Substance Abuse and Mental Health Services Administration, HHS.
Supplemental notice of proposed rulemaking.
On Feb. 9, 2016, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a Notice of Proposed Rulemaking (NPRM) that proposed policy changes to update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2). SAMHSA explained in the NPRM that these changes were intended to better align the regulations with advances in the U.S. health care delivery system while retaining important privacy protections for individuals seeking treatment for substance use disorders. The last substantive update to these regulations was in 1987. SAMHSA is issuing this Supplemental Notice of Proposed Rulemaking (SNPRM) to propose additional clarifications to the part 2 regulations as amended by the concurrently issued final rule. As noted in the final rule, 42 CFR part 2 Confidentiality of Substance Use Disorder Patient Records, questions raised by commenters highlighted varying interpretations of the 1987 rule's restrictions on lawful holders and their contractors and subcontractors' use and disclosure of part 2-covered data for purposes of carrying out payment, health care operations, and other health care related activities. In consideration of this feedback and given the critical role that third-party payers, other lawful holders, and their contractors, subcontractors, and legal representatives play in the provision of health care services, SAMHSA is issuing this SNPRM to seek further comments on our proposals to address and help clarify these matters before establishing any appropriate restrictions on disclosures to contractors, subcontractors and legal representatives.
To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on February 17, 2017.
You may submit comments, identified by Regulatory Information Number (RIN) 0930-AA21, by any of the following methods:
Electronically: Federal eRulemaking Portal: Go to http://www.regulations.gov and follow the instructions for submitting comments.
Regular, Express or Overnight Mail, or Hand Delivery or Courier: Written comments sent by hand delivery, or mailed by regular, express, or overnight mail must be sent to the following address ONLY: The Substance Abuse and Mental Health Services Administration, Department of Health and Human Services, Attn: Danielle Tarino, SAMHSA, 5600 Fishers Lane, Room 13E89A, Rockville, Maryland 20857.
Please allow sufficient time for mailed comments to be received before the close of the comment period.
Instructions: To avoid duplication, please submit only one copy of your comments by only one method. All submissions received must include the agency name and docket number or RIN for this rulemaking. All comments received will become a matter of public record and will be posted without change to http://www.regulations.gov, including any personal information provided. For detailed instructions on submitting comments and additional information on the rulemaking process and viewing public comments, see the “Request for Public Comments” heading of the SUPPLEMENTARY INFORMATION section of this document.
Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Danielle Tarino, SAMHSA, 5600 Fishers Lane, Room 13E89A, Rockville, Maryland 20857, 240-276-2857, Email address: Danielle.Tarino@samhsa.hhs.gov
End Further Info
Start Supplemental Information
On February 9, 2016, SAMHSA published an NPRM in the Federal Register (81 FR 6987) proposing updates to regulations for the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2). These regulations implement title 42, section Start Printed Page 5486290dd-2 of the United States Code pertaining to Confidentiality of Records. SAMHSA explained in that NPRM, it proposed to update these regulations, last substantively amended in 1987, to reflect development of integrated health care models and growing use of electronic means for exchanging patient information. At the same time, SAMHSA wished to maintain protections for (part 2) patient identifying information, as persons with substance use disorders still may encounter significant discrimination if their information is improperly disclosed.
Elsewhere in this issue of the Federal Register SAMHSA published a final rule. In response to public comments, the final rule provides for greater flexibility in disclosing (part 2) patient identifying information within the health care system while continuing to address the privacy concerns of patients seeking treatment for a substance use disorder. SAMHSA received 376 comments on the NPRM. SAMHSA received a number of comments to the NPRM that went beyond what SAMHSA was proposing. Some commenters to the NPRM urged SAMHSA to clarify the scope of permitted disclosures of (part 2) patient identifying information by third-party payers. Some commenters asked that the current and proposed Qualified Service Organization (QSO) (part 2) patient identifying information disclosure provisions be applied to disclosures by third-party payers and other lawful holders of (part 2) patient identifying information to support health care operations and payment. Some commenters suggested doing this through the expansion of the definition of QSO. For instance, one commenter suggested that the definition of qualified service organization include “lawful holders of [p]art 2 patient identifying information,” stating that ACOs often engage analytics companies to provide support in identifying those high-risk patients who would benefit from care management and other services. Another commenter suggested expanding provisions concerning audits and evaluations to permit CMS to disclose (part 2) patient identifying information to ACOs and bundled payment participating entities for program audit and evaluation purposes. Others noted that QSOs themselves, as well as state Medicaid programs often use software vendors and other contractors, subcontractors, and legal representatives to carry out administrative and claims processing functions. A commenter further urged that the tasks that could be carried out under the QSO policies not only be broadened to include population health management activities but also “clinical professional support services (e.g., quality improvement initiatives, utilization review and management services); third-party liability and coordination of benefit support services; activities related to preventing fraud, waste and abuse; and other activities and functions typically performed by contractors for or on behalf of third-party payers.”
In developing the final rule, SAMHSA responded directly to several of these public comments about the NPRM. For instance, the “To Whom” discussion in the preamble to the final rule provides that: “[f]or purposes of payment-related activities, to the extent that federal or state law authorizes or requires that the Medicaid or Medicare agency or program share data or enter into a contractual arrangement or other formal agreements to do so, written consent to disclose patient identifying information to the agencies or programs (as a third-party payer) under section 2.31(a)(4)(iii)(A) is considered to extend to the contractors, subcontractors, and legal representatives of the agencies or programs.” SAMHSA discussed in the final rule preamble that a “lawful holder” of (part 2) patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a prohibition on re-disclosure notice) or as permitted under the part 2 statute, regulations, or guidance and, therefore, is bound by 42 CFR part 2.
One commenter indicated that state Medicaid agencies hire contractors for a wide array of “administrative functions”; and that those contractors and vendors accessed (part 2) patient identifying information to carry out these activities. Other comments noted the role of third-parties in Medicaid program claims processing. Another commenter suggested that, given the role of MCOs, state Medicaid agencies and other programs, whether a patient designated the “name of the state agency, the MCO or simply Medicaid, the rule should consider consent to apply to the State and its contracted delivery system.” Another commenter similarly urged that “In order to ensure that Medicaid programs can carry out its operational requirements, consent that names the Medicaid agency or the MCO should permit disclosure to the entity's contractors, when necessary.”
With respect to lawful holders, certain commenters requested changes to or highlighted the need for additional guidance regarding how third-party payers may use and disclose (part 2) patient identifying information (as defined in 42 CFR 2.11) as they carry out their payment and health care operations. One commenter asked for explicit confirmation that Medicaid plans were allowed to process claims through a contracted entity (e.g., Medicaid managed care organizations (MCOs)). Similarly, another commenter recommended that the rule clarify that a patient's naming of the state agency, the MCO, or simply Medicaid were all adequate to consent to allowing the patient's information to be released to whichever entity actually conducted the required functions on behalf of the third-party payer. One commenter suggested that such payers should be viewed as intermediaries for purposes of sharing substance use disorder information with treating providers. Other commenters noted that Medicaid agencies and MCOs both require access to (part 2) patient identifying information for the purposes of payment. Another commenter discussed the history of the part 2 rules and asserted that the governing statute, 42 U.S.C. 290dd-2, does not require treating third-party payers differently than other payers. The commenter further asserted that “[e]ssentially all third-party payers contract with third parties to obtain services and perform activities that involve specialized expertise, equipment or other resources that the payer does not maintain in-house due to the associated administrative and other costs.”
These comments, while not addressing specific changes proposed in the NPRM, have prompted SAMHSA to propose additional clarifications and modifications to the part 2 rules to clarify the scope of permissible disclosures. In an effort to address some of the commenters' requests and recommendations for clarity SAMHSA is concurrently issuing this SNPRM with the final rule to elicit public comment on these additional proposals to further clarify and expound upon these pertinent comments. We seek comment on our proposals regarding the following concepts and provisions: The payment and health care operations-related disclosures that can be made to contractors, subcontractors, and legal representatives by lawful holders under the part 2 rule consent provisions; and the provisions governing disclosures for purposes of carrying out a Medicaid, Medicare or Children's Health Insurance Program (CHIP) audit or evaluation. SAMHSA will take any such comments under consideration if it engages in further rulemaking in the future.Start Printed Page 5487
SAMHSA will consider the public comments on this SNPRM, any relevant comments already received on these subjects in response to the February 9, 2016, NPRM and relevant comments made at the June 11, 2014 listening session on part 2 (see 79 FR 26929) before issuing a final rule.
SAMHSA seeks comment on proposals in this SNPRM to retain the notice found in § 2.32 but consider whether an abbreviated notice would be appropriate and in which circumstances, further revise § 2.33 (Disclosures permitted with written consent) define and limit the circumstances in which certain disclosures for the purposes of payment and health care operations can be made; and similarly to further revise § 2.53 (Audit and Evaluation) to expressly address further disclosures by contractors, subcontractors, and legal representatives for purposes of carrying out a Medicaid, Medicare, or CHIP audit or evaluation. SAMHSA also seeks comment on its proposals regarding the establishment of appropriate restrictions and safeguards on lawful holders and their contractors, subcontractors, and legal representatives' use and disclosure of (part 2) patient identifying information for the purposes discussed in this SNPRM. SAMHSA is not soliciting comments on any other issues relating to the final rule and will not consider comments at this time that address changes to part 2 other than those contemplated in this SNPRM.
Section 2.32 Prohibition on Re-Disclosure
SAMHSA does not propose to substantively modify the existing notice at 2.32, but seeks comment on whether it should add a shorter abbreviated statement in subsection (a) Notice to accompany re-disclosure to be used in certain circumstances (e.g., for particular types of disclosures or technical systems) where a shorter notice may be warranted. An abbreviated statement could read, for example, “Data is subject to 42 CFR part 2. Use/disclose in conformance with part 2.”
Section 2.33 Disclosures Permitted With Written Consent
SAMHSA understands that contractors, subcontractors, and legal representatives play an integral role in the management, delivery, and payment of health care services, but believes that limits should be placed on disclosures of (part 2) patient identifying information to such entities to carry out these activities. As such, SAMHSA seeks public comment on its proposal to explicitly list and limit under § 2.33(b), specific types of activities for which any lawful holder of (part 2) patient identifying information would be allowed to further disclose the minimal information necessary for specific payment and health care operations activities described below. While lawful holders may disclose (part 2) patient identifying information to contractors, subcontractors, and legal representatives for these purposes, this proposal makes clear the scope and requirements for those permitted disclosures. To the extent that a written consent permits the use of part 2 patient identifying information for payment or healthcare operations, this provision at § 2.33(b) specifies that the further disclosures specified below can be made. SAMHSA notes that this list of activities related to payment and health care operation is similar to the HIPAA Privacy Rule's definition of the terms “payment” and “health care operations,” although SAMHSA is not adopting those definitions in their entirety. The payment and health care operation activities listed in this section does not include activities that SAMHSA considers to be related to the patient's diagnosis, treatment, or referral for treatment. SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom they will have direct contact. For these reasons, this provision will not cover care coordination or case management and the proposal provides that disclosures to contractors, subcontractors, and legal representatives to carry out other purposes are not permitted under this section. SAMHSA will consider certain payment or health care operations-related activities permissible for lawful holders to disclose to contractors, subcontractors, or legal representatives as long as the activities fit within the overall purpose of the written consent. See paragraphs (b)(1) through (17) of § 2.33
SAMHSA also solicits comment on whether the proposed listing of explicitly permitted activities is adequate and appropriate to ensure the health care industry's ability to conduct necessary payment and the described health care operational functions, while still affording adequate privacy protections for the individuals who were diagnosed, treated, or referred for treatment. We note that contractors, subcontractors, and legal representatives that would receive data under this provision would become lawful holders upon receipt of such data, and, as such, would themselves be subject to the part 2 requirements. Moreover, consent would still be required and disclosures must be made in accordance with section 2.13(a), Confidentiality restrictions and safeguards, which states that “[a]ny disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure.” Consequently, the stated purpose of a written consent limits the scope of the disclosures with respect to the (part 2) patient identifying information disclosed. In addition, lawful holders that disclose (part 2) patient identifying information to contractors, subcontractors, and legal representatives for payment and the described health care operations may only disclose (part 2) patient identifying information to contractors, subcontractors, and legal representatives that perform a function that is consistent with the stated purpose of the consent and only to perform that function. SAMHSA seeks comments on the proper mechanisms to convey the scope of the consent to lawful holders, contractors, subcontractors, and legal representatives, including those who are downstream recipients of (part 2) patient identifying information given current electronic data exchange technical designs.
SAMHSA also believes that it is critical that contractors, subcontractors, and legal representatives understand their obligations with respect to (part 2) patient identifying information. Accordingly, SAMHSA proposes new regulatory text under § 2.33(c) requiring that lawful holders that engage contractors and subcontractors to carry out payment and the described health care operations that will entail using or disclosing (part 2) patient identifying information include specific contract and subcontract provisions requiring contractors and subcontractors to comply with the provisions of part 2. An appropriate comparable instrument will suffice in cases where there is otherwise no contract between the lawful holder and a legal representative who is retained voluntarily (as opposed to one who is required to represent the lawful holder by law, in which case the requirement for a contract or comparable instrument in 2.33(c) shall not apply). SAMHSA proposes to amend subsection (b) and add a new subsection (c) to the disclosure permitted with written consent provisions at § 2.33. SAMHSA seeks comment on the proposal to revise Start Printed Page 5488disclosures permitted with written consent provision in § 2.33.
Section 2.53 Audit and Evaluation
SAMHSA recognized in the final rule the critical importance of audits and evaluations. Accordingly, SAMHSA made clear that disclosures of patient identifying information to ACO's and similar CMS-regulated entities to carry out Medicare, Medicaid and Children's Health Insurance Program (CHIP) audit and evaluation activities are permitted.
However, public comments requested further specification regarding the permitted disclosures of (part 2) patient identifying information for audit and evaluation purposes. Public commenters noted that, as with other payment and health care operations, contractors, subcontractors, and legal representatives may be tasked with conducting audit and evaluation activities. Such entities may not be CMS-regulated, and may be conducted for private payers as well as Medicare and Medicaid programs. In addition, commenters noted that audits and evaluations may include quality improvement activities, as well as efforts related to reimbursement and financing. As such, SAMHSA proposes further amendment as set out in the regulatory text of section 2.53.
Request for Public Comments
SAMHSA believes that the new proposals and clarifications discussed above will provide the desired solutions and understanding sought by commenters to the NPRM, while also offering patient protections appropriate to the current health care environment.
In making these proposals, SAMHSA notes that such payment and the described health care operations and audit and evaluation functions will still be governed by other applicable laws and regulations, such as the HIPAA Privacy and Security Rules, in addition to 42 CFR part 2.
SAMHSA notes that the fact that lawful holders and part 2 programs are permitted to disclose data in no way obviates the overarching purpose of part 2: to protect (part 2) patient identifying information for patients seeking diagnosis, treatment, or referral for treatment for substance use disorders. Lawful holders and part 2 programs have responsibility to exercise due diligence with respect to their contractors, subcontractors, or legal representatives to whom they disclose or with whom they exchange (part 2) patient identifying information. Should the changes in this SNPRM be adopted, SAMHSA anticipates issuing further guidance about these topics.
SAMHSA seeks specific comment on the implications of these proposed changes on the privacy and confidentiality of records concerning substance use disorder diagnosis, prognosis and treatment, and referral for treatment and overall goals of the part 2 rules, and the regulatory and financial impact, if any, of these proposals.
SAMHSA also seeks comments on the following for its consideration in future rulemaking and guidance:
(1) Additional purposes for which lawful holders should be able to disclose (part 2) patient identifying information,
(2) Further subregulatory guidance that SAMHSA and other agencies could provide to help facilitate implementation of 42 CFR part 2 in the current healthcare environment.
Regulatory Impact Analysis (RIA)
In this SNPRM, SAMHSA proposes clarifications and revisions of the following: The disclosures permitted with written consent (§ 2.33), the payment and health care operations activities for which lawful holders may disclose (part 2) patient identifying information to their contractors, subcontractors, and legal representatives; and the audit and evaluation provision that permit certain disclosures for purposes of carrying out a Medicaid, Medicare or CHIP audit and evaluation (§ 2.53).
SAMHSA has analyzed the costs of complying with the proposed regulations in this supplemental NPRM. SAMHSA does not believe these revisions, if ultimately adopted, will result in any additional costs to Part 2 programs. Based on public comments, SAMHSA anticipates that these modifications will enhance efficiency of such payment and health care operations as claims processing, business management, training and customer service. The proposal specifies that lawful holders who receive part 2 records under the terms of a patient's written consent are permitted to further disclose those records to their contractors, subcontractors, and legal representatives to carry out payment and certain health care operations described in the SNPRM. When information is shared with contractors, subcontractors, and legal representatives, contract and subcontract provisions (or provisions in an appropriate comparable instrument in the case of certain legal representatives) must be included requiring these entities to comply with the provisions of part 2. Changes proposed to the audit and evaluation provisions will make clear that the individual or entity receiving (part 2) patient identifying information for audit and evaluation or quality improvement purposes is permitted to further disclose this information to contractor(s) or subcontractor(s) to complete these activities. Should these proposals ultimately be adopted, SAMHSA does not anticipate entities will incur any additional costs beyond those analyzed in the Final Rule. Nonetheless, SAMHSA seeks comments on costs and benefits of this change for part 2 programs and any burdens these proposed changes may impose on regulated entities.
Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. PRA issues are discussed in the final rule. SAMHSA anticipates no substantive changes in PRA requirements should changes proposed in the SNPRM be adopted. SAMHSA seeks and will consider public comment on our assumptions as they relate to the PRA requirements.
SAMHSA has examined the impact of this proposed rule under Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act of 1980 (Pub. L. 96-354, September 19, 1980), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, March 22, 1995), and Executive Order 13132 on Federalism (August 4, 1999).
Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to and reaffirms the principles, structures, and definitions governing regulatory review as established in Executive Order 12866. SAMHSA expects that the changes proposed in this SNPRM, if adopted, will not have an annual effect on the economy of $100 million or more in at least 1 year. Therefore, this rule will not be an economically significant regulatory action as defined by Executive Order 12866.
The Regulatory Flexibility Act (RFA) requires agencies that issue a regulation to analyze options for regulatory relief of small businesses if a rule has a Start Printed Page 5489significant impact on a substantial number of small entities. The RFA generally defines a “small entity” as (1) a proprietary firm meeting the size standards of the Small Business Administration; (2) a nonprofit organization that is not dominant in its field; or (3) a small government jurisdiction with a population of less than 50,000 (States and individuals are not included in the definition of “small entity”). For similar rules, HHS considers a rule to have a significant economic impact on a substantial number of small entities if at least 5 percent of small entities experience an impact of more than 3 percent of revenue. SAMHSA anticipates that the proposals in this SNPRM, if adopted, will not have a significant economic impact on a substantial number of small entities.
Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires that agencies prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing “any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.” The current threshold after adjustment for inflation is $146 million, using the most current (2015) implicit price deflator for the gross domestic product. The proposals in this SNPRM, if adopted, would not trigger the Unfunded Mandate Reform Act because it will not result in expenditures of this magnitude by states or other government entities.
Start List of Subjects
End List of Subjects
- Alcohol abuse
- Drug abuse
- Grant programs—health
- Health records
- Reporting, and Recordkeeping requirements
For the reasons stated in the preamble, SAMHSA proposes to amend 42 CFR part 2 as follows:
PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
Start Amendment Part
1. The authority citation for part 2 continues to read as follows: End Amendment Part
Subpart B—General Provisions
Start Amendment Part
2. Revise § 2.33 to read as follows: End Amendment Part
Start Amendment Part
Disclosures permitted with written consent.
(a) If a patient consents to a disclosure of their records under § 2.31, a program may disclose those records in accordance with that consent to any person or category of persons identified or general designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.
(b) If a patient consents to a disclosure of their records under § 2.31 for payment and/or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or the following health care operations on behalf of such lawful holder. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes are not permitted under this section. In accordance with § 2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure.
(1) Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
(2) Clinical professional support services (e.g., quality assessment and improvement; initiatives, utilization review and management services);
(3) Patient safety activities;
(4) Activities pertaining to:
(i) The training of student trainees and health care professionals;
(ii) The assessment of practitioner competencies; and
(iii) The assessment of provider and/or health plan performance;
(iv) Training of non-health care professionals;
(5) Accreditation, certification, licensing, or credentialing activities;
(6) Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
(7) Third-party liability coverage;
(8) Activities related to addressing fraud, waste and abuse;
(9) Conducting or arranging for medical review, legal services, and auditing functions;
(10) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
(11) Business management and general administrative activities, including, but not limited to, management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
(12) Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
(13) Resolution of internal grievances;
(14) The sale, transfer, merger, consolidation, or dissolution of an organization;
(15) Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
(16) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(17) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
(c) Lawful holders who wish to disclose patient identifying information pursuant to subsection (b) of this section must enter into a written contract with the contractor (or appropriate comparable instrument in the case of a legal representative retained voluntarily by the lawful holder), which provides that the contractor and any subcontractor or legal representative are or will be fully bound by the provisions of part 2 upon receipt of the patient identifying data, and, as such that each disclosure shall be accompanied by the notice required under § 2.32. In making such disclosure, the lawful holder should specify permitted uses of patient identifying information consistent with the written consent, by the contractor and any subcontractors or legal Start Printed Page 5490representatives to carry out the payment and health care operations activities listed in the preceding subparagraph, require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder should only disclose information to the contractor or subcontractor or legal representative that is necessary for the contractor or subcontractor to perform its duties under the contract. Also, the contract does not permit a contractor or subcontractor or legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.
3. Amend § 2.53 by: End Amendment Part
Start Amendment Part
a. Revising paragraph (a)(1)(i). End Amendment Part
Start Amendment Part
b. Revising paragraphs (b)(2)(i) and (ii). End Amendment Part
Start Amendment Part
c. Revising paragraph (c)(5). End Amendment Part
The revisions and addition read as follows:
Audit and evaluation.
(a) * * *
(1) * * *
(i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate the activities of the part 2 program or those of the lawful holder;
* * * * *
(b) * * *
(2) * * *
(i) Any federal, state, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate the activities of the part 2 program or those of the lawful holder; or
(ii) Any individual or entity which provides financial assistance to the part 2 program, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review, or such individual's or entity's or quality improvement organization's contractors, subcontractors, or legal representatives.
* * * * *
(c) * * *
(5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, the individual or entity may further disclose the patient identifying information that is received for such purposes to its contractor(s) or subcontractor(s) to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may disclose the information to that individual or entity (or, to such individual's or entity's contractors, subcontractors, or legal representatives, but only for the purposes of this section.
* * * * *
End Supplemental Information
Dated: January 5, 2017.
Acting Deputy Assistant Secretary for Mental Health and Substance Use.
Sylvia M. Burwell,
[FR Doc. 2017-00742 Filed 1-13-17; 11:15 am]
BILLING CODE 4162-20-P