

(a) A part 2 program may disclose information about a patient to those individuals within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:

(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and

(2) The patient has signed a written consent meeting the requirements of § 2.31 (except paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section.

(b) Duration of consent. The written consent must state the period during which it remains in effect. This period must be reasonable, taking into account:

(1) The anticipated length of the treatment;

(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and

(3) Such other factors as the part 2 program, the patient, and the individual(s) within the criminal justice system who will receive the disclosure consider pertinent.

(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.

(d) Restrictions on re-disclosure and use. An individual within the criminal justice system who receives patient information under this section may re-disclose and use it only to carry out that individual's official duties with regard to the patient's conditional release or other action in connection with which the consent was given.

Subpart D—Disclosures Without Patient Consent

Medical emergencies.

(a) General rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained.

(b) Special rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.

(c) Procedures. Immediately following disclosure, the part 2 program shall document, in writing, the disclosure in the patient's records, including:

(1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;

(2) The name of the individual making the disclosure;

(3) The date and time of the disclosure; and

(4) The nature of the emergency (or error, if the report was to FDA).

Research.

(a) Patient identifying information may be disclosed by the part 2 program or other lawful holder of part 2 data for the purpose of conducting scientific research if the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee makes a determination that the recipient of the patient identifying information:

(1) If a Health Insurance Portability and Accountability Act (HIPAA) covered entity or business associate, has obtained and documented authorization, or a waiver or alteration of authorization, consistent with the HIPAA privacy rule at 45 CFR 164.512(i); or

(2) If subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), provides documentation that the researcher is in compliance with the requirements of the HHS regulations, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116); or

(3) If both a HIPAA covered entity or business associate and subject to the HHS regulations regarding the protection of human subjects, has met the requirements of paragraphs (a)(1) and (2) of this section; and

(b) Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section:

(1) Is fully bound by these regulations and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations.

(2) Must not re-disclose patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under paragraph (b)(4) of this section.

(3) May include part 2 data in reports only in aggregate form to limit the Start Printed Page 7021potential for the disclosure of patient identities.

(4) That requests linkages to data sets from a federal data repository(-ies) holding patient identifying information must have the request reviewed and approved by an Institutional Review Board (IRB) registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified.

(i) Upon request, the researcher may be required to provide evidence of the IRB approval of the research project that contains the data linkage component.

(ii) Except as provided in paragraph (b) of this section, a researcher may not use patient identifying information for data linkages purposes.

(5) Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under § 2.16.

(6) Must retain records in compliance with applicable federal, state, and local record retention laws.

Audit and evaluation.

(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the part 2 program premises or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the part 2 program premises to any individual or entity who agrees in writing to comply with the limitations on re-disclosure and use in paragraph (d) of this section and who:

(1) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local government agency which provides financial assistance to the part 2 program or is authorized by law to regulate its activities; or

(ii) Any individual or entity who provides financial assistance to the part 2 program, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review; or

(2) Is determined by the part 2 program to be qualified to conduct an audit or evaluation of the part 2 program.

(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from a part 2 program premises or downloaded or forwarded to another electronic system or device from the part 2 program's electronic records by any individual or entity who:

(1) Agrees in writing to:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and

(2) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local government agency which provides financial assistance to the part 2 program or is authorized by law to regulate its activities; or

(ii) Any individual or entity who provides financial assistance to the part 2 program, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review.

(c) Medicare, Medicaid, Children's Health Insurance Program (CHIP), or related audit or evaluation. (1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (c) of this section to any individual or entity for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the individual or entity agrees in writing to comply with the following:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section.

(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of a part 2 program by any federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the part 2 program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.

(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in accordance with the following:

(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:

(A) Have in place administrative and clinical systems; and

(B) Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization's management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement with CMS; and

(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE):

(A) Is subject to periodic evaluations by CMS, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;

(B) Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS;

(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;

(D) Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;

(E) Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification of a patient as having or having had a substance use disorder; and

(F) Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (c)(1) of this section.

(4) Program, as defined in § 2.11, includes an employee of, or provider of medical services under the program Start Printed Page 7022when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section.

(5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, then a quality improvement organization which obtains the information under paragraph (a) or (b) of this section may disclose the information to that individual or entity but only for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.

(6) The provisions of this paragraph do not authorize the part 2 program, the federal, state, or local government agency, or any other individual or entity to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (c) of this section.

(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.

Subpart E—Court Orders Authorizing Disclosure and Use

Legal effect of order.

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290dd-2 and these regulations. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under these regulations.

(b) Examples. (1) A person holding records subject to these regulations receives a subpoena for those records. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under these regulations.

(2) An authorizing court order is entered under these regulations, but the person authorized does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person authorized to disclose must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of these regulations.

Order not applicable to records disclosed without consent to researchers, auditors and evaluators.

A court order under these regulations may not authorize qualified personnel, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records.

Confidential communications.

(a) A court order under these regulations may authorize disclosure of confidential communications made by a patient to a part 2 program in the course of diagnosis, treatment, or referral for treatment only if:

(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;

(2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or

(3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

(b) [Reserved]

Procedures and criteria for orders authorizing disclosures for noncriminal purposes.

(a) Application. An order authorizing the disclosure of patient records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which it appears that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given a written consent (meeting the requirements of these regulations) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice. The patient and the person holding the records from whom disclosure is sought must be provided:

(1) Adequate notice in a manner which will not disclose patient identifying information to other persons; and

(2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order.

(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a manner which meets the written consent requirements of these regulations. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that:

(1) Other ways of obtaining the information are not available or would not be effective; and

(2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.

(e) Content of order. An order authorizing a disclosure must:

(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the objective of the order;

(2) Limit disclosure to those persons whose need for information is the basis for the order; and

(3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician-Start Printed Page 7023patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients.

(a) Application. An order authorizing the disclosure or use of patient records to criminally investigate or prosecute a patient may be applied for by the person holding the records or by any law enforcement or prosecutorial officials who are responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice and hearing. Unless an order under § 2.66 is sought with an order under this section, the person holding the records must be provided

(1) Adequate notice (in a manner which will not disclose patient identifying information to other persons) of an application by a law enforcement agency or official;

(2) An opportunity to appear and be heard for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order; and

(3) An opportunity to be represented by counsel independent of counsel for an applicant who is a law enforcement agency or official.

(c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or hearing on the application shall be held in the judge's chambers or in some other manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceedings, the patient, or the person holding the records. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria. A court may authorize the disclosure and use of patient records for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met:

(1) The crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect.

(2) There is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution.

(3) Other ways of obtaining the information are not available or would not be effective.

(4) The potential injury to the patient, to the physician-patient relationship and to the ability of the part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure.

(5) If the applicant is a law enforcement agency or official that:

(i) The person holding the records has been afforded the opportunity to be represented by independent counsel; and

(ii) Any person holding the records which is an entity within federal, state, or local government has in fact been represented by counsel independent of the applicant.

(e) Content of order. Any order authorizing a disclosure or use of patient records under this section must:

(1) Limit disclosure and use to those parts of the patient's record which are essential to fulfill the objective of the order;

(2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of extremely serious crime or suspected crime specified in the application; and

(3) Include such other measures as are necessary to limit disclosure and use to the fulfillment of only that public interest and need found by the court.

Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a part 2 program or the person holding the records.

(a) Application. (1) An order authorizing the disclosure or use of patient records to criminally or administratively investigate or prosecute a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records) may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities.

(2) The application may be filed separately or as part of a pending civil or criminal action against a part 2 program or the person holding the records (or agents or employees of the part 2 program or person holding the records) in which it appears that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has provided a written consent (meeting the requirements of § 2.31) to that disclosure.

(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the part 2 program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order.

(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of § 2.64.

(d) Limitations on disclosure and use of patient identifying information. (1) An order entered under this section must require the deletion of patient identifying information from any documents made available to the public.

(2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient, or be used as the basis for an application for an order under § 2.65.

Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a part 2 program.

(a) Application. A court order authorizing the placement of an undercover agent or informant in a part 2 program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the part 2 program are engaged in criminal misconduct.

(b) Notice. The part 2 program director must be given adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order), unless the application asserts a belief that:Start Printed Page 7024

(1) The part 2 program director is involved in the criminal activities to be investigated by the undercover agent or informant; or

(2) The part 2 program director will intentionally or unintentionally disclose the proposed placement of an undercover agent or informant to the employees or agents who are suspected of criminal activities.

(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find:

(1) There is reason to believe that an employee or agent of the part 2 program is engaged in criminal activity;

(2) Other ways of obtaining evidence of this criminal activity are not available or would not be effective; and

(3) The public interest and need for the placement of an undercover agent or informant in the part 2 program outweigh the potential injury to patients of the part 2 program, physician-patient relationships and the treatment services.

(d) Content of order. An order authorizing the placement of an undercover agent or informant in a part 2 program must:

(1) Specifically authorize the placement of an undercover agent or an informant;

(2) Limit the total period of the placement to six months;

(3) Prohibit the undercover agent or informant from disclosing any patient identifying information obtained from the placement except as necessary to criminally investigate or prosecute employees or agents of the part 2 program; and

(4) Include any other measures which are appropriate to limit any potential disruption of the part 2 program by the placement and any potential for a real or apparent breach of patient confidentiality; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

(e) Limitation on use of information. No information obtained by an undercover agent or informant placed in a part 2 program under this section may be used to criminally investigate or prosecute any patient or as the basis for an application for an order under § 2.65.

Start Signature

Dated: February 2, 2016.

Kana Enomoto,

Acting Administrator, Substance Abuse and Mental Health Services Administration.

Approved: February 4, 2016.

Sylvia M. Burwell,

Secretary, Department of Health and Human Services.

End Signature End Part End Supplemental Information

Footnotes

1.  Trends in Health Information Exchanges (Trends in Health Information Exchanges) https://innovations.ahrq.gov/​perspectives/​trends-health-information-exchanges#3.

Back to Citation

2.  Muhlestein, D. (2015). Growth and Dispersion of Accountable Care Organizations in 2015. Health Affairs Blog, 19.

Back to Citation

3.  Accreditation Association for Ambulatory Health Care. “The Medical Home—Avoiding the Rush to Judgment, Growing Model is a Transformative Process Requiring Perseverance, Patience . . . and Time, Body of Evidence Illustrating Success is Surging” White Paper.

Back to Citation

4.  Kilbridge, P. (2003). The cost of HIPAA compliance. New England Journal of Medicine, 348(15), 1423-1477.

5.  Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs and patient perceptions of privacy safeguards at Mayo Clinic. Joint Commission Journal on Quality and Patient Safety, 34 (1), 27-35.

Back to Citation

6.  65 FR 82462, 82770 (Dec. 28, 2000) (Standards for Privacy of Individually Identifiable Health Information).

Back to Citation

7.  Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed May 2, 2015] Outpatient Mental Health and Substance Abuse Centers (NAICS code 621420), Standard Occupations Classification code (211011) [www.bls.gov/​oes/​].

Back to Citation

8.  Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed May 2, 2014] Psychiatric and Substance Abuse Hospitals (NAICS code 622200), Standard Occupations Classification code (211011) [www.bls.gov/​oes/​].

Back to Citation

9.  Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed September 23, 2014] Offices of Mental Health Practitioners (except Physicians) (NAICS code 621330), Standard Occupations Classification code (211011) [www.bls.gov/​oes/​].

Back to Citation

10.  These estimates are not HHS estimates nor are they HHS-endorsed cost estimates of HIPAA implementation and compliance.

Back to Citation

11.  Calculated using the Consumer Price Index.

Back to Citation

13.  Commonwealth of Pennsylvania—Department of Health Staffing Requirements for Drug and Alcohol Treatment Activities [accessed September 23, 2014]. [http://www.pacode.com/​secure/​data/​028/​chapter704/​s704.12.html.]

Back to Citation

14.  Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs and patient perceptions of privacy safeguards at Mayo Clinic. Joint Commission Journal on Quality and Patient Safety, 34 (1), 27-35.

Back to Citation

15.  Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed June 3, 2015], Standard Occupations Classification code (29-2071) [www.bls.gov/​oes/​].

Back to Citation

16.  IBID.

Back to Citation

17.  For facilities that maintain paper records, consent forms would indicate who has been given access to the record. By contrast, our understanding of health IT audit logs is that they include a record of all instances in which a record has been accessed. The audit log will include a record of who accessed the system, the date the record was accessed, and what operations were performed. The audit logs, therefore, will include considerably more data than what we would anticipate finding in paper records. Unless the audit log has an electronic filtering system, we are assuming that a health information technician will need to manually review all records in an audit log in order to compile the necessary information for a list of disclosures.

Back to Citation

18.  Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed June 3, 2015], Standard Occupations Classification code (31-9092) [www.bls.gov/​oes/​].

Back to Citation

19.  McLellan, AT, Kathleen Meyers, K, Contemporary addiction treatment: A review of systems problems for adults and adolescents, Biological Psychiatry, Volume 56, Issue 10, 15 November 2004, Pages 764-770, ISSN 0006-3223, http://dx.doi.org/​10.1016/​j.biopsych.2004.06.018.

Back to Citation

[FR Doc. 2016-01841 Filed 2-5-16; 11:15 am]

BILLING CODE 4162-20-P