Confidentiality of Substance Use Disorder Patient Records, 6987-7024 [2016-01841]
Download as PDF
<![CDATA[
Vol. 81
Tuesday,
No. 26
February 9, 2016
Part III
Department of Health and Human Services
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
42 CFR Part 2
Confidentiality of Substance Use Disorder Patient Records; Proposed Rule
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
PO 00000
Frm 00001
Fmt 4717
Sfmt 4717
E:\FR\FM\09FEP3.SGM
09FEP3
6988
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
42 CFR Part 2
[SAMHSA–4162–20]
RIN 0930–AA21
Confidentiality of Substance Use
Disorder Patient Records
Substance Abuse and Mental
Health Services Administration
(SAMHSA), HHS.
ACTION: Proposed rule.
AGENCY:
This proposed rule addresses
changes to the Confidentiality of
Alcohol and Drug Abuse Patient
Records regulations. This proposal was
prompted by the need to update and
modernize the regulations. These laws
and regulations governing the
confidentiality of substance abuse
records were written out of great
concern about the potential use of
substance abuse information against an
individual, preventing those individuals
with substance use disorders from
seeking needed treatment. The last
substantive update to these regulations
was in 1987. Over the last 25 years,
significant changes have occurred
within the U.S. health care system that
were not envisioned by the current
regulations, including new models of
integrated care that are built on a
foundation of information sharing to
support coordination of patient care, the
development of an electronic
infrastructure for managing and
exchanging patient information, and a
new focus on performance measurement
within the health care system. SAMHSA
wants to ensure that patients with
substance use disorders have the ability
to participate in, and benefit from new
integrated health care models without
fear of putting themselves at risk of
adverse consequences. These new
integrated models are foundational to
HHS’s triple aim of improving health
care quality, improving population
health, and reducing unnecessary health
care costs. SAMHSA strives to facilitate
information exchange within new
health care models while addressing the
legitimate privacy concerns of patients
seeking treatment for a substance use
disorder. These concerns include: The
potential for loss of employment, loss of
housing, loss of child custody,
discrimination by medical professionals
and insurers, arrest, prosecution, and
incarceration. This proposal is also an
effort to make the regulations more
understandable and less burdensome.
We welcome public comment on this
proposed rule.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
SUMMARY:
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
To be assured consideration,
comments must be received at one of
the ADDRESSES provided below, no later
than 5 p.m. on April 11, 2016.
ADDRESSES: In commenting, please refer
to file code SAMHSA 4162–20.
Because of staff and resource
limitations, we cannot accept comments
by facsimile (FAX) transmission.
You may submit comments in one of
four ways (to avoid duplication, please
submit your comments in only one of
the ways listed):
1. Electronically: Federal
eRulemaking Portal. You may submit
comments electronically to https://
www.regulations.gov. Follow the
‘‘Submit a comment’’ instructions.
2. By regular mail. Written comments
mailed by regular mail must be sent to
the following address ONLY: The
Substance Abuse and Mental Health
Services Administration, Department of
Health and Human Services, Attn:
SAMHSA–4162–20, 5600 Fishers Lane,
Room 13N02B, Rockville, Maryland
20857.
Please allow sufficient time for mailed
comments to be received before the
close of the comment period.
3. By express or overnight mail.
Written comments sent by express or
overnight mail must be sent to the
following address ONLY: The Substance
Abuse and Mental Health Services
Administration, Department of Health
and Human Services, Attn: SAMHSA–
4162–20, 5600 Fishers Lane, Room
13N02B, Rockville, Maryland 20852.
4. By hand or courier. Written
comments delivered by hand or courier
must be delivered to the following
address ONLY: The Substance Abuse
and Mental Health Services
Administration, Department of Health
and Human Services, Attn: SAMHSA–
4162–20, 5600 Fishers Lane, Room
13N02B, Rockville, Maryland 20857.
For information on viewing public
comments, see the beginning of the
SUPPLEMENTARY INFORMATION section.
FOR FURTHER INFORMATION CONTACT: Kate
Tipping, 240–276–1652, Email address:
PrivacyRegulations@samhsa.hhs.gov.
SUPPLEMENTARY INFORMATION:
Inspection of Public Comments: ALL
COMMENTS received before the close
of the comment period are available for
viewing by the public, including any
personally identifiable and/or
confidential information that is
included in a comment. We post all
comments received as soon as possible
after they have been received on the
following Web site: https://
www.regulations.gov. Follow the search
instructions on that Web site to view
public comments.
DATES:
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
PO 00000
Frm 00002
Fmt 4701
Sfmt 4702
Comments received before the close of
the comment period will also be
available for public inspection,
generally beginning approximately 3
weeks after publication of a document,
at the headquarters of the Substance
Abuse and Mental Health Services
Administration, 5600 Fishers Lane,
Rockville, Maryland 20857, Monday
through Friday of each week from 8:30
a.m. to 4 p.m. To schedule an
appointment to view public comments,
phone 240–276–1660.
We will consider all comments we
receive by the date and time specified
in the DATES section of this preamble,
and will respond to the comments in the
preamble of the final rule.
Effective date of proposed § 2.13(d):
As discussed in the preamble, the
proposed § 2.13(d) shall not go into
effect until two years after the effective
date of the final rule.
Table of Contents
To assist readers in referencing
sections contained in this preamble, we
are providing a table of contents.
I. Executive Summary
A. Purpose
B. Summary of the Major Provisions
C. Summary of Impacts
II. Background
A. Significant Technology Changes
B. Statutory and Rulemaking History
III. Provisions of This Proposed Rule
A. Reports of Violations (§ 2.4)
1. Overview
2. Proposed Revisions
B. Definitions (§ 2.11)
1. Overview
2. Proposed Revisions
a. New Definitions
i. Part 2 Program
ii. Part 2 Program Director
iii. Substance Use Disorder
iv. Treating Provider Relationship
v. Withdrawal Management
b. Existing Definitions
i. Central Registry
ii. Disclose or Disclosure
iii. Maintenance Treatment
iv. Member Program
v. Patient
vi. Patient Identifying Information
vii. Person
viii. Program
ix. Qualified Service Organization
x. Records
xi. Treatment
c. Terminology Changes
C. Applicability (§ 2.12)
1. Overview
2. Proposed Revisions
D. Confidentiality Restrictions and
Safeguards (§ 2.13)
1. Overview
2. Proposed Revisions
E. Security for Records (§ 2.16)
1. Overview
2. Proposed Revisions
F. Disposition of Records by Discontinued
Programs (§ 2.19)
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
1. Overview
2. Proposed Revisions
G. Notice to Patients of Federal
Confidentiality Requirements (§ 2.22)
1. Overview
2. Proposed Revisions
H. Consent Requirements (§ 2.31)
1. Overview
2. Proposed Revisions
a. To Whom
i. Overview
ii. Proposed Revisions
b. Amount and Kind
i. Overview
ii. Proposed Revisions
c. From Whom
i. Overview
ii. Proposed Revisions
d. New Requirements
i. Overview
ii. Proposed Revisions
I. Prohibition on Re-disclosure (§ 2.32)
1. Overview
2. Proposed Revisions
J. Disclosures to Prevent Multiple
Enrollments (§ 2.34)
1. Overview
2. Proposed Revisions
K. Medical Emergencies (§ 2.51)
1. Overview
2. Proposed Revisions
L. Research (§ 2.52)
1. Overview
2. Proposed Revisions
M. Audit and Evaluation (§ 2.53)
1. Overview
2. Proposed Revisions
IV. Collection of Information Requirements
V. Response to Comments
VI. Regulatory Impact Analysis
A. Statement of Need
B. Overall Impact
1. Direct Costs of Implementing the
Proposed Regulations
a. Staff Training
b. Updates to Consent Forms
c. List of Disclosures Costs
d. IT Updates
C. Conclusion
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
Acronyms
ACO Accountable Care Organization
ABAM American Board of Addiction
Medicine
ADAMHA Alcohol, Drug Abuse and Mental
Health Administration
ANSI American National Standards
Institute
ARRA American Recovery and
Reinvestment Act of 2009 (Pub. L. 111–5)
ATR Access to Recovery
CCO Coordinated Care Organization
CFR Code of Federal Regulations
CHIP Children’s Health Insurance Program
CMS Centers for Medicare & Medicaid
Services
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
FAX Facsimile
FDA Food and Drug Administration
FR Federal Register
FWA Federalwide Assurance
HHS Department of Health and Human
Services
HIE Health Information Exchange
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
HIPAA Health Insurance Portability and
Accountability Act of 1996 (Pub. L. 104–
191)
HITECH Health Information Technology for
Economic and Clinical Health
HL7 Health Level 7
IG Implementation Guide
IT Information Technology
IRB Institutional Review Board
NPRM Notice of Proposed Rulemaking
N-SSATS National Survey of Substance
Abuse Treatment Services
OECD Organization for Economic
Cooperation and Development
OHRP Office for Human Research
Protections
OMB Office of Management and Budget
ONC Office of the National Coordinator for
Health Information Technology
PDMP Prescription Drug Monitoring
Program
QE Qualified Entity
QSO Qualified Service Organization
QSOA Qualified Service Organization
Agreement
RFA Regulatory Flexibility Act
SAMHSA Substance Abuse and Mental
Health Services Administration
S&I Standards and Interoperability
TEDS Treatment Episode Data Set
U.S.C. United States Code
VA Department of Veterans Affairs
I. Executive Summary
A. Purpose
This proposed rule would revise title
42 of the Code of Federal Regulations
part 2 (42 CFR part 2), Confidentiality
of Alcohol and Drug Abuse Patient
Records regulations. The authorizing
statute (Title 42, United States Code,
Section 290dd–2) protects the
confidentiality of the identity,
diagnosis, prognosis, or treatment of any
patient records which are maintained in
connection with the performance of any
federally assisted program or activity
relating to substance abuse education,
prevention, training, treatment,
rehabilitation, or research. Title 42 of
the CFR part 2 was first promulgated in
1975 (40 FR 27802) and last
substantively updated in 1987 (52 FR
21796).
The laws and regulations governing
the confidentiality of substance abuse
records were written out of great
concern about the potential use of
substance abuse information against
individuals, causing individuals with
substance use disorders to not seek
needed treatment. The disclosure of
records of individuals with substance
use disorders has the potential to lead
to a host of negative consequences
including: Loss of employment, loss of
housing, loss of child custody,
discrimination by medical professionals
and insurers, arrest, prosecution, and
incarceration. The purpose of the
regulations at 42 CFR part 2 is to ensure
PO 00000
Frm 00003
Fmt 4701
Sfmt 4702
6989
that a patient receiving treatment for a
substance use disorder in a part 2
program is not made more vulnerable by
reason of the availability of their patient
record than an individual with a
substance use disorder who does not
seek treatment. Under the current
regulations, a federally assisted
substance use disorder program
generally may only release identifiable
information related to substance use
disorder diagnosis, treatment, or referral
for treatment with the individual’s
express consent. Now over 25 years
later, this proposed rule would make
policy changes to the regulations to
better align them with advances in the
U.S. health care delivery system while
retaining important privacy protections.
Unless otherwise noted, these changes
would be applicable beginning 180 days
after the publication of the final rule. If
programs that were required to comply
with 42 CFR part 2 prior to the effective
date of the final rule continue to fall
within the scope of 42 CFR part 2 as
outlined in the final rule, they would be
required to come into compliance with
any revised regulations by the effective
date of the final rule. However, signed
consent forms in place prior to the
effective date of the final rule would be
valid until they expire. Nonetheless,
part 2 programs may update signed
consent forms consistent with the final
rule, prior to the effective date of the
final rule if they so choose. Consents
obtained after the effective date would
need to comply with the final rule,
regardless of whether the consents
involve patient identifying information
obtained prior to or after the effective
date of the final rule.
B. Summary of the Major Provisions
This proposed rule is intended to
modernize the 42 CFR part 2 (part 2)
rules by facilitating the electronic
exchange of substance use disorder
information for treatment and other
legitimate health care purposes while
ensuring appropriate confidentiality
protections for records that might
identify an individual, directly or
indirectly, as having or having had a
substance use disorder. To achieve this
goal, we propose the following
modifications.
We propose, in Section III.A., Reports
of Violations (§ 2.4), to revise the
requirement for reporting violations of
these regulations by methadone
programs (now referred to as opioid
treatment programs) to the Food and
Drug Administration (FDA) because the
authority over these programs was
transferred from the FDA to Substance
Abuse and Mental Health Services
Administration (SAMHSA) in 2001.
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
6990
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
In Section III.B., Definitions (§ 2.11),
we propose to revise some existing
definitions, add new definitions of key
terms that apply to 42 CFR part 2, and
consolidate all but one of the definitions
that are currently in other sections in
§ 2.11. We propose to revise the
definitions of ‘‘Central registry,’’
‘‘Disclose or disclosure,’’ ‘‘Maintenance
treatment,’’ ‘‘Member program,’’
‘‘Patient,’’ ‘‘Patient identifying
information,’’ ‘‘Person,’’ ‘‘Program,’’
‘‘Qualified service organization (QSO),’’
‘‘Records,’’ and ‘‘Treatment.’’ We also
propose to add definitions of ‘‘Part 2
program,’’ ‘‘Part 2 program director,’’
‘‘Substance use disorder,’’ ‘‘Treating
provider relationship,’’ and
‘‘Withdrawal management.’’ Some of
these new definitions replace existing
definitions. In addition, we propose to
revise the regulatory text to use
terminology in a consistent manner.
In Section III.C., Applicability
(§ 2.12), SAMHSA proposes to continue
to apply the 42 CFR part 2 regulations
to a program that is federally assisted
and holds itself out as providing, and
provides, substance use disorder
diagnosis, treatment, or referral for
treatment, but, where currently
paragraph (1) of the definition of
‘‘Program’’ does not apply to general
medical facilities, SAMHSA now
proposes that paragraph (1) would not
apply to either general medical facilities
or general medical practices. The
proposed language goes on to clarify
that paragraph (2) and (3) of the
definition of Program would apply to
‘‘general medical facilities’’ and
‘‘general medical practices’’ under
certain conditions. For example, an
identified unit within a general medical
facility or general medical practice will
be subject to part 2 if it holds itself out
as providing, and provides, substance
use disorder diagnosis, treatment, or
referral for treatment, or if the primary
function of medical personnel or other
staff in the general medical facility or
general medical practice is the provision
of such services and they are identified
as providing such services.
In Section III.D., Confidentiality
Restrictions and Safeguards (§ 2.13),
SAMHSA proposes to add a
requirement that, upon request, patients
who have included a general
designation in the ‘‘To Whom’’ section
of their consent form (see § 2.31) must
be provided a list of entities to which
their information has been disclosed
pursuant to the general designation.
In Section III.E., Security for Records
(§ 2.16), SAMHSA proposes to clarify
that this section requires both part 2
programs and other lawful holders of
patient identifying information to have
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
in place formal policies and procedures
addressing security, including
sanitization of associated media, for
both paper and electronic records.
In Section III.F., Disposition of
Records by Discontinued Programs
(§ 2.19), we propose to address both
paper and electronic records. SAMHSA
also is proposing to add requirements
for sanitizing associated media.
In Section III.G., Notice to Patients of
Federal Confidentiality Requirements
(§ 2.22), we propose to clarify that the
written summary of federal law and
regulations may be provided to patients
in either paper or electronic format.
SAMHSA also proposes to require the
statement regarding the reporting of
violations include contact information
for the appropriate authorities.
In Section III.H., Consent
Requirements (§ 2.31), SAMHSA is
proposing to allow, in certain
circumstances, a patient to include a
general designation in the ‘‘To Whom’’
section of the consent form, in
conjunction with requirements that: (1)
The consent form include an explicit
description of the amount and kind of
substance use disorder treatment
information that may be disclosed; and
(2) the ‘‘From Whom’’ section of the
consent form specifically name the part
2 program or other lawful holder of the
patient identifying information
permitted to make the disclosure.
SAMHSA also is proposing to require
the part 2 program or other lawful
holder of patient identifying
information to include a statement on
the consent form that the patient
understands the terms of their consent
and, when using a general designation
in the ‘‘To Whom’’ section of the
consent form, that they have a right to
obtain, upon request, a list of entities to
which their information has been
disclosed pursuant to the general
designation (see § 2.13). In addition,
SAMHSA is proposing to permit
electronic signatures to the extent that
they are not prohibited by any
applicable law.
In Section III.I., Prohibition on Redisclosure (§ 2.32), we propose to clarify
that the prohibition on re-disclosure
only applies to information that would
identify, directly or indirectly, an
individual as having been diagnosed,
treated, or referred for treatment for a
substance use disorder, such as
indicated through standard medical
codes, descriptive language, or both,
and allows other health-related
information shared by the part 2
program to be re-disclosed, if
permissible under other applicable
laws.
PO 00000
Frm 00004
Fmt 4701
Sfmt 4702
In Section III.J., Disclosures to Prevent
Multiple Enrollments (§ 2.34), we
propose to modernize the terminology
and definitions and move the
definitions to § 2.11, Definitions.
In Section III.K., Medical Emergencies
(§ 2.51), we propose to revise the
medical emergency exception to make it
consistent with the statutory language
and to give providers more discretion to
determine when a ‘‘bona fide medical
emergency’’ exists.
In Section III.L., Research (§ 2.52),
SAMHSA proposes to revise the
research exception to permit data
protected by 42 CFR part 2 to be
disclosed to qualified personnel for the
purpose of conducting scientific
research by a part 2 program or any
other individual or entity that is in
lawful possession of part 2 data if the
researcher provides documentation of
meeting certain requirements related to
other existing protections for human
research. SAMHSA also is proposing to
address data linkages to enable
researchers holding part 2 data to link
to data sets from federal data
repositories, and is seeking comment on
expanding this provision to non-federal
data repositories.
We propose, in Section III.M., Audit
and Evaluation (§ 2.53), to modernize
the requirements to include provisions
for governing both paper and electronic
patient records. SAMHSA also proposes
to permit an audit or evaluation
necessary to meet the requirements of a
Centers for Medicare & Medicaid
Services (CMS)-regulated accountable
care organization (CMS-regulated ACO)
or similar CMS-regulated organization
(including a CMS-regulated Qualified
Entity (QE)), under certain conditions.
C. Summary of Impacts
Our goal in modernizing the part 2
regulations is to increase opportunities
for individuals with substance use
disorders to participate in new and
emerging health and health care models
and health information technology (IT).
Our intent is to facilitate the sharing of
information within the health care
system to support new models of
integrated health care which, among
other things, improve patient safety
while maintaining or strengthening
privacy protections for individuals
seeking treatment for substance use
disorders. We expect the proposed
changes to 42 CFR part 2 to result in a
decrease in the burdens associated with
several aspects of this rule, including
consent requirements. Moreover, as
patients are allowed, in certain
circumstances, to include a general
designation in the ‘‘To Whom’’ section
of the consent form, we anticipate there
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
would be more individuals with
substance use disorders participating in
organizations that facilitate the
exchange of health information (e.g.,
health information exchanges (HIEs))
and organizations that coordinate care
(e.g., accountable care organizations
(ACOs) and coordinated care
organizations (CCOs)), leading to
increased efficiency and quality in the
provision of health care for this
population.
When estimating the total costs
associated with changes to the 42 CFR
part 2 regulations, we assumed five sets
of costs: Updates to health IT system
costs, costs for staff training and updates
to training curricula, costs to update
patient consent forms, costs associated
with providing patients a list of entities
to which their information has been
disclosed pursuant to a general
designation on the consent form (i.e.,
the List of Disclosures requirement), and
implementation costs associated with
the List of Disclosure requirements. We
assumed that costs associated with
modifications to existing health IT
systems, staff training costs associated
with updating staff training materials,
and costs to update consent forms
would be one-time costs the first year
the final rule is in effect and would not
carry forward into future years. Staff
training costs other than those
associated with updating training
materials are assumed to be ongoing
annual costs to part 2 programs, also
beginning in the first year that the final
rule is in effect. The List of Disclosures
costs are assumed to be ongoing annual
costs to entities named on a consent
form that disclose patient identifying
information to their participants under
the general designation. The List of
Disclosures requirement, however, does
not go into effect until two years after
the final rule is in effect. Therefore, in
years 1 and 2, the costs associated with
the List of Disclosures provision are
limited to implementation costs for
entities that chose to upgrade their
health IT systems in order to comply
with the List of Disclosure
requirements.
We estimate, therefore, that in the first
year that the final rule is in effect, the
costs associated with updates to 42 CFR
part 2 would be $74,217,979. In year
two, we estimate that costs would be
$47,021,182. In years 3 through 10, we
estimate the annual costs would be
$14,835,444. Over the 10-year period
2015–2024, the total undiscounted cost
of the proposed changes would be
$239,922,716 in 2015 dollars. When
future costs are discounted at 3 percent
or 7 percent per year, the total costs
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
become approximately $220.9 million or
$200.9 million, respectively.
Based on data from the 2013 National
Survey of Substance Abuse Treatment
Services (N–SSATS), we estimate that
12,034 hospitals, outpatient treatment
centers, and residential treatment
facilities are covered by part 2. N–
SSATS is an annual survey of U.S.
substance abuse treatment facilities.
Data is collected on facility location,
characteristics, and service utilization.
Not all treatment providers included in
N–SSATs are believed to be under the
jurisdiction of the part 2 regulations.
The 12,034 number is a subset of the
14,148 substance abuse treatment
facilities that responded to the 2013 N–
SSATS, and includes all federally
operated facilities, facilities that
reported receiving public funding other
than Medicare and Medicaid, facilities
that reported accepting Medicare,
Medicaid, TRICARE, and/or Access to
Recovery (ATR) voucher payments, or
were SAMHSA-certified Opioid
Treatment Programs.
If an independently practicing
clinician does not meet the
requirements of paragraph (1) of the
definition of Program (an individual or
entity (other than a general medical
facility or general medical practice) who
holds itself out as providing and
provides substance use disorder
diagnosis, treatment or referral for
treatment), they may be subject to 42
CFR part 2 if they constitute an
identified unit within a general medical
facility or general medical practice
which holds itself out as providing, and
provides, substance use disorder
diagnosis, treatment, or referral for
treatment, or if their primary function in
the facility or practice is the provision
of such services and they are identified
by the facility or practice as providing
such services. Due to data limitations, it
was not possible to estimate the costs
for independently practicing providers
covered by part 2 that did not
participate in the 2013 N–SSATS. For
example, data from the American Board
of Addiction Medicine (ABAM)
provides the number of physicians since
2000, who have active ABAM
certification. However, there is no
source for the number of physicians
who have not participated in the ABAM
certification process. In addition, it is
not possible to determine which ABAMcertified physicians practice in a general
medical setting rather than in a
specialty treatment facility that was
already counted in the N–SSATS data.
Several provisions in the Notice of
Proposed Rulemaking (NPRM) reference
other lawful holders of patient
identifying information in combination
PO 00000
Frm 00005
Fmt 4701
Sfmt 4702
6991
with part 2 programs. These other
lawful holders must comply with part 2
requirements with respect to
information they maintain that is
covered by part 2 regulations. However,
because this group is not clearly defined
with respect to the range of
organizations it may include, we are
unable to include estimates regarding
the number and type of these
organizations and are only including
part 2 programs in this analysis.
In addition to the part 2 programs
described above, entities named on a
consent form that disclose patient
identifying information to their
participants under the general
designation must provide patients, upon
request, a list of entities to which their
information has been disclosed
pursuant to a general designation. These
entities primarily would include
organizations that facilitate the
exchange of health information (e.g.,
HIEs), and also may include
organizations responsible for care
coordination (e.g., ACOs, CCOs, and
patient-centered medical homes
(sometimes called health homes)).
While these types of organizations were
the primary focus of this provision on
the consent form, other types of entities,
such as research institutions, also may
disclose patient identifying information
to their participants (e.g., clinical
researchers) pursuant to the general
designation on the consent form.
Because there are no definitive data
sources for this potential range of
organizations, we are not associating
List of Disclosures requests with any
particular type of organization. Instead,
we chose to estimate the number of
organizations that must respond to List
of Disclosures requests based on the
total number of requests each year.
II. Background
A. Significant Technology Changes
Since the promulgation of 42 CFR part
2, significant technology changes have
impacted the delivery of health care.
The Office of the National Coordinator
for Health Information Technology
(ONC) was established as an office
within the Department of Health and
Human Services (HHS) under Executive
Order 13335 on April 27, 2004.
Subsequently, on February 17, 2009, the
Health Information Technology for
Economic and Clinical Health Act
(HITECH Act) of the American Recovery
and Reinvestment Act of 2009 (ARRA)
(Pub. L. 111–5) expanded the
Department’s health IT work, including
the expansion of ONC’s authority and
the provision of federal funds for ONC’s
activities consistent with the
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
6992
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
development of a nationwide health IT
infrastructure. This work included the
certification of health IT; the
authorization of CMS’ Electronic Health
Record (EHR) Incentive Program,
including payments to eligible providers
for the adoption and meaningful use of
certified EHR technology; and numerous
other federal agencies’ programs—all of
which served the objective of ensuring
patient health information is secure,
private, accurate, and available where
and when needed.
SAMHSA has played a role in
encouraging the use of health IT by
behavioral health (substance use
disorders and mental health) providers.
SAMHSA’s efforts included
collaborating with ONC to develop two
sets of Frequently Asked Questions and
convening a number of stakeholder
meetings to provide guidance on the
application of 42 CFR part 2 within HIE
models. In addition, SAMHSA funded a
one-year pilot project in 2012 with five
state HIEs to support the exchange of
health information among behavioral
health and physical health providers.
SAMHSA also worked with ONC and
other federal agencies on several
projects to support behavioral health
and health information exchange.
The Data Segmentation for Privacy
(DS4P) initiative within ONC’s
Standards and Interoperability (S&I)
Framework facilitated the development
of standards to improve the
interoperability of EHRs containing
sensitive information that must be
protected to a greater degree than other
health information due to 42 CFR part
2 and similar state laws. The DS4P
initiative met its two goals, which were
to: Demonstrate how standards can be
used to support current privacy policies
for sharing sensitive health information
across organizational boundaries; and
develop standards that will enable
sensitive electronic health information
to flow more freely to authorized users
while improving the ability of health IT
systems to implement current privacy
protection requirements for certain
types of health care data, such as
substance use disorder patient records.
The S&I Framework is a collaborative
community of contributors from the
public and private sectors who are
focused on providing the tools, services,
and guidance to facilitate the electronic
exchange of health information. The
DS4P initiative involved 344 volunteers,
including, but not limited to, federal
and state government agencies,
behavioral health providers, EHR and
other IT companies, health information
exchanges, patient advocacy groups,
professional societies/associations,
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
consultants, health systems, health
insurers, and universities.
Through the DS4P initiative, federal
and community stakeholders developed
standards and guidelines for enabling
data segmentation and managing patient
consent preferences. The technical
approach outlined in the DS4P
Implementation Guide (IG) is based on
the experience of the six pilot projects
and the solutions they developed to
meet the DS4P project requirements.
The DS4P IG is an American National
Standards Institute (ANSI) approved
standard. It was also voted on and
approved at the highest level to become
what Health Level 7 (HL7) calls a
normative standard (a foundational part
of the technology needed to meet the
global challenge of integrating health
care information). The HL7 balloting
process included 155 stakeholders,
including HL7 affiliates, vendors,
consultants, payers, providers, nonprofit organizations, and federal
government representatives. The HL7
standard is the currently acceptable
standard for data segmentation and
consent management. In addition, it is
in compliance with 42 CFR part 2.
The six DS4P IG use case pilot
projects that were conducted in
accordance with ONC’s S&I Framework
included the Department of Veterans
Affairs (VA)/Substance Abuse and
Mental Health Services Administration
(SAMHSA) Pilot. The VA/SAMHSA
Pilot implemented all the DS4P use
cases and passed all conformance tests.
The VA/SAMHSA Pilot was also the
first application to show that managing
consents and patient directives, as well
as segmenting structured data in a
patient record, can be done. SAMHSA
used these DS4P standards to develop
the application branded Consent2Share,
an open-source health IT solution which
assists in consent management and data
segmentation. Consent2Share validates
that the DS4P IG can be used to build
a production-based application to
manage the patient consent lifecycle
electronically. The Consent2Share
software is currently being used by the
Prince Georges County (Maryland)
Health Department to manage patient
consent directives while sharing
substance use disorder information with
an HIE. While this technology is not
perfect, it provides a foundational
standard and shows promise for sharing
substance use disorder information
while complying with 42 CFR part 2.
Notwithstanding these efforts,
SAMHSA is aware that technology
adoption is an ongoing process and the
majority of current EHR and HIE
applications may not have the capability
to support the DS4P initiative. In
PO 00000
Frm 00006
Fmt 4701
Sfmt 4702
addition, paper records are still used
today in some part 2 programs and
shared through facsimile (FAX). Despite
SAMHSA’s efforts to clarify the part 2
regulations through guidance and to
demonstrate that exchange of sensitive
health information can be accomplished
through pilot projects that adhere to the
regulations, some stakeholders
continued to request modernization of
42 CFR part 2. These stakeholders are
concerned that part 2, as currently
written, continues to be a barrier to the
integration of substance use disorder
treatment and physical health care. For
example, some substance use disorder
treatment centers cannot participate in
integrated care models because they
have not implemented data
segmentation and consent management
functionalities necessary to comply with
the part 2 rules. Further, under the
current regulations, the part 2 program
director is the only individual
authorized to release of information for
scientific research purposes. In
addition, under the current regulatory
framework, absent consent,
organizations that store patient health
data, including data that are subject to
part 2, do not have the authority to
disclose part 2 data for scientific
research purposes to qualified
researchers or research organizations.
This could hinder a full understanding
of impacts of treatment for addiction
and other health issues. Finally, some
stakeholders continue to request
modernization of the part 2 rules, in
media and other public and private
forums.
B. Statutory and Rulemaking History
The Confidentiality of Alcohol and
Drug Abuse Patient Records regulations,
42 CFR part 2, implement section 543 of
the Public Health Service Act, 42 United
States Code (U.S.C.) § 290dd–2, as
amended by section 131 of the Alcohol,
Drug Abuse and Mental Health
Administration Reorganization Act
(ADAMHA Reorganization Act), Pub. L.
102–321 (July 10, 1992). The regulations
were promulgated as a final rule on July
1, 1975 (40 FR 27802). In 1980, the
Department invited public comment on
15 substantive issues arising out of its
experience interpreting and
implementing the regulations (45 FR
53). More than 450 public responses to
that invitation were received and taken
into consideration in the preparation of
a 1983 NPRM (48 FR 38758).
Approximately 150 comments were
received in response to the NPRM and
were taken into consideration in the
preparation of the final rule released on
June 9, 1987 (52 FR 21798).
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
The Department published a NPRM
again in the Federal Register (FR) on
August 18, 1994 (59 FR 42561), which
proposed a clarification of the definition
of ‘‘Program’’ in the regulations.
Specifically, the Department proposed
to clarify that, as to general medical care
facilities, these regulations cover only
specialized individuals or units in such
facilities that hold themselves out as
providing and provide alcohol or drug
abuse diagnosis, treatment, or referral
for treatment and which are federally
assisted, directly or indirectly. On May
5, 1995, the final rule was released (60
FR 22296).
SAMHSA posted a document in the
Federal Register on May 12, 2014, (79
FR 26929) announcing a public
Listening Session planned for June 11,
2014, to solicit feedback on the
Confidentiality of Alcohol and Drug
Abuse Patient Records regulations, 42
CFR part 2. SAMHSA accepted written
comments until June 25, 2014.
In the Federal Register notification
for the public Listening Session (79 FR
26929), SAMHSA invited general
comments, as well as comments on six
key provisions of 42 CFR part 2:
Applicability, Consent requirements,
Re-disclosure, Medical emergency,
QSO, and Research. In addition,
SAMHSA solicited input on electronic
prescribing and Prescription Drug
Monitoring Programs (PDMPs), areas
that could potentially impact part 2
programs. Approximately 1,800
individuals participated in the listening
session, either in person or by phone.
During the session, 112 oral comments
were made, while another 635 written
comments were submitted during the
written comment period. The Listening
Session comments are posted on the
SAMHSA Web site at https://www.
samhsa.gov/about-us/who-we-are/lawsregulations/public-commentsconfidentiality-regulations. In general,
commenters supported updating the
regulations or opposed it. Some
commenters proposed aligning 42 CFR
part 2 with the Health Insurance
Portability and Accountability Act of
1996 (HIPAA) regulations. However,
due to its targeted population, part 2
provides more stringent federal
protections than most other health
privacy laws, including HIPAA. We are
choosing not to address any specific
comments or summarize comments in
detail in this proposed rule. However,
all the feedback received from the
Listening Session was considered and
helped to inform the development of
this NPRM. In addition, SAMHSA
collaborated with its federal partner
experts in developing this NPRM.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
SAMHSA decided not to address
issues pertaining to e-prescribing and
PDMPs in this NPRM. SAMHSA
concluded that the part 2 program eprescribing and PDMPs are not ripe for
rulemaking at this time due to the state
of technology and because the majority
of part 2 programs are not prescribing
controlled substances electronically.
SAMHSA intends to monitor
developments in this area to see
whether further action may be
warranted in the future.
III. Provisions of This Proposed Rule
The intent of this NPRM is to propose
revisions to key provisions of 42 CFR
part 2 to modernize the regulations
adopted in the June 1987 final rule and
amended by the May 1995 final rule.
This modernization is necessary
because behavioral health, including
substance use disorder treatment, is
essential to overall health; the costs of
untreated substance use disorders, both
personal and societal, are substantial;
and there continues to be a need for
confidentiality protections that
encourage patients to seek treatment
without fear of compromising their
privacy.
Individuals seeking treatment for
substance use disorders often are met
with a host of negative reactions
including discrimination and harm to
their reputations and relationships. In
addition, there is a potential for serious
civil and criminal consequences for the
disclosure of patient identifying
information associated with substance
use disorders beyond the health care
context. We are mindful of the intent of
the governing statute (42 U.S.C. 290dd–
2) and regulations at 42 CFR part 2,
which is to protect the confidentiality of
substance abuse patient records so as
not to make an individual receiving
treatment for a substance use disorder in
a part 2 program more vulnerable by
virtue of seeking treatment than an
individual with a substance use
disorder who does not seek treatment.
SAMHSA strives to facilitate
information exchange within new and
emerging health and health care models,
which promote integrated care and
patient safety, while respecting the
legitimate privacy concerns of patients
seeking treatment for a substance use
disorder due to the potential for
discrimination, harm to their
reputations and relationships, and
serious civil and criminal consequences.
SAMHSA also is mindful that any
regulatory changes contemplated must
be consistent with the authorizing
legislation (42 U.S.C. 290dd–2) and its
statutory intent.
PO 00000
Frm 00007
Fmt 4701
Sfmt 4702
6993
This proposed rule also proposes
editorial changes. SAMHSA deleted
references to 42 U.S.C. 290ee–3 and 42
U.S.C. 290dd–3 in § 2.1, Statutory
authority for confidentiality of drug
abuse patient records, and § 2.2,
Statutory authority for confidentiality of
alcohol abuse patient records. Sections
290dd–3 and 290ee–3 were omitted by
Public Law 102–321 and combined and
renamed into Sections 290dd–2,
Confidentiality of records. We also
combined §§ 2.1 and 2.2 and propose to
rename the new § 2.1 (Statutory
authority for confidentiality of
substance abuse patient records) and redesignate §§ 2.2–2.5. In addition, we
deleted references to laws and
regulations that have been repealed in
§ 2.21. Finally, we made editorial
changes throughout the regulations to
increase clarity and consistency.
Along with proposing substantive
revisions to various sections of 42 CFR
part 2, SAMHSA has proposed a
number of technical, non-substantive
changes for clarity and consistency that
are reflected throughout the regulations.
For the convenience of the public,
SAMHSA is reprinting the text of 42
CFR part 2 in its entirety, which
includes the proposed modifications
incorporated into the existing
provisions. SAMHSA, however, is only
seeking comment on the proposed
changes to the regulations that are
discussed in the preamble of this
NPRM. Sections of 42 CFR part 2 that
have not been proposed for revision are
not subject to review or comment under
this NPRM.
A. Reports of Violations (§ 2.4)
1. Overview
In the current regulations, methadone
programs are required to report
violations of these regulations to the
FDA.
2. Proposed Revisions
We propose to revise the requirement
(§ 2.5(b)) of reporting violations of these
regulations by a methadone program to
the FDA. The authority over methadone
programs (now referred to as opioid
treatment programs) was transferred
from the FDA to SAMHSA in 2001 (66
FR 4076). Suspected violations of 42
CFR part 2 by opioid treatment
programs may be reported to the U.S.
Attorney’s Office for the judicial district
in which the violation occurred, as well
as the SAMHSA office responsible for
opioid treatment program oversight.
E:\FR\FM\09FEP3.SGM
09FEP3
6994
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
B. Definitions (§ 2.11)
1. Overview
Certain defined terms in the current
regulations are used inconsistently.
SAMHSA also received inquiries
regarding certain terms and how they
apply to new health care models. In
addition, the current regulations include
definitions in four different sections
(§§ 2.11, 2.12, 2.14 and 2.34).
2. Proposed Revisions
SAMHSA proposes to consolidate all
of the definitions, with the exception
the definition of the term ‘‘Federally
assisted,’’ in a single section at § 2.11.
SAMHSA proposes to retain the
definition of the term ‘‘Federally
assisted’’ in the Applicability provision
at § 2.12 for the purpose of clarity
because it is key to understanding the
applicability of 42 CFR part 2. We
encourage readers to review all of the
definitions, since a clear understanding
of the regulations builds on an
understanding of the definitions and
their inter-relationships.
a. New Definitions
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
i. Part 2 Program
The current regulations define
‘‘Federally assisted’’ separately from the
term ‘‘Program’’ but do not define the
term ‘‘Part 2 program.’’ In addition, the
terms ‘‘Program’’ and ‘‘federally assisted
alcohol or drug abuse program’’ are used
interchangeably. Therefore, SAMHSA
proposes to define a ‘‘Part 2 program’’
as a federally assisted program
(federally assisted as defined in § 2.12(b)
and program as defined in § 2.11). See
§ 2.12(e)(1) for examples.
We proposed to retain the examples
provided in § 2.12(e)(1) of the current
regulations, with a clarification, because
they explain the part 2 applicability and
coverage.
SAMHSA proposes to replace the
term ‘‘Program’’ with ‘‘Part 2 program,’’
where appropriate. For example, we
propose to revise the definition of QSO,
including replacing ‘‘Program’’ with
‘‘Part 2 program,’’ which is discussed in
depth below (see Section III.B.2.b.,
Existing Definitions). We also propose
to replace ‘‘Program’’ with ‘‘Part 2
program’’ in several other definitions,
while making no additional changes.
ii. Part 2 Program Director
Because of the addition of the ‘‘Part 2
program’’ definition, we also are
proposing to define a ‘‘Part 2 program
director’’ as:
• In the case of a part 2 program
which is an individual, that individual,
and
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
• In the case of a part 2 program
which is an entity, the individual
designated as director or managing
director, or individual otherwise vested
with authority to act as chief executive
officer of the part 2 program.
We propose to delete the definition of
‘‘Program director.’’
iii. Substance Use Disorder
SAMHSA proposes to refer to alcohol
abuse and drug abuse collectively as
‘‘Substance use disorder’’ and, when
referring to the authorizing statute, use
‘‘substance abuse’’ since that is the term
used in Title 42, United States Code,
Section 290dd–2. SAMHSA also uses
the term ‘‘substance abuse’’ when
referencing information from other
publications that use that term.
SAMHSA proposes to use the term
‘‘Substance use disorder’’ to be
consistent with recognized classification
manuals, current diagnostic lexicon,
and commonly used descriptive
terminology, and, for consistency,
proposes to revise the title of 42 CFR
part 2 from ‘‘Confidentiality of Alcohol
and Drug Abuse Patient Records’’ to
‘‘Confidentiality of Substance Use
Disorder Patient Records.’’
While SAMHSA proposes to delete
the definitions of ‘‘Alcohol abuse’’ and
‘‘Drug abuse,’’ we continue to use the
terms ‘‘Alcohol abuse’’ and ‘‘Drug
abuse’’ when referring to 42 U.S.C.
290dd–3 and 42 U.S.C. 290ee–3
(omitted by Pub. L. 102–321 and
combined and renamed into Section
290dd–2), respectively, because they are
the terms used in the outdated statutes.
See § 2.11 of the current regulations for
definitions of the terms ‘‘Alcohol abuse’’
and ‘‘Drug abuse’’.
SAMHSA proposes to define the term
‘‘Substance use disorder’’ in such a
manner as to cover substance use
disorders that can be associated with
altered mental status that has the
potential to lead to risky and/or socially
prohibited behaviors, including, but not
limited to, substances such as, alcohol,
cannabis, hallucinogens, inhalants,
opioids, sedatives, hypnotics,
anxiolytics, and stimulants. In addition,
SAMHSA proposes to clarify that, for
the purposes of these regulations, the
definition excludes both tobacco and
caffeine.
iv. Treating Provider Relationship
As noted in more detail in Section
III.H., Consent Requirements, SAMHSA
has heard a number of concerns from
stakeholders regarding the current
consent requirements in § 2.31 of the
regulations. SAMHSA is proposing to
revise the consent requirements to
permit, in certain circumstances, a more
PO 00000
Frm 00008
Fmt 4701
Sfmt 4702
general description of the individuals or
entities to which a disclosure is made,
but only if the individuals or entities
have a treating provider relationship
with the patient whose information is
being disclosed. This change, therefore,
creates a need to define a treating
provider relationship.
A treating provider relationship
begins when an individual seeks healthrelated assistance from an individual or
entity who may provide assistance.
However, the relationship is clearly
established when the individual or
entity agrees to undertake diagnosis,
evaluation and/or treatment of the
patient, or consultation with the patient,
and the patient agrees to be treated,
whether or not there has been an actual
in-person encounter between the
individual or entity and patient. A
treating provider relationship with a
patient may be established by a health
care provider or another member of a
health care team as long as the
relationship meets the definition of
‘‘Treating provider relationship.’’
A treating provider relationship
means that, regardless of whether there
has been an actual in-person encounter:
• A patient agrees to be diagnosed,
evaluated and/or treated for any
condition by an individual or entity,
and
• The individual or entity agrees to
undertake diagnosis, evaluation and/or
treatment of the patient, or consultation
with the patient, for any condition.
The term ‘‘agrees’’ as used in the
definition does not necessarily imply a
formal written agreement. An agreement
might be evidenced, among other things,
by making an appointment or by a
telephone consultation.
v. Withdrawal Management
SAMHSA proposes to update the
terminology in § 2.34. We propose to
delete the definition of ‘‘Detoxification
treatment’’ and replace it with the
definition of the currently acceptable
term, ‘‘Withdrawal management.’’ We
also propose to move this definition
from § 2.34 to § 2.11 to consolidate
definitions in one section of the
regulations.
b. Existing Definitions
SAMHSA proposes to update
terminology in existing definitions to
accurately convey the meaning of terms
and increase the understandability of
the proposed rule. In addition,
SAMHSA proposes to consolidate all
but one of the defined terms in § 2.11.
i. Central Registry
SAMHSA proposes to update the
terminology in § 2.34 and move this
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
definition from § 2.34 to § 2.11 to
consolidate definitions.
We are proposing to revise the
definition to incorporate currently
accepted terminology.
ii. Disclose or Disclosure
We propose to define only one word,
‘‘Disclose,’’ since it is implied that the
same definition applies to other forms of
the word. We also propose to update
terminology and make the definition
clearer.
iii. Maintenance Treatment
SAMHSA proposes to update the
terminology in § 2.34 and move this
definition from § 2.34 to § 2.11 to
consolidate definitions.
iv. Member Program
SAMHSA proposes to update the
terminology in § 2.34 and move this
definition from § 2.34 to § 2.11 to
consolidate definitions.
v. Patient
To emphasize that the term ‘‘Patient’’
refers to both current and former
patients, SAMHSA proposes to revise
the definition to provide that a patient
is any individual who has applied for or
been given diagnosis, treatment, or
referral for treatment for a substance use
disorder at a part 2 program. Patient
includes any individual who, after
arrest on a criminal charge, is identified
as an individual with a substance use
disorder in order to determine that
individual’s eligibility to participate in
a part 2 program. This definition
includes both current and former
patients.
vi. Patient Identifying Information
SAMHSA proposes to clarify that
‘‘Patient,’’ as used in this definition, is
a defined term in § 2.11. In addition,
SAMHSA deleted the words ‘‘and
speed.’’ If the information could identify
the patient, the speed with which it
identifies the patient is not relevant.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
vii. Person
The current definition of ‘‘Person’’
includes both individuals and entities.
For the purpose of this proposed
regulation, SAMHSA considers an
‘‘individual’’ to be a human being.
SAMHSA proposes to revise the
definition of ‘‘Person’’ to clearly
indicate that ‘‘Person’’ is also referred to
as individual and/or entity.
viii. Program
SAMHSA is proposing to make the
following changes to the ‘‘Program’’
definition. First, because the current
definition of ‘‘Program’’ includes both
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
the terms ‘‘general medical care facility’’
and ‘‘general medical facility,’’ and
because these terms are used
interchangeably, we are proposing to
consistently use the term ‘‘general
medical facility.’’
Second, more substance use disorder
treatment services are occurring in
general health care and integrated care
settings, which are typically not covered
under the current regulations. Providers
who in the past offered only general or
specialized health care services (other
than substance use disorder services)
now, on occasion, provide substance
use disorder treatment services, but only
as incident to the provision of general
health care. Therefore, SAMHSA
proposes to make clear that paragraph
(1) of the definition of ‘‘Program’’ would
not apply to ‘‘general medical facilities’’
and ‘‘general medical practices.’’
However, paragraphs (2) and (3) of the
definition of ‘‘Program’’ would apply to
‘‘general medical facilities’’ and
‘‘general medical practices.’’ Finally,
SAMHSA is proposing to move the
reference to examples from the
definition of ‘‘Program’’ to the definition
of ‘‘Part 2 program’’ because 42 CFR part
2 would apply only to ‘‘Part 2
programs’’ as defined in the proposed
regulations.
The inclusion of general medical
practices with general medical facilities
is consistent with SAMHSA’s intention
to ensure confidentiality protections
and access to treatment for individuals
whose identity as substance use
disorder patients would be
compromised if records of the
specialized programs from which they
seek treatment were not covered by
these regulations while not
unnecessarily imposing requirements on
general medical facilities or practices in
an overly broad manner.
Consistent with the definition of
‘‘Program’’:
1. If a provider is not a general
medical facility or general medical
practice, then the provider meets the
part 2 definition of a ‘‘Program’’ if it is
an individual or entity who holds itself
out as providing, and provides
substance use disorder diagnosis,
treatment, or referral for treatment.
2. If the provider is an identified unit
within a general medical facility or
general medical practice, it is a
‘‘Program’’ if it holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment or referral
for treatment.
3. If the provider consists of medical
personnel or other staff in a general
medical facility or general medical
practice, it is a ‘‘Program’’ if its primary
function is the provision of substance
PO 00000
Frm 00009
Fmt 4701
Sfmt 4702
6995
use disorder diagnosis, treatment, or
referral for treatment and is identified as
such specialized medical personnel or
other staff by the general medical
facility or general medical practice.
While the term ‘‘general medical
facility’’ is not defined at 42 CFR 2.11
(Definitions), hospitals, trauma centers,
or federally qualified health centers
would generally be considered ‘‘general
medical facilities.’’ Therefore, primary
care providers who work in such
facilities would only be covered by the
part 2 definition of a ‘‘Program’’ if: (1)
They work in an identified unit within
such general medical facility that holds
itself out as providing, and provides,
substance use disorder diagnosis,
treatment or referral for treatment, or (2)
the primary function of the providers is
substance use disorder diagnosis,
treatment or referral for treatment and
they are identified as providers of such
services by the general medical facility.
In addition, a practice comprised of
primary care providers could be
considered a ‘‘general medical
practice.’’ As such, an identified unit
within that general medical practice that
holds itself out as providing and
provides substance use disorder
diagnosis, treatment, or referral for
treatment would be considered a
‘‘Program’’ as defined in § 2.11 of these
regulations. In addition, medical
personnel or staff within that general
medical practice whose primary
function is the provision of substance
use disorder services and who are
identified as such providers by the
general medical practice would qualify
as a ‘‘Program’’ under the definition in
these part 2 regulations.
Finally, ‘‘Holds itself out’’ is currently
not defined in § 2.11, Definitions.
SAMHSA has previously published
guidance relative to the term and
proposes to add an explanation of
‘‘Holds itself out’’ to the Preamble
discussion in § 2.12, Applicability.
Consistent with that guidance, ‘‘Holds
itself out’’ means any activity that
would lead one to reasonably conclude
that the individual or entity provides
substance use disorder diagnosis,
treatment, or referral for treatment
including but not limited to:
• Authorization by the state or federal
government (e.g. licensed, certified,
registered) to provide, and provides,
such services,
• Advertisements, notices, or
statements relative to such services, or
• Consultation activities relative to
such services.
As is the case throughout these
regulations, understanding all defined
terms is important. In the case of the
definition of ‘‘Program’’ and how it
E:\FR\FM\09FEP3.SGM
09FEP3
6996
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
relates to the applicability of these
regulations (see § 2.12), two other
definitions are particularly relevant:
‘‘Diagnosis,’’ and ‘‘Treatment.’’ See
§ 2.11 of the proposed regulations for
the definitions of ‘‘Diagnosis’’ and
‘‘Treatment.’’
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
ix. Qualified Service Organization
A qualified service organization
(QSO) is an individual or entity (see
definition of ‘‘Person,’’ above) that
provides a service to a part 2 program
consistent with a qualified service
organization agreement (QSOA). A
QSOA is a two-way agreement between
a part 2 program and the individual or
entity providing the desired service.
Under the current statutory authority,
patient records pertaining to substance
abuse may be shared only with the prior
written consent of the patient or under
a few limited exceptions that are
specifically enumerated in 42 U.S.C.
290dd-2. However, § 2.12(c)(4) indicates
that these restrictions on disclosure do
not apply to communications between a
part 2 program and a QSO regarding
information needed by the QSO to
provide services to the part 2 program
consistent with the QSOA. Accordingly,
SAMHSA has consistently articulated in
applicable guidance that a QSO would
be permitted to disclose the part 2
information to a contract agent if it
needs to do so in order to provide the
services described in the QSOA, and as
long as the agent only discloses the
information back to the QSO or the part
2 program from which the information
originated. If a disclosure is made by the
QSO to an agent acting on its behalf to
perform the service, both the QSO and
the agent are bound by the part 2
regulations, and neither organization
can disclose the information except as
permitted by part 2 and SAMHSA’s
interpretive guidance.
Recognizing the importance of
population health management,
SAMHSA proposes to revise the
definition of QSO to include population
health management in the list of
examples of services a QSO may
provide. Population health management
refers to increasing desired health
outcomes and conditions through
monitoring and identifying individual
patients within a group. To achieve the
best outcomes, providers must supply
proactive, preventive, and chronic care
to all of their patients, both during and
between encounters with the health care
system. For patients with substance use
disorders, who often have comorbid
conditions, proactive, preventive, and
chronic care is important to achieving
desired outcomes.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
Any QSOA executed between a part 2
program and an organization providing
population health management services
would be limited to the office or unit
responsible for population health
management in the organization (e.g.,
the ACO, CCO, patient-centered medical
home (sometimes called health home),
or managed care organization), not the
entire organization and not its
participants (e.g., case managers,
physicians, addiction counselors,
hospitals, and clinics). Once a QSOA is
in place, 42 CFR part 2 permits the part
2 program to communicate information
from patients’ records to the
organization providing population
health management services as long as
it is limited to information needed by
the organization to provide such
services to the part 2 program. An
organization providing population
health management services may
disclose part 2 information that it has
received from a part 2 program to its
participants (other than the originating
part 2 program) only if the patient signs
a part 2-compliant consent form
agreeing to those disclosures.
SAMHSA’s proposal to add
population health management to the
list of examples of the services that may
be offered by a QSO is consistent with
the Affordable Care Act (Patient
Protection and Affordable Care Act of
2010 (Pub. L. 111–148)) and the HHS
Strategic Plan FY 2014–2018 which
includes the goals of improving health
care and population health through
meaningful use of health IT. We believe
this revision would benefit patients’
health, safety, and quality of life while
maintaining the confidentiality
protections that attach to the part 2
program’s patient records.
SAMHSA also proposes to revise the
term ‘‘medical services’’ as listed in the
examples of permissible services offered
by a QSO to clarify that it is limited to
‘‘medical staffing services.’’ SAMHSA
proposes to make this revision to
emphasize that QSOAs should not be
used to avoid obtaining patient consent.
Accordingly, a QSOA could be used by
a part 2 program to contract with a
provider of on-call coverage services
(previously clarified in guidance) or
other medical staffing services but could
not be used to disclose John Doe’s
patient identifying information to his
primary care doctor for the purpose of
treatment (other than that provided
under a QSOA for medical staffing
services). However, an individual or
entity who is prohibited from providing
treatment to an individual patient under
a QSOA, may still meet the
requirements of having a treating
provider relationship (based on the
PO 00000
Frm 00010
Fmt 4701
Sfmt 4702
definition in § 2.11) with respect to the
Consent Requirements in § 2.31.
Likewise, care coordination was not
added to the list of examples of
permissible services offered by a QSO
because care coordination has a patient
treatment component.
x. Records
Consistent with the goal of
modernizing the regulations, SAMHSA
proposes to revise the definition of
‘‘Records’’ to include any information,
whether recorded or not, received or
acquired by a part 2 program relating to
a patient. For the purpose of these
regulations, records include both paper
and electronic records.
xi. Treatment
As part of its effort to modernize these
regulations, SAMHSA is proposing to
delete the term, ‘‘management,’’ from
the ‘‘Treatment’’ definition. In today’s
health care environment,
‘‘management’’ has a much broader
meaning than it did when the
regulations were last revised.
c. Terminology Changes
In addition to proposing changes to
several definitions, we propose the
following terminology changes. These
changes are intended to ensure
consistency in the use of terms
throughout the regulations, and to
increase the understandability of the
proposed rule.
The current regulations use a variety
of terms to refer to law enforcement
(e.g., ‘‘office,’’ ‘‘agency or official,’’ and
‘‘authorities’’) as well as using related
terms (e.g., ‘‘persons or individuals
within the criminal justice system’’. We
propose to consistently refer to law
enforcement as ‘‘law enforcement
agencies or officials.’’ In addition, the
current regulations use the terms
‘‘organization’’ and ‘‘entity.’’ Neither
term is defined but ‘‘entity’’ is included
in both the definition of ‘‘Program’’ and
‘‘Person.’’ For this reason, we propose to
use the term ‘‘entity’’ instead of
‘‘organization’’ wherever possible.
Finally, because we have revised the
definition of ‘‘Patient’’ to clarify that it
includes both current and former
patients, we have revised the grammar,
where appropriate.
For the purposes of this regulation,
we also propose that the term ‘‘written’’
include both paper and electronic
documentation. In addition, we propose
to use the phrase ‘‘part 2 program or
other lawful holder of patient
identifying information’’ to refer to a
part 2 program or other individual or
entity that is in lawful possession of
patient identifying information. A
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
‘‘lawful holder’’ of patient identifying
information is an individual or entity
who has received such information as
the result of a part 2-compliant patient
consent (with a re-disclosure notice) or
as a result of one of the limited
exceptions to the consent requirements
specified in the regulations and,
therefore, is bound by 42 CFR part 2.
Examples of such ‘‘lawful holders’’ of
patient identifying information include
a patient’s treating provider, a hospital
emergency room, an insurance
company, an individual or entity
performing an audit or evaluation, or an
individual or entity conducting
scientific research. We are not making
any specific proposals with regard to
‘‘unlawful holders’’ of patient
identifying information in this NPRM
because unlawful holders are addressed
in § 2.3 Criminal penalty for violation.
A patient who has obtained a copy of
their records or a family member who
has received such information from a
patient would not be considered a
‘‘lawful holder of patient identifying
information’’ in this context. As stated
in § 2.23(a), the regulations do not
prohibit a part 2 program from giving a
patient access to their own records,
including the opportunity to inspect
and copy any records that the part 2
program maintains about the patient.
The part 2 program is not required to
obtain a patient’s written consent or
other authorization under these
regulations in order to provide such
access to the patient or their legal
representative.
C. Applicability (§ 2.12)
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
1. Overview
The 1987 regulations (52 FR 21798)
limited the applicability of 42 CFR part
2 to specialized programs, (i.e., to those
federally assisted programs that hold
themselves out as providing and which
actually provide alcohol or drug abuse
diagnosis, treatment, and referral for
treatment). HHS took the position that
limiting the applicability to specialized
programs would simplify the
administration of the regulations
without significantly affecting the
incentive to seek treatment provided by
the confidentiality protections.
Applicability to specialized programs
lessened the adverse economic impact
on a substantial number of facilities that
provided substance use disorder care
only as an incident to the provision of
general medical care.
2. Proposed Revisions
SAMHSA considered options for
defining what information is covered by
42 CFR part 2, including the option of
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
defining covered information based on
the type of substance use disorder
treatment services provided instead of
the type of facility providing the
services. SAMHSA, however, rejected
that approach because more substance
use disorder treatment services are
occurring in general health care and
integrated care settings, which typically
are not covered under the current
regulations. Providers who in the past
offered only general or specialized
health care services (other than
substance use disorder services) now,
on occasion, provide substance use
disorder treatment services, but only as
incident to the provision of general
health care.
As discussed in Section III.B.2.b.,
Existing Definitions, we propose to
revise the definition of ‘‘Program’’ to
align it more closely with current health
care delivery models. SAMHSA
proposes to make clear that paragraph
(1) of the definition of ‘‘Program’’ would
not apply to ‘‘general medical facilities’’
and ‘‘general medical practices.’’
However, paragraphs (2) and (3) of the
definition of ‘‘Program’’ would apply to
‘‘general medical facilities’’ and
‘‘general medical practices.’’
SAMHSA also proposes to include the
term ‘‘Part 2 program,’’ as discussed in
Section III.B.2.a.i. The definition of
‘‘Program’’ in § 2.11 did not explicitly
include ‘‘Federally assisted as defined
in § 2.12(b)’’. As a result, we are
proposing to add a definition of ‘‘Part 2
program.’’ We propose to define the
term and to use the term ‘‘Part 2
program,’’ where appropriate,
throughout the proposed regulations.
This approach is consistent with the
approach taken in 1987 because it
essentially limits the applicability of 42
CFR part 2 to specialized programs,
which simplifies the administration of
the regulations without significantly
affecting the incentive to seek treatment
provided by the confidentiality
protections. We do not foresee that the
exclusion from part 2 coverage of health
care providers who work in general
medical practices and provide substance
use disorder treatment services as
incident to the provision of general
health care would act as a deterrent to
individuals seeking assistance for
substance use disorders.
In addition, in the current regulation,
§ 2.12(d)(2)(iii), restrictions on
disclosures apply to individuals or
entities who have received patient
records directly from part 2 programs.
SAMHSA proposes to revise
§ 2.12(d)(2)(iii) so that restrictions on
disclosures also apply to individuals or
entities who receive patient records
directly from other lawful holders of
PO 00000
Frm 00011
Fmt 4701
Sfmt 4702
6997
patient identifying information. This
change is consistent with the discussion
of ‘‘other lawful holder of patient
identifying information’’ in the
preamble discussion in Terminology
Changes in Section III.B.2.c. and the
proposed inclusion of this term in other
sections of this NPRM. Patient records
subject to these regulations include
patient records maintained by part 2
programs as well as those records in the
possession of ‘‘other lawful holders of
patient identifying information.’’
D. Confidentiality Restrictions and
Safeguards (§ 2.13)
1. Overview
Currently, 42 CFR part 2 does not
include a way for patients to determine
to whom their records have been
disclosed.
2. Proposed Revisions
As discussed in Section G., Consent
Requirements (§ 2.31), SAMHSA
proposes to permit, in certain
circumstances, the inclusion of a
general designation in the ‘‘To Whom’’
section of the consent form.
Specifically, in the case of an entity that
does not have a treating provider
relationship with the patient whose
information is being disclosed,
SAMHSA proposes to permit the
designation of the name(s) of the
entity(-ies) and a general designation of
an individual or entity participant(s) or
a class of participants that must be
limited to those participants who have
a treating provider relationship with the
patient whose information is being
disclosed. An entity without a treating
provider relationship includes, for
example, an entity that facilitates the
exchange of health information (e.g.,
HIE). The consent form, therefore, could
designate the HIE (an entity that does
not have a treating provider relationship
with the patient whose information is
being disclosed) and ‘‘my treating
providers’’ (a general designation of a
class of individual and/or entity
participants with a treating provider
relationship with that same patient).
Under this proposal, the consent form
could not, however, include the general
function ‘‘HIE’’ without specifying the
name of the HIE entity used by the
treating provider. Under this proposal,
merely listing a function is not
sufficient for consent because it would
not sufficiently identify the recipient of
the patient identifying information.
Since SAMHSA is proposing to allow a
general designation in the
circumstances discussed above, we are
proposing that, upon request, patients
who have included a general
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
6998
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
designation in the ‘‘To Whom’’ section
of their consent form must be provided,
by the entity without a treating provider
relationship that serves as an
intermediary (see § 2.31(a)(4)(iv)), a list
of entities to which their information
has been disclosed pursuant to the
general designation (List of Disclosures).
SAMHSA is proposing to require that
the list of disclosures include a list of
the entities to which the information
was disclosed pursuant a general
designation. However, if entities that are
required to comply with the List of
Disclosures requirement wish to include
individuals on the list of disclosures, in
addition to the required data elements
which are outlined in § 2.13(d)(2)(ii),
nothing in this proposed rule prohibits
it.
SAMHSA considered requiring both
individuals and entities to be included
on the list of disclosures but, after
reviewing the Health Information
Technology Privacy Committee’s
recommendations, decided to require, at
a minimum, a list of entities. These
recommendations addressed the
HITECH requirement that HIPAA
covered entities and business associates
account for disclosures for treatment,
payment, and health care operations
made through an EHR. The Committee
recommended, ‘‘that the content of the
disclosure report be required to include
only an entity name rather than a
specific individual as proposed in the
NPRM.’’ In addition, the report noted
that the Organization for Economic
Cooperation and Development (OECD)
principles, the Fair Credit Reporting
Act, and the Privacy Act of 1974 do not
require that the names of individuals be
provided.
SAMHSA proposes that individuals
who received patient identifying
information pursuant to the general
designation on a consent form should be
included on the List of Disclosures
based on an entity affiliation, such as
the name of their practice or place of
employment. Patients who wish to
know the name of the individual to
whom their information was disclosed
may ask the entity on the List of
Disclosures to provide that information,
however, 42 CFR part 2 would not
require the entity to comply with a
patient’s request.
In order to allow time to develop, test,
and implement advanced technology to
more efficiently comply with this
requirement, SAMHSA is proposing that
the List of Disclosures requirement
become effective two years after the
effective date of the final rule. Some
entities may be able to comply with this
requirement without developing and
implementing new technologies. In
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
addition, entities that use and disclose
primarily paper records could easily
implement a system, if one does not
already exist, such as a sign-out/sign-in
log, that could be used to generate such
a list. SAMHSA anticipates that there
will be few requests based on the
relatively small number of accounting
requests that most covered entities have
received to date under the HIPAA
Accounting for Disclosures rule,
according to some anecdotal reports.
SAMHSA is proposing that patient
requests for a list of entities to which
their information has been disclosed
must be in writing and limited to
disclosures made within the past two
years. Consistent with the preamble
discussion of terminology (§ 2.11,
Definitions), ‘‘written’’ includes both
paper and electronic documentation. A
request letter addressed to the entity
that disclosed the information might
include language such as: ‘‘I am writing
to request a list of the entities to which
my information has been disclosed
within the past two years. This request
is consistent with 42 CFR 2.13, which
also includes the requirements for your
response. Thank you for your
assistance.’’
In addition, SAMHSA is proposing
that entities named on the consent form
that disclose information to their
participants under the general
designation (entities without a treating
provider relationship that serve as
intermediaries) must respond to
requests for a list of disclosures in 30 or
fewer calendar days of receipt of the
request. Responses sent to the patient
electronically may be sent by encrypted
transmission (e.g., email), or by
unencrypted email at the request of the
patient, so long as the patient has been
informed of the potential risks
associated with unsecured transmission.
Patients should be notified that there
may be some level of risk that the
information in an unencrypted email
could be read by a third party. If
patients are notified of the risks and still
prefer unencrypted email, the patient
has the right to receive the information
in that way, and entities are not
responsible for unauthorized access of
the information while in transmission to
the patient based on the patient’s
request.
Before using an unsecured method to
respond to a request for a list of
disclosures, an entity should take
certain precautions, such as checking an
email address for accuracy before
sending it or sending an email alert to
the patient for address confirmation to
avoid unintended disclosures. Patients
may also request that the entity
communicate with them by an
PO 00000
Frm 00012
Fmt 4701
Sfmt 4702
alternative means or at an alternative
location. Responses sent by mail may be
sent by United States Postal Service first
class mail, an equivalent service, or a
service with additional security features
(e.g., tracking). The response must
include the name of the entity to which
each disclosure was made, the date of
the disclosure, and a brief description of
the information disclosed. The brief
description of the information disclosed
must have sufficient specificity to be
understandable to the patient. An
example of a brief description of the
information disclosed is a copy of the
written request for disclosure. This
requirement to provide a list of
disclosures cannot be satisfied by
providing patients with a list (or web
address) of entities that potentially
could receive their patient identifying
information.
This proposed revision would
facilitate patients’ participation in
advances in the health care delivery
system by increasing their confidence
that they could be informed, upon
request, of who received their
information pursuant to a general
designation on the consent form.
In addition, confirming the identity of
an individual who is not and has never
been a patient while remaining silent on
the identity of an actual patient could,
by inference, compromise patient
privacy. For example, if a reporter is
inquiring about five individuals and
only Mr. Smith is not and never has
been a patient, by confirming that Mr.
Smith is not and never has been a
patient and remaining silent on the
other four individuals, the part 2
program could enable the reporter to
conclude that the other four individuals
either are patients or have been patients.
Therefore, SAMHSA is proposing to
remove the concept from § 2.13(c)(2)
that the regulations do not restrict a
disclosure that an identified individual
is not and never has been a patient. If
confirming the identity of an individual
who is not and never has been a patient,
caution should be used so as not to
make an inadvertent disclosure with
respect to one or more other
individuals. This proposed rule does
not prohibit entities that receive a
request for information about an
individual from refusing to disclose any
information regardless of whether the
individual is or ever has been a
patient(s).
E. Security for Records (§ 2.16)
1. Overview
Currently, the Security for Written
Records section in § 2.16 addresses the
maintenance, disclosure, access to, and
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
use of written records. This section,
however, addresses paper, but not
electronic records.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
2. Proposed Revisions
SAMHSA is proposing to modernize
this section to address both paper and,
in light of the steady increase in the
adoption of health IT, electronic
records. Specifically, SAMHSA
proposes to revise the heading by
deleting the word ‘‘written’’ so that it
now reads: Security for Records.
SAMHSA also proposes to clarify that
this section requires both part 2
programs and other lawful holders of
patient identifying information to have
in place formal policies and procedures
for the security of both paper and
electronic records. These formal policies
and procedures are intended to ensure
protection of patient identifying
information when records are
exchanged electronically using health IT
as well as when they are exchanged
using paper records. The formal policies
and procedures must reasonably protect
against unauthorized uses and
disclosures of patient identifying
information and protect against
reasonably anticipated threats or
hazards to the security of patient
identifying information. The formal
policies and procedures must address,
among other things, the sanitization of
hard copy and electronic media, which
is addressed in the preamble discussion
of Disposition of Records by
Discontinued Programs (§ 2.19).
Suggested resources for part 2 programs
and other lawful holders developing
formal policies and procedures include
materials from the HHS Office for Civil
Rights (e.g., Guidance Regarding
Methods for De-identification of
Protected Health Information in
Accordance with the Health Insurance
Portability and Accountability Act
(HIPAA) Privacy Rule), and the National
Institute of Standards and Technology
(NIST) (e.g., the most current version of
the Special Publication 800–88,
Guidelines for Media Sanitization).
The proposed regulations provide
further guidance for these policies and
procedures. Finally, we are proposing to
replace language in other sections of the
proposed rule with a reference to the
policies and procedures established
under § 2.16, where applicable.
F. Disposition of Records by
Discontinued Programs (§ 2.19)
1. Overview
As with § 2.16, the Disposition of
Records by Discontinued Programs
section in the current regulations do not
address electronic records.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
2. Proposed Revisions
SAMHSA proposes to modernize this
section to address both paper and
electronic records. Specifically, we
propose to address the disposition of
both paper and electronic records by
discontinued programs, and add
requirements for sanitizing paper and
electronic media. By sanitizing paper or
electronic media, we mean to render the
data stored on the media nonretrievable. Sanitizing electronic media
is distinctly different from deleting
electronic records and may involve
clearing (using software or hardware
products to overwrite media with nonsensitive data) or purging (degaussing or
exposing the media to a strong magnetic
field in order to disrupt the recorded
magnetic domains) the information from
the electronic media. If circumstances
warrant the destruction of the electronic
media prior to disposal, destruction
methods may include disintegrating,
pulverizing, melting, incinerating, or
shredding the media. Because failure to
ensure total destruction of patient
identifying information may lead to the
unauthorized disclosure of sensitive
information regarding a patient’s
substance use disorder history,
SAMHSA expects the process of
sanitizing paper (including printer and
FAX ribbons, drums, etc.) or electronic
media to be permanent and irreversible,
so that there is no reasonable risk that
the information may be recovered. This
result is best achieved by sanitizing the
paper or electronic media in a manner
consistent with the most current version
of the NIST Special Publication 800–88,
Guidelines for Media Sanitization.
SAMHSA also is proposing to reference
the formal security policies and
procedures for both paper and
electronic records established under
§ 2.16.
G. Notice to Patients of Federal
Confidentiality Requirements (§ 2.22)
1. Overview
Currently, § 2.22 lists the
requirements of a notice to patients of
the federal confidentiality requirements,
including giving the patient a summary
in writing of the federal law and
regulations. As with other sections in
the current regulations, this section
requires that the notice to patients be in
writing, but does not address electronic
formats.
2. Proposed Revisions
SAMHSA proposes to continue to
require that patients be given a
summary in writing of the federal law
and regulations. Consistent with the
Preamble discussion in Terminology
PO 00000
Frm 00013
Fmt 4701
Sfmt 4702
6999
Changes in Section III.B.2.c., the term
‘‘written’’ includes both paper and
electronic documentation. We,
therefore, propose to permit the notice
to patients to be either on paper or in
an electronic format. SAMHSA also
proposes to require the statement
regarding the reporting of violations to
include contact information for the
appropriate authorities. The reporting of
any violation of these regulations may
be directed to the U.S. Attorney for the
judicial district in which the violation
occurs and the report of any violation of
these regulations by an opioid treatment
program may also be directed to the
SAMHSA office responsible for opioid
treatment program oversight (see § 2.4 of
the proposed rule). SAMHSA is
considering whether to issue guidance
at a later date that includes a sample
notice.
Although it is not a proposed
requirement, SAMHSA encourages the
part 2 program to be sensitive to the
cultural composition of its patient
population when considering whether
the notice should also be provided in a
language(s) other than English (e.g.,
Spanish).
H. Consent Requirements (§ 2.31)
1. Overview
SAMHSA has heard a number of
concerns from individuals regarding the
current consent requirements of 42 CFR
part 2. In particular, stakeholders
expressed concern that the current
requirements for sharing patient records
covered by part 2 deter patients from
participating in HIEs, ACOs, CCOs, and
similar organizations. While technical
solutions for managing consent
collection, such as data segmentation,
are possible, they are not widely
incorporated into existing systems.
2. Proposed Revisions
SAMHSA examined the consent
requirements in § 2.31 to explore
options for facilitating the sharing of
information within the health care
context while ensuring the patient is
fully informed and the necessary
protections are in place. As a result, we
propose several changes to this section.
First, we propose to revise the section
heading from ‘‘Form of written consent’’
to ‘‘Consent requirements.’’ SAMHSA
also proposes to make revisions in three
sections of the consent form
requirements: The ‘‘To Whom’’ section,
the ‘‘Amount and Kind’’ section, and
the ‘‘From Whom’’ section. SAMHSA
also is proposing to require a part 2
program or other lawful holder of
patient identifying information to obtain
written confirmation from the patient
E:\FR\FM\09FEP3.SGM
09FEP3
7000
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
that they understand both the terms of
their consent and, when using a general
designation in the ‘‘To Whom’’ section
of the consent form (see Section
III.H.2.a., To Whom, below), that they
have the right to obtain, upon request,
a list of entities to which their
information has been disclosed
pursuant to the general designation. In
addition, SAMHSA is proposing to
permit electronic signatures to the
extent that they are not prohibited by
any applicable law. SAMHSA is
considering whether to issue guidance
at a later date that includes a sample
consent form.
As mentioned in Section III.C.2.a.,
New Definitions, SAMHSA is proposing
to include a new definition of ‘‘Treating
provider relationship’’ in § 2.11. Finally,
as a result of these proposed revisions,
we renumbered the subsections
accordingly.
a. To Whom
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
i. Overview
Section 2.31(a)(2) of the current
regulations requires that a consent form
include the name or title of the
individual or the name of the
organization to which disclosure is to be
made as part of the patient’s written
consent to the disclosure of their
records regulated by 42 CFR part 2. The
intent of the specificity required in the
‘‘To Whom’’ section was for the patient
to be able to identify, at the point of
consent, exactly who they are
authorizing to receive their information.
Some stakeholders have reported that
the requirement in 42 CFR 2.31(a)(2) for
the name of the individual or
organization that will be the recipient of
the patient identifying information
makes it difficult to include programs
covered by the regulations in
organizations that facilitate the
exchange of health information or
coordinate care (e.g., HIEs, ACOs, and
CCOs). These organizations have a large
and growing number of participants and
may not have consent management
capabilities. Under the current
regulations, if a new participant joins an
HIE, ACO, CCO, or other similar entity
after a consent is signed, and a patient
later goes to that new participant for
treatment, part 2 would require that the
new participant obtain the patient’s
consent to receive the patient’s
information. Because of the reported
burdens associated with the collection
of updated consent forms whenever new
participants join one of these
organizations, some stakeholders have
indicated that they are currently not
including substance use disorder
treatment information in their systems.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
ii. Proposed Revisions
SAMHSA is proposing to move the
current § 2.31(a)(2), ‘‘To Whom,’’ to
§ 2.31(a)(4). In the following discussion
of the ‘‘To Whom’’ section of the
consent form and in the regulatory text,
SAMHSA makes a distinction between
individuals and entities who have a
treating provider relationship with the
patient and those who do not. As
discussed in § 2.11, SAMHSA proposes
to define the term ‘‘Treating provider
relationship’’ to provide that regardless
of whether there has been an actual inperson encounter, (a) a patient agrees to
be diagnosed, evaluated and/or treated
for any condition by an individual or
entity and (b) the individual or entity
agrees to undertake diagnosis,
evaluation and/or treatment of the
patient, or consultation with the patient,
for any condition.
Based on this definition, SAMHSA
considers an entity to have a treating
provider relationship with a patient if
the entity employs or privileges one or
more individuals who have a treating
provider relationship with the patient.
SAMHSA is continuing to permit the
name(s) of the individual(s) to whom a
disclosure is to be made to be
designated in the ‘‘To Whom’’ section of
the consent form (e.g., Jane Doe, MD;
John Doe; or George Jones, JD). Because
SAMHSA also is proposing to allow, in
certain circumstances, a general
designation, we propose to eliminate the
current option of designating only a title
of an individual (e.g., Chief of Pediatrics
at Lakeview County Hospital). SAMHSA
also proposes to revise the requirements
for designating the name of an entity, as
discussed below.
In the case of an entity that has a
treating provider relationship with the
patient whose information is being
disclosed, SAMHSA is proposing to
permit the designation of the name of
the entity without requiring any further
designations (as is required for an entity
that does not have a treating provider
relationship with the patient whose
information is being disclosed, see
below). For example, the consent form
could specify any of the following
names of entities: Lakeview County
Hospital, ABC Health Care Clinic, or
Jane Doe & Associates Medical Practice.
In the case of an entity that does not
have a treating provider relationship
with the patient whose information is
being disclosed and is a third-party
payer that requires patient identifying
information for the purpose of
reimbursement for services rendered to
the patient by the part 2 program,
SAMHSA proposes to permit the
PO 00000
Frm 00014
Fmt 4701
Sfmt 4702
designation of the name of the entity
(e.g., Medicare).
In the case of an entity that does not
have a treating provider relationship
with the patient whose information is
being disclosed and is not covered by
§ 2.31(a)(4)(iii) (i.e., the provision
regarding third-party payers), SAMHSA
proposes to permit the designation of
the name(s) of the entity(-ies) and at
least one of the following: (1) The
name(s) of an individual participant(s);
(2) the name(s) of an entity
participant(s) that has a treating
provider relationship with the patient
whose information is being disclosed; or
(3) a general designation of an
individual or entity participant(s) or a
class of participants that must be
limited to those participants who have
a treating provider relationship with the
patient whose information is being
disclosed. Examples of an entity
without a treating provider relationship
include an entity that facilitates the
exchange of health information (e.g.,
HIE) or a research institution. The
consent form, therefore, could designate
the HIE (an entity that does not have a
treating provider relationship with the
patient whose information is being
disclosed) and Drs. Jones and Smith,
and County Memorial Hospital (all
participants in the HIE with a treating
provider relationship with that same
patient). Likewise, the consent form
could designate the HIE (an entity that
does not have a treating provider
relationship with the patient whose
information is being disclosed) and ‘‘my
treating providers’’ (a general
designation of an individual or entity)
participant(s) or a class of individual
and/or entity participants with a
treating provider relationship with the
patient whose information is being
disclosed).
In the case of a research institution, a
‘‘participant’’ could be a clinical
researcher with a treating provider
relationship with the patient whose
information is being disclosed, or a
general researcher who does not have a
treating provider relationship with the
patient whose information is being
disclosed. The clinical researcher could
be included as ‘‘my treating provider’’
in a general designation on the consent
form, whereas the general researcher
would have to be named on the consent
form. Alternatively, a research
institution could obtain patient
identifying information without consent
if it meets the requirements in § 2.52.
If a general designation is used, the
entity must have a mechanism in place
to determine whether a treating provider
relationship exists with the patient
whose information is being disclosed.
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
We encourage innovative solutions to
implement this provision. For example,
the HIE in the aforementioned example
could have a policy in place requiring
their participating providers to attest to
having a treating provider relationship
with the patient. Likewise, the HIE
could provide a patient portal that
permits patients to designate treating
providers as members of ‘‘my health
care team’’ or ‘‘my treating providers.’’
Improving the quality of substance
use disorder care depends on effective
collaboration of mental health,
substance use disorder, general health
care, and other service providers in
coordinating patient care. However, the
composition of a health care team varies
widely among entities. Because
SAMHSA wants to ensure that patient
identifying information is only
disclosed to those individuals and
entities on the health care team with a
need to know this sensitive information,
we are limiting a general designation to
those individuals or entities with a
treating provider relationship. Patients
may further designate their treating
providers as ‘‘past,’’ ‘‘current,’’ and/or
‘‘future’’ treating providers. In addition,
a patient may designate, by name, one
or more individuals on their health care
team with whom they do not have a
treating provider relationship.
SAMHSA proposes to balance the
flexibility afforded by the general
designation in the ‘‘To Whom’’ section
by adding a new confidentiality
safeguard: List of Disclosures (§ 2.13(d)).
The List of Disclosures provision allows
patients who have included a general
designation in the ‘‘To Whom’’ section
of their consent form to request and be
provided a list of entities to which their
information has been disclosed
pursuant to the general designation. In
addition, when using a general
designation, a statement must be
Treating provider
relationship with
patient whose
information is
being disclosed
(a)(4)(i) ...................
Individual ..............
Yes .......................
(a)(4)(i) ...................
(a)(4)(ii) ..................
Individual ..............
Entity .....................
No .........................
Yes .......................
(a)(4)(iii) .................
Entity .....................
No .........................
(a)(4)(iv) .................
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
42 CFR 2.31
Individual or entity
to whom disclosure
is to be made
Entity .....................
No .........................
SAMHSA is seeking public comment
on an alternative approach to the
proposed required elements for the ‘‘To
Whom’’ section of the consent form. The
current part 2 required elements for the
‘‘To Whom’’ section of written consent
are the name or title of the individual
or the name of the organization to which
the disclosure is to be made. The term
‘‘organization’’ is not defined in the
current regulations, but SAMHSA has
interpreted the term narrowly in
guidance to mean that information can
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
PO 00000
Frm 00015
included on the consent form noting
that, by signing the consent form, the
patient confirms their understanding of
the List of Disclosures provision.
Many new integrated care models rely
on interoperable health IT and these
proposed changes are expected to
support the integration of substance use
disorder treatment into primary and
other specialty care, improving the
patient experience, clinical outcomes,
and patient safety while at the same
time ensuring patient choice,
confidentiality, and privacy.
The following table provides an
overview of the options permitted when
completing the designation in the ‘‘To
Whom’’ section of the proposed consent
form.
Designating Individuals and
Organizations in the ‘‘To Whom’’
Section of the Consent Form
Primary designation
Additional designation
Name of individual(s) (e.g., Jane Doe,
MD).
Name of individual(s) (e.g., John Doe)
Name of entity (e.g., Lakeview County
Hospital).
Name of entity that is a third-party
payer
as
specified
under
§ 2.31(a)(4)(iii) (e.g., Medicare).
Name of entity that is not covered by
§ 2.31(a)(4)(iii) (e.g., HIE, or research institution).
be sent to a lead organization but the
information cannot flow from the lead
organization to organization members or
participants. Historically, that meant
that all members or participants of an
organization would need to be listed on
the consent form and a new consent
form would need to be obtained each
time a new provider joined the
organization.
SAMHSA’s alternative approach
reflects the same policy goal as the
proposed regulation text (i.e., allowing
Fmt 4701
Sfmt 4702
7001
None.
None.
None.
None.
At least one of the following:
1. The name(s) of an individual participant(s) (e.g. Jane Doe, MD, or
John Doe).
2. The name(s) of an entity participant(s) with a treating provider relationship with the patient whose information is being disclosed (e.g.,
Lakeview County Hospital).
3. A general designation of an individual or entity participant(s) or a
class of participants limited to those
participants who have a treating
provider relationship with the patient
whose information is being disclosed (e.g., my current and future
treating providers).
more flexibility in the ‘‘To Whom’’
section of the consent form) while
attempting to simplify the language that
would appear on the consent form. This
alternative approach would not change
the existing language in the ‘‘To Whom’’
section of the consent form.
Under this alternative approach,
SAMHSA would add a definition of
‘‘organization’’ to § 2.11. Organization
would mean, for purposes of § 2.31, (a)
an organization that is a treating
provider of the patient whose
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
7002
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
information is being disclosed; or (b) an
organization that is a third-party payer
that requires patient identifying
information for the purpose of
reimbursement for services rendered to
the patient by a part 2 program; or (c)
an organization that is not a treating
provider of the patient whose
information is being disclosed but that
serves as an intermediary in
implementing the patient’s consent by
providing patient identifying
information to its members or
participants that have a treating
provider relationship, as defined in
§ 2.11, or as otherwise specified by the
patient.
Paragraph (a) of this definition relies
on the definition of ‘‘Treating provider
relationship’’ as defined in § 2.11.
SAMHSA considers an organization to
be a treating provider of a patient if the
organization employs or privileges one
or more individuals who have a treating
provider relationship(s) with the
‘‘patient.’’
Paragraph (b) of this definition refers
to an organization that is not a treating
provider of the patient whose
information is being disclosed but that
requires patient identifying information
in connection with its role as a thirdparty payer for the purpose of
reimbursement for services rendered to
the patient (e.g., Medicare).
Paragraph (c) of this definition refers
to an organization that is not a treating
provider of the patient whose
information is being disclosed but that
serves as an intermediary in
implementing the patient consent. It
permits these organizations to further
disclose patient identifying information
to its members or participants that have
a treating provider relationship with the
patient. It also allows the patient to
specify further instructions for redisclosure to the organization’s
members or participants.
In all instances, patient identifying
information should only be disclosed to
those individuals and organizations in
accordance with the purpose stated by
the patient on the signed consent form
and only to those individuals with a
need to know this sensitive information.
SAMHSA is seeking public comment
on the advantages and disadvantages of
this alternative approach as compared to
SAMHSA’s proposed approach. If
commenters believe the definition of
‘‘organization’’ in the alternative
approach should be broader, please
include proposals for alternate or
additional required elements for the
consent form that facilitate the sharing
of information within the health care
context while ensuring the patient is
fully informed of the individuals and
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
organizations that potentially could
receive their patient identifying
information and that the necessary
protections are in place.
To consider this alternative approach,
SAMHSA would require resolution of
several issues. Therefore, SAMHSA is
also seeking public comment on the
following questions:
(1) To allow patients to determine
which specific members or participants
are authorized to receive their
information from an organization that
serves an intermediary in paragraph (c)
of the proposed organization definition
in SAMSHA’s alternative approach,
what additional elements would need to
be required on the consent form?
(2) How would the List of Disclosures
requirement be applied under a broad
definition of organization? Should the
requirement be applied only to
paragraph (c) of the proposed
organization definition in SAMHSA’s
alternative approach or should different
safeguards replace or supplement the
List of Disclosures requirement?
b. Amount and Kind
i. Overview
Section 2.31(a)(5) currently requires
the consent to include how much and
what kind of information is to be
disclosed. Because we are proposing to
allow the ‘‘To Whom’’ section of the
consent form to include a general
designation under certain
circumstances, we want patients to be
aware of the information they are
authorizing to disclose when they sign
the consent form.
ii. Proposed Revisions
SAMHSA is proposing to move the
current § 2.31(a)(5), ‘‘Amount and
Kind,’’ to § 2.31(a)(3) and revise the
provision to require the consent form to
explicitly describe the substance use
disorder-related information to be
disclosed. The types of information that
might be requested include diagnostic
information, medications and dosages,
lab tests, allergies, substance use history
summaries, trauma history summary,
employment information, living
situation and social supports, and
claims/encounter data. The designation
of the ‘‘Amount and Kind’’ of
information to be disclosed must have
sufficient specificity to allow the
disclosing program or other entity to
comply with the request. For example,
the description may include:
‘‘medications and dosages, including
substance use disorder-related
medications,’’ or ‘‘all of my substance
use disorder-related claims/encounter
data.’’ Examples of unacceptable
PO 00000
Frm 00016
Fmt 4701
Sfmt 4702
descriptions would be ‘‘all of my
records’’ (does not address the
substance use disorder-related
information to be disclosed) and ‘‘only
my substance use disorder records my
family knows about’’ (lacks specificity).
c. From Whom
i. Overview
Section 2.31 currently requires the
specific name or general designation of
the program or person permitted to
make the disclosure. In 1987, the
requirement for the ‘‘From Whom’’
section of the consent form was
broadened to the current requirement to
permit a patient to consent to either a
disclosure from a category of facilities or
from a single specified program.
ii. Proposed Revisions
SAMHSA is proposing to move the
current § 2.31(a)(1), ‘‘From Whom,’’ to
§ 2.31(a)(2). Because SAMHSA is now
allowing, in certain instances, a general
designation in the ‘‘To Whom’’ section
of the consent form, we propose to
require the ‘‘From Whom’’ section of the
consent form to specifically name the
part 2 program(s) or other lawful
holder(s) of the patient identifying
information permitted to make the
disclosure. This revision would avoid
any unintended consequences of
including general designations in both
the ‘‘From Whom’’ and ‘‘To Whom’’
sections. For example, the patient may
be unaware of possible permutations of
combining the two broad designations
to which they are consenting, especially
if these designations include future
unnamed treating providers.
d. New Requirements
i. Overview
Currently, the consent requirements
do not include any requirement that the
patient confirms their understanding of
the information on the consent form.
ii. Proposed Revisions
As discussed in the proposed
revisions to the ‘‘To Whom’’ section,
SAMHSA proposes to add two new
requirements related to the patient’s
signing of the consent form. The first
would require the part 2 program or
other lawful holder of patient
identifying information to include a
statement on the consent form that the
patient understands the terms of their
consent. The second would require the
part 2 program or other lawful holder of
patient identifying information to
include a statement on the consent form
that the patient understands their right,
pursuant to § 2.13(d), to request and be
provided a list of entities to which their
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
information has been disclosed when
the patient includes a general
designation on the consent form. In
addition, the part 2 program or other
lawful holder of patient identifying
information would have to include a
statement on the consent form that the
patient confirms their understanding of
the terms of consent and § 2.13(d) by
signing the consent form.
I. Prohibition on Re-disclosure (§ 2.32)
1. Overview
There is confusion on the part of some
providers as to how much of a patient’s
record is subject to 42 CFR part 2, which
often leads to a decision to protect the
entire record.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
2. Proposed Revisions
SAMHSA proposes to clarify that the
prohibition on re-disclosure provision
(§ 2.32) only applies to information that
would identify, directly or indirectly, an
individual as having been diagnosed,
treated, or referred for treatment for a
substance use disorder, such as
indicated through standard medical
codes, descriptive language, or both,
and allows other health-related
information shared by the part 2
program to be re-disclosed, if
permissible under the applicable law.
For example, if an individual receives
substance use disorder treatment from a
part 2 program and also receives
treatment for a health condition such as
high blood pressure, the individual’s
record would include information
unrelated to their substance use
disorder (i.e., high blood pressure). Part
2 does not prohibit re-disclosure of the
information related to the high blood
pressure as long as it does not include
information that would identify the
individual as having or having had a
substance use disorder.
However, illnesses that are brought
about by drug or alcohol abuse may
reveal that a patient has a substance use
disorder. For example, cirrhosis of the
liver or pancreatitis could reveal a
substance use disorder. Also, if a
prescription for a medication used for
substance use disorder treatment is
revealed without further clarification of
a non-substance disorder use (e.g.,
methadone used for the treatment of
cancer), it would suggest that the
individual has a substance use disorder
and also would be prohibited.
If data provenance (the historical
record of the data and its origins)
reveals information that would identify,
directly or indirectly, and individual as
having or having had a substance use
disorder, the information would be
prohibited from being re-disclosed. For
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
example, if the treatment location is a
substance use disorder treatment clinic,
this information would identify an
individual as having had a substance
use disorder and is therefore prohibited.
SAMHSA also proposed to clarify that
the federal rules restrict any use of the
information to criminally investigate or
prosecute any patient with a substance
use disorder, except as provided in
§ 2.12(c)(5).
J. Disclosures To Prevent Multiple
Enrollments (§ 2.34)
1. Overview
In the current regulations, special
rules are included for disclosures to
prevent multiple enrollments in
detoxification and maintenance
treatment programs because these types
of disclosure necessitate some
adjustment of the basic written consent
procedures in order to ensure maximum
protection for patients. Under § 2.34, the
timing, content, and use of the patient
information is strictly limited in
accordance with the purpose of the
disclosure.
2. Proposed Revisions
SAMHSA proposes to modernize
section § 2.34 by updating terminology
and revising corresponding definitions.
SAMHSA also proposes to consolidate
definitions by moving definitions from
this section to Definitions in § 2.11, as
discussed in Section III.B., Definitions.
K. Medical Emergencies (§ 2.51)
1. Overview
SAMHSA is considering aligning the
regulatory language with the statutory
language regarding the medical
emergency exception of 42 CFR part 2
(§ 2.51). The current regulations state
that information may be disclosed
without consent for the purpose of
treating a condition which poses an
immediate threat to the health of any
individual and which requires
immediate medical intervention. The
statute, however, states that records may
be disclosed ‘‘to medical personnel to
the extent necessary to meet a bona fide
medical emergency.’’
2. Proposed Revisions
SAMHSA proposes to adapt the
medical emergency exception to give
providers more discretion to determine
when a ‘‘bona fide medical emergency’’
(42 U.S.C. 290dd–2(b)(2)(A)) exists. The
proposed language states that patient
identifying information may be
disclosed to medical personnel to the
extent necessary to meet a bona fide
medical emergency, in which the
PO 00000
Frm 00017
Fmt 4701
Sfmt 4702
7003
patient’s prior informed consent cannot
be obtained.
SAMHSA proposes to continue to
require the part 2 program to
immediately document, in writing,
specific information related to the
medical emergency. Before a part 2
program enters into an affiliation with
an HIE, it should consider whether the
HIE has the capability to comply with
all part 2 requirements, including the
capacity to immediately notify the part
2 program when its records have been
disclosed pursuant to a medical
emergency. To promote compliance,
SAMHSA recommends that the
notification include all the information
that the part 2 program is required to
document in the patient’s records (e.g.,
date and time of disclosure, the nature
of the emergency). Similarly, SAMHSA
recommends that the part 2 program
consider whether the HIE has the
technology, rules, and procedures to
appropriately protect patient identifying
information.
L. Research (§ 2.52)
1. Overview
Under the current regulations at
§ 2.52, only the program director (part 2
program director) may authorize the
disclosure of patient identifying
information for scientific research
purposes to qualified personnel. Part 2
data may be derived from a variety of
sources, including federal or state
agencies that administer Medicare,
Medicaid, or Children’s Health
Insurance Program (CHIP), part 2
programs, or other individuals or
entities that have lawfully obtained the
information and may wish to facilitate
a sharing of the information for
purposes of scientific research that
would ultimately benefit substance use
disorder patients/beneficiaries.
Along with fifteen other federal
departments and agencies, HHS has
announced proposed revisions to the
regulations for protection of human
subjects in research (Common Rule). An
NPRM was published in the Federal
Register on September 8, 2015. In this
part 2 NPRM, SAMHSA proposes
certain revisions that are predicated on
the current version of the Common Rule
(45 CFR part 46, Protection of Human
Subjects, promulgated in 1991).
Although SAMHSA does not anticipate
that the Common Rule provisions
referenced in this part 2 NPRM will
change substantially during the
Common Rule rulemaking process,
should conflicting policies be created,
SAMHSA will take appropriate action
(e.g., issue an NPRM or technical
correction).
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
7004
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
2. Proposed Revisions
First, we propose to revise the section
heading by deleting the word
‘‘activities’’ (§ 2.52, Research). SAMHSA
also proposes to revise the research
exception to permit data protected by 42
CFR part 2 to be disclosed to qualified
personnel for the purpose of conducting
scientific research by a part 2 program
or any other individual or entity that is
in lawful possession of part 2 data
(lawful holder of part 2 data). For
example, these lawful holders of part 2
data could include third-party payers,
HIEs, ACOs, and CCOs. Qualified
personnel are those individuals who
meet the requirements specified in the
Research provision to receive part 2 data
for the purpose of conducting scientific
research. SAMHSA examined the
existing regulations that protect human
subjects in research and concluded that,
if those requirements were fulfilled, 42
CFR part 2 would ensure confidentiality
protections consistent with the
Congressional intent, while providing
the expanded authority for disclosing
patient identifying information.
Under 42 CFR part 2, part 2 programs
or other lawful holders of part 2 data are
permitted to disclose patient identifying
information for research with patient
consent, or without patient consent
under limited circumstances. SAMHSA
is proposing to allow patient identifying
information to be disclosed for purposes
of scientific research: (1) If the
researcher is a HIPAA covered entity or
business associate and provides
documentation that the researcher
obtained research participants’
authorization, or a waiver of research
participants’ authorization by an
Institutional Review Board (IRB) or
privacy board, for use or disclosure of
information about them for research
purposes consistent with the HIPAA
Privacy Rule, (45 CFR 164.512(i)); or (2)
if the researcher is subject to just the
HHS Common Rule (45 CFR part 46,
subpart A) and provides documentation
that the researcher is in compliance
with the requirements of the HHS
Common Rule, including requirements
relating to informed consent or a waiver
of consent (45 CFR 46.111 and 46.116);
or (3) if the researcher is both a HIPAA
covered entity or business associate and
subject to the HHS Common Rule, the
researcher has met the requirements of
both (1) and (2).
IRBs that are designated by an
institution under an assurance of
compliance approved for Federalwide
use (referred to as Federalwide
Assurance, or FWA) by HHS Office for
Human Research Protections (OHRP)
under § 46.103(a) and that review
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
research involving human subjects
conducted or supported by HHS must
be registered with HHS. The FWA is the
assurance from an institution engaging
in HHS-conducted or -supported human
subjects research regarding compliance
with 45 CFR part 46. An institution
must have an FWA to receive HHS
support for research involving human
subjects, and the FWA has to designate
an IRB registered with OHRP, whether
it is an internal or external IRB.
A privacy board is a review body that
may be established to act upon requests
for a waiver or an alteration of the
requirement under the HIPAA Privacy
Rule to obtain an individual’s
authorization for uses and disclosures of
protected health information for a
particular research study. Like an IRB,
a privacy board may waive or alter all
or part of the HIPAA authorization
requirements for a specified research
project or protocol, provided certain
conditions are met as provided in 45
CFR 164.512(i).
Currently, much research involving
human subjects operates under the HHS
Common Rule (45 CFR part 46, subpart
A). These regulations, which apply to
HHS-conducted or -supported research
or to institutions that have voluntarily
extended their FWA to apply to all
research regardless of funding, include
protections to help ensure
confidentiality. Under this rule, IRBs
determine that, when appropriate, there
are adequate provisions to protect the
privacy of subjects and to maintain the
confidentiality of data before approving
the research (45 CFR 46.111(a)(7)). IRBs
can therefore address the requirements
under the HIPAA Privacy Rule and the
HHS Common Rule, which contain
somewhat similar, but different sets of
requirements. The proposed part 2 rules
set out the requirements for a researcher
conducting research with patient
identifying information. Compliance
with the HIPAA Privacy Rule and/or
federal human subjects research
protections, as set forth in the HHS
Common Rule, where they apply, as
well as the specific additional
requirements in § 2.52(b) discussed
below, is sufficient to meet the
requirements for research disclosures
under part 2.
SAMHSA also is proposing to address
data linkages because the process of
linking two or more streams of data
opens up new research opportunities.
For example, the practice of requesting
data linkages from other data sources to
study the longitudinal effects of
treatment on patients is becoming
widespread. SAMHSA is interested in
affording patients protected by 42 CFR
part 2 the same opportunity to benefit
PO 00000
Frm 00018
Fmt 4701
Sfmt 4702
from these advanced research protocols
while continuing to safeguard their
privacy.
We propose to permit researchers to
request to link data sets that include
patient identifying information if: (1)
The data linkage uses data from a
federal data repository; and (2) the
project, including a data protection
plan, is reviewed and approved by an
IRB registered with OHRP in accordance
with 45 CFR part 46. This permissible
disclosure would allow a researcher to
disclose patient identifying information
to a federal data repository and permit
the federal data repository to link the
patient identifying information to data
held by that repository and return the
linked data file back to the researcher.
It would also ensure that patient privacy
is considered, that the disclosure and
use of identifiable data is justified, and
that the research protocol includes an
appropriate data protection plan.
SAMHSA is proposing to limit the data
repositories from which a researcher
may request data for data linkages
purposes to federal data repositories
because federal agencies that maintain
data repositories have policies and
procedures in place to protect the
security and confidentiality of the
patient identifying information that
must be submitted by a researcher in
order to link the data sets. For example,
in addition to meeting requirements
under the HIPAA Rules and/or the HHS
Common Rule, as applicable, requests
for ‘‘research identifiable files’’ data
from CMS require a Data Use Agreement
and are reviewed by CMS’s Privacy
Board. CMS also has internal policies to
protect the privacy and security of data
received from the researcher, including
the retention and destruction of that
data. In addition, all federal agencies
must comply with directives that
protect sensitive data such as Office of
Management and Budget Circular No.
A–130, Appendix III—Security of
Federal Automated Information and
NIST Federal Information Processing
Standard 200 entitled Minimum
Security Requirements for Federal
Information and Information Systems.
SAMHSA is soliciting public input
regarding whether to expand the data
linkages provision beyond federal data
repositories, what confidentiality,
privacy, and security safeguards are in
place for those non-federal data
repositories, and whether those
safeguards are sufficient to protect the
security and confidentiality of the
patient identifying information.
We invite stakeholders to provide
input and recommendations on the
specific policies, procedures, and other
safeguards that non-federal data
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
repositories should have in place
including, but not limited to:
1. Data use agreements (e.g., a data
use agreement or contract between the
researcher and the data repository with
written provisions to uphold security
and confidentiality of the data and
provide for sanctions or penalties for
breaches of confidentiality);
2. A review by a privacy board or
other regulatory body(-ies);
3. Internal security and privacy
protections (both physical and
electronic) for the confidentiality and
security of data, including the retention
and destruction of data received for data
linkage purposes (e.g., a requirement to
destroy, in a manner to render the data
non-retrievable, all patient identifying
information provided by the researcher
for data linkage purposes after
performing the match).
4. Security and privacy protections
(both physical and electronic) for
receiving and linking data (e.g., a
requirement that transmission of data
between the researcher and the data
repository must occur through the use of
secure methods and use the most
current encryption technology, such as
the most current version of the
Advanced Encryption Standard (NIST
Federal Information Processing
Standards (FIPS 197)).
5. Internal confidentiality agreements
for staff members who have access to
patient identifying information and
other confidential data;
6. Laws and regulations governing
functions and operations, including
those that address security and privacy;
7. Capability to perform data linkages
according to recognized standards; and
8. Other relevant safeguards.
SAMHSA also is requesting public
comment on the following three sets of
questions:
First, should state government, local
government, private, and/or other nonfederal data repositories (please address
separately) that meet the criteria above
be permitted to conduct data linkages?
Second, are there additional or
alternative criteria that should be
included in the list above? Are there
specific categories of data repositories
that are already required to provide
similar safeguards? When providing
categories of data repositories, please
describe the safeguards that are already
in place for those entities.
Third, how could it be ensured that
data repositories providing data linkages
are in compliance with criteria or
standards concerning confidentiality,
privacy, and security safeguards? Are
there any regulatory or oversight bodies
(including non-governmental and
governmental) that currently oversee
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
compliance with criteria or standards
concerning confidentiality, privacy, and
security safeguards of data in nonfederal repositories?
A researcher may report findings in
aggregate form from patient information
that has been rendered non-identifiable
as long as there are assurances in place
that the information cannot be reidentified and possibly serve as an
unauthorized means to identify a
patient, directly or indirectly, as having
or having had a substance use disorder.
SAMHSA is proposing to require any
individual or entity conducting
scientific research using patient
identifying information to meet
additional requirements to ensure
compliance with confidentiality
provisions under part 2. Among these
are a provision (§ 2.52(b)(1)) that
requires researchers to be fully bound
by these regulations and, if necessary, to
resist in judicial proceedings any efforts
to obtain access to patient records
except as permitted by these
regulations. This requirement means
that researchers involved in a judicial
proceeding are only required to disclose
patient identifying information pursuant
to a subpoena that is accompanied by a
court order. In addition, we have
included a provision (§ 2.52(b)(2))
prohibiting researchers from redisclosing patient identifying
information except back to the
individual or entity from whom that
patient identifying information was
obtained or as permitted under
§ 2.52(b)(4), the data linkages provision.
With respect to this re-disclosure
provision, an individual or entity from
whom the patient identifying
information was obtained does not refer
to patients.
Finally, SAMHSA is proposing to
address, in addition to the maintenance
of part 2 data, the retention and disposal
of such information used in research.
SAMHSA is proposing to do so by
expanding the provisions in § 2.16,
Security for Records and referencing the
policies and procedures established
under § 2.16 in this section.
These proposed revisions would
allow additional scientific research to be
conducted that would facilitate
continual quality improvement of part 2
programs and the important services
they offer. In doing so, SAMHSA
proposes to incorporate existing
protections for human subjects research
that are widely accepted.
M. Audit and Evaluation (§ 2.53)
1. Overview
Under the current Medicare or
Medicaid audit or evaluation section at
PO 00000
Frm 00019
Fmt 4701
Sfmt 4702
7005
§ 2.53, an audit or evaluation is limited
to a civil investigation or administrative
remedy by any federal, state, or local
agency responsible for oversight of the
Medicare or Medicaid program. It also
includes administrative enforcement,
against the program by the agency, or
any remedy authorized by law to be
imposed as a result of the findings of the
investigation.
2. Proposed Revisions
First, we propose to revise the section
heading by deleting the word
‘‘activities’’ (§ 2.53, Audit and
Evaluation). SAMHSA also proposes to
modernize this section to include
provisions for governing both paper and
electronic patient records. In addition,
we propose to revise the requirements
for destroying patient identifying
information by citing the expanded
Security for Records section (§ 2.16).
Furthermore, we propose to update the
Medicare or Medicaid audit or
evaluation subsection title to include
CHIP and, in subsequent language, refer
to Medicare, Medicaid and CHIP
(SAMHSA has always applied this
section to CHIP and is proposing to
explicitly refer to it in the proposed
regulation text).
SAMHSA proposes to permit the part
2 program, not just the part 2 program
director, to determine who is qualified
to conduct an audit or evaluation of the
part 2 program in paragraph (a)(2).
SAMHSA also proposes to permit an
audit or evaluation necessary to meet
the requirements of a CMS-regulated
ACO or similar CMS-regulated
organization (including a CMS-regulated
QE), under certain conditions. To
ensure that patient identifying
information is protected, the CMSregulated ACO or similar CMS-regulated
organization (including a CMS-regulated
QE) that is the subject of, or is
conducting, the audit or evaluation
must have a signed Participation
Agreement with CMS which provides
that the CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE) must comply with
all applicable provisions of 42 U.S.C
290dd–2 and 42 CFR part 2.
IV. Collection of Information
Requirements
Under the Paperwork Reduction Act
of 1995 (PRA), agencies are required to
provide a 60-day notice in the Federal
Register and solicit public comment
before a collection of information
requirement is submitted to the Office of
Management and Budget (OMB) for
review and approval. Currently, the
information collection is approved
under OMB Control No. 0930–0092. In
E:\FR\FM\09FEP3.SGM
09FEP3
7006
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
order to fairly evaluate whether changes
to an information collection should be
approved by OMB, section 3506(c)(2)(A)
of the PRA requires that we solicit
comment on the following issues: (a)
Whether the information collection is
necessary and useful to carry out the
proper functions of the agency; (b) The
accuracy of the agency’s estimate of the
information collection burden; (c) The
quality, utility, and clarity of the
information to be collected; and (d)
Recommendations to minimize the
information collection burden on the
affected public, including automated
collection techniques.
Under the PRA, the time, effort, and
financial resources necessary to meet
the information collection requirements
referenced in this section are to be
considered in rule making. We
explicitly seek, and will consider,
public comment on our assumptions as
they relate to the PRA requirements
summarized in this section.
This proposed rule includes changes
to information collection requirements,
that is, reporting, recordkeeping or
third-party disclosure requirements, as
defined under the PRA (5 CFR part
1320). Some of the provisions involve
changes from the information
collections set out in the previous
regulations. Information collection
requirements are: (1) Section 2.13(d)—
Disclosure: Requires entities named on
a consent form that disclose patient
identifying information to their
participants under the general
designation to make a disclosure, to
each patient who requests a list of
disclosures, in the form of a list of
entities to which their information has
been disclosed pursuant to the general
designation, (2) Section 2.22—
Disclosure: Requires each program to
make public disclosure in the form of
communication to each patient that
federal law and regulations protect the
confidentiality of each patient and
includes a written summary of the effect
of this law and these regulations, (3)
Section 2.51—Recordkeeping: This
provision requires the program to
document a disclosure of a patient
record to authorized medical personnel
in a medical emergency. The regulation
is silent on retention period for keeping
these records as this will vary according
to state laws. It is expected that these
records will be kept as part of the
patients’ health records. Annual burden
estimates for these requirements are
summarized in the table below:
ANNUALIZED BURDEN ESTIMATES
Annual
number of
respondents
Responses
per
respondent
Total
responses
Hours per
response
Total hour
burden
Hourly wage
cost
Total hour cost
Disclosures
42 CFR 2.13 (d) .........
42 CFR 2.22 ..............
1 19,548
1
155
4 12,034
19,548
2 4.15
5 1,861,693
.20
81,124
372,338.6
3 $36.9175
6 40.26
$2,994,895
14,990,352
Recordkeeping
42 CFR 2.51 ..............
12,034
2
24,068
.167
4,019
7 34.16
137,289
Total ....................
8 31,582
........................
1,905,309
..........................
457,482
........................
18,122,536
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
1 The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are
based the total number of annual treatment admissions from SAMHSA’s 2010–2012 Treatment Episode Data Set (TEDS) (see footnote 5). The
estimated patient requests equal the average of the total number of requests for a 0.1% request rate and a 2% request rate.
2 The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3
hours for entities that produce such a list from paper records. Because 90% of entities are estimated to collect the information electronically
using an audit log and 10% are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 × 4
hours) + (0.1 × 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated
time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
3 The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29–
2071, 31–9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
4 The number of publicly funded alcohol and drug facilities based on SAMHSA’s 2013 National Survey of Substance Abuse Treatment Services
(N–SSATS).
5 The average number of annual treatment admissions from SAMHSA’s 2010–2012 Treatment Episode Data Set (TEDS).
6 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
Classification code (21–1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
7 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
Classification code (43–0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
8 The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of
disclosures.
As described in greater detail in
Section VI., Regulatory Impact Analysis,
the respondents for the collection of
information under 42 CFR 2.22 and 2.51
are publicly (federal, state, or local)
funded, assisted, or regulated substance
use disorder treatment programs. The
estimate of the number of such
programs (respondents) is based on the
results of the 2013 N–SSATS, and the
average number of annual total
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
responses is based on 2010–2012
information on patient admissions
reported to the Treatment Episode Data
Set (TEDS), approved under OMB
Control No. 0930–0106 and OMB
Control No. 0930–0335.
The respondents for the collection of
information under 42 CFR 2.13(d) are
entities named on the consent form that
disclose information to their
participants pursuant to the general
PO 00000
Frm 00020
Fmt 4701
Sfmt 4702
designation. These entities primarily
would be organizations that facilitate
the exchange of health information (e.g.,
HIEs) or coordinate care (e.g., ACOs,
CCOs, and patient-centered medical
homes (sometimes called health
homes)), but other organizations, such
as research institutions, also may
disclose patient identifying information
to their participants (e.g., clinical
researchers) pursuant to the general
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
designation on the consent form.
Because there are no definitive data
sources for this potential range of
organizations, we are not associating
requests for a list of disclosures with
any particular type of organization.
Consequently, the number of
organizations that must respond to list
of disclosures requests is based on the
total number of requests each year.
V. Response to Comments
Because of the large number of public
comments, we anticipate receiving on
this Federal Register document, we are
not going to be able to acknowledge or
respond to them individually. We will
consider all comments we receive by the
date and time specified in the DATES
section of this proposed rule, and, when
we proceed with a subsequent
document, we will respond to the
comments in the preamble to that
document.
VI. Regulatory Impact Analysis
A. Statement of Need
This proposed rule is necessary to
modernize the Confidentiality of
Alcohol and Drug Abuse Patient
Records regulations at 42 CFR part 2.
The last substantive update to 42 CFR
part 2 was in 1987. The part 2 laws were
written out of great concern about the
potential use of substance use disorder
treatment information causing
individuals with substance use
disorders from seeking needed
treatment. Over the last 25 years,
significant changes have occurred
within the U.S. health care system that
were not envisioned by the current
regulations, including new models of
integrated care that are built on a
foundation of information sharing to
support coordination of patient care, the
development of an electronic
infrastructure for managing and
exchanging patient data, and a new
focus on performance measurement
within the health care system. The goal
of this proposed rule is to update 42
CFR part 2, and clarify the requirements
associated with information exchange in
these new health care models.
B. Overall Impact
We have examined the impacts of this
rule as required by Executive Order
12866 on Regulatory Planning and
Review (September 30, 1993), Executive
Order 13563 on Improving Regulation
and Regulatory Review (January 18,
2011), the Regulatory Flexibility Act
(RFA) (September 19, 1980, Pub. L. 96–
354), section 1102(b) of the Social
Security Act, section 202 of the
Unfunded Mandates Reform Act of 1995
(March 22, 1995; Pub. L. 104–4),
Executive Order 13132 on Federalism
(August 4, 1999) and the Congressional
Review Act (5 U.S.C. 804(2)). Executive
Orders 12866 and 13563 direct agencies
to assess all costs and benefits of
available regulatory alternatives and, if
regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health
and safety effects, distributive impacts,
and equity). Section 3(f) of Executive
Order 12866 defines a ‘‘significant
regulatory action’’ as an action that is
likely to result in a rule: (1) Having an
annual effect on the economy of $100
million or more in any 1 year, or
adversely and materially affecting a
sector of the economy, productivity,
competition, jobs, the environment,
public health or safety, or state, local or
tribal governments or communities (also
referred to as ‘‘economically
significant’’); (2) creating a serious
inconsistency or otherwise interfering
with an action taken or planned by
another agency; (3) materially altering
the budgetary impacts of entitlement
grants, user fees, or loan programs or the
rights and obligations of recipients
thereof; or (4) raising novel legal or
policy issues arising out of legal
mandates, the President’s priorities, or
the principles set forth in the Executive
Order.
A regulatory impact analysis must be
prepared for major rules with
economically significant effects ($100
million or more in any 1 year). This rule
does not reach the economic threshold
and thus is not considered a major rule.
When estimating the total costs
associated with changes to the 42 CFR
part 2 regulations, we assumed five sets
7007
of costs: updates to health IT systems
costs, costs for staff training and updates
to training curriculum, costs to update
patient consent forms, costs associated
with providing patients a list of entities
to which their information has been
disclosed pursuant to a general
designation on the consent form (i.e.,
the List of Disclosures requirement), and
implementation costs associated with
the List of Disclosure requirements. We
assumed that costs associated with
modifications to existing health IT
systems, staff training costs associated
with updating staff training materials,
and costs to update consent forms
would be one-time costs the first year
the final rule is in effect and would not
carry forward into future years. Staff
training costs other than those
associated with updating training
materials are assumed to be ongoing
annual costs to part 2 programs, also
beginning in the first year that the final
rule is in effect. The List of Disclosures
costs are assumed to be ongoing annual
costs to entities named on a consent
form that disclose patient identifying
information to their participants under
the general designation. The List of
Disclosures requirement, however, does
not go into effect until two years after
the final rule is in effect. Therefore, in
years 1 and 2, the costs associated with
the List of Disclosures provision are
limited to implementation costs for
entities that chose to upgrade their
health IT systems in order to comply
with the List of Disclosure
requirements.
We estimate, therefore, that in the first
year that the final rule is in effect, the
costs associated with updates to 42 CFR
part 2 would be $74,217,979. In year
two, we estimate that costs would be
$47,021,182. In years 3 through 10, we
estimate the annual costs would be
$14,835,444. Over the 10-year period of
2015–2024, the total undiscounted cost
of the proposed changes would be
$239,922,716 in 2015 dollars. When
future costs are discounted at 3 percent
or 7 percent per year, the total costs
become approximately $220.9 million or
$200.9 million, respectively. These costs
are presented in the tables below.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
TOTAL COST OF 42 CFR PART 2 REVISIONS
[2015 dollars]
Staff training
costs
Consent form
updates
List of
disclosures
Health IT
costs
Total costs
(A)
Year
(B)
(C)
(D)
(E)
2015 .....................................................................................
2016 .....................................................................................
2017 .....................................................................................
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
PO 00000
Frm 00021
$14,881,443
11,834,782
11,834,782
Fmt 4701
Sfmt 4702
$204,786
0
0
$10,995,750
35,186,400
3,000,662
E:\FR\FM\09FEP3.SGM
09FEP3
$48,136,000
0
0
$74,217,979
47,021,182
14,835,444
7008
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
TOTAL COST OF 42 CFR PART 2 REVISIONS—Continued
[2015 dollars]
Staff training
costs
2018
2019
2020
2021
2022
2023
2024
Consent form
updates
List of
disclosures
Health IT
costs
Total costs
(A)
Year
(B)
(C)
(D)
(E)
.....................................................................................
.....................................................................................
.....................................................................................
.....................................................................................
.....................................................................................
.....................................................................................
.....................................................................................
11,834,782
11,834,782
11,834,782
11,834,782
11,834,782
11,834,782
11,834,782
0
0
0
0
0
0
0
3,000,662
3,000,662
3,000,662
3,000,662
3,000,662
3,000,662
3,000,662
0
0
0
0
0
0
0
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
Total ..............................................................................
121,394,485
204,786
70,187,445
48,136,000
239,922,716
TOTAL COST OF 42 CFR PART 2 REVISIONS—ANNUAL DISCOUNTING
[2015 dollars]
Total costs
Total with 7%
annual
discounting
(F)
(G)
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
.............................................................................................................................................
$74,217,979
47,021,182
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
14,835,444
$74,217,979
45,651,633
13,983,829
13,576,533
13,181,100
12,797,185
12,424,451
12,062,574
11,711,237
11,370,133
$74,217,979
43,945,030
12,957,852
12,110,142
11,317,889
10,577,467
9,885,483
9,238,769
8,634,364
8,069,499
Total ......................................................................................................................................
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
Total with 3%
annual
discounting
(E)
Year
239,922,716
220,976,654
200,954,473
The costs associated with the
proposed revisions stem from staff
training and updates to training
curriculum, updates to patient consent
forms, compliance with the List of
Disclosures requirement (including
implementation costs), and updates to
health IT infrastructure for information
exchange. Based on data from the 2013
N–SSATS, we estimate that 12,034
hospitals, outpatient treatment centers,
and residential treatment facilities are
covered by part 2. N–SSATS is an
annual survey of U.S. substance abuse
treatment facilities. Data is collected on
facility location, characteristics, and
service utilization. Not all treatment
providers included in N–SSATs are
believed to be under the jurisdiction of
the part 2 regulations. The 12,034
number is a subset of the 14,148
substance abuse treatment facilities that
responded to the 2013 N–SSATS, and
includes all federally operated facilities,
facilities that reported receiving public
funding other than Medicare and
Medicaid, facilities that reported
accepting Medicare, Medicaid,
TRICARE, and/or ATR voucher
payments, or were SAMHSA-certified
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
Opioid Treatment Programs. If a facility
did not have at least one of these
conditions, it was interpreted not to
have received any federal funding and,
therefore, not included in the estimate.
If an independently practicing
clinician does not meet the
requirements of paragraph (1) of the
definition of Program (an individual or
entity (other than a general medical
facility or general medical practice) who
holds itself out as providing and
provides substance use disorder
diagnosis, treatment or referral for
treatment), they may be subject to 42
CFR part 2 if they constitute an
identified unit within a general medical
facility or general medical practice
which holds itself out as providing, and
provides, substance use disorder
diagnosis, treatment, or referral for
treatment or if their primary function in
the facility or practice is the provision
of such services and they are identified
as providing such services. Due to data
limitations, it was not possible to
estimate the costs for independently
practicing providers covered by part 2
that did not participate in the 2013 N–
SSATS. For example, data from ABAM
PO 00000
Frm 00022
Fmt 4701
Sfmt 4702
provides the number of physicians since
2000 who have active ABAM
certification. However, there is no
source for the number of physicians
who have not participated in the ABAM
certification process. In addition, it is
not possible to determine which ABAMcertified physicians practice in a general
medical setting rather than in a
specialty treatment facility that was
already counted in the N–SSATS data.
Several provisions in the draft NPRM
reference ‘‘other lawful holders of
patient identifying information’’ in
combination with part 2 programs.
These other lawful holders must comply
with part 2 requirements with respect to
information they maintain that is
covered by part 2 regulations. However,
because this group could encompass a
wide range of organizations, depending
on whether they received part 2 data via
patient consent or as a result of one of
the limited exceptions to the consent
requirement specified in the regulations,
we are unable to include estimates
regarding the number and type of these
organizations and are only including
part 2 programs in this analysis.
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
In addition to the part 2 programs
described above, entities named on a
consent form that disclose patient
identifying information to their
participants under the general
designation must provide patients, upon
request, a list of entities to which their
information has been disclosed
pursuant to a general designation. These
entities primarily would include
organizations that facilitate the
exchange of health information (e.g.,
HIEs), and may also include
organizations responsible for care
coordination (e.g., ACOs, CCOs, and
patient-centered medical homes
(sometimes called health homes)). The
most recent estimates of these types of
entities are 67 functional, publicly
funded HIEs and 161 functional,
privately funded HIEs in 2013.1 As of
January 2015, there were an estimated
744 ACOs covering approximately 23.5
million individuals.2 Finally, in 2014,
the Accreditation Association for
Ambulatory Health Care, Inc., reported
that 7,000 medical practices have been
accredited as patient-centered medical
homes.3 While these types of
organizations were the primary focus of
this provision on the consent form,
other types of entities, such as research
institutions, may also disclose patient
identifying information to their
participants (e.g., clinical researchers)
pursuant to the general designation on
the consent form. Because there are no
definitive data sources for this potential
range of organizations, we are not
associating requests for lists of
disclosures with any particular type of
organization. We, instead, chose to
estimate the number of organizations
that must respond to list of disclosures
requests based on the total number of
requests each year.
1. Direct Costs of Implementing the
Proposed Regulations
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
There is no known baseline estimate
of the current costs associated with 42
CFR part 2 compliance. Instead,
SAMHSA estimated these cost based on
a range of published costs associated
1 Trends in Health Information Exchanges
(Trends in Health Information Exchanges) https://
innovations.ahrq.gov/perspectives/trends-healthinformation-exchanges#3.
2 Muhlestein, D. (2015). Growth and Dispersion of
Accountable Care Organizations in 2015. Health
Affairs Blog, 19.
3 Accreditation Association for Ambulatory
Health Care. ‘‘The Medical Home—Avoiding the
Rush to Judgment, Growing Model is a
Transformative Process Requiring Perseverance,
Patience . . . and Time, Body of Evidence
Illustrating Success is Surging’’ White Paper.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
with HIPAA implementation and
compliance.4 5
a. Staff Training
A Standard HIPAA training that meets
or exceeds the federal training
requirements is, on average, one hour
long.6 Therefore, we also estimated one
hour of training per staff to achieve
proficiency in the 42 CFR part 2
regulations. To estimate the labor costs
associated with staff training, we
averaged the average hourly costs for
counseling staff in specialty treatment
centers ($19.48 7), hospital treatment
centers ($21.47 8), and solo practice
offices ($22.61 9). The resulting blended
rate was $21.19 per hour. In order to
account for benefits and overhead costs
associated with staff time, we
multiplied the blended hourly rate by
two. These estimates are only for
training costs associated with
counseling staff, who we assume will
have primary responsibility for
executing the functions associated with
the NPRM revisions.
With regard to training materials,
most part 2 programs are assumed to
already have training curricula in place
that covers current 42 CFR part 2
regulations, and, therefore, these
facilities would only need to update
existing training materials rather than
develop new materials. The American
Hospital Association estimated that the
costs for the development of Privacy
and Confidentiality training, which
would include the development of
training materials and instructor labor
costs, was $16 per employee training
4 Kilbridge, P. (2003). The cost of HIPAA
compliance. New England Journal of Medicine,
348(15), 1423–1477.
5 Williams, A.R., Herman, D.C., Moriarty, J.P.,
Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. &
Bartz, J.K. (2008). HIPAA costs and patient
perceptions of privacy safeguards at Mayo Clinic.
Joint Commission Journal on Quality and Patient
Safety, 34(1), 27–35.
6 65 FR 82462, 82770 (Dec. 28, 2000) (Standards
for Privacy of Individually Identifiable Health
Information).
7 Bureau of Labor Statistics, U.S. Department of
Labor, Occupational Employment Statistics,
[accessed May 2, 2015] Outpatient Mental Health
and Substance Abuse Centers (NAICS code 621420),
Standard Occupations Classification code (211011)
[www.bls.gov/oes/].
8 Bureau of Labor Statistics, U.S. Department of
Labor, Occupational Employment Statistics,
[accessed May 2, 2014] Psychiatric and Substance
Abuse Hospitals (NAICS code 622200), Standard
Occupations Classification code (211011)
[www.bls.gov/oes/].
9 Bureau of Labor Statistics, U.S. Department of
Labor, Occupational Employment Statistics,
[accessed September 23, 2014] Offices of Mental
Health Practitioners (except Physicians) (NAICS
code 621330), Standard Occupations Classification
code (211011) [www.bls.gov/oes/].
PO 00000
Frm 00023
Fmt 4701
Sfmt 4702
7009
hour in 2000.10 Because we assumed
that part 2 programs would be updating
rather than developing training
materials, we estimated the cost of
training development to be one-half of
the cost of developing new materials, or
$8 per employee. Adjusted for
inflation,11 training development costs
in 2015 would be $10.91 per employee.
Using SAMHSA’s 2010–2012 TEDS
average annual number of treatment
admissions (n=1,861,693) as an estimate
of the annual number of patients at part
2 programs and calculated staffing
numbers based on a range of counseling
staff-to-client ratios (i.e., 1 to 10 12 and
1 to 5 13). Based on these assumptions,
staff training costs associated with part
2 patient consent procedures were
projected to range from $9.9 million to
$19.8 million in 2015. We averaged the
two estimated costs for staff training to
determine the final overall estimate of
$14,881,443. We assumed the costs
associated with updating training
materials will be a one-time cost.
Therefore, in subsequent years, we
assumed the costs associated with staff
training will be a function of the
blended hourly rate (multiplied by two
to account for benefits and overhead
costs) and the estimated number of staff
(developed based on the same two staffto-client ratios described above
multiplied by estimated patient counts).
Staff training costs associated with part
2 revisions are projected to range from
$7.9 million to $15.8 million after 2015.
We averaged the two estimated costs for
staff training to determine the final
overall estimate of $11,834,782.
b. Updates to Consent Forms
Updates to the 42 CFR part 2
regulations will need to be reflected in
patient consent forms. Results from a
2008 study from the Mayo Clinic Health
Care Systems 14 reported actuarial costs
for HIPAA implementation activities.
The reported cost to update
10 These estimates are not HHS estimates nor are
they HHS-endorsed cost estimates of HIPAA
implementation and compliance.
11 Calculated using the Consumer Price Index.
12 North Carolina NC Administrative Code
[accessed September 23, 2014]. [https://reports.oah.
state.nc.us/ncac/title%2010a%20-%20health%20
and%20human%20services/chapter%2013%20%20nc%20medical%20care%20commission/
subchapter%20b/10a%20ncac%2013b
%20.5203.pdf.]
13 Commonwealth of Pennsylvania—Department
of Health Staffing Requirements for Drug and
Alcohol Treatment Activities [accessed September
23, 2014]. [https://www.pacode.com/secure/data/
028/chapter704/s704.12.html.]
14 Williams, A.R., Herman, D.C., Moriarty, J.P.,
Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. &
Bartz, J.K. (2008). HIPAA costs and patient
perceptions of privacy safeguards at Mayo Clinic.
Joint Commission Journal on Quality and Patient
Safety, 34(1), 27–35.
E:\FR\FM\09FEP3.SGM
09FEP3
7010
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
authorization forms was $0.10 per
patient. Adjusted for inflation, costs
associated with updating the patient
consent forms in 2015 would be $0.11
per patient. We used the average
number of substance abuse treatment
admissions from SAMHSA’s 2010–2012
TEDS as our estimate of the number of
clients treated on an annual basis by
part 2 facilities. The total cost burden
associated with updating the consent
forms to reflect to the updated 42 CFR
part 2 regulations would be $204,786
(1,861,693 * $0.11).
c. List of Disclosures Costs
The updated part 2 regulations allow
patients who have consented to disclose
their identifying information using a
general designation to request a list of
entities to which their information has
been disclosed pursuant to the general
designation. Under this proposed rule,
entities named on a consent form that
disclose patient identifying information
to their participants under the general
designation would be required to
provide a list of disclosures after
receiving a patient request. Under the
List of Disclosure requirements, a
patient could make a request, for
example, to an organization that
facilitates the exchange of health
information (e.g., an HIE) or an
organization responsible for
coordinating care (e.g., an ACO) for a
list of disclosures that would include
the name of the entity to whom each
disclosure was made, the date of the
disclosure, and a brief description of the
patient identifying information
disclosed, and include this information
for all entities to whom the patient
identifying information has been
disclosed pursuant to the general
designation in the past two years.
For purposes of this analysis, we
assumed that entities disclosing patient
identifying information to their
participants pursuant to a patient’s
general designation on a consent form
are already collecting the information
necessary to comply with the List of
Disclosure requirement, in some form,
either electronically or using paper
records. We also assumed that these
entities could comply with the List of
Disclosures requirement by either
collecting this information
electronically by using audit logs to
obtain the required information or by
keeping a paper record. However, to
address possible concerns about
technical feasibility and other
implementation issues, SAMHSA is
proposing that the List of Disclosures
requirement become effective two years
after the effective date of the final rule
to allow entities collecting this
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
information time to review their
operations and business processes and
to decide whether technological
solutions are needed to enable them to
more efficiently comply with the
requirement.
In order to make preliminary
estimates of the implementation costs,
we first estimated the number of
potentially impacted entities based on
the anticipated number of patient
requests for a disclosure report in a
calendar year. We used the average
number of substance abuse treatment
admissions from SAMHSA’s 2010–2012
TEDS (n = 1,861,693) as the number of
patients treated annually by part 2
programs. We then used the average of
a 0.1 and 2 percent patient request rate
as our estimate of the number of
impacted entities (n = 19,548).
From there, we assumed ten percent
of the impacted entities would use
paper records to comply with the
disclosure reporting requirements (n =
1,995) and would have minimal
implementation costs in years 1 and 2.
Among the remaining entities, many
may be able to comply with the
disclosure reporting requirements
without developing or implementing
new technologies. For entities that do
choose to either update their existing
capabilities or develop and implement
new technologies to facilitate
compliance, we assumed two sets of
costs: (1) Planning and policy
development costs in year 1 and (2)
system update costs in year 2.
Absent any data on the number of
facilities that would require new
technology or the type of technology to
be implemented, we assumed that
twenty-five percent (n = 4,398) of the
remaining entities would choose to
upgrade their existing health IT systems.
The actual system upgrade costs will
vary considerably based on the type of
upgrades that are required. Some
entities may only require minor system
updates to streamline the reporting
requirements, while others may choose
to implement an entirely new system.
Given these data limitations, we
assumed an average, per-entity cost, of
$2,500 for planning development costs
in year 1 and an average, per-entity cost,
of $8,000 for system upgrades in year 2.
The implementation costs for List of
Disclosure reporting compliance across
are estimated to be $10,995,750 in year
1 (4,398 * $2,500) and $35,186,400
(4,398 * $8,000) in year 2.
Once the disclosure reporting
requirements go into effect, we assumed
that the majority of the costs associated
with the List of Disclosures requirement
would primarily come from staff time
needed to prepare a list of disclosures
PO 00000
Frm 00024
Fmt 4701
Sfmt 4702
upon a patient’s request. We also
assumed that the information would
need to be converted to a format that is
accessible to patients.
For those entities with a health IT
system, we expected that disclosure
information would be available in the
system’s audit log. We also assumed
that, unless the audit log has some sort
of electronic filtering system, it would
contain information above and beyond
the requirements for complying with a
request for a list of disclosures. We have
also assumed that the staff accessing
and filtering an audit log to compile the
information for lists of disclosures
would be health information
technicians. The average hourly rate for
health information technicians is $18.68
an hour.15 In order to account for
benefits and overhead costs associated
with staff time, we multiplied the
hourly wage rate by two. Absent any
existing information on the amount of
time associated with producing a list of
disclosures from an audit log, we
assumed it would take a health
information technician half a day (or
four hours) on average, to produce the
list from an audit log.
For entities using paper records to
track disclosures, we expected that a
staff member would need to gather and
aggregate the requested list of
disclosures from paper records. We
assumed medical record technicians
would be the staff with the primary
responsibility for compiling the
information for a list of disclosures. The
average hourly rate for medical record
technicians is $18.68 an hour.16 In order
to account for benefits and overhead
costs associated with staff time, we
multiplied the hourly wage rate by two.
Absent any existing information on the
amount of time associated with
producing a list of disclosures from
paper records, we assumed it would
take a medical record technician three
hours, on average, to produce the list
from paper records.17
15 Bureau of Labor Statistics, U.S. Department of
Labor, Occupational Employment Statistics,
[accessed June 3, 2015], Standard Occupations
Classification code (29–2071) [www.bls.gov/oes/].
16 IBID.
17 For facilities that maintain paper records,
consent forms would indicate who has been given
access to the record. By contrast, our understanding
of health IT audit logs is that they include a record
of all instances in which a record has been
accessed. The audit log will include a record of who
accessed the system, the date the record was
accessed, and what operations were performed. The
audit logs, therefore, will include considerably
more data than what we would anticipate finding
in paper records. Unless the audit log has an
electronic filtering system, we are assuming that a
health information technician will need to
manually review all records in an audit log in order
to compile the necessary information for a list of
disclosures.
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
The number of requests for a list of
disclosures will determine the overall
burden associated with the List of
Disclosures reporting requirements.
However, because this is a new
requirement, there were no data on
which to base an estimated number of
requests per year. We expect that the
rate of requests will be relatively low.
We therefore calculated the total costs
for two rates, 0.1 percent and 2 percent
of patients per year.
We used the average number of
substance abuse treatment admissions
from SAMHSA’s 2010–2012 TEDS as
the number of patients treated annually
by part 2 programs. Assuming that 10
percent of patients making requests (n =
186.17 to n = 3,723.39) would request a
list of disclosures from entities that
track disclosures through paper records
and 90 percent of patients making
requests (n = 1,675.52 to n = 33,510.47)
would make such a request of entities
that track disclosures through health IT
audit logs, the estimated costs to
develop lists of disclosures range from
$20,865.86 to $417,317.10 for entities
using paper records, and $250,390.26 to
$5,007,805.23 for entities using audit
logs. (These ranges reflect the costs
based on the two estimated patient rates
of request referenced above (i.e., 0.1
percent and 2 percent of patients per
year)).
Once a list of disclosures has been
produced, it can be returned to the
patient either by email or mail. Since
the method of sending the list of
disclosures depends on patient
preference, we assumed that 50 percent
of the lists of disclosures would be sent
by email and 50 percent by first-class
mail. We assumed that mailing and
supply costs related to list of disclosures
notifications were $0.10 supply cost per
notification and $0.49 postage cost per
mailing. We also estimated that it would
take an administrative staff member 15
minutes to prepare each list of
disclosures for mailing and/or
transmitting, and that staff preparing the
letters earn $15.01 18 per hour. In order
to account for benefits and overhead
costs associated with staff time, we
multiplied the hourly wage rate by two.
The estimated costs for list of
disclosures notifications range from
$7,535.20 to $150,704.05 for
notifications sent by first-class mail, and
$6,986 to $139,720.06 for notifications
sent by email.
To produce the final overall cost
estimate, we took the average of the
minimum and maximum estimated
costs to develop lists of disclosures by
entities collecting the information
electronically by using an audit log, and
the average of the minimum and
maximum estimated costs to develop
7011
lists of disclosures by entities using
paper records. We then added the
averages together to produce our
estimate of the total cost to entities to
develop lists of disclosures. Next we
took the average of the minimum and
maximum estimated costs for list of
disclosures notifications sent via email
and the minimum and maximum
estimated costs for such notifications
sent via first-class mail. We then added
these two averages together to produce
our estimate of the total cost to entities
for list of disclosures notifications.
Finally, the development and
notification costs for these lists of
disclosures were added together for the
final estimate of costs associated with
complying with List of Disclosure
reporting requirements. The total cost
for List of Disclosure reporting
compliance across all entities was
$3,000,661.88 in 2015 dollars.
Complying with List of Disclosure
requirements is assumed to be an
ongoing, annual activity. Across the tenyear period, the total costs associated
with the List of Disclosure reporting
includes $10,995,750 in year 1,
$35,186,400 in year 2, and $3,000,662
annually in years 3–10 for a total cost
of $70,187,445 across the ten-year
period.
TOTAL DISCLOSURE REPORTING COSTS IN 2015
Minimum
estimated cost
Maximum
estimated cost
Average
estimated cost
Facilities with a Health IT System ...............................................................................................
Facilities without a Health IT System ..........................................................................................
$250,390
20,865
$5,007,805
417,317
$2,629,098
219,091
Total Costs ...........................................................................................................................
Average Number of Facilities ......................................................................................................
........................
........................
........................
........................
2,848,189
19,548
Minimum
estimated cost
Maximum
estimated cost
Average
estimated cost
Email Notification .........................................................................................................................
First Class Mail Notification .........................................................................................................
$6,986
7,535
$139,720
150,704
$73,353
79,120
Total Costs ...........................................................................................................................
........................
........................
152,473
TOTAL DISCLOSURE NOTIFICATION COSTS IN 2015
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
d. IT Updates
SAMHSA, in collaboration with ONC
and Federal and community
stakeholders, has developed
Consent2Share which is an open source
tool for consent management and data
segmentation that is designed to
integrate with existing EHR and HIE
systems. The Consent2Share
architecture has a front-end, patient
facing system known as Patient Consent
Management and a backend control
system known as Access Control
Services. Communications with EHR
vendors indicate that the cost to
facilities of purchasing and installing
additional functionality to existing
18 Bureau of Labor Statistics, U.S. Department of
Labor, Occupational Employment Statistics,
electronic medical records applications,
such as Consent2Share, typically range
from $2,500 to $5,000. Because the addon systems for part 2 programs may be
more complex than standard patient
monitoring systems, we estimate that
the cost of adding the new functionality
would be approximately $8,000 per
facility. We also assumed that this
[accessed June 3, 2015], Standard Occupations
Classification code (31–9092) [www.bls.gov/oes/].
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
PO 00000
Frm 00025
Fmt 4701
Sfmt 4702
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
7012
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
would be a one-time expense, rather
than a recurring cost, for each provider.
Furthermore, national estimates
indicated that no more than 50 percent
of substance use disorder treatment
facilities have an operational
‘‘computerized administrative
information system.’’ 19 We, therefore,
estimated that only half of the 12,034
part 2 programs (i.e., 6,017 facilities)
would have operational health IT
systems that would require
modifications to account for the changes
to 42 CFR part 2. With 6,017 part 2
programs with operational information
systems, we estimated that each facility
would need to spend $8,000 to modify
their health IT system, which would
lead to a total burden for updating
health IT systems of $48,136,000.
Updating health IT systems would be a
one-time cost, and maintenance costs
should be part of general health IT
maintenance costs in later years. The
proposed rules do not require that part
2 programs adopt health IT systems so
there are no health IT costs associated
with the estimated 50 percent of
substance use disorder treatment
facilities that continue to use paper
records.
The RFA requires agencies to analyze
options for regulatory relief of small
entities. For purposes of the RFA, small
entities include small businesses,
nonprofit organizations, and small
governmental jurisdictions. Most
hospitals and most other providers are
small entities, either by nonprofit status
or by having revenues of less than $7.5
million to $38.5 million in any 1 year.
Individuals and states are not included
in the definition of a small entity. We
are not preparing an analysis for the
RFA because we have determined, and
the Secretary certifies, that this
proposed rule would not have a
significant economic impact on a
substantial number of small entities.
While the changes in the regulations
would apply to all part 2 programs, the
impact on these entities would be quite
small. Specifically, as described in the
Overall Impact section, the cost to part
2 programs associated with updates to
42 CFR part 2 in the first year that the
final rule is in effect would be
$74,217,979, a figure that, due to a
number of one-time updates, is the
highest for any of the 10 years
estimated. The per-entity economic
impact in the first year would be
approximately $6,167 ($74,217,979 ÷
19 McLellan, AT, Kathleen Meyers, K,
Contemporary addiction treatment: A review of
systems problems for adults and adolescents,
Biological Psychiatry, Volume 56, Issue 10, 15
November 2004, Pages 764–770, ISSN 0006–3223,
https://dx.doi.org/10.1016/j.biopsych.2004.06.018.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
12,034), a figure that is unlikely to
represent 3% of revenues for 5% of
impacted small entities. Consequently,
it has been determined that the
proposed regulations would not have a
significant economic impact on small
entities.
In addition, section 1102(b) of the Act
requires us to prepare a regulatory
impact analysis if a rule may have a
significant impact on the operations of
a substantial number of small rural
hospitals. This analysis must conform to
the provisions of section 603 of the
RFA. For purposes of section 1102(b) of
the Act, we define a small rural hospital
as a hospital that is located outside of
a Metropolitan Statistical Area for
Medicare payment regulations and has
fewer than 100 beds. We are not
preparing an analysis for section 1102(b)
of the Act because we have determined,
and the Secretary certifies, that this
proposed rule would not have a
significant impact on the operations of
a substantial number of small rural
hospitals.
Section 202 of the Unfunded
Mandates Reform Act of 1995 also
requires that agencies assess anticipated
costs and benefits before issuing any
rule whose mandates require spending
in any 1 year of $100 million in 1995
dollars, updated annually for inflation.
In 2014, that threshold is approximately
$141 million. This rule would have no
consequential effect on state, local, or
tribal governments or on the private
sector.
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a
proposed rule (and subsequent final
rule) that imposes substantial direct
requirement costs on state and local
governments, preempts state law, or
otherwise has Federalism implications.
Since this rule does not impose any
costs on state or local governments, the
requirements of Executive Order 13132
are not applicable.
SAMHSA is proposing to modernize
42 CFR part 2. With respect to our
proposal to revise the regulations, we do
not believe that this proposal would
have a significant impact as it gives
more flexibility to individuals and
entities covered by 42 CFR part 2 but
also adds privacy protections within the
consent requirements for the patient.
We are making this proposal in response
to concerns that 42 CFR part 2 is
outdated and burdensome.
Executive Order 13132 on Federalism
(August 4, 1999) establishes certain
requirements that an agency must meet
when it promulgates a proposed rule
(and subsequent final rule) that imposes
substantial direct requirement costs on
PO 00000
Frm 00026
Fmt 4701
Sfmt 4702
state and local governments, preempts
state law, or otherwise has Federalism
implications. We have reviewed this
proposed rule under the threshold
criteria of Executive Order 13132,
Federalism, and have determined that it
would not have substantial direct effects
on the rights, roles, and responsibilities
of states, local or tribal governments.
C. Conclusion
SAMHSA is proposing to modernize
42 CFR part 2. With respect to our
proposal to revise the regulations, we do
not believe that this proposal would
have a significant impact as it gives
more flexibility to individuals and
entities covered by 42 CFR part 2 but
also increases privacy protections
within the consent requirements and
adds an additional confidentiality
safeguard for patients. This proposed
rule does not reach the economic
threshold for requiring a regulatory
impact by Executive Orders 12866 and
13563 and thus is not considered a
major rule. Likewise, we are not
preparing an analysis for the RFA
because we have determined, and the
Secretary certifies, that this proposed
rule would not have a significant
economic impact on a substantial
number of small entities. We are not
preparing an analysis for section 1102(b)
of the RFA because we have
determined, and the Secretary certifies,
that this proposed rule would not have
a significant impact on the operations of
a substantial number of small rural
hospitals. This proposed rule would
have no consequential effect on state,
local, or tribal governments or on the
private sector. Since this rule does not
impose any costs on state or local
governments, the requirements of
Executive Order 13132 on federalism
are not applicable.
We invite public comments on this
section and request any additional data
that would help us determine more
accurately the impact on individuals
and entities by the proposed rule. In
accordance with the provisions of
Executive Order 12866, this rule was
reviewed by the OMB.
List of Subjects in 42 CFR Part 2
Alcohol abuse, Alcoholism, Drug
abuse, Grant programs-health, Health
records, Privacy, Reporting, and
Recordkeeping requirements.
Regulations Text
For the reasons stated in the preamble
of this proposed rule, 42 CFR part 2 is
proposed to be revised as follows:
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
(3) Because there is a criminal penalty
(a fine—see 42 U.S.C. 290dd–2(f) and
§ 2.3) for violating the regulations, they
are to be construed strictly in favor of
the potential violator in the same
manner as a criminal statute (see M.
Kraus & Brothers v. United States, 327
U.S. 614, 621–22, 66 S. Ct. 705, 707–08
(1946)).
PART 2—CONFIDENTIALITY OF
SUBSTANCE USE DISORDER PATIENT
RECORDS
Subpart A—Introduction
Subpart A—Introduction
Title 42, United States Code, Section
290dd–2(g) authorizes the Secretary to
prescribe regulations. Such regulations
may contain such definitions, and may
provide for such safeguards and
procedures, including procedures and
criteria for the issuance and scope of
orders, as in the judgment of the
Secretary are necessary or proper to
effectuate the purposes of this statute, to
prevent circumvention or evasion
thereof, or to facilitate compliance
therewith.
§ 2.3
§ 2.2
§ 2.4
Sec.
2.1 Statutory authority for confidentiality of
substance use disorder patient records.
2.2 Purpose and effect.
2.3 Criminal penalty for violation.
2.4 Reports of violations.
Subpart B—General Provisions
2.11
2.12
2.13
Definitions.
Applicability.
Confidentiality restrictions and
safeguards.
2.14 Minor patients.
2.15 Incompetent and deceased patients.
2.16 Security for records.
2.17 Undercover agents and informants.
2.18 Restrictions on the use of
identification cards.
2.19 Disposition of records by discontinued
programs.
2.20 Relationship to state laws.
2.21 Relationship to federal statutes
protecting research subjects against
compulsory disclosure of their identity.
2.22 Notice to patients of federal
confidentiality requirements.
2.23 Patient access and restrictions on use.
Subpart C—Disclosures with Patient
Consent
2.31 Consent requirements.
2.32 Prohibition on re-disclosure.
2.33 Disclosures permitted with written
consent.
2.34 Disclosures to prevent multiple
enrollments.
2.35 Disclosures to elements of the criminal
justice system which have referred
patients.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
Subpart D—Disclosures without Patient
Consent
2.51 Medical emergencies.
2.52 Research.
2.53 Audit and evaluation.
Subpart E—Court Orders Authorizing
Disclosure and Use
2.61 Legal effect of order.
2.62 Order not applicable to records
disclosed without consent to researchers,
auditors and evaluators.
2.63 Confidential communications.
2.64 Procedures and criteria for orders
authorizing disclosures for noncriminal
purposes.
2.65 Procedures and criteria for orders
authorizing disclosure and use of records
to criminally investigate or prosecute
patients.
2.66 Procedures and criteria for orders
authorizing disclosure and use of records
to investigate or prosecute a part 2
program or the person holding the
records.
2.67 Orders authorizing the use of
undercover agents and informants to
criminally investigate employees or
agents of a part 2 program.
Authority: 42 U.S.C. 290dd–2.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
§ 2.1 Statutory authority for confidentiality
of substance use disorder patient records.
Purpose and effect.
(a) Purpose. Under the statutory
provisions quoted in § 2.1, these
regulations impose restrictions upon the
disclosure and use of substance abuse
patient records which are maintained in
connection with the performance of any
part 2 program. The regulations specify
in:
(1) Subpart B of this part: General
Provisions, including definitions,
applicability, and general restrictions;
(2) Subpart C of this part: Disclosures
with Patient Consent, including
disclosures which require patient
consent and the consent form
requirements;
(3) Subpart D of this part: Disclosures
without Patient Consent, including
disclosures which do not require patient
consent or an authorizing court order;
and
(4) Subpart E of this part: Court
Orders Authorizing Disclosure and Use,
including disclosures and uses of
patient records which may be made
with an authorizing court order and the
procedures and criteria for the entry and
scope of those orders.
(b) Effect. (1) These regulations
prohibit the disclosure and use of
patient records unless certain
circumstances exist. If any circumstance
exists under which disclosure is
permitted, that circumstance acts to
remove the prohibition on disclosure
but it does not compel disclosure. Thus,
the regulations do not require disclosure
under any circumstances.
(2) These regulations are not intended
to direct the manner in which
substantive functions such as research,
treatment, and evaluation are carried
out. They are intended to ensure that a
patient receiving treatment for a
substance use disorder in a part 2
program is not made more vulnerable by
reason of the availability of their patient
record than an individual with a
substance use disorder who does not
seek treatment.
PO 00000
Frm 00027
Fmt 4701
Sfmt 4702
7013
Criminal penalty for violation.
Under 42 U.S.C. 290dd–2(f), any
person who violates any provision of
that statute or these regulations shall be
fined not more than $500 in the case of
a first offense, and not more than $5,000
in the case of each subsequent offense.
Reports of violations.
(a) The report of any violation of these
regulations may be directed to the
United States Attorney for the judicial
district in which the violation occurs.
(b) The report of any violation of these
regulations by an opioid treatment
program may be directed to the United
States Attorney for the judicial district
in which the violation occurs as well as
to the Substance Abuse and Mental
Health Services Administration
(SAMHSA) office responsible for opioid
treatment program oversight.
Subpart B—General Provisions
§ 2.11
Definitions.
For purposes of these regulations:
Central registry means an organization
which obtains from two or more
member programs patient identifying
information about individuals applying
for withdrawal management or
maintenance treatment for the purpose
of avoiding an individual’s concurrent
enrollment in more than one treatment
program.
Diagnosis means any reference to an
individual’s substance use disorder or to
a condition which is identified as
having been caused by that substance
use disorder which is made for the
purpose of treatment or referral for
treatment.
Disclose means to communicate any
information identifying a patient as
having or having had a substance use
disorder either directly, by reference to
publicly available information, or
through verification of such
identification by another person.
Federally assisted— see § 2.12(b).
Informant means an individual:
(1) Who is a patient or employee of a
part 2 program or who becomes a
patient or employee of a part 2 program
at the request of a law enforcement
agency or official; and
(2) Who at the request of a law
enforcement agency or official observes
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
7014
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
one or more patients or employees of
the part 2 program for the purpose of
reporting the information obtained to
the law enforcement agency or official.
Maintenance treatment means
pharmacotherapy for individuals with
substance use disorders which reduces
the pathological pursuit of reward and/
or relief and supports remission of
substance use disorder-related
symptoms.
Member program means a withdrawal
management or maintenance treatment
program which reports patient
identifying information to a central
registry and which is in the same state
as that central registry or is not more
than 125 miles from any border of the
state in which the central registry is
located.
Minor, as used in these regulations,
means an individual who has not
attained the age of majority specified in
the applicable state law, or if no age of
majority is specified in the applicable
state law, the age of eighteen years.
Part 2 program means a federally
assisted program (federally assisted as
defined in § 2.12(b) and program as
defined in this section). See § 2.12(e)(1)
for examples.
Part 2 program director means:
(1) In the case of a part 2 program
which is an individual, that individual.
(2) In the case of a part 2 program
which is an entity, the individual
designated as director or managing
director, or individual otherwise vested
with authority to act as chief executive
officer of the part 2 program.
Patient means any individual who has
applied for or been given diagnosis,
treatment, or referral for treatment for a
substance use disorder at a part 2
program. Patient includes any
individual who, after arrest on a
criminal charge, is identified as an
individual with a substance use
disorder in order to determine that
individual’s eligibility to participate in
a part 2 program. This definition
includes both current and former
patients.
Patient identifying information means
the name, address, social security
number, fingerprints, photograph, or
similar information by which the
identity of a patient, as defined in this
section, can be determined with
reasonable accuracy either directly or by
reference to other publicly available
information. The term does not include
a number assigned to a patient by a part
2 program, if that number does not
consist of, or contain numbers (such as
a social security, or driver’s license
number) which could be used to
identify a patient with reasonable
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
accuracy from sources external to the
part 2 program.
Person means an individual,
partnership, corporation, federal, state
or local government agency, or any
other legal entity, (also referred to as
individual and/or entity).
Program means:
(1) An individual or entity (other than
a general medical facility or general
medical practice) who holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment, or referral
for treatment; or
(2) An identified unit within a general
medical facility or general medical
practice that holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment, or referral
for treatment; or
(3) Medical personnel or other staff in
a general medical facility or general
medical practice whose primary
function is the provision of substance
use disorder diagnosis, treatment, or
referral for treatment and who are
identified as such providers.
Qualified service organization means
an individual or entity who:
(1) Provides services to a part 2
program, such as data processing, bill
collecting, dosage preparation,
laboratory analyses, or legal, accounting,
population health management, medical
staffing, or other professional services,
or services to prevent or treat child
abuse or neglect, including training on
nutrition and child care and individual
and group therapy, and
(2) Has entered into a written
agreement with a part 2 program under
which that individual or entity:
(i) Acknowledges that in receiving,
storing, processing, or otherwise dealing
with any patient records from the part
2 program, it is fully bound by these
regulations; and
(ii) If necessary, will resist in judicial
proceedings any efforts to obtain access
to patient identifying information
related to substance use disorder
diagnosis, treatment, or referral for
treatment except as permitted by these
regulations.
Records means any information,
whether recorded or not, received or
acquired by a part 2 program relating to
a patient. For the purpose of these
regulations, records include both paper
and electronic records.
Substance use disorder means a
cluster of cognitive, behavioral, and
physiological symptoms indicating that
the individual continues using the
substance despite significant substancerelated problems such as impaired
control, social impairment, risky use,
and pharmacological tolerance and
withdrawal. For the purposes of these
PO 00000
Frm 00028
Fmt 4701
Sfmt 4702
regulations, this definition does not
include tobacco or caffeine use. (Also
referred to as substance abuse.)
Third-party payer means a person
who pays, or agrees to pay, for diagnosis
or treatment furnished to a patient on
the basis of a contractual relationship
with the patient or a member of their
family or on the basis of the patient’s
eligibility for federal, state, or local
governmental benefits.
Treating provider relationship means
that, regardless of whether there has
been an actual in-person encounter:
(1) A patient agrees to be diagnosed,
evaluated and/or treated for any
condition by an individual or entity;
and
(2) The individual or entity agrees to
undertake diagnosis, evaluation and/or
treatment of the patient, or consultation
with the patient, for any condition.
Treatment means the care of a patient
suffering from a substance use disorder,
a condition which is identified as
having been caused by the substance
use disorder, or both, in order to reduce
or eliminate the adverse effects upon the
patient.
Undercover agent means any federal,
state, or local law enforcement agency
or official who enrolls in or becomes an
employee of a part 2 program for the
purpose of investigating a suspected
violation of law or who pursues that
purpose after enrolling or becoming
employed for other purposes.
Withdrawal management means the
use of pharmacotherapies to treat or
attenuate the problematic signs and
symptoms arising when heavy and/or
prolonged substance use is reduced or
discontinued.
§ 2.12
Applicability.
(a) General—(1) Restrictions on
disclosure. The restrictions on
disclosure in these regulations apply to
any information, whether or not
recorded, which:
(i) Would identify a patient as having
or having had a substance use disorder
either directly, by reference to publicly
available information, or through
verification of such identification by
another person; and
(ii) Is drug abuse information obtained
by a federally assisted drug abuse
program after March 20, 1972 (part 2
program), or is alcohol abuse
information obtained by a federally
assisted alcohol abuse program after
May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is
maintained by a part 2 program after
that date as part of an ongoing treatment
episode which extends past that date;
for the purpose of treating a substance
use disorder, making a diagnosis for that
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
treatment, or making a referral for that
treatment.
(2) Restriction on use. The restriction
on use of information to initiate or
substantiate any criminal charges
against a patient or to conduct any
criminal investigation of a patient (42
U.S.C. 290dd–2(c)) applies to any
information, whether or not recorded
which is drug abuse information
obtained by a federally assisted drug
abuse program after March 20, 1972
(part 2 program), or is alcohol abuse
information obtained by a federally
assisted alcohol abuse program after
May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is
maintained by a part 2 program after
that date as part of an ongoing treatment
episode which extends past that date;
for the purpose of treating a substance
use disorder, making a diagnosis for the
treatment, or making a referral for the
treatment.
(b) Federal assistance. A program is
considered to be federally assisted if:
(1) It is conducted in whole or in part,
whether directly or by contract or
otherwise by any department or agency
of the United States (but see paragraphs
(c)(1) and (2) of this section relating to
the Department of Veterans Affairs and
the Armed Forces);
(2) It is being carried out under a
license, certification, registration, or
other authorization granted by any
department or agency of the United
States including but not limited to:
(i) Participating provider in the
Medicare program;
(ii) Authorization to conduct
maintenance treatment or withdrawal
management; or
(iii) Registration to dispense a
substance under the Controlled
Substances Act to the extent the
controlled substance is used in the
treatment of substance use disorders;
(3) It is supported by funds provided
by any department or agency of the
United States by being:
(i) A recipient of federal financial
assistance in any form, including
financial assistance which does not
directly pay for the substance use
disorder diagnosis, treatment, or referral
for treatment; or
(ii) Conducted by a state or local
government unit which, through general
or special revenue sharing or other
forms of assistance, receives federal
funds which could be (but are not
necessarily) spent for the substance use
disorder program; or
(4) It is assisted by the Internal
Revenue Service of the Department of
the Treasury through the allowance of
income tax deductions for contributions
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
to the program or through the granting
of tax exempt status to the program.
(c) Exceptions—(1) Department of
Veterans Affairs. These regulations do
not apply to information on patients
receiving substance use disorder
treatment who are maintained in
connection with the Department of
Veterans Affairs provisions of hospital
care, nursing home care, domiciliary
care, and medical services under Title
38, U.S.C. Those records are governed
by 38 U.S.C. 7332 and regulations
issued under that authority by the
Secretary of Veterans Affairs.
(2) Armed Forces. These regulations
apply to any information described in
paragraph (a) of this section which was
obtained by any component of the
Armed Forces during a period when the
patient was subject to the Uniform Code
of Military Justice except:
(i) Any interchange of that
information within the Armed Forces;
and
(ii) Any interchange of that
information between the Armed Forces
and those components of the
Department of Veterans Affairs
furnishing health care to veterans.
(3) Communication within a part 2
program or between a part 2 program
and an entity having direct
administrative control over that part 2
program. The restrictions on disclosure
in these regulations do not apply to
communications of information between
or among personnel having a need for
the information in connection with their
duties that arise out of the provision of
diagnosis, treatment, or referral for
treatment of patients with substance use
disorders if the communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an
entity that has direct administrative
control over the program.
(4) Qualified service organizations.
The restrictions on disclosure in these
regulations do not apply to
communications between a part 2
program and a qualified service
organization of information needed by
the qualified service organization to
provide services to the program.
(5) Crimes on part 2 program premises
or against part 2 program personnel.
The restrictions on disclosure and use
in these regulations do not apply to
communications from part 2 program
personnel to law enforcement agencies
or officials which:
(i) Are directly related to a patient’s
commission of a crime on the premises
of the part 2 program or against part 2
program personnel or to a threat to
commit such a crime; and
(ii) Are limited to the circumstances
of the incident, including the patient
PO 00000
Frm 00029
Fmt 4701
Sfmt 4702
7015
status of the individual committing or
threatening to commit the crime, that
individual’s name and address, and that
individual’s last known whereabouts.
(6) Reports of suspected child abuse
and neglect. The restrictions on
disclosure and use in these regulations
do not apply to the reporting under state
law of incidents of suspected child
abuse and neglect to the appropriate
state or local authorities. However, the
restrictions continue to apply to the
original substance use disorder patient
records maintained by the part 2
program including their disclosure and
use for civil or criminal proceedings
which may arise out of the report of
suspected child abuse and neglect.
(d) Applicability to recipients of
information—(1) Restriction on use of
information. The restriction on the use
of any information subject to these
regulations to initiate or substantiate
any criminal charges against a patient or
to conduct any criminal investigation of
a patient applies to any person who
obtains that information from a part 2
program, regardless of the status of the
person obtaining the information or
whether the information was obtained
in accordance with these regulations.
This restriction on use bars, among
other things, the introduction of that
information as evidence in a criminal
proceeding and any other use of the
information to investigate or prosecute a
patient with respect to a suspected
crime. Information obtained by
undercover agents or informants (see
§ 2.17) or through patient access (see
§ 2.23) is subject to the restriction on
use.
(2) Restrictions on disclosures—(i)
Third-party payers, administrative
entities, and others. The restrictions on
disclosure in these regulations apply to:
(A) Third-party payers with regard to
records disclosed to them by part 2
programs;
(B) Entities having direct
administrative control over part 2
programs with regard to information
that is subject to these regulations
communicated to them by the part 2
program under paragraph (c)(3) of this
section; and
(C) Individuals or entities who receive
patient records directly from a part 2
program or other lawful holder of
patient identifying information and who
are notified of the prohibition on redisclosure in accordance with § 2.32.
(ii) [Reserved]
(e) Explanation of applicability—(1)
Coverage. These regulations cover any
information (including information on
referral and intake) about patients
receiving a diagnosis, treatment, or
referral for treatment for a substance use
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
7016
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
disorder obtained by a part 2 program.
Coverage includes, but is not limited to,
those treatment or rehabilitation
programs, employee assistance
programs, programs within general
hospitals, school-based programs, and
private practitioners (other than general
medical practices) who hold themselves
out as providing, and provide substance
use disorder diagnosis, treatment, or
referral for treatment. However, these
regulations would not apply, for
example, to emergency room personnel
who refer a patient to the intensive care
unit for an apparent overdose, unless
the primary function of such personnel
is the provision of substance use
disorder diagnosis, treatment, or referral
for treatment and they are identified as
providing such services or the
emergency room has promoted itself to
the community as a provider of such
services.
(2) Federal assistance to program
required. If a patient’s substance use
disorder diagnosis, treatment, or referral
for treatment is not provided by a part
2 program, that patient’s record is not
covered by these regulations. Thus, it is
possible for an individual patient to
benefit from federal support and not be
covered by the confidentiality
regulations because the program in
which the patient is enrolled is not
federally assisted as defined in
paragraph (b) of this section. For
example, if a federal court placed an
individual in a private for-profit
program and made a payment to the
program on behalf of that individual,
that patient’s record would not be
covered by these regulations unless the
program itself received federal
assistance as defined by paragraph (b) of
this section.
(3) Information to which restrictions
are applicable. Whether a restriction is
on use or disclosure affects the type of
information which may be available.
The restrictions on disclosure apply to
any information which would identify a
patient as having or having had a
substance use disorder. The restriction
on use of information to bring criminal
charges against a patient for a crime
applies to any information obtained by
the part 2 program for the purpose of
diagnosis, treatment, or referral for
treatment of patients with substance use
disorders. (Note that restrictions on use
and disclosure apply to recipients of
information under paragraph (d) of this
section.)
(4) How type of diagnosis affects
coverage. These regulations cover any
record of a diagnosis identifying a
patient as having or having had a
substance use disorder which is
prepared in connection with the
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
treatment or referral for treatment of a
patient with a substance use disorder. A
diagnosis prepared for the purpose of
treatment or referral for treatment but
which is not so used is covered by these
regulations. The following are not
covered by these regulations:
(i) Diagnosis which is made solely for
the purpose of providing evidence for
use by law enforcement agencies or
officials; or
(ii) A diagnosis of drug overdose or
alcohol intoxication which clearly
shows that the individual involved does
not have a substance use disorder (e.g.,
involuntary ingestion of alcohol or
drugs or reaction to a prescribed dosage
of one or more drugs).
§ 2.13 Confidentiality restrictions and
safeguards.
(a) General. The patient records
subject to these regulations may be
disclosed or used only as permitted by
these regulations and may not otherwise
be disclosed or used in any civil,
criminal, administrative, or legislative
proceedings conducted by any federal,
state, or local authority. Any disclosure
made under these regulations must be
limited to that information which is
necessary to carry out the purpose of the
disclosure.
(b) Unconditional compliance
required. The restrictions on disclosure
and use in these regulations apply
whether or not the part 2 program or
other lawful holder of the patient
identifying information believes that the
person seeking the information already
has it, has other means of obtaining it,
is a law enforcement agency or official
or other government official, has
obtained a subpoena, or asserts any
other justification for a disclosure or use
which is not permitted by these
regulations.
(c) Acknowledging the presence of
patients: Responding to requests. (1)
The presence of an identified patient in
a health care facility or component of a
health care facility which is publicly
identified as a place where only
substance use disorder diagnosis,
treatment, or referral for treatment is
provided may be acknowledged only if
the patient’s written consent is obtained
in accordance with subpart C of this
part or if an authorizing court order is
entered in accordance with subpart E of
this part. The regulations permit
acknowledgement of the presence of an
identified patient in a health care
facility or part of a health care facility
if the health care facility is not publicly
identified as only a substance use
disorder diagnosis, treatment, or referral
for treatment facility, and if the
PO 00000
Frm 00030
Fmt 4701
Sfmt 4702
acknowledgement does not reveal that
the patient has a substance use disorder.
(2) Any answer to a request for a
disclosure of patient records which is
not permissible under these regulations
must be made in a way that will not
affirmatively reveal that an identified
individual has been, or is being,
diagnosed or treated for a substance use
disorder. An inquiring party may be
provided a copy of these regulations and
advised that they restrict the disclosure
of substance use disorder patient
records, but may not be told
affirmatively that the regulations restrict
the disclosure of the records of an
identified patient.
(d) List of disclosures. Upon request,
patients who have consented to disclose
their patient identifying information
using a general designation pursuant to
§ 2.31(a)(4)(iv)(C) must be provided a
list of entities to which their
information has been disclosed
pursuant to the general designation.
(1) Under this paragraph (d), patient
requests:
(i) Must be made in writing; and
(ii) Are limited to disclosures made
within the past two years;
(2) Under this paragraph (d), the
entity named on the consent form that
discloses information pursuant to a
patient’s general designation (the entity
without a treating provider relationship
that serves as an intermediary, as
described in § 2.31(a)(4)(iv)) must:
(i) Respond in 30 or fewer days of
receipt of the written request; and
(ii) Provide, for each disclosure, the
name(s) of the entity(-ies) to which the
disclosure was made, the date of the
disclosure, and a brief description of the
patient identifying information
disclosed.
§ 2.14
Minor patients.
(a) State law not requiring parental
consent to treatment. If a minor patient
acting alone has the legal capacity under
the applicable state law to apply for and
obtain substance use disorder treatment,
any written consent for disclosure
authorized under subpart C of this part
may be given only by the minor patient.
This restriction includes, but is not
limited to, any disclosure of patient
identifying information to the parent or
guardian of a minor patient for the
purpose of obtaining financial
reimbursement. These regulations do
not prohibit a part 2 program from
refusing to provide treatment until the
minor patient consents to the disclosure
necessary to obtain reimbursement, but
refusal to provide treatment may be
prohibited under a state or local law
requiring the program to furnish the
service irrespective of ability to pay.
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
(b) State law requiring parental
consent to treatment. (1) Where state
law requires consent of a parent,
guardian, or other individual for a
minor to obtain treatment for a
substance use disorder, any written
consent for disclosure authorized under
subpart C of this part must be given by
both the minor and their parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf.
(2) Where state law requires parental
consent to treatment, the fact of a
minor’s application for treatment may
be communicated to the minor’s parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf only if:
(i) The minor has given written
consent to the disclosure in accordance
with subpart C of this part; or
(ii) The minor lacks the capacity to
make a rational choice regarding such
consent as judged by the part 2 program
director under paragraph (c) of this
section.
(c) Minor applicant for services lacks
capacity for rational choice. Facts
relevant to reducing a threat to the life
or physical well-being of the applicant
or any other individual may be
disclosed to the parent, guardian, or
other individual authorized under state
law to act in the minor’s behalf if the
part 2 program director judges that:
(1) A minor applicant for services
lacks capacity because of extreme youth
or mental or physical condition to make
a rational decision on whether to
consent to a disclosure under subpart C
of this part to their parent, guardian, or
other individual authorized under state
law to act in the minor’s behalf; and
(2) The applicant’s situation poses a
substantial threat to the life or physical
well-being of the applicant or any other
individual which may be reduced by
communicating relevant facts to the
minor’s parent, guardian, or other
individual authorized under state law to
act in the minor’s behalf.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
§ 2.15
Incompetent and deceased patients.
(a) Incompetent patients other than
minors—(1) Adjudication of
incompetence. In the case of a patient
who has been adjudicated as lacking the
capacity, for any reason other than
insufficient age, to manage their own
affairs, any consent which is required
under these regulations may be given by
the guardian or other individual
authorized under state law to act in the
patient’s behalf.
(2) No adjudication of incompetency.
In the case of a patient, other than a
minor or one who has been adjudicated
incompetent, that for any period suffers
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
from a medical condition that prevents
knowing or effective action on their own
behalf, the part 2 program director may
exercise the right of the patient to
consent to a disclosure under subpart C
of this part for the sole purpose of
obtaining payment for services from a
third-party payer.
(b) Deceased patients—(1) Vital
statistics. These regulations do not
restrict the disclosure of patient
identifying information relating to the
cause of death of a patient under laws
requiring the collection of death or other
vital statistics or permitting inquiry into
the cause of death.
(2) Consent by personal
representative. Any other disclosure of
information identifying a deceased
patient as having a substance use
disorder is subject to these regulations.
If a written consent to the disclosure is
required, that consent may be given by
an executor, administrator, or other
personal representative appointed under
applicable state law. If there is no such
applicable state law appointment, the
consent may be given by the patient’s
spouse or, if none, by any responsible
member of the patient’s family.
§ 2.16
Security for records.
(a) The part 2 program or other lawful
holder of patient identifying
information must have in place formal
policies and procedures to reasonably
protect against unauthorized uses and
disclosures of patient identifying
information and to protect against
reasonably anticipated threats or
hazards to the security of patient
identifying information. These formal
policies and procedures must address:
(1) Paper records, including:
(i) Transferring and removing such
records; and
(ii) Destroying such records, including
sanitizing the hard copy media
associated with the paper printouts, to
render the patient identifying
information non-retrievable; and
(iii) Maintaining such records in a
secure room, locked file cabinet, safe, or
other similar container, or storage
facility when not in use; and
(iv) Using and accessing workstations,
secure rooms, locked file cabinets, safes,
or other similar containers, and storage
facilities that use or store such
information; and
(v) Rendering patient identifying
information non-identifiable in a
manner that creates a very low risk of
re-identification (e.g., removing direct
identifiers).
(2) Electronic records, including:
(i) Copying, downloading, forwarding,
transferring, and removing such records;
and
PO 00000
Frm 00031
Fmt 4701
Sfmt 4702
7017
(ii) Destroying such records, including
sanitizing the electronic media on
which it was stored, to render the
patient identifying information nonretrievable; and
(iii) Maintaining such records; and
(iv) Using and accessing electronic
records or other electronic media
containing patient identifying
information; and
(v) Rendering the patient identifying
information non-identifiable in a
manner that creates a very low risk of
re-identification (e.g., removing direct
identifiers).
(b) [Reserved]
§ 2.17
Undercover agents and informants.
(a) Restrictions on placement. Except
as specifically authorized by a court
order granted under § 2.67, no part 2
program may knowingly employ, or
enroll as a patient, any undercover agent
or informant.
(b) Restriction on use of information.
No information obtained by an
undercover agent or informant, whether
or not that undercover agent or
informant is placed in a part 2 program
pursuant to an authorizing court order,
may be used to criminally investigate or
prosecute any patient.
§ 2.18 Restrictions on the use of
identification cards.
No person may require any patient to
carry in their immediate possession
while away from the part 2 program
premises any card or other object which
would identify the patient as having a
substance use disorder. This section
does not prohibit a person from
requiring patients to use or carry cards
or other identification objects on the
premises of a part 2 program.
§ 2.19 Disposition of records by
discontinued programs.
(a) General. If a part 2 program
discontinues operations or is taken over
or acquired by another program, it must
remove patient identifying information
from its records or destroy its records,
including sanitizing any associated hard
copy or electronic media, to render the
patient identifying information nonretrievable in a manner consistent with
the policies and procedures established
under § 2.16, unless:
(1) The patient who is the subject of
the records gives written consent
(meeting the requirements of § 2.31) to
a transfer of the records to the acquiring
program or to any other program
designated in the consent (the manner
of obtaining this consent must minimize
the likelihood of a disclosure of patient
identifying information to a third party);
or
E:\FR\FM\09FEP3.SGM
09FEP3
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
7018
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
(2) There is a legal requirement that
the records be kept for a period
specified by law which does not expire
until after the discontinuation or
acquisition of the part 2 program.
(b) Special procedure where retention
period required by law. If paragraph
(a)(2) of this section applies:
(1) Records, which are paper, must be:
(i) Sealed in envelopes or other
containers labeled as follows: ‘‘Records
of [insert name of program] required to
be maintained under [insert citation to
statute, regulation, court order or other
legal authority requiring that records be
kept] until a date not later than [insert
appropriate date]’’; and
(A) All hard copy media from which
the paper records were produced, such
as printer and facsimile ribbons, drums,
etc., must be sanitized to render the data
non-retrievable; and
(B) [Reserved]
(ii) Held under the restrictions of
these regulations by a responsible
person who must, as soon as practicable
after the end of the retention period
specified on the label, destroy the
records and sanitize any associated hard
copy media to render the patient
identifying information non-retrievable
in a manner consistent with the
discontinued program’s or acquiring
program’s policies and procedures
established under § 2.16.
(2) Records, which are electronic,
must be:
(i) Transferred to a portable electronic
device with implemented encryption to
encrypt the data at rest so that there is
a low probability of assigning meaning
without the use of a confidential process
or key and implemented access controls
for the confidential process or key; and
(A) All electronic media on which the
patient records or patient identifying
information resided prior to being
transferred to the device, including
email and other electronic
communications, must be sanitized to
render the patient identifying
information non-retrievable in a manner
consistent with the discontinued
program’s or acquiring program’s
policies and procedures established
under § 2.16; and
(B) The device must be:
(1) Sealed in a container along with
any equipment needed to read or access
the information, and labeled as follows:
‘‘Records of [insert name of program]
required to be maintained under [insert
citation to statute, regulation, court
order or other legal authority requiring
that records be kept] until a date not
later than [insert appropriate date];’’ and
(2) Held under the restrictions of
these regulations by a responsible
person who must store the container in
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
a manner that will protect the
information (e.g., climate controlled
environment); and
(C) The responsible person must be
included on the access control list and
be provided a means for decrypting the
data. The responsible person must store
the decryption tools on a device or at a
location separate from the data they are
used to encrypt or decrypt; and
(D) As soon as practicable after the
end of the retention period specified on
the label, the portable electronic device
must be sanitized to render the patient
identifying information non-retrievable
consistent with the policies established
under § 2.16.
(ii) [Reserved]
§ 2.20
Relationship to state laws.
The statute authorizing these
regulations (42 U.S.C. 290dd-2) does not
preempt the field of law which they
cover to the exclusion of all state laws
in that field. If a disclosure permitted
under these regulations is prohibited
under state law, neither these
regulations nor the authorizing statute
may be construed to authorize any
violation of that state law. However, no
state law may either authorize or
compel any disclosure prohibited by
these regulations.
§ 2.21 Relationship to federal statutes
protecting research subjects against
compulsory disclosure of their identity.
(a) Research privilege description.
There may be concurrent coverage of
patient identifying information by these
regulations and by administrative action
taken under section 502(c) of the
Controlled Substances Act (21 U.S.C.
872(c) and the implementing regulations
at 21 CFR part 1316); or section 301(d)
of the Public Health Service Act (42
U.S.C. 241(d) and the implementing
regulations at 42 CFR part 2a). These
research privilege statutes confer on the
Secretary of Health and Human Services
and on the Attorney General,
respectively, the power to authorize
researchers conducting certain types of
research to withhold from all persons
not connected with the research the
names and other identifying information
concerning individuals who are the
subjects of the research.
(b) Effect of concurrent coverage.
These regulations restrict the disclosure
and use of information about patients,
while administrative action taken under
the research privilege statutes and
implementing regulations protects a
person engaged in applicable research
from being compelled to disclose any
identifying characteristics of the
individuals who are the subjects of that
research. The issuance under subpart E
PO 00000
Frm 00032
Fmt 4701
Sfmt 4702
of this part of a court order authorizing
a disclosure of information about a
patient does not affect an exercise of
authority under these research privilege
statutes.
§ 2.22 Notice to patients of federal
confidentiality requirements.
(a) Notice required. At the time of
admission to a part 2 program or as soon
thereafter as the patient is capable of
rational communication, each part 2
program shall:
(1) Communicate to the patient that
federal law and regulations protect the
confidentiality of substance use disorder
patient records; and
(2) Give to the patient a summary in
writing of the federal law and
regulations.
(b) Required elements of written
summary. The written summary of the
federal law and regulations must
include:
(1) A general description of the
limited circumstances under which a
part 2 program may acknowledge that
an individual is present or disclose
outside the part 2 program information
identifying a patient as having or having
had a substance use disorder.
(2) A statement that violation of the
federal law and regulations by a part 2
program is a crime and that suspected
violations may be reported to
appropriate authorities consistent with
§ 2.4, along with contact information.
(3) A statement that information
related to a patient’s commission of a
crime on the premises of the part 2
program or against personnel of the part
2 program is not protected.
(4) A statement that reports of
suspected child abuse and neglect made
under state law to appropriate state or
local authorities are not protected.
(5) A citation to the federal law and
regulations.
(c) Program options. The part 2
program must devise a notice to comply
with the requirement to provide the
patient with a summary in writing of the
federal law and regulations. In this
written summary, the part 2 program
also may include information
concerning state law and any of the part
2 program’s policies that are not
inconsistent with state and federal law
on the subject of confidentiality of
substance use disorder patient records.
§ 2.23
use.
Patient access and restrictions on
(a) Patient access not prohibited.
These regulations do not prohibit a part
2 program from giving a patient access
to their own records, including the
opportunity to inspect and copy any
records that the part 2 program
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
maintains about the patient. The part 2
program is not required to obtain a
patient’s written consent or other
authorization under these regulations in
order to provide such access to the
patient.
(b) Restriction on use of information.
Information obtained by patient access
to their patient record is subject to the
restriction on use of this information to
initiate or substantiate any criminal
charges against the patient or to conduct
any criminal investigation of the patient
as provided for under § 2.12(d)(1).
Subpart C—Disclosures With Patient
Consent
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
§ 2.31
Consent requirements.
(a) Required elements for written
consent. A written consent to a
disclosure under these regulations may
be paper or electronic and must include:
(1) The name of the patient.
(2) The name of the part 2 program(s)
or other lawful holder(s) of the patient
identifying information permitted to
make the disclosure.
(3) How much and what kind of
information is to be disclosed, including
an explicit description of the substance
use disorder information that may be
disclosed.
(4)(i) The name(s) of the individual(s)
to whom a disclosure is to be made; or
(ii) If the entity has a treating provider
relationship with the patient whose
information is being disclosed, such as
a hospital, a health care clinic, or a
private practice, the name of that entity;
or
(iii) If the entity does not have a
treating provider relationship with the
patient whose information is being
disclosed and is a third-party payer that
requires patient identifying information
for the purpose of reimbursement for
services rendered to the patient by the
part 2 program, the name of the entity;
or
(iv) If the entity does not have a
treating provider relationship with the
patient whose information is being
disclosed and is not covered by
paragraph (a)(4)(iii) of this section, such
as an entity that facilitates the exchange
of health information or a research
institution, the name(s) of the
entity(-ies); and
(A) The name(s) of an individual
participant(s); or
(B) The name(s) of an entity
participant(s) that has a treating
provider relationship with the patient
whose information is being disclosed; or
(C) A general designation of an
individual or entity participant(s) or
class of participants that must be
limited to a participant(s) who has a
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
treating provider relationship with the
patient whose information is being
disclosed.
(1) When using a general designation,
a statement must be included on the
consent form that the patient (or other
individual authorized to sign in lieu of
the patient), confirms their
understanding that, upon their request
and consistent with this part, they must
be provided a list of entities to which
their information has been disclosed
pursuant to the general designation (see
§ 2.13(d)).
(2) [Reserved]
(5) The purpose of the disclosure.
(6) A statement that the patient (or
other individual authorized to sign in
lieu of the patient) confirms their
understanding of the terms of their
consent.
(7) A statement that the consent is
subject to revocation at any time except
to the extent that the part 2 program or
other lawful holder of patient
identifying information that is permitted
to make the disclosure has already acted
in reliance on it. Acting in reliance
includes the provision of treatment
services in reliance on a valid consent
to disclose information to a third-party
payer.
(8) The date, event, or condition upon
which the consent will expire if not
revoked before. This date, event, or
condition must ensure that the consent
will last no longer than reasonably
necessary to serve the purpose for
which it is provided.
(9) The signature of the patient and,
when required for a patient who is a
minor, the signature of an individual
authorized to give consent under § 2.14;
or, when required for a patient who is
incompetent or deceased, the signature
of an individual authorized to sign
under § 2.15. Electronic signatures are
permitted to the extent that they are not
prohibited by any applicable law.
(10) The date on which the consent is
signed.
(b) Expired, deficient, or false
consent. A disclosure may not be made
on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to
conform to any of the requirements set
forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through reasonable
diligence could be known, by the
individual or entity holding the records
to be materially false.
§ 2.32
Prohibition on re-disclosure.
(a) Notice to accompany disclosure.
Each disclosure made with the patient’s
written consent must be accompanied
by the following written statement:
PO 00000
Frm 00033
Fmt 4701
Sfmt 4702
7019
This information has been disclosed to
you from records protected by federal
confidentiality rules (42 CFR part 2).
The federal rules prohibit you from
making any further disclosure of
information in this record that identifies
a patient as having or having had a
substance use disorder either directly,
by reference to publicly available
information, or through verification of
such identification by another person
unless further disclosure is expressly
permitted by the written consent of the
individual whose information is being
disclosed or as otherwise permitted by
42 CFR part 2. A general authorization
for the release of medical or other
information is NOT sufficient for this
purpose. The federal rules restrict any
use of the information to criminally
investigate or prosecute any patient
with a substance use disorder, except as
provided at § 2.12(c)(5).
(b) [Reserved]
§ 2.33 Disclosures permitted with written
consent.
If a patient consents to a disclosure of
their records under § 2.31, a program
may disclose those records in
accordance with that consent to any
person identified in the consent, except
that disclosures to central registries and
in connection with criminal justice
referrals must meet the requirements of
§§ 2.34 and 2.35, respectively.
§ 2.34 Disclosures to prevent multiple
enrollments.
(a) Restrictions on disclosure. A part
2 program, as defined in § 2.11, may
disclose patient records to a central
registry or to any withdrawal
management or maintenance treatment
program not more than 200 miles away
for the purpose of preventing the
multiple enrollment of a patient only if:
(1) The disclosure is made when:
(i) The patient is accepted for
treatment;
(ii) The type or dosage of the drug is
changed; or
(iii) The treatment is interrupted,
resumed or terminated.
(2) The disclosure is limited to:
(i) Patient identifying information;
(ii) Type and dosage of the drug; and
(iii) Relevant dates.
(3) The disclosure is made with the
patient’s written consent meeting the
requirements of § 2.31, except that:
(i) The consent must list the name and
address of each central registry and each
known withdrawal management or
maintenance treatment program to
which a disclosure will be made; and
(ii) The consent may authorize a
disclosure to any withdrawal
management or maintenance treatment
E:\FR\FM\09FEP3.SGM
09FEP3
7020
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
program established within 200 miles of
the program after the consent is given
without naming any such program.
(b) Use of information limited to
prevention of multiple enrollments. A
central registry and any withdrawal
management or maintenance treatment
program to which information is
disclosed to prevent multiple
enrollments may not re-disclose or use
patient identifying information for any
purpose other than the prevention of
multiple enrollments unless authorized
by a court order under subpart E of this
part.
(c) Permitted disclosure by a central
registry to prevent a multiple
enrollment. When a member program
asks a central registry if an identified
patient is enrolled in another member
program and the registry determines
that the patient is so enrolled, the
registry may disclose:
(1) The name, address, and telephone
number of the member program(s) in
which the patient is already enrolled to
the inquiring member program; and
(2) The name, address, and telephone
number of the inquiring member
program to the member program(s) in
which the patient is already enrolled.
The member programs may
communicate as necessary to verify that
no error has been made and to prevent
or eliminate any multiple enrollments.
(d) Permitted disclosure by a
withdrawal management or
maintenance treatment program to
prevent a multiple enrollment. A
withdrawal management or
maintenance treatment program which
has received a disclosure under this
section and has determined that the
patient is already enrolled may
communicate as necessary with the
program making the disclosure to verify
that no error has been made and to
prevent or eliminate any multiple
enrollments.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
§ 2.35 Disclosures to elements of the
criminal justice system which have referred
patients.
(a) A part 2 program may disclose
information about a patient to those
individuals within the criminal justice
system who have made participation in
the part 2 program a condition of the
disposition of any criminal proceedings
against the patient or of the patient’s
parole or other release from custody if:
(1) The disclosure is made only to
those individuals within the criminal
justice system who have a need for the
information in connection with their
duty to monitor the patient’s progress
(e.g., a prosecuting attorney who is
withholding charges against the patient,
a court granting pretrial or post-trial
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
release, probation or parole officers
responsible for supervision of the
patient); and
(2) The patient has signed a written
consent meeting the requirements of
§ 2.31 (except paragraph (a)(8) which is
inconsistent with the revocation
provisions of paragraph (c) of this
section) and the requirements of
paragraphs (b) and (c) of this section.
(b) Duration of consent. The written
consent must state the period during
which it remains in effect. This period
must be reasonable, taking into account:
(1) The anticipated length of the
treatment;
(2) The type of criminal proceeding
involved, the need for the information
in connection with the final disposition
of that proceeding, and when the final
disposition will occur; and
(3) Such other factors as the part 2
program, the patient, and the
individual(s) within the criminal justice
system who will receive the disclosure
consider pertinent.
(c) Revocation of consent. The written
consent must state that it is revocable
upon the passage of a specified amount
of time or the occurrence of a specified,
ascertainable event. The time or
occurrence upon which consent
becomes revocable may be no later than
the final disposition of the conditional
release or other action in connection
with which consent was given.
(d) Restrictions on re-disclosure and
use. An individual within the criminal
justice system who receives patient
information under this section may redisclose and use it only to carry out that
individual’s official duties with regard
to the patient’s conditional release or
other action in connection with which
the consent was given.
Subpart D—Disclosures Without
Patient Consent
§ 2.51
Medical emergencies.
(a) General rule. Under the procedures
required by paragraph (c) of this section,
patient identifying information may be
disclosed to medical personnel to the
extent necessary to meet a bona fide
medical emergency in which the
patient’s prior informed consent cannot
be obtained.
(b) Special rule. Patient identifying
information may be disclosed to
medical personnel of the Food and Drug
Administration (FDA) who assert a
reason to believe that the health of any
individual may be threatened by an
error in the manufacture, labeling, or
sale of a product under FDA
jurisdiction, and that the information
will be used for the exclusive purpose
PO 00000
Frm 00034
Fmt 4701
Sfmt 4702
of notifying patients or their physicians
of potential dangers.
(c) Procedures. Immediately following
disclosure, the part 2 program shall
document, in writing, the disclosure in
the patient’s records, including:
(1) The name of the medical
personnel to whom disclosure was
made and their affiliation with any
health care facility;
(2) The name of the individual
making the disclosure;
(3) The date and time of the
disclosure; and
(4) The nature of the emergency (or
error, if the report was to FDA).
§ 2.52
Research.
(a) Patient identifying information
may be disclosed by the part 2 program
or other lawful holder of part 2 data for
the purpose of conducting scientific
research if the individual designated as
director or managing director, or
individual otherwise vested with
authority to act as chief executive officer
or their designee makes a determination
that the recipient of the patient
identifying information:
(1) If a Health Insurance Portability
and Accountability Act (HIPAA)
covered entity or business associate, has
obtained and documented
authorization, or a waiver or alteration
of authorization, consistent with the
HIPAA privacy rule at 45 CFR
164.512(i); or
(2) If subject to the HHS regulations
regarding the protection of human
subjects (45 CFR part 46), provides
documentation that the researcher is in
compliance with the requirements of the
HHS regulations, including the
requirements related to informed
consent or a waiver of consent (45 CFR
46.111 and 46.116); or
(3) If both a HIPAA covered entity or
business associate and subject to the
HHS regulations regarding the
protection of human subjects, has met
the requirements of paragraphs (a)(1)
and (2) of this section; and
(b) Any individual or entity
conducting scientific research using
patient identifying information obtained
under paragraph (a) of this section:
(1) Is fully bound by these regulations
and, if necessary, will resist in judicial
proceedings any efforts to obtain access
to patient records except as permitted
by these regulations.
(2) Must not re-disclose patient
identifying information except back to
the individual or entity from whom that
patient identifying information was
obtained or as permitted under
paragraph (b)(4) of this section.
(3) May include part 2 data in reports
only in aggregate form to limit the
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
potential for the disclosure of patient
identities.
(4) That requests linkages to data sets
from a federal data repository(-ies)
holding patient identifying information
must have the request reviewed and
approved by an Institutional Review
Board (IRB) registered with the
Department of Health and Human
Services, Office for Human Research
Protections in accordance with 45 CFR
part 46 to ensure that patient privacy is
considered and the need for identifiable
data is justified.
(i) Upon request, the researcher may
be required to provide evidence of the
IRB approval of the research project that
contains the data linkage component.
(ii) Except as provided in paragraph
(b) of this section, a researcher may not
use patient identifying information for
data linkages purposes.
(5) Must maintain and destroy patient
identifying information in accordance
with the security policies and
procedures established under § 2.16.
(6) Must retain records in compliance
with applicable federal, state, and local
record retention laws.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
§ 2.53
Audit and evaluation.
(a) Records not copied or removed. If
patient records are not downloaded,
copied or removed from the part 2
program premises or forwarded
electronically to another electronic
system or device, patient identifying
information, as defined in § 2.11, may
be disclosed in the course of a review
of records on the part 2 program
premises to any individual or entity
who agrees in writing to comply with
the limitations on re-disclosure and use
in paragraph (d) of this section and who:
(1) Performs the audit or evaluation
on behalf of:
(i) Any federal, state, or local
government agency which provides
financial assistance to the part 2
program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who
provides financial assistance to the part
2 program, which is a third-party payer
covering patients in the part 2 program,
or which is a quality improvement
organization performing a utilization or
quality control review; or
(2) Is determined by the part 2
program to be qualified to conduct an
audit or evaluation of the part 2
program.
(b) Copying, removing, downloading,
or forwarding patient records. Records
containing patient identifying
information, as defined in § 2.11, may
be copied or removed from a part 2
program premises or downloaded or
forwarded to another electronic system
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
or device from the part 2 program’s
electronic records by any individual or
entity who:
(1) Agrees in writing to:
(i) Maintain and destroy the patient
identifying information in a manner
consistent with the policies and
procedures established under § 2.16;
(ii) Retain records in compliance with
applicable federal, state, and local
record retention laws; and
(iii) Comply with the limitations on
disclosure and use in paragraph (d) of
this section; and
(2) Performs the audit or evaluation
on behalf of:
(i) Any federal, state, or local
government agency which provides
financial assistance to the part 2
program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who
provides financial assistance to the part
2 program, which is a third-party payer
covering patients in the part 2 program,
or which is a quality improvement
organization performing a utilization or
quality control review.
(c) Medicare, Medicaid, Children’s
Health Insurance Program (CHIP), or
related audit or evaluation. (1) Patient
identifying information, as defined in
§ 2.11, may be disclosed under
paragraph (c) of this section to any
individual or entity for the purpose of
conducting a Medicare, Medicaid, or
CHIP audit or evaluation, including an
audit or evaluation necessary to meet
the requirements for a Centers for
Medicare & Medicaid Services (CMS)regulated accountable care organization
(CMS-regulated ACO) or similar CMSregulated organization (including a
CMS-regulated Qualified Entity (QE)), if
the individual or entity agrees in writing
to comply with the following:
(i) Maintain and destroy the patient
identifying information in a manner
consistent with the policies and
procedures established under § 2.16;
(ii) Retain records in compliance with
applicable federal, state, and local
record retention laws; and
(iii) Comply with the limitations on
disclosure and use in paragraph (d) of
this section.
(2) A Medicare, Medicaid, or CHIP
audit or evaluation under this section
includes a civil or administrative
investigation of a part 2 program by any
federal, state, or local government
agency with oversight responsibilities
for Medicare, Medicaid, or CHIP and
includes administrative enforcement,
against the part 2 program by the
government agency, of any remedy
authorized by law to be imposed as a
result of the findings of the
investigation.
PO 00000
Frm 00035
Fmt 4701
Sfmt 4702
7021
(3) An audit or evaluation necessary
to meet the requirements for a CMSregulated ACO or similar CMS-regulated
organization (including a CMS-regulated
QE) must be conducted in accordance
with the following:
(i) A CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE) must:
(A) Have in place administrative and
clinical systems; and
(B) Have in place a leadership and
management structure, including a
governing body and chief executive
officer with responsibility for oversight
of the organization’s management and
for ensuring compliance with and
adherence to the terms and conditions
of the Participation Agreement with
CMS; and
(ii) A CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE) must have a signed
Participation Agreement with CMS,
which provides that the CMS-regulated
ACO or similar CMS-regulated
organization (including a CMS-regulated
QE):
(A) Is subject to periodic evaluations
by CMS, or is required by CMS to
evaluate participants in the CMSregulated ACO or similar CMS-regulated
organization (including a CMS-regulated
QE) relative to CMS-defined or
approved quality and/or cost measures;
(B) Must designate an executive who
has the authority to legally bind the
organization to ensure compliance with
42 U.S.C. 290dd-2 and this part and the
terms and conditions of the
Participation Agreement in order to
receive patient identifying information
from CMS;
(C) Agrees to comply with all
applicable provisions of 42 U.S.C.
290dd-2 and this part;
(D) Must ensure that any audit or
evaluation involving patient identifying
information occurs in a confidential and
controlled setting approved by the
designated executive;
(E) Must ensure that any
communications or reports or other
documents resulting from an audit or
evaluation under this section do not
allow for the direct or indirect
identification of a patient as having or
having had a substance use disorder;
and
(F) Must establish policies and
procedures to protect the confidentiality
of the patient identifying information
consistent with this part, the terms and
conditions of the Participation
Agreement, and the requirements set
forth in paragraph (c)(1) of this section.
(4) Program, as defined in § 2.11,
includes an employee of, or provider of
medical services under the program
E:\FR\FM\09FEP3.SGM
09FEP3
7022
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
when the employee or provider is the
subject of a civil investigation or
administrative remedy, as those terms
are used in paragraph (c)(2) of this
section.
(5) If a disclosure to an individual or
entity is authorized under this section
for a Medicare, Medicaid, or CHIP audit
or evaluation, including a civil
investigation or administrative remedy,
as those terms are used in paragraph
(c)(2) of this section, then a quality
improvement organization which
obtains the information under paragraph
(a) or (b) of this section may disclose the
information to that individual or entity
but only for the purpose of conducting
a Medicare, Medicaid, or CHIP audit or
evaluation.
(6) The provisions of this paragraph
do not authorize the part 2 program, the
federal, state, or local government
agency, or any other individual or entity
to disclose or use patient identifying
information obtained during the audit or
evaluation for any purposes other than
those necessary to complete the audit or
evaluation as specified in paragraph (c)
of this section.
(d) Limitations on disclosure and use.
Except as provided in paragraph (c) of
this section, patient identifying
information disclosed under this section
may be disclosed only back to the
program from which it was obtained
and used only to carry out an audit or
evaluation purpose or to investigate or
prosecute criminal or other activities, as
authorized by a court order entered
under § 2.66.
Subpart E—Court Orders Authorizing
Disclosure and Use
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
§ 2.61
Legal effect of order.
(a) Effect. An order of a court of
competent jurisdiction entered under
this subpart is a unique kind of court
order. Its only purpose is to authorize a
disclosure or use of patient information
which would otherwise be prohibited
by 42 U.S.C. 290dd–2 and these
regulations. Such an order does not
compel disclosure. A subpoena or a
similar legal mandate must be issued in
order to compel disclosure. This
mandate may be entered at the same
time as and accompany an authorizing
court order entered under these
regulations.
(b) Examples. (1) A person holding
records subject to these regulations
receives a subpoena for those records.
The person may not disclose the records
in response to the subpoena unless a
court of competent jurisdiction enters
an authorizing order under these
regulations.
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
(2) An authorizing court order is
entered under these regulations, but the
person authorized does not want to
make the disclosure. If there is no
subpoena or other compulsory process
or a subpoena for the records has
expired or been quashed, that person
may refuse to make the disclosure.
Upon the entry of a valid subpoena or
other compulsory process the person
authorized to disclose must disclose,
unless there is a valid legal defense to
the process other than the
confidentiality restrictions of these
regulations.
§ 2.62 Order not applicable to records
disclosed without consent to researchers,
auditors and evaluators.
A court order under these regulations
may not authorize qualified personnel,
who have received patient identifying
information without consent for the
purpose of conducting research, audit or
evaluation, to disclose that information
or use it to conduct any criminal
investigation or prosecution of a patient.
However, a court order under § 2.66
may authorize disclosure and use of
records to investigate or prosecute
qualified personnel holding the records.
§ 2.63
Confidential communications.
(a) A court order under these
regulations may authorize disclosure of
confidential communications made by a
patient to a part 2 program in the course
of diagnosis, treatment, or referral for
treatment only if:
(1) The disclosure is necessary to
protect against an existing threat to life
or of serious bodily injury, including
circumstances which constitute
suspected child abuse and neglect and
verbal threats against third parties;
(2) The disclosure is necessary in
connection with investigation or
prosecution of an extremely serious
crime, such as one which directly
threatens loss of life or serious bodily
injury, including homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, or child abuse and
neglect; or
(3) The disclosure is in connection
with litigation or an administrative
proceeding in which the patient offers
testimony or other evidence pertaining
to the content of the confidential
communications.
(b) [Reserved]
§ 2.64 Procedures and criteria for orders
authorizing disclosures for noncriminal
purposes.
(a) Application. An order authorizing
the disclosure of patient records for
purposes other than criminal
investigation or prosecution may be
applied for by any person having a
PO 00000
Frm 00036
Fmt 4701
Sfmt 4702
legally recognized interest in the
disclosure which is sought. The
application may be filed separately or as
part of a pending civil action in which
it appears that the patient records are
needed to provide evidence. An
application must use a fictitious name,
such as John Doe, to refer to any patient
and may not contain or otherwise
disclose any patient identifying
information unless the patient is the
applicant or has given a written consent
(meeting the requirements of these
regulations) to disclosure or the court
has ordered the record of the proceeding
sealed from public scrutiny.
(b) Notice. The patient and the person
holding the records from whom
disclosure is sought must be provided:
(1) Adequate notice in a manner
which will not disclose patient
identifying information to other
persons; and
(2) An opportunity to file a written
response to the application, or to appear
in person, for the limited purpose of
providing evidence on the statutory and
regulatory criteria for the issuance of the
court order.
(c) Review of evidence: Conduct of
hearing. Any oral argument, review of
evidence, or hearing on the application
must be held in the judge’s chambers or
in some manner which ensures that
patient identifying information is not
disclosed to anyone other than a party
to the proceeding, the patient, or the
person holding the record, unless the
patient requests an open hearing in a
manner which meets the written
consent requirements of these
regulations. The proceeding may
include an examination by the judge of
the patient records referred to in the
application.
(d) Criteria for entry of order. An
order under this section may be entered
only if the court determines that good
cause exists. To make this
determination the court must find that:
(1) Other ways of obtaining the
information are not available or would
not be effective; and
(2) The public interest and need for
the disclosure outweigh the potential
injury to the patient, the physicianpatient relationship and the treatment
services.
(e) Content of order. An order
authorizing a disclosure must:
(1) Limit disclosure to those parts of
the patient’s record which are essential
to fulfill the objective of the order;
(2) Limit disclosure to those persons
whose need for information is the basis
for the order; and
(3) Include such other measures as are
necessary to limit disclosure for the
protection of the patient, the physician-
E:\FR\FM\09FEP3.SGM
09FEP3
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
patient relationship and the treatment
services; for example, sealing from
public scrutiny the record of any
proceeding for which disclosure of a
patient’s record has been ordered.
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
§ 2.65 Procedures and criteria for orders
authorizing disclosure and use of records
to criminally investigate or prosecute
patients.
(a) Application. An order authorizing
the disclosure or use of patient records
to criminally investigate or prosecute a
patient may be applied for by the person
holding the records or by any law
enforcement or prosecutorial officials
who are responsible for conducting
investigative or prosecutorial activities
with respect to the enforcement of
criminal laws. The application may be
filed separately, as part of an
application for a subpoena or other
compulsory process, or in a pending
criminal action. An application must
use a fictitious name such as John Doe,
to refer to any patient and may not
contain or otherwise disclose patient
identifying information unless the court
has ordered the record of the proceeding
sealed from public scrutiny.
(b) Notice and hearing. Unless an
order under § 2.66 is sought with an
order under this section, the person
holding the records must be provided
(1) Adequate notice (in a manner
which will not disclose patient
identifying information to other
persons) of an application by a law
enforcement agency or official;
(2) An opportunity to appear and be
heard for the limited purpose of
providing evidence on the statutory and
regulatory criteria for the issuance of the
court order; and
(3) An opportunity to be represented
by counsel independent of counsel for
an applicant who is a law enforcement
agency or official.
(c) Review of evidence: Conduct of
hearings. Any oral argument, review of
evidence, or hearing on the application
shall be held in the judge’s chambers or
in some other manner which ensures
that patient identifying information is
not disclosed to anyone other than a
party to the proceedings, the patient, or
the person holding the records. The
proceeding may include an examination
by the judge of the patient records
referred to in the application.
(d) Criteria. A court may authorize the
disclosure and use of patient records for
the purpose of conducting a criminal
investigation or prosecution of a patient
only if the court finds that all of the
following criteria are met:
(1) The crime involved is extremely
serious, such as one which causes or
directly threatens loss of life or serious
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
bodily injury including homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, and child abuse and
neglect.
(2) There is a reasonable likelihood
that the records will disclose
information of substantial value in the
investigation or prosecution.
(3) Other ways of obtaining the
information are not available or would
not be effective.
(4) The potential injury to the patient,
to the physician-patient relationship
and to the ability of the part 2 program
to provide services to other patients is
outweighed by the public interest and
the need for the disclosure.
(5) If the applicant is a law
enforcement agency or official that:
(i) The person holding the records has
been afforded the opportunity to be
represented by independent counsel;
and
(ii) Any person holding the records
which is an entity within federal, state,
or local government has in fact been
represented by counsel independent of
the applicant.
(e) Content of order. Any order
authorizing a disclosure or use of
patient records under this section must:
(1) Limit disclosure and use to those
parts of the patient’s record which are
essential to fulfill the objective of the
order;
(2) Limit disclosure to those law
enforcement and prosecutorial officials
who are responsible for, or are
conducting, the investigation or
prosecution, and limit their use of the
records to investigation and prosecution
of extremely serious crime or suspected
crime specified in the application; and
(3) Include such other measures as are
necessary to limit disclosure and use to
the fulfillment of only that public
interest and need found by the court.
§ 2.66 Procedures and criteria for orders
authorizing disclosure and use of records
to investigate or prosecute a part 2 program
or the person holding the records.
(a) Application. (1) An order
authorizing the disclosure or use of
patient records to criminally or
administratively investigate or
prosecute a part 2 program or the person
holding the records (or employees or
agents of that part 2 program or person
holding the records) may be applied for
by any administrative, regulatory,
supervisory, investigative, law
enforcement, or prosecutorial agency
having jurisdiction over the program’s
or person’s activities.
(2) The application may be filed
separately or as part of a pending civil
or criminal action against a part 2
program or the person holding the
PO 00000
Frm 00037
Fmt 4701
Sfmt 4702
7023
records (or agents or employees of the
part 2 program or person holding the
records) in which it appears that the
patient records are needed to provide
material evidence. The application must
use a fictitious name, such as John Doe,
to refer to any patient and may not
contain or otherwise disclose any
patient identifying information unless
the court has ordered the record of the
proceeding sealed from public scrutiny
or the patient has provided a written
consent (meeting the requirements of
§ 2.31) to that disclosure.
(b) Notice not required. An
application under this section may, in
the discretion of the court, be granted
without notice. Although no express
notice is required to the part 2 program,
to the person holding the records, or to
any patient whose records are to be
disclosed, upon implementation of an
order so granted any of the above
persons must be afforded an
opportunity to seek revocation or
amendment of that order, limited to the
presentation of evidence on the
statutory and regulatory criteria for the
issuance of the court order.
(c) Requirements for order. An order
under this section must be entered in
accordance with, and comply with the
requirements of, paragraphs (d) and (e)
of § 2.64.
(d) Limitations on disclosure and use
of patient identifying information. (1)
An order entered under this section
must require the deletion of patient
identifying information from any
documents made available to the public.
(2) No information obtained under
this section may be used to conduct any
investigation or prosecution of a patient,
or be used as the basis for an application
for an order under § 2.65.
§ 2.67 Orders authorizing the use of
undercover agents and informants to
criminally investigate employees or agents
of a part 2 program.
(a) Application. A court order
authorizing the placement of an
undercover agent or informant in a part
2 program as an employee or patient
may be applied for by any law
enforcement or prosecutorial agency
which has reason to believe that
employees or agents of the part 2
program are engaged in criminal
misconduct.
(b) Notice. The part 2 program
director must be given adequate notice
of the application and an opportunity to
appear and be heard (for the limited
purpose of providing evidence on the
statutory and regulatory criteria for the
issuance of the court order), unless the
application asserts a belief that:
E:\FR\FM\09FEP3.SGM
09FEP3
7024
Federal Register / Vol. 81, No. 26 / Tuesday, February 9, 2016 / Proposed Rules
mstockstill on DSK4VPTVN1PROD with PROPOSALS3
(1) The part 2 program director is
involved in the criminal activities to be
investigated by the undercover agent or
informant; or
(2) The part 2 program director will
intentionally or unintentionally disclose
the proposed placement of an
undercover agent or informant to the
employees or agents who are suspected
of criminal activities.
(c) Criteria. An order under this
section may be entered only if the court
determines that good cause exists. To
make this determination the court must
find:
(1) There is reason to believe that an
employee or agent of the part 2 program
is engaged in criminal activity;
(2) Other ways of obtaining evidence
of this criminal activity are not available
or would not be effective; and
(3) The public interest and need for
the placement of an undercover agent or
informant in the part 2 program
VerDate Sep<11>2014
19:00 Feb 08, 2016
Jkt 238001
outweigh the potential injury to patients
of the part 2 program, physician-patient
relationships and the treatment services.
(d) Content of order. An order
authorizing the placement of an
undercover agent or informant in a part
2 program must:
(1) Specifically authorize the
placement of an undercover agent or an
informant;
(2) Limit the total period of the
placement to six months;
(3) Prohibit the undercover agent or
informant from disclosing any patient
identifying information obtained from
the placement except as necessary to
criminally investigate or prosecute
employees or agents of the part 2
program; and
(4) Include any other measures which
are appropriate to limit any potential
disruption of the part 2 program by the
placement and any potential for a real
or apparent breach of patient
PO 00000
Frm 00038
Fmt 4701
Sfmt 9990
confidentiality; for example, sealing
from public scrutiny the record of any
proceeding for which disclosure of a
patient’s record has been ordered.
(e) Limitation on use of information.
No information obtained by an
undercover agent or informant placed in
a part 2 program under this section may
be used to criminally investigate or
prosecute any patient or as the basis for
an application for an order under § 2.65.
Dated: February 2, 2016.
Kana Enomoto,
Acting Administrator, Substance Abuse and
Mental Health Services Administration.
Approved: February 4, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human
Services.
[FR Doc. 2016–01841 Filed 2–5–16; 11:15 am]
BILLING CODE 4162–20–P
E:\FR\FM\09FEP3.SGM
09FEP3
]]>Agencies
[Federal Register Volume 81, Number 26 (Tuesday, February 9, 2016)]
[Proposed Rules]
[Pages 6987-7024]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-01841]
[[Page 6987]]
Vol. 81
Tuesday,
No. 26
February 9, 2016
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 2
Confidentiality of Substance Use Disorder Patient Records; Proposed
Rule
��Federal Register / Vol. 81 , No. 26 / Tuesday, February 9, 2016 /
Proposed Rules��
[[Page 6988]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
42 CFR Part 2
[SAMHSA-4162-20]
RIN 0930-AA21
Confidentiality of Substance Use Disorder Patient Records
AGENCY: Substance Abuse and Mental Health Services Administration
(SAMHSA), HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: This proposed rule addresses changes to the Confidentiality of
Alcohol and Drug Abuse Patient Records regulations. This proposal was
prompted by the need to update and modernize the regulations. These
laws and regulations governing the confidentiality of substance abuse
records were written out of great concern about the potential use of
substance abuse information against an individual, preventing those
individuals with substance use disorders from seeking needed treatment.
The last substantive update to these regulations was in 1987. Over the
last 25 years, significant changes have occurred within the U.S. health
care system that were not envisioned by the current regulations,
including new models of integrated care that are built on a foundation
of information sharing to support coordination of patient care, the
development of an electronic infrastructure for managing and exchanging
patient information, and a new focus on performance measurement within
the health care system. SAMHSA wants to ensure that patients with
substance use disorders have the ability to participate in, and benefit
from new integrated health care models without fear of putting
themselves at risk of adverse consequences. These new integrated models
are foundational to HHS's triple aim of improving health care quality,
improving population health, and reducing unnecessary health care
costs. SAMHSA strives to facilitate information exchange within new
health care models while addressing the legitimate privacy concerns of
patients seeking treatment for a substance use disorder. These concerns
include: The potential for loss of employment, loss of housing, loss of
child custody, discrimination by medical professionals and insurers,
arrest, prosecution, and incarceration. This proposal is also an effort
to make the regulations more understandable and less burdensome. We
welcome public comment on this proposed rule.
DATES: To be assured consideration, comments must be received at one of
the ADDRESSES provided below, no later than 5 p.m. on April 11, 2016.
ADDRESSES: In commenting, please refer to file code SAMHSA 4162-20.
Because of staff and resource limitations, we cannot accept
comments by facsimile (FAX) transmission.
You may submit comments in one of four ways (to avoid duplication,
please submit your comments in only one of the ways listed):
1. Electronically: Federal eRulemaking Portal. You may submit
comments electronically to https://www.regulations.gov. Follow the
``Submit a comment'' instructions.
2. By regular mail. Written comments mailed by regular mail must be
sent to the following address ONLY: The Substance Abuse and Mental
Health Services Administration, Department of Health and Human
Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room 13N02B,
Rockville, Maryland 20857.
Please allow sufficient time for mailed comments to be received before
the close of the comment period.
3. By express or overnight mail. Written comments sent by express
or overnight mail must be sent to the following address ONLY: The
Substance Abuse and Mental Health Services Administration, Department
of Health and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane,
Room 13N02B, Rockville, Maryland 20852.
4. By hand or courier. Written comments delivered by hand or
courier must be delivered to the following address ONLY: The Substance
Abuse and Mental Health Services Administration, Department of Health
and Human Services, Attn: SAMHSA-4162-20, 5600 Fishers Lane, Room
13N02B, Rockville, Maryland 20857.
For information on viewing public comments, see the beginning of
the SUPPLEMENTARY INFORMATION section.
FOR FURTHER INFORMATION CONTACT: Kate Tipping, 240-276-1652, Email
address: PrivacyRegulations@samhsa.hhs.gov.
SUPPLEMENTARY INFORMATION:
Inspection of Public Comments: ALL COMMENTS received before the
close of the comment period are available for viewing by the public,
including any personally identifiable and/or confidential information
that is included in a comment. We post all comments received as soon as
possible after they have been received on the following Web site:
https://www.regulations.gov. Follow the search instructions on that Web
site to view public comments.
Comments received before the close of the comment period will also
be available for public inspection, generally beginning approximately 3
weeks after publication of a document, at the headquarters of the
Substance Abuse and Mental Health Services Administration, 5600 Fishers
Lane, Rockville, Maryland 20857, Monday through Friday of each week
from 8:30 a.m. to 4 p.m. To schedule an appointment to view public
comments, phone 240-276-1660.
We will consider all comments we receive by the date and time
specified in the DATES section of this preamble, and will respond to
the comments in the preamble of the final rule.
Effective date of proposed Sec. 2.13(d): As discussed in the
preamble, the proposed Sec. 2.13(d) shall not go into effect until two
years after the effective date of the final rule.
Table of Contents
To assist readers in referencing sections contained in this
preamble, we are providing a table of contents.
I. Executive Summary
A. Purpose
B. Summary of the Major Provisions
C. Summary of Impacts
II. Background
A. Significant Technology Changes
B. Statutory and Rulemaking History
III. Provisions of This Proposed Rule
A. Reports of Violations (Sec. 2.4)
1. Overview
2. Proposed Revisions
B. Definitions (Sec. 2.11)
1. Overview
2. Proposed Revisions
a. New Definitions
i. Part 2 Program
ii. Part 2 Program Director
iii. Substance Use Disorder
iv. Treating Provider Relationship
v. Withdrawal Management
b. Existing Definitions
i. Central Registry
ii. Disclose or Disclosure
iii. Maintenance Treatment
iv. Member Program
v. Patient
vi. Patient Identifying Information
vii. Person
viii. Program
ix. Qualified Service Organization
x. Records
xi. Treatment
c. Terminology Changes
C. Applicability (Sec. 2.12)
1. Overview
2. Proposed Revisions
D. Confidentiality Restrictions and Safeguards (Sec. 2.13)
1. Overview
2. Proposed Revisions
E. Security for Records (Sec. 2.16)
1. Overview
2. Proposed Revisions
F. Disposition of Records by Discontinued Programs (Sec. 2.19)
[[Page 6989]]
1. Overview
2. Proposed Revisions
G. Notice to Patients of Federal Confidentiality Requirements
(Sec. 2.22)
1. Overview
2. Proposed Revisions
H. Consent Requirements (Sec. 2.31)
1. Overview
2. Proposed Revisions
a. To Whom
i. Overview
ii. Proposed Revisions
b. Amount and Kind
i. Overview
ii. Proposed Revisions
c. From Whom
i. Overview
ii. Proposed Revisions
d. New Requirements
i. Overview
ii. Proposed Revisions
I. Prohibition on Re-disclosure (Sec. 2.32)
1. Overview
2. Proposed Revisions
J. Disclosures to Prevent Multiple Enrollments (Sec. 2.34)
1. Overview
2. Proposed Revisions
K. Medical Emergencies (Sec. 2.51)
1. Overview
2. Proposed Revisions
L. Research (Sec. 2.52)
1. Overview
2. Proposed Revisions
M. Audit and Evaluation (Sec. 2.53)
1. Overview
2. Proposed Revisions
IV. Collection of Information Requirements
V. Response to Comments
VI. Regulatory Impact Analysis
A. Statement of Need
B. Overall Impact
1. Direct Costs of Implementing the Proposed Regulations
a. Staff Training
b. Updates to Consent Forms
c. List of Disclosures Costs
d. IT Updates
C. Conclusion
Acronyms
ACO Accountable Care Organization
ABAM American Board of Addiction Medicine
ADAMHA Alcohol, Drug Abuse and Mental Health Administration
ANSI American National Standards Institute
ARRA American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)
ATR Access to Recovery
CCO Coordinated Care Organization
CFR Code of Federal Regulations
CHIP Children's Health Insurance Program
CMS Centers for Medicare & Medicaid Services
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
FAX Facsimile
FDA Food and Drug Administration
FR Federal Register
FWA Federalwide Assurance
HHS Department of Health and Human Services
HIE Health Information Exchange
HIPAA Health Insurance Portability and Accountability Act of 1996
(Pub. L. 104-191)
HITECH Health Information Technology for Economic and Clinical
Health
HL7 Health Level 7
IG Implementation Guide
IT Information Technology
IRB Institutional Review Board
NPRM Notice of Proposed Rulemaking
N-SSATS National Survey of Substance Abuse Treatment Services
OECD Organization for Economic Cooperation and Development
OHRP Office for Human Research Protections
OMB Office of Management and Budget
ONC Office of the National Coordinator for Health Information
Technology
PDMP Prescription Drug Monitoring Program
QE Qualified Entity
QSO Qualified Service Organization
QSOA Qualified Service Organization Agreement
RFA Regulatory Flexibility Act
SAMHSA Substance Abuse and Mental Health Services Administration
S&I Standards and Interoperability
TEDS Treatment Episode Data Set
U.S.C. United States Code
VA Department of Veterans Affairs
I. Executive Summary
A. Purpose
This proposed rule would revise title 42 of the Code of Federal
Regulations part 2 (42 CFR part 2), Confidentiality of Alcohol and Drug
Abuse Patient Records regulations. The authorizing statute (Title 42,
United States Code, Section 290dd-2) protects the confidentiality of
the identity, diagnosis, prognosis, or treatment of any patient records
which are maintained in connection with the performance of any
federally assisted program or activity relating to substance abuse
education, prevention, training, treatment, rehabilitation, or
research. Title 42 of the CFR part 2 was first promulgated in 1975 (40
FR 27802) and last substantively updated in 1987 (52 FR 21796).
The laws and regulations governing the confidentiality of substance
abuse records were written out of great concern about the potential use
of substance abuse information against individuals, causing individuals
with substance use disorders to not seek needed treatment. The
disclosure of records of individuals with substance use disorders has
the potential to lead to a host of negative consequences including:
Loss of employment, loss of housing, loss of child custody,
discrimination by medical professionals and insurers, arrest,
prosecution, and incarceration. The purpose of the regulations at 42
CFR part 2 is to ensure that a patient receiving treatment for a
substance use disorder in a part 2 program is not made more vulnerable
by reason of the availability of their patient record than an
individual with a substance use disorder who does not seek treatment.
Under the current regulations, a federally assisted substance use
disorder program generally may only release identifiable information
related to substance use disorder diagnosis, treatment, or referral for
treatment with the individual's express consent. Now over 25 years
later, this proposed rule would make policy changes to the regulations
to better align them with advances in the U.S. health care delivery
system while retaining important privacy protections.
Unless otherwise noted, these changes would be applicable beginning
180 days after the publication of the final rule. If programs that were
required to comply with 42 CFR part 2 prior to the effective date of
the final rule continue to fall within the scope of 42 CFR part 2 as
outlined in the final rule, they would be required to come into
compliance with any revised regulations by the effective date of the
final rule. However, signed consent forms in place prior to the
effective date of the final rule would be valid until they expire.
Nonetheless, part 2 programs may update signed consent forms consistent
with the final rule, prior to the effective date of the final rule if
they so choose. Consents obtained after the effective date would need
to comply with the final rule, regardless of whether the consents
involve patient identifying information obtained prior to or after the
effective date of the final rule.
B. Summary of the Major Provisions
This proposed rule is intended to modernize the 42 CFR part 2 (part
2) rules by facilitating the electronic exchange of substance use
disorder information for treatment and other legitimate health care
purposes while ensuring appropriate confidentiality protections for
records that might identify an individual, directly or indirectly, as
having or having had a substance use disorder. To achieve this goal, we
propose the following modifications.
We propose, in Section III.A., Reports of Violations (Sec. 2.4),
to revise the requirement for reporting violations of these regulations
by methadone programs (now referred to as opioid treatment programs) to
the Food and Drug Administration (FDA) because the authority over these
programs was transferred from the FDA to Substance Abuse and Mental
Health Services Administration (SAMHSA) in 2001.
[[Page 6990]]
In Section III.B., Definitions (Sec. 2.11), we propose to revise
some existing definitions, add new definitions of key terms that apply
to 42 CFR part 2, and consolidate all but one of the definitions that
are currently in other sections in Sec. 2.11. We propose to revise the
definitions of ``Central registry,'' ``Disclose or disclosure,''
``Maintenance treatment,'' ``Member program,'' ``Patient,'' ``Patient
identifying information,'' ``Person,'' ``Program,'' ``Qualified service
organization (QSO),'' ``Records,'' and ``Treatment.'' We also propose
to add definitions of ``Part 2 program,'' ``Part 2 program director,''
``Substance use disorder,'' ``Treating provider relationship,'' and
``Withdrawal management.'' Some of these new definitions replace
existing definitions. In addition, we propose to revise the regulatory
text to use terminology in a consistent manner.
In Section III.C., Applicability (Sec. 2.12), SAMHSA proposes to
continue to apply the 42 CFR part 2 regulations to a program that is
federally assisted and holds itself out as providing, and provides,
substance use disorder diagnosis, treatment, or referral for treatment,
but, where currently paragraph (1) of the definition of ``Program''
does not apply to general medical facilities, SAMHSA now proposes that
paragraph (1) would not apply to either general medical facilities or
general medical practices. The proposed language goes on to clarify
that paragraph (2) and (3) of the definition of Program would apply to
``general medical facilities'' and ``general medical practices'' under
certain conditions. For example, an identified unit within a general
medical facility or general medical practice will be subject to part 2
if it holds itself out as providing, and provides, substance use
disorder diagnosis, treatment, or referral for treatment, or if the
primary function of medical personnel or other staff in the general
medical facility or general medical practice is the provision of such
services and they are identified as providing such services.
In Section III.D., Confidentiality Restrictions and Safeguards
(Sec. 2.13), SAMHSA proposes to add a requirement that, upon request,
patients who have included a general designation in the ``To Whom''
section of their consent form (see Sec. 2.31) must be provided a list
of entities to which their information has been disclosed pursuant to
the general designation.
In Section III.E., Security for Records (Sec. 2.16), SAMHSA
proposes to clarify that this section requires both part 2 programs and
other lawful holders of patient identifying information to have in
place formal policies and procedures addressing security, including
sanitization of associated media, for both paper and electronic
records.
In Section III.F., Disposition of Records by Discontinued Programs
(Sec. 2.19), we propose to address both paper and electronic records.
SAMHSA also is proposing to add requirements for sanitizing associated
media.
In Section III.G., Notice to Patients of Federal Confidentiality
Requirements (Sec. 2.22), we propose to clarify that the written
summary of federal law and regulations may be provided to patients in
either paper or electronic format. SAMHSA also proposes to require the
statement regarding the reporting of violations include contact
information for the appropriate authorities.
In Section III.H., Consent Requirements (Sec. 2.31), SAMHSA is
proposing to allow, in certain circumstances, a patient to include a
general designation in the ``To Whom'' section of the consent form, in
conjunction with requirements that: (1) The consent form include an
explicit description of the amount and kind of substance use disorder
treatment information that may be disclosed; and (2) the ``From Whom''
section of the consent form specifically name the part 2 program or
other lawful holder of the patient identifying information permitted to
make the disclosure. SAMHSA also is proposing to require the part 2
program or other lawful holder of patient identifying information to
include a statement on the consent form that the patient understands
the terms of their consent and, when using a general designation in the
``To Whom'' section of the consent form, that they have a right to
obtain, upon request, a list of entities to which their information has
been disclosed pursuant to the general designation (see Sec. 2.13). In
addition, SAMHSA is proposing to permit electronic signatures to the
extent that they are not prohibited by any applicable law.
In Section III.I., Prohibition on Re-disclosure (Sec. 2.32), we
propose to clarify that the prohibition on re-disclosure only applies
to information that would identify, directly or indirectly, an
individual as having been diagnosed, treated, or referred for treatment
for a substance use disorder, such as indicated through standard
medical codes, descriptive language, or both, and allows other health-
related information shared by the part 2 program to be re-disclosed, if
permissible under other applicable laws.
In Section III.J., Disclosures to Prevent Multiple Enrollments
(Sec. 2.34), we propose to modernize the terminology and definitions
and move the definitions to Sec. 2.11, Definitions.
In Section III.K., Medical Emergencies (Sec. 2.51), we propose to
revise the medical emergency exception to make it consistent with the
statutory language and to give providers more discretion to determine
when a ``bona fide medical emergency'' exists.
In Section III.L., Research (Sec. 2.52), SAMHSA proposes to revise
the research exception to permit data protected by 42 CFR part 2 to be
disclosed to qualified personnel for the purpose of conducting
scientific research by a part 2 program or any other individual or
entity that is in lawful possession of part 2 data if the researcher
provides documentation of meeting certain requirements related to other
existing protections for human research. SAMHSA also is proposing to
address data linkages to enable researchers holding part 2 data to link
to data sets from federal data repositories, and is seeking comment on
expanding this provision to non-federal data repositories.
We propose, in Section III.M., Audit and Evaluation (Sec. 2.53),
to modernize the requirements to include provisions for governing both
paper and electronic patient records. SAMHSA also proposes to permit an
audit or evaluation necessary to meet the requirements of a Centers for
Medicare & Medicaid Services (CMS)-regulated accountable care
organization (CMS-regulated ACO) or similar CMS-regulated organization
(including a CMS-regulated Qualified Entity (QE)), under certain
conditions.
C. Summary of Impacts
Our goal in modernizing the part 2 regulations is to increase
opportunities for individuals with substance use disorders to
participate in new and emerging health and health care models and
health information technology (IT). Our intent is to facilitate the
sharing of information within the health care system to support new
models of integrated health care which, among other things, improve
patient safety while maintaining or strengthening privacy protections
for individuals seeking treatment for substance use disorders. We
expect the proposed changes to 42 CFR part 2 to result in a decrease in
the burdens associated with several aspects of this rule, including
consent requirements. Moreover, as patients are allowed, in certain
circumstances, to include a general designation in the ``To Whom''
section of the consent form, we anticipate there
[[Page 6991]]
would be more individuals with substance use disorders participating in
organizations that facilitate the exchange of health information (e.g.,
health information exchanges (HIEs)) and organizations that coordinate
care (e.g., accountable care organizations (ACOs) and coordinated care
organizations (CCOs)), leading to increased efficiency and quality in
the provision of health care for this population.
When estimating the total costs associated with changes to the 42
CFR part 2 regulations, we assumed five sets of costs: Updates to
health IT system costs, costs for staff training and updates to
training curricula, costs to update patient consent forms, costs
associated with providing patients a list of entities to which their
information has been disclosed pursuant to a general designation on the
consent form (i.e., the List of Disclosures requirement), and
implementation costs associated with the List of Disclosure
requirements. We assumed that costs associated with modifications to
existing health IT systems, staff training costs associated with
updating staff training materials, and costs to update consent forms
would be one-time costs the first year the final rule is in effect and
would not carry forward into future years. Staff training costs other
than those associated with updating training materials are assumed to
be ongoing annual costs to part 2 programs, also beginning in the first
year that the final rule is in effect. The List of Disclosures costs
are assumed to be ongoing annual costs to entities named on a consent
form that disclose patient identifying information to their
participants under the general designation. The List of Disclosures
requirement, however, does not go into effect until two years after the
final rule is in effect. Therefore, in years 1 and 2, the costs
associated with the List of Disclosures provision are limited to
implementation costs for entities that chose to upgrade their health IT
systems in order to comply with the List of Disclosure requirements.
We estimate, therefore, that in the first year that the final rule
is in effect, the costs associated with updates to 42 CFR part 2 would
be $74,217,979. In year two, we estimate that costs would be
$47,021,182. In years 3 through 10, we estimate the annual costs would
be $14,835,444. Over the 10-year period 2015-2024, the total
undiscounted cost of the proposed changes would be $239,922,716 in 2015
dollars. When future costs are discounted at 3 percent or 7 percent per
year, the total costs become approximately $220.9 million or $200.9
million, respectively.
Based on data from the 2013 National Survey of Substance Abuse
Treatment Services (N-SSATS), we estimate that 12,034 hospitals,
outpatient treatment centers, and residential treatment facilities are
covered by part 2. N-SSATS is an annual survey of U.S. substance abuse
treatment facilities. Data is collected on facility location,
characteristics, and service utilization. Not all treatment providers
included in N-SSATs are believed to be under the jurisdiction of the
part 2 regulations. The 12,034 number is a subset of the 14,148
substance abuse treatment facilities that responded to the 2013 N-
SSATS, and includes all federally operated facilities, facilities that
reported receiving public funding other than Medicare and Medicaid,
facilities that reported accepting Medicare, Medicaid, TRICARE, and/or
Access to Recovery (ATR) voucher payments, or were SAMHSA-certified
Opioid Treatment Programs.
If an independently practicing clinician does not meet the
requirements of paragraph (1) of the definition of Program (an
individual or entity (other than a general medical facility or general
medical practice) who holds itself out as providing and provides
substance use disorder diagnosis, treatment or referral for treatment),
they may be subject to 42 CFR part 2 if they constitute an identified
unit within a general medical facility or general medical practice
which holds itself out as providing, and provides, substance use
disorder diagnosis, treatment, or referral for treatment, or if their
primary function in the facility or practice is the provision of such
services and they are identified by the facility or practice as
providing such services. Due to data limitations, it was not possible
to estimate the costs for independently practicing providers covered by
part 2 that did not participate in the 2013 N-SSATS. For example, data
from the American Board of Addiction Medicine (ABAM) provides the
number of physicians since 2000, who have active ABAM certification.
However, there is no source for the number of physicians who have not
participated in the ABAM certification process. In addition, it is not
possible to determine which ABAM-certified physicians practice in a
general medical setting rather than in a specialty treatment facility
that was already counted in the N-SSATS data.
Several provisions in the Notice of Proposed Rulemaking (NPRM)
reference other lawful holders of patient identifying information in
combination with part 2 programs. These other lawful holders must
comply with part 2 requirements with respect to information they
maintain that is covered by part 2 regulations. However, because this
group is not clearly defined with respect to the range of organizations
it may include, we are unable to include estimates regarding the number
and type of these organizations and are only including part 2 programs
in this analysis.
In addition to the part 2 programs described above, entities named
on a consent form that disclose patient identifying information to
their participants under the general designation must provide patients,
upon request, a list of entities to which their information has been
disclosed pursuant to a general designation. These entities primarily
would include organizations that facilitate the exchange of health
information (e.g., HIEs), and also may include organizations
responsible for care coordination (e.g., ACOs, CCOs, and patient-
centered medical homes (sometimes called health homes)). While these
types of organizations were the primary focus of this provision on the
consent form, other types of entities, such as research institutions,
also may disclose patient identifying information to their participants
(e.g., clinical researchers) pursuant to the general designation on the
consent form. Because there are no definitive data sources for this
potential range of organizations, we are not associating List of
Disclosures requests with any particular type of organization. Instead,
we chose to estimate the number of organizations that must respond to
List of Disclosures requests based on the total number of requests each
year.
II. Background
A. Significant Technology Changes
Since the promulgation of 42 CFR part 2, significant technology
changes have impacted the delivery of health care. The Office of the
National Coordinator for Health Information Technology (ONC) was
established as an office within the Department of Health and Human
Services (HHS) under Executive Order 13335 on April 27, 2004.
Subsequently, on February 17, 2009, the Health Information Technology
for Economic and Clinical Health Act (HITECH Act) of the American
Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) expanded
the Department's health IT work, including the expansion of ONC's
authority and the provision of federal funds for ONC's activities
consistent with the
[[Page 6992]]
development of a nationwide health IT infrastructure. This work
included the certification of health IT; the authorization of CMS'
Electronic Health Record (EHR) Incentive Program, including payments to
eligible providers for the adoption and meaningful use of certified EHR
technology; and numerous other federal agencies' programs--all of which
served the objective of ensuring patient health information is secure,
private, accurate, and available where and when needed.
SAMHSA has played a role in encouraging the use of health IT by
behavioral health (substance use disorders and mental health)
providers. SAMHSA's efforts included collaborating with ONC to develop
two sets of Frequently Asked Questions and convening a number of
stakeholder meetings to provide guidance on the application of 42 CFR
part 2 within HIE models. In addition, SAMHSA funded a one-year pilot
project in 2012 with five state HIEs to support the exchange of health
information among behavioral health and physical health providers.
SAMHSA also worked with ONC and other federal agencies on several
projects to support behavioral health and health information exchange.
The Data Segmentation for Privacy (DS4P) initiative within ONC's
Standards and Interoperability (S&I) Framework facilitated the
development of standards to improve the interoperability of EHRs
containing sensitive information that must be protected to a greater
degree than other health information due to 42 CFR part 2 and similar
state laws. The DS4P initiative met its two goals, which were to:
Demonstrate how standards can be used to support current privacy
policies for sharing sensitive health information across organizational
boundaries; and develop standards that will enable sensitive electronic
health information to flow more freely to authorized users while
improving the ability of health IT systems to implement current privacy
protection requirements for certain types of health care data, such as
substance use disorder patient records. The S&I Framework is a
collaborative community of contributors from the public and private
sectors who are focused on providing the tools, services, and guidance
to facilitate the electronic exchange of health information. The DS4P
initiative involved 344 volunteers, including, but not limited to,
federal and state government agencies, behavioral health providers, EHR
and other IT companies, health information exchanges, patient advocacy
groups, professional societies/associations, consultants, health
systems, health insurers, and universities.
Through the DS4P initiative, federal and community stakeholders
developed standards and guidelines for enabling data segmentation and
managing patient consent preferences. The technical approach outlined
in the DS4P Implementation Guide (IG) is based on the experience of the
six pilot projects and the solutions they developed to meet the DS4P
project requirements. The DS4P IG is an American National Standards
Institute (ANSI) approved standard. It was also voted on and approved
at the highest level to become what Health Level 7 (HL7) calls a
normative standard (a foundational part of the technology needed to
meet the global challenge of integrating health care information). The
HL7 balloting process included 155 stakeholders, including HL7
affiliates, vendors, consultants, payers, providers, non-profit
organizations, and federal government representatives. The HL7 standard
is the currently acceptable standard for data segmentation and consent
management. In addition, it is in compliance with 42 CFR part 2.
The six DS4P IG use case pilot projects that were conducted in
accordance with ONC's S&I Framework included the Department of Veterans
Affairs (VA)/Substance Abuse and Mental Health Services Administration
(SAMHSA) Pilot. The VA/SAMHSA Pilot implemented all the DS4P use cases
and passed all conformance tests. The VA/SAMHSA Pilot was also the
first application to show that managing consents and patient
directives, as well as segmenting structured data in a patient record,
can be done. SAMHSA used these DS4P standards to develop the
application branded Consent2Share, an open-source health IT solution
which assists in consent management and data segmentation.
Consent2Share validates that the DS4P IG can be used to build a
production-based application to manage the patient consent lifecycle
electronically. The Consent2Share software is currently being used by
the Prince Georges County (Maryland) Health Department to manage
patient consent directives while sharing substance use disorder
information with an HIE. While this technology is not perfect, it
provides a foundational standard and shows promise for sharing
substance use disorder information while complying with 42 CFR part 2.
Notwithstanding these efforts, SAMHSA is aware that technology
adoption is an ongoing process and the majority of current EHR and HIE
applications may not have the capability to support the DS4P
initiative. In addition, paper records are still used today in some
part 2 programs and shared through facsimile (FAX). Despite SAMHSA's
efforts to clarify the part 2 regulations through guidance and to
demonstrate that exchange of sensitive health information can be
accomplished through pilot projects that adhere to the regulations,
some stakeholders continued to request modernization of 42 CFR part 2.
These stakeholders are concerned that part 2, as currently written,
continues to be a barrier to the integration of substance use disorder
treatment and physical health care. For example, some substance use
disorder treatment centers cannot participate in integrated care models
because they have not implemented data segmentation and consent
management functionalities necessary to comply with the part 2 rules.
Further, under the current regulations, the part 2 program director is
the only individual authorized to release of information for scientific
research purposes. In addition, under the current regulatory framework,
absent consent, organizations that store patient health data, including
data that are subject to part 2, do not have the authority to disclose
part 2 data for scientific research purposes to qualified researchers
or research organizations. This could hinder a full understanding of
impacts of treatment for addiction and other health issues. Finally,
some stakeholders continue to request modernization of the part 2
rules, in media and other public and private forums.
B. Statutory and Rulemaking History
The Confidentiality of Alcohol and Drug Abuse Patient Records
regulations, 42 CFR part 2, implement section 543 of the Public Health
Service Act, 42 United States Code (U.S.C.) Sec. 290dd-2, as amended
by section 131 of the Alcohol, Drug Abuse and Mental Health
Administration Reorganization Act (ADAMHA Reorganization Act), Pub. L.
102-321 (July 10, 1992). The regulations were promulgated as a final
rule on July 1, 1975 (40 FR 27802). In 1980, the Department invited
public comment on 15 substantive issues arising out of its experience
interpreting and implementing the regulations (45 FR 53). More than 450
public responses to that invitation were received and taken into
consideration in the preparation of a 1983 NPRM (48 FR 38758).
Approximately 150 comments were received in response to the NPRM and
were taken into consideration in the preparation of the final rule
released on June 9, 1987 (52 FR 21798).
[[Page 6993]]
The Department published a NPRM again in the Federal Register (FR)
on August 18, 1994 (59 FR 42561), which proposed a clarification of the
definition of ``Program'' in the regulations. Specifically, the
Department proposed to clarify that, as to general medical care
facilities, these regulations cover only specialized individuals or
units in such facilities that hold themselves out as providing and
provide alcohol or drug abuse diagnosis, treatment, or referral for
treatment and which are federally assisted, directly or indirectly. On
May 5, 1995, the final rule was released (60 FR 22296).
SAMHSA posted a document in the Federal Register on May 12, 2014,
(79 FR 26929) announcing a public Listening Session planned for June
11, 2014, to solicit feedback on the Confidentiality of Alcohol and
Drug Abuse Patient Records regulations, 42 CFR part 2. SAMHSA accepted
written comments until June 25, 2014.
In the Federal Register notification for the public Listening
Session (79 FR 26929), SAMHSA invited general comments, as well as
comments on six key provisions of 42 CFR part 2: Applicability, Consent
requirements, Re-disclosure, Medical emergency, QSO, and Research. In
addition, SAMHSA solicited input on electronic prescribing and
Prescription Drug Monitoring Programs (PDMPs), areas that could
potentially impact part 2 programs. Approximately 1,800 individuals
participated in the listening session, either in person or by phone.
During the session, 112 oral comments were made, while another 635
written comments were submitted during the written comment period. The
Listening Session comments are posted on the SAMHSA Web site at https://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations. In general, commenters supported updating
the regulations or opposed it. Some commenters proposed aligning 42 CFR
part 2 with the Health Insurance Portability and Accountability Act of
1996 (HIPAA) regulations. However, due to its targeted population, part
2 provides more stringent federal protections than most other health
privacy laws, including HIPAA. We are choosing not to address any
specific comments or summarize comments in detail in this proposed
rule. However, all the feedback received from the Listening Session was
considered and helped to inform the development of this NPRM. In
addition, SAMHSA collaborated with its federal partner experts in
developing this NPRM.
SAMHSA decided not to address issues pertaining to e-prescribing
and PDMPs in this NPRM. SAMHSA concluded that the part 2 program e-
prescribing and PDMPs are not ripe for rulemaking at this time due to
the state of technology and because the majority of part 2 programs are
not prescribing controlled substances electronically. SAMHSA intends to
monitor developments in this area to see whether further action may be
warranted in the future.
III. Provisions of This Proposed Rule
The intent of this NPRM is to propose revisions to key provisions
of 42 CFR part 2 to modernize the regulations adopted in the June 1987
final rule and amended by the May 1995 final rule. This modernization
is necessary because behavioral health, including substance use
disorder treatment, is essential to overall health; the costs of
untreated substance use disorders, both personal and societal, are
substantial; and there continues to be a need for confidentiality
protections that encourage patients to seek treatment without fear of
compromising their privacy.
Individuals seeking treatment for substance use disorders often are
met with a host of negative reactions including discrimination and harm
to their reputations and relationships. In addition, there is a
potential for serious civil and criminal consequences for the
disclosure of patient identifying information associated with substance
use disorders beyond the health care context. We are mindful of the
intent of the governing statute (42 U.S.C. 290dd-2) and regulations at
42 CFR part 2, which is to protect the confidentiality of substance
abuse patient records so as not to make an individual receiving
treatment for a substance use disorder in a part 2 program more
vulnerable by virtue of seeking treatment than an individual with a
substance use disorder who does not seek treatment. SAMHSA strives to
facilitate information exchange within new and emerging health and
health care models, which promote integrated care and patient safety,
while respecting the legitimate privacy concerns of patients seeking
treatment for a substance use disorder due to the potential for
discrimination, harm to their reputations and relationships, and
serious civil and criminal consequences. SAMHSA also is mindful that
any regulatory changes contemplated must be consistent with the
authorizing legislation (42 U.S.C. 290dd-2) and its statutory intent.
This proposed rule also proposes editorial changes. SAMHSA deleted
references to 42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3 in Sec. 2.1,
Statutory authority for confidentiality of drug abuse patient records,
and Sec. 2.2, Statutory authority for confidentiality of alcohol abuse
patient records. Sections 290dd-3 and 290ee-3 were omitted by Public
Law 102-321 and combined and renamed into Sections 290dd-2,
Confidentiality of records. We also combined Sec. Sec. 2.1 and 2.2 and
propose to rename the new Sec. 2.1 (Statutory authority for
confidentiality of substance abuse patient records) and re-designate
Sec. Sec. 2.2-2.5. In addition, we deleted references to laws and
regulations that have been repealed in Sec. 2.21. Finally, we made
editorial changes throughout the regulations to increase clarity and
consistency.
Along with proposing substantive revisions to various sections of
42 CFR part 2, SAMHSA has proposed a number of technical, non-
substantive changes for clarity and consistency that are reflected
throughout the regulations. For the convenience of the public, SAMHSA
is reprinting the text of 42 CFR part 2 in its entirety, which includes
the proposed modifications incorporated into the existing provisions.
SAMHSA, however, is only seeking comment on the proposed changes to the
regulations that are discussed in the preamble of this NPRM. Sections
of 42 CFR part 2 that have not been proposed for revision are not
subject to review or comment under this NPRM.
A. Reports of Violations (Sec. 2.4)
1. Overview
In the current regulations, methadone programs are required to
report violations of these regulations to the FDA.
2. Proposed Revisions
We propose to revise the requirement (Sec. 2.5(b)) of reporting
violations of these regulations by a methadone program to the FDA. The
authority over methadone programs (now referred to as opioid treatment
programs) was transferred from the FDA to SAMHSA in 2001 (66 FR 4076).
Suspected violations of 42 CFR part 2 by opioid treatment programs may
be reported to the U.S. Attorney's Office for the judicial district in
which the violation occurred, as well as the SAMHSA office responsible
for opioid treatment program oversight.
[[Page 6994]]
B. Definitions (Sec. 2.11)
1. Overview
Certain defined terms in the current regulations are used
inconsistently. SAMHSA also received inquiries regarding certain terms
and how they apply to new health care models. In addition, the current
regulations include definitions in four different sections (Sec. Sec.
2.11, 2.12, 2.14 and 2.34).
2. Proposed Revisions
SAMHSA proposes to consolidate all of the definitions, with the
exception the definition of the term ``Federally assisted,'' in a
single section at Sec. 2.11. SAMHSA proposes to retain the definition
of the term ``Federally assisted'' in the Applicability provision at
Sec. 2.12 for the purpose of clarity because it is key to
understanding the applicability of 42 CFR part 2. We encourage readers
to review all of the definitions, since a clear understanding of the
regulations builds on an understanding of the definitions and their
inter-relationships.
a. New Definitions
i. Part 2 Program
The current regulations define ``Federally assisted'' separately
from the term ``Program'' but do not define the term ``Part 2
program.'' In addition, the terms ``Program'' and ``federally assisted
alcohol or drug abuse program'' are used interchangeably. Therefore,
SAMHSA proposes to define a ``Part 2 program'' as a federally assisted
program (federally assisted as defined in Sec. 2.12(b) and program as
defined in Sec. 2.11). See Sec. 2.12(e)(1) for examples.
We proposed to retain the examples provided in Sec. 2.12(e)(1) of
the current regulations, with a clarification, because they explain the
part 2 applicability and coverage.
SAMHSA proposes to replace the term ``Program'' with ``Part 2
program,'' where appropriate. For example, we propose to revise the
definition of QSO, including replacing ``Program'' with ``Part 2
program,'' which is discussed in depth below (see Section III.B.2.b.,
Existing Definitions). We also propose to replace ``Program'' with
``Part 2 program'' in several other definitions, while making no
additional changes.
ii. Part 2 Program Director
Because of the addition of the ``Part 2 program'' definition, we
also are proposing to define a ``Part 2 program director'' as:
In the case of a part 2 program which is an individual,
that individual, and
In the case of a part 2 program which is an entity, the
individual designated as director or managing director, or individual
otherwise vested with authority to act as chief executive officer of
the part 2 program.
We propose to delete the definition of ``Program director.''
iii. Substance Use Disorder
SAMHSA proposes to refer to alcohol abuse and drug abuse
collectively as ``Substance use disorder'' and, when referring to the
authorizing statute, use ``substance abuse'' since that is the term
used in Title 42, United States Code, Section 290dd-2. SAMHSA also uses
the term ``substance abuse'' when referencing information from other
publications that use that term. SAMHSA proposes to use the term
``Substance use disorder'' to be consistent with recognized
classification manuals, current diagnostic lexicon, and commonly used
descriptive terminology, and, for consistency, proposes to revise the
title of 42 CFR part 2 from ``Confidentiality of Alcohol and Drug Abuse
Patient Records'' to ``Confidentiality of Substance Use Disorder
Patient Records.''
While SAMHSA proposes to delete the definitions of ``Alcohol
abuse'' and ``Drug abuse,'' we continue to use the terms ``Alcohol
abuse'' and ``Drug abuse'' when referring to 42 U.S.C. 290dd-3 and 42
U.S.C. 290ee-3 (omitted by Pub. L. 102-321 and combined and renamed
into Section 290dd-2), respectively, because they are the terms used in
the outdated statutes. See Sec. 2.11 of the current regulations for
definitions of the terms ``Alcohol abuse'' and ``Drug abuse''.
SAMHSA proposes to define the term ``Substance use disorder'' in
such a manner as to cover substance use disorders that can be
associated with altered mental status that has the potential to lead to
risky and/or socially prohibited behaviors, including, but not limited
to, substances such as, alcohol, cannabis, hallucinogens, inhalants,
opioids, sedatives, hypnotics, anxiolytics, and stimulants. In
addition, SAMHSA proposes to clarify that, for the purposes of these
regulations, the definition excludes both tobacco and caffeine.
iv. Treating Provider Relationship
As noted in more detail in Section III.H., Consent Requirements,
SAMHSA has heard a number of concerns from stakeholders regarding the
current consent requirements in Sec. 2.31 of the regulations. SAMHSA
is proposing to revise the consent requirements to permit, in certain
circumstances, a more general description of the individuals or
entities to which a disclosure is made, but only if the individuals or
entities have a treating provider relationship with the patient whose
information is being disclosed. This change, therefore, creates a need
to define a treating provider relationship.
A treating provider relationship begins when an individual seeks
health-related assistance from an individual or entity who may provide
assistance. However, the relationship is clearly established when the
individual or entity agrees to undertake diagnosis, evaluation and/or
treatment of the patient, or consultation with the patient, and the
patient agrees to be treated, whether or not there has been an actual
in-person encounter between the individual or entity and patient. A
treating provider relationship with a patient may be established by a
health care provider or another member of a health care team as long as
the relationship meets the definition of ``Treating provider
relationship.''
A treating provider relationship means that, regardless of whether
there has been an actual in-person encounter:
A patient agrees to be diagnosed, evaluated and/or treated
for any condition by an individual or entity, and
The individual or entity agrees to undertake diagnosis,
evaluation and/or treatment of the patient, or consultation with the
patient, for any condition.
The term ``agrees'' as used in the definition does not necessarily
imply a formal written agreement. An agreement might be evidenced,
among other things, by making an appointment or by a telephone
consultation.
v. Withdrawal Management
SAMHSA proposes to update the terminology in Sec. 2.34. We propose
to delete the definition of ``Detoxification treatment'' and replace it
with the definition of the currently acceptable term, ``Withdrawal
management.'' We also propose to move this definition from Sec. 2.34
to Sec. 2.11 to consolidate definitions in one section of the
regulations.
b. Existing Definitions
SAMHSA proposes to update terminology in existing definitions to
accurately convey the meaning of terms and increase the
understandability of the proposed rule. In addition, SAMHSA proposes to
consolidate all but one of the defined terms in Sec. 2.11.
i. Central Registry
SAMHSA proposes to update the terminology in Sec. 2.34 and move
this
[[Page 6995]]
definition from Sec. 2.34 to Sec. 2.11 to consolidate definitions.
We are proposing to revise the definition to incorporate currently
accepted terminology.
ii. Disclose or Disclosure
We propose to define only one word, ``Disclose,'' since it is
implied that the same definition applies to other forms of the word. We
also propose to update terminology and make the definition clearer.
iii. Maintenance Treatment
SAMHSA proposes to update the terminology in Sec. 2.34 and move
this definition from Sec. 2.34 to Sec. 2.11 to consolidate
definitions.
iv. Member Program
SAMHSA proposes to update the terminology in Sec. 2.34 and move
this definition from Sec. 2.34 to Sec. 2.11 to consolidate
definitions.
v. Patient
To emphasize that the term ``Patient'' refers to both current and
former patients, SAMHSA proposes to revise the definition to provide
that a patient is any individual who has applied for or been given
diagnosis, treatment, or referral for treatment for a substance use
disorder at a part 2 program. Patient includes any individual who,
after arrest on a criminal charge, is identified as an individual with
a substance use disorder in order to determine that individual's
eligibility to participate in a part 2 program. This definition
includes both current and former patients.
vi. Patient Identifying Information
SAMHSA proposes to clarify that ``Patient,'' as used in this
definition, is a defined term in Sec. 2.11. In addition, SAMHSA
deleted the words ``and speed.'' If the information could identify the
patient, the speed with which it identifies the patient is not
relevant.
vii. Person
The current definition of ``Person'' includes both individuals and
entities. For the purpose of this proposed regulation, SAMHSA considers
an ``individual'' to be a human being. SAMHSA proposes to revise the
definition of ``Person'' to clearly indicate that ``Person'' is also
referred to as individual and/or entity.
viii. Program
SAMHSA is proposing to make the following changes to the
``Program'' definition. First, because the current definition of
``Program'' includes both the terms ``general medical care facility''
and ``general medical facility,'' and because these terms are used
interchangeably, we are proposing to consistently use the term
``general medical facility.''
Second, more substance use disorder treatment services are
occurring in general health care and integrated care settings, which
are typically not covered under the current regulations. Providers who
in the past offered only general or specialized health care services
(other than substance use disorder services) now, on occasion, provide
substance use disorder treatment services, but only as incident to the
provision of general health care. Therefore, SAMHSA proposes to make
clear that paragraph (1) of the definition of ``Program'' would not
apply to ``general medical facilities'' and ``general medical
practices.'' However, paragraphs (2) and (3) of the definition of
``Program'' would apply to ``general medical facilities'' and ``general
medical practices.'' Finally, SAMHSA is proposing to move the reference
to examples from the definition of ``Program'' to the definition of
``Part 2 program'' because 42 CFR part 2 would apply only to ``Part 2
programs'' as defined in the proposed regulations.
The inclusion of general medical practices with general medical
facilities is consistent with SAMHSA's intention to ensure
confidentiality protections and access to treatment for individuals
whose identity as substance use disorder patients would be compromised
if records of the specialized programs from which they seek treatment
were not covered by these regulations while not unnecessarily imposing
requirements on general medical facilities or practices in an overly
broad manner.
Consistent with the definition of ``Program'':
1. If a provider is not a general medical facility or general
medical practice, then the provider meets the part 2 definition of a
``Program'' if it is an individual or entity who holds itself out as
providing, and provides substance use disorder diagnosis, treatment, or
referral for treatment.
2. If the provider is an identified unit within a general medical
facility or general medical practice, it is a ``Program'' if it holds
itself out as providing, and provides, substance use disorder
diagnosis, treatment or referral for treatment.
3. If the provider consists of medical personnel or other staff in
a general medical facility or general medical practice, it is a
``Program'' if its primary function is the provision of substance use
disorder diagnosis, treatment, or referral for treatment and is
identified as such specialized medical personnel or other staff by the
general medical facility or general medical practice.
While the term ``general medical facility'' is not defined at 42
CFR 2.11 (Definitions), hospitals, trauma centers, or federally
qualified health centers would generally be considered ``general
medical facilities.'' Therefore, primary care providers who work in
such facilities would only be covered by the part 2 definition of a
``Program'' if: (1) They work in an identified unit within such general
medical facility that holds itself out as providing, and provides,
substance use disorder diagnosis, treatment or referral for treatment,
or (2) the primary function of the providers is substance use disorder
diagnosis, treatment or referral for treatment and they are identified
as providers of such services by the general medical facility.
In addition, a practice comprised of primary care providers could
be considered a ``general medical practice.'' As such, an identified
unit within that general medical practice that holds itself out as
providing and provides substance use disorder diagnosis, treatment, or
referral for treatment would be considered a ``Program'' as defined in
Sec. 2.11 of these regulations. In addition, medical personnel or
staff within that general medical practice whose primary function is
the provision of substance use disorder services and who are identified
as such providers by the general medical practice would qualify as a
``Program'' under the definition in these part 2 regulations.
Finally, ``Holds itself out'' is currently not defined in Sec.
2.11, Definitions. SAMHSA has previously published guidance relative to
the term and proposes to add an explanation of ``Holds itself out'' to
the Preamble discussion in Sec. 2.12, Applicability. Consistent with
that guidance, ``Holds itself out'' means any activity that would lead
one to reasonably conclude that the individual or entity provides
substance use disorder diagnosis, treatment, or referral for treatment
including but not limited to:
Authorization by the state or federal government (e.g.
licensed, certified, registered) to provide, and provides, such
services,
Advertisements, notices, or statements relative to such
services, or
Consultation activities relative to such services.
As is the case throughout these regulations, understanding all
defined terms is important. In the case of the definition of
``Program'' and how it
[[Page 6996]]
relates to the applicability of these regulations (see Sec. 2.12), two
other definitions are particularly relevant: ``Diagnosis,'' and
``Treatment.'' See Sec. 2.11 of the proposed regulations for the
definitions of ``Diagnosis'' and ``Treatment.''
ix. Qualified Service Organization
A qualified service organization (QSO) is an individual or entity
(see definition of ``Person,'' above) that provides a service to a part
2 program consistent with a qualified service organization agreement
(QSOA). A QSOA is a two-way agreement between a part 2 program and the
individual or entity providing the desired service. Under the current
statutory authority, patient records pertaining to substance abuse may
be shared only with the prior written consent of the patient or under a
few limited exceptions that are specifically enumerated in 42 U.S.C.
290dd-2. However, Sec. 2.12(c)(4) indicates that these restrictions on
disclosure do not apply to communications between a part 2 program and
a QSO regarding information needed by the QSO to provide services to
the part 2 program consistent with the QSOA. Accordingly, SAMHSA has
consistently articulated in applicable guidance that a QSO would be
permitted to disclose the part 2 information to a contract agent if it
needs to do so in order to provide the services described in the QSOA,
and as long as the agent only discloses the information back to the QSO
or the part 2 program from which the information originated. If a
disclosure is made by the QSO to an agent acting on its behalf to
perform the service, both the QSO and the agent are bound by the part 2
regulations, and neither organization can disclose the information
except as permitted by part 2 and SAMHSA's interpretive guidance.
Recognizing the importance of population health management, SAMHSA
proposes to revise the definition of QSO to include population health
management in the list of examples of services a QSO may provide.
Population health management refers to increasing desired health
outcomes and conditions through monitoring and identifying individual
patients within a group. To achieve the best outcomes, providers must
supply proactive, preventive, and chronic care to all of their
patients, both during and between encounters with the health care
system. For patients with substance use disorders, who often have
comorbid conditions, proactive, preventive, and chronic care is
important to achieving desired outcomes.
Any QSOA executed between a part 2 program and an organization
providing population health management services would be limited to the
office or unit responsible for population health management in the
organization (e.g., the ACO, CCO, patient-centered medical home
(sometimes called health home), or managed care organization), not the
entire organization and not its participants (e.g., case managers,
physicians, addiction counselors, hospitals, and clinics). Once a QSOA
is in place, 42 CFR part 2 permits the part 2 program to communicate
information from patients' records to the organization providing
population health management services as long as it is limited to
information needed by the organization to provide such services to the
part 2 program. An organization providing population health management
services may disclose part 2 information that it has received from a
part 2 program to its participants (other than the originating part 2
program) only if the patient signs a part 2-compliant consent form
agreeing to those disclosures.
SAMHSA's proposal to add population health management to the list
of examples of the services that may be offered by a QSO is consistent
with the Affordable Care Act (Patient Protection and Affordable Care
Act of 2010 (Pub. L. 111-148)) and the HHS Strategic Plan FY 2014-2018
which includes the goals of improving health care and population health
through meaningful use of health IT. We believe this revision would
benefit patients' health, safety, and quality of life while maintaining
the confidentiality protections that attach to the part 2 program's
patient records.
SAMHSA also proposes to revise the term ``medical services'' as
listed in the examples of permissible services offered by a QSO to
clarify that it is limited to ``medical staffing services.'' SAMHSA
proposes to make this revision to emphasize that QSOAs should not be
used to avoid obtaining patient consent. Accordingly, a QSOA could be
used by a part 2 program to contract with a provider of on-call
coverage services (previously clarified in guidance) or other medical
staffing services but could not be used to disclose John Doe's patient
identifying information to his primary care doctor for the purpose of
treatment (other than that provided under a QSOA for medical staffing
services). However, an individual or entity who is prohibited from
providing treatment to an individual patient under a QSOA, may still
meet the requirements of having a treating provider relationship (based
on the definition in Sec. 2.11) with respect to the Consent
Requirements in Sec. 2.31. Likewise, care coordination was not added
to the list of examples of permissible services offered by a QSO
because care coordination has a patient treatment component.
x. Records
Consistent with the goal of modernizing the regulations, SAMHSA
proposes to revise the definition of ``Records'' to include any
information, whether recorded or not, received or acquired by a part 2
program relating to a patient. For the purpose of these regulations,
records include both paper and electronic records.
xi. Treatment
As part of its effort to modernize these regulations, SAMHSA is
proposing to delete the term, ``management,'' from the ``Treatment''
definition. In today's health care environment, ``management'' has a
much broader meaning than it did when the regulations were last
revised.
c. Terminology Changes
In addition to proposing changes to several definitions, we propose
the following terminology changes. These changes are intended to ensure
consistency in the use of terms throughout the regulations, and to
increase the understandability of the proposed rule.
The current regulations use a variety of terms to refer to law
enforcement (e.g., ``office,'' ``agency or official,'' and
``authorities'') as well as using related terms (e.g., ``persons or
individuals within the criminal justice system''. We propose to
consistently refer to law enforcement as ``law enforcement agencies or
officials.'' In addition, the current regulations use the terms
``organization'' and ``entity.'' Neither term is defined but ``entity''
is included in both the definition of ``Program'' and ``Person.'' For
this reason, we propose to use the term ``entity'' instead of
``organization'' wherever possible. Finally, because we have revised
the definition of ``Patient'' to clarify that it includes both current
and former patients, we have revised the grammar, where appropriate.
For the purposes of this regulation, we also propose that the term
``written'' include both paper and electronic documentation. In
addition, we propose to use the phrase ``part 2 program or other lawful
holder of patient identifying information'' to refer to a part 2
program or other individual or entity that is in lawful possession of
patient identifying information. A
[[Page 6997]]
``lawful holder'' of patient identifying information is an individual
or entity who has received such information as the result of a part 2-
compliant patient consent (with a re-disclosure notice) or as a result
of one of the limited exceptions to the consent requirements specified
in the regulations and, therefore, is bound by 42 CFR part 2. Examples
of such ``lawful holders'' of patient identifying information include a
patient's treating provider, a hospital emergency room, an insurance
company, an individual or entity performing an audit or evaluation, or
an individual or entity conducting scientific research. We are not
making any specific proposals with regard to ``unlawful holders'' of
patient identifying information in this NPRM because unlawful holders
are addressed in Sec. 2.3 Criminal penalty for violation.
A patient who has obtained a copy of their records or a family
member who has received such information from a patient would not be
considered a ``lawful holder of patient identifying information'' in
this context. As stated in Sec. 2.23(a), the regulations do not
prohibit a part 2 program from giving a patient access to their own
records, including the opportunity to inspect and copy any records that
the part 2 program maintains about the patient. The part 2 program is
not required to obtain a patient's written consent or other
authorization under these regulations in order to provide such access
to the patient or their legal representative.
C. Applicability (Sec. 2.12)
1. Overview
The 1987 regulations (52 FR 21798) limited the applicability of 42
CFR part 2 to specialized programs, (i.e., to those federally assisted
programs that hold themselves out as providing and which actually
provide alcohol or drug abuse diagnosis, treatment, and referral for
treatment). HHS took the position that limiting the applicability to
specialized programs would simplify the administration of the
regulations without significantly affecting the incentive to seek
treatment provided by the confidentiality protections. Applicability to
specialized programs lessened the adverse economic impact on a
substantial number of facilities that provided substance use disorder
care only as an incident to the provision of general medical care.
2. Proposed Revisions
SAMHSA considered options for defining what information is covered
by 42 CFR part 2, including the option of defining covered information
based on the type of substance use disorder treatment services provided
instead of the type of facility providing the services. SAMHSA,
however, rejected that approach because more substance use disorder
treatment services are occurring in general health care and integrated
care settings, which typically are not covered under the current
regulations. Providers who in the past offered only general or
specialized health care services (other than substance use disorder
services) now, on occasion, provide substance use disorder treatment
services, but only as incident to the provision of general health care.
As discussed in Section III.B.2.b., Existing Definitions, we
propose to revise the definition of ``Program'' to align it more
closely with current health care delivery models. SAMHSA proposes to
make clear that paragraph (1) of the definition of ``Program'' would
not apply to ``general medical facilities'' and ``general medical
practices.'' However, paragraphs (2) and (3) of the definition of
``Program'' would apply to ``general medical facilities'' and ``general
medical practices.''
SAMHSA also proposes to include the term ``Part 2 program,'' as
discussed in Section III.B.2.a.i. The definition of ``Program'' in
Sec. 2.11 did not explicitly include ``Federally assisted as defined
in Sec. 2.12(b)''. As a result, we are proposing to add a definition
of ``Part 2 program.'' We propose to define the term and to use the
term ``Part 2 program,'' where appropriate, throughout the proposed
regulations.
This approach is consistent with the approach taken in 1987 because
it essentially limits the applicability of 42 CFR part 2 to specialized
programs, which simplifies the administration of the regulations
without significantly affecting the incentive to seek treatment
provided by the confidentiality protections. We do not foresee that the
exclusion from part 2 coverage of health care providers who work in
general medical practices and provide substance use disorder treatment
services as incident to the provision of general health care would act
as a deterrent to individuals seeking assistance for substance use
disorders.
In addition, in the current regulation, Sec. 2.12(d)(2)(iii),
restrictions on disclosures apply to individuals or entities who have
received patient records directly from part 2 programs. SAMHSA proposes
to revise Sec. 2.12(d)(2)(iii) so that restrictions on disclosures
also apply to individuals or entities who receive patient records
directly from other lawful holders of patient identifying information.
This change is consistent with the discussion of ``other lawful holder
of patient identifying information'' in the preamble discussion in
Terminology Changes in Section III.B.2.c. and the proposed inclusion of
this term in other sections of this NPRM. Patient records subject to
these regulations include patient records maintained by part 2 programs
as well as those records in the possession of ``other lawful holders of
patient identifying information.''
D. Confidentiality Restrictions and Safeguards (Sec. 2.13)
1. Overview
Currently, 42 CFR part 2 does not include a way for patients to
determine to whom their records have been disclosed.
2. Proposed Revisions
As discussed in Section G., Consent Requirements (Sec. 2.31),
SAMHSA proposes to permit, in certain circumstances, the inclusion of a
general designation in the ``To Whom'' section of the consent form.
Specifically, in the case of an entity that does not have a treating
provider relationship with the patient whose information is being
disclosed, SAMHSA proposes to permit the designation of the name(s) of
the entity(-ies) and a general designation of an individual or entity
participant(s) or a class of participants that must be limited to those
participants who have a treating provider relationship with the patient
whose information is being disclosed. An entity without a treating
provider relationship includes, for example, an entity that facilitates
the exchange of health information (e.g., HIE). The consent form,
therefore, could designate the HIE (an entity that does not have a
treating provider relationship with the patient whose information is
being disclosed) and ``my treating providers'' (a general designation
of a class of individual and/or entity participants with a treating
provider relationship with that same patient). Under this proposal, the
consent form could not, however, include the general function ``HIE''
without specifying the name of the HIE entity used by the treating
provider. Under this proposal, merely listing a function is not
sufficient for consent because it would not sufficiently identify the
recipient of the patient identifying information. Since SAMHSA is
proposing to allow a general designation in the circumstances discussed
above, we are proposing that, upon request, patients who have included
a general
[[Page 6998]]
designation in the ``To Whom'' section of their consent form must be
provided, by the entity without a treating provider relationship that
serves as an intermediary (see Sec. 2.31(a)(4)(iv)), a list of
entities to which their information has been disclosed pursuant to the
general designation (List of Disclosures).
SAMHSA is proposing to require that the list of disclosures include
a list of the entities to which the information was disclosed pursuant
a general designation. However, if entities that are required to comply
with the List of Disclosures requirement wish to include individuals on
the list of disclosures, in addition to the required data elements
which are outlined in Sec. 2.13(d)(2)(ii), nothing in this proposed
rule prohibits it.
SAMHSA considered requiring both individuals and entities to be
included on the list of disclosures but, after reviewing the Health
Information Technology Privacy Committee's recommendations, decided to
require, at a minimum, a list of entities. These recommendations
addressed the HITECH requirement that HIPAA covered entities and
business associates account for disclosures for treatment, payment, and
health care operations made through an EHR. The Committee recommended,
``that the content of the disclosure report be required to include only
an entity name rather than a specific individual as proposed in the
NPRM.'' In addition, the report noted that the Organization for
Economic Cooperation and Development (OECD) principles, the Fair Credit
Reporting Act, and the Privacy Act of 1974 do not require that the
names of individuals be provided.
SAMHSA proposes that individuals who received patient identifying
information pursuant to the general designation on a consent form
should be included on the List of Disclosures based on an entity
affiliation, such as the name of their practice or place of employment.
Patients who wish to know the name of the individual to whom their
information was disclosed may ask the entity on the List of Disclosures
to provide that information, however, 42 CFR part 2 would not require
the entity to comply with a patient's request.
In order to allow time to develop, test, and implement advanced
technology to more efficiently comply with this requirement, SAMHSA is
proposing that the List of Disclosures requirement become effective two
years after the effective date of the final rule. Some entities may be
able to comply with this requirement without developing and
implementing new technologies. In addition, entities that use and
disclose primarily paper records could easily implement a system, if
one does not already exist, such as a sign-out/sign-in log, that could
be used to generate such a list. SAMHSA anticipates that there will be
few requests based on the relatively small number of accounting
requests that most covered entities have received to date under the
HIPAA Accounting for Disclosures rule, according to some anecdotal
reports.
SAMHSA is proposing that patient requests for a list of entities to
which their information has been disclosed must be in writing and
limited to disclosures made within the past two years. Consistent with
the preamble discussion of terminology (Sec. 2.11, Definitions),
``written'' includes both paper and electronic documentation. A request
letter addressed to the entity that disclosed the information might
include language such as: ``I am writing to request a list of the
entities to which my information has been disclosed within the past two
years. This request is consistent with 42 CFR 2.13, which also includes
the requirements for your response. Thank you for your assistance.''
In addition, SAMHSA is proposing that entities named on the consent
form that disclose information to their participants under the general
designation (entities without a treating provider relationship that
serve as intermediaries) must respond to requests for a list of
disclosures in 30 or fewer calendar days of receipt of the request.
Responses sent to the patient electronically may be sent by encrypted
transmission (e.g., email), or by unencrypted email at the request of
the patient, so long as the patient has been informed of the potential
risks associated with unsecured transmission. Patients should be
notified that there may be some level of risk that the information in
an unencrypted email could be read by a third party. If patients are
notified of the risks and still prefer unencrypted email, the patient
has the right to receive the information in that way, and entities are
not responsible for unauthorized access of the information while in
transmission to the patient based on the patient's request.
Before using an unsecured method to respond to a request for a list
of disclosures, an entity should take certain precautions, such as
checking an email address for accuracy before sending it or sending an
email alert to the patient for address confirmation to avoid unintended
disclosures. Patients may also request that the entity communicate with
them by an alternative means or at an alternative location. Responses
sent by mail may be sent by United States Postal Service first class
mail, an equivalent service, or a service with additional security
features (e.g., tracking). The response must include the name of the
entity to which each disclosure was made, the date of the disclosure,
and a brief description of the information disclosed. The brief
description of the information disclosed must have sufficient
specificity to be understandable to the patient. An example of a brief
description of the information disclosed is a copy of the written
request for disclosure. This requirement to provide a list of
disclosures cannot be satisfied by providing patients with a list (or
web address) of entities that potentially could receive their patient
identifying information.
This proposed revision would facilitate patients' participation in
advances in the health care delivery system by increasing their
confidence that they could be informed, upon request, of who received
their information pursuant to a general designation on the consent
form.
In addition, confirming the identity of an individual who is not
and has never been a patient while remaining silent on the identity of
an actual patient could, by inference, compromise patient privacy. For
example, if a reporter is inquiring about five individuals and only Mr.
Smith is not and never has been a patient, by confirming that Mr. Smith
is not and never has been a patient and remaining silent on the other
four individuals, the part 2 program could enable the reporter to
conclude that the other four individuals either are patients or have
been patients. Therefore, SAMHSA is proposing to remove the concept
from Sec. 2.13(c)(2) that the regulations do not restrict a disclosure
that an identified individual is not and never has been a patient. If
confirming the identity of an individual who is not and never has been
a patient, caution should be used so as not to make an inadvertent
disclosure with respect to one or more other individuals. This proposed
rule does not prohibit entities that receive a request for information
about an individual from refusing to disclose any information
regardless of whether the individual is or ever has been a patient(s).
E. Security for Records (Sec. 2.16)
1. Overview
Currently, the Security for Written Records section in Sec. 2.16
addresses the maintenance, disclosure, access to, and
[[Page 6999]]
use of written records. This section, however, addresses paper, but not
electronic records.
2. Proposed Revisions
SAMHSA is proposing to modernize this section to address both paper
and, in light of the steady increase in the adoption of health IT,
electronic records. Specifically, SAMHSA proposes to revise the heading
by deleting the word ``written'' so that it now reads: Security for
Records. SAMHSA also proposes to clarify that this section requires
both part 2 programs and other lawful holders of patient identifying
information to have in place formal policies and procedures for the
security of both paper and electronic records. These formal policies
and procedures are intended to ensure protection of patient identifying
information when records are exchanged electronically using health IT
as well as when they are exchanged using paper records. The formal
policies and procedures must reasonably protect against unauthorized
uses and disclosures of patient identifying information and protect
against reasonably anticipated threats or hazards to the security of
patient identifying information. The formal policies and procedures
must address, among other things, the sanitization of hard copy and
electronic media, which is addressed in the preamble discussion of
Disposition of Records by Discontinued Programs (Sec. 2.19). Suggested
resources for part 2 programs and other lawful holders developing
formal policies and procedures include materials from the HHS Office
for Civil Rights (e.g., Guidance Regarding Methods for De-
identification of Protected Health Information in Accordance with the
Health Insurance Portability and Accountability Act (HIPAA) Privacy
Rule), and the National Institute of Standards and Technology (NIST)
(e.g., the most current version of the Special Publication 800-88,
Guidelines for Media Sanitization).
The proposed regulations provide further guidance for these
policies and procedures. Finally, we are proposing to replace language
in other sections of the proposed rule with a reference to the policies
and procedures established under Sec. 2.16, where applicable.
F. Disposition of Records by Discontinued Programs (Sec. 2.19)
1. Overview
As with Sec. 2.16, the Disposition of Records by Discontinued
Programs section in the current regulations do not address electronic
records.
2. Proposed Revisions
SAMHSA proposes to modernize this section to address both paper and
electronic records. Specifically, we propose to address the disposition
of both paper and electronic records by discontinued programs, and add
requirements for sanitizing paper and electronic media. By sanitizing
paper or electronic media, we mean to render the data stored on the
media non-retrievable. Sanitizing electronic media is distinctly
different from deleting electronic records and may involve clearing
(using software or hardware products to overwrite media with non-
sensitive data) or purging (degaussing or exposing the media to a
strong magnetic field in order to disrupt the recorded magnetic
domains) the information from the electronic media. If circumstances
warrant the destruction of the electronic media prior to disposal,
destruction methods may include disintegrating, pulverizing, melting,
incinerating, or shredding the media. Because failure to ensure total
destruction of patient identifying information may lead to the
unauthorized disclosure of sensitive information regarding a patient's
substance use disorder history, SAMHSA expects the process of
sanitizing paper (including printer and FAX ribbons, drums, etc.) or
electronic media to be permanent and irreversible, so that there is no
reasonable risk that the information may be recovered. This result is
best achieved by sanitizing the paper or electronic media in a manner
consistent with the most current version of the NIST Special
Publication 800-88, Guidelines for Media Sanitization. SAMHSA also is
proposing to reference the formal security policies and procedures for
both paper and electronic records established under Sec. 2.16.
G. Notice to Patients of Federal Confidentiality Requirements (Sec.
2.22)
1. Overview
Currently, Sec. 2.22 lists the requirements of a notice to
patients of the federal confidentiality requirements, including giving
the patient a summary in writing of the federal law and regulations. As
with other sections in the current regulations, this section requires
that the notice to patients be in writing, but does not address
electronic formats.
2. Proposed Revisions
SAMHSA proposes to continue to require that patients be given a
summary in writing of the federal law and regulations. Consistent with
the Preamble discussion in Terminology Changes in Section III.B.2.c.,
the term ``written'' includes both paper and electronic documentation.
We, therefore, propose to permit the notice to patients to be either on
paper or in an electronic format. SAMHSA also proposes to require the
statement regarding the reporting of violations to include contact
information for the appropriate authorities. The reporting of any
violation of these regulations may be directed to the U.S. Attorney for
the judicial district in which the violation occurs and the report of
any violation of these regulations by an opioid treatment program may
also be directed to the SAMHSA office responsible for opioid treatment
program oversight (see Sec. 2.4 of the proposed rule). SAMHSA is
considering whether to issue guidance at a later date that includes a
sample notice.
Although it is not a proposed requirement, SAMHSA encourages the
part 2 program to be sensitive to the cultural composition of its
patient population when considering whether the notice should also be
provided in a language(s) other than English (e.g., Spanish).
H. Consent Requirements (Sec. 2.31)
1. Overview
SAMHSA has heard a number of concerns from individuals regarding
the current consent requirements of 42 CFR part 2. In particular,
stakeholders expressed concern that the current requirements for
sharing patient records covered by part 2 deter patients from
participating in HIEs, ACOs, CCOs, and similar organizations. While
technical solutions for managing consent collection, such as data
segmentation, are possible, they are not widely incorporated into
existing systems.
2. Proposed Revisions
SAMHSA examined the consent requirements in Sec. 2.31 to explore
options for facilitating the sharing of information within the health
care context while ensuring the patient is fully informed and the
necessary protections are in place. As a result, we propose several
changes to this section. First, we propose to revise the section
heading from ``Form of written consent'' to ``Consent requirements.''
SAMHSA also proposes to make revisions in three sections of the consent
form requirements: The ``To Whom'' section, the ``Amount and Kind''
section, and the ``From Whom'' section. SAMHSA also is proposing to
require a part 2 program or other lawful holder of patient identifying
information to obtain written confirmation from the patient
[[Page 7000]]
that they understand both the terms of their consent and, when using a
general designation in the ``To Whom'' section of the consent form (see
Section III.H.2.a., To Whom, below), that they have the right to
obtain, upon request, a list of entities to which their information has
been disclosed pursuant to the general designation. In addition, SAMHSA
is proposing to permit electronic signatures to the extent that they
are not prohibited by any applicable law. SAMHSA is considering whether
to issue guidance at a later date that includes a sample consent form.
As mentioned in Section III.C.2.a., New Definitions, SAMHSA is
proposing to include a new definition of ``Treating provider
relationship'' in Sec. 2.11. Finally, as a result of these proposed
revisions, we renumbered the subsections accordingly.
a. To Whom
i. Overview
Section 2.31(a)(2) of the current regulations requires that a
consent form include the name or title of the individual or the name of
the organization to which disclosure is to be made as part of the
patient's written consent to the disclosure of their records regulated
by 42 CFR part 2. The intent of the specificity required in the ``To
Whom'' section was for the patient to be able to identify, at the point
of consent, exactly who they are authorizing to receive their
information.
Some stakeholders have reported that the requirement in 42 CFR
2.31(a)(2) for the name of the individual or organization that will be
the recipient of the patient identifying information makes it difficult
to include programs covered by the regulations in organizations that
facilitate the exchange of health information or coordinate care (e.g.,
HIEs, ACOs, and CCOs). These organizations have a large and growing
number of participants and may not have consent management
capabilities. Under the current regulations, if a new participant joins
an HIE, ACO, CCO, or other similar entity after a consent is signed,
and a patient later goes to that new participant for treatment, part 2
would require that the new participant obtain the patient's consent to
receive the patient's information. Because of the reported burdens
associated with the collection of updated consent forms whenever new
participants join one of these organizations, some stakeholders have
indicated that they are currently not including substance use disorder
treatment information in their systems.
ii. Proposed Revisions
SAMHSA is proposing to move the current Sec. 2.31(a)(2), ``To
Whom,'' to Sec. 2.31(a)(4). In the following discussion of the ``To
Whom'' section of the consent form and in the regulatory text, SAMHSA
makes a distinction between individuals and entities who have a
treating provider relationship with the patient and those who do not.
As discussed in Sec. 2.11, SAMHSA proposes to define the term
``Treating provider relationship'' to provide that regardless of
whether there has been an actual in-person encounter, (a) a patient
agrees to be diagnosed, evaluated and/or treated for any condition by
an individual or entity and (b) the individual or entity agrees to
undertake diagnosis, evaluation and/or treatment of the patient, or
consultation with the patient, for any condition.
Based on this definition, SAMHSA considers an entity to have a
treating provider relationship with a patient if the entity employs or
privileges one or more individuals who have a treating provider
relationship with the patient.
SAMHSA is continuing to permit the name(s) of the individual(s) to
whom a disclosure is to be made to be designated in the ``To Whom''
section of the consent form (e.g., Jane Doe, MD; John Doe; or George
Jones, JD). Because SAMHSA also is proposing to allow, in certain
circumstances, a general designation, we propose to eliminate the
current option of designating only a title of an individual (e.g.,
Chief of Pediatrics at Lakeview County Hospital). SAMHSA also proposes
to revise the requirements for designating the name of an entity, as
discussed below.
In the case of an entity that has a treating provider relationship
with the patient whose information is being disclosed, SAMHSA is
proposing to permit the designation of the name of the entity without
requiring any further designations (as is required for an entity that
does not have a treating provider relationship with the patient whose
information is being disclosed, see below). For example, the consent
form could specify any of the following names of entities: Lakeview
County Hospital, ABC Health Care Clinic, or Jane Doe & Associates
Medical Practice.
In the case of an entity that does not have a treating provider
relationship with the patient whose information is being disclosed and
is a third-party payer that requires patient identifying information
for the purpose of reimbursement for services rendered to the patient
by the part 2 program, SAMHSA proposes to permit the designation of the
name of the entity (e.g., Medicare).
In the case of an entity that does not have a treating provider
relationship with the patient whose information is being disclosed and
is not covered by Sec. 2.31(a)(4)(iii) (i.e., the provision regarding
third-party payers), SAMHSA proposes to permit the designation of the
name(s) of the entity(-ies) and at least one of the following: (1) The
name(s) of an individual participant(s); (2) the name(s) of an entity
participant(s) that has a treating provider relationship with the
patient whose information is being disclosed; or (3) a general
designation of an individual or entity participant(s) or a class of
participants that must be limited to those participants who have a
treating provider relationship with the patient whose information is
being disclosed. Examples of an entity without a treating provider
relationship include an entity that facilitates the exchange of health
information (e.g., HIE) or a research institution. The consent form,
therefore, could designate the HIE (an entity that does not have a
treating provider relationship with the patient whose information is
being disclosed) and Drs. Jones and Smith, and County Memorial Hospital
(all participants in the HIE with a treating provider relationship with
that same patient). Likewise, the consent form could designate the HIE
(an entity that does not have a treating provider relationship with the
patient whose information is being disclosed) and ``my treating
providers'' (a general designation of an individual or entity)
participant(s) or a class of individual and/or entity participants with
a treating provider relationship with the patient whose information is
being disclosed).
In the case of a research institution, a ``participant'' could be a
clinical researcher with a treating provider relationship with the
patient whose information is being disclosed, or a general researcher
who does not have a treating provider relationship with the patient
whose information is being disclosed. The clinical researcher could be
included as ``my treating provider'' in a general designation on the
consent form, whereas the general researcher would have to be named on
the consent form. Alternatively, a research institution could obtain
patient identifying information without consent if it meets the
requirements in Sec. 2.52.
If a general designation is used, the entity must have a mechanism
in place to determine whether a treating provider relationship exists
with the patient whose information is being disclosed.
[[Page 7001]]
We encourage innovative solutions to implement this provision. For
example, the HIE in the aforementioned example could have a policy in
place requiring their participating providers to attest to having a
treating provider relationship with the patient. Likewise, the HIE
could provide a patient portal that permits patients to designate
treating providers as members of ``my health care team'' or ``my
treating providers.''
Improving the quality of substance use disorder care depends on
effective collaboration of mental health, substance use disorder,
general health care, and other service providers in coordinating
patient care. However, the composition of a health care team varies
widely among entities. Because SAMHSA wants to ensure that patient
identifying information is only disclosed to those individuals and
entities on the health care team with a need to know this sensitive
information, we are limiting a general designation to those individuals
or entities with a treating provider relationship. Patients may further
designate their treating providers as ``past,'' ``current,'' and/or
``future'' treating providers. In addition, a patient may designate, by
name, one or more individuals on their health care team with whom they
do not have a treating provider relationship.
SAMHSA proposes to balance the flexibility afforded by the general
designation in the ``To Whom'' section by adding a new confidentiality
safeguard: List of Disclosures (Sec. 2.13(d)). The List of Disclosures
provision allows patients who have included a general designation in
the ``To Whom'' section of their consent form to request and be
provided a list of entities to which their information has been
disclosed pursuant to the general designation. In addition, when using
a general designation, a statement must be included on the consent form
noting that, by signing the consent form, the patient confirms their
understanding of the List of Disclosures provision.
Many new integrated care models rely on interoperable health IT and
these proposed changes are expected to support the integration of
substance use disorder treatment into primary and other specialty care,
improving the patient experience, clinical outcomes, and patient safety
while at the same time ensuring patient choice, confidentiality, and
privacy.
The following table provides an overview of the options permitted
when completing the designation in the ``To Whom'' section of the
proposed consent form.
Designating Individuals and Organizations in the ``To Whom'' Section of
the Consent Form
----------------------------------------------------------------------------------------------------------------
Treating
provider
Individual or relationship
42 CFR 2.31 entity to whom with patient Primary designation Additional
disclosure is to whose designation
be made information is
being disclosed
----------------------------------------------------------------------------------------------------------------
(a)(4)(i)..................... Individual...... Yes............. Name of individual(s) None.
(e.g., Jane Doe, MD).
(a)(4)(i)..................... Individual...... No.............. Name of individual(s) None.
(e.g., John Doe).
(a)(4)(ii).................... Entity.......... Yes............. Name of entity (e.g., None.
Lakeview County
Hospital).
(a)(4)(iii)................... Entity.......... No.............. Name of entity that None.
is a third-party
payer as specified
under Sec.
2.31(a)(4)(iii)
(e.g., Medicare).
(a)(4)(iv).................... Entity.......... No.............. Name of entity that At least one of the
is not covered by following:
Sec. 1. The name(s) of an
2.31(a)(4)(iii) individual
(e.g., HIE, or participant(s) (e.g.
research Jane Doe, MD, or
institution). John Doe).
2. The name(s) of an
entity
participant(s) with
a treating provider
relationship with
the patient whose
information is being
disclosed (e.g.,
Lakeview County
Hospital).
3. A general
designation of an
individual or entity
participant(s) or a
class of
participants limited
to those
participants who
have a treating
provider
relationship with
the patient whose
information is being
disclosed (e.g., my
current and future
treating providers).
----------------------------------------------------------------------------------------------------------------
SAMHSA is seeking public comment on an alternative approach to the
proposed required elements for the ``To Whom'' section of the consent
form. The current part 2 required elements for the ``To Whom'' section
of written consent are the name or title of the individual or the name
of the organization to which the disclosure is to be made. The term
``organization'' is not defined in the current regulations, but SAMHSA
has interpreted the term narrowly in guidance to mean that information
can be sent to a lead organization but the information cannot flow from
the lead organization to organization members or participants.
Historically, that meant that all members or participants of an
organization would need to be listed on the consent form and a new
consent form would need to be obtained each time a new provider joined
the organization.
SAMHSA's alternative approach reflects the same policy goal as the
proposed regulation text (i.e., allowing more flexibility in the ``To
Whom'' section of the consent form) while attempting to simplify the
language that would appear on the consent form. This alternative
approach would not change the existing language in the ``To Whom''
section of the consent form.
Under this alternative approach, SAMHSA would add a definition of
``organization'' to Sec. 2.11. Organization would mean, for purposes
of Sec. 2.31, (a) an organization that is a treating provider of the
patient whose
[[Page 7002]]
information is being disclosed; or (b) an organization that is a third-
party payer that requires patient identifying information for the
purpose of reimbursement for services rendered to the patient by a part
2 program; or (c) an organization that is not a treating provider of
the patient whose information is being disclosed but that serves as an
intermediary in implementing the patient's consent by providing patient
identifying information to its members or participants that have a
treating provider relationship, as defined in Sec. 2.11, or as
otherwise specified by the patient.
Paragraph (a) of this definition relies on the definition of
``Treating provider relationship'' as defined in Sec. 2.11. SAMHSA
considers an organization to be a treating provider of a patient if the
organization employs or privileges one or more individuals who have a
treating provider relationship(s) with the ``patient.''
Paragraph (b) of this definition refers to an organization that is
not a treating provider of the patient whose information is being
disclosed but that requires patient identifying information in
connection with its role as a third-party payer for the purpose of
reimbursement for services rendered to the patient (e.g., Medicare).
Paragraph (c) of this definition refers to an organization that is
not a treating provider of the patient whose information is being
disclosed but that serves as an intermediary in implementing the
patient consent. It permits these organizations to further disclose
patient identifying information to its members or participants that
have a treating provider relationship with the patient. It also allows
the patient to specify further instructions for re-disclosure to the
organization's members or participants.
In all instances, patient identifying information should only be
disclosed to those individuals and organizations in accordance with the
purpose stated by the patient on the signed consent form and only to
those individuals with a need to know this sensitive information.
SAMHSA is seeking public comment on the advantages and
disadvantages of this alternative approach as compared to SAMHSA's
proposed approach. If commenters believe the definition of
``organization'' in the alternative approach should be broader, please
include proposals for alternate or additional required elements for the
consent form that facilitate the sharing of information within the
health care context while ensuring the patient is fully informed of the
individuals and organizations that potentially could receive their
patient identifying information and that the necessary protections are
in place.
To consider this alternative approach, SAMHSA would require
resolution of several issues. Therefore, SAMHSA is also seeking public
comment on the following questions:
(1) To allow patients to determine which specific members or
participants are authorized to receive their information from an
organization that serves an intermediary in paragraph (c) of the
proposed organization definition in SAMSHA's alternative approach, what
additional elements would need to be required on the consent form?
(2) How would the List of Disclosures requirement be applied under
a broad definition of organization? Should the requirement be applied
only to paragraph (c) of the proposed organization definition in
SAMHSA's alternative approach or should different safeguards replace or
supplement the List of Disclosures requirement?
b. Amount and Kind
i. Overview
Section 2.31(a)(5) currently requires the consent to include how
much and what kind of information is to be disclosed. Because we are
proposing to allow the ``To Whom'' section of the consent form to
include a general designation under certain circumstances, we want
patients to be aware of the information they are authorizing to
disclose when they sign the consent form.
ii. Proposed Revisions
SAMHSA is proposing to move the current Sec. 2.31(a)(5), ``Amount
and Kind,'' to Sec. 2.31(a)(3) and revise the provision to require the
consent form to explicitly describe the substance use disorder-related
information to be disclosed. The types of information that might be
requested include diagnostic information, medications and dosages, lab
tests, allergies, substance use history summaries, trauma history
summary, employment information, living situation and social supports,
and claims/encounter data. The designation of the ``Amount and Kind''
of information to be disclosed must have sufficient specificity to
allow the disclosing program or other entity to comply with the
request. For example, the description may include: ``medications and
dosages, including substance use disorder-related medications,'' or
``all of my substance use disorder-related claims/encounter data.''
Examples of unacceptable descriptions would be ``all of my records''
(does not address the substance use disorder-related information to be
disclosed) and ``only my substance use disorder records my family knows
about'' (lacks specificity).
c. From Whom
i. Overview
Section 2.31 currently requires the specific name or general
designation of the program or person permitted to make the disclosure.
In 1987, the requirement for the ``From Whom'' section of the consent
form was broadened to the current requirement to permit a patient to
consent to either a disclosure from a category of facilities or from a
single specified program.
ii. Proposed Revisions
SAMHSA is proposing to move the current Sec. 2.31(a)(1), ``From
Whom,'' to Sec. 2.31(a)(2). Because SAMHSA is now allowing, in certain
instances, a general designation in the ``To Whom'' section of the
consent form, we propose to require the ``From Whom'' section of the
consent form to specifically name the part 2 program(s) or other lawful
holder(s) of the patient identifying information permitted to make the
disclosure. This revision would avoid any unintended consequences of
including general designations in both the ``From Whom'' and ``To
Whom'' sections. For example, the patient may be unaware of possible
permutations of combining the two broad designations to which they are
consenting, especially if these designations include future unnamed
treating providers.
d. New Requirements
i. Overview
Currently, the consent requirements do not include any requirement
that the patient confirms their understanding of the information on the
consent form.
ii. Proposed Revisions
As discussed in the proposed revisions to the ``To Whom'' section,
SAMHSA proposes to add two new requirements related to the patient's
signing of the consent form. The first would require the part 2 program
or other lawful holder of patient identifying information to include a
statement on the consent form that the patient understands the terms of
their consent. The second would require the part 2 program or other
lawful holder of patient identifying information to include a statement
on the consent form that the patient understands their right, pursuant
to Sec. 2.13(d), to request and be provided a list of entities to
which their
[[Page 7003]]
information has been disclosed when the patient includes a general
designation on the consent form. In addition, the part 2 program or
other lawful holder of patient identifying information would have to
include a statement on the consent form that the patient confirms their
understanding of the terms of consent and Sec. 2.13(d) by signing the
consent form.
I. Prohibition on Re-disclosure (Sec. 2.32)
1. Overview
There is confusion on the part of some providers as to how much of
a patient's record is subject to 42 CFR part 2, which often leads to a
decision to protect the entire record.
2. Proposed Revisions
SAMHSA proposes to clarify that the prohibition on re-disclosure
provision (Sec. 2.32) only applies to information that would identify,
directly or indirectly, an individual as having been diagnosed,
treated, or referred for treatment for a substance use disorder, such
as indicated through standard medical codes, descriptive language, or
both, and allows other health-related information shared by the part 2
program to be re-disclosed, if permissible under the applicable law.
For example, if an individual receives substance use disorder treatment
from a part 2 program and also receives treatment for a health
condition such as high blood pressure, the individual's record would
include information unrelated to their substance use disorder (i.e.,
high blood pressure). Part 2 does not prohibit re-disclosure of the
information related to the high blood pressure as long as it does not
include information that would identify the individual as having or
having had a substance use disorder.
However, illnesses that are brought about by drug or alcohol abuse
may reveal that a patient has a substance use disorder. For example,
cirrhosis of the liver or pancreatitis could reveal a substance use
disorder. Also, if a prescription for a medication used for substance
use disorder treatment is revealed without further clarification of a
non-substance disorder use (e.g., methadone used for the treatment of
cancer), it would suggest that the individual has a substance use
disorder and also would be prohibited.
If data provenance (the historical record of the data and its
origins) reveals information that would identify, directly or
indirectly, and individual as having or having had a substance use
disorder, the information would be prohibited from being re-disclosed.
For example, if the treatment location is a substance use disorder
treatment clinic, this information would identify an individual as
having had a substance use disorder and is therefore prohibited.
SAMHSA also proposed to clarify that the federal rules restrict any
use of the information to criminally investigate or prosecute any
patient with a substance use disorder, except as provided in Sec.
2.12(c)(5).
J. Disclosures To Prevent Multiple Enrollments (Sec. 2.34)
1. Overview
In the current regulations, special rules are included for
disclosures to prevent multiple enrollments in detoxification and
maintenance treatment programs because these types of disclosure
necessitate some adjustment of the basic written consent procedures in
order to ensure maximum protection for patients. Under Sec. 2.34, the
timing, content, and use of the patient information is strictly limited
in accordance with the purpose of the disclosure.
2. Proposed Revisions
SAMHSA proposes to modernize section Sec. 2.34 by updating
terminology and revising corresponding definitions. SAMHSA also
proposes to consolidate definitions by moving definitions from this
section to Definitions in Sec. 2.11, as discussed in Section III.B.,
Definitions.
K. Medical Emergencies (Sec. 2.51)
1. Overview
SAMHSA is considering aligning the regulatory language with the
statutory language regarding the medical emergency exception of 42 CFR
part 2 (Sec. 2.51). The current regulations state that information may
be disclosed without consent for the purpose of treating a condition
which poses an immediate threat to the health of any individual and
which requires immediate medical intervention. The statute, however,
states that records may be disclosed ``to medical personnel to the
extent necessary to meet a bona fide medical emergency.''
2. Proposed Revisions
SAMHSA proposes to adapt the medical emergency exception to give
providers more discretion to determine when a ``bona fide medical
emergency'' (42 U.S.C. 290dd-2(b)(2)(A)) exists. The proposed language
states that patient identifying information may be disclosed to medical
personnel to the extent necessary to meet a bona fide medical
emergency, in which the patient's prior informed consent cannot be
obtained.
SAMHSA proposes to continue to require the part 2 program to
immediately document, in writing, specific information related to the
medical emergency. Before a part 2 program enters into an affiliation
with an HIE, it should consider whether the HIE has the capability to
comply with all part 2 requirements, including the capacity to
immediately notify the part 2 program when its records have been
disclosed pursuant to a medical emergency. To promote compliance,
SAMHSA recommends that the notification include all the information
that the part 2 program is required to document in the patient's
records (e.g., date and time of disclosure, the nature of the
emergency). Similarly, SAMHSA recommends that the part 2 program
consider whether the HIE has the technology, rules, and procedures to
appropriately protect patient identifying information.
L. Research (Sec. 2.52)
1. Overview
Under the current regulations at Sec. 2.52, only the program
director (part 2 program director) may authorize the disclosure of
patient identifying information for scientific research purposes to
qualified personnel. Part 2 data may be derived from a variety of
sources, including federal or state agencies that administer Medicare,
Medicaid, or Children's Health Insurance Program (CHIP), part 2
programs, or other individuals or entities that have lawfully obtained
the information and may wish to facilitate a sharing of the information
for purposes of scientific research that would ultimately benefit
substance use disorder patients/beneficiaries.
Along with fifteen other federal departments and agencies, HHS has
announced proposed revisions to the regulations for protection of human
subjects in research (Common Rule). An NPRM was published in the
Federal Register on September 8, 2015. In this part 2 NPRM, SAMHSA
proposes certain revisions that are predicated on the current version
of the Common Rule (45 CFR part 46, Protection of Human Subjects,
promulgated in 1991). Although SAMHSA does not anticipate that the
Common Rule provisions referenced in this part 2 NPRM will change
substantially during the Common Rule rulemaking process, should
conflicting policies be created, SAMHSA will take appropriate action
(e.g., issue an NPRM or technical correction).
[[Page 7004]]
2. Proposed Revisions
First, we propose to revise the section heading by deleting the
word ``activities'' (Sec. 2.52, Research). SAMHSA also proposes to
revise the research exception to permit data protected by 42 CFR part 2
to be disclosed to qualified personnel for the purpose of conducting
scientific research by a part 2 program or any other individual or
entity that is in lawful possession of part 2 data (lawful holder of
part 2 data). For example, these lawful holders of part 2 data could
include third-party payers, HIEs, ACOs, and CCOs. Qualified personnel
are those individuals who meet the requirements specified in the
Research provision to receive part 2 data for the purpose of conducting
scientific research. SAMHSA examined the existing regulations that
protect human subjects in research and concluded that, if those
requirements were fulfilled, 42 CFR part 2 would ensure confidentiality
protections consistent with the Congressional intent, while providing
the expanded authority for disclosing patient identifying information.
Under 42 CFR part 2, part 2 programs or other lawful holders of
part 2 data are permitted to disclose patient identifying information
for research with patient consent, or without patient consent under
limited circumstances. SAMHSA is proposing to allow patient identifying
information to be disclosed for purposes of scientific research: (1) If
the researcher is a HIPAA covered entity or business associate and
provides documentation that the researcher obtained research
participants' authorization, or a waiver of research participants'
authorization by an Institutional Review Board (IRB) or privacy board,
for use or disclosure of information about them for research purposes
consistent with the HIPAA Privacy Rule, (45 CFR 164.512(i)); or (2) if
the researcher is subject to just the HHS Common Rule (45 CFR part 46,
subpart A) and provides documentation that the researcher is in
compliance with the requirements of the HHS Common Rule, including
requirements relating to informed consent or a waiver of consent (45
CFR 46.111 and 46.116); or (3) if the researcher is both a HIPAA
covered entity or business associate and subject to the HHS Common
Rule, the researcher has met the requirements of both (1) and (2).
IRBs that are designated by an institution under an assurance of
compliance approved for Federalwide use (referred to as Federalwide
Assurance, or FWA) by HHS Office for Human Research Protections (OHRP)
under Sec. 46.103(a) and that review research involving human subjects
conducted or supported by HHS must be registered with HHS. The FWA is
the assurance from an institution engaging in HHS-conducted or -
supported human subjects research regarding compliance with 45 CFR part
46. An institution must have an FWA to receive HHS support for research
involving human subjects, and the FWA has to designate an IRB
registered with OHRP, whether it is an internal or external IRB.
A privacy board is a review body that may be established to act
upon requests for a waiver or an alteration of the requirement under
the HIPAA Privacy Rule to obtain an individual's authorization for uses
and disclosures of protected health information for a particular
research study. Like an IRB, a privacy board may waive or alter all or
part of the HIPAA authorization requirements for a specified research
project or protocol, provided certain conditions are met as provided in
45 CFR 164.512(i).
Currently, much research involving human subjects operates under
the HHS Common Rule (45 CFR part 46, subpart A). These regulations,
which apply to HHS-conducted or -supported research or to institutions
that have voluntarily extended their FWA to apply to all research
regardless of funding, include protections to help ensure
confidentiality. Under this rule, IRBs determine that, when
appropriate, there are adequate provisions to protect the privacy of
subjects and to maintain the confidentiality of data before approving
the research (45 CFR 46.111(a)(7)). IRBs can therefore address the
requirements under the HIPAA Privacy Rule and the HHS Common Rule,
which contain somewhat similar, but different sets of requirements. The
proposed part 2 rules set out the requirements for a researcher
conducting research with patient identifying information. Compliance
with the HIPAA Privacy Rule and/or federal human subjects research
protections, as set forth in the HHS Common Rule, where they apply, as
well as the specific additional requirements in Sec. 2.52(b) discussed
below, is sufficient to meet the requirements for research disclosures
under part 2.
SAMHSA also is proposing to address data linkages because the
process of linking two or more streams of data opens up new research
opportunities. For example, the practice of requesting data linkages
from other data sources to study the longitudinal effects of treatment
on patients is becoming widespread. SAMHSA is interested in affording
patients protected by 42 CFR part 2 the same opportunity to benefit
from these advanced research protocols while continuing to safeguard
their privacy.
We propose to permit researchers to request to link data sets that
include patient identifying information if: (1) The data linkage uses
data from a federal data repository; and (2) the project, including a
data protection plan, is reviewed and approved by an IRB registered
with OHRP in accordance with 45 CFR part 46. This permissible
disclosure would allow a researcher to disclose patient identifying
information to a federal data repository and permit the federal data
repository to link the patient identifying information to data held by
that repository and return the linked data file back to the researcher.
It would also ensure that patient privacy is considered, that the
disclosure and use of identifiable data is justified, and that the
research protocol includes an appropriate data protection plan. SAMHSA
is proposing to limit the data repositories from which a researcher may
request data for data linkages purposes to federal data repositories
because federal agencies that maintain data repositories have policies
and procedures in place to protect the security and confidentiality of
the patient identifying information that must be submitted by a
researcher in order to link the data sets. For example, in addition to
meeting requirements under the HIPAA Rules and/or the HHS Common Rule,
as applicable, requests for ``research identifiable files'' data from
CMS require a Data Use Agreement and are reviewed by CMS's Privacy
Board. CMS also has internal policies to protect the privacy and
security of data received from the researcher, including the retention
and destruction of that data. In addition, all federal agencies must
comply with directives that protect sensitive data such as Office of
Management and Budget Circular No. A-130, Appendix III--Security of
Federal Automated Information and NIST Federal Information Processing
Standard 200 entitled Minimum Security Requirements for Federal
Information and Information Systems.
SAMHSA is soliciting public input regarding whether to expand the
data linkages provision beyond federal data repositories, what
confidentiality, privacy, and security safeguards are in place for
those non-federal data repositories, and whether those safeguards are
sufficient to protect the security and confidentiality of the patient
identifying information.
We invite stakeholders to provide input and recommendations on the
specific policies, procedures, and other safeguards that non-federal
data
[[Page 7005]]
repositories should have in place including, but not limited to:
1. Data use agreements (e.g., a data use agreement or contract
between the researcher and the data repository with written provisions
to uphold security and confidentiality of the data and provide for
sanctions or penalties for breaches of confidentiality);
2. A review by a privacy board or other regulatory body(-ies);
3. Internal security and privacy protections (both physical and
electronic) for the confidentiality and security of data, including the
retention and destruction of data received for data linkage purposes
(e.g., a requirement to destroy, in a manner to render the data non-
retrievable, all patient identifying information provided by the
researcher for data linkage purposes after performing the match).
4. Security and privacy protections (both physical and electronic)
for receiving and linking data (e.g., a requirement that transmission
of data between the researcher and the data repository must occur
through the use of secure methods and use the most current encryption
technology, such as the most current version of the Advanced Encryption
Standard (NIST Federal Information Processing Standards (FIPS 197)).
5. Internal confidentiality agreements for staff members who have
access to patient identifying information and other confidential data;
6. Laws and regulations governing functions and operations,
including those that address security and privacy;
7. Capability to perform data linkages according to recognized
standards; and
8. Other relevant safeguards.
SAMHSA also is requesting public comment on the following three
sets of questions:
First, should state government, local government, private, and/or
other non-federal data repositories (please address separately) that
meet the criteria above be permitted to conduct data linkages?
Second, are there additional or alternative criteria that should be
included in the list above? Are there specific categories of data
repositories that are already required to provide similar safeguards?
When providing categories of data repositories, please describe the
safeguards that are already in place for those entities.
Third, how could it be ensured that data repositories providing
data linkages are in compliance with criteria or standards concerning
confidentiality, privacy, and security safeguards? Are there any
regulatory or oversight bodies (including non-governmental and
governmental) that currently oversee compliance with criteria or
standards concerning confidentiality, privacy, and security safeguards
of data in non-federal repositories?
A researcher may report findings in aggregate form from patient
information that has been rendered non-identifiable as long as there
are assurances in place that the information cannot be re-identified
and possibly serve as an unauthorized means to identify a patient,
directly or indirectly, as having or having had a substance use
disorder.
SAMHSA is proposing to require any individual or entity conducting
scientific research using patient identifying information to meet
additional requirements to ensure compliance with confidentiality
provisions under part 2. Among these are a provision (Sec. 2.52(b)(1))
that requires researchers to be fully bound by these regulations and,
if necessary, to resist in judicial proceedings any efforts to obtain
access to patient records except as permitted by these regulations.
This requirement means that researchers involved in a judicial
proceeding are only required to disclose patient identifying
information pursuant to a subpoena that is accompanied by a court
order. In addition, we have included a provision (Sec. 2.52(b)(2))
prohibiting researchers from re-disclosing patient identifying
information except back to the individual or entity from whom that
patient identifying information was obtained or as permitted under
Sec. 2.52(b)(4), the data linkages provision. With respect to this re-
disclosure provision, an individual or entity from whom the patient
identifying information was obtained does not refer to patients.
Finally, SAMHSA is proposing to address, in addition to the
maintenance of part 2 data, the retention and disposal of such
information used in research. SAMHSA is proposing to do so by expanding
the provisions in Sec. 2.16, Security for Records and referencing the
policies and procedures established under Sec. 2.16 in this section.
These proposed revisions would allow additional scientific research
to be conducted that would facilitate continual quality improvement of
part 2 programs and the important services they offer. In doing so,
SAMHSA proposes to incorporate existing protections for human subjects
research that are widely accepted.
M. Audit and Evaluation (Sec. 2.53)
1. Overview
Under the current Medicare or Medicaid audit or evaluation section
at Sec. 2.53, an audit or evaluation is limited to a civil
investigation or administrative remedy by any federal, state, or local
agency responsible for oversight of the Medicare or Medicaid program.
It also includes administrative enforcement, against the program by the
agency, or any remedy authorized by law to be imposed as a result of
the findings of the investigation.
2. Proposed Revisions
First, we propose to revise the section heading by deleting the
word ``activities'' (Sec. 2.53, Audit and Evaluation). SAMHSA also
proposes to modernize this section to include provisions for governing
both paper and electronic patient records. In addition, we propose to
revise the requirements for destroying patient identifying information
by citing the expanded Security for Records section (Sec. 2.16).
Furthermore, we propose to update the Medicare or Medicaid audit or
evaluation subsection title to include CHIP and, in subsequent
language, refer to Medicare, Medicaid and CHIP (SAMHSA has always
applied this section to CHIP and is proposing to explicitly refer to it
in the proposed regulation text).
SAMHSA proposes to permit the part 2 program, not just the part 2
program director, to determine who is qualified to conduct an audit or
evaluation of the part 2 program in paragraph (a)(2). SAMHSA also
proposes to permit an audit or evaluation necessary to meet the
requirements of a CMS-regulated ACO or similar CMS-regulated
organization (including a CMS-regulated QE), under certain conditions.
To ensure that patient identifying information is protected, the CMS-
regulated ACO or similar CMS-regulated organization (including a CMS-
regulated QE) that is the subject of, or is conducting, the audit or
evaluation must have a signed Participation Agreement with CMS which
provides that the CMS-regulated ACO or similar CMS-regulated
organization (including a CMS-regulated QE) must comply with all
applicable provisions of 42 U.S.C 290dd-2 and 42 CFR part 2.
IV. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), agencies are
required to provide a 60-day notice in the Federal Register and solicit
public comment before a collection of information requirement is
submitted to the Office of Management and Budget (OMB) for review and
approval. Currently, the information collection is approved under OMB
Control No. 0930-0092. In
[[Page 7006]]
order to fairly evaluate whether changes to an information collection
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires
that we solicit comment on the following issues: (a) Whether the
information collection is necessary and useful to carry out the proper
functions of the agency; (b) The accuracy of the agency's estimate of
the information collection burden; (c) The quality, utility, and
clarity of the information to be collected; and (d) Recommendations to
minimize the information collection burden on the affected public,
including automated collection techniques.
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered in rule making. We explicitly seek, and
will consider, public comment on our assumptions as they relate to the
PRA requirements summarized in this section.
This proposed rule includes changes to information collection
requirements, that is, reporting, recordkeeping or third-party
disclosure requirements, as defined under the PRA (5 CFR part 1320).
Some of the provisions involve changes from the information collections
set out in the previous regulations. Information collection
requirements are: (1) Section 2.13(d)--Disclosure: Requires entities
named on a consent form that disclose patient identifying information
to their participants under the general designation to make a
disclosure, to each patient who requests a list of disclosures, in the
form of a list of entities to which their information has been
disclosed pursuant to the general designation, (2) Section 2.22--
Disclosure: Requires each program to make public disclosure in the form
of communication to each patient that federal law and regulations
protect the confidentiality of each patient and includes a written
summary of the effect of this law and these regulations, (3) Section
2.51--Recordkeeping: This provision requires the program to document a
disclosure of a patient record to authorized medical personnel in a
medical emergency. The regulation is silent on retention period for
keeping these records as this will vary according to state laws. It is
expected that these records will be kept as part of the patients'
health records. Annual burden estimates for these requirements are
summarized in the table below:
Annualized Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual number
of Responses per Total Hours per Total hour Hourly wage Total hour
respondents respondent responses response burden cost cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
Disclosures
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.13 (d)......................... \1\ 19,548 1 19,548 \2\ 4.15 81,124 \3\ $36.9175 $2,994,895
42 CFR 2.22............................. \4\ 12,034 155 \5\ 1,861,693 .20 372,338.6 \6\ 40.26 14,990,352
--------------------------------------------------------------------------------------------------------------------------------------------------------
Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.51............................. 12,034 2 24,068 .167 4,019 \7\ 34.16 137,289
---------------------------------------------------------------------------------------------------------------
Total............................... \8\ 31,582 .............. 1,905,309 .............. 457,482 .............. 18,122,536
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the
total number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests
equal the average of the total number of requests for a 0.1% request rate and a 2% request rate.
\2\ The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3
hours for entities that produce such a list from paper records. Because 90% of entities are estimated to collect the information electronically using
an audit log and 10% are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 x 4 hours) +
(0.1 x 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated time for
providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
\3\ The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of
disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of
disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor
Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071,
31-9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\4\ The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National Survey of Substance Abuse Treatment Services (N-SSATS).
\5\ The average number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS).
\6\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
Classification code (21-1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\7\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
Classification code (43-0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\8\ The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of
disclosures.
As described in greater detail in Section VI., Regulatory Impact
Analysis, the respondents for the collection of information under 42
CFR 2.22 and 2.51 are publicly (federal, state, or local) funded,
assisted, or regulated substance use disorder treatment programs. The
estimate of the number of such programs (respondents) is based on the
results of the 2013 N-SSATS, and the average number of annual total
responses is based on 2010-2012 information on patient admissions
reported to the Treatment Episode Data Set (TEDS), approved under OMB
Control No. 0930-0106 and OMB Control No. 0930-0335.
The respondents for the collection of information under 42 CFR
2.13(d) are entities named on the consent form that disclose
information to their participants pursuant to the general designation.
These entities primarily would be organizations that facilitate the
exchange of health information (e.g., HIEs) or coordinate care (e.g.,
ACOs, CCOs, and patient-centered medical homes (sometimes called health
homes)), but other organizations, such as research institutions, also
may disclose patient identifying information to their participants
(e.g., clinical researchers) pursuant to the general
[[Page 7007]]
designation on the consent form. Because there are no definitive data
sources for this potential range of organizations, we are not
associating requests for a list of disclosures with any particular type
of organization. Consequently, the number of organizations that must
respond to list of disclosures requests is based on the total number of
requests each year.
V. Response to Comments
Because of the large number of public comments, we anticipate
receiving on this Federal Register document, we are not going to be
able to acknowledge or respond to them individually. We will consider
all comments we receive by the date and time specified in the DATES
section of this proposed rule, and, when we proceed with a subsequent
document, we will respond to the comments in the preamble to that
document.
VI. Regulatory Impact Analysis
A. Statement of Need
This proposed rule is necessary to modernize the Confidentiality of
Alcohol and Drug Abuse Patient Records regulations at 42 CFR part 2.
The last substantive update to 42 CFR part 2 was in 1987. The part 2
laws were written out of great concern about the potential use of
substance use disorder treatment information causing individuals with
substance use disorders from seeking needed treatment. Over the last 25
years, significant changes have occurred within the U.S. health care
system that were not envisioned by the current regulations, including
new models of integrated care that are built on a foundation of
information sharing to support coordination of patient care, the
development of an electronic infrastructure for managing and exchanging
patient data, and a new focus on performance measurement within the
health care system. The goal of this proposed rule is to update 42 CFR
part 2, and clarify the requirements associated with information
exchange in these new health care models.
B. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 on Regulatory Planning and Review (September 30, 1993),
Executive Order 13563 on Improving Regulation and Regulatory Review
(January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19,
1980, Pub. L. 96-354), section 1102(b) of the Social Security Act,
section 202 of the Unfunded Mandates Reform Act of 1995 (March 22,
1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4,
1999) and the Congressional Review Act (5 U.S.C. 804(2)). Executive
Orders 12866 and 13563 direct agencies to assess all costs and benefits
of available regulatory alternatives and, if regulation is necessary,
to select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety effects,
distributive impacts, and equity). Section 3(f) of Executive Order
12866 defines a ``significant regulatory action'' as an action that is
likely to result in a rule: (1) Having an annual effect on the economy
of $100 million or more in any 1 year, or adversely and materially
affecting a sector of the economy, productivity, competition, jobs, the
environment, public health or safety, or state, local or tribal
governments or communities (also referred to as ``economically
significant''); (2) creating a serious inconsistency or otherwise
interfering with an action taken or planned by another agency; (3)
materially altering the budgetary impacts of entitlement grants, user
fees, or loan programs or the rights and obligations of recipients
thereof; or (4) raising novel legal or policy issues arising out of
legal mandates, the President's priorities, or the principles set forth
in the Executive Order.
A regulatory impact analysis must be prepared for major rules with
economically significant effects ($100 million or more in any 1 year).
This rule does not reach the economic threshold and thus is not
considered a major rule.
When estimating the total costs associated with changes to the 42
CFR part 2 regulations, we assumed five sets of costs: updates to
health IT systems costs, costs for staff training and updates to
training curriculum, costs to update patient consent forms, costs
associated with providing patients a list of entities to which their
information has been disclosed pursuant to a general designation on the
consent form (i.e., the List of Disclosures requirement), and
implementation costs associated with the List of Disclosure
requirements. We assumed that costs associated with modifications to
existing health IT systems, staff training costs associated with
updating staff training materials, and costs to update consent forms
would be one-time costs the first year the final rule is in effect and
would not carry forward into future years. Staff training costs other
than those associated with updating training materials are assumed to
be ongoing annual costs to part 2 programs, also beginning in the first
year that the final rule is in effect. The List of Disclosures costs
are assumed to be ongoing annual costs to entities named on a consent
form that disclose patient identifying information to their
participants under the general designation. The List of Disclosures
requirement, however, does not go into effect until two years after the
final rule is in effect. Therefore, in years 1 and 2, the costs
associated with the List of Disclosures provision are limited to
implementation costs for entities that chose to upgrade their health IT
systems in order to comply with the List of Disclosure requirements.
We estimate, therefore, that in the first year that the final rule
is in effect, the costs associated with updates to 42 CFR part 2 would
be $74,217,979. In year two, we estimate that costs would be
$47,021,182. In years 3 through 10, we estimate the annual costs would
be $14,835,444. Over the 10-year period of 2015-2024, the total
undiscounted cost of the proposed changes would be $239,922,716 in 2015
dollars. When future costs are discounted at 3 percent or 7 percent per
year, the total costs become approximately $220.9 million or $200.9
million, respectively. These costs are presented in the tables below.
Total Cost of 42 CFR Part 2 Revisions
[2015 dollars]
----------------------------------------------------------------------------------------------------------------
Staff training Consent form List of Health IT
Year costs updates disclosures costs Total costs
(A) (B) (C) (D) (E)
----------------------------------------------------------------------------------------------------------------
2015............................ $14,881,443 $204,786 $10,995,750 $48,136,000 $74,217,979
2016............................ 11,834,782 0 35,186,400 0 47,021,182
2017............................ 11,834,782 0 3,000,662 0 14,835,444
[[Page 7008]]
2018............................ 11,834,782 0 3,000,662 0 14,835,444
2019............................ 11,834,782 0 3,000,662 0 14,835,444
2020............................ 11,834,782 0 3,000,662 0 14,835,444
2021............................ 11,834,782 0 3,000,662 0 14,835,444
2022............................ 11,834,782 0 3,000,662 0 14,835,444
2023............................ 11,834,782 0 3,000,662 0 14,835,444
2024............................ 11,834,782 0 3,000,662 0 14,835,444
-------------------------------------------------------------------------------
Total....................... 121,394,485 204,786 70,187,445 48,136,000 239,922,716
----------------------------------------------------------------------------------------------------------------
Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
[2015 dollars]
----------------------------------------------------------------------------------------------------------------
Total with 3% Total with 7%
Year Total costs annual annual
discounting discounting
(E) (F) (G)
----------------------------------------------------------------------------------------------------------------
2015.............................................. $74,217,979 $74,217,979 $74,217,979
2016.............................................. 47,021,182 45,651,633 43,945,030
2017.............................................. 14,835,444 13,983,829 12,957,852
2018.............................................. 14,835,444 13,576,533 12,110,142
2019.............................................. 14,835,444 13,181,100 11,317,889
2020.............................................. 14,835,444 12,797,185 10,577,467
2021.............................................. 14,835,444 12,424,451 9,885,483
2022.............................................. 14,835,444 12,062,574 9,238,769
2023.............................................. 14,835,444 11,711,237 8,634,364
2024.............................................. 14,835,444 11,370,133 8,069,499
-------------------------------------------------------------
Total......................................... 239,922,716 220,976,654 200,954,473
----------------------------------------------------------------------------------------------------------------
The costs associated with the proposed revisions stem from staff
training and updates to training curriculum, updates to patient consent
forms, compliance with the List of Disclosures requirement (including
implementation costs), and updates to health IT infrastructure for
information exchange. Based on data from the 2013 N-SSATS, we estimate
that 12,034 hospitals, outpatient treatment centers, and residential
treatment facilities are covered by part 2. N-SSATS is an annual survey
of U.S. substance abuse treatment facilities. Data is collected on
facility location, characteristics, and service utilization. Not all
treatment providers included in N-SSATs are believed to be under the
jurisdiction of the part 2 regulations. The 12,034 number is a subset
of the 14,148 substance abuse treatment facilities that responded to
the 2013 N-SSATS, and includes all federally operated facilities,
facilities that reported receiving public funding other than Medicare
and Medicaid, facilities that reported accepting Medicare, Medicaid,
TRICARE, and/or ATR voucher payments, or were SAMHSA-certified Opioid
Treatment Programs. If a facility did not have at least one of these
conditions, it was interpreted not to have received any federal funding
and, therefore, not included in the estimate.
If an independently practicing clinician does not meet the
requirements of paragraph (1) of the definition of Program (an
individual or entity (other than a general medical facility or general
medical practice) who holds itself out as providing and provides
substance use disorder diagnosis, treatment or referral for treatment),
they may be subject to 42 CFR part 2 if they constitute an identified
unit within a general medical facility or general medical practice
which holds itself out as providing, and provides, substance use
disorder diagnosis, treatment, or referral for treatment or if their
primary function in the facility or practice is the provision of such
services and they are identified as providing such services. Due to
data limitations, it was not possible to estimate the costs for
independently practicing providers covered by part 2 that did not
participate in the 2013 N-SSATS. For example, data from ABAM provides
the number of physicians since 2000 who have active ABAM certification.
However, there is no source for the number of physicians who have not
participated in the ABAM certification process. In addition, it is not
possible to determine which ABAM-certified physicians practice in a
general medical setting rather than in a specialty treatment facility
that was already counted in the N-SSATS data.
Several provisions in the draft NPRM reference ``other lawful
holders of patient identifying information'' in combination with part 2
programs. These other lawful holders must comply with part 2
requirements with respect to information they maintain that is covered
by part 2 regulations. However, because this group could encompass a
wide range of organizations, depending on whether they received part 2
data via patient consent or as a result of one of the limited
exceptions to the consent requirement specified in the regulations, we
are unable to include estimates regarding the number and type of these
organizations and are only including part 2 programs in this analysis.
[[Page 7009]]
In addition to the part 2 programs described above, entities named
on a consent form that disclose patient identifying information to
their participants under the general designation must provide patients,
upon request, a list of entities to which their information has been
disclosed pursuant to a general designation. These entities primarily
would include organizations that facilitate the exchange of health
information (e.g., HIEs), and may also include organizations
responsible for care coordination (e.g., ACOs, CCOs, and patient-
centered medical homes (sometimes called health homes)). The most
recent estimates of these types of entities are 67 functional, publicly
funded HIEs and 161 functional, privately funded HIEs in 2013.\1\ As of
January 2015, there were an estimated 744 ACOs covering approximately
23.5 million individuals.\2\ Finally, in 2014, the Accreditation
Association for Ambulatory Health Care, Inc., reported that 7,000
medical practices have been accredited as patient-centered medical
homes.\3\ While these types of organizations were the primary focus of
this provision on the consent form, other types of entities, such as
research institutions, may also disclose patient identifying
information to their participants (e.g., clinical researchers) pursuant
to the general designation on the consent form. Because there are no
definitive data sources for this potential range of organizations, we
are not associating requests for lists of disclosures with any
particular type of organization. We, instead, chose to estimate the
number of organizations that must respond to list of disclosures
requests based on the total number of requests each year.
---------------------------------------------------------------------------
\1\ Trends in Health Information Exchanges (Trends in Health
Information Exchanges) https://innovations.ahrq.gov/perspectives/trends-health-information-exchanges#3.
\2\ Muhlestein, D. (2015). Growth and Dispersion of Accountable
Care Organizations in 2015. Health Affairs Blog, 19.
\3\ Accreditation Association for Ambulatory Health Care. ``The
Medical Home--Avoiding the Rush to Judgment, Growing Model is a
Transformative Process Requiring Perseverance, Patience . . . and
Time, Body of Evidence Illustrating Success is Surging'' White
Paper.
---------------------------------------------------------------------------
1. Direct Costs of Implementing the Proposed Regulations
There is no known baseline estimate of the current costs associated
with 42 CFR part 2 compliance. Instead, SAMHSA estimated these cost
based on a range of published costs associated with HIPAA
implementation and compliance.4 5
---------------------------------------------------------------------------
\4\ Kilbridge, P. (2003). The cost of HIPAA compliance. New
England Journal of Medicine, 348(15), 1423-1477.
\5\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J.,
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs
and patient perceptions of privacy safeguards at Mayo Clinic. Joint
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
---------------------------------------------------------------------------
a. Staff Training
A Standard HIPAA training that meets or exceeds the federal
training requirements is, on average, one hour long.\6\ Therefore, we
also estimated one hour of training per staff to achieve proficiency in
the 42 CFR part 2 regulations. To estimate the labor costs associated
with staff training, we averaged the average hourly costs for
counseling staff in specialty treatment centers ($19.48 \7\), hospital
treatment centers ($21.47 \8\), and solo practice offices ($22.61 \9\).
The resulting blended rate was $21.19 per hour. In order to account for
benefits and overhead costs associated with staff time, we multiplied
the blended hourly rate by two. These estimates are only for training
costs associated with counseling staff, who we assume will have primary
responsibility for executing the functions associated with the NPRM
revisions.
---------------------------------------------------------------------------
\6\ 65 FR 82462, 82770 (Dec. 28, 2000) (Standards for Privacy of
Individually Identifiable Health Information).
\7\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed May 2, 2015]
Outpatient Mental Health and Substance Abuse Centers (NAICS code
621420), Standard Occupations Classification code (211011)
[www.bls.gov/oes/].
\8\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed May 2, 2014]
Psychiatric and Substance Abuse Hospitals (NAICS code 622200),
Standard Occupations Classification code (211011) [www.bls.gov/oes/
].
\9\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed September 23, 2014]
Offices of Mental Health Practitioners (except Physicians) (NAICS
code 621330), Standard Occupations Classification code (211011)
[www.bls.gov/oes/].
---------------------------------------------------------------------------
With regard to training materials, most part 2 programs are assumed
to already have training curricula in place that covers current 42 CFR
part 2 regulations, and, therefore, these facilities would only need to
update existing training materials rather than develop new materials.
The American Hospital Association estimated that the costs for the
development of Privacy and Confidentiality training, which would
include the development of training materials and instructor labor
costs, was $16 per employee training hour in 2000.\10\ Because we
assumed that part 2 programs would be updating rather than developing
training materials, we estimated the cost of training development to be
one-half of the cost of developing new materials, or $8 per employee.
Adjusted for inflation,\11\ training development costs in 2015 would be
$10.91 per employee.
---------------------------------------------------------------------------
\10\ These estimates are not HHS estimates nor are they HHS-
endorsed cost estimates of HIPAA implementation and compliance.
\11\ Calculated using the Consumer Price Index.
---------------------------------------------------------------------------
Using SAMHSA's 2010-2012 TEDS average annual number of treatment
admissions (n=1,861,693) as an estimate of the annual number of
patients at part 2 programs and calculated staffing numbers based on a
range of counseling staff-to-client ratios (i.e., 1 to 10 \12\ and 1 to
5 \13\). Based on these assumptions, staff training costs associated
with part 2 patient consent procedures were projected to range from
$9.9 million to $19.8 million in 2015. We averaged the two estimated
costs for staff training to determine the final overall estimate of
$14,881,443. We assumed the costs associated with updating training
materials will be a one-time cost. Therefore, in subsequent years, we
assumed the costs associated with staff training will be a function of
the blended hourly rate (multiplied by two to account for benefits and
overhead costs) and the estimated number of staff (developed based on
the same two staff-to-client ratios described above multiplied by
estimated patient counts). Staff training costs associated with part 2
revisions are projected to range from $7.9 million to $15.8 million
after 2015. We averaged the two estimated costs for staff training to
determine the final overall estimate of $11,834,782.
---------------------------------------------------------------------------
\12\ North Carolina NC Administrative Code [accessed September
23, 2014]. [https://reports.oah.state.nc.us/ncac/title%2010a%20-%20health%20and%20human%20services/chapter%2013%20-%20nc%20medical%20care%20commission/subchapter%20b/10a%20ncac%2013b%20.5203.pdf.]
\13\ Commonwealth of Pennsylvania--Department of Health Staffing
Requirements for Drug and Alcohol Treatment Activities [accessed
September 23, 2014]. [https://www.pacode.com/secure/data/028/chapter704/s704.12.html.]
---------------------------------------------------------------------------
b. Updates to Consent Forms
Updates to the 42 CFR part 2 regulations will need to be reflected
in patient consent forms. Results from a 2008 study from the Mayo
Clinic Health Care Systems \14\ reported actuarial costs for HIPAA
implementation activities. The reported cost to update
[[Page 7010]]
authorization forms was $0.10 per patient. Adjusted for inflation,
costs associated with updating the patient consent forms in 2015 would
be $0.11 per patient. We used the average number of substance abuse
treatment admissions from SAMHSA's 2010-2012 TEDS as our estimate of
the number of clients treated on an annual basis by part 2 facilities.
The total cost burden associated with updating the consent forms to
reflect to the updated 42 CFR part 2 regulations would be $204,786
(1,861,693 * $0.11).
---------------------------------------------------------------------------
\14\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J.,
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs
and patient perceptions of privacy safeguards at Mayo Clinic. Joint
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
---------------------------------------------------------------------------
c. List of Disclosures Costs
The updated part 2 regulations allow patients who have consented to
disclose their identifying information using a general designation to
request a list of entities to which their information has been
disclosed pursuant to the general designation. Under this proposed
rule, entities named on a consent form that disclose patient
identifying information to their participants under the general
designation would be required to provide a list of disclosures after
receiving a patient request. Under the List of Disclosure requirements,
a patient could make a request, for example, to an organization that
facilitates the exchange of health information (e.g., an HIE) or an
organization responsible for coordinating care (e.g., an ACO) for a
list of disclosures that would include the name of the entity to whom
each disclosure was made, the date of the disclosure, and a brief
description of the patient identifying information disclosed, and
include this information for all entities to whom the patient
identifying information has been disclosed pursuant to the general
designation in the past two years.
For purposes of this analysis, we assumed that entities disclosing
patient identifying information to their participants pursuant to a
patient's general designation on a consent form are already collecting
the information necessary to comply with the List of Disclosure
requirement, in some form, either electronically or using paper
records. We also assumed that these entities could comply with the List
of Disclosures requirement by either collecting this information
electronically by using audit logs to obtain the required information
or by keeping a paper record. However, to address possible concerns
about technical feasibility and other implementation issues, SAMHSA is
proposing that the List of Disclosures requirement become effective two
years after the effective date of the final rule to allow entities
collecting this information time to review their operations and
business processes and to decide whether technological solutions are
needed to enable them to more efficiently comply with the requirement.
In order to make preliminary estimates of the implementation costs,
we first estimated the number of potentially impacted entities based on
the anticipated number of patient requests for a disclosure report in a
calendar year. We used the average number of substance abuse treatment
admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as the number
of patients treated annually by part 2 programs. We then used the
average of a 0.1 and 2 percent patient request rate as our estimate of
the number of impacted entities (n = 19,548).
From there, we assumed ten percent of the impacted entities would
use paper records to comply with the disclosure reporting requirements
(n = 1,995) and would have minimal implementation costs in years 1 and
2. Among the remaining entities, many may be able to comply with the
disclosure reporting requirements without developing or implementing
new technologies. For entities that do choose to either update their
existing capabilities or develop and implement new technologies to
facilitate compliance, we assumed two sets of costs: (1) Planning and
policy development costs in year 1 and (2) system update costs in year
2.
Absent any data on the number of facilities that would require new
technology or the type of technology to be implemented, we assumed that
twenty-five percent (n = 4,398) of the remaining entities would choose
to upgrade their existing health IT systems. The actual system upgrade
costs will vary considerably based on the type of upgrades that are
required. Some entities may only require minor system updates to
streamline the reporting requirements, while others may choose to
implement an entirely new system. Given these data limitations, we
assumed an average, per-entity cost, of $2,500 for planning development
costs in year 1 and an average, per-entity cost, of $8,000 for system
upgrades in year 2. The implementation costs for List of Disclosure
reporting compliance across are estimated to be $10,995,750 in year 1
(4,398 * $2,500) and $35,186,400 (4,398 * $8,000) in year 2.
Once the disclosure reporting requirements go into effect, we
assumed that the majority of the costs associated with the List of
Disclosures requirement would primarily come from staff time needed to
prepare a list of disclosures upon a patient's request. We also assumed
that the information would need to be converted to a format that is
accessible to patients.
For those entities with a health IT system, we expected that
disclosure information would be available in the system's audit log. We
also assumed that, unless the audit log has some sort of electronic
filtering system, it would contain information above and beyond the
requirements for complying with a request for a list of disclosures. We
have also assumed that the staff accessing and filtering an audit log
to compile the information for lists of disclosures would be health
information technicians. The average hourly rate for health information
technicians is $18.68 an hour.\15\ In order to account for benefits and
overhead costs associated with staff time, we multiplied the hourly
wage rate by two. Absent any existing information on the amount of time
associated with producing a list of disclosures from an audit log, we
assumed it would take a health information technician half a day (or
four hours) on average, to produce the list from an audit log.
---------------------------------------------------------------------------
\15\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed June 3, 2015],
Standard Occupations Classification code (29-2071) [www.bls.gov/oes/
].
---------------------------------------------------------------------------
For entities using paper records to track disclosures, we expected
that a staff member would need to gather and aggregate the requested
list of disclosures from paper records. We assumed medical record
technicians would be the staff with the primary responsibility for
compiling the information for a list of disclosures. The average hourly
rate for medical record technicians is $18.68 an hour.\16\ In order to
account for benefits and overhead costs associated with staff time, we
multiplied the hourly wage rate by two. Absent any existing information
on the amount of time associated with producing a list of disclosures
from paper records, we assumed it would take a medical record
technician three hours, on average, to produce the list from paper
records.\17\
---------------------------------------------------------------------------
\16\ IBID.
\17\ For facilities that maintain paper records, consent forms
would indicate who has been given access to the record. By contrast,
our understanding of health IT audit logs is that they include a
record of all instances in which a record has been accessed. The
audit log will include a record of who accessed the system, the date
the record was accessed, and what operations were performed. The
audit logs, therefore, will include considerably more data than what
we would anticipate finding in paper records. Unless the audit log
has an electronic filtering system, we are assuming that a health
information technician will need to manually review all records in
an audit log in order to compile the necessary information for a
list of disclosures.
---------------------------------------------------------------------------
[[Page 7011]]
The number of requests for a list of disclosures will determine the
overall burden associated with the List of Disclosures reporting
requirements. However, because this is a new requirement, there were no
data on which to base an estimated number of requests per year. We
expect that the rate of requests will be relatively low. We therefore
calculated the total costs for two rates, 0.1 percent and 2 percent of
patients per year.
We used the average number of substance abuse treatment admissions
from SAMHSA's 2010-2012 TEDS as the number of patients treated annually
by part 2 programs. Assuming that 10 percent of patients making
requests (n = 186.17 to n = 3,723.39) would request a list of
disclosures from entities that track disclosures through paper records
and 90 percent of patients making requests (n = 1,675.52 to n =
33,510.47) would make such a request of entities that track disclosures
through health IT audit logs, the estimated costs to develop lists of
disclosures range from $20,865.86 to $417,317.10 for entities using
paper records, and $250,390.26 to $5,007,805.23 for entities using
audit logs. (These ranges reflect the costs based on the two estimated
patient rates of request referenced above (i.e., 0.1 percent and 2
percent of patients per year)).
Once a list of disclosures has been produced, it can be returned to
the patient either by email or mail. Since the method of sending the
list of disclosures depends on patient preference, we assumed that 50
percent of the lists of disclosures would be sent by email and 50
percent by first-class mail. We assumed that mailing and supply costs
related to list of disclosures notifications were $0.10 supply cost per
notification and $0.49 postage cost per mailing. We also estimated that
it would take an administrative staff member 15 minutes to prepare each
list of disclosures for mailing and/or transmitting, and that staff
preparing the letters earn $15.01 \18\ per hour. In order to account
for benefits and overhead costs associated with staff time, we
multiplied the hourly wage rate by two. The estimated costs for list of
disclosures notifications range from $7,535.20 to $150,704.05 for
notifications sent by first-class mail, and $6,986 to $139,720.06 for
notifications sent by email.
---------------------------------------------------------------------------
\18\ Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed June 3, 2015],
Standard Occupations Classification code (31-9092) [www.bls.gov/oes/
].
---------------------------------------------------------------------------
To produce the final overall cost estimate, we took the average of
the minimum and maximum estimated costs to develop lists of disclosures
by entities collecting the information electronically by using an audit
log, and the average of the minimum and maximum estimated costs to
develop lists of disclosures by entities using paper records. We then
added the averages together to produce our estimate of the total cost
to entities to develop lists of disclosures. Next we took the average
of the minimum and maximum estimated costs for list of disclosures
notifications sent via email and the minimum and maximum estimated
costs for such notifications sent via first-class mail. We then added
these two averages together to produce our estimate of the total cost
to entities for list of disclosures notifications. Finally, the
development and notification costs for these lists of disclosures were
added together for the final estimate of costs associated with
complying with List of Disclosure reporting requirements. The total
cost for List of Disclosure reporting compliance across all entities
was $3,000,661.88 in 2015 dollars. Complying with List of Disclosure
requirements is assumed to be an ongoing, annual activity. Across the
ten-year period, the total costs associated with the List of Disclosure
reporting includes $10,995,750 in year 1, $35,186,400 in year 2, and
$3,000,662 annually in years 3-10 for a total cost of $70,187,445
across the ten-year period.
Total Disclosure Reporting Costs in 2015
----------------------------------------------------------------------------------------------------------------
Minimum Maximum Average
estimated cost estimated cost estimated cost
----------------------------------------------------------------------------------------------------------------
Facilities with a Health IT System.............................. $250,390 $5,007,805 $2,629,098
Facilities without a Health IT System........................... 20,865 417,317 219,091
-----------------------------------------------
Total Costs................................................. .............. .............. 2,848,189
Average Number of Facilities.................................... .............. .............. 19,548
----------------------------------------------------------------------------------------------------------------
Total Disclosure Notification Costs in 2015
----------------------------------------------------------------------------------------------------------------
Minimum Maximum Average
estimated cost estimated cost estimated cost
----------------------------------------------------------------------------------------------------------------
Email Notification.............................................. $6,986 $139,720 $73,353
First Class Mail Notification................................... 7,535 150,704 79,120
-----------------------------------------------
Total Costs................................................. .............. .............. 152,473
----------------------------------------------------------------------------------------------------------------
d. IT Updates
SAMHSA, in collaboration with ONC and Federal and community
stakeholders, has developed Consent2Share which is an open source tool
for consent management and data segmentation that is designed to
integrate with existing EHR and HIE systems. The Consent2Share
architecture has a front-end, patient facing system known as Patient
Consent Management and a backend control system known as Access Control
Services. Communications with EHR vendors indicate that the cost to
facilities of purchasing and installing additional functionality to
existing electronic medical records applications, such as
Consent2Share, typically range from $2,500 to $5,000. Because the add-
on systems for part 2 programs may be more complex than standard
patient monitoring systems, we estimate that the cost of adding the new
functionality would be approximately $8,000 per facility. We also
assumed that this
[[Page 7012]]
would be a one-time expense, rather than a recurring cost, for each
provider.
Furthermore, national estimates indicated that no more than 50
percent of substance use disorder treatment facilities have an
operational ``computerized administrative information system.'' \19\
We, therefore, estimated that only half of the 12,034 part 2 programs
(i.e., 6,017 facilities) would have operational health IT systems that
would require modifications to account for the changes to 42 CFR part
2. With 6,017 part 2 programs with operational information systems, we
estimated that each facility would need to spend $8,000 to modify their
health IT system, which would lead to a total burden for updating
health IT systems of $48,136,000. Updating health IT systems would be a
one-time cost, and maintenance costs should be part of general health
IT maintenance costs in later years. The proposed rules do not require
that part 2 programs adopt health IT systems so there are no health IT
costs associated with the estimated 50 percent of substance use
disorder treatment facilities that continue to use paper records.
---------------------------------------------------------------------------
\19\ McLellan, AT, Kathleen Meyers, K, Contemporary addiction
treatment: A review of systems problems for adults and adolescents,
Biological Psychiatry, Volume 56, Issue 10, 15 November 2004, Pages
764-770, ISSN 0006-3223, https://dx.doi.org/10.1016/j.biopsych.2004.06.018.
---------------------------------------------------------------------------
The RFA requires agencies to analyze options for regulatory relief
of small entities. For purposes of the RFA, small entities include
small businesses, nonprofit organizations, and small governmental
jurisdictions. Most hospitals and most other providers are small
entities, either by nonprofit status or by having revenues of less than
$7.5 million to $38.5 million in any 1 year. Individuals and states are
not included in the definition of a small entity. We are not preparing
an analysis for the RFA because we have determined, and the Secretary
certifies, that this proposed rule would not have a significant
economic impact on a substantial number of small entities. While the
changes in the regulations would apply to all part 2 programs, the
impact on these entities would be quite small. Specifically, as
described in the Overall Impact section, the cost to part 2 programs
associated with updates to 42 CFR part 2 in the first year that the
final rule is in effect would be $74,217,979, a figure that, due to a
number of one-time updates, is the highest for any of the 10 years
estimated. The per-entity economic impact in the first year would be
approximately $6,167 ($74,217,979 / 12,034), a figure that is unlikely
to represent 3% of revenues for 5% of impacted small entities.
Consequently, it has been determined that the proposed regulations
would not have a significant economic impact on small entities.
In addition, section 1102(b) of the Act requires us to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of section 603 of the RFA. For
purposes of section 1102(b) of the Act, we define a small rural
hospital as a hospital that is located outside of a Metropolitan
Statistical Area for Medicare payment regulations and has fewer than
100 beds. We are not preparing an analysis for section 1102(b) of the
Act because we have determined, and the Secretary certifies, that this
proposed rule would not have a significant impact on the operations of
a substantial number of small rural hospitals.
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any 1 year of $100
million in 1995 dollars, updated annually for inflation. In 2014, that
threshold is approximately $141 million. This rule would have no
consequential effect on state, local, or tribal governments or on the
private sector.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on state
and local governments, preempts state law, or otherwise has Federalism
implications. Since this rule does not impose any costs on state or
local governments, the requirements of Executive Order 13132 are not
applicable.
SAMHSA is proposing to modernize 42 CFR part 2. With respect to our
proposal to revise the regulations, we do not believe that this
proposal would have a significant impact as it gives more flexibility
to individuals and entities covered by 42 CFR part 2 but also adds
privacy protections within the consent requirements for the patient. We
are making this proposal in response to concerns that 42 CFR part 2 is
outdated and burdensome.
Executive Order 13132 on Federalism (August 4, 1999) establishes
certain requirements that an agency must meet when it promulgates a
proposed rule (and subsequent final rule) that imposes substantial
direct requirement costs on state and local governments, preempts state
law, or otherwise has Federalism implications. We have reviewed this
proposed rule under the threshold criteria of Executive Order 13132,
Federalism, and have determined that it would not have substantial
direct effects on the rights, roles, and responsibilities of states,
local or tribal governments.
C. Conclusion
SAMHSA is proposing to modernize 42 CFR part 2. With respect to our
proposal to revise the regulations, we do not believe that this
proposal would have a significant impact as it gives more flexibility
to individuals and entities covered by 42 CFR part 2 but also increases
privacy protections within the consent requirements and adds an
additional confidentiality safeguard for patients. This proposed rule
does not reach the economic threshold for requiring a regulatory impact
by Executive Orders 12866 and 13563 and thus is not considered a major
rule. Likewise, we are not preparing an analysis for the RFA because we
have determined, and the Secretary certifies, that this proposed rule
would not have a significant economic impact on a substantial number of
small entities. We are not preparing an analysis for section 1102(b) of
the RFA because we have determined, and the Secretary certifies, that
this proposed rule would not have a significant impact on the
operations of a substantial number of small rural hospitals. This
proposed rule would have no consequential effect on state, local, or
tribal governments or on the private sector. Since this rule does not
impose any costs on state or local governments, the requirements of
Executive Order 13132 on federalism are not applicable.
We invite public comments on this section and request any
additional data that would help us determine more accurately the impact
on individuals and entities by the proposed rule. In accordance with
the provisions of Executive Order 12866, this rule was reviewed by the
OMB.
List of Subjects in 42 CFR Part 2
Alcohol abuse, Alcoholism, Drug abuse, Grant programs-health,
Health records, Privacy, Reporting, and Recordkeeping requirements.
Regulations Text
For the reasons stated in the preamble of this proposed rule, 42
CFR part 2 is proposed to be revised as follows:
[[Page 7013]]
PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
Subpart A--Introduction
Sec.
2.1 Statutory authority for confidentiality of substance use
disorder patient records.
2.2 Purpose and effect.
2.3 Criminal penalty for violation.
2.4 Reports of violations.
Subpart B--General Provisions
2.11 Definitions.
2.12 Applicability.
2.13 Confidentiality restrictions and safeguards.
2.14 Minor patients.
2.15 Incompetent and deceased patients.
2.16 Security for records.
2.17 Undercover agents and informants.
2.18 Restrictions on the use of identification cards.
2.19 Disposition of records by discontinued programs.
2.20 Relationship to state laws.
2.21 Relationship to federal statutes protecting research subjects
against compulsory disclosure of their identity.
2.22 Notice to patients of federal confidentiality requirements.
2.23 Patient access and restrictions on use.
Subpart C--Disclosures with Patient Consent
2.31 Consent requirements.
2.32 Prohibition on re-disclosure.
2.33 Disclosures permitted with written consent.
2.34 Disclosures to prevent multiple enrollments.
2.35 Disclosures to elements of the criminal justice system which
have referred patients.
Subpart D--Disclosures without Patient Consent
2.51 Medical emergencies.
2.52 Research.
2.53 Audit and evaluation.
Subpart E--Court Orders Authorizing Disclosure and Use
2.61 Legal effect of order.
2.62 Order not applicable to records disclosed without consent to
researchers, auditors and evaluators.
2.63 Confidential communications.
2.64 Procedures and criteria for orders authorizing disclosures for
noncriminal purposes.
2.65 Procedures and criteria for orders authorizing disclosure and
use of records to criminally investigate or prosecute patients.
2.66 Procedures and criteria for orders authorizing disclosure and
use of records to investigate or prosecute a part 2 program or the
person holding the records.
2.67 Orders authorizing the use of undercover agents and informants
to criminally investigate employees or agents of a part 2 program.
Authority: 42 U.S.C. 290dd-2.
Subpart A--Introduction
Sec. 2.1 Statutory authority for confidentiality of substance use
disorder patient records.
Title 42, United States Code, Section 290dd-2(g) authorizes the
Secretary to prescribe regulations. Such regulations may contain such
definitions, and may provide for such safeguards and procedures,
including procedures and criteria for the issuance and scope of orders,
as in the judgment of the Secretary are necessary or proper to
effectuate the purposes of this statute, to prevent circumvention or
evasion thereof, or to facilitate compliance therewith.
Sec. 2.2 Purpose and effect.
(a) Purpose. Under the statutory provisions quoted in Sec. 2.1,
these regulations impose restrictions upon the disclosure and use of
substance abuse patient records which are maintained in connection with
the performance of any part 2 program. The regulations specify in:
(1) Subpart B of this part: General Provisions, including
definitions, applicability, and general restrictions;
(2) Subpart C of this part: Disclosures with Patient Consent,
including disclosures which require patient consent and the consent
form requirements;
(3) Subpart D of this part: Disclosures without Patient Consent,
including disclosures which do not require patient consent or an
authorizing court order; and
(4) Subpart E of this part: Court Orders Authorizing Disclosure and
Use, including disclosures and uses of patient records which may be
made with an authorizing court order and the procedures and criteria
for the entry and scope of those orders.
(b) Effect. (1) These regulations prohibit the disclosure and use
of patient records unless certain circumstances exist. If any
circumstance exists under which disclosure is permitted, that
circumstance acts to remove the prohibition on disclosure but it does
not compel disclosure. Thus, the regulations do not require disclosure
under any circumstances.
(2) These regulations are not intended to direct the manner in
which substantive functions such as research, treatment, and evaluation
are carried out. They are intended to ensure that a patient receiving
treatment for a substance use disorder in a part 2 program is not made
more vulnerable by reason of the availability of their patient record
than an individual with a substance use disorder who does not seek
treatment.
(3) Because there is a criminal penalty (a fine--see 42 U.S.C.
290dd-2(f) and Sec. 2.3) for violating the regulations, they are to be
construed strictly in favor of the potential violator in the same
manner as a criminal statute (see M. Kraus & Brothers v. United States,
327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)).
Sec. 2.3 Criminal penalty for violation.
Under 42 U.S.C. 290dd-2(f), any person who violates any provision
of that statute or these regulations shall be fined not more than $500
in the case of a first offense, and not more than $5,000 in the case of
each subsequent offense.
Sec. 2.4 Reports of violations.
(a) The report of any violation of these regulations may be
directed to the United States Attorney for the judicial district in
which the violation occurs.
(b) The report of any violation of these regulations by an opioid
treatment program may be directed to the United States Attorney for the
judicial district in which the violation occurs as well as to the
Substance Abuse and Mental Health Services Administration (SAMHSA)
office responsible for opioid treatment program oversight.
Subpart B--General Provisions
Sec. 2.11 Definitions.
For purposes of these regulations:
Central registry means an organization which obtains from two or
more member programs patient identifying information about individuals
applying for withdrawal management or maintenance treatment for the
purpose of avoiding an individual's concurrent enrollment in more than
one treatment program.
Diagnosis means any reference to an individual's substance use
disorder or to a condition which is identified as having been caused by
that substance use disorder which is made for the purpose of treatment
or referral for treatment.
Disclose means to communicate any information identifying a patient
as having or having had a substance use disorder either directly, by
reference to publicly available information, or through verification of
such identification by another person.
Federally assisted-- see Sec. 2.12(b).
Informant means an individual:
(1) Who is a patient or employee of a part 2 program or who becomes
a patient or employee of a part 2 program at the request of a law
enforcement agency or official; and
(2) Who at the request of a law enforcement agency or official
observes
[[Page 7014]]
one or more patients or employees of the part 2 program for the purpose
of reporting the information obtained to the law enforcement agency or
official.
Maintenance treatment means pharmacotherapy for individuals with
substance use disorders which reduces the pathological pursuit of
reward and/or relief and supports remission of substance use disorder-
related symptoms.
Member program means a withdrawal management or maintenance
treatment program which reports patient identifying information to a
central registry and which is in the same state as that central
registry or is not more than 125 miles from any border of the state in
which the central registry is located.
Minor, as used in these regulations, means an individual who has
not attained the age of majority specified in the applicable state law,
or if no age of majority is specified in the applicable state law, the
age of eighteen years.
Part 2 program means a federally assisted program (federally
assisted as defined in Sec. 2.12(b) and program as defined in this
section). See Sec. 2.12(e)(1) for examples.
Part 2 program director means:
(1) In the case of a part 2 program which is an individual, that
individual.
(2) In the case of a part 2 program which is an entity, the
individual designated as director or managing director, or individual
otherwise vested with authority to act as chief executive officer of
the part 2 program.
Patient means any individual who has applied for or been given
diagnosis, treatment, or referral for treatment for a substance use
disorder at a part 2 program. Patient includes any individual who,
after arrest on a criminal charge, is identified as an individual with
a substance use disorder in order to determine that individual's
eligibility to participate in a part 2 program. This definition
includes both current and former patients.
Patient identifying information means the name, address, social
security number, fingerprints, photograph, or similar information by
which the identity of a patient, as defined in this section, can be
determined with reasonable accuracy either directly or by reference to
other publicly available information. The term does not include a
number assigned to a patient by a part 2 program, if that number does
not consist of, or contain numbers (such as a social security, or
driver's license number) which could be used to identify a patient with
reasonable accuracy from sources external to the part 2 program.
Person means an individual, partnership, corporation, federal,
state or local government agency, or any other legal entity, (also
referred to as individual and/or entity).
Program means:
(1) An individual or entity (other than a general medical facility
or general medical practice) who holds itself out as providing, and
provides, substance use disorder diagnosis, treatment, or referral for
treatment; or
(2) An identified unit within a general medical facility or general
medical practice that holds itself out as providing, and provides,
substance use disorder diagnosis, treatment, or referral for treatment;
or
(3) Medical personnel or other staff in a general medical facility
or general medical practice whose primary function is the provision of
substance use disorder diagnosis, treatment, or referral for treatment
and who are identified as such providers.
Qualified service organization means an individual or entity who:
(1) Provides services to a part 2 program, such as data processing,
bill collecting, dosage preparation, laboratory analyses, or legal,
accounting, population health management, medical staffing, or other
professional services, or services to prevent or treat child abuse or
neglect, including training on nutrition and child care and individual
and group therapy, and
(2) Has entered into a written agreement with a part 2 program
under which that individual or entity:
(i) Acknowledges that in receiving, storing, processing, or
otherwise dealing with any patient records from the part 2 program, it
is fully bound by these regulations; and
(ii) If necessary, will resist in judicial proceedings any efforts
to obtain access to patient identifying information related to
substance use disorder diagnosis, treatment, or referral for treatment
except as permitted by these regulations.
Records means any information, whether recorded or not, received or
acquired by a part 2 program relating to a patient. For the purpose of
these regulations, records include both paper and electronic records.
Substance use disorder means a cluster of cognitive, behavioral,
and physiological symptoms indicating that the individual continues
using the substance despite significant substance-related problems such
as impaired control, social impairment, risky use, and pharmacological
tolerance and withdrawal. For the purposes of these regulations, this
definition does not include tobacco or caffeine use. (Also referred to
as substance abuse.)
Third-party payer means a person who pays, or agrees to pay, for
diagnosis or treatment furnished to a patient on the basis of a
contractual relationship with the patient or a member of their family
or on the basis of the patient's eligibility for federal, state, or
local governmental benefits.
Treating provider relationship means that, regardless of whether
there has been an actual in-person encounter:
(1) A patient agrees to be diagnosed, evaluated and/or treated for
any condition by an individual or entity; and
(2) The individual or entity agrees to undertake diagnosis,
evaluation and/or treatment of the patient, or consultation with the
patient, for any condition.
Treatment means the care of a patient suffering from a substance
use disorder, a condition which is identified as having been caused by
the substance use disorder, or both, in order to reduce or eliminate
the adverse effects upon the patient.
Undercover agent means any federal, state, or local law enforcement
agency or official who enrolls in or becomes an employee of a part 2
program for the purpose of investigating a suspected violation of law
or who pursues that purpose after enrolling or becoming employed for
other purposes.
Withdrawal management means the use of pharmacotherapies to treat
or attenuate the problematic signs and symptoms arising when heavy and/
or prolonged substance use is reduced or discontinued.
Sec. 2.12 Applicability.
(a) General--(1) Restrictions on disclosure. The restrictions on
disclosure in these regulations apply to any information, whether or
not recorded, which:
(i) Would identify a patient as having or having had a substance
use disorder either directly, by reference to publicly available
information, or through verification of such identification by another
person; and
(ii) Is drug abuse information obtained by a federally assisted
drug abuse program after March 20, 1972 (part 2 program), or is alcohol
abuse information obtained by a federally assisted alcohol abuse
program after May 13, 1974 (part 2 program); or if obtained before the
pertinent date, is maintained by a part 2 program after that date as
part of an ongoing treatment episode which extends past that date; for
the purpose of treating a substance use disorder, making a diagnosis
for that
[[Page 7015]]
treatment, or making a referral for that treatment.
(2) Restriction on use. The restriction on use of information to
initiate or substantiate any criminal charges against a patient or to
conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c))
applies to any information, whether or not recorded which is drug abuse
information obtained by a federally assisted drug abuse program after
March 20, 1972 (part 2 program), or is alcohol abuse information
obtained by a federally assisted alcohol abuse program after May 13,
1974 (part 2 program); or if obtained before the pertinent date, is
maintained by a part 2 program after that date as part of an ongoing
treatment episode which extends past that date; for the purpose of
treating a substance use disorder, making a diagnosis for the
treatment, or making a referral for the treatment.
(b) Federal assistance. A program is considered to be federally
assisted if:
(1) It is conducted in whole or in part, whether directly or by
contract or otherwise by any department or agency of the United States
(but see paragraphs (c)(1) and (2) of this section relating to the
Department of Veterans Affairs and the Armed Forces);
(2) It is being carried out under a license, certification,
registration, or other authorization granted by any department or
agency of the United States including but not limited to:
(i) Participating provider in the Medicare program;
(ii) Authorization to conduct maintenance treatment or withdrawal
management; or
(iii) Registration to dispense a substance under the Controlled
Substances Act to the extent the controlled substance is used in the
treatment of substance use disorders;
(3) It is supported by funds provided by any department or agency
of the United States by being:
(i) A recipient of federal financial assistance in any form,
including financial assistance which does not directly pay for the
substance use disorder diagnosis, treatment, or referral for treatment;
or
(ii) Conducted by a state or local government unit which, through
general or special revenue sharing or other forms of assistance,
receives federal funds which could be (but are not necessarily) spent
for the substance use disorder program; or
(4) It is assisted by the Internal Revenue Service of the
Department of the Treasury through the allowance of income tax
deductions for contributions to the program or through the granting of
tax exempt status to the program.
(c) Exceptions--(1) Department of Veterans Affairs. These
regulations do not apply to information on patients receiving substance
use disorder treatment who are maintained in connection with the
Department of Veterans Affairs provisions of hospital care, nursing
home care, domiciliary care, and medical services under Title 38,
U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations
issued under that authority by the Secretary of Veterans Affairs.
(2) Armed Forces. These regulations apply to any information
described in paragraph (a) of this section which was obtained by any
component of the Armed Forces during a period when the patient was
subject to the Uniform Code of Military Justice except:
(i) Any interchange of that information within the Armed Forces;
and
(ii) Any interchange of that information between the Armed Forces
and those components of the Department of Veterans Affairs furnishing
health care to veterans.
(3) Communication within a part 2 program or between a part 2
program and an entity having direct administrative control over that
part 2 program. The restrictions on disclosure in these regulations do
not apply to communications of information between or among personnel
having a need for the information in connection with their duties that
arise out of the provision of diagnosis, treatment, or referral for
treatment of patients with substance use disorders if the
communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an entity that has direct
administrative control over the program.
(4) Qualified service organizations. The restrictions on disclosure
in these regulations do not apply to communications between a part 2
program and a qualified service organization of information needed by
the qualified service organization to provide services to the program.
(5) Crimes on part 2 program premises or against part 2 program
personnel. The restrictions on disclosure and use in these regulations
do not apply to communications from part 2 program personnel to law
enforcement agencies or officials which:
(i) Are directly related to a patient's commission of a crime on
the premises of the part 2 program or against part 2 program personnel
or to a threat to commit such a crime; and
(ii) Are limited to the circumstances of the incident, including
the patient status of the individual committing or threatening to
commit the crime, that individual's name and address, and that
individual's last known whereabouts.
(6) Reports of suspected child abuse and neglect. The restrictions
on disclosure and use in these regulations do not apply to the
reporting under state law of incidents of suspected child abuse and
neglect to the appropriate state or local authorities. However, the
restrictions continue to apply to the original substance use disorder
patient records maintained by the part 2 program including their
disclosure and use for civil or criminal proceedings which may arise
out of the report of suspected child abuse and neglect.
(d) Applicability to recipients of information--(1) Restriction on
use of information. The restriction on the use of any information
subject to these regulations to initiate or substantiate any criminal
charges against a patient or to conduct any criminal investigation of a
patient applies to any person who obtains that information from a part
2 program, regardless of the status of the person obtaining the
information or whether the information was obtained in accordance with
these regulations. This restriction on use bars, among other things,
the introduction of that information as evidence in a criminal
proceeding and any other use of the information to investigate or
prosecute a patient with respect to a suspected crime. Information
obtained by undercover agents or informants (see Sec. 2.17) or through
patient access (see Sec. 2.23) is subject to the restriction on use.
(2) Restrictions on disclosures--(i) Third-party payers,
administrative entities, and others. The restrictions on disclosure in
these regulations apply to:
(A) Third-party payers with regard to records disclosed to them by
part 2 programs;
(B) Entities having direct administrative control over part 2
programs with regard to information that is subject to these
regulations communicated to them by the part 2 program under paragraph
(c)(3) of this section; and
(C) Individuals or entities who receive patient records directly
from a part 2 program or other lawful holder of patient identifying
information and who are notified of the prohibition on re-disclosure in
accordance with Sec. 2.32.
(ii) [Reserved]
(e) Explanation of applicability--(1) Coverage. These regulations
cover any information (including information on referral and intake)
about patients receiving a diagnosis, treatment, or referral for
treatment for a substance use
[[Page 7016]]
disorder obtained by a part 2 program. Coverage includes, but is not
limited to, those treatment or rehabilitation programs, employee
assistance programs, programs within general hospitals, school-based
programs, and private practitioners (other than general medical
practices) who hold themselves out as providing, and provide substance
use disorder diagnosis, treatment, or referral for treatment. However,
these regulations would not apply, for example, to emergency room
personnel who refer a patient to the intensive care unit for an
apparent overdose, unless the primary function of such personnel is the
provision of substance use disorder diagnosis, treatment, or referral
for treatment and they are identified as providing such services or the
emergency room has promoted itself to the community as a provider of
such services.
(2) Federal assistance to program required. If a patient's
substance use disorder diagnosis, treatment, or referral for treatment
is not provided by a part 2 program, that patient's record is not
covered by these regulations. Thus, it is possible for an individual
patient to benefit from federal support and not be covered by the
confidentiality regulations because the program in which the patient is
enrolled is not federally assisted as defined in paragraph (b) of this
section. For example, if a federal court placed an individual in a
private for-profit program and made a payment to the program on behalf
of that individual, that patient's record would not be covered by these
regulations unless the program itself received federal assistance as
defined by paragraph (b) of this section.
(3) Information to which restrictions are applicable. Whether a
restriction is on use or disclosure affects the type of information
which may be available. The restrictions on disclosure apply to any
information which would identify a patient as having or having had a
substance use disorder. The restriction on use of information to bring
criminal charges against a patient for a crime applies to any
information obtained by the part 2 program for the purpose of
diagnosis, treatment, or referral for treatment of patients with
substance use disorders. (Note that restrictions on use and disclosure
apply to recipients of information under paragraph (d) of this
section.)
(4) How type of diagnosis affects coverage. These regulations cover
any record of a diagnosis identifying a patient as having or having had
a substance use disorder which is prepared in connection with the
treatment or referral for treatment of a patient with a substance use
disorder. A diagnosis prepared for the purpose of treatment or referral
for treatment but which is not so used is covered by these regulations.
The following are not covered by these regulations:
(i) Diagnosis which is made solely for the purpose of providing
evidence for use by law enforcement agencies or officials; or
(ii) A diagnosis of drug overdose or alcohol intoxication which
clearly shows that the individual involved does not have a substance
use disorder (e.g., involuntary ingestion of alcohol or drugs or
reaction to a prescribed dosage of one or more drugs).
Sec. 2.13 Confidentiality restrictions and safeguards.
(a) General. The patient records subject to these regulations may
be disclosed or used only as permitted by these regulations and may not
otherwise be disclosed or used in any civil, criminal, administrative,
or legislative proceedings conducted by any federal, state, or local
authority. Any disclosure made under these regulations must be limited
to that information which is necessary to carry out the purpose of the
disclosure.
(b) Unconditional compliance required. The restrictions on
disclosure and use in these regulations apply whether or not the part 2
program or other lawful holder of the patient identifying information
believes that the person seeking the information already has it, has
other means of obtaining it, is a law enforcement agency or official or
other government official, has obtained a subpoena, or asserts any
other justification for a disclosure or use which is not permitted by
these regulations.
(c) Acknowledging the presence of patients: Responding to requests.
(1) The presence of an identified patient in a health care facility or
component of a health care facility which is publicly identified as a
place where only substance use disorder diagnosis, treatment, or
referral for treatment is provided may be acknowledged only if the
patient's written consent is obtained in accordance with subpart C of
this part or if an authorizing court order is entered in accordance
with subpart E of this part. The regulations permit acknowledgement of
the presence of an identified patient in a health care facility or part
of a health care facility if the health care facility is not publicly
identified as only a substance use disorder diagnosis, treatment, or
referral for treatment facility, and if the acknowledgement does not
reveal that the patient has a substance use disorder.
(2) Any answer to a request for a disclosure of patient records
which is not permissible under these regulations must be made in a way
that will not affirmatively reveal that an identified individual has
been, or is being, diagnosed or treated for a substance use disorder.
An inquiring party may be provided a copy of these regulations and
advised that they restrict the disclosure of substance use disorder
patient records, but may not be told affirmatively that the regulations
restrict the disclosure of the records of an identified patient.
(d) List of disclosures. Upon request, patients who have consented
to disclose their patient identifying information using a general
designation pursuant to Sec. 2.31(a)(4)(iv)(C) must be provided a list
of entities to which their information has been disclosed pursuant to
the general designation.
(1) Under this paragraph (d), patient requests:
(i) Must be made in writing; and
(ii) Are limited to disclosures made within the past two years;
(2) Under this paragraph (d), the entity named on the consent form
that discloses information pursuant to a patient's general designation
(the entity without a treating provider relationship that serves as an
intermediary, as described in Sec. 2.31(a)(4)(iv)) must:
(i) Respond in 30 or fewer days of receipt of the written request;
and
(ii) Provide, for each disclosure, the name(s) of the entity(-ies)
to which the disclosure was made, the date of the disclosure, and a
brief description of the patient identifying information disclosed.
Sec. 2.14 Minor patients.
(a) State law not requiring parental consent to treatment. If a
minor patient acting alone has the legal capacity under the applicable
state law to apply for and obtain substance use disorder treatment, any
written consent for disclosure authorized under subpart C of this part
may be given only by the minor patient. This restriction includes, but
is not limited to, any disclosure of patient identifying information to
the parent or guardian of a minor patient for the purpose of obtaining
financial reimbursement. These regulations do not prohibit a part 2
program from refusing to provide treatment until the minor patient
consents to the disclosure necessary to obtain reimbursement, but
refusal to provide treatment may be prohibited under a state or local
law requiring the program to furnish the service irrespective of
ability to pay.
[[Page 7017]]
(b) State law requiring parental consent to treatment. (1) Where
state law requires consent of a parent, guardian, or other individual
for a minor to obtain treatment for a substance use disorder, any
written consent for disclosure authorized under subpart C of this part
must be given by both the minor and their parent, guardian, or other
individual authorized under state law to act in the minor's behalf.
(2) Where state law requires parental consent to treatment, the
fact of a minor's application for treatment may be communicated to the
minor's parent, guardian, or other individual authorized under state
law to act in the minor's behalf only if:
(i) The minor has given written consent to the disclosure in
accordance with subpart C of this part; or
(ii) The minor lacks the capacity to make a rational choice
regarding such consent as judged by the part 2 program director under
paragraph (c) of this section.
(c) Minor applicant for services lacks capacity for rational
choice. Facts relevant to reducing a threat to the life or physical
well-being of the applicant or any other individual may be disclosed to
the parent, guardian, or other individual authorized under state law to
act in the minor's behalf if the part 2 program director judges that:
(1) A minor applicant for services lacks capacity because of
extreme youth or mental or physical condition to make a rational
decision on whether to consent to a disclosure under subpart C of this
part to their parent, guardian, or other individual authorized under
state law to act in the minor's behalf; and
(2) The applicant's situation poses a substantial threat to the
life or physical well-being of the applicant or any other individual
which may be reduced by communicating relevant facts to the minor's
parent, guardian, or other individual authorized under state law to act
in the minor's behalf.
Sec. 2.15 Incompetent and deceased patients.
(a) Incompetent patients other than minors--(1) Adjudication of
incompetence. In the case of a patient who has been adjudicated as
lacking the capacity, for any reason other than insufficient age, to
manage their own affairs, any consent which is required under these
regulations may be given by the guardian or other individual authorized
under state law to act in the patient's behalf.
(2) No adjudication of incompetency. In the case of a patient,
other than a minor or one who has been adjudicated incompetent, that
for any period suffers from a medical condition that prevents knowing
or effective action on their own behalf, the part 2 program director
may exercise the right of the patient to consent to a disclosure under
subpart C of this part for the sole purpose of obtaining payment for
services from a third-party payer.
(b) Deceased patients--(1) Vital statistics. These regulations do
not restrict the disclosure of patient identifying information relating
to the cause of death of a patient under laws requiring the collection
of death or other vital statistics or permitting inquiry into the cause
of death.
(2) Consent by personal representative. Any other disclosure of
information identifying a deceased patient as having a substance use
disorder is subject to these regulations. If a written consent to the
disclosure is required, that consent may be given by an executor,
administrator, or other personal representative appointed under
applicable state law. If there is no such applicable state law
appointment, the consent may be given by the patient's spouse or, if
none, by any responsible member of the patient's family.
Sec. 2.16 Security for records.
(a) The part 2 program or other lawful holder of patient
identifying information must have in place formal policies and
procedures to reasonably protect against unauthorized uses and
disclosures of patient identifying information and to protect against
reasonably anticipated threats or hazards to the security of patient
identifying information. These formal policies and procedures must
address:
(1) Paper records, including:
(i) Transferring and removing such records; and
(ii) Destroying such records, including sanitizing the hard copy
media associated with the paper printouts, to render the patient
identifying information non-retrievable; and
(iii) Maintaining such records in a secure room, locked file
cabinet, safe, or other similar container, or storage facility when not
in use; and
(iv) Using and accessing workstations, secure rooms, locked file
cabinets, safes, or other similar containers, and storage facilities
that use or store such information; and
(v) Rendering patient identifying information non-identifiable in a
manner that creates a very low risk of re-identification (e.g.,
removing direct identifiers).
(2) Electronic records, including:
(i) Copying, downloading, forwarding, transferring, and removing
such records; and
(ii) Destroying such records, including sanitizing the electronic
media on which it was stored, to render the patient identifying
information non-retrievable; and
(iii) Maintaining such records; and
(iv) Using and accessing electronic records or other electronic
media containing patient identifying information; and
(v) Rendering the patient identifying information non-identifiable
in a manner that creates a very low risk of re-identification (e.g.,
removing direct identifiers).
(b) [Reserved]
Sec. 2.17 Undercover agents and informants.
(a) Restrictions on placement. Except as specifically authorized by
a court order granted under Sec. 2.67, no part 2 program may knowingly
employ, or enroll as a patient, any undercover agent or informant.
(b) Restriction on use of information. No information obtained by
an undercover agent or informant, whether or not that undercover agent
or informant is placed in a part 2 program pursuant to an authorizing
court order, may be used to criminally investigate or prosecute any
patient.
Sec. 2.18 Restrictions on the use of identification cards.
No person may require any patient to carry in their immediate
possession while away from the part 2 program premises any card or
other object which would identify the patient as having a substance use
disorder. This section does not prohibit a person from requiring
patients to use or carry cards or other identification objects on the
premises of a part 2 program.
Sec. 2.19 Disposition of records by discontinued programs.
(a) General. If a part 2 program discontinues operations or is
taken over or acquired by another program, it must remove patient
identifying information from its records or destroy its records,
including sanitizing any associated hard copy or electronic media, to
render the patient identifying information non-retrievable in a manner
consistent with the policies and procedures established under Sec.
2.16, unless:
(1) The patient who is the subject of the records gives written
consent (meeting the requirements of Sec. 2.31) to a transfer of the
records to the acquiring program or to any other program designated in
the consent (the manner of obtaining this consent must minimize the
likelihood of a disclosure of patient identifying information to a
third party); or
[[Page 7018]]
(2) There is a legal requirement that the records be kept for a
period specified by law which does not expire until after the
discontinuation or acquisition of the part 2 program.
(b) Special procedure where retention period required by law. If
paragraph (a)(2) of this section applies:
(1) Records, which are paper, must be:
(i) Sealed in envelopes or other containers labeled as follows:
``Records of [insert name of program] required to be maintained under
[insert citation to statute, regulation, court order or other legal
authority requiring that records be kept] until a date not later than
[insert appropriate date]''; and
(A) All hard copy media from which the paper records were produced,
such as printer and facsimile ribbons, drums, etc., must be sanitized
to render the data non-retrievable; and
(B) [Reserved]
(ii) Held under the restrictions of these regulations by a
responsible person who must, as soon as practicable after the end of
the retention period specified on the label, destroy the records and
sanitize any associated hard copy media to render the patient
identifying information non-retrievable in a manner consistent with the
discontinued program's or acquiring program's policies and procedures
established under Sec. 2.16.
(2) Records, which are electronic, must be:
(i) Transferred to a portable electronic device with implemented
encryption to encrypt the data at rest so that there is a low
probability of assigning meaning without the use of a confidential
process or key and implemented access controls for the confidential
process or key; and
(A) All electronic media on which the patient records or patient
identifying information resided prior to being transferred to the
device, including email and other electronic communications, must be
sanitized to render the patient identifying information non-retrievable
in a manner consistent with the discontinued program's or acquiring
program's policies and procedures established under Sec. 2.16; and
(B) The device must be:
(1) Sealed in a container along with any equipment needed to read
or access the information, and labeled as follows: ``Records of [insert
name of program] required to be maintained under [insert citation to
statute, regulation, court order or other legal authority requiring
that records be kept] until a date not later than [insert appropriate
date];'' and
(2) Held under the restrictions of these regulations by a
responsible person who must store the container in a manner that will
protect the information (e.g., climate controlled environment); and
(C) The responsible person must be included on the access control
list and be provided a means for decrypting the data. The responsible
person must store the decryption tools on a device or at a location
separate from the data they are used to encrypt or decrypt; and
(D) As soon as practicable after the end of the retention period
specified on the label, the portable electronic device must be
sanitized to render the patient identifying information non-retrievable
consistent with the policies established under Sec. 2.16.
(ii) [Reserved]
Sec. 2.20 Relationship to state laws.
The statute authorizing these regulations (42 U.S.C. 290dd-2) does
not preempt the field of law which they cover to the exclusion of all
state laws in that field. If a disclosure permitted under these
regulations is prohibited under state law, neither these regulations
nor the authorizing statute may be construed to authorize any violation
of that state law. However, no state law may either authorize or compel
any disclosure prohibited by these regulations.
Sec. 2.21 Relationship to federal statutes protecting research
subjects against compulsory disclosure of their identity.
(a) Research privilege description. There may be concurrent
coverage of patient identifying information by these regulations and by
administrative action taken under section 502(c) of the Controlled
Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21
CFR part 1316); or section 301(d) of the Public Health Service Act (42
U.S.C. 241(d) and the implementing regulations at 42 CFR part 2a).
These research privilege statutes confer on the Secretary of Health and
Human Services and on the Attorney General, respectively, the power to
authorize researchers conducting certain types of research to withhold
from all persons not connected with the research the names and other
identifying information concerning individuals who are the subjects of
the research.
(b) Effect of concurrent coverage. These regulations restrict the
disclosure and use of information about patients, while administrative
action taken under the research privilege statutes and implementing
regulations protects a person engaged in applicable research from being
compelled to disclose any identifying characteristics of the
individuals who are the subjects of that research. The issuance under
subpart E of this part of a court order authorizing a disclosure of
information about a patient does not affect an exercise of authority
under these research privilege statutes.
Sec. 2.22 Notice to patients of federal confidentiality requirements.
(a) Notice required. At the time of admission to a part 2 program
or as soon thereafter as the patient is capable of rational
communication, each part 2 program shall:
(1) Communicate to the patient that federal law and regulations
protect the confidentiality of substance use disorder patient records;
and
(2) Give to the patient a summary in writing of the federal law and
regulations.
(b) Required elements of written summary. The written summary of
the federal law and regulations must include:
(1) A general description of the limited circumstances under which
a part 2 program may acknowledge that an individual is present or
disclose outside the part 2 program information identifying a patient
as having or having had a substance use disorder.
(2) A statement that violation of the federal law and regulations
by a part 2 program is a crime and that suspected violations may be
reported to appropriate authorities consistent with Sec. 2.4, along
with contact information.
(3) A statement that information related to a patient's commission
of a crime on the premises of the part 2 program or against personnel
of the part 2 program is not protected.
(4) A statement that reports of suspected child abuse and neglect
made under state law to appropriate state or local authorities are not
protected.
(5) A citation to the federal law and regulations.
(c) Program options. The part 2 program must devise a notice to
comply with the requirement to provide the patient with a summary in
writing of the federal law and regulations. In this written summary,
the part 2 program also may include information concerning state law
and any of the part 2 program's policies that are not inconsistent with
state and federal law on the subject of confidentiality of substance
use disorder patient records.
Sec. 2.23 Patient access and restrictions on use.
(a) Patient access not prohibited. These regulations do not
prohibit a part 2 program from giving a patient access to their own
records, including the opportunity to inspect and copy any records that
the part 2 program
[[Page 7019]]
maintains about the patient. The part 2 program is not required to
obtain a patient's written consent or other authorization under these
regulations in order to provide such access to the patient.
(b) Restriction on use of information. Information obtained by
patient access to their patient record is subject to the restriction on
use of this information to initiate or substantiate any criminal
charges against the patient or to conduct any criminal investigation of
the patient as provided for under Sec. 2.12(d)(1).
Subpart C--Disclosures With Patient Consent
Sec. 2.31 Consent requirements.
(a) Required elements for written consent. A written consent to a
disclosure under these regulations may be paper or electronic and must
include:
(1) The name of the patient.
(2) The name of the part 2 program(s) or other lawful holder(s) of
the patient identifying information permitted to make the disclosure.
(3) How much and what kind of information is to be disclosed,
including an explicit description of the substance use disorder
information that may be disclosed.
(4)(i) The name(s) of the individual(s) to whom a disclosure is to
be made; or
(ii) If the entity has a treating provider relationship with the
patient whose information is being disclosed, such as a hospital, a
health care clinic, or a private practice, the name of that entity; or
(iii) If the entity does not have a treating provider relationship
with the patient whose information is being disclosed and is a third-
party payer that requires patient identifying information for the
purpose of reimbursement for services rendered to the patient by the
part 2 program, the name of the entity; or
(iv) If the entity does not have a treating provider relationship
with the patient whose information is being disclosed and is not
covered by paragraph (a)(4)(iii) of this section, such as an entity
that facilitates the exchange of health information or a research
institution, the name(s) of the entity(-ies); and
(A) The name(s) of an individual participant(s); or
(B) The name(s) of an entity participant(s) that has a treating
provider relationship with the patient whose information is being
disclosed; or
(C) A general designation of an individual or entity participant(s)
or class of participants that must be limited to a participant(s) who
has a treating provider relationship with the patient whose information
is being disclosed.
(1) When using a general designation, a statement must be included
on the consent form that the patient (or other individual authorized to
sign in lieu of the patient), confirms their understanding that, upon
their request and consistent with this part, they must be provided a
list of entities to which their information has been disclosed pursuant
to the general designation (see Sec. 2.13(d)).
(2) [Reserved]
(5) The purpose of the disclosure.
(6) A statement that the patient (or other individual authorized to
sign in lieu of the patient) confirms their understanding of the terms
of their consent.
(7) A statement that the consent is subject to revocation at any
time except to the extent that the part 2 program or other lawful
holder of patient identifying information that is permitted to make the
disclosure has already acted in reliance on it. Acting in reliance
includes the provision of treatment services in reliance on a valid
consent to disclose information to a third-party payer.
(8) The date, event, or condition upon which the consent will
expire if not revoked before. This date, event, or condition must
ensure that the consent will last no longer than reasonably necessary
to serve the purpose for which it is provided.
(9) The signature of the patient and, when required for a patient
who is a minor, the signature of an individual authorized to give
consent under Sec. 2.14; or, when required for a patient who is
incompetent or deceased, the signature of an individual authorized to
sign under Sec. 2.15. Electronic signatures are permitted to the
extent that they are not prohibited by any applicable law.
(10) The date on which the consent is signed.
(b) Expired, deficient, or false consent. A disclosure may not be
made on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to conform to any of the
requirements set forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through reasonable diligence could be known, by
the individual or entity holding the records to be materially false.
Sec. 2.32 Prohibition on re-disclosure.
(a) Notice to accompany disclosure. Each disclosure made with the
patient's written consent must be accompanied by the following written
statement:
This information has been disclosed to you from records protected by
federal confidentiality rules (42 CFR part 2). The federal rules
prohibit you from making any further disclosure of information in this
record that identifies a patient as having or having had a substance
use disorder either directly, by reference to publicly available
information, or through verification of such identification by another
person unless further disclosure is expressly permitted by the written
consent of the individual whose information is being disclosed or as
otherwise permitted by 42 CFR part 2. A general authorization for the
release of medical or other information is NOT sufficient for this
purpose. The federal rules restrict any use of the information to
criminally investigate or prosecute any patient with a substance use
disorder, except as provided at Sec. 2.12(c)(5).
(b) [Reserved]
Sec. 2.33 Disclosures permitted with written consent.
If a patient consents to a disclosure of their records under Sec.
2.31, a program may disclose those records in accordance with that
consent to any person identified in the consent, except that
disclosures to central registries and in connection with criminal
justice referrals must meet the requirements of Sec. Sec. 2.34 and
2.35, respectively.
Sec. 2.34 Disclosures to prevent multiple enrollments.
(a) Restrictions on disclosure. A part 2 program, as defined in
Sec. 2.11, may disclose patient records to a central registry or to
any withdrawal management or maintenance treatment program not more
than 200 miles away for the purpose of preventing the multiple
enrollment of a patient only if:
(1) The disclosure is made when:
(i) The patient is accepted for treatment;
(ii) The type or dosage of the drug is changed; or
(iii) The treatment is interrupted, resumed or terminated.
(2) The disclosure is limited to:
(i) Patient identifying information;
(ii) Type and dosage of the drug; and
(iii) Relevant dates.
(3) The disclosure is made with the patient's written consent
meeting the requirements of Sec. 2.31, except that:
(i) The consent must list the name and address of each central
registry and each known withdrawal management or maintenance treatment
program to which a disclosure will be made; and
(ii) The consent may authorize a disclosure to any withdrawal
management or maintenance treatment
[[Page 7020]]
program established within 200 miles of the program after the consent
is given without naming any such program.
(b) Use of information limited to prevention of multiple
enrollments. A central registry and any withdrawal management or
maintenance treatment program to which information is disclosed to
prevent multiple enrollments may not re-disclose or use patient
identifying information for any purpose other than the prevention of
multiple enrollments unless authorized by a court order under subpart E
of this part.
(c) Permitted disclosure by a central registry to prevent a
multiple enrollment. When a member program asks a central registry if
an identified patient is enrolled in another member program and the
registry determines that the patient is so enrolled, the registry may
disclose:
(1) The name, address, and telephone number of the member
program(s) in which the patient is already enrolled to the inquiring
member program; and
(2) The name, address, and telephone number of the inquiring member
program to the member program(s) in which the patient is already
enrolled. The member programs may communicate as necessary to verify
that no error has been made and to prevent or eliminate any multiple
enrollments.
(d) Permitted disclosure by a withdrawal management or maintenance
treatment program to prevent a multiple enrollment. A withdrawal
management or maintenance treatment program which has received a
disclosure under this section and has determined that the patient is
already enrolled may communicate as necessary with the program making
the disclosure to verify that no error has been made and to prevent or
eliminate any multiple enrollments.
Sec. 2.35 Disclosures to elements of the criminal justice system
which have referred patients.
(a) A part 2 program may disclose information about a patient to
those individuals within the criminal justice system who have made
participation in the part 2 program a condition of the disposition of
any criminal proceedings against the patient or of the patient's parole
or other release from custody if:
(1) The disclosure is made only to those individuals within the
criminal justice system who have a need for the information in
connection with their duty to monitor the patient's progress (e.g., a
prosecuting attorney who is withholding charges against the patient, a
court granting pretrial or post-trial release, probation or parole
officers responsible for supervision of the patient); and
(2) The patient has signed a written consent meeting the
requirements of Sec. 2.31 (except paragraph (a)(8) which is
inconsistent with the revocation provisions of paragraph (c) of this
section) and the requirements of paragraphs (b) and (c) of this
section.
(b) Duration of consent. The written consent must state the period
during which it remains in effect. This period must be reasonable,
taking into account:
(1) The anticipated length of the treatment;
(2) The type of criminal proceeding involved, the need for the
information in connection with the final disposition of that
proceeding, and when the final disposition will occur; and
(3) Such other factors as the part 2 program, the patient, and the
individual(s) within the criminal justice system who will receive the
disclosure consider pertinent.
(c) Revocation of consent. The written consent must state that it
is revocable upon the passage of a specified amount of time or the
occurrence of a specified, ascertainable event. The time or occurrence
upon which consent becomes revocable may be no later than the final
disposition of the conditional release or other action in connection
with which consent was given.
(d) Restrictions on re-disclosure and use. An individual within the
criminal justice system who receives patient information under this
section may re-disclose and use it only to carry out that individual's
official duties with regard to the patient's conditional release or
other action in connection with which the consent was given.
Subpart D--Disclosures Without Patient Consent
Sec. 2.51 Medical emergencies.
(a) General rule. Under the procedures required by paragraph (c) of
this section, patient identifying information may be disclosed to
medical personnel to the extent necessary to meet a bona fide medical
emergency in which the patient's prior informed consent cannot be
obtained.
(b) Special rule. Patient identifying information may be disclosed
to medical personnel of the Food and Drug Administration (FDA) who
assert a reason to believe that the health of any individual may be
threatened by an error in the manufacture, labeling, or sale of a
product under FDA jurisdiction, and that the information will be used
for the exclusive purpose of notifying patients or their physicians of
potential dangers.
(c) Procedures. Immediately following disclosure, the part 2
program shall document, in writing, the disclosure in the patient's
records, including:
(1) The name of the medical personnel to whom disclosure was made
and their affiliation with any health care facility;
(2) The name of the individual making the disclosure;
(3) The date and time of the disclosure; and
(4) The nature of the emergency (or error, if the report was to
FDA).
Sec. 2.52 Research.
(a) Patient identifying information may be disclosed by the part 2
program or other lawful holder of part 2 data for the purpose of
conducting scientific research if the individual designated as director
or managing director, or individual otherwise vested with authority to
act as chief executive officer or their designee makes a determination
that the recipient of the patient identifying information:
(1) If a Health Insurance Portability and Accountability Act
(HIPAA) covered entity or business associate, has obtained and
documented authorization, or a waiver or alteration of authorization,
consistent with the HIPAA privacy rule at 45 CFR 164.512(i); or
(2) If subject to the HHS regulations regarding the protection of
human subjects (45 CFR part 46), provides documentation that the
researcher is in compliance with the requirements of the HHS
regulations, including the requirements related to informed consent or
a waiver of consent (45 CFR 46.111 and 46.116); or
(3) If both a HIPAA covered entity or business associate and
subject to the HHS regulations regarding the protection of human
subjects, has met the requirements of paragraphs (a)(1) and (2) of this
section; and
(b) Any individual or entity conducting scientific research using
patient identifying information obtained under paragraph (a) of this
section:
(1) Is fully bound by these regulations and, if necessary, will
resist in judicial proceedings any efforts to obtain access to patient
records except as permitted by these regulations.
(2) Must not re-disclose patient identifying information except
back to the individual or entity from whom that patient identifying
information was obtained or as permitted under paragraph (b)(4) of this
section.
(3) May include part 2 data in reports only in aggregate form to
limit the
[[Page 7021]]
potential for the disclosure of patient identities.
(4) That requests linkages to data sets from a federal data
repository(-ies) holding patient identifying information must have the
request reviewed and approved by an Institutional Review Board (IRB)
registered with the Department of Health and Human Services, Office for
Human Research Protections in accordance with 45 CFR part 46 to ensure
that patient privacy is considered and the need for identifiable data
is justified.
(i) Upon request, the researcher may be required to provide
evidence of the IRB approval of the research project that contains the
data linkage component.
(ii) Except as provided in paragraph (b) of this section, a
researcher may not use patient identifying information for data
linkages purposes.
(5) Must maintain and destroy patient identifying information in
accordance with the security policies and procedures established under
Sec. 2.16.
(6) Must retain records in compliance with applicable federal,
state, and local record retention laws.
Sec. 2.53 Audit and evaluation.
(a) Records not copied or removed. If patient records are not
downloaded, copied or removed from the part 2 program premises or
forwarded electronically to another electronic system or device,
patient identifying information, as defined in Sec. 2.11, may be
disclosed in the course of a review of records on the part 2 program
premises to any individual or entity who agrees in writing to comply
with the limitations on re-disclosure and use in paragraph (d) of this
section and who:
(1) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local government agency which provides
financial assistance to the part 2 program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who provides financial assistance to
the part 2 program, which is a third-party payer covering patients in
the part 2 program, or which is a quality improvement organization
performing a utilization or quality control review; or
(2) Is determined by the part 2 program to be qualified to conduct
an audit or evaluation of the part 2 program.
(b) Copying, removing, downloading, or forwarding patient records.
Records containing patient identifying information, as defined in Sec.
2.11, may be copied or removed from a part 2 program premises or
downloaded or forwarded to another electronic system or device from the
part 2 program's electronic records by any individual or entity who:
(1) Agrees in writing to:
(i) Maintain and destroy the patient identifying information in a
manner consistent with the policies and procedures established under
Sec. 2.16;
(ii) Retain records in compliance with applicable federal, state,
and local record retention laws; and
(iii) Comply with the limitations on disclosure and use in
paragraph (d) of this section; and
(2) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local government agency which provides
financial assistance to the part 2 program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who provides financial assistance to
the part 2 program, which is a third-party payer covering patients in
the part 2 program, or which is a quality improvement organization
performing a utilization or quality control review.
(c) Medicare, Medicaid, Children's Health Insurance Program (CHIP),
or related audit or evaluation. (1) Patient identifying information, as
defined in Sec. 2.11, may be disclosed under paragraph (c) of this
section to any individual or entity for the purpose of conducting a
Medicare, Medicaid, or CHIP audit or evaluation, including an audit or
evaluation necessary to meet the requirements for a Centers for
Medicare & Medicaid Services (CMS)-regulated accountable care
organization (CMS-regulated ACO) or similar CMS-regulated organization
(including a CMS-regulated Qualified Entity (QE)), if the individual or
entity agrees in writing to comply with the following:
(i) Maintain and destroy the patient identifying information in a
manner consistent with the policies and procedures established under
Sec. 2.16;
(ii) Retain records in compliance with applicable federal, state,
and local record retention laws; and
(iii) Comply with the limitations on disclosure and use in
paragraph (d) of this section.
(2) A Medicare, Medicaid, or CHIP audit or evaluation under this
section includes a civil or administrative investigation of a part 2
program by any federal, state, or local government agency with
oversight responsibilities for Medicare, Medicaid, or CHIP and includes
administrative enforcement, against the part 2 program by the
government agency, of any remedy authorized by law to be imposed as a
result of the findings of the investigation.
(3) An audit or evaluation necessary to meet the requirements for a
CMS-regulated ACO or similar CMS-regulated organization (including a
CMS-regulated QE) must be conducted in accordance with the following:
(i) A CMS-regulated ACO or similar CMS-regulated organization
(including a CMS-regulated QE) must:
(A) Have in place administrative and clinical systems; and
(B) Have in place a leadership and management structure, including
a governing body and chief executive officer with responsibility for
oversight of the organization's management and for ensuring compliance
with and adherence to the terms and conditions of the Participation
Agreement with CMS; and
(ii) A CMS-regulated ACO or similar CMS-regulated organization
(including a CMS-regulated QE) must have a signed Participation
Agreement with CMS, which provides that the CMS-regulated ACO or
similar CMS-regulated organization (including a CMS-regulated QE):
(A) Is subject to periodic evaluations by CMS, or is required by
CMS to evaluate participants in the CMS-regulated ACO or similar CMS-
regulated organization (including a CMS-regulated QE) relative to CMS-
defined or approved quality and/or cost measures;
(B) Must designate an executive who has the authority to legally
bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and
this part and the terms and conditions of the Participation Agreement
in order to receive patient identifying information from CMS;
(C) Agrees to comply with all applicable provisions of 42 U.S.C.
290dd-2 and this part;
(D) Must ensure that any audit or evaluation involving patient
identifying information occurs in a confidential and controlled setting
approved by the designated executive;
(E) Must ensure that any communications or reports or other
documents resulting from an audit or evaluation under this section do
not allow for the direct or indirect identification of a patient as
having or having had a substance use disorder; and
(F) Must establish policies and procedures to protect the
confidentiality of the patient identifying information consistent with
this part, the terms and conditions of the Participation Agreement, and
the requirements set forth in paragraph (c)(1) of this section.
(4) Program, as defined in Sec. 2.11, includes an employee of, or
provider of medical services under the program
[[Page 7022]]
when the employee or provider is the subject of a civil investigation
or administrative remedy, as those terms are used in paragraph (c)(2)
of this section.
(5) If a disclosure to an individual or entity is authorized under
this section for a Medicare, Medicaid, or CHIP audit or evaluation,
including a civil investigation or administrative remedy, as those
terms are used in paragraph (c)(2) of this section, then a quality
improvement organization which obtains the information under paragraph
(a) or (b) of this section may disclose the information to that
individual or entity but only for the purpose of conducting a Medicare,
Medicaid, or CHIP audit or evaluation.
(6) The provisions of this paragraph do not authorize the part 2
program, the federal, state, or local government agency, or any other
individual or entity to disclose or use patient identifying information
obtained during the audit or evaluation for any purposes other than
those necessary to complete the audit or evaluation as specified in
paragraph (c) of this section.
(d) Limitations on disclosure and use. Except as provided in
paragraph (c) of this section, patient identifying information
disclosed under this section may be disclosed only back to the program
from which it was obtained and used only to carry out an audit or
evaluation purpose or to investigate or prosecute criminal or other
activities, as authorized by a court order entered under Sec. 2.66.
Subpart E--Court Orders Authorizing Disclosure and Use
Sec. 2.61 Legal effect of order.
(a) Effect. An order of a court of competent jurisdiction entered
under this subpart is a unique kind of court order. Its only purpose is
to authorize a disclosure or use of patient information which would
otherwise be prohibited by 42 U.S.C. 290dd-2 and these regulations.
Such an order does not compel disclosure. A subpoena or a similar legal
mandate must be issued in order to compel disclosure. This mandate may
be entered at the same time as and accompany an authorizing court order
entered under these regulations.
(b) Examples. (1) A person holding records subject to these
regulations receives a subpoena for those records. The person may not
disclose the records in response to the subpoena unless a court of
competent jurisdiction enters an authorizing order under these
regulations.
(2) An authorizing court order is entered under these regulations,
but the person authorized does not want to make the disclosure. If
there is no subpoena or other compulsory process or a subpoena for the
records has expired or been quashed, that person may refuse to make the
disclosure. Upon the entry of a valid subpoena or other compulsory
process the person authorized to disclose must disclose, unless there
is a valid legal defense to the process other than the confidentiality
restrictions of these regulations.
Sec. 2.62 Order not applicable to records disclosed without consent
to researchers, auditors and evaluators.
A court order under these regulations may not authorize qualified
personnel, who have received patient identifying information without
consent for the purpose of conducting research, audit or evaluation, to
disclose that information or use it to conduct any criminal
investigation or prosecution of a patient. However, a court order under
Sec. 2.66 may authorize disclosure and use of records to investigate
or prosecute qualified personnel holding the records.
Sec. 2.63 Confidential communications.
(a) A court order under these regulations may authorize disclosure
of confidential communications made by a patient to a part 2 program in
the course of diagnosis, treatment, or referral for treatment only if:
(1) The disclosure is necessary to protect against an existing
threat to life or of serious bodily injury, including circumstances
which constitute suspected child abuse and neglect and verbal threats
against third parties;
(2) The disclosure is necessary in connection with investigation or
prosecution of an extremely serious crime, such as one which directly
threatens loss of life or serious bodily injury, including homicide,
rape, kidnapping, armed robbery, assault with a deadly weapon, or child
abuse and neglect; or
(3) The disclosure is in connection with litigation or an
administrative proceeding in which the patient offers testimony or
other evidence pertaining to the content of the confidential
communications.
(b) [Reserved]
Sec. 2.64 Procedures and criteria for orders authorizing disclosures
for noncriminal purposes.
(a) Application. An order authorizing the disclosure of patient
records for purposes other than criminal investigation or prosecution
may be applied for by any person having a legally recognized interest
in the disclosure which is sought. The application may be filed
separately or as part of a pending civil action in which it appears
that the patient records are needed to provide evidence. An application
must use a fictitious name, such as John Doe, to refer to any patient
and may not contain or otherwise disclose any patient identifying
information unless the patient is the applicant or has given a written
consent (meeting the requirements of these regulations) to disclosure
or the court has ordered the record of the proceeding sealed from
public scrutiny.
(b) Notice. The patient and the person holding the records from
whom disclosure is sought must be provided:
(1) Adequate notice in a manner which will not disclose patient
identifying information to other persons; and
(2) An opportunity to file a written response to the application,
or to appear in person, for the limited purpose of providing evidence
on the statutory and regulatory criteria for the issuance of the court
order.
(c) Review of evidence: Conduct of hearing. Any oral argument,
review of evidence, or hearing on the application must be held in the
judge's chambers or in some manner which ensures that patient
identifying information is not disclosed to anyone other than a party
to the proceeding, the patient, or the person holding the record,
unless the patient requests an open hearing in a manner which meets the
written consent requirements of these regulations. The proceeding may
include an examination by the judge of the patient records referred to
in the application.
(d) Criteria for entry of order. An order under this section may be
entered only if the court determines that good cause exists. To make
this determination the court must find that:
(1) Other ways of obtaining the information are not available or
would not be effective; and
(2) The public interest and need for the disclosure outweigh the
potential injury to the patient, the physician-patient relationship and
the treatment services.
(e) Content of order. An order authorizing a disclosure must:
(1) Limit disclosure to those parts of the patient's record which
are essential to fulfill the objective of the order;
(2) Limit disclosure to those persons whose need for information is
the basis for the order; and
(3) Include such other measures as are necessary to limit
disclosure for the protection of the patient, the physician-
[[Page 7023]]
patient relationship and the treatment services; for example, sealing
from public scrutiny the record of any proceeding for which disclosure
of a patient's record has been ordered.
Sec. 2.65 Procedures and criteria for orders authorizing disclosure
and use of records to criminally investigate or prosecute patients.
(a) Application. An order authorizing the disclosure or use of
patient records to criminally investigate or prosecute a patient may be
applied for by the person holding the records or by any law enforcement
or prosecutorial officials who are responsible for conducting
investigative or prosecutorial activities with respect to the
enforcement of criminal laws. The application may be filed separately,
as part of an application for a subpoena or other compulsory process,
or in a pending criminal action. An application must use a fictitious
name such as John Doe, to refer to any patient and may not contain or
otherwise disclose patient identifying information unless the court has
ordered the record of the proceeding sealed from public scrutiny.
(b) Notice and hearing. Unless an order under Sec. 2.66 is sought
with an order under this section, the person holding the records must
be provided
(1) Adequate notice (in a manner which will not disclose patient
identifying information to other persons) of an application by a law
enforcement agency or official;
(2) An opportunity to appear and be heard for the limited purpose
of providing evidence on the statutory and regulatory criteria for the
issuance of the court order; and
(3) An opportunity to be represented by counsel independent of
counsel for an applicant who is a law enforcement agency or official.
(c) Review of evidence: Conduct of hearings. Any oral argument,
review of evidence, or hearing on the application shall be held in the
judge's chambers or in some other manner which ensures that patient
identifying information is not disclosed to anyone other than a party
to the proceedings, the patient, or the person holding the records. The
proceeding may include an examination by the judge of the patient
records referred to in the application.
(d) Criteria. A court may authorize the disclosure and use of
patient records for the purpose of conducting a criminal investigation
or prosecution of a patient only if the court finds that all of the
following criteria are met:
(1) The crime involved is extremely serious, such as one which
causes or directly threatens loss of life or serious bodily injury
including homicide, rape, kidnapping, armed robbery, assault with a
deadly weapon, and child abuse and neglect.
(2) There is a reasonable likelihood that the records will disclose
information of substantial value in the investigation or prosecution.
(3) Other ways of obtaining the information are not available or
would not be effective.
(4) The potential injury to the patient, to the physician-patient
relationship and to the ability of the part 2 program to provide
services to other patients is outweighed by the public interest and the
need for the disclosure.
(5) If the applicant is a law enforcement agency or official that:
(i) The person holding the records has been afforded the
opportunity to be represented by independent counsel; and
(ii) Any person holding the records which is an entity within
federal, state, or local government has in fact been represented by
counsel independent of the applicant.
(e) Content of order. Any order authorizing a disclosure or use of
patient records under this section must:
(1) Limit disclosure and use to those parts of the patient's record
which are essential to fulfill the objective of the order;
(2) Limit disclosure to those law enforcement and prosecutorial
officials who are responsible for, or are conducting, the investigation
or prosecution, and limit their use of the records to investigation and
prosecution of extremely serious crime or suspected crime specified in
the application; and
(3) Include such other measures as are necessary to limit
disclosure and use to the fulfillment of only that public interest and
need found by the court.
Sec. 2.66 Procedures and criteria for orders authorizing disclosure
and use of records to investigate or prosecute a part 2 program or the
person holding the records.
(a) Application. (1) An order authorizing the disclosure or use of
patient records to criminally or administratively investigate or
prosecute a part 2 program or the person holding the records (or
employees or agents of that part 2 program or person holding the
records) may be applied for by any administrative, regulatory,
supervisory, investigative, law enforcement, or prosecutorial agency
having jurisdiction over the program's or person's activities.
(2) The application may be filed separately or as part of a pending
civil or criminal action against a part 2 program or the person holding
the records (or agents or employees of the part 2 program or person
holding the records) in which it appears that the patient records are
needed to provide material evidence. The application must use a
fictitious name, such as John Doe, to refer to any patient and may not
contain or otherwise disclose any patient identifying information
unless the court has ordered the record of the proceeding sealed from
public scrutiny or the patient has provided a written consent (meeting
the requirements of Sec. 2.31) to that disclosure.
(b) Notice not required. An application under this section may, in
the discretion of the court, be granted without notice. Although no
express notice is required to the part 2 program, to the person holding
the records, or to any patient whose records are to be disclosed, upon
implementation of an order so granted any of the above persons must be
afforded an opportunity to seek revocation or amendment of that order,
limited to the presentation of evidence on the statutory and regulatory
criteria for the issuance of the court order.
(c) Requirements for order. An order under this section must be
entered in accordance with, and comply with the requirements of,
paragraphs (d) and (e) of Sec. 2.64.
(d) Limitations on disclosure and use of patient identifying
information. (1) An order entered under this section must require the
deletion of patient identifying information from any documents made
available to the public.
(2) No information obtained under this section may be used to
conduct any investigation or prosecution of a patient, or be used as
the basis for an application for an order under Sec. 2.65.
Sec. 2.67 Orders authorizing the use of undercover agents and
informants to criminally investigate employees or agents of a part 2
program.
(a) Application. A court order authorizing the placement of an
undercover agent or informant in a part 2 program as an employee or
patient may be applied for by any law enforcement or prosecutorial
agency which has reason to believe that employees or agents of the part
2 program are engaged in criminal misconduct.
(b) Notice. The part 2 program director must be given adequate
notice of the application and an opportunity to appear and be heard
(for the limited purpose of providing evidence on the statutory and
regulatory criteria for the issuance of the court order), unless the
application asserts a belief that:
[[Page 7024]]
(1) The part 2 program director is involved in the criminal
activities to be investigated by the undercover agent or informant; or
(2) The part 2 program director will intentionally or
unintentionally disclose the proposed placement of an undercover agent
or informant to the employees or agents who are suspected of criminal
activities.
(c) Criteria. An order under this section may be entered only if
the court determines that good cause exists. To make this determination
the court must find:
(1) There is reason to believe that an employee or agent of the
part 2 program is engaged in criminal activity;
(2) Other ways of obtaining evidence of this criminal activity are
not available or would not be effective; and
(3) The public interest and need for the placement of an undercover
agent or informant in the part 2 program outweigh the potential injury
to patients of the part 2 program, physician-patient relationships and
the treatment services.
(d) Content of order. An order authorizing the placement of an
undercover agent or informant in a part 2 program must:
(1) Specifically authorize the placement of an undercover agent or
an informant;
(2) Limit the total period of the placement to six months;
(3) Prohibit the undercover agent or informant from disclosing any
patient identifying information obtained from the placement except as
necessary to criminally investigate or prosecute employees or agents of
the part 2 program; and
(4) Include any other measures which are appropriate to limit any
potential disruption of the part 2 program by the placement and any
potential for a real or apparent breach of patient confidentiality; for
example, sealing from public scrutiny the record of any proceeding for
which disclosure of a patient's record has been ordered.
(e) Limitation on use of information. No information obtained by an
undercover agent or informant placed in a part 2 program under this
section may be used to criminally investigate or prosecute any patient
or as the basis for an application for an order under Sec. 2.65.
Dated: February 2, 2016.
Kana Enomoto,
Acting Administrator, Substance Abuse and Mental Health Services
Administration.
Approved: February 4, 2016.
Sylvia M. Burwell,
Secretary, Department of Health and Human Services.
[FR Doc. 2016-01841 Filed 2-5-16; 11:15 am]
BILLING CODE 4162-20-P
