Confidentiality of Substance Use Disorder Patient Records, 6052-6127 [2017-00719]
Download as PDF
<![CDATA[
6052
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
42 CFR Part 2
[SAMHSA–4162–20]
RIN 0930–AA21
Confidentiality of Substance Use
Disorder Patient Records
Substance Abuse and Mental
Health Services Administration, HHS.
ACTION: Final rule.
AGENCY:
The Department of Health and
Human Services (HHS) is issuing this
final rule to update and modernize the
Confidentiality of Alcohol and Drug
Abuse Patient Records regulations and
facilitate information exchange within
new health care models while
addressing the legitimate privacy
concerns of patients seeking treatment
for a substance use disorder. These
modifications also help clarify the
regulations and reduce unnecessary
burden.
DATES: Effective date: This final rule is
effective February 17, 2017.
FOR FURTHER INFORMATION CONTACT:
Danielle Tarino, Telephone number:
(240) 276–2857, Email address:
PrivacyRegulations@samhsa.hhs.gov.
SUPPLEMENTARY INFORMATION:
SUMMARY:
mstockstill on DSK3G9T082PROD with RULES6
Preamble Table of Contents
I. Executive Summary
A. Purpose of the Regulatory Action
B. Summary of the Major Provisions
C. Summary of Impacts
II. Background
A. Significant Technology Changes
B. Statutory and Rulemaking History
III. Overview of the Final Rule
IV. Effective Date
V. Discussion of Public Comments and Final
Modifications to 42 CFR part 2
A. General Comments on the Proposed
Rule
1. General Feedback on the Proposed Rule
a. General Support for the Proposed Rule
b. General Opposition to the Proposed Rule
2. The Proposed Rule Did Not Go Far
Enough To Facilitate Information
Exchange
3. Final Rule Should Balance Patient
Protections With Enhanced Information
Exchange
4. Part 2 Should Align With the Health
Insurance Portability and Accountability
Act
B. Statutory Authority (§ 2.1)
C. Reports of Violations (§ 2.4)
D. Definitions (§ 2.11)
1. New Definitions
a. Part 2 Program
b. Part 2 Program Director
c. Substance Use Disorder
d. Treating Provider Relationship
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
e. Withdrawal Management
2. Existing Definitions
a. Central Registry
b. Disclose or Disclosure
c. Maintenance Treatment
d. Member Program
e. Patient
f. Patient Identifying Information
g. Person
h. Program
i. Qualified Service Organization
j. Records
k. Treatment
3. Terminology Changes
4. Other Comments on Definitions
E. Applicability (§ 2.12)
F. Confidentiality Restrictions and
Safeguards (§ 2.13)
1. Delayed Implementation of List of
Disclosures Provision
2. Responsibilities Under the List of
Disclosures Process
3. Technological Challenges and Burden of
the List of Disclosures Provision
4. Recommendations to Further Protect
Patient Privacy
5. Other Comments and Recommendations
on the List of Disclosures Provision
G. Security for Records (§ 2.16)
H. Disposition of Records by Discontinued
Programs (§ 2.19)
I. Notice to Patients of Federal
Confidentiality Requirements (§ 2.22)
J. Consent Requirements (§ 2.31)
1. General Comments on Consent
Requirements
a. General
b. Consent Form Validity Period
c. Technical Challenges to Proposed
Consent Requirements
d. Requests for Exemptions and Exceptions
e. Commenter Recommendations
2. To Whom
a. General
b. Determination of Treating Provider
Relationship
c. Requests for Clarification
d. Commenter Recommendations
e. Proposed Alternative Approach for ‘‘To
Whom’’ Section
3. Amount and Kind
a. General
b. Impact of the Amount and Kind
Requirement on Providers and Patients
c. Required Substance Use Disorder
Information on Consent Forms
d. Requests for Clarification
4. From Whom
5. New Requirements
K. Prohibition on Re-Disclosure (§ 2.32)
1. General
2. Impact of Re-Disclosure Prohibition on
Patient Privacy and Patient Choice
3. Disclosure of Information that May
Indicate a Substance Use Disorder
4. Technical Challenges in Preventing
Unauthorized Re-Disclosure
5. Requests for Clarification of the ReDisclosure Prohibition
6. Recommendations to Improve the
Prohibition on Re-Disclosure
L. Disclosures to Prevent Multiple
Enrollments (§ 2.34)
M. Medical Emergencies (§ 2.51)
1. General
2. Definition of ‘‘Bona Fide Medical
Emergency’’
PO 00000
Frm 00002
Fmt 4701
Sfmt 4700
3. Documentation of Medical Emergency
4. Other Comments on Medical Emergency
N. Research (§ 2.52)
1. General
2. Suggestions for Improvement of the
Research Provisions
3. HIPAA and HHS Common Rule
Requirements
4. Data Linkages
5. Multi-Payer Claims Database
O. Audit and Evaluation (§ 2.53)
P. Other Public Comments on the Proposed
Rule
1. Requests to Extend the Public Comment
Period
2. Rulemaking Process
3. Implementation Timeline and Other
Barriers to Implementation
4. Educational Opportunities
5. Increased Enforcement
6. Other Miscellaneous Comments on the
Proposed Rule
VI. Rulemaking Analyses
A. Paperwork Reduction Act
B. Regulatory Impact Analysis
C. Regulatory Flexibility Act
D. Unfunded Mandates Reform Act
E. Federalism (Executive Order 13132)
Acronyms
ACO Accountable Care Organization
ABAM American Board of Addiction
Medicine
ADAMHA Alcohol, Drug Abuse and Mental
Health Administration
APCD All Payer Claims Database
ARRA American Recovery and
Reinvestment Act of 2009 (Pub. L. 111–5)
ASAM American Society of Addiction
Medicine
ATR Access to Recovery
C-CDA Consolidated-Clinical Document
Architecture
CCD Continuity of Care Document
CCLF Claim and Claim Line Feed
CCO Coordinated Care Organization
CFR Code of Federal Regulations
CHIP Children’s Health Insurance Program
CMS Centers for Medicare & Medicaid
Services
CPCMH Certified Patient-Centered Medical
Home
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
EQRO External Quality Review
Organization
FAQ Frequently Asked Question
FAX Facsimile
FDA Food and Drug Administration
FR Federal Register
HHS Department of Health and Human
Services
HIE Health Information Exchange
HIO Health Information Organization
HIPAA Health Insurance Portability and
Accountability Act of 1996 (Pub. L. 104–
191)
HITECH Health Information Technology for
Economic and Clinical Health Act of 2009
(Pub. L. 111–5, title XIII of division A and
title IV of division B)
HITPC Health Information Technology
Privacy Committee
IG Implementation Guide
IRB Institutional Review Board
IT Information Technology
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
MCO Managed Care Organization
MPCD Multi-Payer Claims Database
NCQA National Committee for Quality
Assurance
NPRM Notice of Proposed Rulemaking
N-SSATS National Survey of Substance
Abuse Treatment Services
OHRP Office for Human Research
Protections
OMB Office of Management and Budget
ONC Office of the National Coordinator for
Health Information Technology
PDMP Prescription Drug Monitoring
Program
PPS Performing Provider System
QE Qualified Entity
QSO Qualified Service Organization
QSOA Qualified Service Organization
Agreement
RFA Regulatory Flexibility Act
RHIO Regional Health Information
Organization
SAMHSA Substance Abuse and Mental
Health Services Administration
SBIRT Screening, Brief Intervention, and
Referrals for Treatment
S&I Standards and Interoperability
TEDS Treatment Episode Data Set
U.S.C. United States Code
USAO United States Attorney’s Office
VA Department of Veterans Affairs
I. Executive Summary
mstockstill on DSK3G9T082PROD with RULES6
A. Purpose of the Regulatory Action
The laws and regulations governing
the confidentiality of substance use
disorder records were written out of
great concern about the potential use of
substance use disorder information
against individuals, causing individuals
with substance use disorders not to seek
needed treatment. The disclosure of
records of individuals with substance
use disorders has the potential to lead
to a host of negative consequences,
including: Loss of employment, loss of
housing, loss of child custody,
discrimination by medical professionals
and insurers, arrest, prosecution, and
incarceration. The purpose of the
regulations at title 42 of the Code of
Federal Regulations (CFR) part 2 (42
CFR part 2) is to ensure that a patient
receiving treatment for a substance use
disorder in a part 2 program is not made
more vulnerable by reason of the
availability of their patient record than
an individual with a substance use
disorder who does not seek treatment.
Now, more than 29 years since the part
2 regulations were last substantively
amended, this final rule makes policy
changes to the regulations to better align
them with advances in the U.S. health
care delivery system while retaining
important privacy protections.
Need for Regulatory Action
The last substantive update to these
regulations was in 1987. Over the last 29
years, significant changes have occurred
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
within the U.S. health care system that
were not envisioned by the current
(1987) regulations, including new
models of integrated care that are built
on a foundation of information sharing
to support coordination of patient care,
the development of an electronic
infrastructure for managing and
exchanging patient information, and a
new focus on performance measurement
within the health care system. SAMHSA
wants to ensure that patients with
substance use disorders have the ability
to participate in, and benefit from health
system delivery improvements,
including from new integrated health
care models while providing
appropriate privacy safeguards. These
new integrated models are foundational
to HHS’s delivery system reform goals of
better care, smarter spending, and
healthier people.
Legal Authority for Regulatory Action
This final rule revises 42 CFR part 2,
Confidentiality of Alcohol and Drug
Abuse Patient Records regulations. The
authorizing statute, Title 42, United
States Code (U.S.C.) 290dd–2, protects
the confidentiality of the records
containing the identity, diagnosis,
prognosis, or treatment of any patient
that are maintained in connection with
the performance of any federally
assisted program or activity relating to
substance abuse (now referred to as
substance use disorder) education,
prevention, training, treatment,
rehabilitation, or research. Title 42 of
the CFR part 2 was first promulgated in
1975 (40 FR 27802) and last
substantively updated in 1987 (52 FR
21796).
B. Summary of the Major Provisions
Proposed modifications to 42 CFR
part 2 were published as a Notice of
Proposed Rulemaking (NPRM) on
February 9, 2016 (81 FR 6988). After
consideration of the public comments
received in response to the NPRM,
SAMHSA is issuing this final rule
amending 14 major provisions of 42
CFR part 2, as follows:
Statutory authority for confidentiality
of substance use disorder patient
records (§ 2.1) combines old § 2.1
(Statutory authority for confidentiality
of drug abuse patient records), and § 2.2
(Statutory authority for confidentiality
of alcohol abuse patient records) and
deleting references to 42 U.S.C. 290ee–
3 and 42 U.S.C. 290dd–3, as these
U.S.C. sections were omitted by Public
Law 102–321 and combined and
renamed into Section 290dd–2,
Confidentiality of records. Because
SAMHSA combined former §§ 2.1 and
PO 00000
Frm 00003
Fmt 4701
Sfmt 4700
6053
2.2 into § 2.1, we redesignated §§ 2.2
through 2.5 accordingly.
Reports of violations (§ 2.4) revises
the requirement for reporting violations
of these regulations by methadone
programs (now referred to as opioid
treatment programs) to the Food and
Drug Administration (FDA) because the
authority over these programs was
transferred from the FDA to the
Substance Abuse and Mental Health
Services Administration (SAMHSA) in
2001.
Definitions (§ 2.11) revises some
existing definitions, adds new
definitions of key terms that apply to 42
CFR part 2, and consolidates all but one
of the definitions that are currently in
other sections into § 2.11 (e.g., the
definition of ‘‘Minor’’ previously found
in § 2.14(a)). We revised the definitions
of ‘‘Central registry,’’ ‘‘Disclose or
disclosure,’’ ‘‘Maintenance treatment,’’
‘‘Member program,’’ ‘‘Patient,’’ ‘‘Patient
identifying information,’’ ‘‘Person,’’
‘‘Program,’’ ‘‘Qualified service
organization (QSO),’’ ‘‘Records,’’ and
‘‘Treatment.’’ We also added definitions
of ‘‘Part 2 program,’’ ‘‘Part 2 program
director,’’ ‘‘Substance use disorder,’’
‘‘Treating provider relationship,’’ and
‘‘Withdrawal management,’’ some of
which replaced existing definitions. In
addition, SAMHSA revised the
regulatory text to use terminology in a
consistent manner. The following
definitions were not revised
substantively: ‘‘Diagnosis,’’
‘‘Informant,’’ ‘‘Minor,’’ ‘‘Third-party
payer,’’ and ‘‘Undercover agent.’’
Applicability (§ 2.12) continues to
apply the 42 CFR part 2 regulations to
a program that is federally assisted and
holds itself out as providing, and
provides, substance use disorder
diagnosis, treatment, or referral for
treatment. Most changes to the
applicability of the part 2 regulations
result from SAMHSA’s decision not to
finalize one of its proposed changes to
the definition of ‘‘Program’’ (see § 2.11,
Definitions). Whereas the NPRM
definition of ‘‘Program’’ included, under
certain conditions, ‘‘general medical
practices’’ in addition to ‘‘general
medical facilities,’’ the definition in this
final rule is limited to ‘‘general medical
facilities.’’ However, consistent with the
NPRM, the definition of ‘‘Program’’
continues to use the term ‘‘general
medical facility’’ rather than both
‘‘general medical facility’’ and ‘‘general
medical care facility’’ that were used
interchangeably in the 1987 final rule
definition of ‘‘Program.’’ For example,
an identified unit within a general
medical facility is subject to part 2 if it
holds itself out as providing, and
provides, substance use disorder
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6054
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
diagnosis, treatment, or referral for
treatment. In addition, if the primary
function of medical personnel or other
staff in a general medical facility is the
provision of such services and they are
identified as providing such services,
they are considered a ‘‘Program’’ and,
thus, subject to part 2. This final rule
revises § 2.12(d)(2)(i)(C) so that
restrictions on disclosures also apply to
individuals or entities who receive
patient records from other lawful
holders of patient identifying
information, such that patient records
subject to the part 2 regulations include
substance use disorder records
maintained by part 2 programs, as well
as those records in the possession of
‘‘other lawful holders of patient
identifying information.’’
Confidentiality restrictions and
safeguards (§ 2.13) adds a requirement
that, upon request, patients who have
included a general designation in the
‘‘To Whom’’ section of their consent
form (see § 2.31) must be provided a list
of entities (referred to as a List of
Disclosures) to which their information
has been disclosed pursuant to the
general designation.
Security for records (§ 2.16) clarifies
that this section requires both part 2
programs and other lawful holders of
patient identifying information to have
in place formal policies and procedures
addressing security, including
sanitization of associated media, for
both paper and electronic records.
Disposition of records by
discontinued programs (§ 2.19)
addresses both paper and electronic
records. SAMHSA also added
requirements for sanitizing associated
media.
In Section I., Notice to Patients of
Federal Confidentiality Requirements
(§ 2.22), SAMHSA clarifies that the
written summary of federal law and
regulations may be provided to patients
in either paper or electronic format.
SAMHSA also revised § 2.22 to require
the statement regarding the reporting of
violations include contact information
for the appropriate authorities.
Consent requirements (§ 2.31)
permits, in certain circumstances, a
patient to include a general designation
in the ‘‘To Whom’’ section of the
consent form, in conjunction with
requirements that the consent form
include an explicit description of the
amount and kind of substance use
disorder treatment information that may
be disclosed. SAMHSA decided not to
finalize its proposed changes to the
‘‘From Whom’’ section, but did make
minor updates to the terminology in the
text. SAMHSA also revised § 2.31 to
require the part 2 program or other
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
lawful holder of patient identifying
information to include a statement on
the consent form when using a general
designation in the ‘‘To Whom’’ section
of the consent form that patients have a
right to obtain, upon request, a list of
entities to which their information has
been disclosed pursuant to the general
designation (see § 2.13). In addition,
SAMHSA revised § 2.31 to permit
electronic signatures to the extent that
they are not prohibited by any
applicable law.
In Section K., Prohibition on Redisclosure (§ 2.32), SAMHSA clarifies
that the prohibition on re-disclosure
only applies to information that would
identify, directly or indirectly, an
individual as having been diagnosed,
treated, or referred for treatment for a
substance use disorder, such as
indicated through standard medical
codes, descriptive language, or both,
and allows other health-related
information shared by the part 2
program to be re-disclosed, if
permissible under other applicable
laws.
Disclosures to prevent multiple
enrollments (§ 2.34) modernizes the
terminology and definitions and moves
the definitions to § 2.11 (Definitions).
Medical emergencies (§ 2.51) revises
the medical emergency exception to
make it consistent with the statutory
language and to give providers more
discretion to determine when a ‘‘bona
fide medical emergency’’ exists.
Research (§ 2.52) revises the research
exception to permit data protected by 42
CFR part 2 to be disclosed to qualified
personnel for the purpose of conducting
scientific research by a part 2 program
or any other individual or entity that is
in lawful possession of part 2 data if the
researcher provides documentation of
meeting certain requirements related to
other existing protections for human
research. SAMHSA also revised § 2.52
to address data linkages to enable
researchers holding part 2 data to obtain
linkages to other datasets, provided that
appropriate safeguards are in place as
outlined in section 2.52.
Audit and evaluation (§ 2.53)
modernizes the requirements to include
provisions governing both paper and
electronic patient records. SAMHSA
also revised § 2.53 to permit an audit or
evaluation necessary to meet the
requirements of a Centers for Medicare
& Medicaid Services (CMS)-regulated
accountable care organization (CMSregulated ACO) or similar CMSregulated organization (including a
CMS-regulated Qualified Entity (QE)),
under certain conditions.
The other sections in 42 CFR part 2
that are not referenced above are not
PO 00000
Frm 00004
Fmt 4701
Sfmt 4700
addressed in this final rule nor were
they discussed in the NPRM because
SAMHSA is maintaining their content
substantively unchanged from the 1987
final rule.
C. Summary of Impacts
In the first year that the final rule is
in effect, we estimate that the total costs
associated with updates to 42 CFR part
2 will be roughly $70,691,000. In year
two we estimate that costs will be
$17,680,000, and increase annually as a
larger share of entities implement List of
Disclosures requirements and respond
to disclosure requests. Over the 10-year
period of 2016–2025, the total
undiscounted cost of the part 2 changes
will be about $241 million in 2016
dollars. When future costs are
discounted at 3 percent or 7 percent per
year, the total costs become
approximately $217,586,000 or
$193,098,000, respectively. These costs
are presented in the tables below.
Costs associated with the 42 CFR part
2 final rule, include: updates to health
IT system costs, costs for staff training
and updates to training curricula, costs
to update patient consent forms, costs
associated with providing patients a list
of entities to which their information
has been disclosed pursuant to a general
designation on the consent form (i.e.,
the List of Disclosures requirement), and
implementation costs associated with
the List of Disclosures requirements. We
assumed that costs associated with
modifications to existing health IT
systems, staff training costs associated
with updating staff training materials,
and costs to update consent forms will
be one-time costs the first year the final
rule is in effect and will not carry
forward into future years. Staff training
costs other than those associated with
updating training materials are assumed
to be ongoing annual costs to part 2
programs, also beginning in the first
year that the final rule is in effect. The
List of Disclosures costs are assumed to
be ongoing annual costs to entities
named on a consent form that disclose
patient identifying information to their
participants under the general
designation. Costs associated with the
List of Disclosures provision are limited
to implementation costs for entities that
chose to upgrade their health IT systems
in order to comply with the List of
Disclosures requirements. Several
provisions in the final rule reference
other lawful holders of patient
identifying information in combination
with part 2 programs. These other
lawful holders must comply with part 2
requirements with respect to
information they maintain that is
covered by part 2 regulations. However,
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
because this group is not clearly defined
with respect to the range of
organizations it may include, we are
unable to include estimates regarding
the number and type of these
organizations and are only including
part 2 programs in this analysis.
The benefits of modernizing the part
2 regulations is to increase
opportunities for individuals with
substance use disorders to participate in
new and emerging health and health
care models and health information
technology (IT). The final rule will
facilitate the sharing of information
within the health care system to support
new models of integrated health care
which, among other things, improve
patient safety while maintaining or
strengthening privacy protections for
individuals seeking treatment for
substance use disorders. Moreover, as
patients are allowed, in certain
circumstances, to include a general
designation in the ‘‘To Whom’’ section
of the consent form, we anticipate there
will be more individuals with substance
use disorders participating in
organizations that facilitate the
exchange of health information (e.g.,
health information exchanges (HIEs))
and organizations that coordinate care
(e.g., ACOs and coordinated care
organizations (CCOs)), leading to
increased efficiency and quality in the
provision of health care for this
population. In addition, the revisions to
the research provision (§ 2.52) will
allow additional scientific research to be
conducted that will facilitate continual
quality improvement of part 2 programs
and the important services they offer.
mstockstill on DSK3G9T082PROD with RULES6
II. Background
A. Significant Technology Changes
Since the promulgation of 42 CFR part
2, significant technology changes have
impacted the delivery of health care.
The Office of the National Coordinator
for Health Information Technology
(ONC) was established as an office
within HHS under Executive Order
13335 on April 27, 2004. Subsequently,
on February 17, 2009, the Health
Information Technology for Economic
and Clinical Health Act (HITECH Act) of
the American Recovery and
Reinvestment Act of 2009 (ARRA) (Pub.
L. 111–5) expanded the Department’s
health IT work, including the expansion
of ONC’s authority and the provision of
federal funds for ONC’s activities
consistent with the development of a
nationwide health IT infrastructure.
This work included the certification of
health IT; the authorization of CMS’
Electronic Health Record (EHR)
Incentive Program, including payments
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
to eligible providers for the adoption
and meaningful use of certified EHR
technology; and numerous other federal
agencies’ programs—all of which served
the objective of ensuring patient health
information is secure, private, accurate,
and available where and when needed.
SAMHSA’s role in encouraging the use
of health IT by behavioral health
(substance use disorder and mental
health) providers, included: (1)
Collaborating with ONC to develop two
sets of Frequently Asked Questions
(FAQs) and convening a number of
stakeholder meetings to provide
guidance on the application of 42 CFR
part 2 to HIE models; (2) a one-year pilot
project with five state HIEs to support
the exchange of health information
among behavioral health and physical
health providers; and (3) the Data
Segmentation for Privacy (DS4P)
initiative within ONC’s Standards and
Interoperability (S&I) Framework
facilitated:
• The development of standards to
improve the interoperability of EHRs
containing sensitive information that
must be protected to a greater degree
than other health information due to 42
CFR part 2 and similar state laws,
• six DS4P Implementation Guide
(IG) use case pilot projects including the
Department of Veterans Affairs (VA)/
SAMHSA Pilot that implemented all the
DS4P use cases and passed all
conformance tests, and
• the development of the application
branded Consent2Share, an open-source
health IT solution based on DS4P which
assists in consent management and data
segmentation. Consent2Share is
currently being used by the Prince
Georges County (Maryland) Health
Department to manage patient consent
directives while sharing substance use
disorder information with an HIE.
Despite SAMHSA’s efforts, some
stakeholders continued to request
modernization of 42 CFR part 2 out of
concern that part 2, as written in the
current (1987) regulation, continues to
be a barrier to the integration of
substance use disorder treatment and
physical health care. As noted below,
SAMHSA plans to release shortly an
updated version of Consent2Share with
improved functionality and ability to
meet List of Disclosures requirements.
B. Statutory and Rulemaking History
The Confidentiality of Alcohol and
Drug Abuse Patient Records regulations,
42 CFR part 2, implement Section 543
of the Public Health Service Act, 42
U.S.C. 290dd–2, as amended by Section
131 of the Alcohol, Drug Abuse and
Mental Health Administration
Reorganization Act (ADAMHA
PO 00000
Frm 00005
Fmt 4701
Sfmt 4700
6055
Reorganization Act), Public Law 102–
321 (July 10, 1992). The regulations
were promulgated as a final rule on July
1, 1975 (40 FR 27802). In 1980, the
Department invited public comment on
15 substantive issues arising out of its
experience interpreting and
implementing the regulations (45 FR
53). More than 450 public responses to
that invitation were received and taken
into consideration in the preparation of
a 1983 NPRM (48 FR 38758).
Approximately 150 comments were
received in response to the NPRM and
were taken into consideration in the
preparation of the final rule released on
June 9, 1987 (52 FR 21798).
The Department published an NPRM
again in the Federal Register (FR) on
August 18, 1994 (59 FR 42561), which
proposed a clarification of the definition
of ‘‘Program’’ in the regulations.
Specifically, the Department proposed
to clarify that, as to general medical care
facilities, these regulations cover only
specialized individuals or units in such
facilities that hold themselves out as
providing and provide alcohol or drug
abuse (now referred to as substance use
disorder) diagnosis, treatment, or
referral for treatment and which are
federally assisted, directly or indirectly.
On May 5, 1995, the final rule was
released (60 FR 22296).
SAMHSA posted a document in the
FR on May 12, 2014, (79 FR 26929)
announcing a public Listening Session
planned for June 11, 2014, to solicit
feedback on the Confidentiality of
Alcohol and Drug Abuse Patient
Records regulations, 42 CFR part 2.
SAMHSA accepted written comments
until June 25, 2014. The Listening
Session comments are posted on the
SAMHSA Web site at https://
www.samhsa.gov/about-us/who-we-are/
laws-regulations/public-commentsconfidentiality-regulations.
Prompted by the need to update and
modernize the Confidentiality of
Alcohol and Drug Abuse Patient
Records regulations at 42 CFR part 2, on
February 9, 2016, SAMHSA published
an NPRM that proposed revisions to the
part 2 regulations and requested public
input on the proposed changes during a
60-day public comment period (81 FR
6988). Although raised in the Listening
Session public comments, SAMHSA
decided not to address issues pertaining
to e-prescribing and Prescription Drug
Monitoring Programs (PDMPs) in the
NPRM because they were not ripe for
rulemaking at the time due to the state
of technology and because the majority
of part 2 programs are not prescribing
controlled substances electronically. As
noted in the NPRM, SAMHSA intends
to monitor developments in this area to
E:\FR\FM\18JAR6.SGM
18JAR6
6056
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
see whether further action may be
warranted in the future. SAMHSA
received 376 public comment
submissions on the part 2 NPRM. The
comments received were detailed,
thoughtful, and reflective of the
complex issues addressed and balanced
in the part 2 regulations. This final rule
reflects SAMHSA’s thorough
consideration of all substantive issues
raised in the public comments in
response to its proposals in the NPRM.
mstockstill on DSK3G9T082PROD with RULES6
III. Overview of the Final Rule
In this final rule, the Department
finalizes the modifications to the
Confidentiality of Alcohol and Drug
Abuse Patient Records, 42 CFR part 2,
including renaming it ‘‘Confidentiality
of Substance Use Disorder Patient
Records.’’ The modifications modernize
the rule by facilitating electronic
exchange of substance use disorder
information for treatment and other
legitimate health care purposes while
ensuring appropriate confidentiality
protections for records that might
identify an individual, directly or
indirectly, as having or having had a
substance use disorder.
Overview of Public Comments
We received 376 public comments
from medical health care providers;
behavioral health care providers;
combined medical/behavioral health
care providers; HIEs, ACOs, CCOs, and
certified patient-centered medical
homes (CPCMHs), sometimes called
health homes; third-party payers;
privacy/consumer advocates; medical
health care provider associations;
behavioral health care provider
associations; accrediting organizations;
researchers; individuals (with no stated
affiliation); attorneys (with no stated
affiliation); HIT vendors; and state/local
governments. The comments ranged
from general support or opposition to
the proposed provisions to very specific
questions or comments regarding the
proposed rules.
Some comments were outside the
scope of or inconsistent with
SAMHSA’s legal authority regarding the
confidentiality of substance use disorder
patient records. Likewise, other
comments did not pertain to specific
proposals made by SAMHSA in the
NPRM. In some instances, commenters
raised policy or operational issues that
are best addressed through
subregulatory guidance that SAMHSA
will consider issuing subsequent to this
final rule. Consequently, SAMHSA did
not address these comments in this final
rule.
Commenters have also provided
SAMHSA with informative feedback on
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
how lawful holders, including thirdparty payers and others within the
healthcare industry, use health data or
hire others to use health data on their
behalf to provide operational services
such as independent auditing, legal
services, claims processing, plan pricing
and other functions that are key to the
day-to-day operation of entities subject
to this rule. We have previously
clarified in responses to particular
questions that contracted agents of
individuals and/or entities may be
treated as the individual/entity.
Questions raised by commenters during
this rulemaking have, however,
highlighted varying interpretations of
the current (1987) rule’s restrictions on
lawful holders and their contractors’
and subcontractors’ use and disclosure
of part 2-covered data for purposes of
carrying out payment, health care
operations, and other health care related
activities. In consideration of this
feedback and given the critical role that
third-party payers, other lawful holders,
and their contractors and subcontractors
play in the provision of health care
services, SAMHSA is issuing a
supplemental notice of proposed
rulemaking (SNPRM) to seek further
comments and information on this
matter.
IV. Effective Date
In this final rule, SAMHSA has
established a single effective date of 30
days after the publication of the final
rule, or February 17, 2017. On this date,
the revised 42 CFR part 2 will replace
the 1987 version of part 2 in the CFR
and all part 2 programs and other lawful
holders of patient identifying
information must comply with all
aspects of the regulations. In the NPRM,
SAMHSA proposed that, with the
exception of § 2.13(d), part 2 programs
and other lawful holders of patient
identifying information would have to
comply with applicable requirements of
the revised part 2 regulations beginning
30 days after the publication of the final
rule. See Section V.D.3 below for a
discussion of ‘‘other lawful holders.’’
We proposed that entities would not
have to comply with the List of
Disclosures requirements of § 2.13(d)
until two-years after the effective date of
the final rule. As explained below,
because the right to obtain, upon
request, a List of Disclosures is only
available to patients who use a general
designation in the ‘‘To Whom’’ section
of the consent form, entities must only
have the technical capability to provide
the List of Disclosures if they take
advantage of the general designation
provision. Therefore, SAMHSA has
revised the effective date from that
PO 00000
Frm 00006
Fmt 4701
Sfmt 4700
proposed to avoid confusion. However,
signed consent forms in place prior to
the effective date of this final rule will
be valid until they expire. Nonetheless,
part 2 programs may update signed
consent forms consistent with the final
rule, prior to the effective date of the
final rule if they so choose. Consents
obtained after the effective date will
need to comply with the final rule,
regardless of whether the consents
involve patient identifying information
obtained prior to or after the effective
date of this final rule.
Public Comments
One commenter urged that the final
rule allow for implementation of the
research provision (§ 2.52) immediately
or shortly after the rule takes effect.
Several commenters raised concerns
about how to interpret the two-year
delayed implementation of List of
Disclosures and whether the general
designation will be used during that
period.
SAMHSA Response
SAMHSA acknowledges commenters’
confusion regarding the proposed twoyear delayed compliance date for the
List of Disclosures requirements. After
considering the public comments
received on this point, SAMHSA
realized that such a two-year delayed
compliance date for the requirements of
§ 2.13(d) is not helpful. As explained in
the ‘‘To Whom’’ section of the part 2compliant consent requirements (see
Section V.J.2 below), an entity that
serves as an intermediary (e.g., HIE,
ACO, CCO) must comply with the List
of Disclosures provision in order to
disclose information pursuant to a
general designation provided on the
consent form (see
§ 2.31(a)(4)(iii)(B)(3)(i)). Therefore, an
entity that serves as an intermediary
would be prohibited from electing to
disclose information pursuant to a
general designation without the ability
to comply with the List of Disclosures
requirement. It would not make sense to
implement a two-year delayed
compliance date for the List of
Disclosures requirements at § 2.13(d)
because the only reason an entity that
serves as an intermediary would have to
comply with the List of Disclosures
requirements would be if they wanted to
disclose information pursuant to general
designations that have been included in
the ‘‘To Whom’’ section of the patient
consent form, which requires alerting
patients to the fact that they have a right
to request a list of entities to which their
information has been disclosed (per
§ 2.13(d)). Thus, an entity that serves as
an intermediary is prohibited from
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
disclosing information pursuant to a
general designation without having the
capability to comply with the List of
Disclosures requirements. For these
reasons, it is not advisable to include a
two-year delayed compliance date for
the List of Disclosures provision. Some
entities that serve as intermediaries as
described by § 2.31(a)(4)(iii)(B) may
elect never to disclose information
pursuant to a general designation and,
thus, would not need to comply with
the List of Disclosures requirement.
Those that choose to disclose
information pursuant to general
designations must ensure the capability
to comply with the List of Disclosures
requirements at § 2.13(d) before they
disclose the information pursuant to a
general designation. But there is no
timeframe in which they need to
comply; only the condition that if they
choose to have the option of disclosing
information pursuant to a general
designation on a consent form, they
must also be capable of providing a List
of Disclosures upon request per
§ 2.13(d).
Regarding the suggestion to allow for
implementation of the Research
provision § 2.52 immediately after the
final rule takes effect, SAMHSA
declines to make this change. For clarity
regarding part 2 compliance, the 1987
part 2 final rule remains in effect until
the effective date for the 2016 part 2
regulations established in this final rule.
Because of the revised definitions that
impact the research provision, it would
create unnecessary confusion to make
effective § 2.52 before the rest of the
final rule.
mstockstill on DSK3G9T082PROD with RULES6
V. Discussion of Public Comments and
Final Modifications to 42 CFR Part 2
In this section of the final rule,
SAMHSA explains the finalized
revisions to the part 2 regulations and
responds to public comments received.
If a part 2 CFR section is not addressed
below, it is because SAMHSA did not
propose changes to that part 2 provision
and that this final rule maintains the
existing language in that section.
However, SAMHSA notes that in
addition to the revisions discussed
below, SAMHSA has made other
technical, non-substantive, and
nomenclature changes to various part 2
provisions. Those changes are reflected
in the regulatory text at the end of this
rule.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
A. General Comments on the Proposed
Rule
1. General Feedback on the Proposed
Rule
a. General Support for the Proposed
Rule
Public Comments
Many commenters expressed general
support for the proposed rule, with
some noting that the proposed rule
would preserve the confidentiality
rights of substance use disorder patients
while facilitating the sharing of health
information; would ensure that patients
with a substance use disorder
participate in, and benefit from, new
integrated health care models without
fear of putting themselves at risk of
adverse consequences; would help
reduce the stigma associated with
substance use disorder; and would
provide patients comfort in knowing
they have control of their record.
Several commenters expressed
general support for the NPRM’s
proposed part 2 changes to enhance
integrated care and information
exchange. Multiple commenters, with
some stressing the need for patient
privacy protections, suggested that
integrated networks of care between
medical and behavioral health services
is current best practice and will benefit
patients. Two commenters implied
general support. The first of these two
commenters stated that the current
practice of keeping paper substance use
records separate from the EHR system
increases work required to maintain
records, creates redundancies, and
could contribute to providers missing
critical information needed for treating
patients. The second commenter stated
that the current (1987) part 2 regulations
are out of step with the health care
system’s rapid adoption of EHRs, its
capacity to quickly exchange
information (e.g., HIEs), the federal
privacy and security regulations (Health
Insurance and Portability and
Accountability Act [HIPAA] and
HITECH) governing these EHRs and
exchanges, and the increasing treatment
of patients’ substance use in health care
systems not covered by existing part 2
regulations, but by HIPAA.
Another commenter expressed
support for the facilitation of electronic
exchange of substance use disorder
treatment information where the
confidentiality protections historically
afforded patients by part 2 are
maintained.
A few commenters stated that the
proposal would help patients with
substance use disorders benefit from
emerging care models that require
PO 00000
Frm 00007
Fmt 4701
Sfmt 4700
6057
enhanced health information exchange
for better care coordination (e.g.,
CPCMHs, ACOs).
SAMHSA Response
SAMHSA appreciates the support for
updating the regulations. This final rule
is intended to modernize the part 2
regulations by facilitating the electronic
exchange of substance use disorder
information for treatment and other
legitimate health care purposes while
ensuring appropriate confidentiality
protections for records that might
identify an individual, directly or
indirectly, as having or having had a
substance use disorder. Many new
integrated care models rely on
interoperable health IT and these
proposed changes are expected to
support the integration of substance use
disorder treatment into primary and
other specialty care, improving the
patient experience, clinical outcomes,
and patient safety while at the same
time ensuring patient choice,
confidentiality, and privacy. Due to its
targeted population, part 2 provides
more stringent federal protections than
most other health privacy laws,
including HIPAA.
b. General Opposition to the Proposed
Rule
Public Comments
Some commenters expressed general
opposition to the proposed rule, with
some arguing that it would eliminate the
right of patients to protect and control
personal health information; would
introduce complexity, not
simplification; and would maintain the
stigma surrounding drug use. One
commenter warned the proposed rule
would create concessions to
institutional stakeholders, both
providers and researchers, who find the
consent requirements inconvenient and
burdensome.
Many commenters requested that part
2 remain unchanged, with some stating
that loosening part 2 regulations would
dissuade substance use disorder
patients from seeking help out of fear of
how their information could be used
against them or that the proposed
regulations would not offer the intended
protection.
Some commenters asserted that
maintaining a separate set of
confidentiality restrictions aimed solely
at substance use disorder providers and
patients perpetuates the discrimination
associated with substance use disorder
and ultimately negatively impacts
patients and the care they receive,
suggesting that issues of substance use
disorder information confidentiality
E:\FR\FM\18JAR6.SGM
18JAR6
6058
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
should be part of the broader general
medical care confidentiality regulations.
Others argued that the fear of
discrimination is a real problem for
many individuals suffering from a
substance use disorder and being able to
receive treatment without worrying that
personal information will be leaked is
crucial in helping these people get the
help they need so that they can return
to their communities as contributing
members of society.
SAMHSA Response
SAMHSA wants to ensure that
patients with substance use disorders
have the ability to participate in, and
benefit from, new and emerging health
care models that promote integrated
care and patient safety while respecting
the legitimate privacy concerns of
patients seeking treatment for a
substance use disorder due to the
potential for discrimination, harm to
their reputations and relationships, and
serious civil and criminal consequences.
This approach is consistent with the
intent of the governing statute (42 U.S.C.
290dd–2) and regulations at 42 CFR part
2, which is to protect the confidentiality
of substance use disorder patient
records. SAMHSA has added more
flexibility to some of the consent
provisions, including a range of ‘‘To
Whom’’ consent options that includes
the current (1987) ‘‘To Whom’’ consent
requirement, but still retained core part
2 protections, including the prohibition
on re-disclosure as well as requiring the
‘‘Amount and Kind’’ section of the
consent form to include how much and
what kind of information is to be
disclosed, including an explicit
description of the substance use
disorder information that may be
disclosed. Changes to the research
provision also enable patients to benefit
from advanced research protocols while
still complying with part 2 protections
regarding patient confidentiality.
However, with these conflicting
comments, as well all other comments,
SAMHSA was guided by the governing
statute in developing the final rule,
which restricts disclosure without
consent other than under a small
number of exceptions
mstockstill on DSK3G9T082PROD with RULES6
2. The Proposed Rule Did Not Go Far
Enough To Facilitate Information
Exchange
Public Comments
Several commenters suggested that
the proposed part 2 revisions did not go
far enough to facilitate information
exchange and data sharing. For
example, some commenters asserted
that the proposed regulations would
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
maintain previous barriers and create
additional barriers that impede the
sharing of information exchange and
care coordination necessary to
effectively treat patients who seek care
in a variety of settings. A few
commenters said the proposed part 2
revisions go beyond the protections
intended by the statutory requirements
in 42 U.S.C. 290dd–2 and suggested that
the proposed changes would continue to
decrease access to substance use
disorder treatment and the achievement
of positive health outcomes.
Citing concerns about people with
substance use disorders who visit
multiple health care providers to obtain
medication, one commenter advocated
that substance use disorder health care
records should be accessible to all
health care facilities for the sole purpose
of better treating and rehabilitating these
patients.
Other commenters requested further
clarification on the regulations to ensure
that coordination of care happens
smoothly for all patients, especially
those at the highest need of
coordination, without unnecessary
barriers. Citing a 2010 report from the
President’s Council of Advisors on
Science and Technology, a couple of
commenters urged SAMHSA to initiate
a broad conversation among other HHS
agencies to develop a granular data
specification standard that enables
patients to be in full control of all their
health data, not just part 2 data.
Citing technological barriers, a
commenter asserted that additional
changes to part 2 are necessary to allow
for technological solutions for sharing
data. One commenter said new funding
for HIEs permitted by recent CMS
guidance could be maximized by more
substantial revisions to part 2 that
would encourage the inclusion of
substance use disorder providers in
HIEs. Expressing uncertainty as to
whether data segmentation can be
implemented effectively absent clear
standards, a commenter expressed
concern the result would be a two-tier
system of how substance use disorder
data are defined both by payers and by
local and state jurisdictions that has the
effect of having substance use disorder
data exchanged differently depending
on if the patient received services
within or beyond the veil of part 2
regulation.
Some commenters suggested that the
current (1987) part 2 regulation and the
proposed revisions maintain a status
quo of segregated substance use disorder
information with minimal benefits to
patients, high compliance costs, and
deterrence for organizations to provide
substance use treatment. Some of these
PO 00000
Frm 00008
Fmt 4701
Sfmt 4700
commenters said the part 2 regulations
keep the substance use disorder
treatment system isolated from general
health care providers and reduce access
to substance use disorder treatment
being added by general health care
organizations, which, due to
administrative burden and liability
fears, are less likely to add substance
use disorder treatment. A few of these
commenters asserted that the part 2
regulations have unintended
consequences, including disadvantaging
persons with a substance use disorder
and treatment providers because of the
burdens associated with constantly
updating expiring consents. One of
these commenters said that the burdens
caused by the part 2 regulations are
particularly costly because patients with
substance use disorder are among the
highest cost utilizers in the health care
system.
Some commenters asserted that
maintaining a separate set of
confidentiality restrictions aimed solely
at substance use disorder providers and
patients perpetuates the stigma
associated with substance use disorder
and ultimately negatively impacts
patients and the care they receive,
suggesting that issues of substance use
disorder information confidentiality
should be part of the broader general
medical care confidentiality regulations.
Some commenters expressed concern
that the proposed part 2 revisions did
not address information exchange issues
associated with specific types of health
care services delivery, including
integrated delivery systems operating
with a behavioral health organization
unit or department; organizations that
include affiliated entities, such as
jointly held and operated hospital-based
systems and health insurance plans;
risk-based Medicaid managed care;
social service programs integrated with
publicly financed health delivery
systems; and combined behavioral
health service delivery.
One commenter urged SAMHSA to
include the release of previous
substance use disorder treatment
information from insurance companies
to part 2 programs as disclosure
permitted without consent under part 2.
Another commenter expressed concern
that SAMHSA did not propose an
allowance under part 2 regarding
appropriate disclosures by a health plan
for the coordination of a health plan
member’s care.
Expressing concern that the proposed
part 2 revisions do not address many of
the issues on which SAMHSA has
issued guidance with respect to health
information networks, a commenter
asserted that such guidance is outdated
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
and creates unintended obstacles to the
desired exchange of information on
patients with substance use disorders.
SAMHSA Response
The governing statute (42 U.S.C.
290dd-2) and regulations at 42 CFR part
2 protect the confidentiality of
substance use disorder patient records.
Consistent with the governing statute,
SAMHSA wants to ensure that patients
with substance use disorders have the
ability to participate in, and benefit
from new and emerging health care
models which promote integrated care
and patient safety while respecting the
legitimate privacy concerns of patients
seeking treatment for a substance use
disorder due to the potential for
discrimination, harm to their
reputations and relationships, and
serious civil and criminal consequences.
Toward that end, SAMHSA held a
Listening Session on June 11, 2014, to
solicit feedback on the Confidentiality
of Alcohol and Drug Abuse Patient
Records regulations. All the feedback
received from the Listening Session was
considered and helped to inform the
development of the proposed and final
rules. In addition, SAMHSA
collaborated with its federal partner
experts in developing this final rule.
Information exchange is addressed in
both the applicability provision (§ 2.12)
and the consent requirements provision
(§ 2.31), among other places in this final
rule. SAMHSA has added more
flexibility to the ‘‘To Whom’’ section of
the consent form, which will give
patients the option to release their
records to past, current, and/or future
treating providers. In addition, § 2.13
requires a part 2-compliant consent
form must list the date, event, or
condition upon which the consent will
expire, if not revoked before. Thus, it is
not sufficient under part 2 for a consent
form to merely state that that
disclosures will be permitted until the
consent is revoked by the patient. It is,
however, permissible for a consent form
to specify the event or condition that
will result in revocation, such as having
its expiration date be ‘‘upon my death.’’
The Applicability provision includes:
‘‘The restrictions on disclosure in these
regulations do not apply to
communications of information between
or among personnel having a need for
the information in connection with their
duties that arise out of the provision of
diagnosis, treatment, or referral for
treatment of patients with substance use
disorders if the communications are
within a part 2 program; or between a
part 2 program and an entity that has
direct administrative control over the
program.’’
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
With this rulemaking, SAMHSA has
attempted to facilitate the electronic
exchange of substance use disorder
treatment records while ensuring
patient privacy. SAMHSA
acknowledges that many EHRs and HIEs
are experiencing technical barriers to
segmenting or redacting substance use
disorder treatment data. As a result,
SAMHSA has spent several years
supporting the continued development
of the Consent2Share application, an
open-source health IT solution based on
DS4P, which assists in both consent
management and data segmentation. It
is designed to integrate with existing
EHR and HIE systems via the developed
standards. Consent2Share enables
electronic implementation of various
sensitive health information disclosure
policies by applying the informationsharing rules needed to constrain the
disclosure of sensitive data according to
patient preferences. SAMHSA, in
conjunction with ONC and other federal
partners, also continues to support the
development of data standards and IGs
to further reduce technical barriers in
the field.
Finally, SAMHSA has added
additional information from previously
issued FAQ guidance to the preamble
discussion in this final rule, such as
information about medical emergencies
and ‘‘holds itself out,’’ and plans to
issue additional subregulatory guidance
after publication of the final rule.
3. Final Rule Should Balance Patient
Protections With Enhanced Information
Exchange
Public Comments
Numerous commenters emphasized
that the part 2 revisions must balance
patient protections with enhanced
information exchange and data sharing.
Some commenters suggested that
patient confidentiality should not be
compromised by any updates to the part
2 regulations, reasoning that the stigma
associated with having or having had a
substance use disorder and the fear that
this information may be used against an
individual would lead them to not seek
treatment. To this end, a few of these
commenters cautioned SAMHSA to
remain diligent in the oversight of these
regulations to ensure that the
information is only being conveyed to
the appropriate parties with the sole
intent to improve patient care. Other
commenters emphasized that sharing
patient information should be solely for
necessary medical purposes. Another
commenter argued that the interest in
integrating mental health care with
physical health care should not result in
the erosion or elimination of the
heightened privacy protections that are
PO 00000
Frm 00009
Fmt 4701
Sfmt 4700
6059
essential for effective mental health
treatment.
A few commenters urged SAMHSA to
ensure that the final rule respects
patient choice for privacy in the
treatment of sensitive information like
substance use disorder treatment
records, including the right to control
how their records are disclosed, even for
health and payment purposes. A
commenter said the proposed part 2
changes have substantially weakened
the privacy protections surrounding the
sharing of a patient’s substance use
treatment data. One commenter stated
that before an individual’s health data
can be accessed, there should be a
specific, legitimate reason, and a careful
review of the patient’s set of
permissions. In addition to suggesting
that mental health and substance abuse
records be blocked from view by any
providers or staff not directly involved
in the care and treatment of a patient,
a commenter asserted that a patient has
the right to have substance abuse and/
or mental health treatment records
blocked from view by even their
primary care provider or nurses.
A couple of commenters asserted that
it is both necessary and technologically
possible to integrate substance use
disorder and other health care
information and effectively exchange
substance use treatment data while
maintaining the core protections of part
2, including consent requirements and
the prohibition on re-disclosure.
Emphasizing the importance of
patient confidentiality and privacy, a
few commenters asserted that sacrificing
the dignity and well-being of a person
seeking help for a substance use
disorder in the name of convenience,
administrative efficiency, and research
is a poor way to achieve the well-being
of either the person in need or the
community. One of these commenters
recommended that SAMHSA delay the
part 2 changes until the technology is
available to protect persons with
substance use disorder.
Another commenter encouraged a
cautious, step-wise approach to making
substance use treatment records more
integrated with general medical records.
This commenter expressed concern that
making treatment records more
accessible to other providers would
exacerbate the stigmatization of
substance use disorder, particularly
among pregnant women, which could
lead to these individuals not seeking
treatment for their substance use
disorder or prenatal care.
SAMHSA Response
SAMHSA reiterates its intent to
ensure that patients with substance use
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6060
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
disorders have the ability to participate
in, and benefit from new and emerging
health care models which promote
integrated care and patient safety while
respecting the legitimate privacy
concerns of patients seeking treatment
for a substance use disorder due to the
potential for discrimination, harm to
their reputations and relationships, and
serious civil and criminal consequences.
This approach is consistent with the
intent of the governing statute (42 U.S.C.
290dd-2) and regulations at 42 CFR part
2, which is to protect the confidentiality
of substance use disorder patient
records.
In response to the commenters who
cautioned SAMHSA to remain diligent
in the oversight of these regulations,
SAMHSA has the statutory authority to
promulgate 42 CFR part 2, but the
Department of Justice retains the
authority for enforcing 42 CFR part 2.
Reports of violation of these regulations
may be directed to the United States
Attorney for the judicial district in
which the violation occurs. The report
of any violations of these regulations by
an opioid treatment program may be
directed to United States Attorney for
the judicial district in which the
violation occurs as well as the SAMHSA
office for opioid treatment program
oversight. SAMHSA has oversight of
opioid treatment programs through 42
CFR part 8. Related to oversight and
compliance education, SAMHSA
expects to issue FAQs as it has done in
the past and develop other
subregulatory guidance such as
education and outreach materials.
SAMHSA has added more flexibility
to some of the consent provisions but
still retained core part 2 protections,
including prohibition on re-disclosure
as well as consent options that would
continue to give patients significant
control. For example, the ‘‘To Whom’’
section of the consent form includes an
option permitting a general designation
under certain circumstances. However,
SAMHSA retained the option of listing
the name(s) of the individual(s) to
whom a disclosure is made. In addition,
any disclosure made under these
regulations must comply with the
‘‘Amount and Kind’’ of information to
be disclosed and the purpose of the
disclosure, as provided on a part 2compliant consent form. Furthermore,
§ 2.13(a) limits the information to be
disclosed to that information which is
necessary to carry out the purpose of the
disclosure. Moreover, a patient has the
option to withhold consent to disclosure
of any of their substance use disorder
information.
SAMHSA is aware that technology
adoption is an ongoing process and that
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
many behavioral health providers have
yet to adopt electronic health records as
incentive payments have been
unavailable for such purposes for these
providers under the HITECH
Meaningful Use Program. In addition,
paper records are still used today in
some part 2 programs and shared
through facsimile (FAX). Therefore, in
spite of advances in technology, some
stakeholders are concerned that part 2,
as currently written, continues to be a
barrier to the integration of substance
use disorder treatment and physical
health care. Rather than waiting for the
development and adoption of
technology, SAMHSA decided to issue
these final regulations to ensure that
patients with substance use disorders
have the ability to participate in, and
benefit from new and emerging health
care models which promote integrated
care and patient safety while respecting
the legitimate privacy concerns of
patients seeking treatment for a
substance use disorder due to the
potential for discrimination, harm to
their reputations and relationships, and
serious civil and criminal consequences.
SAMHSA understands the importance
of not compromising patient protection,
and has, in § 2.13(d) of these final
regulations, required an entity that
serves as an intermediary (upon request)
to provide a List of Disclosures made
pursuant to the general designation
option. Further, as discussed later in
this preamble, the general designation
option may not be used until there is
technical capability to provide the
required List of Disclosures.
4. Part 2 Should Align With the Health
Insurance Portability and
Accountability Act
Public Comments
Many commenters expressed that part
2 should be aligned with HIPAA. Some
commenters specifically mentioned
various areas for HIPAA alignment,
including the consent form; Business
Associate Agreement standards;
treatment, payment, and health care
operations; patient-requested
restrictions on disclosure; deidentification standards, medical
emergencies; research; the definition of
‘‘Patient identifying information;’’
HIPAA penalties contained in the
HITECH Act; and re-disclosure
provisions. Many commenters asserted
that aligning the regulations with
HIPAA would help to strike an
appropriate balance between protecting
sensitive patient health information
while providing coordinated, quality
care. Many commenters urged SAMHSA
to align part 2 with HIPAA to broaden
PO 00000
Frm 00010
Fmt 4701
Sfmt 4700
the allowable sharing of data for
purposes of care coordination and
patient safety.
Numerous commenters urged that
substance use disorder records and
treatments should be held to the same
level of privacy as all other health
records. Other commenters raised the
concern of equal access, stating that
individuals with substance use disorder
should have the same access to the
benefits of increased care coordination
as individuals without substance use
disorder.
Commenters encouraged the broader
harmonization of part 2, HIPAA, and
HITECH into a single uniform set of
standards applicable for all personal
health information, including substance
use disorder treatment and payment.
Some commenters asserted that
HIPAA is sufficient to protect patient
privacy and part 2 is no longer
necessary. Some commenters also
asserted that part 2 also predates the
development of EHR and HIEs, and
there is pressing need to reconsider
these rules in light of more recent
technological and legal developments.
Some commenters expressed concern
that complying with both part 2 and
HIPAA would lead to undue
administrative burden and management
issues across the continuum of patient
care.
A commenter recommended that
SAMHSA should add the same release
requirements for substance use disorder
treatment as is required for
psychotherapy notes under HIPAA,
which are restricted from release
without the client’s consent. According
to the commenter, this would give
substance use disorder patients
protections with Business Associates
Agreements (instead of additional rules
and forms for Qualified Service
Organization Agreements [QSOAs]),
notification upon breach requirements,
and other rights already afforded
persons receiving medical and mental
health care.
Several commenters said part 2
should be as consistent as possible with
HIPAA, except for the prohibition on
use for investigation, prosecution, or
criminal charges.
SAMHSA Response
SAMHSA noted the many comments
from a wide range of commenters that
requested that SAMHSA align part 2
provisions with HIPAA where possible.
In some instances, SAMHSA has
attempted to do so in this final rule to
the extent the change was permissible
under 42 U.S.C. 290dd–2. At the same
time, part 2 and its governing statute are
separate and distinct from HIPAA and
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
its implementing regulations. Because of
its targeted population, part 2 provides
more stringent federal protections than
most other health privacy laws,
including HIPAA.
In response to comments about
alignment of this regulation with
HIPAA, SAMHSA has aligned the
interpretation the definition of ‘‘Patient
identifying information’’ with HIPAA to
the extent feasible. In addition,
SAMHSA revised Security for records
(§ 2.16) to more closely align with
HIPAA.
mstockstill on DSK3G9T082PROD with RULES6
B. Statutory Authority (§ 2.1)
SAMHSA is adopting this section as
proposed. SAMHSA has combined what
was §§ 2.1 (Statutory authority for
confidentiality of drug abuse patient
records) and 2.2 (Statutory authority for
confidentiality of alcohol abuse patient
records) and renamed the new § 2.1,
Statutory authority for confidentiality of
substance use disorder patient records.
We have re-designated §§ 2.2 through
2.5 accordingly. In the new § 2.1,
SAMHSA has deleted references to 42
U.S.C. 290ee–3 and 42 U.S.C. 290dd–3.
Sections 290dd–3 and 290ee–3 were
omitted by Public Law 102–321 and
combined and renamed into Section
290dd–2, Confidentiality of records. In
addition, we have deleted references to
laws and regulations that have been
repealed in § 2.21.
Public Comments
One commenter urged SAMHSA to
assess whether existing statutory
authority is adequate to modernize part
2 regulatory requirements to keep pace
with existing laws and industry
developments while also protecting
privacy, and to discuss necessary
statutory changes in the final rule.
Further, the commenter recommended
that SAMHSA encourage Congress to
convene public hearings to evaluate
proposals for statutory changes and
delay issuing a final rule if pending
legislative proposals are enacted that
change the legal landscape for substance
use disorder information and related
protections.
A commenter urged SAMHSA to
address the congressional action that
may be needed to effectively expand the
ability to provide coordinated services,
such as including health and human
services agencies’ field staff clearly into
the definition of treatment terms. A few
commenters suggested that the statutory
authority underlying the part 2
regulations (42 U.S.C. 290dd–2) should
be revised. Another commenter asserted
that the 1992 confidentiality statute
should be reformed to afford patients
greater protections against unlawful
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
disclosure of their substance use
disorder treatment, limit the use of
information shared for non-health
purposes, provide meaningful
enforcement and penalties, and more
effectively prevent discrimination.
Another commenter recommended that
modifications should be made to HIPAA
to incorporate special protections and
limitations for substance use
information and that the part 2
regulations should be rescinded. If the
intent of the part 2 changes is to prevent
inappropriate adverse consequences
from the disclosure of substance use
disorder health data, a commenter
suggested that those specific adverse
consequences should be targeted with
legislation reform, rather than providing
a blanket privacy allowance that hides
medical information from providers.
SAMHSA Response
SAMHSA does not have the authority
to repeal or revise the governing statute
for the regulations codified at 42 CFR
part 2 nor any other statute, as that
power is given to Congress. The part 2
authorizing statute, 42 U.S.C. 290dd–2,
gives the Secretary broad authority to
carry out the confidentiality provisions
therein, but to promulgate requirements
to: (1) Carry out the purposes of the
legislation; (2) prevent its
circumvention or evasion; and (3)
facilitate its compliance. These part 2
revisions were drafted to further these
three purposes while, to the extent
allowable under the legislation,
permitting disclosure and use to
increase access to treatment and
improve treatment services. The intent
of the part 2 regulations and its
governing statute (42 U.S.C. 290dd–2) is
to protect the confidentiality of
substance use disorder patient records.
Because individuals seeking treatment
for substance use disorders may
experience a host of negative
consequences, including discrimination,
harm to their reputations and
relationships, and possibly serious civil
and criminal consequences should
information regarding their treatment be
improperly disclosed, there is a specific
need for strong privacy protections for
substance use disorder records.
C. Reports of Violations (§ 2.4)
SAMHSA is adopting this section as
proposed. We have revised the
requirement of reporting violations of
these regulations by a methadone
program to the FDA (§ 2.5(b)). The
authority over methadone programs
(now referred to as opioid treatment
programs) was transferred from the FDA
to SAMHSA in 2001 (66 FR 4076).
Suspected violations of 42 CFR part 2 by
PO 00000
Frm 00011
Fmt 4701
Sfmt 4700
6061
opioid treatment programs may be
reported to the U.S. Attorney’s Office for
the judicial district in which the
violation occurred, as well as the
SAMHSA office responsible for opioid
treatment program oversight.
Public Comments
SAMHSA received no public
comments on this section. This section
of the final rule is adopted as proposed.
D. Definitions (§ 2.11)
SAMHSA has consolidated all of the
definitions in 42 CFR part 2, with the
exception the definition of the term
‘‘Federally assisted,’’ into a single
section at § 2.11. SAMHSA has retained
the definition of the term ‘‘Federally
assisted’’ in § 2.12 (Applicability) for the
purpose of clarity because it is key to
understanding the applicability of the
part 2 regulations. SAMHSA is adopting
these structural changes as proposed in
the NPRM. Specific definitions are
discussed in the sections below. If a part
2 definition is not addressed below, it
is because SAMHSA did not propose or
make substantive changes to that
definition. However, as discussed
below, SAMHSA updated the terms in
those definitions, as appropriate (e.g., to
replace ‘‘program’’ with ‘‘part 2
program,’’ and when ‘‘alcohol abuse’’
and ‘‘drug abuse’’ were used collectively
to replace it with ‘‘substance use
disorder’’). The definitions in the
regulatory text of this final rule reflect
these changes.
1. New Definitions
a. Part 2 Program
SAMHSA is adopting this definition
as proposed. SAMHSA defines a ‘‘Part
2 program’’ as ‘‘a federally assisted
program (federally assisted as defined in
§ 2.12(b) and program as defined in
§ 2.11). See § 2.12(e)(1) for examples.’’
We have retained the examples
provided in § 2.12(e)(1) of the current
(1987) regulations, with minor
clarifications in § 2.12(e)(1), because
they explain the part 2 applicability and
coverage. SAMHSA has replaced the
term ‘‘program’’ with ‘‘part 2 program,’’
where appropriate. For example, we
have revised the definition of QSO,
including replacing ‘‘program’’ with
‘‘part 2 program,’’ which is discussed in
depth below (see Section V.D.2.i.,
Existing Definitions). We also replaced
‘‘program’’ with ‘‘part 2 program’’ in
several other definitions, while making
no additional changes.
While a couple of commenters
purported to address the proposed
definition of ‘‘Part 2 program,’’ the
nature of their comments made clear
that their underlying concern was how
E:\FR\FM\18JAR6.SGM
18JAR6
6062
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
SAMHSA defined ‘‘Program’’ for
purposes of part 2. For this reason, these
comments are addressed in the
discussion of the definition of
‘‘Program’’ below (see Section V.D.2.h).
b. Part 2 Program Director
SAMHSA is adopting this definition
as proposed, except for a nonsubstantive technical edit. Because of
the addition of the ‘‘Part 2 program’’
definition, we have defined a ‘‘Part 2
program director’’ as:
• In the case of a part 2 program that
is an individual, that individual; and
• In the case of a part 2 program that
is an entity, the individual designated as
director or managing director, or
individual otherwise vested with
authority to act as chief executive officer
of the part 2 program.
We have deleted the definition of
‘‘Program Director.’’
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
SAMHSA received no public
comments on this definition. This
section of the final rule is adopted as
proposed.
c. Substance Use Disorder
SAMHSA is adopting this definition
as proposed, except to remove the final
sentence, ‘‘Also referred to as substance
abuse.’’ Throughout this rule, SAMHSA
made revisions to refer to alcohol abuse
and drug abuse collectively as
‘‘substance use disorder’’ but, when
referring to the part 2 governing statute,
we use ‘‘substance abuse’’ since that is
the term used in 42 U.S.C. 290dd–2.
SAMHSA also uses the term ‘‘substance
abuse’’ when discussing public
comments and other publications that
use that term. For consistency,
SAMHSA also revised the title of 42
CFR part 2 from ‘‘Confidentiality of
Alcohol and Drug Abuse Patient
Records’’ to ‘‘Confidentiality of
Substance Use Disorder Patient
Records.’’ SAMHSA has replaced
‘‘alcohol or drug abuse’’ with
‘‘substance use disorder’’ in several
definitions.
While SAMHSA has deleted the
definitions of ‘‘Alcohol abuse’’ and
‘‘Drug abuse,’’ we continued to use the
terms ‘‘alcohol abuse’’ and ‘‘drug abuse’’
when referring to 42 U.S.C. 290dd–3
and 42 U.S.C. 290ee–3 (omitted by Pub.
L. 102–321 and combined and renamed
into Section 290dd–2), respectively,
because they are the terms used in the
statutes.
SAMHSA is defining the term
‘‘Substance use disorder’’ in such a
manner as to cover substance use
disorders that can be associated with
altered mental status that has the
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
potential to lead to risky and/or socially
prohibited behaviors, including, but not
limited to, substances such as, alcohol,
cannabis, hallucinogens, inhalants,
opioids, sedatives, hypnotics,
anxiolytics, and stimulants. In addition,
the ‘‘Substance use disorder’’ definition
clarifies that, for the purposes of these
regulations, the term excludes both
tobacco and caffeine.
Public Comments
Several commenters expressed
support for the newly defined term
‘‘substance use disorder’’ to replace
references to alcohol and drug abuse.
One commenter requested that
SAMHSA clarify the scope of substance
use disorder and what constitutes
substance use treatment. Another
commenter suggested that, in the
definition of substance use disorder,
protected data should be directly related
to an objective measure, such as
information related to specific payment
or clinical diagnosis codes submitted in
connection with reimbursement for
services.
SAMHSA Response
The final rule adopts the definition of
substance use disorder as proposed,
except that the parenthetical of the
proposed definition is not adopted in
the final rule. Use of the term is
consistent with recognized classification
manuals, current diagnostic lexicon,
and commonly used descriptive
terminology. Moreover, SAMHSA
declines to define substance use
disorder treatment by specific billing or
diagnostic codes in in the final rule as
these codes are subject to frequent
revision.
d. Treating Provider Relationship
SAMHSA is modifying the proposed
definition of ‘‘Treating provider
relationship’’ slightly to account for the
situation of involuntary commitment
and other situations where a patient is
diagnosed, evaluated and/or treated, but
may not have actually consented to such
care, as discussed in greater detail
below. In summary, a treating provider
relationship means that, regardless of
whether there has been an actual inperson encounter:
• A patient is, agrees to, or is legally
required to be diagnosed, evaluated,
and/or treated, or agrees to accept
consultation, for any condition by an
individual or entity, and;
• The individual or entity undertakes
or agrees to undertake diagnosis,
evaluation, and/or treatment of the
patient, or consultation with the patient,
for any condition.
PO 00000
Frm 00012
Fmt 4701
Sfmt 4700
As explained in the NPRM, the term
‘‘agrees’’ as used in the definition does
not necessarily imply a formal written
agreement. An agreement might be
evidenced, among other things, by
making an appointment or by a
telephone consultation.
It is also important to note that, based
on the definition of treating provider
relationship, SAMHSA considers an
entity to have a treating provider
relationship with a patient if the entity
employs or privileges one or more
individuals who have a treating
provider relationship with the patient.
Public Comments
A few commenters expressed support
for the proposed definition of ‘‘treating
provider relationship.’’ One commenter
supported the definition and added that
this type of relationship could be a
result of any action taken to schedule,
refer, or order services that are related
to health services to be provided in the
future.
Other commenters provided
suggestions to improve the definition,
including specifying entities involved in
identifying, evaluating, and referring for
treatment any persons in need of
substance use disorder services; adding
related services, including social
services, and consultation; accounting
for patients who cannot agree or consent
to the relationship; and clarifying that
an individual’s designated treating
provider is also a treating provider for
part 2 purposes, even before the
patient’s first appointment. A few
commenters requested that HIEs, health
plans, and organizations that provide
care coordination be added to the
definition, or that comparable
definitions be provided for these
entities.
A few commenters objected to the
consent requirements limiting recipients
to entities with a ‘‘treating provider
relationship,’’ and suggested that the
requirement be eliminated, or the term
be redefined to include entities that
provide care management. A few
commenters also disagreed with the
interpretation that equates making an
appointment with an agreement to
diagnose or treat.
Some commenters raised a number of
questions about the definition,
including whether the definition applies
to each hospital in a system or to the
system as a whole; whether the
definition applies to Medicaid managed
care programs with mandatory
enrollment; whether a care coordination
entity can form a treating provider
relationship with an individual; and
whether ancillary providers, such as
laboratories, pharmacies, therapists,
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
counselors, or mental health specialists,
fall within the definition of treating
provider relationship.
SAMHSA Response
A treating provider relationship, as
defined in this final rule, begins when
an individual seeks or receives healthrelated assistance from an individual or
entity who may provide assistance.
However, the relationship is clearly
established when the individual or
entity agrees to undertake diagnosis,
evaluation, and/or treatment of the
patient, or consultation with the patient,
and the patient agrees to be treated,
whether or not there has been an actual
in-person encounter between the
individual or entity and the patient.
When a patient is not regarded as being
legally competent under the laws of
their jurisdiction, such as when a
patient is subject to an involuntary
commitment (i.e., formally committed
for behavioral health treatment by a
court, board, commission, or other legal
authority), a treating provider
relationship may be established when a
patient is, agrees to, or is legally
required to be provided consultation,
diagnosis, evaluation, and/or treatment
by an individual or entity. A treating
provider relationship may be
established whether or not there has
been an actual in-person encounter
between the individual or entity and
patient. A treating provider relationship
with a patient may be established by
any member of the health care team as
long as the relationship meets the
definition of ‘‘Treating provider
relationship.’’ SAMHSA believes that
further specification in this definition is
unnecessary.
e. Withdrawal Management
SAMHSA is adopting this definition
as proposed. SAMHSA has removed the
definition of ‘‘Detoxification treatment’’
and replaced it with the definition of
the currently acceptable term
‘‘Withdrawal management’’ as indicated
in the American Society of Addiction
Medicine (ASAM) Principles of
Addiction Medicine, 5th edition.1
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
One commenter supported replacing
the term ‘‘Detoxification treatment’’
with the term ‘‘Withdrawal
management.’’
SAMHSA Response
SAMHSA appreciates this support.
1 ASAM Principles of Addiction Medicine, 5th
edition, 2014, Richard Ries et al., editor. https://
www.asam.org/quality-practice/essential-textbooks/
principles-of-addiction-medicine (last accessed
Aug. 1, 2016).
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
2. Existing Definitions
a. Central Registry
SAMHSA is adopting this definition
as proposed. SAMHSA has updated the
definition of ‘‘Central registry’’ to
incorporate currently accepted
terminology.
Public Comments
One commenter stated that the NPRM
preamble described the proposed
revisions to the definition of ‘‘central
registry’’ as changes to ‘‘update
terminology to make the definition
clearer,’’ rather than detailing the
proposed changes to the definition, so
there was insufficient information for
public comment.
SAMHSA Response
Exact language for the definition of
‘‘central registry’’ was provided in the
NPRM regulation text and is being
adopted as proposed.
b. Disclose or Disclosure
SAMHSA is modifying the proposed
definition of ‘‘Disclose’’ to specifically
cover diagnosis, treatment, and referral
for treatment for substance use disorder,
as follows: ‘‘Disclose means to
communicate any information
identifying a patient as being or having
been diagnosed with a substance use
disorder, having or having had a
substance use disorder, or being or
having been referred for treatment of a
substance use disorder either directly,
by reference to publicly available
information, or through verification of
such identification by another person.’’
We have updated terminology and made
the definition clearer. SAMHSA has
defined only one word, ‘‘Disclose,’’
since it is implied that the same
definition applies to other forms of the
word.
Public Comments
A commenter encouraged SAMHSA
to develop guidance and promote
standards adoption for the identification
of part 2 data so that the
implementation and applicability of
concrete restrictions and obligations can
be applied to the disclosure of such
data. Another commenter urged
coordination between the definitions of
‘‘disclosure’’ of a substance use disorder
and a current or former ‘‘patient,’’
because someone may have a past
substance use disorder but may not have
been a former patient. A commenter
stated that the NPRM preamble
described the proposed revisions to the
definition of ‘‘disclosure’’ as changes to
‘‘update terminology and make the
definition clearer,’’ rather than detailing
PO 00000
Frm 00013
Fmt 4701
Sfmt 4700
6063
the proposed changes to the definition,
so there was insufficient information for
public comment.SAMHSA Response
With regard to developing
subregulatory guidance and promoting
standards adoption, SAMHSA is an
organizational member of Health Level
7 (HL7) and is working to ensure that
health IT standards support the needs of
behavioral health treatment patients and
providers. SAMHSA has supported the
creation of several HL7 standards,
including the Composite Privacy
Consent Directive Domain Analysis
Model to capture the requirement of
states and federal agencies. Those
requirements were reflected in the IG for
Clinical Document Architecture Release
2 (CDA R2) to provide a standard-based
electronic representation of a consent to
support the management of consent
directives and policies.
In response to comments urging
coordination between the definition of
‘‘disclosure’’ and a current or former
patient, SAMHSA has expanded the
definition of ‘‘disclose’’ to include any
information identifying a patient as
‘‘being or having been diagnosed with a
substance use disorder, having or
having had a substance use disorder, or
being or having been referred for
treatment of a substance use disorder.’’
Exact language for the definition of
‘‘disclosure’’ was provided in the NPRM
regulatory text and is being adopted as
proposed. We note that to the extent an
individual may have had a past
substance use disorder diagnosis, but
never sought or received diagnosis,
treatment, or referral for substance use
disorder treatment, the definition of
patient would not cover such individual
and the part 2 regulations would not
apply to that individual’s health
information unless and until the
individual is a patient as defined in
these regulations.
c. Maintenance Treatment
SAMHSA is modifying this definition
from what was proposed by replacing
the term ‘‘pharmacotherapy’’ with the
phrase ‘‘long-term pharmacotherapy’’
for purposes of clarity to read as
follows: ‘‘Maintenance treatment means
long-term pharmacotherapy for
individuals with substance use
disorders that reduces the pathological
pursuit of reward and/or relief and
supports remission of substance use
disorder-related symptoms.’’ As
compared to the 1987 final rule
definition of ‘‘Maintenance treatment,’’
SAMHSA updated terminology in the
definition and moved it from § 2.34 to
§ 2.11.
E:\FR\FM\18JAR6.SGM
18JAR6
6064
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
Public Comments
A commenter stated that the NPRM
preamble described the proposed
revisions to the definition of
‘‘maintenance treatment’’ as changes to
‘‘update terminology and make the
definition clearer,’’ rather than detailing
the proposed changes to the definition,
so there was insufficient information for
public comment.
SAMHSA Response
Exact language for the proposed
definition of ‘‘maintenance treatment’’
was provided in the NPRM regulation
text at 81 FR 7014.
d. Member Program
In response to comments received,
SAMHSA has revised the definition of
‘‘Member program,’’ by replacing a
reference to a specific geographic
distance, so it reads as follows:
‘‘Member program means a withdrawal
management or maintenance treatment
program which reports patient
identifying information to a central
registry and which is in the same state
as that central registry or is in a state
that participates in data sharing with the
central registry of the program in
question.’’
Public Comments
A commenter asserted that the 125mile distance to a state border limitation
contained within the definition of
‘‘member program’’ does not adequately
recognize the geographic realities of
states with significant rural and frontier
areas, and the commenter strongly
suggested that it be eliminated.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
In response to the comment,
SAMHSA has removed the distance
from the definition to address the
concerns about rural areas and replaced
it with ‘‘is in a state that participates in
data sharing with the central registry of
the program in question.’’ We removed
the distance requirement from the
definition of ‘‘Member program’’ to
reflect that in some states (e.g., with
rural areas) the distance from the border
of the state in which the central registry
is located may exceed 125 miles.
e. Patient
SAMHSA is adopting this definition
as proposed. To emphasize that the term
‘‘Patient’’ refers to both current and
former patients, SAMHSA has revised
the definition as follows: ‘‘Patient
means any individual who has applied
for or been given diagnosis, treatment,
or referral for treatment for a substance
use disorder at a part 2 program. Patient
includes any individual who, after
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
arrest on a criminal charge, is identified
as an individual with a substance use
disorder in order to determine that
individual’s eligibility to participate in
a part 2 program. This definition
includes both current and former
patients.’’
services from a part 2 program are
covered by the definition. SAMHSA
declines to accept the suggestion that
the definition should be expanded to
cover patients in prevention programs
as such programs are not covered by the
definition of a part 2 program.
Public Comments
One comment opposed the inclusion
of former patients in the definition
because retrospective outcome studies
would be difficult to conduct because
many patients relocate or their contact
information becomes otherwise
unobtainable for purposes of obtaining
consent to disclose and use patient
identifying information. One commenter
opposed including in the definition
individuals who ‘‘applied for’’ but did
not receive a diagnosis and also asked
who makes the identification of an
individual with a substance use
disorder. Another commenter suggested
that the definition should include
individuals participating in prevention
programs and recovery support
programs. A commenter asked whether
the definition includes an individual
who has been involuntarily committed
to a program for treatment and
suggested that the final rule clarify that
such an individual is considered a
patient and entitled to part 2’s
protections.
f. Patient Identifying Information
SAMHSA is modifying the definition
as proposed to: (1) Clarify that SAMHSA
intends for the identifiers listed in the
HIPAA Privacy Rule at 45 CFR
164.514(b)(2)(i) that are not already
included in the definition of patient
identifying information to meet the ‘‘or
similar information’’ standard; (2) delete
the word ‘‘publicly’’ from the phrase
‘‘can be determined with reasonable
accuracy either directly or by reference
to other publicly available information’’;
and (3) to revise the last sentence as
follows: for internal use only by the part
2 program, if that number does not
consist of, or contain numbers (such as
a social security, or driver’s license
number) that could be used to identify
a patient with reasonable accuracy from
sources external to the part 2 program.’’
SAMHSA intends for the identifiers
listed in the HIPAA Privacy Rule at 45
CFR 164.514(b)(2)(i) that are not already
included in the definition of ‘‘Patient
identifying information’’ to meet the
following clause: ‘‘or similar
information.’’ Those HIPAA Privacy
Rule identifiers are:
(1) Name;
(2) All geographic subdivisions
smaller than a [s]tate, including street
address, city, county, precinct, zip code,
and their equivalent geocodes, except
for the initial three digits of a zip code
if, according to the current publicly
available data from the Bureau of the
Census:
(i) The geographic unit formed by
combining all zip codes with the same
three initial digits contains more than
20,000 people; and
(ii) The initial three digits of a zip
code for all such geographic units
containing 20,000 or fewer people is
changed to 000;
(3) All elements of dates (except year)
for dates directly related to an
individual, including birth date,
admission date, discharge date, date of
death; and all ages over 89 and all
elements of dates (including year)
indicative of such age, except that such
ages and elements may be aggregated
into a single category of age 90 or older;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan beneficiary numbers;
SAMHSA Response
Regarding the opposition to including
former patients in the definition of
‘‘Patient’’ because retrospective outcome
studies would be difficult to conduct,
this concern appears to be based on a
misunderstanding that a consent
requires a specific expiration date. A
part 2-compliant consent form must list
the date, event, or condition upon
which the consent will expire, if not
revoked before. Therefore, it would be
permissible for a consent form to specify
the event or condition that will result in
revocation, such as having its expiration
date be ‘‘upon my death.’’
Consequently, it is possible for
researchers to obtain consents that
would permit retrospective outcome
studies.
Regarding the inclusion of ‘‘applied
for’’ in the definition of ‘‘Patient,’’ this
definition has not changed from that
included in the 1987 final rule except to
replace ‘‘alcohol and drug abuse’’ with
‘‘substance use disorder.’’ SAMHSA
declines to make the recommended
change since no other concerns
regarding the inclusion of ‘‘applied for’’
have been received in over 29 years.
Patients who are involuntarily
committed to participating in or
receiving substance use disorder
PO 00000
Frm 00014
Fmt 4701
Sfmt 4700
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial
numbers, including license plate
numbers;
(13) Device identifiers and serial
numbers;
(14) Web Universal Resource Locators
(URLs);
(15) Internet Protocol (IP) address
numbers;
(16) Biometric identifiers, including
finger and voice prints;
(17) Full face photographic images
and any comparable image; or
(18) Any other unique identifying
number, characteristic, or code.
Public Comments
A few commenters urged that the
definition of ‘‘Patient identifying
information’’ be aligned with the
‘‘protected health information,’’
including the patient identifiers, under
HIPAA. One commenter recommended
that telephone numbers and email
addresses should be mentioned because
they are accessible by electronic means.
Another commenter suggested that
SAMHSA delete the reference to
publicly available information; use a
phrase such as, ‘‘information with
respect to which there is a reasonable
basis to believe that the information can
be used to identify the individual’’; and
mention other identifiers assigned to an
individual, including credit card
numbers, driver’s license numbers, and
automobile license numbers.
SAMHSA Response
The HIPAA Privacy Rule, at 45 CFR
164.514(b)(2)(i), enumerates 18
identifiers that make health information
individually identifiable. SAMHSA
considers any of these identifiers to be
patient identifying information either
because SAMHSA has explicitly listed
the identifier in the definition of patient
identifying information in 42 CFR part
2 or because SAMHSA considers the
identifier to be ‘similar information’
(See § 2.11 Definitions). Also as
suggested, SAMHSA has deleted the
word ‘‘publicly’’ from the phrase ‘‘can
be determined with reasonable accuracy
either directly or by reference to other
publicly available information;’’
mstockstill on DSK3G9T082PROD with RULES6
g. Person
SAMHSA is adopting this definition
as proposed. SAMHSA has revised the
definition of ‘‘Person’’ to clearly
indicate that ‘‘Person’’ is also referred to
as individual or entity.
Public Comments
A commenter urged SAMHSA to
recognize an ‘‘Affiliated Covered Entity’’
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
under HIPAA as an ‘‘entity’’ in the
definition of ‘‘Person.’’ Another
commenter asked that the definition
specify that it includes limited liability
companies. A commenter suggested
removing the redundant parenthetical at
the end of the proposed definition.
SAMHSA Response
SAMHSA has determined that no
change is needed in response to the
comments; the definition covers any
legal entity. SAMHSA declines to delete
the clarifying parenthetical at the end of
the definition since the terms
‘‘individual’’ and ‘‘entity’’ are more
intuitive than the term ‘‘person,’’ as
defined in these regulations.
h. Program
SAMHSA decided not to finalize its
proposed changes to the definition of
‘‘Program,’’ but did make minor updates
to the terminology in the text. We are,
however, finalizing certain other minor
changes to the proposed definition to
update terminology so that it is
consistent with current best practice.
First, SAMHSA moved the reference
to examples from the definition of
‘‘Program’’ to the definition of ‘‘Part 2
program.’’
Second, we retain the language
changes from drug and/or alcohol abuse
to substance use disorder.
Finally, as stated in the NPRM,
SAMHSA clarifies that paragraph (1) of
the definition of ‘‘Program’’ would not
apply to ‘‘general medical facilities’’.
However, paragraphs (2) and (3) of the
definition of ‘‘Program’’ would apply to
‘‘general medical facilities.’’
Public Comments
A few commenters expressed support
for the revised definition of ‘‘Program.’’
However, many commenters generally
opposed the proposed revision to the
definition of ‘‘Program.’’ The reasons
primarily related to interpretations that
SAMHSA did not intend to imply.
Many commenters asked that SAMHSA
not call out general medical practices as
a separate category of provider excluded
from paragraph one but included in
paragraphs two and three of the
definition of program.
Some commenters requested
clarification in various areas, including
the meaning and examples of ‘‘holds
itself out;’’ determining ‘‘primary
function;’’ treatment of behavioral
health clinics and community mental
health centers; roles of general medical
or dental practices that engage in
screening, brief intervention, and
referrals for treatment (SBIRT) activities,
and co-located substance abuse/mental
health counselors; whether covered part
PO 00000
Frm 00015
Fmt 4701
Sfmt 4700
6065
2 facilities provide some, primarily
provide, or only provide substance use
disorder diagnosis, treatment, and
referral to treatment; physicians who
prescribe buprenorphine products and
pharmacies that fill those prescriptions;
a general psychiatric unit that also
provides substance use disorder
treatment; and offering patients
integrated behavioral health care in a
primary care setting.
Some commenters suggested limiting
programs to those that meet a minimum
standard, are specifically licensed,
credentialed, or accredited, such as state
licensure. Several commenters asked
that SAMHSA provide an exception for
pharmacists and pharmacies or dentists.
Lastly, a commenter said the rule
should include rehabilitation centers as
medical facilities.
SAMHSA Response
Based on the number and type of
comments received regarding including
general medical practices in the
Program definition, SAMHSA has
decided not to finalize the general
medical practices language in the final
rule. The number and type of comments
led SAMHSA to believe separating out
general medical practices from general
medical facilities was more confusing
than clarifying. Most commenters
indicated a belief that SAMHSA was
expanding the definition of program to
include individuals and entities that
had not previously been covered. As
we’ve previously noted in our publicly
available FAQ guidance, a practice
comprised of primary care providers
could be considered a ‘‘general medical
facility and be subject to 42 CFR part 2
if they are both ‘‘federally assisted’’ and
meet the definition of a program under
42 CFR 2.11. Nevertheless, consistent
with the definition of a ‘‘program’’:
1. If a provider is not a general medical
care facility, then the provider meets the part
2 definition of a ‘‘Program’’ if it is an
individual or entity who holds itself out as
providing, and provides substance use
disorder diagnosis, treatment, or referral for
treatment.
2. If the provider is an identified unit
within a general medical facility, it is a
‘‘Program’’ if it holds itself out as providing,
and provides, substance use disorder
diagnosis, treatment, or referral for treatment.
3. If the provider consists of medical
personnel or other staff in a general medical
facility, it is a ‘‘Program’’ if its primary
function is the provision of substance use
disorder diagnosis, treatment, or referral for
treatment and is identified as such
specialized medical personnel or other staff
by the general medical facility.
SAMHSA’s FAQ guidance further
addresses the issue of what constitutes
a general medical facility. This FAQ
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6066
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
guidance clarifies that, while the term
‘‘general medical care facility’’ is not
defined in the definitions section of 42
CFR 2.11, hospitals, trauma centers, or
federally qualified health centers would
generally be considered ‘‘general
medical care’’ facilities. Therefore,
primary care providers who work in
such facilities would only meet part 2’s
definition of a program if (1) they work
in an identified unit within such general
medical facility that holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment or referral
for treatment, or (2) the primary
function of the provider is substance use
disorder diagnosis, treatment or referral
for treatment and they are identified as
providers of such services. In addition,
a practice comprised of primary care
providers could be considered a
‘‘general medical facility.’’ As such,
only an identified unit within that
general medical care facility which
holds itself out as providing and
provides substance use disorder
diagnosis, treatment or referral for
treatment would be considered a
‘‘program’’ under the definition in the
part 2 regulations. Medical personnel or
staff within that facility whose primary
function is the provision of those
services and who are identified as such
providers would also qualify as a
‘‘program’’ under the definition in the
part 2 regulations. Other units or
practitioners within that general
medical care facility would not meet the
definition of a part 2 program unless
such units or practitioners also hold
themselves out as providing and
provide substance use disorder
diagnosis, treatment or referral for
treatment.
SAMHSA also clarifies that the
program definition does not
categorically exclude buprenorphine
providers. However, holding a waiver to
prescribe buprenorphine or holding a
waiver and prescribing buprenorphine
as part of primary care practice also
does not lead to categorical inclusion of
providers in the definition of a part 2
program; such determinations are factspecific. Also, a health care provider
that does not otherwise meet the
definition of a part 2 program would not
become a program simply because they
provided screening, brief intervention,
and/or referral to treatment within the
context of general health care. SBIRT is
discussed in further detail under
Section V.E (Applicability) below.
Regarding comments on the meaning
of ‘‘primary function,’’ SAMHSA did
not propose a definition of ‘‘primary
function’’ because it has not historically
received many, if any, questions on its
meaning.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Consistent with previously published
FAQ guidance, we reiterate that ‘‘Holds
itself out’’ means any activity that
would lead one to reasonably conclude
that the individual or entity provides
substance use disorder diagnosis,
treatment, or referral for treatment,
including but not limited to:
• Authorization by the state or federal
government (e.g. licensed, certified,
registered) to provide, and provides,
such services,
• Advertisements, notices, or
statements relative to such services, or
• Consultation activities relative to
such services.
i. Qualified Service Organization
SAMHSA is adopting the definition of
‘‘Qualified Service Organization’’ as
proposed. SAMHSA has revised the
definition of QSO to include population
health management in the list of
examples of services a QSO may
provide. SAMHSA also revised the term
‘‘medical services’’ as listed in the
examples of permissible services offered
by a QSO to clarify that it is limited to
‘‘medical staffing services.’’ SAMHSA
made this revision to emphasize that
QSOAs should not be used to avoid
obtaining patient consent.
Public Comments
A large number of commenters
supported the proposed QSO definition,
particularly the addition of ‘‘population
health management.’’ Many commenters
requested a clarification or a narrow
definition of ‘‘population health
management.’’
SAMHSA Response
SAMHSA provided guidance in the
NPRM preamble regarding what
constitutes population health
management services. Specifically,
population health management refers to
increasing desired health outcomes and
conditions through monitoring and
identifying individual patients within a
group. To achieve the best outcomes,
providers must supply proactive,
preventive, and chronic care to all of
their patients, both during and between
encounters with the health care system.
For patients with substance use
disorders, who often have comorbid
conditions, proactive, preventive, and
chronic care is important to achieving
desired outcomes. Any QSOA executed
between a part 2 program and an
organization providing population
health management services would be
limited to the office(s) or unit(s)
responsible for population health
management in the organization (e.g.,
the ACO, CCO, CPCMH, or managed
care organization [MCO]), not the entire
PO 00000
Frm 00016
Fmt 4701
Sfmt 4700
organization and not its participants
(e.g., case managers, physicians,
addiction counselors, hospitals, and
clinics). However, the presence of a
QSOA does not preclude disclosures of
patient identifying information to other
individuals within these organizations
based on a valid part 2-compliant
consent.
Public Comments
Some commenters requested
clarification about the definition, such
as whether an HIE could be considered
a QSO; whether the definition, which
includes ‘‘an individual,’’ can include
members of the covered entity’s
workforce; and whether public health
management staff can share part 2
information with case managers.
A few commenters expressed
opposition to the proposed definition of
QSO, asserting that patient consent
should be obtained before making a
disclosure of substance use disorder
information to multiple entities.
Another commenter warned that under
the definition, it would be difficult to
track which part 2 patients may or may
not be within a population health
program at any given time.
SAMHSA Response
The NPRM as well as the current
(1987) definition of QSO uses the term
person. Person is defined in the current
(1987) regulations as: ‘‘Person means an
individual, partnership, corporation,
federal, state or local government
agency, or any other legal entity.’’ The
NPRM definition proposed a
parenthetical: ‘‘(also referred to as
individual or entity).’’ Because both the
1987 regulations and the NPRM
definition of person includes both
individuals and entities, the definition
of the term QSO has always included
both individual and entities, the
definition of the term QSO has always
included individuals, as well as entities.
Whether the QSO definition applies
to members of an entity’s workforce and
case managers depends on whether they
meet the definition of QSO as defined
in § 2.11 because such determinations
are fact-specific. An individual or entity
who does not meet the definition of a
QSO may, however, meet the definition
of ‘‘Treating provider relationship’’ for
the purposes of obtaining consent.
Likewise, care coordination was not
added to the list of examples of
permissible services offered by a QSO
because care coordination has a patient
treatment component.
Under the part 2 governing statute,
patient records pertaining to the
patient’s substance use disorder may be
shared only with the prior written
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
consent of the patient or as permitted
under the part 2 statute, regulations, or
guidance. However, the regulations may
contain such definitions, and may
provide for such safeguards and
procedures, including procedures and
criteria for the issuance and scope of
orders, as in the judgment of the
Secretary are necessary or proper to
effectuate the purposes of this statute, to
prevent circumvention or evasion
thereof, or to facilitate compliance
therewith.
Regarding the concern about
disclosing to multiple entities under a
QSOA, as noted above, any QSOA
executed between a part 2 program and
an organization providing population
health management services would be
limited to the office(s) or unit(s)/
entity(ies) responsible for population
health management for the organization
(e.g., the ACO, CCO, CPCMH, or MCO),
not the entire organization and not its
participants (e.g., case managers,
physicians, addiction counselors,
hospitals, and clinics).
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Commenters provided various
suggestions to improve the definition.
Several commenters said the definition
should be expanded to permit a multiparty agreement for multi-directional
sharing of information. Commenters
said the description of the provision
should address overlapping
requirements of HIPAA and part 2 with
respect to contractual agreements and
services such as data processing and
billing. A commenter said facilitating
entities should be able to enter into QSO
agreements with participating providers
to perform quality improvement
activities. Another commenter said the
QSO exception to restrictions on
disclosure should apply to third-party
payers and other holders of part 2
information, and the definition should
include other functions to support
improved care delivery.
SAMHSA Response
Part 2 and its implementing statute
are much more restrictive than HIPAA.
Because 42 CFR part 2 and its governing
statute are separate and distinct from
HIPAA, the part 2 regulations use
different terminology than used in
HIPAA. However, SAMHSA aligned
policy with HIPAA where possible.
Because a QSOA is a two-way
agreement between a part 2 program and
the entity providing the part 2 program
and an individual or entity providing a
service to a part 2 program, agreements
between more than those two parties
(e.g. multi-party agreements) are
prohibited. A QSOA cannot be used to
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
avoid obtaining patient consent in the
treatment context.
As stated previously in this preamble,
SAMHSA is issuing an SNPRM to seek
further comments and information on
the disclosure to and use of part 2
information by the contractors and
subcontractors of third-party payers and
other lawful holders for purposes of
payment, health care operations, and
other health care related activities
before establishing any appropriate
restrictions on disclosures to them.
Public Comments
Commenters generally expressed
opposition to the change of ‘‘medical
services’’ to ‘‘medical staffing services’’
in the definition. A commenter
expressed opposition to the
interpretation that the QSO agreement
executed between a part 2 program and
an organization that provided
population health management services
would be limited to a specific office(s)
or unit(s) within the organization that
is/are tasked with carrying out such
services.
SAMHSA Response
SAMHSA has revised the term
‘‘medical services’’ as listed in the
examples of permissible services offered
by a QSO to clarify that it is limited to
‘‘medical staffing services.’’ SAMHSA
proposed to make this revision to
emphasize that QSOAs should not be
used to avoid obtaining patient consent.
Accordingly, a QSOA could be used by
a part 2 program to contract with a
provider of on-call coverage services
(previously clarified in FAQ guidance)
or other medical staffing services but
could not be used to disclose John Doe’s
patient identifying information to his
primary care doctor for the purpose of
treatment (other than that provided
under a QSOA for medical staffing
services). However, an individual or
entity who is prohibited from providing
treatment to an individual patient under
a QSOA may still meet the requirements
of having a treating provider
relationship (as that term is defined in
§ 2.11) with respect to the consent
requirements in § 2.31.
With respect to the comment
regarding an organization providing
population health management services,
a QSOA is a two-way agreement
between a part 2 program and the entity
providing the service. We reiterate that
disclosures by a QSO pursuant to a
QSOA executed between a part 2
program and an organization that
provides population health management
services would be limited to a specific
office(s) or unit(s)/entity(ies) that is/are
tasked with carrying out such services
PO 00000
Frm 00017
Fmt 4701
Sfmt 4700
6067
for the organization. SAMHSA believes
this is a needed safeguard to limit
disclosures to that which is reasonably
necessary to carry out services under the
QSOA.
Public Comments
Many commenters expressed
opposition to the exclusion of ‘‘care
coordination’’ from the QSO definition
or requested clarification for the
meaning of ‘‘care coordination.’’ Some
commenters specifically requested
adding care coordination to the list of
services a QSO may provide, reasoning
that it would facilitate integrated
substance use disorder, health, and
mental health services. The commenters
asserted that the addition would benefit
patients’ health, safety, and quality of
life while maintaining confidentiality
protections.
SAMHSA Response
In the NPRM, SAMHSA clarified that
an individual or entity is prohibited
from providing treatment to an
individual patient under a QSOA.
SAMHSA has revised the term ‘‘medical
services’’ as listed in the examples of
permissible services offered by a QSO to
clarify that it is limited to ‘‘medical
staffing services.’’ SAMHSA proposed to
make this revision to emphasize that
QSOAs should not be used to avoid
obtaining patient consent. Accordingly,
a QSOA could be used by a part 2
program to contract with a provider of
on-call coverage services (previously
clarified in FAQ guidance) or other
medical staffing services, but could not
be used to disclose John Doe’s patient
identifying information to his primary
care doctor for the purpose of treatment
(other than that provided under a QSOA
for medical staffing services). For this
reason, care coordination and
medication management, both of which
have a treatment component, were not
added to the list of examples of
permissible services offered by a QSO.
However, an individual or entity who is
prohibited from providing treatment to
an individual patient under a QSOA
may still meet the requirements of
having a treating provider relationship
(as that term is defined in § 2.11) with
respect to the consent requirements in
§ 2.31.
Regarding the request to clarify the
meaning of ‘‘care coordination’’ and
how it differs from ‘‘population health
management,’’ because SAMHSA
decided not to include care
coordination in the examples of
permissible services under the
definition of a QSO, we did not define
the term ‘‘care coordination’’ in the
NPRM and, therefore, decline to do so
E:\FR\FM\18JAR6.SGM
18JAR6
6068
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
in this final rule. Population health
management refers to increasing desired
health outcomes and conditions through
monitoring and identifying patients
within a group.
k. Treatment
SAMHSA is adopting the proposed
definition of ‘‘Treatment.’’ SAMHSA
has deleted the term ‘‘management’’
from the ‘‘Treatment’’ definition.
j. Records
SAMHSA has revised the proposed
definition. As suggested by commenters,
SAMHSA has modified the definition of
‘‘Records’’ by adding ‘‘created by’’ and
a parenthetical with examples to read as
follows: ‘‘Records means any
information, whether recorded or not,
created by, received, or acquired by a
part 2 program relating to a patient (e.g.,
diagnosis, treatment and referral for
treatment information, billing
information, emails, voice mails, and
texts). For the purpose of these
regulations, records include both paper
and electronic records.’’ SAMHSA
revised the definition of ‘‘Records’’ to
include any information, whether
recorded or not, which includes verbal
communications, created, received or
acquired by a part 2 program relating to
a patient. The revised definition makes
clear that, for the purpose of the part 2
regulations, records include both paper
and electronic records.
Public Comments
A few commenters opposed the
proposed removal of the term
‘‘management’’ from the definition of
‘‘treatment’’ because the narrower
definition would decrease information
sharing and have a chilling effect on
care coordination. A couple of
commenters urged that ‘‘treatment’’
should be limited to care of the
substance use disorder and not be
extended to include care of other
medical conditions secondary to or that
arose because of the substance use
disorder. One commenter suggested that
‘‘care’’ should be defined as it is used
in the definition of ‘‘treatment.’’
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
A commenter remarked that the
proposed definition of ‘‘records’’ does
not address ‘‘identifiability,’’ asserting
that information that is not individually
identifiable, that is not reasonably
capable of being re-identified, or that is
aggregate may not need to be covered by
the definition of record. Regarding the
phrase ‘‘whether recorded or not’’ in the
proposed definition, a couple of
commenters requested guidance on
what constitutes ‘‘unrecorded
information.’’
SAMHSA Response
SAMHSA clarifies that unrecorded
information includes verbal
communications and is still considered
part of the record. To add further clarity
to the definition, SAMHSA has revised
the definition of ‘‘Records’’ from the
proposed language by adding examples
(e.g., diagnosis, treatment and referral
for treatment information, billing
information, emails, voice mails, and
texts). SAMHSA also added the phrase
‘‘created by’’ to clarify that ‘‘records’’
includes information received, acquired,
or created by a part 2 program relating
to a patient. Regarding ‘‘identifiability,’’
identification is addressed in the term
‘‘Patient identifying information,’’ not in
the definition of ‘‘Record.’’ The
definition of records is just that and
does not address information that may
be disclosed.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
SAMHSA Response
SAMHSA removed the term
‘‘management’’ from the definition of
‘‘Treatment’’ because in today’s health
care environment, ‘‘management’’ has a
much broader meaning than it did when
the regulations were last revised.
Treatment is not limited to care of the
substance use disorder because patients
with a substance use disorder often have
comorbid conditions.
3. Terminology Changes
SAMHSA is adopting the changes
proposed in this section, as described in
the NPRM. In addition to changes to
several definitions, SAMHSA is also
implementing several terminology
changes intended to ensure consistency
in the use of terms throughout the
regulations and to increase the
understandability of the rule. First, we
made revisions to consistently refer to
law enforcement as ‘‘law enforcement
agencies or officials.’’ Secondly,
SAMHSA revised the part 2 regulations
to use the term ‘‘entity’’ instead of
‘‘organization’’ wherever possible.
Thirdly, SAMHSA clarifies that, for the
purposes of this regulation, the term
‘‘written’’ includes both paper and
electronic documentation. Fourthly, we
use the phrase ‘‘part 2 program or other
lawful holder of patient identifying
information’’ to refer to a part 2 program
or other individual or entity that is in
lawful possession of patient identifying
information. A ‘‘lawful holder’’ of
patient identifying information is an
individual or entity who has received
such information as the result of a part
2-compliant patient consent (with a
prohibition on re-disclosure notice) or
as a result of one of the exceptions to
the consent requirements in the statute
PO 00000
Frm 00018
Fmt 4701
Sfmt 4700
or implementing regulations and,
therefore, is bound by 42 CFR part 2.
Public Comments
One commenter requested
clarification about what entities are
considered ‘‘lawful holders’’ of patient
identifying information in the context of
complex health care systems. For
example, would the parent company of
a health care system, each specific
hospital, or each entity affiliated with
the health care system be considered a
‘‘lawful holder’’?
Another commenter urged that the
term ‘‘other lawful holder’’ should be
clearly defined in the final rule.
SAMHSA Response
A ‘‘lawful holder’’ of patient
identifying information is an individual
or entity who has received such
information as the result of a part 2compliant patient consent (with a
prohibition on re-disclosure notice) or
as permitted under the part 2 statute,
regulations, or guidance and, therefore,
is bound by 42 CFR part 2. SAMHSA
cannot determine what entities are
‘‘lawful holders’’ because such
determinations are fact-specific. In
addition, SAMHSA determined that it
was not feasible to define all lawful
holders of information so has not
included a definition in the rule. As
explained in the NPRM, examples of
‘‘lawful holders’’ include a patient’s
treating provider, a hospital emergency
room, an insurance company, an
individual or entity performing an audit
or evaluation, or an individual or entity
conducing scientific research. This list
provided in the NPRM was intended
only as an illustrative example of who
could be a lawful holder.
4. Other Comments on Definitions
Public Comments
Many commenters expressed general
support for the proposed clarification of
definitions. Some commenters sought
new definitions for terms including HIE;
recipient; population health
management and care coordination;
population health; re-disclosure; law
enforcement agency or official;
repository; and scientific research.
Several commenters addressed the
‘‘alternative approach’’ discussed in the
NPRM for allowing disclosure to
treating providers by requesting the
addition of a definition for
‘‘organization’’ to § 2.11. Commenters
generally supported a clear definition of
‘‘organization’’ to allow for the exchange
of part 2 information. One commenter,
however, opposed relying upon a
definition rather than specifying the
process for consent in the rule itself.
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
SAMHSA Response
SAMHSA did not propose definitions
for the terms suggested and has decided
not to pursue the ‘‘alternative approach’’
since that approach as written received
no support and only 2 commenters
supported the ‘‘alternative approach
with suggested revisions.’’ Based on
comments received, the agency has
addressed disclosures to treating
providers within this rule’s consent
requirements.
E. Applicability (§ 2.12)
SAMHSA is adopting this section as
proposed. In addition to the revisions to
the definition of ‘‘Program’’ and the
addition of a definition for ‘‘Part 2
program’’ mentioned above, SAMHSA
has revised § ;2.12(d)(2)(i)(C) so that
restrictions on disclosures also apply to
individuals or entities who receive
patient records from other lawful
holders of patient identifying
information (see § 2.11, Terminology
Changes). Patient records subject to
these regulations include patient
records maintained by part 2 programs,
as well as those records in the
possession of ‘‘other lawful holders of
patient identifying information.’’
SAMHSA may issue additional
subregulatory guidance addressing the
applicability section, as deemed
necessary, after publication of the final
rule.
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
A few commenters supported the
proposed applicability provisions. Some
commenters cited relevant preamble
language but remained uncertain about
who qualifies as a part 2 provider.
Several commenters requested greater
clarification in identifying part 2
coverage, including whether the
provisions apply to various models of
integrated behavioral health and
primary care; mixed-use facilities that
provide primary care and behavioral
health services or mental health and
substance use treatment; certified
community behavioral health centers
that do not necessarily ‘‘primarily’’
furnish substance abuse services but
rather provide a comprehensive
approach to care; embedded behavioral
health information within an acute care
record; a medical facility providing
several distinct books of business, of
which only one receives federal
assistance; pharmacies; dentists; Drug
Addiction Treatment Act (DATA 2000)waived physicians; employee assistance
programs that may include substance
use assessment and counseling; a
provider who bills Medicaid and
Medicare but is not otherwise a
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
‘‘federally assisted program;’’ and
confidential information related to
safety and incident reporting. A
commenter requested clarification about
the definition of ‘‘direct administrative
control’’ in the proposed provision
related to exceptions for
communications within a part 2
program. A commenter urged
consideration for reporting by programs
to a public health registry and suggested
advantages of such a requirement.
Some commenters requested
applicability exemptions. Some
commenters requested exclusions for
employee assistance programs;
Medicaid overutilization control
programs; and plans with integrated
care delivery models. Some commenters
requested exemptions to consent for
communications between a QSO and a
part 2 program or third-party payer (e.g.,
Medicaid) and between a part 2
program. One commenter requested
clarification that consent and disclosure
requirements would not apply when the
patient directs electronic disclosure for
a consumer health application. A
commenter requested clarification that
services are only covered under part 2
if the personnel are identified as
providing substance use disorder
treatment outside the organization to the
general public. Commenters favored an
exception for reporting of child abuse
and elder abuse. A few commenters
mentioned certain concerns related to
the proposed rule. A commenter argued
that the proposed rule would do little to
simplify requirements for providers, and
this may result in providers not
documenting substance use disorderrelated information in medical records.
Other commenters opposed the lack of
protections in the proposal and warned
that the rule would impose constraints
and burdens on providing a patient’s
behavioral health data and impede
information sharing. A commenter
stated that general health care
organizations that hire an employee
with substance use disorder expertise
would be considered a covered entity,
so they may be discouraged from
integrating substance use disorder
services into their operation. Similarly,
hospital emergency departments may be
discouraged from hiring staff with
specialized experience in substance use
disorders. One commenter expressed
concern that the rule may extend
protection not just to records for
substance use disorder treatment, but
also to medical conditions and
medications that allow an inference that
the patient has a substance use disorder.
One commenter argued that any
substance use record should be
PO 00000
Frm 00019
Fmt 4701
Sfmt 4700
6069
protected from unauthorized disclosure
for criminal justice investigations.
Expressing support for the continued
protection of substance use disorder
records from disclosure and use in
criminal investigations except under
certain conditions, a commenter said
that while HIPAA and other laws also
provide similar protections, part 2 has
more stringent due process and court
order provisions.
One commenter argued that the
proposed rule exceeds the underlying
statutory requirements in 42 U.S.C.
290dd–2 by expanding protections of
substance use information and
establishing penalties. Another
commenter mentioned that the HITECH
revisions to HIPAA already require
general medical facilities to utilize
enhanced security measures to protect
the confidentiality and privacy of
patient’s health records.
A few commenters advocated that the
safeguards applied to protected health
information (as defined under HIPAA)
for all other health conditions could
apply for substance use disorder-related
information.
One commenter urged a focus on the
actual information that requires
protection, as opposed to the origin of
the treatment records. Similarly, another
commenter expressed disappointment
that SAMHSA rejected the option to
redefine the applicability of part 2 based
on the type of substance use disorder
treatment services, rather than the type
of provider.
Several commenters suggested
exceptions to the applicability of part 2
regulations. One commenter said
SAMHSA should create a due diligence
exception to allow a part 2 program’s
records to be reviewed in the event of
a proposed sale of the part 2 facility.
Another commenter said SAMHSA
should include an exception to allow
disclosure of part 2 records in
connection with the seeking of a grant
or much needed funding for substance
abuse patients. A commenter said
SAMHSA should create a payment
exception that would allow part 2
programs to submit information to
governmental or commercial payers
without the patient’s prior
authorization.
Other commenters stated that
exceptions should be added for the
purpose of seeking involuntary
commitment of an individual who poses
a likelihood of serious harm to self or
others by reason of a substance use
disorder, in accordance with applicable
provisions of state law and subject to
appropriate terms regarding the
continued confidentiality of such data.
Another commenter stated that the rule
E:\FR\FM\18JAR6.SGM
18JAR6
6070
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
should specifically permit continued
data collection of substance use disorder
by state agencies. Another commenter
stated that an exception limited
disclosures to law enforcement and
other appropriate parties in the event a
committed patient escapes from a
treatment facility, and to other part 2
programs and appropriate state agencies
as necessary for purposes of discharge
planning or transferring a patient
without consent.
SAMHSA Response
With respect to the comments
recommending aligning with HIPAA,
SAMHSA has attempted to do so in this
final rule to the extent the change was
permissible under 42 U.S.C. 290dd-2. At
the same time, part 2 and its governing
statute are separate and distinct from
HIPAA and its implementing
regulations. Because of its targeted
population, part 2 provides more
stringent federal protections than most
other health privacy laws, including
HIPAA.
As stated in the preamble discussion
of the applicability (§ 2.12) in the
NPRM, SAMHSA considered options for
defining what information is covered by
part 2, including defining covered
information based on the type of
substance use disorder treatment
services provided instead of the type of
facility providing the services.
SAMHSA however, rejected that
approach because more substance use
disorder treatment services are
occurring in general health care and
integrated care settings, which typically
are not covered under the current (1987)
regulations. Providers who in the past
offered only general or specialized
health care services (other than
substance use disorder services) now,
on occasion, provide substance use
disorder treatment services, but only as
incident to the provision of general
health.
The definitions of ‘‘Part 2 program’’
and ‘‘Program’’ are critical to
applicability. These terms are defined in
§ 2.11. The response to comments on the
definition of program in this final rule
further clarifies coverage. Holding a
waiver to prescribe buprenorphine or
holding a waiver and prescribing
buprenorphine as part of primary care
practice does not lead to categorical
inclusion of providers in the definition
of a part 2 program; such determinations
are fact-specific. The same concept
applies whenever determining
applicability.
With respect to comments on part 2
coverage, although the statute may not
be explicit with regard to certain
provisions in 42 CFR part 2, the statute
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
directs the Secretary to prescribe
regulations to carry out the purpose of
the statute, which may include
definitions and may provide for such
safeguards and procedures that in the
judgment of the Secretary are necessary
or proper to effectuate the purposes of
this section, to prevent circumvention
or evasion thereof, or to facilitate
compliance therewith. For various
models of integrated behavioral health,
SAMHSA strives to facilitate
information exchange within new
health care models while addressing the
legitimate privacy concerns of patients
seeking treatment for a substance use
disorder. These concerns include, but
are not limited to, the potential for loss
of employment, loss of housing, loss of
child custody, discrimination by
medical professionals and insurers,
arrest, prosecution, and incarceration.
The response to comments on the
definition of program in this final rule
further clarifies coverage.
SBIRT is a cluster of activities
designed to identify people who engage
in risky substance use or who might
meet the criteria for a formal substance
use disorder. Clinical findings indicate
that the overwhelming majority of
individuals screened in a general
medical setting do not have a substance
use disorder and do not need substance
use disorder treatment. A health care
provider that does not otherwise meet
the definition of a part 2 program would
not become a part 2 program simply
because they provide SBIRT within the
context of general health care.
For behavioral health facilities,
SAMSHA notes that federally qualified
health centers, community mental
health centers, and behavioral health
clinics meeting the definition of a part
2 program must comply with 42 CFR
part 2 and those that do not meet the
definition of part 2 program do not have
to comply with 42 CFR part 2 unless
they become a lawful holder of patient
identifying information because they
received patient identifying information
via consent (along with a notice of
prohibition on re-disclosure) or as
permitted under the part 2 statute,
regulations, or guidance. Rather than
offer definitions or outline an
exhaustive list of entities that could
meet the definition of a part 2 program,
we prefer to offer illustrative examples
in the explanation of applicability
provision of these regulations (see
§ 2.12(e)(1)). SAMHSA has not received
questions in the past concerning the
definition of general medical facility.
Regarding the question of part 2
applicability when a patient directs
electronic disclosure for a consumer
health application, the NPRM preamble
PO 00000
Frm 00020
Fmt 4701
Sfmt 4700
discussion of lawful holder in the
Terminology Changes section stated: ‘‘A
patient who has obtained a copy of their
records or a family member who has
received such information from a
patient would not be considered a
‘lawful holder’ of patient identifying
information in this context.’’
Information disclosed by a part 2
program or a lawful holder of patient
identifying information is covered by 42
CFR part 2 and requires patient consent
unless disclosure is otherwise permitted
under the part 2 statute or regulations.
Therefore, it is permissible for a patient
to disclose information to a personal
health record or similar consumer
health application but if a part 2
program or lawful holder of patient
identifying information discloses that
information to the personal health
record or other similar consumer
application on behalf of the patient,
consent would be required.
Regarding patient records and
Medicaid overutilization control
programs, the prohibition on redisclosure (§ 2.32) applies to
information that would identify,
directly or indirectly, an individual as
having been diagnosed, treated, or
referred for treatment for a substance
use disorder, such as indicated through
standard medical codes, descriptive
language, or both, and allows other
health-related information shared by the
part 2 program to be re-disclosed, if not
prohibited by any other applicable laws.
Under the current statutory authority,
patient records pertaining to substance
use disorder may be shared only with
the prior written consent of the patient
or as permitted under the part 2 statute
and implementing regulations. In
addition, the authorizing statute
specifically enumerates the areas of
non-applicability, which includes the
reporting under state law of incidents of
suspected child abuse and neglect to
appropriate state and local authorities.
Therefore, SAMHSA did not adopt this
requested change. Regarding elder
abuse, if a program determines it is
important to report elder abuse,
disabled person abuse, or a threat to
someone’s health or safety, or if the laws
in a program’s state require such
reporting, the program must make the
report anonymously, or in a way that
does not disclose that the person
making the threat is a patient in the
program or has a substance use disorder,
or obtain a court order if time allows.
Some commenters asked about the
applicability of the part 2 regulations to
various facilities or entities, such as
rehabilitation facilities, dentists, and
pharmacies. In summary, if a provider is
not a general medical facility or does
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
not hold itself out as providing, and
provides, substance use disorder
diagnosis, treatment or referral for
treatment, it would not meet the first
section of the definition of ‘‘Program.’’
If the provider is either not an identified
unit within a general medical facility
that holds itself out as providing, or
does not provide, substance use
disorder diagnosis, treatment, or referral
for treatment, it does not meet the
second section of the definition of
‘‘Program.’’ If the provider either does
not consist of medical personnel or
other staff in a general medical facility
whose primary function is the provision
of substance use disorder diagnosis,
treatment, or referral for treatment or is
not identified as such specialized
medical personnel or other staff by the
general medical facility, it does not meet
the third section of the definition of
‘‘Program.’’ Whether embedded
behavioral health information is covered
by 42 CFR part 2 depends on several
factors: First, only patient identifying
information is subject to part 2
protections. If the acute care facility
meets the definition of a part 2 program
and the information would identify,
directly or indirectly an individual as
having been diagnosed, treated, or
referred for treatment for a substance
use disorder, the information is subject
to part 2 protections; and if the acute
care facility received the patient
identifying information via a valid part
2 consent (with a notice of prohibition
on re-disclosure) or as otherwise
permitted under the part 2 statute or
regulations, the information is subject to
part 2 protections.
With respect to pharmacies, when
they receive prescriptions directly from
part 2 programs, the patient identifying
information related to those
prescriptions is subject to 42 CFR part
2 confidentiality restrictions (as
indicated by the accompanying
prohibition on re-disclosure notice).
Pharmacies that receive paper
prescriptions directly from patients (and
do not receive a prohibition on redisclosure notice) are, therefore, not
subject to the part 2confidentiality
restrictions. However, if the pharmacy
or pharmacist meets the definition of a
part 2 program, they must comply with
the part 2 regulations.
In response to the commenter’s
request for clarification that services are
only covered under part 2 if the
personnel are identified as providing
substance use disorder treatment
outside the organization to the general
public, the third section of the
definition of program uses the term
‘‘personnel’’ to state that medical
personnel or other staff in a general
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
medical facility whose primary function
is the provision of substance use
disorder diagnosis, treatment or referral
for treatment and who are identified as
such providers. This section of the
definition of program does not include
the phrase ‘‘holds itself out’’ as do the
first two sections of the definition of
program. In the third section of the
definition, the medical personnel or
other staff must be identified as such
specialized medical personnel or other
staff by the general medical facility.
Although commenters requested an
exclusion for employee assistance
programs, the regulation text at
§ 2,12(d)(1) states: ‘‘Coverage includes,
but is not limited to, those treatment or
rehabilitation programs, employee
assistance programs, programs within
general hospitals, school-based
programs, and private practitioners who
hold themselves out as providing, and
provide substance use disorder
diagnosis, treatment, or referral for
treatment.
Commenters requested an exemption
for communications between a part 2
program and another entity under
common ownership or control, but
SAMHSA declines to make the
requested change. However, as stated in
the regulatory text (§ 2.12(c)(3)
restrictions on disclosure in these
regulations do not apply to
communications of information between
or among personnel having a need for
the information in connection with their
duties that arise out of the provision of
diagnosis, treatment, or referral for
treatment of patients with substance use
disorders if the communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an
entity that has direct administrative
control over the program.’’
SAMHSA declines to add the various
suggested exceptions to the applicability
of the part 2 regulations, and encourages
all stakeholders to consult with legal
counsel to ensure compliance with 42
CFR part 2, as well as any other
applicable federal, state, or local laws or
regulations. SAMHSA is limited by
statute to the specific exceptions listed
in the law; it cannot, therefore, add
exceptions. As stated previously,
SAMHSA is authorized to promulgate
regulations and to provide such
safeguards and procedures necessary to
carry out the purposes of the
authorizing statute. SAMHSA has
endeavored to strike an appropriate
balance between the important privacy
protections afforded patients with
substance use disorders and the
necessary exchange of information to
improve treatment outcomes for these
individuals.
PO 00000
Frm 00021
Fmt 4701
Sfmt 4700
6071
F. Confidentiality Restrictions and
Safeguards (§ 2.13)
SAMHSA is modifying this section
slightly from that proposed in the
NPRM by adding a paragraph clarifying
responsibility for the List of Disclosures
requirement. As discussed in the
proposal, because SAMHSA is revising
the consent requirements to allow a
general designation in certain
circumstances, we have revised § 2.13
by adding a paragraph (d), which
requires that, upon request, patients
who have included a general
designation in the ‘‘To Whom’’ section
of their consent form must be provided,
by the entity that serves as an
intermediary, a list of entities to which
their information has been disclosed
pursuant to the general designation (List
of Disclosures).
The new § 2.13(d) specifies that
patient requests for a list of entities to
which their information has been
disclosed must be in writing. Consistent
with the NPRM, we consider ‘‘written’’
to include both paper and electronic
documentation. The list is limited to
disclosures made within the past 2
years.
Further, entities named on the
consent form that disclose information
pursuant to a patient’s general
designation (entities that serve as
intermediaries as described in
§ 2.31(a)(4)(iii)(B)) must respond to
requests for a List of Disclosures in 30
or fewer days of receipt of the request.
1. Delayed Implementation of List of
Disclosures Provision
Public Comments
Several commenters raised concerns
about how to interpret the two-year
delayed implementation of List of
Disclosures and whether the general
designation will be used during that
period. A commenter expressed concern
about the immediate implementation of
the general designation while the right
of patients to obtain a List of Disclosures
is postponed for two years.
Other commenters stated that, based
on the NPRM language, HIEs will not be
able to take advantage of a general
designation on the consent form until
they have the ability to comply with the
List of Disclosures requirement.
Commenters said SAMHSA needs to
clarify that the duty to begin collecting
and storing disclosures under the
general designation begins two years
after the effective date of the final rule
and not before.
A commenter recommended that the
right to obtain a list of those who have
received the patient’s information
should be implemented simultaneously
E:\FR\FM\18JAR6.SGM
18JAR6
6072
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
with any other revisions to the part 2
regulation. Another commenter said
SAMSHA should implement the List of
Disclosures requirement within 90 days.
SAMHSA Response
SAMHSA clarifies that the general
designation on a consent form may not
be used until entities have the ability to
comply with the List of Disclosures
provision. However, SAMHSA has
removed the two-year delayed
compliance date for the List of
Disclosures provision for the reasons
discussed in Section IV above.
2. Responsibilities Under the List of
Disclosures Process
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Commenters said SAMHSA should
allow non-treating entities, that do not
have a treating provider relationship
with the patient whose information is
being disclosed and serve as
intermediaries named on the consent
form, to release the List of Disclosures
to the facility where the patient receives
care (or the part 2 program), rather than
to the patient directly. One commenter
said because this process, in which the
patient/consumer requests and receives
the List of Disclosures from the site
where they receive care/part 2 program,
rather than from the HIE, resembles the
process currently being used to meet
HIPAA disclosure requirements, it
could be implemented without
requiring additional burdens on HIEs.
Since most HIEs are not patient-facing,
commenters stated that there are
typically not policies or procedures in
place for interacting with patients
directly, particularly for patient
authentication, and suggested it be done
at the provider level, and that the
patient communication be maintained at
the part 2 program level.
Other commenters said SAMHSA
does not specify what responsibility, if
any, the part 2 program has to
coordinate or verify the compliance of
the CCO or HIE with the List of
disclosures. One commenter said if
SAMHSA intends for the part 2 program
to have any responsibilities beyond this,
then it should obtain additional
feedback from part 2 programs before
proposing any new obligations. Some
commenters appeared to assume the
part 2 program was responsible for the
List of Disclosures and requested that
SAMHSA modify the requirement to
impose the duty directly upon the HIE,
ACO, CCO, or research institution to
provide the listing to the patient, rather
than the part 2 program.
A commenter said SAMSHA should
clarify what entities must be included
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
on the List of Disclosures when the
entity is part of a complex healthcare
system.
Another commenter said the absence
of requiring disclosure of individual
names undermines the intent of the List
of Disclosures and undermines the
purpose of expanding the ‘‘To Whom’’
provision and the patient’s incentive or
willingness to consent to a general
designation. The commenter said the
provision must be very explicit in
disclosing those agencies or individuals
that will receive the patients’ medical
information.
SAMHSA Response
Regarding the suggestion to allow
entities that serve as intermediaries as
described by § 2.31(a)(4)(iii)(B) to
release the List of Disclosures to the
facility where the patient receives care
(or the part 2 program) or with the
providers to whom the disclosure was
made, rather than directly to the patient,
SAMHSA has decided to retain the
NPRM language and proposed
responsibilities because the party
making the disclosure under the general
designation should be accountable for
that disclosure. SAMHSA has clarified
in paragraph § 2.31(d)(3) that the part 2
program is not responsible for
complying with the List of Disclosures
requirement; the entity that serves as an
intermediary, as described in
§ 2.31(a)(4)(iii)(B), is responsible for
compliance with the List of Disclosures
requirement.
SAMHSA plans to issue subregulatory
guidance that clarifies how the patient
may request the List of Disclosures from
intermediaries as described by
§ 2.31(a)(4)(iii)(B).
On the responsibility of part 2
providers to comply with the List of
Disclosures requirement, SAMHSA
agrees with the commenters that more
clarity is needed. In the circumstance in
which a patient provides a general
designation in the ‘‘To Whom’’ part of
a consent form, the part 2 program may
not know to whom the disclosures have
been made by the entity that serves as
an intermediary. As such, the List of
Disclosures provision requires that: The
entity named on the consent form that
discloses information pursuant to a
patient’s general designation (the entity
that serves as an intermediary, as
described in § 2.31(a)(4)(iii)(B)) must: (i)
Respond in 30 or fewer days of receipt
of the written request; and (ii) Provide,
for each disclosure, the name(s) of the
entity(ies) to which the disclosure was
made, the date of the disclosure, and a
brief description of the patient
identifying information disclosed.
Further, paragraph (d)(3) clarifies that
PO 00000
Frm 00022
Fmt 4701
Sfmt 4700
the part 2 program is not responsible for
complying with § 2.13(d).
In response to the request for
clarification on what entities must be
listed on the List of Disclosures and
suggestion that individuals (rather than
entities with whom such individuals are
affiliated) must be listed, SAMHSA
clarifies that the List of Disclosures
must include a list of the entities to
which the information was disclosed
pursuant to a general designation.
Individuals who received patient
identifying information pursuant to the
general designation on a consent form
should be included on the List of
Disclosures based on an entity
affiliation, such as the name of their
practice or place of employment.
However, if entities that are required to
comply with the List of Disclosures
requirement wish to include individuals
on the List of Disclosures, in addition to
the required data elements which are
outlined in § 2.13(d)(2)(ii), nothing in
this rule prohibits it.
SAMHSA considered requiring both
individuals and entities to be included
on the List of disclosures but, after
reviewing the Health Information
Technology Privacy Committee’s
(HITPC’s) recommendations (https://
www.healthit.gov/sites/faca/files/PSTT_
Transmittal010914.pdf), decided to
require, at a minimum, a list of entities.
These recommendations addressed the
HITECH requirement that HIPAA
covered entities and business associates
account for disclosures for treatment,
payment, and health care operations
made through an EHR. The Transmittal
Letter recommended, ‘‘that the content
of the disclosure report be required to
include only an entity name rather than
a specific individual as proposed in the
NPRM.’’ In addition, the Transmittal
Letter noted that the Organization for
Economic Cooperation and
Development (OECD) principles, the
Fair Credit Reporting Act, and the
Privacy Act of 1974 do not require that
the names of individuals be provided.
The HITPC, a committee established by
the American Recovery and
Reinvestment Act of 2009 in accordance
with the Federal Advisory Committee
Act (FACA), provides recommendations
on health IT policy issues to the ONC
for consideration. The HITPC gave a
broad charge to its Privacy & Security
Tiger Team (Tiger Team) ‘‘to provide
recommendations on how to implement
the requirements of the HITECH Act of
2009 for covered entities and business
associates to account for disclosures for
treatment, payment and health care
operations made through an EHR. In the
referenced Transmittal Letter, the
HITPC did not focus on 42 CFR part 2,
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
however, given the similarities of the
issues and the importance of the lessons
the Tiger Team learned, SAMHSA was
persuaded by the Tiger Team’s
discussion.
3. Technological Challenges and Burden
of the List of Disclosures Provision
Public Comments
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Many commenters argued that entities
may not be equipped to maintain and
provide a List of Disclosures. A few
commenters expressed general concern
about the burden associated with the
List of Disclosures provision. Several
commenters added that the burden is
disproportionate to the anticipated
benefit. Other commenters specified
areas of burden, including
administering consents; developing a
tracking system; manually reviewing or
auditing all records; and transmitting
information by U.S. mail. Some
comments mentioned the operational
impact of the provision, including the
impact on existing business practices;
uncertainty about interoperability with
additional systems; and operationalizing
a different approach for HIPAA. One
commenter argued that HIPAA already
provides sufficient protections through
the requirement for tracking and
providing an accounting of certain
disclosures. Another commenter
expressed concern that there are varying
levels of technical resources available
for compliance with the rule.
A commenter warned that one
component of the Affordable Care Act is
its focus on sharing of certain medical
information and the proposed regulation
may prevent realization of that goal.
Similarly, another commenter said, if
HIEs are included in the disclosure
request, entities would be left with the
choice of either not sending this
information, which would then not be
available in emergent situations, or not
complying with this requirement.
Another commenter said creating
additional accounting requirements,
without further clarification on the
interoperability of such EHR systems,
can create a state of continuous
uncertainty and flux, deterring
investment into substance use disorder
treatment programs within integrated
care networks.
Some commenters stated that the
proposed provision conflicts with
existing HIPAA accounting of disclosure
requirements or state laws. Other
commenters said it would be
administratively burdensome to
implement, particularly in light of the
fact that the health information
technology industry is still waiting for
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
OCR to determine how it will address
the HITECH changes to HIPAA
accounting of disclosures.
For the above reasons, some
commenters urged SAMHSA not to
include the List of Disclosures provision
in the final rule; delay promulgating
until OCR decides how it will approach
the HITECH provisions concerning the
HIPAA accounting of disclosures
requirement; and engage with OCR,
providers, and vendors to fully
understand the implications of such a
requirement before establishing an
implementation date for the List of
Disclosures requirement.
SAMHSA Response
SAMHSA is including the List of
Disclosures requirement in the final rule
to balance the flexibility of allowing a
general designation in the ‘‘To Whom’’
section of the consent form against the
protection of patient privacy. We
understand commenter concerns about
the technical feasibility of implementing
the List of Disclosures requirement.
However, there is no timeframe in
which part 2 programs and lawful
holders need to comply with the List of
Disclosures requirements; only the
condition that if they choose to have the
option to disclose information pursuant
to a general designation on the ‘‘To
Whom’’ part of the consent form, they
must also be capable of providing a List
of Disclosures upon request per
§ 2.13(d). Because the general
designation is not mandated on a
consent form, this allows entities time
to develop and test the technology
needed for compliance with the List of
Disclosures requirements or to decide
not to disclose information pursuant to
a general designation and not
implement technology needed for
compliance with the List of Disclosures
provision.
Public Comments
A commenter said the List of
Disclosures will impose a complex
burden upon all parties involved in the
disclosure and receipt of substance use
disorder treatment, asserting that the
disclosing party—if it is not a part 2
program—would need to know that the
information being disclosed is subject to
the part 2 requirements. The commenter
said there may be a question of whether
this type of disclosure would be
prohibited per the Prohibition on redisclosure provision, and this becomes
more complex if further disclosures or
re-disclosures take place.
SAMHSA Response
SAMHSA responds that the entity
that serves as an intermediary should be
PO 00000
Frm 00023
Fmt 4701
Sfmt 4700
6073
provided a copy of the part 2-compliant
consent form or the pertinent
information on the consent form
necessary for the intermediary to
comply with the signed consent. The
providers with a treating provider
relationship with the patient whose
information is being disclosed would be
aware of the part 2 protections because
the disclosure would also be
accompanied by the prohibition on redisclosure notice.
Public Comments
A commenter said SAMHSA has not
addressed whether there will be a cost
to the patient for obtaining a List of
Disclosures. If patients will be required
to pay a fee for this list of disclosures,
the commenter said SAMHSA should
establish a reasonable fee for the
provision of the List of Disclosures.
SAMHSA Response
SAMHSA strongly encourages entities
to provide the List of Disclosures at no
charge to the patient.
4. Recommendations To Further Protect
Patient Privacy
Public Comments
A commenter said SAMHSA should
require the List of Disclosures to include
all disclosures of the patient’s health
information, whether such disclosure
was made pursuant to a consent form,
QSOA, medical emergency, or any other
means. Similarly, another commenter
stated that, when a record of all uses
and disclosures already exists, a
program should be required to make
that record available to a patient upon
request. Other commenters asserted that
the List of Disclosures should be
presented to the patient at the time the
consent is signed, rather than after the
disclosures have been made. A
commenter said patients should also be
given the option, at the time of signing,
to cross out entities to whom they do
not want their information disclosed.
Also, a commenter said patients should
be informed of changes to the list that
may now have access to their
information.
Some commenters expressed concern
that the List of Disclosures would be
limited to disclosures made within the
past two years, which does not allow
the patient to learn about past data
breaches. Some commenters
recommended expanding the time
period to five years or not including a
time limit.
SAMHSA Response
In response to these concerns and
recommendations about increasing
patient privacy rights, SAMHSA
E:\FR\FM\18JAR6.SGM
18JAR6
6074
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
clarifies that the List of Disclosures
provision was proposed in the NPRM as
a way to balance the revision to the
consent form allowing a more general
designation in the ‘‘To Whom’’ section,
which is optional. The List of
Disclosures provision is limited to
information disclosed pursuant to the
general designation by the entity that
serves as the intermediary, but these
entities as well as part 2 programs are
not prohibited from providing patients
with all available information. Patients
will have the right to request this List
of Disclosures and have it produced in
a timely fashion; however, SAMHSA
has chosen not to require entities to
provide this information at the time of
patient consent as this would be
impossible because disclosure of the
patient’s information has not occurred
at that point. SAMHSA also emphasizes
that patients are not required to use a
general designation in the ‘‘To Whom’’
section of the consent form. Therefore,
patients can limit disclosures by a more
concrete specification (i.e., named
individual(s)).
In response the comments on
expanding the time period that the List
of Disclosures covers, this final rule’s
provision to limit the List of Disclosures
to those made within the last two years
does not preclude an entity that serves
as an intermediary from providing the
patient with a list covering disclosures
made for periods greater than two years.
Public Comments
A commenter said SAMHSA should
not include the sample language for a
request for a List of Disclosures under
the general designation in the final rule
because HIPAA has shown that entities
construe such sample language as
mandates to use the sample language,
thereby making it more difficult for an
individual to request such information,
and hindering their ability to obtain
such information contrary to the intent
of the proposed rule. The commenter
suggested that SAMHSA, as part of this
rule or in subregulatory guidance at a
later date, recommend that certain
criteria be included as part of an
individual’s request for such
disclosures.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
SAMHSA did not intend for the
sample language for a request for a list
of disclosures provided in the NPRM to
be construed as a requirement for
requesting a List of Disclosures, but
rather to assist patients in making such
a request. SAMHSA is retaining the
sample language in this rule.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Public Comments
Public Comments
A commenter asserted that states can
set a higher standard than part 2, but the
NPRM language would lead the patient
to think that they could get information
via unencrypted email. The commenter
suggested the provision be modified to
indicate that responses sent to the
patient electronically may be sent by
unencrypted email at the request of the
patient ‘‘so long as it is not prohibited
by applicable law.’’ In addition, the
commenter said the final rule should
require patients to be notified that there
may be some level of risk that the
information in an unencrypted email
could be read by a third party. In
addition, the commenter said the rule
should state that, if patients are notified
of the risks and still prefer unencrypted
email, the patient has the right to
receive the information in that way, and
entities are not responsible for
unauthorized access of the information
while in transmission to the patient
based on the patient’s request.
A commenter said the NPRM
abandoned the current statement that
the rule does not restrict a disclosure
that ‘‘an identified individual is not and
has never been a patient.’’ The
commenters said the new approach
militates against fishing by third parties.
SAMHSA Response
The language regarding unencrypted
email transmissions appears in the
NPRM preamble only and acknowledges
both encrypted and unencrypted email
as acceptable modes of transmission.
The language goes on to say: ‘‘Responses
sent to the patient electronically may be
sent by encrypted transmission (e.g.,
encrypted email or portal), or by
unencrypted email at the request of the
patient, so long as the patient has been
informed of the potential risks
associated with unsecured transmission.
Patients should be notified that there
may be some level of risk that the
information in an unencrypted email
could be read by a third party. If
patients are notified of the risks and still
prefer unencrypted email, the patient
has the right to receive the information
in that way, and entities are not
responsible for unauthorized access of
the information while in transmission to
the patient based on the patient’s
request. Before using an unsecured
method to respond to a request for a list
of disclosures, an entity should take
certain precautions, such as checking an
email address for accuracy before
sending it or sending an email alert to
the patient for address confirmation to
avoid unintended disclosures.’’
SAMHSA does not intend to be
prescriptive regarding how the
information is relayed to the patient or
to preempt applicable state law that may
prohibit unencrypted transmission (see
§ 2.20).
PO 00000
Frm 00024
Fmt 4701
Sfmt 4700
SAMHSA Response
SAMHSA agrees with the commenter
that prohibiting a disclosure that ‘‘an
identified individual is not and has
never been a patient’’ mitigates against
fishing by third parties. In the NPRM,
SAMHSA proposed to remove the
concept from § 2.13(c)(2) that the
regulations do not restrict a disclosure
that an identified individual is not and
never has been a patient and has
retained this position in the final rule.
Public Comments
Commenters made other
recommendations relating to the
proposed List of Disclosures
requirement focused on generally
improving patients’ rights, including
suggestions to keep information
confidential; notify when a treating
provider has accessed the patient’s
confidential information; ensure
patient-approved information sharing;
provide a process by which an
individual can raise a complaint; and
disclose to patients in plain language.
SAMHSA Response
SAMHSA acknowledges and shares
the commenters’ concerns with patient
privacy. We believe that the List of
Disclosures requirement as proposed in
the NPRM is adequate to inform patients
of how their information has been
shared in the event that they provided
a general designation in the ‘‘To Whom’’
portion of their consent. SAMHSA
encourages entities to provide the
information associated with a List of
Disclosures in plain language and with
sufficient specificity so that patients
understand the List of Disclosures,
including the brief description of the
patient identifying information
disclosed.
5. Other Comments and
Recommendations on the List of
Disclosures Provision
Public Comments
One commenter recommended that
SAMHSA allow consent to include a
description of HIE as a function to
support patient care, and exclude this
function from the information
disclosure accounting [List of
Disclosure] requirement.
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
A commenter recommended that
SAMHSA offer additional guidance on
best practices and make infrastructure
grants available to create the necessary
modifications within providers’ EHRs or
other consent tracking systems.
Some commenters made other
suggestions. For example, a commenter
requested that SAMHSA define ‘‘in
writing’’ and ‘‘written requests’’ as those
terms are used in the List of Disclosures
provision (§ 3.13(d)). Another
commenter urged SAMHSA to explore
options to reduce the cost of the List of
Disclosures provision and further clarify
how the enhanced protection of
substance use disorder treatment
information can be consistent and
interoperable with other health systems.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
As for the request to define ‘‘in
writing’’ and ‘‘written requests’’ as those
terms are used in the List of Disclosures
provision, in the NPRM preamble
discussion of Terminology Changes,
SAMHSA explained that for the
purposes of this regulation, we also
propose that the term ‘‘written’’ include
both paper and electronic
documentation.
The consent requirements (§ 2.31)
include the option of including in the
‘‘To Whom’’ section of the consent form
the name of an entity that does not have
a treating provider relationship with the
patient whose information is being
disclosed (and is not a third-party payer
that requires patient identifying
information for the purposes of
reimbursement for the services rendered
by the part 2 program) and either the
name(s) of an individual participant(s);
or the name(s) of an entity participant(s)
that has a treating provider relationship
with the patient whose information is
being disclosed; or a general designation
of an individual or entity participant(s)
or class of participant(s) who has a
treating provider relationship with the
patient whose information is being
disclosed. Any HIE that serves as an
intermediary is subject to the List of
Disclosures requirement regardless of its
other ‘‘functions.’’ Regarding the
requests for guidance, SAMHSA may
issue additional subregulatory guidance
on this provision after this final rule is
published.
G. Security for Records (§ 2.16)
SAMHSA is adopting this section as
proposed except for some nonsubstantive, technical changes to the
language in proposed § 2.16(a)(2)(i).
SAMHSA is modernizing this section to
address both paper and electronic
records. First, SAMHSA revised the
heading by deleting the word ‘‘written’’
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
so that it now reads: Security for
Records. Secondly, SAMHSA clarified
that this section requires both part 2
programs and other lawful holders of
patient identifying information to have
in place formal policies and procedures
for the security of both paper and
electronic records. Finally, SAMHSA
has replaced language in other sections
of part 2 with a reference to the policies
and procedures established under
§ 2.16, where applicable. As noted
above, SAMHSA has made some
technical changes to the language in
proposed § 2.16(a)(2)(i). In particular, to
more closely align with the HIPAA
Security Rule, SAMHSA has revised
§ 2.16(a)(2)(i) to require that part 2
program security for electronic records
policies must include ‘‘creating,
receiving, maintaining, and transmitting
such records.’’ The proposed language
was ‘‘copying, downloading,
forwarding, transferring, and removing
such records.’’
Public Comments
Some commenters supported the
proposed provisions on security and
stated that they provide appropriate
protections. However, many
commenters asserted that the security
provisions of HIPAA should be followed
and that those requirements should
satisfy the part 2 provisions.
A commenter also supported the use
of internal confidentiality agreements.
A commenter expressed concern that
the rule does not address what a nonpart 2 provider who receives part 2 data
must do to ensure adequate safeguards
are in place. Similarly, another
commenter expressed concern about
security obligations that would be
placed on other lawful holders, such as
courts, law firms, family members, or
other private citizens who are often not
the types of providers subject to the
current (1987) part 2.
One commenter recommended an
expiration date for electronic records.
Another commenter recommended that
the use of secure, certified HIT be added
as a requirement for part 2 program
providers, as well as any services
provided that conduct audits and
evaluations related to transition of
patient information.
SAMHSA Response
SAMHSA appreciates the support of
commenters on this issue. On the issue
of HIPAA, covered entities must comply
with all regulations that are applicable
to them. Because some entities subject
to this rule are not subject to HIPAA,
SAMHSA may provide subregulatory
guidance after the rulemaking on the
extent to which compliance with
PO 00000
Frm 00025
Fmt 4701
Sfmt 4700
6075
HIPAA security requirements, for those
subject to them, will satisfy § 2.16.
SAMHSA emphasizes that if an entity
already has security practices and
policies in place that meet the
requirements of this rule, whether those
practices were developed to meet the
regulatory requirements or simply as a
matter of good practice, the entity may
not need to take additional action on
this issue. In the NPRM, SAMHSA
suggested resources for part 2 programs
and other lawful holders for developing
formal policies and procedures
including materials from the HHS Office
for Civil Rights (e.g., Guidance
Regarding Methods for De-identification
of Protected Health Information in
Accordance with the Health Insurance
Portability and Accountability Act
(HIPAA) Privacy Rule), and the National
Institute of Standards and Technology
(NIST) (e.g., the most current version of
the Special Publication 800–88,
Guidelines for Media Sanitization).
On the issue of use of internal
confidentiality agreements and the
required use of secure, certified Health
IT, § 2.16 provides requirements for
formal policies and procedures to
reasonably protect against unauthorized
uses and disclosure of patient
identifying information and to protect
against reasonably anticipated threats or
hazards to the security of patient
identifying information. A part 2
program or other lawful holder of
patient identifying information may
impose any additional requirements that
they feel will enhance protections.
With regard to security of the records
lawfully obtained by non-part 2
programs, § 2.16 applies equally to these
entities (referred to as lawful holders of
patient identifying information). The
required formal policies and procedures
are intended to ensure protection of
patient identifying information when
electronic records are exchanged
electronically using health IT, as well as
when they are exchanged using paper
records. In addition, the formal policies
and procedures will have to address,
among other things, the sanitization of
hard copy and electronic media, which
is addressed in the NPRM discussion of
Disposition of Records by Discontinued
Programs (§ 2.19). On the concern
raised that § 2.16 places an
unreasonable burden on courts, law
firms, family members, or other private
citizens who may obtain the
information, a patient who has obtained
a copy of his or her records or a family
member or private citizen who has
received such information from a
patient would not be considered a
lawful holder of patient identifying
information in this context. Generally,
E:\FR\FM\18JAR6.SGM
18JAR6
6076
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
consents and permissible disclosures
are initiated by a lawful holder who
desires the information and, therefore,
the lawful holder would already be
familiar with part 2.
mstockstill on DSK3G9T082PROD with RULES6
H. Disposition of Records by
Discontinued Programs (§ 2.19)
SAMHSA is modifying this section
from that proposed in the NPRM in
response to public comments, as
discussed below. In this section,
SAMHSA addresses the disposition of
both paper and electronic records by
discontinued programs, including
added requirements for sanitizing paper
and electronic media, which is
distinctly different from deleting
electronic records and may involve
clearing (using software or hardware
products to overwrite media with nonsensitive data) or purging (degaussing or
exposing the media to a strong magnetic
field in order to disrupt the recorded
magnetic domains) the information from
the electronic media. If circumstances
warrant the destruction of the electronic
media prior to disposal, destruction
methods may include disintegrating,
pulverizing, melting, incinerating, or
shredding the media. SAMHSA expects
the process of sanitizing paper media
(including printer and facsimile (FAX)
ribbons, drums, etc.) or electronic media
to be permanent and irreversible, so that
there is no reasonable risk that the
information may be recovered. For the
purpose of this rule, SAMHSA makes a
distinction between electronic devices
(something that has computing
capability, such as a laptop, tablet, etc.)
and electronic media (something that
can be read on an electronic device,
such as a CD/DVD, flash drive, etc.).
Public Comments
A commenter expressed support for
the proposal related to disposition of
records by discontinued programs.
Another commenter recommended that
the rule allow for ‘‘selective sanitizing,’’
using methods that will not require
overwriting the entire electronic media.
Two commenters asked about patient
records when a program is acquired by
another program. A commenter
suggested that the rule should address
situations in which a patient cannot be
located or is deceased and cannot give
consent. The commenter provided
multiple suggestions relating to
disposition of records, including permit
more flexible means of storage; permit
scanning and electronic storage of
records; do not require transfer to a
portable device; offer an option to store
records in a production encrypted
network storage device. This commenter
also asserted that sanitation of
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
electronic communications would not
be feasible in organizations storing
millions of electronic records; requiring
storage of a portable electronic device in
a sealed container does not add
additional security if it is already
encrypted; and deleting substance use
information from records does not
conceal the fact that someone has a
substance use disorder but instead
highlights the fact.
SAMHSA Response
SAMHSA acknowledges the support
for the proposed provision. With regard
to the issue of multiple sources of
records, we have revised the language in
the final rule to allow one year to
complete the process of sanitizing paper
or electronic media (see § 2.19(b)(2)(iii)).
This change should allow for select
patient records to be removed from both
the specific site and any operational
sources without disrupting other patient
records. Regarding acquisition of one
program by another, the § 2.19(a)
regulatory text outlines the exceptions
to removing patient identifying
information from its records or
destroying its records.
If the patient cannot be located or is
deceased and cannot give consent, the
part 2 program that has discontinued
operations or is taken over or acquired
by another program, must remove the
patient’s identifying information from
its records, including sanitizing any
associated hard copy or patient records
or patient identifying information
residing on electronic media, to render
the patient identifying information nonretrievable in a manner consistent with
policies and procedures under § 2.16.
Regarding comments on more flexible
means of electronic record storage,
SAMHSA has revised § 2.19(b)(2) to
allow for more flexibility. The revised
language allows for electronic records to
be transferred to a portable electronic
device with implemented encryption to
encrypt the data at rest so that there is
a low probability of assigning meaning
without the use of a confidential process
or key and implemented access controls
for the confidential process or key (see
§ 2.19(b)(2)(i)); or transferred, along with
a backup copy, to separate electronic
media, so that both the records and the
backup have implemented encryption to
encrypt the data at rest so that there is
a low probability of assigning meaning
without the use of a confidential process
or key and implemented access controls
for the confidential process or key (see
§ 2.19(b)(2)(ii)). For electronic storage of
the records, if the records are scanned,
they would have to be maintained
consistent with § 2.19(b)(2) and the
paper records would have to be
PO 00000
Frm 00026
Fmt 4701
Sfmt 4700
destroyed consistent with § 2.16.
Regarding portable device storage, the
final § 2.19 language specifies that the
portable electronic device or the original
and backup electronic media must be
sealed in a container along with any
equipment needed to read or access the
information. The sealed container
prevents the portable electronic device
or the original and backup electronic
media from being separated from the
equipment needed to read or access the
information.
I. Notice to Patients of Federal
Confidentiality Requirements (§ 2.22)
SAMHSA is adopting this section as
proposed. Consistent with the NPRM,
SAMHSA considers the term ‘‘written’’
to include both paper and electronic
documentation. Accordingly, the notice
to patients may be either on paper or in
an electronic format. SAMHSA also
revised § 2.22(b)(2) to require the
statement regarding the reporting of
violations to include contact
information for the appropriate
authorities.
Public Comments
Several commenters expressed
support for the proposed provisions,
particularly the allowing of electronic
notice, and they encouraged the use of
plain language and notices in languages
other than English. Several commenters
recommended that SAMHSA should
make a sample notice or language
available to covered entities. One
commenter asked how written notice
can be provided for encounters that are
not in person.
Other commenters suggested that the
patient be given copies rather than
written summaries of state and federal
law; a paper report, if requested; the
right to request and obtain restrictions;
and a description of how patient
information may be disclosed for
scientific research.
SAMHSA Response
The final rule requires that the notice
include contact information for the
appropriate authorities for reporting
violations. SAMHSA believes this
change will make it easier for patients
to identify to whom they should file a
complaint of a potential violation of part
2. Therefore, SAMHSA declines to
include a sample complaint form at this
time but may consider whether to issue
one outside of this rulemaking process.
SAMHSA also declines to require copies
rather than summaries of state and
federal law because the notice to
patients of federal confidentiality
requirements is required to provide
citations to the federal law and
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
regulations that protect the
confidentiality of patient records and
including information concerning state
laws and regulations is optional. The
notice must also be provided in writing
but as was discussed in Terminology
Changes (§ 2.11), the term ‘‘in writing’’
includes both paper and electronic
documentation. Because the purpose of
the notice is to communicate to the
patient the federal law and regulations
that protect the confidentiality of
patient records, SAMHSA declines to
require anything additional. However, if
a part 2 program wishes to provide
additional information, nothing in this
provision prohibits them from doing so.
mstockstill on DSK3G9T082PROD with RULES6
J. Consent Requirements (§ 2.31)
SAMHSA is finalizing the consent
requirements in this section, with
certain modifications as described in
greater detail below. In summary,
SAMHSA is adopting all proposed
changes to § 2.31 except for two at this
time. In the ‘‘From Whom’’ section of
the consent requirements (§ 2.31(a)(2)),
SAMHSA decided not to finalize its
proposal to remove the general
designation option, but did make minor
updates to the terminology in the
current (1987) regulatory text. As
explained in greater detail below, the
final ‘‘From Whom’’ provision of the
consent requirements specifies that a
written consent to a disclosure of part
2 information must include the specific
name(s) or general designation(s) of the
part 2 program(s), entity(ies), or
individual(s) permitted to make the
disclosure. SAMHSA also decided not
to finalize the proposed requirement
that a part 2 program or other lawful
holder of patient identifying
information obtain written confirmation
from the patient that they understand
the terms of the consent.
SAMHSA has revised the section
heading from ‘‘Form of written consent’’
to ‘‘Consent requirements.’’ SAMHSA
also made revisions to the two other
sections of the consent form
requirements: the ‘‘To Whom’’ section
and the ‘‘Amount and Kind’’ section.
SAMHSA also revised § 2.31 to require
a part 2 program or other lawful holder
of patient identifying information to
include on the consent form that
patients, when using a general
designation in the ‘‘To Whom’’ section
of the consent form, have the right to
obtain, upon request, a List of
Disclosures (see § 2.13). In addition,
SAMHSA revised § 2.31 to permit
electronic signatures to the extent that
they are not prohibited by any
applicable law.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
1. General Comments on Consent
Requirements
a. General
Public Comments
SAMHSA received many comments
on the proposed rule’s updated consent
requirements. Some commenters
generally supported the new consent
requirements. Other commenters listed
various reasons for their support,
including increased facilitation of
informed patient decisions, increased
patient choice with regard to protection
of their health information, and
increased sharing of health care records
among providers. One commenter
supported the use of paper and
electronic forms of written consent.
Many commenters, however,
expressed general opposition to the
proposed consent requirements. Several
commenters argued that the proposed
rule created unnecessary burdens for
providers, such as staff training,
constant updates to consent forms, and
expensive updates to provider EHRs.
Several commenters argued the
proposed consent rules would create
obstacles to information sharing and
integrated care. Specifically, a
commenter argued that the ‘‘To Whom’’
and ‘‘From Whom’’ format restricts who
within organizations can view a
patient’s records, further hampering
coordinated care. Another commenter
argued that the proposed consent form
requirements would make it difficult for
many HIEs to exchange part 2
information, and that the new
requirements do little to promote a
patient’s informed consent. A couple of
commenters argued that the proposed
regulations would reduce access to
substance use disorder treatment being
added by general health care
organizations, due to administrative
burden and liability fears. General
health care providers are less likely to
add substance use disorder treatment, or
partner or undertake projects with
substance use disorder treatment
providers. Another commenter stated
this rule may result in providers not
screening patients for substance use
disorders and not documenting
substance use disorder related
information.
According to a few commenters, the
current part 2 regulations exceed the
statutory requirements that led to the
regulations. One commenter suggested
that 42 U.S.C 290dd–2 requires consent
to share information and does not allow
any shared information to be used for
prosecution. The commenter goes on to
state that nothing in Title 42, U.S.C.
290dd–2 requires an explicit description
PO 00000
Frm 00027
Fmt 4701
Sfmt 4700
6077
of what information can be released, or
requires time limits on consent. The
commenter suggested that SAMHSA
could reduce confusion and
administrative burden by proposing
revisions that are much more consistent
with HIPAA than its current proposal.
SAMHSA Response
Regarding the comments on statutory
authority, we do not agree that the
regulations in 42 CFR part 2 exceed the
authority provided for in 42 U.S.C.
290dd-2. The statute specifies that
patient identifying information may be
disclosed in accordance with prior
written patient consent, ‘‘but only to
such extent under such circumstances,
and for such purposes as may be
allowed under regulations prescribed’’
by the Secretary.
Regarding concerns about
unnecessary burdens for providers, such
as staff training, constant updates to
consent forms, and expensive updates to
provider EHRs, these burdens might be
offset by the benefits of increased in
flexibility in the consent requirements.
With respect to obstacles to information
sharing, one of SAMHSA’s goals for this
rulemaking is to ensure that patients
with substance use disorders have the
ability to participate in and benefit from
new integrated health care models
without fear of putting themselves at
risk of adverse consequences.
Public Comments
Some commenters stressed that
consent forms should be easy to read,
accessible to limited English proficiency
patients, and should meet HIPAA’s
plain language requirements.
Commenters stated that language and
literacy concerns could be barriers to
actual understanding of the form’s
contents. Similarly, suggesting that
SAMHSA take into account the reading
level standards in other health
programs, including Medicare and
Medicaid, one commenter asserted that
the proposed regulations do not provide
adequate options for an individual to
easily and simply determine who can or
cannot access their substance use
disorder records.
SAMHSA Response
SAMHSA agrees with the commenters
that the consent form should be written
clearly so that the patient can easily
understand the form. SAMHSA is
considering issuing subregulatory
guidance in the future to provide
examples of forms that comply with the
basic consent requirements in 2.31(a). In
addition, SAMHSA encourages part 2
programs to be sensitive to the cultural
and linguistic composition of their
E:\FR\FM\18JAR6.SGM
18JAR6
6078
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
patient population when considering
whether the consent form should also be
provided in a language(s) other than
English (e.g., Spanish).
b. Consent Form Validity Period
Public Comments
Several commenters stated that a twoyear time limit for the validity of
consent is insufficient, with some
commenters suggesting that consent
forms be valid indefinitely or until
death. For example, one commenter
asked why SAMHSA would deny a
person who has received substance use
disorder treatment the right to decide
that they want any and all information
regarding their treatment shared with
any and all of their health care
providers indefinitely as needed for
coordination of care. Another
commenter stressed the language of
§ 2.31(a) was confusing and requested
clarification on the permissible length of
time a consent is valid.
SAMHSA Response
Under § 2.31, a part 2-compliant
consent form must list the date, event,
or condition upon which the consent
will expire, if not revoked before. Thus,
it is not sufficient under part 2 for a
consent form to merely state that that
disclosures will be permitted until the
consent is revoked by the patient. It is,
however, permissible for a consent form
to specify the event or condition that
will result in revocation, such as having
its expiration date be ‘‘upon my death.’’
The rule does not set a two-year time
limit for consents, as some commenters
thought.
mstockstill on DSK3G9T082PROD with RULES6
c. Technical Challenges to Proposed
Consent Requirements
Public Comments
Commenters expressed concern about
the technical challenges providers
would face in complying with the
proposed consent requirements.
Generally, commenters expressed
concern that few, if any, EHR systems
and/or HIEs have the capability to
segregate substance use disorder patient
information in a way that could fully
support the rule by reflecting the
patient’s consent choices, and many
providers would have to expend
significant amounts of funds to create or
acquire a compliant system.
Commenters argued that if providers do
not have data segmentation capability,
they may simply exclude substance use
disorder patient data from their systems,
thus adversely impacting system
integration and patient care.
A couple of commenters asserted that
EHR, HIE, and other electronic records
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
systems have no way of selecting
different levels of consent for treating
providers. Specifically, a commenter
stated that SAMHSA should remove
requirements for varied levels of
consent within a given organization
(e.g., between departments or
individuals), instead limiting such
variation to HIEs that share information
between or across organizations. A
commenter stated that it is not feasible
to do individual exclusionary consents
in an HIE, especially for an entity that
has thousands of employees across
multiple states.
A commenter stated that providers in
an integrated care network may be
precluded from performing important
quality improvement checks because no
set of clinically integrated network
officials can be expected to have a direct
treatment relationship with every
patient in the large data pools necessary
to drive these important public health
efforts.
A commenter stated that the
confidentiality of a substance use
disorder patient’s information should
not be compromised if some electronic
systems were poorly designed and
without regard for part 2. Similarly,
another commenter stated that
technology should be regarded as a tool
and should not diminish a patient’s
privacy rights.
SAMHSA Response
SAMHSA acknowledges the concerns
regarding technical challenges to the
consent requirements and data
segmentation more broadly. As stated
above, SAMHSA has played a
significant role in encouraging the use
of health IT by behavioral health
(substance use disorders and mental
health) providers and towards
minimizing technical burdens through a
variety of activities. SAMHSA actively
participates in the development and
stewarding of data standards to promote
data segmentation and interoperability.
Specifically, the Data Segmentation for
Privacy (DS4P) initiative within ONC’s
Standards and Interoperability (S&I)
Framework facilitated the development
of standards to improve the
interoperability of EHRs containing
sensitive information that must be
protected to a greater degree than other
health information due to 42 CFR part
2 and similar state laws. The DS4P
standards were used in several pilot
projects, including the Department of
Veterans Affairs (VA)/SAMHSA Pilot,
which implemented all the DS4P use
cases and passed all conformance tests;
and SAMHSA’s Opioid Treatment
Program (OTP) Service Continuity Pilot
that connected OTPs to an HIE to
PO 00000
Frm 00028
Fmt 4701
Sfmt 4700
facilitate continuity of care during
disasters or other unexpected
disruptions in service. Additionally,
DS4P standards were adopted in ONC’s
2015 Edition final rule (80 FR 62702,
Oct. 16, 2015) as part of the 2015
Edition Health IT Certification Criteria
(2015 Edition). See 45 CFR 170.315(b)(7)
and (8). SAMHSA has also supported
the development of the application
branded Consent2Share, an open-source
health IT solution based on DS4P,
which assists in consent management
and data segmentation and is currently
being used by the Prince Georges
County (Maryland) Health Department
to manage patient consent directives
while sharing substance use disorder
information with an HIE. SAMHSA is
currently updating Consent2Share,
slated for release in late 2016, with the
aim that its streamlined data stack and
improved functionality will lower
barriers to implementation in the field.
SAMHSA is considering issuing
subregulatory guidance in the future to
address other technical solutions to
complying with the regulation.
Regarding the comment that it is not
feasible to do individual exclusionary
consents in an HIE, the HIE does not
have to give the patient the option to do
individual level consent. SAMHSA has
provided more flexibility in the consent
provisions in an effort to ensure that
patients with substance use disorders
have the ability to participate in and
benefit from new integrated health care
models while, at the same time,
maintaining core confidentiality
protections.
d. Requests for Exemptions and
Exceptions
Public Comments
Several commenters requested various
exemptions or exceptions from the part
2 consent requirements, including a
public health exception similar to that
of the HIPAA Privacy Rule (see https://
www.hhs.gov/hipaa/for-professionals/
special-topics/public-health/
index.html), an exemption for CCOs
who have a treating relationship with a
patient, an exemption for ACOs who
have integrated delivery systems, an
exception for state health data
organizations that collect data under
legislative authority and collection of
substance use disorder data by state
agencies, and in instances where part 2
data may be used to improve patient
care coordination, ensure
interoperability, and ensure patient
safety. One commenter requested an
exception for care coordination
purposes for valid and vital clinical
reasons.
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
Regarding § 2.20 (Relationship to state
laws), a commenter said SAMHSA
should include an exception under part
2, subpart D (Disclosures Without
Patient Consent) allowing disclosures of
substance use disorder treatment
information based on state laws that
authorize or compel such disclosures
(e.g., for public health or medical
assistance reasons). Another
commenter, noting the role of multipayer claims databases or MPCDs (also
known as all payer claims databases
(APCDs)), suggested that SAMHSA add
a new section to include state health
data organizations that collect data
under a legislative authority, reasoning
that these states have decades of
experience in collecting and managing
sensitive data with strict legal and
policy controls.
A commenter said SAMHSA should
permit oral consent with documentation
and specific information to be shared.
SAMHSA Response
SAMHSA appreciates the
perspectives expressed by those who
seek additional exceptions or
exemptions from part 2 consent
requirements, as well as the suggestion
that SAMHSA permit oral consents that
are documented in writing.
The part 2 underlying statute, 42
U.S.C. 290dd–2, and this rule require a
written patient consent to disclose part
2 information unless the disclosure is
otherwise permitted under the part 2
statute or regulations. The statute, for
instance, does not provide a general
exception to the consent requirement for
the purpose of sharing information with
public health officials. In certain
circumstances, disclosures of part 2
information may be authorized by court
order to protect against an existing
threat to life or of serious bodily injury
(see § 2.63, Confidential
communications) or to the extent
necessary to meet a bona fide medical
emergency in which the patient’s prior
informed consent cannot be obtained
(see § 2.51, Medical emergencies).
SAMHSA may in the future consider
issuing subregulatory guidance to
further describe medical emergencies
under § 2.51 and how such emergencies
may relate to public health emergencies
declared at the federal, state, local, and/
or tribal levels. SAMHSA does not,
however, have the statutory authority to
authorize routine disclosure of part 2
information for public health reporting,
surveillance, investigation or
intervention purposes.
With respect to § 2.20 (Relationship to
state laws), in the proposed and final
rules SAMHSA maintains current
language regarding preemption. As
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
discussed above, SAMHSA cannot
develop a new general exception for
public health or medical assistance
purposes in light of the statute.
Likewise, SAMHSA cannot develop a
specific new exception for APCDs
(hereinafter referred to as MPCDs). The
role of MPCDs is discussed in the
section of this preamble concerning
research (§ 2.52). SAMHSA disagrees
with the recommendations to consider a
specific exemption to the consent
requirements for ACOs that have
integrated delivery systems, except as
described in § 2.53 for the purposes of
audits and evaluations. Similarly,
SAMHSA is not accepting the
suggestion to provide a specific
exemption from the part 2 consent
requirements for CCOs that have a
treating provider relationship with a
patient (i.e., that meet the definition of
having a treating provider relationship
with the patient whose information is
being disclosed). SAMHSA believes that
the final changes to the consent
requirements will facilitate care
coordination and information exchange.
Improving the quality of substance use
disorder care depends on effective
collaboration of mental health,
substance use disorder, general health
care, and other service providers in
coordinating patient care. However, the
composition of a health care team varies
widely among entities. Because
SAMHSA wants to ensure that patient
identifying information is only
disclosed to those individuals and
entities on the health care team with a
need to know this sensitive information,
we are limiting a general designation in
the ‘‘To Whom’’ section of the consent
requirements to those individuals or
entities with a treating provider
relationship. Patients may further
designate their treating providers as
‘‘past,’’ ‘‘current,’’ and/or ‘‘future’’
treating providers. In addition, the
consent form can include multiple
authorizations in the ‘‘To Whom’’
section. A consent may allow a patient
to designate, by name, one or more
individuals with whom they do not
have a treating provider relationship,
that they authorize to receive or access
their health care data.
While we are not establishing specific
additional exemptions or exclusions
from the consent requirements at this
time in response to commenters’
suggestions, in light of the longstanding
role that contractors and subcontractors
play in the health care system and their
handling of part 2 data, we are issuing
an SNPRM related to lawful holders’ use
of contractors and subcontractors.
PO 00000
Frm 00029
Fmt 4701
Sfmt 4700
6079
e. Commenter Recommendations
Public Comments
Some commenters said SAMHSA
should expand the list of persons who
could view the patient’s medical record
without the patient’s written consent to
include clergy, social workers,
psychologists and family members if in
their professional opinion they were
necessary for the patient’s recovery and
progress. Another commenter
recommended expanding the list to
include all types of professionals
involved in the treatment of individuals
receiving substance use treatment into
the respective definitions, including
those employed in social services that
are members of the treatment team.
SAMHSA Response
The definition of ‘‘treating provider
relationship’’ is sufficiently broad to
cover the necessary components of a
patient’s care team. The statute, 42
U.S.C. 290dd-2, does not provide an
exception to the consent requirement for
the purpose of sharing information with
family members. Part 2, therefore,
requires a part 2-compliant consent to
disclose patient identifying information
unless disclosure is otherwise permitted
under the statute or regulations.
Public Comments
Many commenters said SAMHSA
should provide a sample consent form.
Some commenters stated that any
sample consent form should not be
mandated to allow stakeholders
flexibility.
SAMHSA Response
SAMHSA may, after publication of
this rule, issue subregulatory guidance
that includes a sample consent form that
meets the specifications of the final rule.
SAMHSA has never and has no
intention of mandating the use of a
specific consent form.
Public Comments
Several commenters generally
supported the use of electronic
signatures. Several commenters only
supported electronic signatures when
also authorized under state law. A
couple of commenters requested
guidance on what steps the provider
would need to take to verify identity,
provide the required prefatory
information and to obtain a substance
use disorder patient’s electronic
signature. A commenter requested
guidance from SAMHSA on the areas
modified by SAMHSA. A commenter
said SAMHSA should identify the
signatory and enforceability
E:\FR\FM\18JAR6.SGM
18JAR6
6080
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
Because there is no single federal law
on electronic signatures and there may
be variation in state laws, SAMHSA
recommends that stakeholders consult
their attorneys to ensure they are in
compliance with all applicable laws.
information systems that cannot be
made secure.
A commenter stated the proposed rule
did not address revocation or refusal of
consent. Similarly, another commenter
recommended adding language that
makes clear that revocation of consent
prevents unauthorized access but does
not remove the information from the
electronic record.
Public Comments
SAMHSA Response
Some commenters made
recommendations for patient privacy
protection. One commenter noted that
the use of secure, certified health IT,
networks, and devices, especially for the
transmission of patient records, does not
appear to be included in the proposed
provisions. Another commenter said
meaningful consents could only be
achieved by adding statements that
inform the patient of the unprecedented
risks of making highly sensitive
substance use disorder information
accessible throughout integrated health
care systems or electronic health
Section 2.16 addresses security for
records and requires formal policies and
procedures to reasonably protect against
unauthorized use and disclosures of
patient identifying information and to
protect against reasonably anticipated
threats or hazards to the security of
patient identifying information.
Whereas this provision does not
specifically address the use of certified
health IT networks, and devices, they
may be used as long as the requirements
of section 2.16 are met. Regarding
revocation of consent, § 2.31(a)(6)
requires: ‘‘A statement that the consent
consideration of electronic consent
through reference to other laws.
SAMHSA Response
is subject to revocation at any time
except to the extent that the part 2
program or other lawful holder of
patient identifying information that is
permitted to make the disclosure has
already acted in reliance on it. Acting in
reliance includes the provision of
treatment services in reliance on a valid
consent to disclose information to a
third-party payer.’’ To the extent an
individual refuses to consent to the
disclosure of their patient identifying
information, part 2 prohibits such
disclosure unless otherwise permitted
under the statute or regulations (e.g.,
audit or evaluation, or scientific
research).
2. To Whom
SAMHSA is adopting this aspect of
the proposal. SAMHSA has moved the
former § 2.31(a)(2), ‘‘To Whom’’
provision, to § 2.31(a)(4). The following
table provides an overview of the
options permitted when completing the
designation in the ‘‘To Whom’’ section
of the consent form.
TABLE 1—DESIGNATING INDIVIDUALS AND ORGANIZATIONS IN THE ‘‘TO WHOM’’ SECTION OF THE CONSENT FORM
Individual or
entity to whom disclosure
is to be made
Treating provider
relationship with patient
whose information is
being disclosed
(a)(4)(i) ..............................
Individual .........................
Yes ..................................
(a)(4)(i) ..............................
(a)(4)(ii) .............................
Individual .........................
Entity ...............................
No ....................................
Yes ..................................
(a)(4)(iii)(A) ........................
Entity ...............................
No ....................................
(a)(4)(iii)(B) ........................
mstockstill on DSK3G9T082PROD with RULES6
42 CFR 2.31
Entity ...............................
No ....................................
If a general designation is used, the
entity must have a mechanism in place
to determine whether a treating provider
relationship exists with the patient
whose information is being disclosed.
Patients may further designate their
treating providers as ‘‘past,’’ ‘‘current,’’
and/or ‘‘future’’ treating providers. In
addition, a patient may designate, by
name, one or more individuals on their
health care team with whom they do not
have a treating provider relationship.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Name of individual(s) (e.g., Jane Doe,
MD).
Name of individual(s) (e.g., John Doe)
Name of entity (e.g., Lakeview County
Hospital).
Name of entity that is a third-party
payer
as
specified
under
§ 2.31(a)(4)(iii)(A) (e.g., Medicare).
Name of entity that is not covered by
§ 2.31(a)(4)(iii)(A) (e.g., HIE, or research institution).
a. General
Public Comments
Several commenters generally agreed
with the proposed ‘‘To whom’’ section
of the consent requirements, stating that
it allows patients to disclose substance
use disorder information to past,
current, or future treating providers;
would improve information and data
sharing for health care, especially for
entities that are continually adding new
members; allow patients to remain in
PO 00000
Frm 00030
Fmt 4701
Required additional
designation
Primary designation
Sfmt 4700
None.
None.
None.
None.
At least one of the following:
1. The name(s) of an individual participant(s) (e.g., Jane Doe, MD, or
John Doe).
2. The name(s) of an entity participant(s) with a treating provider relationship with the patient whose information is being disclosed (e.g.,
Lakeview County Hospital).
3. A general designation of an individual or entity participant(s) or a
class of participants limited to those
participants who have a treating
provider relationship with the patient
whose information is being disclosed (e.g., my current and future
treating providers).
control of their substance use disorder
information and understand who had
access to their data. One commenter
supported the express permission to
designate the name of the entity for
third-party payers that require patient
identifying information for purposes of
reimbursement of services rendered to
the patient.
Many commenters offered general
support for the proposed rule’s general
designation. Some commenters stated
that the general designation creates a
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
balance between patient privacy and
operational functions, facilitates
internal communication within an
integrated delivery system, streamlines
the consent process, reduces
administration burdens, creates new
flexibility, may help facilitate increased
behavioral health participation in some
HIEs around the country, and would
help improve the quality and continuity
of care within integrated delivery
models. A commenter supported the
expansion of the use of a general
designation when there is a treating
provider relationship, but said it is
unworkable to require an updated
consent form every time new entities are
added to the ‘‘umbrella’’ consent.
Some commenters generally disagreed
with the proposed ‘‘To Whom’’
provision of the consent requirements.
Several commenters argued that the
proposal was burdensome, would create
additional complexity, would reduce
information sharing, and would not
improve patient privacy protections or
facilitate informed consent. Commenters
stated it is unnecessary and impractical
to require the consent form to name
every HIE and other intermediaries that
may assist in transmitting or providing
access to the patient’s information. A
couple of commenters stated the
proposed rule would restrict the ability
of patients to specifically name an entity
or to authorize part 2 programs to send
their information to entities that do not
have a treatment relationship [treating
provider relationship]. Another
commenter said the regulatory preface
mentions a number of very specific
drivers of this purported need for
broader sharing (such as HIEs), but the
regulatory language itself contains no
such limitation and offers HIE only as
an illustrative example.
Many commenters specifically did not
support the general designation in the
‘‘To Whom’’ section. Some commenters
claimed that the proposal presumes
each person entering a treatment
process has the ability to understand the
longer-term consequences, or that
substance use disorder patients, who are
under tremendous stress, would simply
choose the general designation because
it was easiest. A commenter said the
general designation does not guarantee
that a HIE or other organizations will
send all patient data, which could be a
critical source of information in the case
of an emergency.
SAMHSA Response
A patient may consent to designate,
for example, an HIE (an entity that does
not have a treating provider relationship
with the patient whose information is
being disclosed) and ‘‘all my treating
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
providers’’ (a general designation of an
individual or entity participant(s) or a
class of individual or entity participants
that must be limited to a participant(s)
who has a treating provider relationship
with the patient whose information is
being disclosed). Using the same
concept, an ACO, pursuant to a general
designation, may disclose information
described in the ‘‘Amount and Kind’’
section of a consent form (explained
further in 3. Amount and Kind) to ‘‘all
my entity treating providers.’’ If a
general designation is used, the entity
must have a mechanism in place to
determine whether a treating provider
relationship exists with the patient
whose information is being disclosed
(e.g., an attestation). In the HIE and ACO
examples above, the entity that does not
have a treating provider relationship
with the patient whose information is
being disclosed and serves as the
intermediary may not further disclose
the patient identifying information
except to those providers who have a
treating provider relationship with the
patient whose information is being
disclosed that can be verified by the
intermediary. The prohibition on redisclosure notice must be provided with
the disclosure because it also applies to
the treating provider(s) who receive the
information from the entity that serves
as an intermediary. In addition, a copy
of the part 2-compliant consent form or
the pertinent information on the consent
form necessary for the treating
provider(s) to comply with the signed
consent should be provided with the
disclosure.
The patient retains the ability to name
only specific individuals or entities to
whom their records will be disclosed.
Patients have the option to use a general
designation to designate entities with
which they have a treating provider
relationship, but are not required to do
so. Although SAMHSA received
comments suggesting that the proposed
rule makes it more difficult to disclose
necessary information to an
organization that does not have a
treating provider relationship with the
patient whose information is being
disclosed other than a 3rd party payer,
the commenters did not provide
examples of such entities. The final rule
permits the ‘‘To Whom’’ section of the
consent form to designate disclosure of
information to an entity that does not
have a treating provider relationship
with the patient whose information is
being disclosed, as long as the consent
also includes one of three options
specified in § 2.31(a)(4)(iii)(B), for
example, include the name(s) of an
individual participant(s).
PO 00000
Frm 00031
Fmt 4701
Sfmt 4700
6081
If the patient designates all my
current treating providers, and another
of the patient’s treating providers
becomes a participant in the entity that
does not have a treating provider
relationship with the patient and serves
as the intermediary, a new consent form
would not be required. For example, if
a patient designates an HIE (an entity
that does not have a treating provider
relationship with the patient whose
information is being disclosed and
serves as an intermediary) and ‘‘my
current treating providers,’’ and
subsequently another of the patient’s
treating providers becomes a participant
in the HIE, a new consent form would
not be required. In addition, more than
one HIE or other intermediary may be
listed on the consent form. With respect
to burden, SAMHSA acknowledges that
there may be burdens associated with
the revised consent requirements.
SAMHSA made these changes based on
comments from stakeholders in the field
and SAMHSA strongly believes that the
changes to ‘‘To Whom’’ will increase
flexibility for patients and providers.
b. Determination of Treating Provider
Relationship
Public Comments
A commenter agreed with SAMHSA’s
suggestion that entities must have an
established mechanism for determining
whether a treating provider relationship
exists. However, several commenters
stated that determining who has a
treating provider relationship would be
difficult. Commenters expressed
concern that entities do not currently
have mechanisms in place to determine
whether a treating provider relationship
exists with the patient whose
information is being disclosed. Another
commenter asked how an HIE would be
able to determine which participants
have a past/present/future treating
provider relationship with the patient.
A commenter stated that creating this
mechanism would require additional
resources and would discourage entities
from sharing necessary data. Another
commenter recommended a provision
that exempts the provider from liability
when relying in good faith on an
attestation or representation from an
outside treating provider.
Several commenters expressed
concern that once a consent reflecting a
general designation of recipients with a
treating provider relationship has been
executed and relied upon by the part 2
program, there is no method by which
the program can ensure that the
recipients are properly authenticated by
the HIE or research institution.
Commenters suggested the proposed
E:\FR\FM\18JAR6.SGM
18JAR6
6082
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
rule should specify that the HIE, ACOs,
CCOs or research institution, as well as
the recipient that has a treating provider
relationship with the patient, be
responsible for ensuring that the
recipient is actually a treating provider
and that the disclosure is appropriate
under part 2.
A commenter requested clarification
on whether care managers would be
included as having a ‘‘treating provider
relationship.’’ Another commenter
requested clarification as to whether
care coordinating entities that have a
treating provider relationship may
assign additional designees under the
general designation (e.g., treatment
providers with different levels of care or
recovery services).
Commenters recommended the
language in the ‘‘To Whom’’ clause state
‘‘my treating providers’’ or ‘‘my service
providers.’’ A commenter recommended
‘‘my substance use disorder providers’’
or ‘‘my treating providers except Dr.
John Doe.’’ Another commenter
recommended ‘‘my treating providers
and transferring HIEs’’
SAMHSA Response
Although SAMHSA understands the
concerns about further clarifying when
an entity is considered a treating
provider, it respectfully declines to
provide more specificity in the final rule
than was included in the NPRM. The
arrangements between treating
providers and other entities evolve too
rapidly to be comprehensively
addressed in regulations. Although,
SAMHSA has not revised the proposed
text, SAMHSA may provide additional
subregulatory guidance in the future if
further clarification is needed. In
addition, only individuals and entities
that meet the definition of having a
treating provider relationship with a
patient are considered treating
providers. The determination is factspecific. Consistent with the NPRM,
SAMHSA continues to encourage
innovative solutions to implement this
provision. For example, an HIE could
have a policy in place requiring their
participant providers to attest to have a
treating provider relationship with a
patient, or provide a patient portal
where patients designate their treating
providers.
mstockstill on DSK3G9T082PROD with RULES6
c. Requests for Clarification
Public Comments
Some commenters requested
clarification regarding the patient’s role
in consent, including the patient’s
ability to alter their consent, how
patients can authorize disclosures to
non-health entities other than third-
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
party payers, and what the impact
would be if a patient failed to designate
past, present, and future disclosures.
One commenter stated that, if a patient
designates an entity without a treating
provider relationship and ‘‘my treating
providers’’ without further specifying
‘‘past, present, or future,’’ it should be
assumed that the intent is to designate
‘‘current’’ treating providers.
SAMHSA Response
Patients may designate on the consent
form a specific individual(s) with whom
they either have or do not have a
treating provider relationship and/or a
specific entity(-ies) with whom they
have a treating provider relationship.
Consents for disclosures to entities that
do not have a treating provider
relationship (other than third-party
payers) require at least one of the
following: (1) The name(s) of an
individual participant(s); (2) the name(s)
of an entity participant(s) that has a
treating provider relationship with the
patient whose information is being
disclosed; or (3) a general designation of
an individual or entity participant(s) or
a class of participants that must be
limited to a participant(s) who has a
treating provider relationship with the
patient whose information is being
disclosed.
If a patient uses a general designation
and lists ‘‘my treating providers’’
without further specifying ‘‘past,
current, or future,’’ it should be
presumed that the intent is to designate
‘‘current’’ treating providers. Finally, a
patient can revoke a consent at any
time, except to the extent that the part
2 program or other lawful holder of
patient identifying information that is
permitted to make the disclosure has
already acted in reliance on it. Acting in
reliance includes the provision of
treatment services in reliance on a valid
consent to disclose information to a
third-party payer.
Public Comments
Other commenters requested
clarification regarding entity roles,
including whether a CCO can request a
single consent for multiple purposes
(e.g., care coordination, treatment, and
payment); whether providers need to
maintain the variety of forms to meet
the requirements of § 2.31(a)(4); what
limitations (if any) would be placed on
HIE entities or research institutions
using substance use disorder
information received via the new
consent process, specifically whether
the disclosure would not be limited to
treatment purposes; and whether an
HIE-to-HIE disclosure is permissible
and, if so, for what purposes. A few
PO 00000
Frm 00032
Fmt 4701
Sfmt 4700
commenters asked whether it would be
permissible to list multiple HIEs on a
consent form. Similarly, another
commenter recommended SAMHSA
adopt a broad definition of an HIE to
allow a ‘‘network of networks,’’ such as
the statewide health information
network to be considered an HIE. A
commenter requested clarification as to
whether 42 CFR part 2 information can
flow through other HIEs not designated
on the consent form to transfer the
information to the recipient.
A few commenters requested
clarification on how the proposed
changes would impact multi-party
consent forms that allow disclosure
‘‘among and between’’ all the parties
listed on the form. Similarly, a
commenter requested clarification
regarding the ‘‘To Whom’’ and ‘‘From
Whom’’ definitions and how they would
apply between two providers to whom
a patient has independently given
consent to receive information, urging
that the definitions be general and
consistent so that they allow for bidirectional flow of information.
A commenter said SAMHSA should
clarify that the provision of general
consent to disclosure of substance use
disorder treatment also applies to
disclosure of information between those
responsible for treatment in the
community and those responsible for
treatment in correctional settings.
SAMHSA Response
Under the changes to the consent
requirements, an entity that does not
have a treating provider relationship
with the patient may further disclose,
with a part 2-compliant consent, to a
named individual who does not have a
treating provider relationship with the
patient.
Section 2.31(a)(4) of the consent
requirements may be completed with
one or more recipients. Section
2.31(a)(5) of the consent requirements
requires that the consent form include
the purpose of the disclosure. Part 2
allows the use of a single consent form
authorizing the disclosure of part 2
patient information to different
recipients for different purposes.
However, part 2 also requires a consent
form to specify the amount and kind of
information that can be disclosed,
including an explicit description of the
substance use disorder information that
may be disclosed, to each of the
recipients named in the consent. The
amount of information to be disclosed
‘‘must be limited to that information
which is necessary to carry out the
purpose of the disclosure (see § 2.13(a)).
This will vary depending on the
different purposes for which different
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
recipients are being allowed to access or
receive the information. Thus the
consent form would have to be
structured to make it clear what
information may be given to each of the
recipients, and for which purposes.
Disclosure of patient identifying
information made with the patient’s
written consent must be accompanied
by a written notice regarding the
prohibition on re-disclosure (see § 2.32).
This notice informs them that 42 CFR
part 2 prohibits the recipients of the
patient identifying information from redisclosing it to any individual or
organization not specified in the
consent form unless otherwise
permitted under the part 2 statute or
regulations.
The rule includes an additional
patient safeguard, in which patients
who have included a general
designation in the ‘‘To Whom’’ section
of their consent form (see § 2.31) must
be provided, upon request, a list of
entities to which their information has
been disclosed pursuant to the general
designation.
With respect to multi-party consent,
SAMHSA is not finalizing the ‘‘From
Whom’’ provision (2.31(a)(2)) as
proposed for the reasons discussed in 4.
‘‘From Whom.’’ Therefore, consents may
authorize disclosures ‘‘among and
between’’ the parties designated in the
‘‘To Whom’’ and ‘‘From Whom’’
sections of the consent form.
Public Comments
Some commenters requested
clarification regarding aspects of the
‘‘To Whom’’ provision, such as what
would happen if a person does not want
to give a general designation; how the
process of designating past, present, and
future treating providers would work in
practice; whether a Performing Provider
System (PPS) could be assigned in the
‘‘To Whom’’ section of the consent form;
and whether a health care organization
would be an appropriate entity to be
named for disclosure.
With regard to third-party payers, a
commenter asked whether a general
designation for third-party payers could
be used for other purposes, such as care
coordination, population health, or
other services that may fall under the
definition of health care operations
within the meaning of HIPAA. Some
commenters recommended that thirdparty payers should not have to be listed
in the ‘‘To Whom’’ section of the
consent form.
SAMHSA Response
With regard to third-party payers, the
regulations require written consent for
disclosure of patient identifying
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
information to third-party payers. The
statute does not provide an exception to
this consent requirement. However,
with respect to patients who have both
a substance use disorder and a mental
illness, § 2.15 of the regulations states
that, in the case of a patient, other than
a minor or one who has been
adjudicated incompetent, that for any
period suffers from a medical condition
that prevents knowing or effective
action on their own behalf, the part 2
program director may exercise the right
of the patient to consent to a disclosure
under subpart C of this part for the sole
purpose of obtaining payment for
services from a third-party payer. In
addition, in the case of minor patients,
§ 2.14 of the regulations states the
regulations do not prohibit a part 2
program from refusing to provide
treatment until the minor patient
consents to the disclosure necessary to
obtain reimbursement, but refusal to
provide treatment may be prohibited
under a state or local law requiring the
program to furnish the service
irrespective of ability to pay.
If an individual does not want to use
a general designation, they have several
other options, which are enumerated in
§ 2.31(a)(4) of this final rule.
If a patient does not designate
‘‘current, past, and/or future’’ treating
provider(s), the presumption is that the
patient means ‘‘current treating
provider(s).’’ SAMHSA may, after
publication of this final rule, also
provide further clarification on this
process of designating past, present, and
future treating providers in
subregulatory guidance.
Whether a PPS or a health care
organization may be listed in the ‘‘To
Whom’’ section of the consent form
depends upon whether they have a
treating provider relationship with the
patient whose information is being
disclosed. If an entity does have a
treating provider relationship with the
patient, the entity name may be listed
on the consent (see § 2.31(a)(4)(ii)).
However, if the entity does not have a
treating provider relationship with the
patient whose information is being
disclosed, and is not a third-party payer,
the entity name may be listed on the
consent form as long as one or more of
the following is also listed: (1) The
name(s) of an individual participant(s);
(2) the name(s) of an entity
participant(s) that has a treating
provider relationship with the patient
whose information is being disclosed; or
(3) a general designation of an
individual or entity participant(s) or a
class of participants that must be
limited to those participants who have
a treating provider relationship with the
PO 00000
Frm 00033
Fmt 4701
Sfmt 4700
6083
patient whose information is being
disclosed.
SAMHSA plans to address issues
concerning third-party payer use and
disclosure of part 2 information in
greater detail in an SNPRM.
d. Commenter Recommendations
Public Comments
Commenters recommended more
flexibility in the ‘‘To Whom’’ section.
Commenters recommended that
SAMHSA expand the general
designation to include all of the various
participants in the modern health care
system and their respective activities:
Providers, care managers, health plans
and ACOs, MCO services, CCOs, and
similar integrated health care networks.
One commenter said the general
designation should include those who
do not have a treating provider
relationship with the patient but who/
which require access to the patient’s
information solely in relation to
fulfilling a specific function for the
benefit of the individual or entity that
has the treating provider relationship
with specific patients. Another
commenter requested that SAMHSA
allow patients to generally consent to
disclose information to any company
assisting in processing their insurance
claims. Another commenter suggested
that patients be able to name as many
treating providers as they wish under
the general designation. One commenter
said patients should be permitted to
provide a generalized consent for all of
their previous providers to disclose
information. One commenter said
generic consent (i.e., disclosure through
an HIE) is all that should be required
because SAMHSA has previously
provided guidance that HIEs may have
access to part 2 information under a
QSO agreement without patient consent.
A commenter said the rule should allow
for the general designation of certain
types of non-treating providers, rather
than require a listing of the name of
each entity.
In contrast, other commenters
suggested increased limitations on the
‘‘To Whom’’ designation. A commenter
proposed excluding health information
networks and health information
organizations (HIOs) from being
specifically identified on patient
consent form because they are not true
recipients of patient health information
and simply facilitate electronic
exchange of information. One
commenter recommended that
SAMHSA preserve the patient’s right of
consent to disclosures only to
specifically identified practitioners
E:\FR\FM\18JAR6.SGM
18JAR6
6084
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
involved in their mental health
treatment.
Regarding third-party payers, several
commenters recommended allowing
third-party payers to act as
intermediaries for purposes of sharing
substance use disorder information,
allowing them to share information with
all of the patient’s treating providers.
Another commenter requested general
designation for third-party payers. To
accommodate the operational realities of
Medicaid, a commenter stressed that the
rule should explicitly provide that
consent to disclose covered data to
Medicaid constitutes consent to release
such data to Medicaid or to the payer’s
contracted entity (e.g. the MCO) to
apply to both entities as a third-party
payer. Similarly, another commenter
recommended that the rule consider a
designation to the name of the state
agency, the MCO, or simply Medicaid as
consent that applies to the state and its
contracted delivery system, reasoning
that not all Medicaid beneficiaries
understand their health care system.
SAMHSA Response
SAMHSA acknowledges the
commenters’ concerns related to the
recommendations above. SAMHSA has
concluded that the proposed changes to
the consent requirements would
facilitate care coordination and
information exchange. Improving the
quality of substance use disorder care
depends on effective collaboration of
mental health, substance use disorder,
general health care, and other service
providers in coordinating patient care.
However, the composition of a health
care team varies widely among entities.
Because SAMHSA wants to ensure that
patient identifying information is only
disclosed to those individuals and
entities on the health care team with a
need to know this sensitive information,
we are limiting a general designation to
those individuals or entities with a
treating provider relationship. Patients
may further designate their treating
providers as ‘‘past,’’ ‘‘current,’’ and/or
‘‘future’’ treating providers. In addition,
a patient may designate, by name, one
or more individuals on their health care
team with whom they do not have a
treating provider relationship. SAMHSA
clarifies that a QSO can be used to share
part 2 information with the HIE when
the HIE is a service provider to the part
2 program, but the QSO cannot be used
to share information with the members
of an HIE without patient consent.
As for third-party payers and others,
SAMHSA must balance the need for and
benefits of care coordination with the
need for consent and the requirements
of the part 2 governing statute.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
SAMHSA declines to adopt commenter
recommendations to allow third-party
payers to serve as intermediaries that
could share information with all the
patient’s treating providers because we
conclude that the ‘‘To Whom’’ consent
requirements are sufficiently broad to
cover the necessary components of a
patient’s care team. For purposes of
payment-related activities, to the extent
that federal or state law authorizes or
requires that the Medicaid or Medicare
agency or program share data or enter
into a contractual arrangement or other
formal agreements to do so, consent to
disclose patient identifying information
to the agencies or programs (as a thirdparty payer) under section
2.31(a)(4)(iii)(A) is considered to extend
to the contractors and subcontractors of
the agencies or programs.
Commenters have provided SAMHSA
with informative feedback on how
lawful holders, including third-party
payers and others within the healthcare
industry, use health data or hire others
to use health data on their behalf to
provide operational services such as
independent auditing, legal services,
claims processing, plan pricing and
other functions that are key to the dayto-day operation of entities subject to
this rule. Those comments indicate that
there may be varying interpretations of
the part 2 rule’s restrictions on lawful
holders and their contractors’ and
subcontractors’ use and disclosure of
part 2-covered data for purposes of
carrying out payment, health care
operations, and other health care related
activities. In consideration of this
feedback and given the critical role
third-party payers, other lawful holders,
and their contractors and subcontractors
play in the provision of health care
services, SAMHSA is issuing an SNPRM
to seek further comments and
information on this matter before
establishing any appropriate
restrictions.
Public Comments
Instead of listing organizations in the
‘‘To Whom’’ section, a commenter
recommended that a consent form
should specify the reasons for
disclosure (e.g. care coordination,
management of benefits).
SAMHSA Response
In addition to the ‘‘To Whom’’
section, the consent form is required to
include how much and want kind of
information is to be disclosed, including
an explicit description of the substance
use disorder information that may be
disclosed. In addition, the consent form
must include the purpose of the
disclosure. All the required elements
PO 00000
Frm 00034
Fmt 4701
Sfmt 4700
must be included on the consent form.
SAMHSA declines to make the
suggested change to allow the
‘‘Purpose’’ of the consent to dictate the
recipients of the patient identifying
information. The intent of SAMHSA’s
approach to the ‘‘To Whom’’ section of
the consent form is to provide the
patient options for the degree to which
they will be able to identify, at the point
of consent, who they are authorizing to
receive their information.
Public Comments
A commenter stated that SAMHSA
should explicitly recognize and include
health plan care services, such as
managed care, care coordination, case
management and other integrated care
activities as part of the required
elements for written consent for entities
that do not have a treating provider
relationship with the patient under
proposed § 2.31(a)(4)(iv).
A commenter stated any privacy
concerns could be fixed by requiring (1)
a general designation of a class of
participants with a treating provider
relationship; and (2) that the disclosing
organization provide patients, upon
request, a list entities to which their
information has been disclosed.
A commenter proposed that
§ 2.31(a)(4) be revised to allow a general
designation to be used whenever there
is a ‘‘treating provider relationship’’ or
a ‘‘care management relationship.’’ The
commenter stated the ‘‘care
management relationship’’ should be
defined to include the concepts of
assistance in obtaining appropriate care,
care coordination, and assistance in the
implementation of a plan of medical
care.
A couple of commenters suggested
SAMHSA revise proposed
§ 2.31(a)(4)(iv)(C) to read: ‘‘. . . to a
participant(s) who has a treating
provider relationship with the patient at
the time the disclosure is made.’’ (Note,
the relevant text is now found at
§ 2.31(a)(4)(iii)(B)(3) due to renumbering
of the final regulation.) The commenters
stated this would make it clear that
participants who develop a treatment
relationship with the patient after the
date the consent can gain access.
Commenters recommended that the
general authorization mirror the
authorization under HIPAA to ease the
transition and reduce compliance
issues.
A commenter recommended
SAMHSA work with other federal
entities that are exploring parity
enforcement to ensure that the proposed
rule changes would not create barriers
for states working on enforcement of the
parity law.
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
If a patient notes their information
may be shared with current and future
health care providers, one commenter
said the specific name of the ACO or
other provider should not be required.
SAMHSA Response
SAMHSA declines to explicitly
recognize and include health plan care
services, such as managed care, care
coordination, case management and
other integrated care activities as part of
the required elements for written
consent for entities that do not have a
treating provider relationship with the
patient under proposed § 2.31(a)(4)(iv),
or broaden the ‘‘treating provider
relationship’’ to also include a ‘‘care
management relationship.’’ The
definition of ‘‘Treating provider
relationship’’ is sufficiently broad to
cover the necessary components of a
patient’s care team.
A commenter stated any privacy
concerns could be fixed by requiring (1)
a general designation of a class of
participants with a treating provider
relationship; and (2) that the disclosing
organization provide patients, upon
request, a list of entities to which their
information has been disclosed. Another
commenter wanted to delete the
requirement of naming the entity
without a treating provider relationship
with the patient whose information is
being disclosed. SAMHSA is retaining
the consent requirements discussed in
this section of the preamble because we
believe it balances increased flexibility
with necessary privacy protections.
SAMHSA declines to mirror the
authorization under HIPAA to ease the
transition and reduce compliance
issues, as a commenter suggested,
because, due to its targeted population,
part 2 provides more stringent federal
protections than most other health
privacy laws, including HIPAA.
SAMHSA may, after publication of
this final rule, provide further
subregulatory guidance on specific
concerns, such as states working on
enforcement of the parity law.
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Several commenters recommended
splitting proposed § 2.31(a)(4)(iv) into
two sections. The first would contain
special provisions governing disclosures
made through HIEs and would retain
the references to ‘‘individual
participants’’ and ‘‘entity participants.’’
The second would cover all entities that
do not fall into any of the other
categories in proposed paragraph
(a)(4)(iv); in these cases, the specific
entity to which disclosure is made
would have to be specified.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
SAMHSA Response
SAMHSA proposed § 2.31(a)(4)(iv) to
apply to an entity (1) that does not have
a treating provider relationship with the
patient whose information is being
disclosed, and (2) is not a third-party
payer. Therefore, SAMHSA declines to
make the recommended changes. We
note, however, that due to re-numbering
the proposed § 2.31(a)(4)(iv) provision is
found in the final regulation at
§ 2.31(a)(4)(iii)(B).
Public Comments
A commenter recommended that the
use of multi-party consents be
permissible even when the ‘‘To Whom’’
section contains a general designation,
and that the party(ies) named in the ‘‘To
Whom’’ section be permitted to redisclose patient information if the
patient has consented to such redisclosures in order to allow patients’
treating providers to communicate with
each other (pursuant to patient consent)
within networks like HIE and integrated
care organizations. Another commenter
stated that the general designation is a
step in the right direction but the
proposed rule would add a burdensome
accounting, which is not required for
disclosures pursuant to a valid
authorization under HIPAA.
SAMHSA Response
On the issue of multi-party consent, a
multi-party consent can be achieved by
allowing for bi-directional
communication using the general
designation in both the ‘‘To Whom’’ and
‘‘From Whom’’ sections of the consent.
It can also be created by naming
multiple individuals with or without a
treating provider relationship with the
patient whose information is being
disclosed or entities with a treating
provider relationship with the patient
whose information is being disclosed in
the ‘‘To Whom’’ and ‘‘From Whom’’
sections of the consent. The key is to
make sure the consent form authorizes
each party to disclose to the other ones
the information specified and for the
purpose specified, in the consent. The
‘‘To Whom’’ and ‘‘From Whom’’
sections of the consent provisions of the
final rule will permit multi-party
consents.
With respect to the comment
regarding the additional burden of the
List of Disclosures associated with the
use of a general designation on the
consent form, SAMHSA addressed this
issue in Section F.3, in the preamble
discussion of Confidentiality
Restrictions and Safeguards (§ 2.3). That
discussion emphasizes the fact that
there is no timeframe in which part 2
PO 00000
Frm 00035
Fmt 4701
Sfmt 4700
6085
programs and lawful holders need to
comply with the List of Disclosures
systems requirements; the final rule
only requires that if they choose to
disclose information pursuant to a
general designation on the ‘‘To Whom’’
part of the consent form, they must also
be capable of providing a List of
Disclosures upon request per § 2.13(d).
e. Proposed Alternative Approach for
‘‘To Whom’’ Section
SAMHSA is not finalizing the
alternative approach to the ‘‘To Whom’’
consent provision. In the NPRM,
SAMHSA proposed an alternative
approach for the ‘‘To Whom’’ aspect of
a consent form that attempted to reflect
the same policy goal as the proposed
regulation text while attempting to
simplify the language that would appear
on the consent form. This alternative
approach would not change the existing
language in the ‘‘To Whom’’ section of
the consent form. Under this alternative
approach, SAMHSA proposed to add a
definition of ‘‘organization’’ to § 2.11.
Organization would mean, for purposes
of § 2.31, (a) an organization that is a
treating provider of the patient whose
information is being disclosed; or (b) an
organization that is a third-party payer
that requires patient identifying
information for the purpose of
reimbursement for services rendered to
the patient by a part 2 program; or (c)
an organization that is not a treating
provider of the patient whose
information is being disclosed but that
serves as an intermediary in
implementing the patient’s consent by
providing patient identifying
information to its members or
participants that have a treating
provider relationship, as defined in
§ 2.11, or as otherwise specified by the
patient.
Public Comments
No commenters expressed support for
the proposed rule’s alternative approach
to required elements as stated. One
commenter said the alternative
approach would impose fewer burdens
on patients and part 2 entities but did
not agree with the restriction on
dissemination to only treating entities.
Another commenter supported the
proposed alternative if it results in only
the name of the HIE and not its
participants being listed on the consent
form.
Several commenters expressed
general opposition to the proposed
alternative approach. One commenter
stated that redefining ‘‘organization’’ to
make it more expansive would lead to
erosion of trust and would have a
chilling effect on the communications
E:\FR\FM\18JAR6.SGM
18JAR6
6086
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
necessary for effective treatment.
Another commenter stated that a more
expansive definition of ‘‘organization’’
may defeat a patient’s intent because a
patient would have less notice that their
information could be disclosed to an
entity not specifically named on the
consent form.
SAMHSA Response
Based on the comments, SAMHSA
has not adopted the alternate approach.
Although a few commenters supported
the adoption of the broad definition of
‘‘organization,’’ none provided
sufficient information to determine how
that definition could be implemented to
protect the patient’s information from
disclosure to parties without a need to
know. It is also unclear how the List of
Disclosures requirement would be
applied under a broader definition of
‘‘organization.’’ SAMHSA, therefore, has
not adopted a definition of
‘‘organization.’’ SAMHSA disagrees
with the recommendation that
disclosure to a wider range of entities
should be allowed without the patient’s
specific consent.
3. Amount and Kind
SAMHSA is adopting this aspect of
the proposal. SAMHSA has moved the
former § 2.31(a)(5), ‘‘Amount and Kind’’
provision, to § 2.31(a)(3) and revised the
provision to require the consent form to
explicitly describe the substance use
disorder-related information to be
disclosed. The designation of the
‘‘Amount and Kind’’ of information to
be disclosed must have sufficient
specificity to allow the disclosing
program or other entity to comply with
the request.
mstockstill on DSK3G9T082PROD with RULES6
a. General
Public Comments
Many commenters provided feedback
on the proposed rule’s ‘‘Amount and
Kind’’ requirements on a patient’s
consent form. A few commenters
generally supported the provision.
However, several commenters generally
disagreed with the proposed provision
because it would either decrease or fail
to improve the sharing of patient
information; would hamper integrated
care; would result in consent forms
routinely becoming outdated; patients
should not decide what information is
disclosed; and the current (1987) rule
language is adequate for protection of
patient privacy.
Some commenters said the rule
should continue to allow a general
description of the type of information
being disclosed. Other commenters
asked SAMHSA to clarify why the
revision of the regulatory language was
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
necessary and why specific information
is preferable to simply stating that the
consent form covers all the records
maintained by the part 2 program.
SAMHSA Response
The designation of the ‘‘Amount and
Kind’’ of information to be disclosed
must explicitly describe the substance
use disorder-related information to be
disclosed and have sufficient specificity
to allow the disclosing program or other
entity to comply with the request.
However, the entity creating the consent
form may provide options by including
free text space, or choices based on a
generally accepted architecture (e.g. the
Consolidated-Clinical Document
Architecture (C–CDA)), or document
(e.g. the Summary of Care Record as
defined by CMS for the EHR Incentive
Programs). It is permissible to include
‘‘all my substance use disorder
information’’ as long as more granular
options are also included.
Nothing in the rule would prevent the
development and use of broad
categories of the substance use disorderrelated information on the Amount and
Kind section of the consent form. The
types of information that might be
requested include diagnostic
information, medications and dosages,
lab tests, allergies, substance use history
summaries, trauma history summary,
elements of a medical record such as
clinical notes and discharge summary,
employment information, living
situation and social supports, and
claims/encounter data. If options are
provided, it is also permissible to
provide check boxes next to each
option.
b. Impact of the Amount and Kind
Requirement on Providers and Patients
Public Comments
Commenters expressed concern that
the proposed ‘‘Amount and Kind’’
provision would be unduly burdensome
for providers, thus obstructing
communications. Several commenters
stated that the proposed rule would
require both patients and providers to
have an in-depth understanding of the
precise terms used for substance use
disorder information. Some commenters
thought this would put undue burden
on patients. Other commenters argued
that the ‘‘Amount and Kind’’
requirement would place an additional
burden on patients to anticipate future
care and/or continually update their
consent forms. Similarly, commenters
stated that patients do not know what
information is necessary to support their
treatment, which could lead to
important information being omitted.
PO 00000
Frm 00036
Fmt 4701
Sfmt 4700
Commenters argued that the ‘‘Amount
and Kind’’ provision would require
requesting health providers to know the
format, titling, and nomenclature used
for substance use disorder information
in the part 2 program.
A commenter argued that many
patients would want all of their
substance use disorder information
disclosed if it would improve the
quality and coordination of their care.
Many commenters recommended that
patients should be able to sign a consent
to sharing their entire record (i.e., a
global consent), with some arguing that
the form should include a statement that
covers ‘‘all my records,’’ ‘‘all my
substance abuse records,’’ ‘‘entire
record’’ and/or ‘‘full record.’’ Other
commenters said patients should be able
to choose via a check box ‘‘substance
abuse treatment information’’ or
authorize the entire medical record and
list what cannot be disclosed. Several
commenters stated that an exhaustive
list of check boxes on the consent form
would be confusing for many patients.
Some commenters said patients
should be able to designate an option for
overall record release with an option for
further specification of dates and
materials to be released from the
substance use disorder record. However,
another commenter said selections
should be ‘‘all or nothing’’ to enable
providers to exchange information with
HIE, ACO, CCO or a similar entity
according to the patient’s consent
directive with other providers.
SAMHSA Response
The patient will be aware that they
have substance use disorder information
and can make a determination whether
they want that information disclosed.
The 1987 final rule part 2 regulations
require the patient to list ‘‘how much
and what kind of information is to be
disclosed’’ (§ 2.31(a)(5)). SAMHSA has
revised the provision to require that the
consent form explicitly describe the
substance use disorder information to be
disclosed to ensure patients understand
they are disclosing the specified
substance use disorder information. The
amount of specificity patients wish to
include in the ‘‘Amount and Kind’’
section of the consent form is left to
them, as long as it has sufficient
specificity to allow the disclosing
program or other entity to comply with
the request. As such, this section does
not prohibit a patient from listing ‘‘all
my substance use disorder information’’
or ‘‘none of my substance use disorder
information.’’ However, the Amount
and Kind section of a consent form must
accommodate more specific options. As
stated previously, nothing in the rule
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
would prohibit the inclusion on a
consent form of broad categories of the
substance use disorder-related
information that would generally appear
in patient records to assist patients in
identifying the information they wish to
disclose. In developing broad categories
of information to be included on the
consent form, part 2 programs and other
lawful holders of patient identifying
information would need to take into
consideration reading level standards
and the concepts of plain language. The
rule does not require further consent
when new information is added to the
substance use disorder record if the new
information is covered by the ‘‘Amount
and Kind’’ section on the consent form.
If the ‘‘Amount and Kind’’ section does
include specificity that the patient
doesn’t understand, the party obtaining
the consent should explain it to the
patient. SAMHSA may, after publication
of this final rule, issue in subregulatory
guidance information for educating staff
and patients. We are reliant on the
provider to be clear to patient, which
has always been the case.
mstockstill on DSK3G9T082PROD with RULES6
c. Required Substance Use Disorder
Information on Consent Forms
Public Comments
Some commenters said the level of
detail required in the ‘‘Amount and
Kind’’ section of the consent form was
unrealistic, unnecessary, and confusing.
A commenter argued that the level of
detail required by the rule was at odds
with the general designations necessary
for information exchange. A commenter
stated that EHR infrastructure may not
be able to categorize and segregate
information as described in proposed
§ 2.31(a)(3).
Some commenters urged SAMHSA to
simplify or otherwise revise this section
of the consent form. A commenter
recommended that the list could be
simplified by including standardized
fields on the consent form that align
with information commonly found on a
Continuity of Care Document (CCD).
Commenters recommended narrowing
the list to several broad categories (e.g.
employment information, living
situation, social supports). A commenter
stated that if more specific categories
were needed, the patient could write in
their own terms. Some commenters said
the elements and extent of the consent
should be the same under part 2 as it is
in HIPAA. Other commenters said
SAMHSA should use the required
elements of a Summary of Care Record
as defined by CMS for the EHR
Incentive Program as a basis for the
‘‘kind’’ and ‘‘type’’ of information able
to be disclosed. Another commenter
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
said SAMHSA should defer to the
expertise of health plans to determine
what is necessary for a treating provider
to know about substance use disorder.
SAMHSA Response
The types of information that might
be requested include diagnostic
information, medications and dosages,
lab tests, allergies, substance use history
summaries, trauma history summary,
employment information, living
situation and social supports, and
claims/encounter data. However, the
entity creating the consent form may
provide options to include free text
space, or choices based on a generally
accepted architecture or document such
as the C–CDA, or Summary of Care
Record, as defined by CMS for the EHR
Incentive Program. It is permissible to
include ‘‘all my substance use disorder
information’’ as long as more granular
options are also included. If options are
provided, it is also permissible to
provide check boxes next to each
option. The designation of the ‘‘Amount
and Kind’’ of information to be
disclosed must have sufficient
specificity to allow the disclosing
program or other entity to comply with
the request.
d. Requests for Clarification
Public Comments
A couple of commenters asked
SAMHSA to clarify whether the
‘‘Amount and Kind’’ section is to inform
the patient or the providers. A
commenter requested clarification on
whether multiple patient consents
would be necessary when the contents
of a record changes over time. Some
commenters requested that SAMHSA
provide more specific examples of
adequate descriptions of the type of
information being disclosed. Another
commenter recommended SAMHSA
create a sample consent form.
SAMHSA Response
The ‘‘amount and kind’’ section
informs both the patient and the
providers. It allows patients the
opportunity to specify whether all of
their substance use disorder treatment
information or only some may be
disclosed and sets the limits on what a
part 2 program or other lawful holders
may disclose. The amount and kind
section will generally cover classes of
information so that changes to the
record should not trigger the need for reconsents for the same classes of
information. SAMHSA may provide
examples or a sample consent form in
subregulatory guidance following the
publication of the final rule.
PO 00000
Frm 00037
Fmt 4701
Sfmt 4700
6087
4. From Whom
SAMHSA is not finalizing the
substantive changes that were proposed
for the ‘‘From Whom’’ provision in
§ 2.31(a)(2). In the NPRM, SAMHSA
proposed to move the 1987 § 2.31(a)(1)
‘‘From Whom’’ language of the consent
requirements provision to § 2.31(a)(2).
In addition, because SAMHSA was also
proposing, in certain instances, to
permit a general designation in the ‘‘To
Whom’’ section of the consent form,
SAMHSA proposed to require the
‘‘From Whom’’ section of the consent
form to specifically name the part 2
program(s) or other lawful holder(s) of
the patient identifying information
permitted to make the disclosure.
Public Comments
SAMHSA received comments on the
‘‘From Whom’’ section of the consent
form from a group of commenters
representing a broad spectrum of
stakeholder organizations. The
overwhelming majority of these
commenters were opposed to the
proposed change and many suggested
withdrawing the proposal in § 2.31(a)(2)
and retaining the 1987 ‘‘From Whom’’
language (§ 2.31(a)(1)).
Commenters expressed concern that
the proposed § 2.31(a)(2) could decrease
the sharing of health information; would
add complexity with little or no benefit
to patient privacy; would unnecessarily
limit the use of a consent; and may
accidentally cause the patient to omit a
provider whom they want or need to see
their data; would negatively impact
certain HIE models. A significant
majority of the comments regarding the
‘‘From Whom’’ section of the consent
form voiced strong opposition to the
proposal. A few commenters said the
proposed change would unnecessarily
limit the positive step SAMHSA took in
permitting, in certain circumstance, a
general designation in the ‘‘To Whom’’
section of the consent form. One
commenter suggested revising the
requirements on the basis that the
proposed changes do not modernize the
regulation.
SAMHSA Response
SAMHSA was persuaded by the
overwhelming opposition to the
proposed ‘‘From Whom’’ language and,
with the exception of minor technical
revisions, will retain in this final rule
the language in the current (1987)
regulation. SAMHSA made this decision
for several reasons. First, the existing
‘‘From Whom’’ requirements have been
in effect for nearly 30 years and were
based on the Department’s prior
determination that, even with a general
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6088
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
designation option, the provision did
not jeopardize patient privacy. The fact
that SAMHSA is not aware of any
reports of the current (1987) ‘‘From
Whom’’ requirement resulting in
unintended consequences further
supports this position.
Second, in the NPRM, SAMHSA
supported the elimination of the general
designation option in the ‘‘From
Whom’’ section of the consent form
based on concerns that ‘‘[t]he patient
may be unaware of possible
permutations of combining the two
broad designations (i.e., in the ‘‘To
Whom’’ and ‘‘From Whom’’ sections) to
which they are consenting, especially if
these designations include future
unnamed treating providers.’’ Based on
the comments received, we believe this
concern may have been overstated.
Commenters generally did not agree that
the ‘‘unintended consequences’’ the
NPRM postulated were likely to occur.
Commenters also asserted that
SAMHSA’s proposal shifted the burden
from the receiver to the sender of health
information and would be burdensome
both to providers and patients. In
addition, the proposed change could
undermine new models to streamline
consent.
While the option of using a general
designation in either the ‘‘To Whom’’ or
the ‘‘From Whom’’ sections (or both)
provides the patient greater flexibility,
and may result in two broad
designations, it is still ultimately the
patient’s decision whether to use these
options or to specifically name both the
disclosing and receiving parties on the
consent form. We agree with the
remarks of one commenter that the
proposed change to the ‘‘From Whom’’
section potentially undermines, rather
than supports, patient choice, which
was not SAMHSA’s intent. Another
commenter suggested that SAMHSA’s
proposed revisions may restrict multiparty consents and disclosures, such as
consents that authorize disclosures
‘‘between and among’’ the parties. These
types of consents are an important
option for part 2 programs and patients,
which SAMHSA believes would be
eliminated if it were to finalize the
proposal articulated in the NPRM.
Another characterized the proposed
change as adding greater complexity to
the consent process for patients with
little or no benefit to patient privacy.
Third, leaving the 1987 ‘‘From
Whom’’ section essentially unchanged
may reduce the burden on providers
and IT vendors to accommodate this
final regulation. HIE consortiums/
associations and state governments were
particularly concerned about the impact
of the proposed revisions on consent-to-
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
access HIE models (sometimes referred
to as a community-wide consent-toaccess model). As several commenters
said, the only way for the participant to
comply with the NPRM ‘‘From Whom’’
requirement would be for the
participant to list the name of every part
2 program in the relevant state in the
‘‘From Whom’’ section of the consent
form in order to inform the patient that
there is a possibility that one of these
programs might be the source of the
information being accessed. Not only
would this require the listing of
hundreds of providers on the face of a
consent form—effectively transforming
the document into a provider
directory—but it would also require the
listing of part 2 programs that are not
participating in the HIE, which would
be misleading and likely draw
objections from these programs.
Moreover, the identities of part 2
programs that may be sources of
information are constantly changing as
new programs are licensed or join the
HIE. This would mean that every time
a participant sought to access a patient’s
information in an HIE, it would have to
provide the patient with a consent form
listing all of these new providers, and
the participant would constantly need
to print new forms with updated lists of
part 2 programs in the state. This would
even apply in the vast majority of cases
where no part 2 information would be
exchanged, since a participant in a
consent-to-access model often does not
know whether the sought-after
information contains part 2 information
and, therefore, needs to assume that it
does. Requiring participants to print
lengthy consent forms with an updated
list of part 2 programs every time a new
part 2 program is licensed in the
relevant state (and developing a system
to inform every participant about such
updates) is simply not feasible. The
community consent-to-access model
was implemented specifically in order
to meet the spirit and letter of the 1987
part 2 regulations. In addition, federal
and state governments have invested
hundreds of millions of dollars to build
statewide health information networks
in reliance on the 1987 part 2
regulations, which allow consent forms
to have a general designation of ‘‘From
Whom’’ the records are being disclosed.
Theoretically, it is possible for part 2
programs to switch to a consent-todisclose model while all other
participants continue to operate under a
consent-to-access model.
Fourth, the flexibility provided in the
‘‘To Whom’’ and ‘‘From Whom’’
sections of the consent form are
balanced by the specificity in the
‘‘Amount and Kind’’ and ‘‘Purpose’’
PO 00000
Frm 00038
Fmt 4701
Sfmt 4700
sections of the consent form. SAMHSA
has revised the ‘‘Amount and Kind’’
element on the consent form to require
the consent form to explicitly describe
the substance use disorder-related
information to be disclosed so that
patients will be aware of the substance
use disorder information they are
authorizing to disclose when they sign
the consent form. In addition, under the
current (1987) regulation, consent forms
are required to include the purpose of
the disclosure. Any disclosure made
under these regulations must be limited
to that information which is necessary
to carry out the purpose of the
disclosure.
5. New Requirements
SAMHSA is modifying this aspect of
the proposal. SAMHSA proposed to add
two new requirements related to the
patient’s signing of the consent form.
First, SAMHSA proposed a provision
that would have required the part 2
program or other lawful holder of
patient identifying information to
include a statement on the consent form
that the patient understands the terms of
their consent. For the reasons explained
below, SAMHSA is not incorporating
this requirement into § 2.31 in this final
rule. Second, SAMHSA revised § 2.31 to
require the part 2 program or other
lawful holder of patient identifying
information to include a statement on
the consent form that the patient
understands their right, pursuant to
§ 2.13(d), to request and be provided a
list of entities to which their
information has been disclosed when
the patient includes a general
designation on the consent form.
SAMHSA is including this requirement
in the final rule (see
§ 2.31(a)(4)(iii)(B)(3)(i)).
Public Comments
A few commenters supported the
additional statement clarifying that the
patient understands the terms of
consent and their rights. One
commenter suggested expanding the
statement to include language about the
potential consequences of utilizing a
general designation in the ‘‘To Whom’’
and ‘‘From Whom’’ fields, which would
address concerns about the use of two
general designations, while preserving
the flexibility allowed in the ‘‘From
Whom’’ section of the current (1987)
regulation.
However, other commenters opposed
updating the consent requirements
because doing so would require
providers to update consent forms or
would require a separate substance use
disorder consent form. Several
commenters questioned the purpose of
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
the additional signed statement. A
commenter criticized the proposed
language and argued that it was an
attempt to avoid liability.
Several commenters argued that
patients would not have the capacity to
understand what they are signing.
Furthermore, another commenter stated
that a signed statement saying that the
patient has read the terms of the consent
does not mean the patient actually read
and understood the consent. A
commenter recommended a provision to
allow the treating physician to sign a
consent for substance use disorder
records for patients who may lack the
cognitive ability to sign a waiver.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
SAMHSA agrees with the commenters
that the requirement that the part 2
program or other lawful holder of
patient identifying information must
include a statement on the consent form
that the patient understands the terms of
their consent is unnecessary. As
commenters stated, a signature on a
confirmation statement does not assure
that the patient has, in fact, read or
understood it. It is also the case, as
commenters stated, that some patients
may not have the capacity, at the time
they are admitted, to provide an
informed consent. Therefore, SAMHSA
has eliminated this requirement.
K. Prohibition on Re-Disclosure (§ 2.32)
SAMHSA is adopting this section as
proposed except for a clarifying revision
to § 2.32(a). As discussed in the NPRM
preamble, the prohibition on redisclosure provision only applies to
information that would identify,
directly or indirectly, an individual as
having been diagnosed, treated, or
referred for treatment for a substance
use disorder and allows other healthrelated information shared by the part 2
program to be re-disclosed, if
permissible under the applicable law.
SAMHSA also clarified in the NPRM
preamble that, if data provenance (the
historical record of the data and its
origins) reveals information that would
identify, directly or indirectly, an
individual as having or having had a
substance use disorder, the information
is prohibited from being re-disclosed. In
addition, SAMHSA revised § 2.32 to
clarify that the federal rules restrict any
use of the information to criminally
investigate or prosecute any patient
with a substance use disorder, except as
provided in §§ 2.12(c)(5) and 2.65.
1. General
Public Comments
Several commenters generally
supported the prohibition on re-
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
disclosure, with some stating that the
prohibition ensured the confidentiality
of the patient’s information and would
facilitate broader sharing of information
among providers and programs in
support of integrated care, thus
increasing quality of care. A commenter
supported the delineation between
substance use disorder data and other
health-related data, particularly the
flexibility to share portions of a patient’s
record that do not fall under part 2
requirements. Another commenter
supported application of the prohibition
on re-disclosure to individuals or
entities that receive confidential
identifying information from lawful
holders.
However, many commenters generally
disagreed with the prohibition on redisclosure. Commenters argued that the
prohibition created unnecessary barriers
and challenges for health care providers
and would jeopardize patient treatment
and care coordination (e.g., due to overrestriction of medical records). One
commenter argued that the prohibition
would prevent the inclusion of
substance use disorder treatment
information within HIE, ACOs, CCOs,
and research institutions. Another
commenter stated the prohibition would
prevent substance use disorder
treatment clinics from being
incorporated into integrated care
networks. A commenter said the
prohibition on re-disclosure would
prohibit providers or payers from
correcting or supplementing knowledge
of another provider based on fear of
violating the law. Lastly, a commenter
said the proposed rules prohibition on
re-disclosure was not different from the
current (1987) regulation and therefore
no clarification was necessary.
SAMHSA Response
SAMHSA is adopting § 2.32 as
proposed except for a minor
clarification in § 2.32(a). As discussed
elsewhere in this final rule, SAMHSA is
attempting to balance the facilitation of
information exchange within new
health care models that promote
integrated care with the continued need
for confidentiality protections that
encourage patients to seek treatment
without fear of compromising their
privacy. SAMHSA acknowledges the
legitimate concerns of commenters
regarding how care coordination relates
to patient safety. However, SAMHSA
must consider the intent of the
governing statute (42 U.S.C. 290dd-2),
which is to protect the confidentiality of
substance use disorder patient records.
SAMHSA believes that the prohibition
on the re-disclosure of information that
would identify, directly or indirectly, an
PO 00000
Frm 00039
Fmt 4701
Sfmt 4700
6089
individual as having been diagnosed,
treated, or referred for treatment for a
substance use disorder comports with
its statutory mandate. SAMHSA notes
that the revisions to § 2.32 clarify that
the prohibition on re-disclosure only
applies to information that would
identify an individual as having been
diagnosed, treated, or referred for
treatment for a substance use disorder,
but does not apply to health information
unrelated to the substance use disorder,
such as treatment for an unrelated
health condition. These revisions
should minimize decisions by part 2
programs to protect an entire patient
record.
Public Comments
Several commenters argued that the
original statute for the substance use
disorder regulations did not prohibit redisclosure. Another commenter argued
that HIPAA did not exist when the
original regulations regarding substance
use disorder data were promulgated and
that the re-disclosure prohibition was
not needed in today’s legal
environment. Another commenter stated
that the re-disclosure prohibition is at
odds with the goals of The Mental
Health Parity and Addiction Equity Act
and the Affordable Care Act.
SAMHSA Response
While the statute may not be explicit
with regard to certain provisions in 42
CFR part 2, the statute directs the
Secretary to prescribe regulations to
carry out the purpose of the statute,
which may include definitions and may
provide for such safeguards and
procedures that in the judgment of the
Secretary are necessary or proper to
effectuate the purposes of this section,
to prevent circumvention or evasion
thereof, or to facilitate compliance
therewith.
Because 42 CFR part 2 and its
governing statute are separate and
distinct from HIPAA and due to its
targeted population, part 2 provides
more stringent federal protections than
most other health privacy laws,
including HIPAA. However, SAMHSA
aligned policy with HIPAA where
possible.
SAMHSA strives to facilitate
information exchange within new
health care models while addressing the
legitimate privacy concerns of patients
seeking treatment for a substance use
disorder. These concerns include: The
potential for loss of employment, loss of
housing, loss of child custody,
discrimination by medical professionals
and insurers, arrest, prosecution, and
incarceration.
E:\FR\FM\18JAR6.SGM
18JAR6
6090
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
2. Impact of Re-Disclosure Prohibition
on Patient Privacy and Patient Choice
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Several commenters expressed
concerns that the prohibition on redisclosure did not improve patient
privacy protections. A commenter stated
that the proposed changes allowed more
disclosures without patient notice,
undermining the goal of protecting a
patient’s privacy. A commenter argued
that any information given by a
substance use disorder treatment
program, including a refusal to provide
information, could identify an
individual as having a substance use
disorder (whether or not the patient
actually does) or having received
treatment for a substance use disorder.
Another commenter argued against
expanding the scope of part 2 to nonsubstance use disorder conditions
which may unfairly suggest the
presence of a substance use disorder.
Several commenters expressed
concern that the prohibition on redisclosure interfered with a patient’s
choice on whether to disclose their
medical record. Commenters argued that
the prohibition on re-disclosure
imposed an unnecessary burden on
substance use disorder patients who
wish to have the same level of quality
coordinated care as other patients.
Several commenters expressed concern
that the prohibition on re-disclosure
required patients to anticipate future
care. Several commenters argued that a
patient should be allowed to consent to
or otherwise control the re-disclosure of
their information.
SAMHSA Response
Patients may permit re-disclosures of
their information via written consent.
Part 2-compliant consent forms can
authorize an exchange of information
between multiple parties named in the
consent form. The key is to make sure
the consent form authorizes each party
to disclose to the other ones the
information specified and for the
purpose specified, in the consent. In
addition, the revised consent
requirements allow patients, under
certain circumstances, to authorize
disclosure of their information via a
general designation (e.g., to ‘‘all my
current and future treating providers’’)
rather than to specifically name each
recipient.
As SAMHSA has stated in this
regulation, the ‘‘To Whom’’ section of
the consent form can authorize a
disclosure of patient identifying
information to an entity that does not
have a treating provider relationship
with the patient whose information is
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
being disclosed and acts as an
intermediary for its participants, such as
an HIO, and a general designation of
individual and entities with a treating
provider relationship with the patient
whose information is being disclosed
that are participants. The required
statement prohibiting re-disclosure
should accompany the information
disclosed through consent along with a
copy of the part 2-compliant consent
form (or the pertinent information on
the consent form necessary for the
intermediary to comply with the signed
consent), so that each subsequent
recipient of that information is notified
of the prohibition on re-disclosure.
3. Disclosure of Information that May
Indicate a Substance Use Disorder
Public Comments
Several commenters argued that
determining which conditions and
medications would ‘‘identify a patient
as having or having had a substance
abuse order’’ would be a burden on
providers. Commenters said most staff
within an HIE do not have the
qualifications (e.g., clinical knowledge
regarding medical conditions and
medications) to distinguish which
information could indicate an
individual’s substance use disorder and
would thus need to be trained
accordingly. Commenters stressed that
the difficulty in determining what
patient information would indicate a
patient had a substance use disorder
would discourage providers and health
plans from exchanging information,
further inhibiting coordinated care and
enforcing differential treatment of
individuals with substance use
disorders.
Several commenters expressed
concern that the language of the
proposed rule was too broad. A
commenter said the provision was
problematic because many medications
are frequently related to substance use
disorder or other physical or mental
conditions, so there is a risk of
indicating a patient had a substance use
disorder whether or not the patient
actually did have a substance use
disorder. Similarly, commenters argued
that preventing disclosure of
information that suggests a substance
use disorder is too broad and would
overly restrict the information available
to health care providers, thus
endangering patient safety. A
commenter recommended that
SAMHSA interpret ‘‘identifies a patient
as having or having had a substance use
disorder’’ to mean only information that
actually identifies a patient as having a
substance use disorder, rather than
PO 00000
Frm 00040
Fmt 4701
Sfmt 4700
including information that merely
suggests that a person might have an
substance use disorder. A commenter
recommended that the provision be
interpreted as written in the rule
language, not as expansively considered
in the NPRM preamble.
One commenter argued that a
prescription for a certain drug is not
enough to identify a person as having a
substance use disorder, let alone
indicate the person is receiving care
from a substance use disorder program.
The commenter stated that this
ambiguity is sufficient to be able to say
that the information does not ‘‘identify’’
the person as having a substance use
disorder or, moreover, that they are
being treated in a program.
A commenter stated that, when the
data sharing of the records are redacted
to remove all evidence of substance use
disorder they become worthless in terms
of ensuring improved client care.
Further, this commenter said that there
is no way to ensure such redaction
would be done effectively and that there
is a high risk of inadvertent disclosure,
which cannot be made private again.
SAMHSA Response
Comments received by SAMHSA
suggest that the discussion in the NPRM
of re-disclosure regarding medications
and examples provided were not clear.
Both the proposed rule and this final
rule prohibit re-disclosure of part 2
information that would identify,
directly or indirectly, an individual as
having been diagnosed, treated, or
referred for treatment for a substance
use disorder, such as indicated through
standard medical codes, descriptive
language, or both, unless further
disclosure is expressly permitted by the
written consent of the individual whose
information is being disclosed or is
otherwise permitted by the part 2 statute
or regulations. Such information could,
in some circumstances, include part 2
information concerning a patient’s
prescription for a medication typically
used for medication-assisted treatment
or a disease or condition frequently
associated with substance use disorders.
While certain medical information in
and of itself may not identify a patient
as having a substance use disorder and
approved medications may be used for
various purposes, the context of this
preamble and § 2.32 concerns the redisclosure of information that is directly
related to the patient’s undergoing
treatment for substance use disorders.
Therefore, it is considerably more likely
that the re-disclosure of such
information would result in identifying
the patient as receiving treatment for a
substance use disorder. By contrast, a
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
patient who is not receiving such
treatment (and, therefore, whose health
information is not covered by this rule)
would not face such risks even if their
medication or condition is frequently
associated with substance use disorders.
It is also important to note that in some
cases, patients may expressly consent to
further re-disclosure and that such redisclosure may in some cases be
allowed under other provisions of this
rule. SAMHSA understands that this is
an important topic and may provide
additional subregulatory guidance on
this issue after the publication of this
final rule.
4. Technical Challenges in Preventing
Unauthorized Re-Disclosure
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Commenters expressed concern that,
due to how information is exchanged
electronically, it may be technically
difficult for the medical industry to
prevent re-disclosure. Commenters
argued that providers do not have the
technical ability to segregate substance
use disorder content and redact that
information from being sent to new
providers who use or review the record.
More specifically, a commenter argued
that EHR currently have the ability to
contribute patient data to an HIE or a
Regional Health Information
Organization (RHIO) at the patient level,
not at the services rendered level. A
commenter stated that this capability
was five to ten years away. A
commenter argued that if the outputs of
the DS4P’s pilots were refined and
required under the federal health IT
certification program, there would have
been solution for the re-disclosure of
substance use disorder information.
Several commenters expressed
concern about the lack of technical
standards. A commenter recommended
that SAMHSA adopt clear technical
methods and standards for recipients of
disclosures, by which part 2 providers
and programs would be able to identify
which records are not part 2 sensitive
and can be incorporated directly into
recipient’s EHR. Similarly, a commenter
stated there needed to be standards for
all EHR Vendors and HIEs to address
the re-disclosure prohibition.
Some commenters expressed concern
about the burden of upgrading their
record system to comply with the
prohibition on re-disclosure.
Commenters stated that the redisclosure prohibition would require
upgrades and modifications to EHR and
HIEs. A commenter stated that
SAMHSA should provide funding to
upgrade HIE systems or HIEs would be
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
likely to refuse to accept substance use
disorder data.
Many commenters said the
prohibition on re-disclosure and the
technical limitations many providers
faced in preventing re-disclosure would
have adverse impacts on sharing of
information and patient care. A
commenter stated that, due to the
technical limitations, some providers
would continue to prohibit re-disclosure
of the patient’s entire medical record.
Other commenters argued that the
technical limitations would result in
substance use disorder information
being kept out of the electronic health
care environment, leaving gaps that
could contribute to poor patient
outcomes. A commenter stated that part
2 programs would be unable to
participate in integrated care delivery
models because their system was not
equipped to segregate substance use
disorder data.
A commenter stated that SAMHSA
should encourage the expansion of
meaningful use to allow behavioral
health care providers to adopt data
segmentation technology. A commenter
stated that, in light of the EHR
requirements under meaningful use,
SAMHSA should consider ways to
reduce the burden on entities using EHR
with respect to disclosure statements
under § 2.32. Another commenter
argued that SAMHSA should simply
issue consent recommendations and
incorporate more complex structures,
such as data segmentation, in a broader
mandate or on other requirements in
order to allow sufficient time for
implementation.
SAMHSA Response
SAMHSA actively supports the
continued development of data
standards to support the integration of
substance use disorder treatment in
emerging health care models. The Data
Segmentation for Privacy (DS4P)
initiative within ONC’s Standards and
Interoperability (S&I) Framework
facilitated the development of standards
to improve the interoperability of EHRs
containing sensitive information that
must be protected to a greater degree
than other health information due to 42
CFR part 2 and similar state laws. The
DS4P standard allows a provider to tag
a C–CDA document with privacy
metadata that expresses the data
classification and possible re-disclosure
restrictions placed on the data by
applicable law. This aids in the
electronic exchange of sensitive health
information. In October 2015, ONC
adopted the DS4P standard as part of
the 2015 Edition health IT certification
criteria. The DS4P certification criteria
PO 00000
Frm 00041
Fmt 4701
Sfmt 4700
6091
require health IT to demonstrate the
ability to send and received summary
care records that are document-level
tagged. SAMHSA will continue to work
with ONC to further refine the DS4P
standard so that it can be applied to
segment data at the data element level
in the manner described in ONC’s
‘‘Connecting Health and Care for the
Nation: A Shared Nationwide
Interoperability Roadmap—Version 1.0
Final (Roadmap),’’ 2 and to accelerate
the adopting of the DS4P send and
receive standards.
Regarding re-disclosure, the primary
advantage of continuing the prohibition
on re-disclosure by recipients of a
disclosure with patient consent is that it
assures a greater measure of
confidentiality for patient identifying
information. SAMHSA strives to
facilitate information exchange within
new health care models while
addressing the legitimate privacy
concerns of patients seeking treatment
for a substance use disorder. These
concerns include: The potential for loss
of employment, loss of housing, loss of
child custody, discrimination by
medical professionals and insurers,
arrest, prosecution, and incarceration.
The prohibition on re-disclosure
predates this rulemaking and providers
were already required to comply with
the existing provision. SAMHSA
proposed only minor changes to the
provision for clarity, which should not
necessitate system upgrades. Therefore,
SAMHSA declines to respond to
comments regarding the burdens of
system upgrades to comply with the
prohibition on re-disclosure.
Finally, SAMHSA works closely with
its federal colleagues to improve the
integration of substance use disorder
treatment providers and their data.
Although the part 2 authorizing statute
does not give SAMHSA authority to
mandate data segmentation, as noted
above, DS4P was included in the ONC
2015 Edition Health IT Certification
Criteria (2015 Edition). SAMHSA has
also supported the development of the
application branded Consent2Share, an
open-source health IT solution based on
DS4P which assists in consent
management and data segmentation and
will continue to work to improve the
granularity of how the DS4P standard
operates.
2 https://www.healthit.gov/sites/default/files/hieinteroperability/nationwide-interoperabilityroadmap-final-version-1.0.pdf.
E:\FR\FM\18JAR6.SGM
18JAR6
6092
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
5. Requests for Clarification of the ReDisclosure Prohibition
Public Comments
Commenters requested clarification
on various aspects of the re-disclosure
prohibition. Some commenters asked for
clarification on what records were
subject to the re-disclosure prohibition
(e.g., the actual record, or the part 2compliant record that is now
incorporated into the physician’s notes
at the receiving institution). The
commenters requested examples of how
data may, or may not, be disclosed after
lawful receipt of part 2 data.
A commenter suggested that
SAMHSA confirm that only records that
originated at a part 2 program are
subject to the prohibition on redisclosure.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
Once patient identifying information
has been initially disclosed (with or
without patient consent), no redisclosure is permitted without the
patient’s express consent to re-disclose
or unless otherwise permitted by the
part 2 statute or regulations. Only
disclosure of patient identifying
information made with the patient’s
written consent must be accompanied
by a written notice regarding the part 2
prohibition on re-disclosure. Although
there is no requirement to provide such
written notice to individuals and
entities who receive information
through other means under the part 2
program, all lawful holders must
comply with the part 2 program
requirements, including, but not limited
to the limitations on re-disclosure.
Regarding requested confirmation that
only records originated at a part 2
program are subject to the prohibition
on re-disclosure, SAMHSA clarifies that
individuals and entities that are not
covered by part 2 that possess substance
use disorder data that did not originate
in a part 2-covered provider are not
subject to the part 2 program
requirements. However, if those
individuals and entities received that
information that is subject to part 2 via
patient consent (with or without the
notice of prohibition on re-disclosure)
or through any other means under the
part 2 program (i.e., through means that
made them a lawful holder), they would
be required to comply with part 2.
Public Comments
Several commenters asked for
clarification with regard to disclosing
prescription medications. A few
commenters asked whether prescription
medications could be disclosed without
consent if the prescriber states that the
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
prescription is not for substance use
disorder treatment. Another commenter
asked what the requirements were for
medications that are used ‘‘off label’’ to
treat substance use disorder and
medications that treat withdrawal. A
commenter asked for clarification on
whether providers in part 2 programs,
who do not reveal their part 2 program
affiliation, would be prohibited from
disclosing information about substance
use disorder prescriptions that are also
prescribed for non-substance use
disorder purposes, unless the patient
has consented to the disclosure.
SAMHSA Response
SAMHSA agrees that part 2 would
permit the disclosure of information
without patient consent relative to a
medication that is used for both
substance use disorder and nonsubstance use disorder purposes, even
when it is being prescribed for the
purpose of substance use disorder
treatment. In disclosing the information,
both the provider and the data
provenance must not identify the
provider as being affiliated with a part
2 program or prescribing the substance
use disorder medication for substance
use disorder treatment.
Public Comments
Regarding the prohibition on redisclosure, a commenter requested that
SAMHSA provide clarification on what
impact a court order has on sharing
information otherwise deemed
confidential under the part 2
regulations.
SAMHSA Response
SAMHSA has previously stated in
FAQ guidance concerning re-disclosures
that when information is disclosed
pursuant to an authorizing court order,
part 2 requires that steps be taken to
protect patient confidentiality. In a civil
case, part 2 requires that the court order
authorizing a disclosure include
measures necessary to limit disclosure
for the patient’s protection, which could
include sealing from public scrutiny the
record of any proceeding for which
disclosure of a patient’s record has been
ordered [42 CFR 2.64(e)(3)]. In a
criminal case, such order must limit
disclosure to those law enforcement and
prosecutorial officials who are
responsible for or are conducting the
investigation or prosecution, and must
limit their use of the record to cases
involving extremely serious crimes or
suspected crimes [42 CRF § 2.65(e)(2)].
Public Comments
A commenter asked how a mixed-use
mental health and substance use
PO 00000
Frm 00042
Fmt 4701
Sfmt 4700
treatment facility should handle redisclosure and how SBIRT would be
addressed under this section.
SAMHSA Response
Only the substance use disorder
information is covered by part 2. The
mental health information is not. The
prohibition on re-disclosure only
applies to information that would
identify, directly or indirectly, an
individual as having been diagnosed,
treated, or referred for treatment for a
substance use disorder, such as
indicated through standard medical
codes, descriptive language, or both,
and allows other health-related
information shared by the part 2
program to be re-disclosed, if
permissible under other applicable
laws.
6. Recommendations To Improve the
Prohibition on Re-Disclosure
Public Comments
Several commenters recommended
exclusions to the prohibition on redisclosure of substance use disorder
patient data. A commenter said patients
should be able to consent to the
disclosure of substance use disorder
information to a covered entity and such
information would be protected by
HIPAA, but would be free from the redisclosure prohibition. Some
commenters said SAMHSA should
permit re-disclosure of substance use
disorder treatment information for the
purpose of treatment and/or care
coordination. Another commenter
suggested an exemption for providers
within a given PDMP, CCO, ACO or
HIE, for the purposes of treatment,
payment, or health care operations. A
commenter said SAMHSA should allow
re-disclosures without patient consent
for public health purposes to prevent
disease or control injury or disability.
Lastly, a commenter said SAMHSA
should add a category under subpart D
‘‘Disclosures without Patient Consent’’
to include state health data
organizations that collect data under a
legislative authority.
SAMHSA Response
Due to its targeted population, part 2
provides more stringent federal
protections than most other health
privacy laws, including HIPAA. In light
of the statute, SAMHSA declines to
create the specific suggested exclusions
from the use and disclosure restrictions.
SAMHSA will specifically address
disclosures to subcontractors and
contractors for health care purposes in
the SNRPM.
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
Public Comments
Commenters requested that SAMHSA
provide guidance in several areas,
including the type of permissible
information that can be disclosed;
applicability to co-occurring disorders;
and applicability to multi-use
organizations. A commenter said
SAMHSA should publish the medical
codes (e.g., ICD–10s) that are affected by
this provision.
SAMHSA Response
As for the type of permissible
information that can be disclosed, the
proposed clarifications to § 2.32 clarify
that the prohibition on re-disclosure
only applies to information that would
identify, directly or indirectly, an
individual as having been diagnosed,
treated, or referred for treatment for a
substance use disorder, such as
indicated through standard medical
codes, descriptive language, or both,
and allows other health-related
information shared by the part 2
program to be re-disclosed, if
permissible under other applicable
laws.
Regarding the re-disclosure of
information related to co-occurring
disorders, only the substance use
disorder information is covered by part
2. The mental health information in a
patient record is not. However, part 2
programs must ensure adequate
confidentiality protections for mental
health patient data that are applicable
based on any relevant federal or state
law.
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Commenters proposed many other
recommendations to improve the redisclosure provision. One commenter
said the rule should specify the
consequences part 2 providers will face
if they violate the proposed rule’s
prohibition on re-disclosure. A
commenter said non-part 2 programs
that prescribe substance use disorder
medication should not be forbidden
from disclosing such prescriptions, nor
required to state the purpose of the
medication. A commenter said the rule
should continue to prohibit information
being shared with law enforcement for
criminal prosecution. A commenter said
SAMHSA should include an updated
sample Notice of Prohibition of Redisclosure in the final rule. One
commenter said patients should have
the ability to remove their substance use
disorder history from their medical
record after ten years. A commenter said
SAMHSA should rescind the proposed
prohibition on re-disclosure relative to
general designations and advocate for
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
the medical community to do more
within their industry to recognize and
provide appropriate, comprehensive
care for those living with substance use
disorders.
SAMHSA Response
Regarding the consequences for
violation of the re-disclosure
prohibition, each disclosure made with
the patient’s written consent must be
accompanied by the notice of
prohibition on re-disclosure. Under 42
U.S.C. 290dd–2 (f), any person who
violates any provision of this section or
any regulation issued pursuant to this
section shall be fined in accordance
with Title 18.
Regarding the comment on non-part 2
prescribers, prescribers that are not
covered by part 2 are not prohibited
from disclosing such prescriptions nor
required to specify the purpose of such
prescriptions.
On prohibition of information being
shared with law enforcement for
criminal prosecution, this prohibition
remains in effect. Specifically,
SAMHSA has clarified § 2.32(a) to state
‘‘[t]he federal rules restrict any use of
the information to criminally investigate
or prosecute any patient with a
substance use disorder, except as
provided at §§ 2.12(c)(5) and 2.65.’’
Public Comments
A commenter stated that individuals
or entities who are not part 2 programs
may not be familiar with the specific
consent requirements of part 2, so the
next-to-last sentence of § 2.32 should
include a citation to § 2.31.
SAMHSA Response
SAMHSA appreciates the suggestion
and has revised § 2.32 to add a reference
to the § 2.31 to the penultimate sentence
in paragraph (a).
L. Disclosures to Prevent Multiple
Enrollments (§ 2.34)
SAMHSA is adopting this section as
proposed. SAMHSA has modernized
§ 2.34 by updating terminology and
revising corresponding definitions.
SAMHSA also consolidated definitions
by moving definitions from this section
to the part 2 definitions provision
(§ 2.11), as discussed in Section III.D.
Public Comments
A few commenters supported
disclosures to prevent multiple
enrollments. Some urged the proposed
regulations to go further and specifically
allow registries in the form of HIEs or
PDMPs to share controlled substance
prescriptions in the same manner that it
would allow withdrawal management or
PO 00000
Frm 00043
Fmt 4701
Sfmt 4700
6093
maintenance treatment programs. The
aim would be to prevent multiple
prescribing of prescription drugs that
can be abused. Other commenters
argued that the registry should be
available to check enrollment beyond
200 miles. Asserting that the
requirement to list every site that may
be contacted in the consent document is
an unusual burden, one of these
commenters suggested that the concern
can be better addressed by indicating
‘‘any licensed treatment center within
the state when a patient presents for
treatment.’’ One commenter requested
clarification as to what type of ‘‘central
registry’’ is being considered for
disclosure of patient records. Another
suggested language that allows for
multiple payments to providers in
situations where clients are enrolled in
multiple programs and where programs
may be obtaining multiple payments for
multiple services.
SAMHSA Response:
Central registries, defined as ‘‘an
organization that obtains from two or
more member programs patient
identifying information about
individuals applying for withdrawal
management or maintenance treatment
for the purpose of avoiding an
individual’s concurrent enrollment in
more than one treatment program,’’
serve a different purpose than HIEs or
PDMPs. According to the Centers for
Disease Control and Prevention, PDMPs
are state-run electronic databases used
to track the prescribing and dispensing
of controlled prescription drugs to
patients. They are designed, in part, to
monitor this information for suspected
abuse or diversion (i.e., channeling
drugs into illegal use), and can give a
prescriber or pharmacist critical
information regarding a patient’s
controlled substance prescription
history. Although PDMPs may serve
many valuable purposes, SAMHSA
decided not to address issues pertaining
to e-prescribing and PDMPs in the final
rule because, as stated in the NPRM,
they were not ripe for rulemaking at the
time due to the state of technology and
because the majority of part 2 programs
are not prescribing controlled
substances electronically.
Under § 2.34(a)(3)(ii), the consent may
authorize a disclosure to any
withdrawal management or
maintenance treatment program
established within 200 miles of the
program after the consent is given
without naming any such program.
Regarding comments on the 200-mile
limit, SAMHSA declines to make any
changes to the 200-mile limit because it
is unlikely that a patient would be
E:\FR\FM\18JAR6.SGM
18JAR6
6094
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
enrolled in multiple programs greater
than 200 miles from each other. The
regulations do not confine the 200-mile
limit to within a state.
As for the request to allow a consent
for disclosure to ‘‘any licensed
treatment center within the state where
a patient presents for treatment,’’
SAMHSA has concluded that the
proposed specificity is needed. Section
2.34 requires that the consent must list
the name and address of each central
registry and each known withdrawal
management or maintenance treatment
program to which a disclosure will be
made. This specificity was retained
because the purpose of the section is to
prevent multiple enrollments that
would result in a patient receiving
substance use disorder treatment
medication from more than one
provider, thereby increasing the
likelihood for an adverse event or
diversion.
Regarding the request to allow for
multiple payments to providers in
situations where clients are enrolled in
multiple programs and where programs
may be obtaining multiple payments for
multiple services, SAMHSA has
determined that this request it outside
of the scope of the proposed part 2
changes in the NPRM.
FDA who provide reason to believe that
the health of any individual may be
threatened by a product under the
FDA’s jurisdiction and that the
information used solely for notifying the
patient or their physicians of the
potential dangers.
However, several commenters warned
that part 2 programs should not be
expected to assume the unrealistic
burden of liability for a HIE’s capability
to comply with all part 2 requirements.
Another commenter argued the current
medical emergency exception is clear
under current (1987) law and providers
are already making the determination as
to what constitutes an emergency.
M. Medical Emergencies (§ 2.51)
2. Definition of ‘‘Bona Fide Medical
Emergency’’
SAMHSA is adopting this section as
proposed. SAMHSA has revised the
medical emergency exception to give
providers more discretion to determine
when a ‘‘bona fide medical emergency’’
(42 U.S.C. 290dd–2(b)(2)(A)) exists. The
revised language states that patient
identifying information may be
disclosed to medical personnel to the
extent necessary to meet a bona fide
medical emergency in which the
patient’s prior informed consent cannot
be obtained. SAMHSA continues to
require the part 2 program to
immediately document, in writing,
specific information related to the
medical emergency.
1. General
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Many commenters expressed support
for the proposed change in language of
the medical emergency exception to
provide medical personnel with
increased discretion to determine a
‘‘bona fide medical emergency.’’ Some
commenters expressly supported
aligning the regulatory language with
the statutory language for medical
emergencies. A commenter supported
the special rule that would allow the
disclosure of patient identifying
information to medical personnel at the
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
SAMHSA Response
SAMHSA appreciates the support of
commenters on this issue. With regard
to the comment about the burden of
liability, SAMHSA asserts that the
treating provider must make the
determination as to whether a bona fide
medical emergency exists. However,
concern alone about potential drug
interaction may not be sufficient to meet
the standard of a medical emergency.
Thus, based on the circumstances of the
presenting situation, SAMHSA
recommends that health care providers
obtain consent from the patient where
feasible.
Public Comments
Commenters provided various
suggestions for expanding the definition
to include disclosure of records for
mental health involuntary commitment
evaluations and other psychiatric
emergencies; to detoxification centers;
when there is ‘‘risk of serious harm’’ to
self or others by reason of an substance
use disorder; in order to save a life or
prevent further injury of a person who
is not able to make a rational decision
due to mental impairment; and to
prevent suicide. Several commenters
asserted the revisions should include an
exception for disclosure without
consent in order to prevent medical
emergencies from occurring in the first
place. Other commenters suggested not
limiting this section to only medical
emergencies, but allowing disclosures
for treatment, payment, and operation
purposes. A few commenters supported
adding a duty to warn exception where
a substance use disorder patient
discloses intent, plan, or means to
inflict harm onto another individual or
the public.
SAMHSA Response
On the request to expand the
definition, while the statute authorizes
PO 00000
Frm 00044
Fmt 4701
Sfmt 4700
an exception for a bona fide medical
emergency, broadening this provision to
include non-emergency situations
would be inconsistent with the statutory
scheme. With respect to warnings, part
2 does not impose a duty to warn—or
a duty to disclose any information. It
only governs when disclosures may be
made, not when they must be made.
SAMHSA has previously provided FAQ
guidance on when a part 2 program may
make a disclosure without divulging
patient identifying information.
SAMHSA will monitor this issue and
may consider whether additional
subregulatory guidance in the future
may be helpful.
Regarding involuntary commitment,
patient identifying information may be
disclosed to medical personnel to the
extent necessary to meet a bona fide
medical emergency in which the
patient’s prior informed consent cannot
be obtained. This may include
situations in which the patient is not
regarded as being legally competent
under the laws of their jurisdiction.
Such circumstances may apply when a
patient is subject to an involuntary
commitment (i.e., formally committed
for behavioral health treatment by a
court, board, commission, or other
lawful authority). Consistent with
§ 2.51, during the period of time a
patient is not regarded as being legally
competent, any previously established,
unrevoked, or unmodified general
designation remains valid for their
current treating providers until such
time as the individual’s competency is
restored. The treating provider(s) would,
in such circumstances, be expected to
follow provisions of this rule pursuant
to medical emergencies, including all
documentation requirements.
Importantly, at any time when a patient
is legally competent, they may modify
their general designation consistent
with the provisions of this final rule.
Public Comments
Other commenters suggested
restrictions on the definition of ‘‘bona
fide medical emergency’’ or other
limitations to the medical emergency
exception. Several recommended that
the final rule explicitly state that the
medical emergency exception continues
to be limited to circumstances in which
an individual needs immediate medical
care and the patient’s consent cannot be
obtained. The medical emergency
exception does not apply to situations
where the patient could but will not
consent, since the exception should not
be used to avoid obtaining consent. A
commenter urged that a ‘‘bona fide
medical emergency’’ be limited to
circumstances in which an individual
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
needs immediate medical care because
of an immediate (not future) threat to a
person’s health.
A commenter asserted that it be
specified that a ‘‘medical emergency’’ is
determined by the treating provider.
A commenter asserted that the
information disclosed in a ‘‘bona fide
medical emergency’’ should be more
clearly limited and the rule should
require the provider to affirmatively
share the required documentation of the
disclosure with the patient.
A commenter stated that part 2
information disclosed in a medical
emergency should not be re-disclosed
for criminal investigation or
prosecution.
A few commenters advocated for
emergency care providers to be
permitted to access only limited part 2
information available through a HIE.
SAMHSA Response
On situations in which the patient
could but will not consent, SAMHSA
has not revised the regulatory language,
but agrees that ‘‘patient consent could
not be obtained’’ refers to the fact that
the patient was incapable of providing
consent, not that the patient refused
consent.
With regard to the request that a
‘‘medical emergency’’ be determined by
the treating provider, SAMHSA clarifies
that any health care provider who is
treating the patient for a medical
emergency can make that determination.
On limiting the information disclosed,
§ 2.13(a) of the rule indicates that the
amount of information to be disclosed
‘‘must be limited to that information
which is necessary to carry out the
purpose of the disclosure.’’
With regard to the comment on redisclosure, SAMHSA will address redisclosure of part 2 information
obtained during a medical emergency in
subregulatory guidance rather than in
the rule, as it has in the past.
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Several commenters asserted that
automated or pre-determinations for
medical emergencies should be allowed.
A commenter suggested that predefining the criteria for medical
emergency would enable HIEs to
automate the decisions about whether a
patient visit is a medical emergency.
The commenter said such criteria could
be defined by each individual hospital
or could be based on national standards.
Another commenter argued that Level of
Care Utilization System (LOCUS) scores
and the ASAM levels could be used as
clinical standards for determining ‘‘bona
fide emergency’’ situations where
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
behavioral health information should be
more broadly shared.
SAMHSA Response
Automated electronic health
information systems can be programmed
to flag specific patient information for
medical personnel to use in determining
whether a bona fide medical emergency
exists and may be programmed to
provide alerts to authorized providers.
However, as SAMHSA has explained in
previous FAQ guidance, one may not
automate the determination of a medical
emergency.
Public Comments
Many commenters requested
examples of emergency situations in
order to minimize confusion among
providers and organizations as to the
circumstances under which medical
emergencies would be valid. Many of
these commenters provided their own
instances requesting clarification if
disclosure would be necessary.
SAMHSA Response
SAMHSA plans to provide the
requested examples in subregulatory
guidance after the publication of this
final rule.
3. Documentation of Medical Emergency
Public Comments
Many commenters argued for removal
of the requirement that a part 2 program
immediately document a disclosure
pursuant to a medical emergency. A
commenter stated that SAMHSA should
simplify the existing onerous
documentation requirements that
impede vital sharing of information.
Another commenter suggested part 2
programs should rely on other
functionalities that retain disclosure and
specific information related to the
medical emergency, such as audit
reports.
A commenter suggested the language
be modified to allow the part 2 program
to document the disclosure ‘‘promptly’’
rather than ‘‘immediately.’’
Other commenters suggested
eliminating the requirement to provide
‘‘the name of the medical personnel to
whom disclosure was made.’’
Another commenter asserted that the
rule should allow an HIE to maintain
documentation of disclosures for the
part 2 program and provide ongoing
access to such information.
A commenter suggested that a ‘‘list of
the information disclosed’’ be added to
the list of information that must be
entered into the patient record at the
time of the emergency disclosure.
PO 00000
Frm 00045
Fmt 4701
Sfmt 4700
6095
SAMHSA Response
SAMHSA is not convinced of the
benefit of replacing ‘‘immediately’’ with
‘‘promptly,’’ particularly since neither
term is defined in the final rule. With
regard to the suggestion to eliminate the
requirement to provide ‘‘the name of the
medical personnel to whom disclosure
was made,’’ the current (1987) part 2
regulations (as well as the regulatory
language in the NPRM) require part 2
programs to document the name of the
medical personnel to whom disclosure
was made and their affiliation with any
health care facility because it is
important for that information to be
available to the part 2 program and the
patient.
4. Other Comments on Medical
Emergencies
Public Comments
Some commenters suggested that
SAMHSA expand who is authorized to
access emergency records. Some
commenters requested the definition of
‘‘medical personnel’’ include any
professional who provides healthrelated services, including behavioral
health services, rather than being
limited to medical doctors, nurses, and
emergency medical technicians. Other
commenters suggested the language be
changed so that ‘‘non-medical
personnel’’ who are currently working
with clients in an emergency situation
have access to the patient emergency
record. A commenter argued that
substance use disorder patients
commonly face medical emergencies
and therefore it is prudent for an
emergency department be named or
identified under the ‘‘general
disclosure’’ provision.
SAMHSA Response
Part 2 allows patient identifying
information to be disclosed to medical
personnel in a medical emergency. Part
2 does not define the term ‘‘medical
personnel’’ but merely provides that
information can be given to medical
personnel who have a need for
information about a patient in a bona
fide medical emergency. It is up to the
health care provider or facility treating
the emergency to determine the
existence of a medical emergency and
which personnel are needed to address
the medical emergency. The name of the
medical personnel to whom the
disclosure was made, their affiliation
with any health care facility, the name
of the individual making the disclosure,
the date and time of the disclosure, and
the nature of the medical emergency
must be documented in the patient’s
records by the part 2 program disclosing
E:\FR\FM\18JAR6.SGM
18JAR6
6096
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
the information. SAMHSA does not
have the authority to permit information
to be disclosed to ‘‘non-medical
personnel’’ pursuant to a medical
emergency because the authorizing
statute for the regulations codified at 42
CFR part 2 limits disclosures to
‘‘medical personnel.’’
With regard to identifying emergency
departments under the ‘‘general
disclosure’’ provision, the medical
emergency exception requires that a
provider determine that a bona fide
medical emergency exists and that a
patient’s visit to an emergency room
does not automatically constitute such
an emergency. SAMHSA reiterates that
there is a difference between refusal to
consent and being incapable of
consenting to disclosure.
Public Comments
Commenters requested clarification
on which entity, the receiving
emergency department or HIE, would be
obligated to maintain part 2-compliance
with information received through a
declared patient emergency. A
commenter argued the rule should state
that a hospital emergency room or other
health care provider that obtains
program information under the medical
emergency exception would not be
subject to part 2 rules with respect to
such program information.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
Part 2 requires that when a disclosure
is made in connection with a medical
emergency, the part 2 program must
document in the patient’s record the
name and affiliation of the recipient of
the information, the name of the
individual making the disclosure, the
date and time of the disclosure, and the
nature of the emergency. Thus, data
systems must be designed to ensure that
the part 2 program is notified when a
‘‘break the glass’’ disclosure occurs and
part 2 records are released pursuant to
a medical emergency. The notification
must include all the information that
the part 2 program is required to
document in the patient’s records. The
information about emergency
disclosures should also be kept in the
HIE’s electronic system. Regarding the
requests for clarification on part 2
applicability to information disclosed
pursuant to a medical emergency,
SAMHSA understands the importance
of these questions. However, because
these issues are not related to specific
proposals made in the NPRM, SAMHSA
plans to address them in subregulatory
guidance after the publication of the
final rule.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Public Comments
A commenter warned that emergency
disclosures for requesting of part 2
records can occur by means other than
solely through an HIE.
SAMHSA Response
The EHR is the vehicle for the
disclosure of the part 2 record but not
the decision-maker. The name of the
person who makes the determination to
disclose and discloses the information
electronically through an EHR system
should be recorded. SAMHSA clarifies
that the example used of an HIE was not
meant to be exhaustive to include all
potential sources of disclosures.
N. Research (§ 2.52)
SAMHSA is modifying this section
from the regulatory text proposed, as
described in detail below. SAMHSA is
implementing several changes to the
research provision. First, we have
revised the section heading by deleting
the word ‘‘activities.’’ In addition,
SAMHSA has revised the research
exception to permit data protected by 42
CFR part 2 to be disclosed by any
individual or entity that is in lawful
possession of part 2 data (lawful holder
of part 2 data) under certain conditions.
SAMHSA also addressed data
linkages because the process of linking
two or more streams of data opens up
new research opportunities and
potential risks. In the NPRM, SAMHSA
proposed to permit researchers to
request to link data sets that include
patient identifying information if (1) the
data linkage uses data from a federal
data repository, and (2) the project,
including a data protection plan, is
reviewed and approved by an
Institutional Review Board (IRB)
registered with the Office for Human
Research Protections (OHRP) in
accordance with 45 CFR part 46.
SAMHSA requested comments in the
NPRM on whether to expand the data
linkages provision beyond federal data
repositories. After considering the
public comments received on this topic,
as discussed in greater detail below,
SAMHSA has revised the data linkages
provision to permit researchers to link
to federal and non-federal data
repositories provided certain conditions
are met.
The revised § 2.52 permits a
researcher to include part 2 data in
reports only in aggregate form.
SAMHSA clarified in this final rule that,
with respect to these types of reports,
the patient identifying information has
been rendered non-identifiable such
that the information cannot be reidentified and serve as an unauthorized
PO 00000
Frm 00046
Fmt 4701
Sfmt 4700
means to identify a patient, directly or
indirectly as having or having had a
substance use disorder. SAMHSA
requires any individual or entity
conducting scientific research using
patient identifying information to meet
additional requirements to ensure
compliance with confidentiality
provisions under part 2. Note that deidentified information can be shared for
the purposes of research; this was the
status quo under the previous part 2
regulations, and this final rule does not
change that.
Finally, § 2.52 addresses, in addition
to the maintenance of part 2 data, the
retention and disposal of such
information used in research. SAMHSA
expanded the provisions in § 2.16
(Security for records) and references the
policies and procedures established
under § 2.16 in revised § 2.52. The
NPRM language in (a)(1) only referenced
‘‘the HIPAA privacy rule at 45 CFR
164.512(i)’’ while the final rule
regulatory language in (a)(1) now says:
‘‘consistent with the HIPAA Privacy
Rule at 45 CFR 164.508 or 164.512(i), as
applicable’’.
1. General
Public Comments
Many commenters expressed support
for revising the research exception to
permit data protected by part 2 to be
disclosed to qualified personnel for the
purpose of conducting scientific
research by a part 2 program or any
other individual or entity that is in
lawful possession of part 2 data (lawful
holder of part 2 data). Many
commenters expressed general support
for expanding the circumstances in
which research may be conducted with
part 2 data. Many commenters
supported disclosure of data from other
lawful holders of substance use disorder
records with researchers. Commenters
supported the prevention of data
scrubbing of records and other data
suppression related to substance use
disorders. Some commenters specified
support to stop ‘‘suppression’’ of
Medicare and Medicaid data from any
records associated with substance use
disorder.
SAMHSA Response
SAMHSA’s revisions to the research
provision address these concerns
regarding access to substance use
disorder information from CMS claims/
encounter data disclosed for research
purposes. First, the research provision
permits part 2 programs and other
lawful holders of patient identifying
information (not just part 2 program
directors) to disclose data protected by
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
42 CFR part 2 to qualified personnel for
the purpose of conducting scientific
research if the researcher provides
documentation of meeting certain
requirements related to other existing
protections for human research. Second,
SAMHSA also addressed data linkages
to enable researchers holding part 2 data
to link to data sets from federal and nonfederal data repositories provided
certain conditions are met as spelled out
in section 2.52.
Public Comments
Another commenter supported the
use of data use agreements for all
research transfers of part 2 information
and requested the proposed regulation
provide examples of these agreements.
A commenter stated that the agency
should allow research of additional
administrative data sets such as those
held by HIEs, ACOs, state Medicaid
agencies, commercial insurance
companies, and Medicare Advantage
plans with appropriate IRB reviews.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
Although not required by § 2.52, the
regulation would permit any lawful
holder of patient identifying
information to require a researcher sign
a data use agreement spelling out these
requirements.
SAMHSA is adopting its proposal
regarding the research exception to
permit data protected by 42 CFR part 2
to be disclosed to qualified personnel
for the purpose of conducting scientific
research by a part 2 program or any
other individual or entity that is in
lawful possession of part 2 data if the
researcher provides documentation of
meeting certain requirements related to
other existing protections for human
research. If an entity meets the
requirements of an ‘‘other lawful holder
of patient identifying information,’’ as
described in the preamble of this final
rule, the entity would be authorized to
disclose part 2 data for research
purposes in accordance with § 2.52.
Public Comments
Another commenter asked a series of
questions related to the release of data
by lawful holders that are not part 2
programs (e.g., HIEs). The commenter
asked how these HIEs, third-party
payers, etc., will be able to determine
that a researcher will maintain the
confidential patient identifying
information in accordance with the
security requirements set out in
§ 2.52(a)(2); how will the ‘‘lawful
holders’’ be able to assess whether the
potential benefits of the research
outweighs any risks to confidentiality as
required by § 2.52(a)(3); and what
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
individual at these various ‘‘lawful
holders’’ will be the equivalent of a part
2 program director and have the
authority to make these decisions. The
commenter stated that it is almost
certain that these ‘‘lawful holders’’ will
not sufficiently know the confidentiality
regulations so as to ensure the
researchers are aware of, and will
comply with the prohibition against redisclosure specified in § 2.52(b).
SAMHSA Response
SAMHSA examined the existing
regulations that protect human subjects
in research and concluded that, if those
requirements were fulfilled, 42 CFR part
2 would ensure confidentiality
protections consistent with the statute,
while providing the expanded authority
for disclosing patient identifying
information. Requirements that ensure
compliance with HIPAA and the
Common Rule (e.g., IRB and/or privacy
board review) with respect to research
provide these assurances, including that
the researcher has a plan to protect and
destroy identifiers and to not re-disclose
the information in an unauthorized
manner. The individual who would
make the determination to disclose part
2 data on behalf of a part 2 program or
other lawful holder would be the
individual designated as director or
managing director, or individual
otherwise vested with authority to act as
chief executive officer or their designee.
In addition, there is nothing in the
regulation that requires this individual
to disclose the data, even if the
researcher provides documentation of
compliance with the requirements
under § 2.52.
Public Comments
A commenter stated that the proposed
rule adopted an overly narrow approach
to disclosures for scientific research, by
limiting part 2 disclosures only to
entities or individuals subject to the
HIPAA Privacy Rule or the HHS
Common Rule. The commenter stated
that because the commenter is not a
HIPAA covered entity or business
associate under HIPAA, and is not
currently subject to the Common Rule,
the commenter does not appear to meet
the conditions required for disclosure
for scientific research. The commenter
stated that limiting disclosures for
research purposes only to entities or
individuals subject to the HIPAA
Privacy Rule and/or Common Rule is
inconsistent with the language and
intent of the governing statute, which
broadly authorizes disclosures to
qualified personnel for the purposes of
conducting scientific research.’’ (42
U.S.C. 290dd–2(b)(2)(B)). The
PO 00000
Frm 00047
Fmt 4701
Sfmt 4700
6097
commenter urged SAMHSA to interpret
research broadly to include state
analytic activities to identify patterns
and variations in the cost, quality and
delivery of health care, similar to the
approach adopted by CMS for the
release of CMS claims/encounter data to
state agencies.
SAMHSA Response
The revised research exception will
now permit data protected by 42 CFR
part 2 to be disclosed for research
purposes by part 2 programs and other
lawful holders of patient identifying
information not just by part 2 program
directors as the 1987 final rule
regulations require. Because SAMHSA
is expanding the authority for disclosing
patient identifying information beyond
part 2 program directors, it was
necessary to establish a mechanism to
ensure that confidentiality protections
consistent with the statute were fulfilled
in all cases. SAMHSA determined that
the existing regulations that protect
human subjects in research would
accomplish this, and, therefore, decided
to limit the permitted disclosures for
research purposes under part 2 to
instances in which the researchers
would meet the requirements governing
their receipt of protected health
information from a covered entity under
the HIPAA privacy rule and/or the
requirements governing research on
human subjects under the HHS
Common Rule. Under this expanded
authority, the HIPAA standards would
be applied as a test regardless of
whether the data source for the
disclosure was a HIPAA covered entity.
Under 42 CFR part 2, the research
provision provides clear policies on
conducting research and protecting the
confidentiality of patient identifying
information, including their obligations
to comply with requirements under 42
CFR 2.16, Security for Records.
Public Comments
A commenter stated that SAMHSA, in
coordination with state regulators,
should work together to issue guidance
related to the application of the federal
part 2 requirements to substance use
disorder information that may be
requested by states for public health and
other purposes.
SAMHSA Response
The statute authorizing part 2
contains specific limited exceptions to
the consent requirement, and making a
change to exempt states from this
requirement, under certain conditions,
would be inconsistent with the statutory
scheme.
E:\FR\FM\18JAR6.SGM
18JAR6
6098
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
One commenter stated that the
expansion of the disclosure of patient
identifying information should be
limited to CMS and/or state
governmental agencies that have
authority over substance use disorder
treatment services. The commenter
stated that an unintended consequence
of implementing the potential of widespread disclosure of previously
protected information is that the
protections the confidentiality
regulations afforded patients will be
eviscerated as essentially all the
recipients of protected information, for
the last 40 years will no longer be bound
by the prohibition of re-disclosure,
subjecting the patient’s information to
re-disclosure, without the patient’s
consent, to any individual or entity
representing that they are conducting
scientific research. The commenter
argued that SAMHSA should limit the
number of entities who can release
patient identifying information to those
who actually have the resources to
verify that such disclosure to a
researcher is for a valid research
purpose; can ensure proper research
protections are in place; and affirm the
patient will not be more vulnerable as
a result of the disclosure. The vast
majority of lawful holders cannot
adequately perform this analysis and
therefore cannot protect the patient’s
interest as required under the part 2
regulations.
SAMHSA Response
SAMHSA declines to narrow the
scope of the research provision as
suggested. In developing the proposed
rule, SAMHSA examined the existing
regulations that protect human subjects
in research and concluded that, if those
requirements were fulfilled, 42 CFR part
2 would ensure confidentiality
protections consistent with the statute,
while providing the expanded authority
for disclosing patient identifying
information. Specifically, IRBs
determine that, when appropriate, there
are adequate provisions to protect the
privacy of subjects and to maintain the
confidentiality of data before approving
the research (45 CFR 46.111(a)(7)).
SAMHSA is interested in affording
patients protected by 42 CFR part 2 the
same opportunity to benefit from
advanced research protocols while
continuing to safeguard their privacy,
and narrowing the scope of lawful
holders that may disclose part 2 data for
research purposes, as suggested by the
commenter would limit the ability of
patients to benefit from these research
efforts.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Public Comments
Other commenters expressed concern
about the expanded research exception.
A commenter stated that the proposed
provision would create a wide
opportunity for data sharing with
increased risk of adverse impact.
Similarly, a commenter warned that the
research exception revision poses
unnecessary risk of data breach of
patient’s confidentiality.
SAMHSA received a large number of
comments, particularly from
researchers, expressing support for the
revised research provision. These
commenters expressed concern that,
without this revised provision,
researchers’ access to substance use
disorder-related data in Medicare and
Medicaid claims/encounter databases
would be limited to instances in which
consent could be obtained. A number of
commenters cited a study by K. Rough
et al. published in the March 15, 2016,
issue of the Journal of the American
Medical Association that found the
exclusion of part 2 data from Medicare
and Medicaid claims/encounter data in
research contexts coincided with
decreases in the rates of diagnoses for
certain conditions commonly cooccurring with substance use disorder.
Commenters reiterated a point made in
the article that underestimating
diagnoses has the potential to bias
health services research studies and
epidemiological analyses. Some
commenters also stated that
implementing appropriate data
safeguards can protect patient privacy
while still allowing researchers access
to critical data.
SAMHSA Response
SAMHSA agrees with the
commenters’ assertions regarding how
the exclusion of this substance use
disorder data hampers vital public
health research, particularly in light of
the growing national opioid epidemic
and is finalizing the research data access
proposal in the final rule.
With respect to concerns about
privacy and the expansion of the
research exception, SAMHSA clarifies
that the research exception is intended
to permit data protected by 42 CFR part
2 to be disclosed to qualified personnel
for the purpose of conducting scientific
research by a part 2 program or any
other individual or entity that is in
lawful possession of part 2 data (lawful
holder of part 2 data).
The research provision (§ 2.52(b))
already includes a requirement that the
researcher receiving the part 2 data is
fully bound by 42 CFR part 2. Although
not required by § 2.52, the regulation
PO 00000
Frm 00048
Fmt 4701
Sfmt 4700
would permit any lawful holder of
patient identifying information to
require a researcher to sign a data use
agreement spelling out these
requirements. Lawful holders of patient
identifying information may disclose
part 2 data without patient consent for
research purposes only under the
specified circumstances under the
research provision.
Public Comments
A commenter requested clarification
as to whether ‘‘lawful holders’’ may
disclose part 2 data to third parties to
conduct research or whether the ‘‘lawful
holder’’ has to conduct the research
itself.
Citing the HIPAA tracking criteria for
disclosures outside the entity pursuant
to a waiver of authorization, another
commenter asked SAMHSA to clarify
what tracking requirements would
apply to disclosure of part 2 data for
purposes of research. This commenter
also asked SAMHSA to clarify whether
disclosure for purposes of research
means sharing the data with anyone for
research purposes or only applies when
part 2 data is shared with an outside
entity.
SAMHSA Response
The research provision permits part 2
programs and other lawful holders of
patient identifying information to
disclose data protected by 42 CFR part
2 to qualified personnel for the purpose
of conducting scientific research if the
researcher provides documentation of
meeting certain requirements related to
other existing protections for human
research. ‘‘Qualified personnel’’ is a
statutory term and SAMHSA has
clarified that this term includes those
individuals who meet the requirements
specified in the research provision to
receive part 2 data for the purpose of
conducting scientific research.
The proposed rule did not include a
tracking requirement for information
disclosed under the research exception
and so we are declining to include such
a requirement in the final rule.
Public Comments
Another commenter reasoned that
municipalities should be able to receive
and match patient identifying
information and then use the deidentified data for planning and analysis
purposes (e.g., determining how many
criminal justice-involved defendants
have a previous history of substance use
disorder treatment).
SAMHSA Response
SAMHSA declines to make the
recommended expansion to the research
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
provision. SAMHSA is revising the
research exception to permit data
protected by 42 CFR part 2 to be
disclosed to qualified personnel for the
purpose of conducting scientific
research by a part 2 program or any
other individual or entity that is in
lawful possession of part 2 data (lawful
holder of part 2 data).’’Qualified
personnel’’ is a statutory term and
SAMHSA has clarified that this term
includes those individuals who meet
the requirements specified in the
research provision to receive part 2 data
for the purpose of conducting scientific
research. This term would not preclude
researchers from conducting such
research efforts on behalf of a
municipality. However, part 2 prohibits
researchers from re-disclosing patient
identifying information except back to
the individual or entity from whom that
patient identifying information was
obtained or as permitted under § 2.52(c)
of this section, and permits researchers
to include part 2 data in reports only in
aggregate form in which patient
identifying information has been
rendered non-identifiable such that the
information cannot be re-identified and
serve as an unauthorized means to
identify a patient, directly or indirectly,
as having or having had a substance use
disorder.
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
A commenter expressed support for
the strengthened proposed research
provision whereby patient identifying
information may be released only after
the program director has determined the
research recipient has obtained
appropriate IRB and/or privacy board
approval and consent. Another
commenter asserted that information
that is de-identified and presented in
aggregate should be permitted to be
more readily used in research. The
commenter stated that this was another
area where SAMHSA can promote
greater alignment with HIPAA, which
provides allowances for covered
information that is de-identified and
presented in the aggregate.
SAMHSA Response
Part 2 only applies to information that
would identify a patient as having or
having had a substance use disorder.
The revised research provision allows
researchers to include part 2 data in
reports only in aggregate form in which
patient identifying information has been
rendered non-identifiable such that the
information cannot be re-identified and
serve as an unauthorized means to
identify a patient, directly or indirectly,
as having or having had a substance use
disorder. The revised § 2.52 also
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
requires researchers to maintain and
destroy patient identifying information
in accordance with the security policies
and procedures established under
§ 2.16. SAMHSA aligned policy with
HIPAA where possible. However, 42
CFR part 2 and its governing statute are
separate and distinct from HIPAA, and
the part 2 regulations use different
terminology than used in HIPAA.
Public Comments
A commenter requested clarification
on whether data disclosed to qualified
personnel under § 2.52 would include
‘‘identifiable information.’’ For example,
this commenter asked why a name
would be relevant if the data and
information would be used for research.
Another commenter stated that certain
patient identifying information such as
social security numbers should not be
included, as it serves no purpose to
researchers. The commenter stated that
this can easily be mitigated by data
segmentation and consent management,
but until then the rule should be
maintained in that the part 2 program
director is the only individual
authorized to release of information.
SAMHSA Response
The part 2 data that may be disclosed
for research purposes include patient
identifying information, as that term is
defined in § 2.11. One reason
researchers would need identifiable
information is to link part 2 data to
other data sets, or for conducting data
linkages. SAMHSA also proposed to
address data linkages, which requires
identifiable information, because the
process of linking two or more streams
of data opens up new research
opportunities and potential risks. For
example, the practice of requesting data
linkages from other data sources to
study the longitudinal effects of
treatment is becoming widespread.
SAMHSA is interested in affording
patients protected by 42 CFR part 2 the
same opportunity to benefit from these
advanced research protocols while
continuing to safeguard their privacy.
Likewise, SAMHSA revised the research
provision to enable part 2 data to be
disclosed for research purposes by part
2 programs and other lawful holders of
patient identifying information so that
patients may benefit from the additional
scientific research that will be
conducted and that will facilitate
continual quality improvement of part 2
programs and the important services
they offer. This additional research
would not be able to be conducted if
SAMHSA were to continue to maintain
the existing part 2 research provision, as
suggested.
PO 00000
Frm 00049
Fmt 4701
Sfmt 4700
6099
2. Suggestions for Improvement of the
Research Provisions
Public Comments
Some commenters made suggestions
to improve privacy protections as it
relates to research. A commenter
suggested that the research provision
require a certificate of confidentiality as
a prerequisite to researcher access to
part 2 information.
SAMHSA Response
The research provision (§ 2.52(b))
already includes a requirement that the
researcher receiving the part 2 data is
fully bound by 42 CFR part 2. Although
not required by § 2.52, the regulation
would permit any lawful holder of
patient identifying information to
require a researcher sign a data use
agreement spelling out these
requirements.
According to NIH, certificates of
confidentiality do not take the place of
good data security or clear policies and
procedures for data protection, which
are essential to the protection of
research participants’ privacy. Under 42
CFR part 2, the research provision
provides clear policies on conducting
research and protecting the
confidentiality of patient identifying
information, including their obligations
to comply with requirements under 42
CFR 2.16, Security for Records.
Public Comments
A commenter concluded that the
number of entities who could release
patient identifying information should
be limited to those who have the
resources to verify the research is valid
and the patient will not become more
vulnerable as result of disclosure. A
commenter suggested that strict policies
be in place at all levels of research
organizations to assure that prohibited
re-disclosure of patient information
does not occur. A commenter asserted
that aligning part 2’s requirements for a
valid written consent with those
applicable under the HIPAA Privacy
Rule would avoid confusion. One
commenter suggested that the filing of
conflict of interest statements by the
primary investigators and coinvestigators be required. A commenter
suggested a change in language to clarify
that researchers will resist any judicial
demand for access to patient records,
except as permitted by these
regulations.
SAMHSA Response
SAMHSA examined the existing
regulations that protect human subjects
in research and concluded that, if those
requirements were fulfilled, 42 CFR part
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6100
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
2 would ensure confidentiality
protections consistent with the statute,
while providing the expanded authority
for disclosing patient identifying
information. Requirements that ensure
compliance with HIPAA and the
Common Rule (e.g., IRB and/or privacy
board review) with respect to research
provide these assurances, including that
the researcher has a plan to protect and
destroy identifiers and to not re-disclose
the information in an unauthorized
manner. Disclosure of part 2 data also
would be allowable for research that
qualifies for exemption under the
Common Rule due to the lower risk to
subjects in the circumstances where
exemptions apply, and this has been
clarified in § 2.52(a)(2). The individual
who would make the determination to
disclose part 2 data on behalf of a part
2 program or other lawful holder would
be the individual designated as director
or managing director, or an individual
otherwise vested with authority to act as
chief executive officer or their designee.
In addition, there is nothing in the
regulation that requires this individual
to disclose the data, even if the
researcher provides documentation of
compliance with the requirements
under § 2.52.
SAMHSA declines to make the
recommended change regarding
conflicts of interest to the research
section (§ 2.52). The revised research
provision requires reviews, either by an
IRB and/or privacy board, for the
specific purpose of minimizing risk to
patients and their privacy. The research
provision also requires researchers
requesting data linkages, as described in
§ 2.52(c), to have the request reviewed
and approved by an IRB registered with
the Department of Health and Human
Services, Office for Human Research
Protections in accordance with 45 CFR
part 46 to ensure that patient privacy is
considered and the need for identifiable
data is justified. In addition, HHS has
issued subregulatory guidance that, to
the extent financial interests may affect
the rights and welfare of human subjects
in research, IRBs, institutions, and
investigators need to consider what
actions regarding financial interests may
be necessary to protect those subjects.
SAMHSA proposed to require any
individual or entity conducting
scientific research using patient
identifying information to meet
additional requirements to ensure
compliance with confidentiality
provisions under part 2. Among these
are a provision (§ 2.52(b)(1)) that
‘‘requires researchers to be fully bound
by these regulations and, if necessary, to
resist in judicial proceedings any efforts
to obtain access to patient records
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
except as permitted by these
regulations.’’
Public Comments
Another commenter suggested that
the rule allow an extended disclosure
period specific to research that could be
included in the initial disclosure
approval.
SAMHSA Response
The part 2 regulations do not specify
a disclosure period in the research
provision.
Public Comments
A commenter said that it would bring
clarity and aid entities seeking to
comply with the proposed rule if it
included a definition of ‘‘repository’’
and of ‘‘scientific research.’’ The
commenter stated that the HHS
Common Rule provisions, referenced
repeatedly in the proposed rule, apply
only to activities which meet the
definition of research involving human
subjects. It is not clear whether
SAMHSA intends to adopt Common
Rule definitions or create a separate
scheme.
SAMHSA Response
SAMHSA did not propose a
regulatory definition for these terms in
the NPRM and respectfully declines to
define the terms in the final rule as
suggested. ‘‘Scientific research’’ is a
statutory term that is not defined.
Researchers requesting part 2 data for
the purposes of conducting scientific
research and whose research is subject
to the Common Rule would need to
comply with requirements for the
Common Rule as well as those of part
2. SAMHSA refers to the term
‘‘repository’’ in the context of the data
linkages provision, and intended the
term to broadly refer to data that is
stored and managed. SAMHSA may
address undefined terms that require
further elaboration in subregulatory
guidance or in subsequent rulemaking.
Public Comments
One commenter supported provisions
that allow states to work with outside
entities, which are HIPAA and Common
Rule compliant, to conduct research that
will improve care and drive quality
outcomes for Medicaid beneficiaries
with a substance use disorder.
SAMHSA Response
SAMHSA supports the efforts of part
2 stakeholders to work together
collaboratively and in compliance with
the law. Part 2 prohibits researchers
from re-disclosing patient identifying
information except back to the
PO 00000
Frm 00050
Fmt 4701
Sfmt 4700
individual or entity from whom that
patient identifying information was
obtained or as permitted under the data
linkages provision. Researchers may
include part 2 data in reports only in
aggregate form in which patient
identifying information has been
rendered non-identifiable such that the
information cannot be re-identified and
serve as an unauthorized means to
identify a patient, directly or indirectly,
as having or having had a substance use
disorder.
3. HIPAA and HHS Common Rule
Requirements
Public Comments
Many commenters expressed support
for aligning requirements for disclosure
of information for conducting research
with existing requirements for research
as regulated by the HHS Common Rule
(45 CFR part 46). A commenter
remarked that an alternate approach
would be to create a single category of
consent for research purposes.
SAMHSA Response
In this part 2 final rule, SAMHSA has
implemented certain revisions that are
predicated on the current version of the
Common Rule (45 CFR part 46,
Protection of Human Subjects,
promulgated in 1991). Should
conflicting policies be created in the
future, SAMHSA will take appropriate
action (e.g., issue an NPRM or technical
correction). With respect to creating a
single category of consent for research,
the existing consent requirements
permit patient consent for the disclosure
of patient identifying information for
the purpose of scientific research.
4. Data Linkages
SAMHSA revised § 2.52 from the
proposed regulatory text by separating
out the data linkages provisions into its
own paragraph, § 2.52(c) for purposes of
clarity and readability. In addition, the
final § 2.52 addresses data linkages to
enable researchers holding part 2 data to
link to data sets from federal and nonfederal data repositories as explained in
greater detail below. SAMHSA proposed
to permit researchers to request to link
data sets that include patient identifying
information under certain conditions.
We proposed to limit the data
repositories from which a researcher
may request data for data linkages
purposes to federal data repositories
because federal agencies that maintain
data repositories have policies and
procedures in place to protect the
security and confidentiality of the
patient identifying information that
must be submitted by a researcher in
order to link the data sets. SAMHSA
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
sought input from the public regarding
whether to expand the data linkages
provision beyond federal data
repositories; what confidentiality,
privacy, and security safeguards are in
place for those non-federal data
repositories; and whether those
safeguards are sufficient to protect the
security and confidentiality of the
patient identifying information.
Public Comments
Several commenters suggested that
researchers be allowed to perform data
linkages between data sets containing
substance use disorder data. However,
some warned that the proposed rule was
unclear regarding data linkages. One
commenter said SAMHSA should
clarify that researchers have the option
to submit data to a federal data
repository, like CMS, for linking of
federal data, but are not required to do
so. Other commenters argued that
proposed § 2.52 should explicitly allow
researchers to perform their own data
linkages between data sets containing
substance use disorder records. A
commenter asserted that non-profit
entities who engage in research should
be distinct from for-profit organizations
and that for-profit organizations should
not be allowed access to large linked
data sets.
Many commenters expressed support
for permitting linkage with non-federal
repositories where adequate, flexible
safeguards are in place to protect the
security and confidentiality of part 2
data. A commenter asserted that only
allowing researchers to combine 42 CFR
part 2 records received without patient
consent with records from a federal
repository is not consistent with the
goal of enhancing research conducted
with data protected by part 2. In
particular, commenters pointed out that
many state, local, tribal, and corporate
data repositories with hospital
emergency department and discharge,
trauma registry, and birth and death
records would not be covered by the
federal data linkages language in the
proposed rule, thereby hampering
important research and evaluation
activities. Additionally, commenters
supported the expansion of data
linkages in order to better support the
analysis required by evolving health
care delivery and payment models, such
as Accountable Care Organizations.
Commenters urged that appropriate
privacy and security protections are in
place, to include physical security and
disposition of data if SAMHSA permits
linkages to non-federal data repositories.
One commenter remarked that
protections imposed by federal
repositories that are not imposed by
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
other repositories should be identified
and considered as requirements, so as
not to lose the insight offered through
additional linkage opportunities.
Another suggested implementation of
data use agreement language to nonfederal repositories. A commenter
reasoned IRBs or privacy officers could
ensure other repositories are in
compliance with part 2 requirements.
However, a few commenters did not
support expansion of data linkage to
non-federal repositories. Some
commenters expressed concerns about
the security of data in both federal and
non-federal data repositories citing
examples of healthcare data breaches.
One commenter concluded data linkage
to any data repositories be withdrawn
from the proposed language citing the
federal agencies as well as health care
data repositories inability to adequately
safeguard personal information. Another
commenter suggested data repositories
performing the data linkages, if outside
of part 2 entity, not be given information
subject to part 2.
SAMHSA Response
SAMHSA would like to clarify that
the data linkages provision is not
intended to prohibit a researcher from
linking a data set in the researcher’s
possession that contains part 2 data
with a data set from a third party source,
so long as the part 2 data is not further
disclosed in the data linkage process
and the researcher adheres to any
applicable confidentiality, privacy, and
security requirements and safeguards.
Regarding the comment on for-profit
organizations, whether the researcher is
a for-profit or not-for-profit
organization, the researcher would be
required to have IRB approval and/or
privacy board review of their research,
and, additionally, IRB approval of the
research project that contains the data
linkage component, to ensure risks to
the patient and their privacy are
minimized. In addition, part 2 prohibits
researchers from re-disclosing patient
identifying information except back to
the individual or entity from whom that
patient identifying information was
obtained or as permitted under the data
linkages provision. Researchers may
include part 2 data in reports only in
aggregate form in which patient
identifying information has been
rendered non-identifiable such that the
information cannot be re-identified and
serve as an unauthorized means to
identify a patient, directly or indirectly,
as having or having had a substance use
disorder.
In response to public comments,
SAMHSA has decided in the final rule
to permit data linkages to both federal
PO 00000
Frm 00051
Fmt 4701
Sfmt 4700
6101
and non-federal data repositories subject
to the conditions explained below.
SAMHSA believes that these changes
will enhance research while still
ensuring the protection of part 2 patient
identifying information. SAMHSA
agrees with commenters that many nonfederal data repositories, as well as
federal data repositories, contain data
that is critical to research and, therefore,
SAMHSA is expanding data linkages
provisions.
In the data linkages provision of this
final rule (§ 2.52(c)), SAMHSA revises
its proposal to enable researchers
holding part 2 data to link to data sets
from any repository, including nonfederal repositories, provided that the
linkage has been reviewed and
approved by an Institutional Review
Board registered with the Department of
Health and Human Services, Office for
Human Research Protections in
accordance with 45 CFR part 46 to
ensure that patient privacy is
considered and the need for identifiable
data is justified. In addition to having
the request reviewed and approved by
an IRB, the researcher must ensure that
patient identifying information obtained
under the rule’s research provisions is
not provided to law enforcement
agencies or officials. SAMHSA states in
the final rule that the data repository is
fully bound by the provisions of part 2
upon receipt of the patient identifying
data and must, after providing the
researcher with the linked data, destroy
or delete the linked data from its
records, including sanitizing any
associated hard copy or electronic
media, to render the patient identifying
information non-retrievable in a manner
consistent with the policies and
procedures established under § 2.16
Security for records. In addition, the
data repository must ensure that any
data obtained pursuant to part 2’s
research provisions is not provided to
law enforcement agencies or officials.
Public Comments
One commenter recommended that
SAMHSA expand data linkages beyond
research to the broader need for it to be
inclusive of coordinated care. The
commenter stated that this is another
area where SAMHSA could look to
existing HIPAA provisions and align the
part 2 provisions accordingly.
SAMHSA Response
SAMHSA declines to make the
revision suggested by the commenter.
The transfer of part 2 information for the
purposes of research, as allowed under
§ 2.52, is an exception to patient
consent, and, therefore, the data
linkages provision cannot be expanded
E:\FR\FM\18JAR6.SGM
18JAR6
6102
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
to other parts of the regulation. Because
of its targeted population, part 2
provides more stringent federal
protections than most other health
privacy laws, including HIPAA.
However, SAMHSA aligned policy with
HIPAA where possible.
5. Multi-Payer Claims Database
Public Comments
Many commenters urged the final rule
to explicitly include a statement on the
authority granted to MPCDs (also
referred to as APCDs) that maintain
adequate safeguards to collect, link, and
disseminate substance use disorder
records without patient consent for
research purposes. Several commenters
argued that many states have
established state-sponsored MPCD
systems and urged the proposed rule to
specifically ensure substance use
disorder data are not systematically
excluded from state MPCD systems,
allowing part 2 data to be collected,
linked, and disseminated without
patient consent for research purposes. A
commenter requested specific guidance
as to whether MPCDs could be lawful
holders of part 2 data with the same
disclosure requirements as those for
HIEs. A commenter stated that the rule
should authorize state data repositories
such as an MPCD to link part 2 data to
other data for research purposes.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
For an MPCD or any entity to disclose
part 2 data for research purposes under
the rule’s research exception to consent
requirements (§ 2.52), the entity must be
a ‘‘lawful holder of patient identifying
information.’’ Under the research
provision, any lawful holder of part 2
data may disclose the data to qualified
researchers that meet the requirements
under the HHS Common Rule or HIPAA
Privacy Rule. As SAMHSA discussed in
the NPRM preamble, a ‘‘lawful holder’’
of patient identifying information is an
individual or entity who has received
such information in accordance with the
part 2 requirements, and, therefore, is
bound by 42 CFR part 2. Examples of
potential ‘‘lawful holders’’ of patient
identifying information include a
patient’s treating provider, a hospital
emergency room, an insurance
company, an individual or entity
performing an audit or evaluation, or an
individual or entity conducting
scientific research. As permitted by the
authorizing statute and under these
regulations, any lawful holder of patient
identifying information may disclose
part 2 data without patient consent for
research purposes under the
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
circumstances specified under the
research provision.
Regarding the specific scenario raised
by commenters, SAMHSA wishes to
clarify that MPCDs and other data
intermediaries are permitted to obtain
part 2 data under the research exception
provided in § 2.52, provided that the
conditions of the research exception are
met. Furthermore, an MPCD or data
intermediary that obtains part 2 data in
this fashion would be considered a
‘‘lawful holder’’ under these final
regulations and would therefore be
permitted to redisclose part 2 data for
research purposes, subject to the other
conditions imposed under § 2.52. The
final rule edits the language under
paragraph 2.52(a) to clarify that the
regulations do not prohibit such a
disclosure.
Except as provided in paragraph
2.52(c), a researcher may not redisclose
patient identifying information for data
linkages purposes. SAMHSA’s data
linkages provision permits researchers
to request to link data sets that include
patient identifying information if the
data linkages component is reviewed
and approved by an IRB registered with
OHRP in accordance with 45 CFR part
46 and certain other conditions are met.
The data linkages provision is not
intended to prohibit a researcher from
linking a data set in the researcher’s
possession that contains part 2 data
with a data set from a third-party
source, so long as the part 2 data is not
further disclosed in the data linkage
process and any applicable
confidentiality, privacy, and other
conditions as specified in this rule are
adhered to.
O. Audit and Evaluation (§ 2.53)
SAMHSA is modifying the proposed
language as discussed below. SAMHSA
has revised the section heading by
deleting the word ‘‘activities.’’
SAMHSA modernized this section to
include provisions governing both paper
and electronic patient records. In
addition, we revised the requirements
for destroying patient identifying
information by citing the expanded
Security for Records section (§ 2.16).
Furthermore, we updated the Medicare
or Medicaid audit or evaluation
paragraph title to include Children’s
Health Insurance Program (CHIP) and,
in subsequent language, refer to
Medicare, Medicaid, and CHIP.
The § 2.53 revisions permit the part 2
program, not just the part 2 program
director, to determine who is qualified
to conduct an audit or evaluation of the
part 2 program. The revised language
also permits an audit or evaluation
necessary to meet the requirements of a
PO 00000
Frm 00052
Fmt 4701
Sfmt 4700
CMS-regulated ACO or similar CMSregulated organization (including a
CMS-regulated QE), under certain
conditions, by better aligning the
criteria in this section with those set
forth in the Affordable Care Act
(regulating ACOs, in part, at 42 U.S.C.
1395jjj). We have specified that such
ACO or similar CMS-regulated entities
must have in place administrative and/
or clinical systems. While the NPRM
indicated both types of systems were
required, it has been noted that some
ACO or similar CMS-regulated entities
will not have both clinical and
administrative systems. We also have
clarified in the final rule that the ACO
or similar CMS-regulated organization
(including a CMS-regulated QE) is
subject to periodic evaluations by, or
receives patient identifying information
from, CMS or its agents. To ensure that
patient identifying information is
protected, the ACO or similar CMSregulated organization (including a
CMS-regulated QE) that is the subject of,
or is conducting, the audit or evaluation
must have a signed Participation
Agreement with CMS or similar
documentation that demonstrates that
the organization and its auditors or
evaluators must conduct the audit and
evaluation activities in full compliance
with all applicable provisions of 42
U.S.C. 290dd–2 and 42 CFR part 2.
Public Comments
Several commenters provided
comments with regard to § 2.53, Audit
and Evaluation. A few commenters
discussed the application of this section
to Medicare and Medicaid. A couple of
commenters recommended clarifying
that Medicaid agencies are permitted
under the QSO exception to disclose
part 2 information to third-party payers
for audit or evaluation purposes. These
commenters also suggested that
Medicaid and other third-party payers
may use (third-party) contractors and
vendors to assist beneficiaries and
perform such activities as program
integrity activities. The commenters
argued that the QSO exception
described above should include
communications between third-party
payers such as Medicaid agencies and
other holders of part 2 data and QSOs
to help ensure ‘‘operational efficiency.’’
Another commenter suggested that the
revisions concerning the auditing
process and Participation Agreements
would be too burdensome, and would
be inconsistently applied because
Medicare and Medicaid do not have to
comply with the auditing requirements,
whereas providers do. Further, a couple
of commenters stated that part 2
programs would be confused in
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
attempting to decipher which
organizations have Participating
Agreements with CMS in place, further
exacerbating the existing compliance
issues with part 2. A commenter
requested that SAMHSA clarify whether
Medicaid program ACOs and external
quality review organizations (EQRO) are
considered ‘‘CMS-regulated’’ for the
purposes of permitted disclosures. The
commenter suggested that Medicaid
program entities should be considered
CMS-regulated entities.
SAMHSA Response
A QSO is an individual or entity that
provides a service to a part 2 program
consistent with a QSOA (see §§ 2.11,
Definitions; 2.12(c)(4), Applicability). A
QSOA is a two-way agreement between
a part 2 program and the individual or
entity providing the desired service.
Therefore, to be a QSO, the contracted
entity must be providing the service to
a part 2 program. The QSOA authorizes
communication only between the part 2
program and QSO. Third-party payers,
such as Medicaid, are not considered
part 2 programs as defined in this rule,
and are not eligible to have QSO
through a QSOA. That said, comments
to the proposed rule raised questions
that indicate that there may be varying
interpretations of the current (1987) part
2 rule’s restrictions regarding the use of
contractors/subcontractors in contexts
other than the QSO context, such as the
sharing of part 2 information by thirdparty payers with contractors and
subcontractors to carry out activities
related to audit and evaluation and
program integrity, and we intend to
address such scenarios with greater
clarity in an SNPRM.. As stated under
§ 2.12(a)(1), Restrictions on disclosures,
the restrictions on disclosures in these
regulations apply to any information,
whether recorded or not, which would
identify a patient as having or having
had a substance use disorder either
directly, by reference to publicly
available information, or through
verification of such information by
another person. Patient identifying
information that has been rendered nonidentifiable in a manner that creates a
very low risk of re-identification may be
disclosed.
With regard to the concern that the
proposed revisions to § 2.53 would be
burdensome and create confusion when
part 2 programs have to determine who
has a Participation Agreement or similar
documentation in place, CMS-regulated
entities that, among other requirements,
are subject to periodic evaluations by
CMS or its agents, or are required by
CMS to evaluate participants in the
ACO or similar CMS-regulated
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
organization (including a CMS-regulated
QE) relative to CMS-defined or
approved quality and/or cost measures
should be able to produce evidence that
they have Participation Agreements or
similar documentation in place with
CMS if requested by a part 2 program.
As to whether Medicaid program
ACOs and EQROs are considered ‘‘CMSregulated,’’ this rule explicitly states
that ACOs and similar organizations
regulated by CMS may, subject to
certain conditions, disclose or require
participants in the organization to
disclose part 2-covered information in
order for the organization to meet CMS
audit and evaluation requirements.
Other entities may also be considered
‘‘CMS-regulated’’ depending on the
particular circumstances, for example,
as a result of their direct supervision by
CMS, the establishment by CMS of
regulations governing their conduct or
qualification, or, in the case of Medicaid
and CHIP-related entities, CMS’
approval of state plans or waivers and
supervision of the state agencies.
Medicaid program ACOs and EQROs do
fit within the entities covered by the
audit and evaluation provisions of the
part 2 program. SAMHSA may further
elaborate on this topic in subregulatory
guidance issued following the
publication of the final rule.
Public Comments
A few commenters provided input on
SAMHSA’s proposal to permit audit or
evaluation necessary to meet the
requirements of a CMS-regulated ACO
or similar CMS-regulated organization
(including a CMS-regulated QE), under
certain conditions. A couple of
commenters recommended that
SAMHSA modify part 2 to permit CMS
to provide all claims with substance use
disorder treatment information through
the Claim and Claim Line Feed (CCLF)
file so patients can receive
comprehensive, quality treatment and
programs can operate more efficiently
and effectively. The commenters
suggested that because 42 U.S.C. 290dd2(b)(2)(B) permits substance use
disorder treatment program to disclose
treatment records without the consent of
the patient for the purpose of audits or
evaluation; § 2.53 of the proposed rule
also permits substance use disorder
treatment programs to disclose
treatment records to ACOs or other
CMS-regulated organizations to allow
the organizations to meet CMS’s audit
and evaluation requirements for
participation; therefore the provision
could be expanded, or clarified, to also
permit CMS to disclose substance use
disorder treatment information to ACOs
and bundled payment participants for
PO 00000
Frm 00053
Fmt 4701
Sfmt 4700
6103
audit and evaluation activities. Another
commenter expressed concern about the
expansion of the part 2 audit and
evaluation exception to include ACOs,
because ACOs are continually
‘‘auditing’’ programs as a continual
process of evaluating and monitoring
and part 2’s language makes clear that
an audit or evaluation is a time-limited
activity that is not intended to permit
ongoing access to program records. This
commenter asserted that the part 2 audit
and evaluation exception should not be
allowed to result in a practice that
circumvents the need to obtain a
patient’s consent to access their
information.
One commenter noted that CMS’s
application of part 2 in its removal of
substance use disorder treatment
information from the monthly CCLF, in
which CMS redacts any claim submitted
by any provider where a substance use
disorder is either the principal or
secondary diagnosis, causes CMS to
remove claims from the CCLF file that
are not produced by federally assisted
substance use disorder treatment
programs. The commenter urged
SAMHSA to work with CMS to develop
a pathway to include substance use
disorder treatment information in the
CCLF data file.
SAMHSA Response
CMS may disclose patient identifying
information to a CMS-regulated ACO or
similar CMS-regulated organization
(including a CMS-regulated QE) for
Medicare audit and evaluation purposes
pursuant to § 2.53(c), which provides
that ‘‘[p]atient identifying information,
as defined in § 2.11, may be disclosed
under paragraph (c) of this section to
any individual or entity for the purpose
of conducting a Medicare, Medicaid, or
CHIP audit or evaluation. . . .’’ Neither
the statute nor the part 2 regulations
define audit or evaluation. However,
under this section of the audit and
evaluation exception, the purpose of the
disclosure must be to conduct a
Medicare, Medicaid, or CHIP audit or
evaluation. This may include audit or
evaluation activities, such as reviews of
financial performance or the quality of
health care services delivered,
undertaken by the CMS-regulated
organization itself to review its own
performance. The exception does not
cover any activities conducted by ACOs
that may not be reasonably construed as
being related to such a purpose.
Public Comments
Commenters provided other
recommendations related to this section.
A commenter suggested that § 2.53(d)
should be revised to permit disclosure
E:\FR\FM\18JAR6.SGM
18JAR6
6104
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
of patient information to entities that
have administrative control over
auditors. Another commenter suggested
that SAMHSA consider allowing
‘‘lawful holders’’ the ability to share
information for audit and evaluation
services, with the agreement that the
service provider must adhere to part 2.
Another commenter recommended
that SAMHSA convene a group of state,
local, and provider representatives to
develop draft guidance.
SAMHSA Response
Regarding the suggestion that
§ 2.53(d) should be revised to permit
disclosure of patient information to
entities that have administrative control
over auditors, except as provided in
§ 2.53(c), patient identifying information
disclosed under this section may be
disclosed only back to the program from
which it was obtained and used only to
carry out an audit or evaluation purpose
or to investigate or prosecute criminal or
other activities, as authorized by a court
order entered under § 2.66.
As recommended by a commenter,
SAMHSA plans to develop and publish
subregulatory guidance regarding the
application of § 2.53 audit and
evaluation disclosures after publication
of this final rule.
P. Other Public Comments on the
Proposed Rule
1. Requests To Extend the Public
Comment Period
mstockstill on DSK3G9T082PROD with RULES6
Public Comments
Several commenters requested
extension to the public comment period.
Commenters stated the complexity and
importance of the rule warranted
additional time for reflection and
comment. A few commenters requested
that the comment period be extended
for one year to allow for a more open
process. A couple of commenters
suggested that in addition to extending
the comment period for one year, public
hearings also be held across the county.
SAMHSA Response
While SAMHSA recognizes that the
issues addressed in the part 2 NPRM are
complex and important, we concluded
that the 60-day comment period was
sufficient to provide the public a
meaningful opportunity to comment,
and this conclusion is supported by the
hundreds of complex and thoughtful
comments received. Additionally, the
NPRM was available to the public for a
preliminary review on the Federal
Register Web site upon submission of
the NPRM to the Federal Register,
which was several days prior to
publication, thereby providing
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
stakeholders additional time prior to the
publication date. Finally, on June 11,
2014, SAMHSA held a public listening
session and, invited through a Federal
Register notice, general comments, as
well as comments on six key provisions
of 42 CFR part 2.
2. Rulemaking Process
Public Comments
One commenter expressed concern
that SAMHSA did not summarize or
address specific comments from
stakeholders who participated in the
public listening sessions.
Another commenter said that the part
2 changes should move forward but
should be monitored and modified
accordingly over the next two to three
years.
SAMHSA Response
SAMHSA will undertake further
rulemaking as necessary and intends to
respond to issues raised with respect to
the part 2 regulations, as they have in
the past, through subregulatory
guidance.
SAMHSA considered all comments
received in the June 2014 public
Listening Session on the part 2
regulations. As explained in the NPRM,
feedback from the Listening Session was
considered and helped to inform the
development of the February 2016
NPRM (see 81 FR 6988, 6993). SAMHSA
posted all comments received in
response to the Listening Session
Federal Register Notice on its Web site:
https://www.samhsa.gov/about-us/whowe-are/laws-regulations/publiccomments-confidentiality-regulations.
3. Implementation Timeline and Other
Barriers to Implementation
Public Comments
To allay privacy concerns, a
commenter said that SAMHSA should
delay the proposed part 2 changes to
further develop its Consent2Share
application and encourage wider
adoption. Similarly, a commenter
recommended further testing and
evaluation on IT solutions before
issuing part 2 changes. This commenter
further urged SAMHSA to address these
issues in the final rule by specifically
detailing a process for updating the
Consent2Share tool so that its design
specifications remain compatible with
the rapidly advancing and very fluid
EHR design landscape.
SAMHSA Response
SAMHSA declines to accept these
recommendations to delay publication
of a final rule pending technology
developments or Congressional action.
PO 00000
Frm 00054
Fmt 4701
Sfmt 4700
Technology adoption is an ongoing
process, and the majority of current EHR
and HIE applications may not have the
capability to support the DS4P
initiative. In addition, paper records are
still used today in some part 2 programs
and shared through facsimile (FAX). In
addition, SAMHSA’s publication of a
final rule would not prevent further
Congressional action with respect to
part 2.
Public Comments
One commenter expressed concern
that applying electronic data
segmentation in conjunction with
patient privacy preferences can
significantly increase the complexity of
the workflow process and have
unintended consequences on system
performance and response times at the
point of care. The commenter
recommended that SAMHSA, in
conjunction with other federal agencies,
advisory bodies, such as the National
Committee on Vital and Health
Statistics (NCVHS), and public and
private stakeholders should convene
public discussions to evaluate the
possibility of data segmentation
standards in electronic systems, the
benefits and potential unintended
consequences that may result, along
with the associated costs and
anticipated consumer uses of such
standards and processes.
In addition to the technical
challenges, a commenter said that
SAMHSA should recognize other
barriers to implementation of part 2
changes, including complexity in
navigating individual state regulations,
challenges around mapping to clinical
codes, and lack of a standardized
service discovery mechanism to ensure
capability of exchanging systems to
evaluate the ability to receive and
interpret a tagged document.
SAMHSA Response
SAMHSA recognizes the concerns
expressed by the commenter; however,
SAMHSA’s jurisdiction is limited to
those regulations over which it has
authority. We note that the part 2
regulations permit, but do not require,
data segmentation.
4. Educational Opportunities
Public Comments
Some commenters urged SAMHSA to
provide trainings/webinars and
technical assistance after the final rule
is adopted so that substance use
disorder providers, other health care
providers, and patients will understand
the changes to ensure compliance with
the rule. Expressing concern that many
people will not understand the idea of
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
an HIE or a registry, one commenter
suggested creating paid space for a
nurse visit to walk a consumer through
the consent.
A few commenters encouraged
SAMHSA to invest in provider and
patient education efforts on the value of
integrated care, the role of information
sharing in enabling integrated care, how
the consent process works, patient
rights under 42 CFR part 2, and the
implications of providing consent to
share personal health information.
A commenter encouraged SAMHSA
to continue its efforts to provide
guidance as to how part 2’s
requirements can be incorporated into
HIE systems, suggesting that many of
the perceived part 2 issues can be
resolved by proper education regarding
the actual requirements and how
information can be exchanged pursuant
to part 2 with little, if any, additional
effort if proper operational practices are
utilized by health care providers and
management organizations.
One commenter suggested that
SAMHSA establish a consumer
engagement committee or seek input
from an existing national consumer
advisory council to support part 2
programs in complying with certain
areas of the rule, such as developing
user-friendly consent forms and crafting
educational materials for patients. One
commenter suggested that SAMHSA
contract with the Legal Action Center to
create a webinar or FAQ to provide
guidance to community health centers
and other ‘‘multi-use’’ organizations as
to the applicability of part 2.
Another commenter recommended
that SAMHSA develop educational
materials targeted at pharmacists
because of the pharmacy profession’s
growing role in substance use disorder
treatment.
SAMHSA Response
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA appreciates these comments
on educational opportunities and plans
to address specific commenter requests
in subregulatory guidance after the
publication of the final rule. SAMHSA
will consider additional educational
activities, such as trainings, webinars,
and establishing engagement
committees, should SAMHSA
determine the need during
implementation of the final rule.
5. Increased Enforcement
Public Comments
Some commenters urged SAMHSA to
ensure that part 2 provides for
meaningful enforcement and penalties,
with a few reasoning that the rule would
create new avenues for the exchanges of
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
patients’ substance use disorder
information, especially to other parts of
the health care system that may have
little to no experience treating substance
use disorder or complying with part 2.
One of these commenters asserted that
fines imposed for part 2 violations are
so minimal that they are not a deterrent
to intentional or accidental violations. A
commenter suggested that SAMHSA
adopt the HIPAA penalties contained in
the HITECH Act and specify that any
disclosures of information in violation
of this statute must be excluded from
evidence and deemed inadmissible for
use in any administrative, civil, or
criminal proceeding.
Urging SAMHSA to review and
correct the enforcement concerns of the
underlying statute, one commenter
argued that the current confidentiality
obligations have questionable
enforcement authority because there is
no express provision in Title 18
pertaining to the confidentiality of drug
and alcohol treatment records. Although
the original part 2 underlying statute set
forth specific fines, the commenter
explained that a subsequent revision (by
Pub. L. 102–321) eliminated the fines
leaving only a reference to Title 18.
Moreover, the commenter said that by
the proposed transfer of the existing
enforcement authority from FDA to
SAMHSA, the proposed rule appears to
remove enforcement authority that
actually exists to a potential state of
unenforceability. Similarly, another
commenter stated that SAMHSA does
not have legislative authority to impose
penalties for disclosure. No mention of
privacy law violation fines, penalties, or
offenses exist in Title 18. Thus, the
current confidentiality obligations have
no enforcement authority. The
commenter stated that entities receiving
unauthorized information would likely
not be subject to penalties unless a
common law breach of privacy lawsuit
is filed.
SAMHSA Response
The Department of Justice is
responsible for enforcing violations of
42 CFR part 2 in accordance with Title
18 of the United States Code. Title 42
U.S.C. 290dd-2 provides that ‘‘[a]ny
person who violates any provision of
[the] section or any regulation issued
pursuant to [the] section shall be fined
in accordance with title 18.’’ Reports of
violation of the regulations may be
directed to the United States Attorney’s
Office (USAO) for the judicial district in
which the violation occurs or may be
directed to SAMHSA for possible
referral to the relevant USAO. A report
of any violation of these regulations by
an opioid treatment program may be
PO 00000
Frm 00055
Fmt 4701
Sfmt 4700
6105
directed to the relevant USAO as well
as the SAMHSA office for opioid
treatment program oversight, pursuant
to 42 CFR part 8.
6. Other Miscellaneous Comments on
the Proposed Rule
Public Comments
A commenter suggested that
SAMHSA revise the title of part 2 to
‘‘Confidentiality of Patient Records
Relevant to Substance Use Disorders
and Associated Behavioral Diagnoses,’’
to ensure person-centered language is
used.
SAMHSA Response
To be consistent with recognized
classification manuals, current
diagnostic lexicon, and commonly used
descriptive terminology, SAMHSA
proposed to refer to alcohol abuse and
drug abuse collectively as ‘‘substance
use disorder,’’ and, for consistency,
proposed to revise the title of 42 CFR
part 2 from ‘‘Confidentiality of Alcohol
and Drug Abuse Patient Records’’ to
‘‘Confidentiality of Substance Use
Disorder Patient Records.’’
Public Comments
Some commenters made specific
suggestions or requested clarification
regarding parts of the part 2 regulations
that were not the subject of the
proposed changes in the NPRM. For
example, commenters addressed §§ 2.14
(Minor patients), 2.20 (Relationship to
state laws), and 2.21 (Relationship to
federal statutes protecting research
subjects against compulsory disclosure
of their identity).
SAMHSA Response
SAMHSA acknowledges commenters’
questions and suggestions relating to all
aspects of the part 2 regulations.
However, for purposes of this final rule,
SAMHSA generally considered
comments submitted on provisions for
which changes were not proposed in the
February 2016 NPRM to be outside of
the scope of this rulemaking. SAMHSA
will take such comments and
recommendations under advisement
and may issue subregulatory guidance
in the future to address some of these
issues brought up by commenters.
Public Comments
Another commenter also urged
SAMHSA to work with CMS to ensure
that when proper criteria are met, such
as through a QSOA and/or a signed
consent form, patient substance use
claim information is available to ACOs
through their CCLF files. Asserting that
it is a major blind spot in the ability of
an ACO to manage total care if it does
E:\FR\FM\18JAR6.SGM
18JAR6
6106
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
not have data on substance use disorder
data, a commenter encouraged
SAMHSA to work with CMS on ways to
effectively manage substance use
disorder care within the administration
of the ACO program. One commenter
suggested that SAMHSA work with
federal agencies, states, localities, and
providers to identify the cost/burden of
the rule on entities and professionals.
The commenter also recommended that
SAMHSA work with the CMS and the
Office of the National Coordinator for
Health Information Technology (ONC)
to align the rule with guidance
permitting the HITECH enhanced
funding for administrative costs to other
providers.
SAMHSA Response
SAMHSA will continue to work with
CMS and its other federal partners to
ensure the effective and timely
implementation of the part 2 final rule.
Public Comments
Because a state provides health care,
including federally funded substance
use disorder treatment programs, to
inmates in the state jail system, a
commenter stated that the part 2
regulations impact the methods by
which care is coordinated for inmates
and urged SAMHSA to consider part 2’s
impact on incarcerated populations.
SAMHSA Response
SAMHSA considered how the
regulations would impact part 2
programs and lawful holders of patient
identifying information, as well as other
stakeholders. All part 2 programs and
other lawful holders of patient
identifying information must comply
with part 2. If a jail or prison meets the
definition of a part 2 program, it would
be required to comply with part 2.
Public Comments
One commenter stated that there
should be an option for the patient to
have the ability to remove their
substance use disorder history from
their medical record after a ten-year
minimum time period.
mstockstill on DSK3G9T082PROD with RULES6
SAMHSA Response
Although SAMHSA is not prescribing
any specific retention period, the
expectation is the both paper and
electronic records would comply with
applicable federal, state, and local
retention laws.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Public Comments
A commenter requested that
SAMHSA provide a description of 42
CFR part 2-covered entities similar to
the designation under HIPAA.
SAMHSA Response
SAMHSA may address applicability
in subregulatory guidance or in
subsequent rulemaking.
VI. Rulemaking Analyses
A. Paperwork Reduction Act
Under the Paperwork Reduction Act
of 1995 (PRA), agencies are required to
provide a 60-day notice in the FR and
solicit public comment before a
collection of information requirement is
submitted to the Office of Management
and Budget (OMB) for review and
approval. We provided for this comment
period as part of the NPRM. The part 2
information collections are approved
under OMB Control No. 0930–0092, and
SAMHSA will shortly submit the
changes associated with this rule to
OMB for review.
This rule includes changes to
information collection requirements,
that is, reporting, recordkeeping or
third-party disclosure requirements, as
defined under the PRA (5 CFR part
1320). Some of the provisions involve
changes from the information
collections set out in the previous
regulations. Information collection
requirements are: (1) Section 2.13(d)—
Disclosure: Requires entities named by
patients using general designation under
§ 2.31(a)(4)(iv)(C) to provide a list of
entities to which the patient’s
information has been disclosed to
participants pursuant to the general
designation, (2) Section 2.22—
Disclosure: Requires each program
notify each patient that federal law and
regulations protect the confidentiality of
substance use disorder patient records
and provide a written summary of the
effect of this law and these regulations,
(3) Section 2.51—Recordkeeping: This
provision requires the program to
document a disclosure of a patient
record to authorized medical personnel
in a bona fide medical emergency as
defined in § 2.51. The regulation is
silent on retention period for keeping
these records as this will vary according
to state laws. It is expected that these
records will be kept as part of the
patients’ health records. The major
change from current (1987) regulations
is the list of disclosures requirement at
Section 2.13(d). SAMHSA proposed that
entities named on a consent form that
PO 00000
Frm 00056
Fmt 4701
Sfmt 4700
disclose patient identifying information
to their participants under the general
designation must provide patients, upon
request, a list of entities to which their
information has been disclosed
pursuant to a general designation (i.e.,
list of disclosures). Impact of this
provision is noted below. SAMHSA
notes that entities are not required to
use the general designation permitted
under § 2.31(a)(4)(iii)(B)(3)(i).
Under the PRA, the time, effort, and
financial resources necessary to meet
the information collection requirements
referenced in this section are to be
considered in rulemaking. The NPRM
solicited comments on PRA issues.
Commenters did not raise concerns
regarding the burden for information
collection requirements for the
recordkeeping and notification
provisions above. Though commenters
expressed concern about some aspects
of the list of disclosures requirements,
these comments did not suggest that the
burden of information collection would
increase for 42 CFR part 2-compliant
entities. Indeed, one commenter noted
that current practice for many facilities
to maintain both paper and electronic
records may be both burdensome and
inefficient. By promoting use of EHRs,
changes in this rule may help to
improve efficiency for providers. Some
commenters also hypothesized that
complying with the list of disclosures
requirement would require such steps as
developing a tracking system; or manual
review or audit of all records; and
mailing of letters through U.S. mail.
Entities should already be collecting
and retaining information needed to
comply with the list of disclosures
requirement. The final rule does not
impose requirements to manually
review all records, mail letters using the
U.S. Postal Service or develop a tracking
system specifically to comply with the
list of disclosures provisions. For
instance, we note below that entities
could comply with the List of
Disclosures requirement by either
collecting this information
electronically by using audit logs to
obtain the required information or by
keeping a paper record. Similarly, we
point out that list of disclosures may be
transmitted through such methods as
mail or email or through other means
preferred by the patient. We discuss the
list of disclosures requirements further
in the impact analysis section below.
Annual burden estimates for these
requirements are summarized in the
table below:
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
6107
TABLE 2—ANNUAL BURDEN ESTIMATES
Annual
number of
respondents
Responses
per
respondent
Total
responses
Hours per
response
Total hour
burden
Hourly wage
cost
Total cost
Disclosures
1 19,548
42 CFR 2.13 (d) ............................................
42 CFR 2.22 ..................................................
1
155
4 12,034
19,548
2 4.15
.20
81,124
372,338.6
3 $36.9175
5 1,861,693
6 40.26
$2,995,000
14,990,000
Recordkeeping
42 CFR 2.51 ..................................................
12,034
2
24,068
.167
4,019
7 34.16
137,000
Total .......................................................
8 31,582
........................
1,905,309
........................
457,482
........................
18,123,000
mstockstill on DSK3G9T082PROD with RULES6
1 The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the total number
of annual treatment admissions from SAMHSA’s 2010–2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests equal the average
of the total number of requests for a 0.1 percent request rate and a 2 percent request rate. SAMHSA notes that this estimate reflects the number of patient requests
rather than the number of impacted entities as some entities may receive more than one request.
2 The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3 hours for entities that
produce such a list from paper records. Because 90 percent of entities are estimated to collect the information electronically using an audit log and 10 percent are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 × 4 hours) + (0.1 × 3 hours)]. Including the estimated 15
minutes to prepare each list of disclosures for mailing or transmitting, the total estimated time for providing a patient a list of disclosures is 4.15 hours (3.9 hours +
0.25 hours).
3 The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of disclosures. The hourly
rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29–2071, 31–9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
4 The number of publicly funded alcohol and drug facilities based on SAMHSA’s 2013 National Survey of Substance Abuse Treatment Services (N–SSATS). The
estimated annual number of respondents, 12,034, is based on N–SSATS data and reflects facilities receiving federal funding. However, under N–SSATS an organization may complete survey responses for multiple facilities.
5 The average number of annual treatment admissions from SAMHSA’s 2010–2012 TEDS.
6 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code
(21–1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
7 Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code
(43–0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
8 The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of disclosures.
As described in greater detail in
Section VI.B, Regulatory Impact
Analysis, the respondents for the
collection of information under § 2.22
and 2.51 are publicly (federal, state, or
local) funded, assisted, or regulated
substance use disorder treatment
programs. The estimate of the number of
such programs (respondents) is based on
the results of the 2013 N–SSATS, and
the average number of annual total
responses is based on 2010–2012
information on patient admissions
reported to the Treatment Episode Data
Set (TEDS), approved under OMB
Control No. 0930–0106 and OMB
Control No. 0930–0335.
The respondents for the collection of
information under § 2.13(d) are entities
named on the consent form that disclose
information to their participants
pursuant to the general designation.
These entities primarily would be
organizations that facilitate the
exchange of health information (e.g.,
HIEs) or coordinate care (e.g., ACOs,
CCOs, and CPCMHs), but other
organizations, such as research
institutions, also may disclose patient
identifying information to their
participants (e.g., clinical researchers)
pursuant to the general designation on
the consent form. Because there are no
definitive data sources for this potential
range of organizations, we are not
associating requests for a list of
disclosures with any particular type of
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
organization. Consequently, the number
of organizations that must respond to
list of disclosures requests is based on
the total number of requests each year.
B. Regulatory Impact Analysis
1. Public Comments on Notice of
Proposed Rulemaking Regulatory
Impact Analysis
a. Support for Cost Estimates
Public Comments
SAMHSA received roughly 376
comments on the proposed rule.
However, relatively few comments
focused on the Regulatory Impact
Analysis. We respond to these
comments below and have made
changes in our analysis, when
appropriate, to reflect these comments.
A few commenters suggested that the
estimated costs outlined by SAMHSA in
the proposed rule are in line with actual
costs. For instance, one commenter
suggested that the estimated total cost of
$239 million over 10 years would not be
unduly burdensome and would improve
patient care and safety. A commenter
stated that costs would be minimal for
integrating the requirement properly to
sanitize and dispose of records into
training and instruction. Another
commenter stated that the costs related
to modifying release forms and training
staff would be absorbed by
organizations and would not impact
business processes. Explaining that in
PO 00000
Frm 00057
Fmt 4701
Sfmt 4700
order to reflect the revision in title of 42
CFR part 2, a modification of the printed
and on-line versions of applicable CFR
Titles would be necessary, a commenter
concluded that because of regular
updates to CFRs, the incorporation of
amendments made as part of this rule
should not result in a significant
economic impact.
SAMHSA Response
SAMHSA acknowledges and
appreciates the comments received that
expressed support for the cost estimates
in the NPRM. Though SAMSHA does
not attempt in this rule to quantify
benefits, it is important to note that
updates to 42 CFR part 2 may result in
long-term cost savings as well due to
improved care coordination and
integration and more efficient use of
data for research and performance
improvement purposes.
b. Assertions That SAMHSA
Underestimated Costs
Public Comments
Some commenters generally asserted
that the compliance and
implementation costs were
underestimated. One commenter
suggested that cost effectiveness of
complying with the proposed regulation
will impact members and patients
because of the additional costs
associated with implementation (e.g.,
outreach and education, changes to
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6108
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
consent forms), which undermines care
coordination and effective delivery of
services. Another commenter suggested
that the projected costs of complying
with part 2 should include costs for
other institutions that are affected with
re-disclosure of the provision; costs to
individual practitioners or health
organizations with few clinicians that
fall under part 2; vendor-related costs;
costs for software development and
upgrades should be added to the costs
of electronic record purchase and
maintenance; cost to HIE; and costs to
hire administrative staff.
A few commenters suggested that the
estimated $8,000 cost per facility to
implement consent management was
too low, failing to reflect fully
development, testing and process costs.
One commenter suggested that the
estimated $8,000 cost per facility to
implement consent management likely
does not consider vendor-related costs
such as development, testing, training,
adoption and process modifications that
may need to occur, only the cost of the
infrastructure investment. Commenters
urged SAMHSA and federal partners to
consider funding HIT adoption by
behavioral health providers. Another
commenter stated that the proposed rule
underestimated the cost of scaling
efforts to integrate DS4P and
Consent2Share, including upgrades and
iterations across EHR products.
Commenters also suggested SAMHSA
modify its DS4P efforts to reflect
updated 42 CFR part 2 requirements.
Lastly, a commenter suggested that the
estimate of $8,000 to comply with the
proposal underestimates the costs for
existing pharmacy management systems
to add new functionality and
applications and does not include other
software or security requirements,
training, or other implementation costs
associated with the proposed rule.
Another commenter generally suggested
that the estimated cost burden of
transitioning to a new consent form will
be greater than proposed in the
proposed rule.
Several commenters mentioned other
specific areas in which SAMHSA
underestimated costs. One commenter
suggested that the costs estimated
related to EHR customizations are
underestimated because there is no
current standard interoperability within
EHRs that address part 2 information.
Another commenter also shared their
own experience in which they estimated
a cost of $30,000 to comply with 42 CFR
part 2 when including 2 substance use
specialists as part of an integrated
treatment model using an electronic
health record. This commenter asserted
based on their own experience that if
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
small entities attempt to develop
integrated substance use disorder
treatment programs they may face
similar costs, including information
technology time and efforts to modify
EHRs to include restrictions on sharing
of 42 CFR part 2 information in an
integrated setting prohibitive. Another
commenter stated that time, resources
and training would be required to
implement proposed changes to §§ 2.12,
2.31, and 2.32, and that personnel and
financial constraints are common within
the health care industry. The
commenter estimated that the ability to
adapt currently used electronic health
records to segregate certain patient
information will also take considerable
effort and time. A commenter stated that
the proposed cost analysis associated
with staff training is inaccurate because
it assumes that only substance use
disorder counselors would need training
when, in actuality, other fields would
also need to be trained because they
could potentially become lawful holders
of the patient information (e.g., social
work, psychology, medicine, managed
care, HIE, research organizations). The
commenter added that additional work
will be needed to redact patient records
to be in compliance with the data
sharing elements related to information
that could identify a patient as a
substantive abuse disorder patient. A
commenter stated that the cost to
organizations to comply with the
requirement for U.S. mail transmissions
will be significant.
SAMHSA Response
Though commenters suggested
anecdotally that SAMHSA
underestimated the burden of 42 CFR
part 2-compliance, SAMHSA notes the
availability of data segmentation tools
such as Consent2Share, an open source
tool for consent management that is
compliant with 42 CFR part 2. As noted
above (in Section V.J.1.c), SAMHSA will
be shortly releasing an updated version
of Consent2Share with improved
functionality and ability to meet the list
of disclosures requirements. Provided
that a facility already is using electronic
health records and can partner with a
health information exchange using
Consent2Share or similar software,
SAMHSA believes based on current
efforts to pilot an updated version of
Consent2Share that a cost of between
$6,000 and $10,000 is reasonable. At the
individual clinic level, initial set-up,
training and testing are expected to
constitute the main expenses. D4SP,
Consent2Share, and similar tools make
it feasible for entities to comply with
updated 42 CFR part 2 requirements at
reasonable cost.
PO 00000
Frm 00058
Fmt 4701
Sfmt 4700
While we acknowledge comments
that entities other than those directly
subject to this rule may be impacted by
its provisions, including vendors of EHR
products, such impacts are outside the
scope of the regulation. We do not
mandate vendors to perform additional
activities. Nonetheless, SAMHSA will
monitor such impacts and, to the extent
feasible, work with stakeholders and
federal partners to develop fact sheets
and other materials to assist in outreach
to patients and others about changes
made in this rule. Likewise, while
SAMHSA is unable to directly fund
updates to EHRs, SAMHSA continues to
work closely with ONC and others to
ensure inclusion of behavioral health
providers in ongoing information
technology programs (See https://
www.samhsa.gov/health-informationtechnology/samhsas-efforts; https://
www.healthit.gov/policy-researchersimplementers/behavioral-health).
We acknowledge that the cost of
updating consent forms may be greater
than we had proposed and have made
changes to our cost estimates in this
final rule to reflect the need to update
forms to meet new requirements. We
note that most of these costs may only
need to be incurred once and in the past
some organizations have made sample
template forms and materials available
(See e.g., https://lac.org/resources/
substance-use-resources/confidentialityresources/sample-forms-confidentiality/
). SAMHSA may, at a future time,
develop sample templates and forms to
ease compliance costs.
c. Other Comments on Costs
Public Comments
Some commenters said existing
functionalities within EHR systems and
consent management tools do not easily
separate or redact substance use
disorder information from general
medical information when such systems
are shared across an integrated health
system. Similarly, commenters
expressed concern that the proposed
rule could have the opposite effect of its
intended purpose by causing HIEs to
exclude part 2 information from
information exchanges entirely since
most HIEs and EHRs today do not
support data segmentation. Asserting
that the proposed part 2 changes would
require HIEs to create an architecture for
data management that provides for the
segmentation of substance use disorder
and general behavioral health data from
physical health care data, including a
way to have consent operate differently
in each of the environments, one
commenter asserted that this is a costly
challenging administrative burden that
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
does nothing to promote the sharing of
information between all necessary
providers for the integration of
coordination of care.
A commenter suggested that the
financial burden of the proposed rule
would vary depending on the size or
complexity of the covered entity.
Another commenter asserted that the
rule should not be adopted because it
would result in increased health care
costs. The commenter stated that
SAMHSA is not able to estimate
additional costs that are likely to occur
when adding sensitive substantive
abuse disorder treatment information of
patients to electronic health information
systems without patient consent (e.g.,
additional security, costs related to
breaches, class action lawsuits for
breached information, and loss of
business due to breaches). The
commenter concluded that, because
these costs do not provide additional
substance use disorder or health care
services, and instead remove dollars
from health care services, the proposed
rule is in conflict with SAMHSA’s
proposed goal of reducing unnecessary
health care costs.
SAMHSA Response
SAMHSA agrees that costs may vary
based on an institution’s size,
complexity and patient population
served. However, we anticipate that
over time compliance costs will drop
significantly as institutions implement
initial compliance efforts. SAMHSA
notes that EHRs already are widely used
in many health care settings with no
evidence of class action lawsuits, loss of
business or other speculative impacts
(see e.g., https://dashboard.healthit.gov/
quickstats/quickstats.php). Though
SAMHSA is concerned about health
care costs, the use of EHRs is likely both
to improve care and reduce costs over
time. Changes made in this rule will
help to support EHR adoption and
integration of care. Though in general
EHR adoption among behavioral health
providers lags behind that of other
health care providers, forthcoming N–
SSATS data reflect that more than 25
percent of surveyed substance use
disorder treatment facilities used EHRs
only and more than half use EHRs and
paper-based records. Such growing
adoption by substance use disorder
treatment facilities reflects that EHR use
is consistent with good quality of care
and 42 CFR part 2 compliance.
2. Statement of Need
This final rule reflects changes in the
health care system and behavioral
health, such as the increasing use of
electronic health records and drive
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
toward greater integration of physical
and behavioral health care. Despite
efforts to enhance integration and
coordination of care, however, it
remains important to ensure persons
seeking treatment for substance use
disorders can remain confident as to the
safeguarding of their medical
information. This rule updates 42 CFR
part 2 to balance these important needs.
3. Overall Impact
SAMHSA examined the impacts of
this final rule as required by Executive
Order 12866 on Regulatory Planning
and Review (September 30, 1993),
Executive Order 13563 on Improving
Regulation and Regulatory Review
(January 18, 2011), the Regulatory
Flexibility Act (RFA) (September 19,
1980, Pub. L. 96–354), Section 1102(b)
of the Social Security Act, section 202
of the Unfunded Mandates Reform Act
of 1995 (March 22, 1995; Pub. L. 104–
4), Executive Order 13132 on
Federalism (August 4, 1999) and the
Congressional Review Act (5 U.S.C.
804(2)). Executive Orders 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). Section 3(f) of Executive Order
12866 defines a ‘‘significant regulatory
action’’ as an action that is likely to
result in a rule: (1) Having an annual
effect on the economy of $100 million
or more in any one year, or adversely
and materially affecting a sector of the
economy, productivity, competition,
jobs, the environment, public health or
safety, or state, local or tribal
governments or communities (also
referred to as ‘‘economically
significant’’); (2) creating a serious
inconsistency or otherwise interfering
with an action taken or planned by
another agency; (3) materially altering
the budgetary impacts of entitlement
grants, user fees, or loan programs or the
rights and obligations of recipients
thereof; or (4) raising novel legal or
policy issues arising out of legal
mandates, the President’s priorities, or
the principles set forth in the Executive
Order.
A regulatory impact analysis must be
prepared for major rules with
economically significant effects ($100
million or more in any one year). This
rule does not reach the economic
threshold and thus is not considered to
be an economically significant rule.
However, because this rule raises novel
policy issues arising out of legal
PO 00000
Frm 00059
Fmt 4701
Sfmt 4700
6109
mandates, the rule is considered ‘‘a
significant regulatory action,’’ this
regulatory impact analysis has been
prepared, and the rule has been
reviewed by OMB.
When estimating the total costs
associated with changes to the 42 CFR
part 2 regulations, we assumed five sets
of costs: updates to health IT systems
costs, costs for staff training and updates
to training curriculum, costs to update
patient consent forms, costs associated
with providing patients a list of entities
to which their information has been
disclosed pursuant to a general
designation on the consent form (i.e.,
the List of Disclosures requirement), and
implementation costs associated with
the List of Disclosures requirements. We
assumed that costs associated with
modifications to existing health IT
systems, staff training costs associated
with updating staff training materials,
and costs to update consent forms
would be one-time costs the first year
the final rule is in effect and would not
carry forward into future years. Staff
training costs other than those
associated with updating training
materials were assumed to be ongoing
annual costs to part 2 programs, also
beginning in the first year that the final
rule is in effect. The List of Disclosures
costs were assumed to be ongoing
annual costs to entities named on a
consent form that disclose patient
identifying information to their
participants under the general
designation. In the NPRM, SAMHSA
proposed to require non-treating
providers to implement the List of
Disclosures requirement at any time, but
they cannot use the general designation
without being able to provide a List of
Disclosures. Therefore, we assumed that
starting in year 1 ten percent of entities
would decide to implement each year,
resulting in 100 percent of entities
implementing by year 10. We note that
it is possible that some entities will
never implement this requirement and
choose to forego use of the general
designation.
We estimated, therefore, that in the
first year that the final rule is in effect,
the total costs associated with updates
to 42 CFR part 2 will be about $70,
691,000. In year two, we estimate that
costs will be roughly $17,680,000 and
increase annually as a larger share of
entities implement List of Disclosures
requirements and respond to disclosure
requests. Over the 10-year period of
2016–2025, the total undiscounted cost
of the part 2 changes will be about $241
million in 2016 dollars. When future
costs are discounted at 3 percent or 7
percent per year, the total costs become
approximately $217, 586,000 or
E:\FR\FM\18JAR6.SGM
18JAR6
6110
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
$193,098,000, respectively. These costs
are presented in the tables below.
TABLE 3—TOTAL COST OF 42 CFR PART 2 REVISIONS
[Note: Numbers may not add due to rounding]
[Note that all costs presented in this analysis are rounded to avoid communicating inaccurate levels of precision]
Year
Staff training costs
Consent form
updates
List of disclosures
Health IT costs
Total costs
(B)
(C)
(D)
(E)
$2,104,000
0
0
0
0
0
0
0
0
0
2,104,000
$4,930,000
5,242,000
5,554,000
5,866,000
6,178,000
6,490,000
6,802,000
7,114,000
7,426,000
7,738,000
63,338,000
[2016 dollars]
(A)
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
Total
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
.......................................................
$15,521,000
12,438,000
12,438,000
12,438,000
12,438,000
12,438,000
12,438,000
12,438,000
12,438,000
12,438,000
127,463,000
$48,136,000
0
0
0
0
0
0
0
0
0
48,136,000
$70,691,000
17,680,000
17,992,000
18,304,000
18,616,000
18,928,000
19,240,000
19,552,000
19,864,000
20,176,000
241,040,000
TABLE 4—TOTAL COST OF 42 CFR PART 2 REVISIONS—ANNUAL DISCOUNTING
[Note: Numbers may not add due to rounding]
Total costs
Total with 3% annual discounting
Total with 7% annual discounting
(E)
Year
(F)
(G)
[2016 dollars]
2016 ...........................................................................................................................
2017 ...........................................................................................................................
2018 ...........................................................................................................................
2019 ...........................................................................................................................
2020 ...........................................................................................................................
2021 ...........................................................................................................................
2022 ...........................................................................................................................
2023 ...........................................................................................................................
2024 ...........................................................................................................................
2025 ...........................................................................................................................
Total ...........................................................................................................................
Annualized .................................................................................................................
$70,691,000
17,680,000
17,992,000
18,304,000
18,616,000
18,928,000
19,240,000
19,552,000
19,864,000
20,176,000
241,040,000
..............................
$70,691,000
17,165,000
16,959,000
16,751,000
16,540,000
16,327,000
16,113,000
15,897,000
15,681,000
15,463,000
217,586,000
25,507,717.01
$70,691,000
16,523,000
15,715,000
14,941,000
14,202,000
13,495,000
12,820,000
12,176,000
11,561,000
10,974,200
193,098,000
27,492,811.02
mstockstill on DSK3G9T082PROD with RULES6
Note: Numbers may not add due to rounding.
The costs associated with the
proposed revisions stem from staff
training and updates to training
curriculum, updates to patient consent
forms, compliance with the List of
Disclosures requirement (including
implementation costs), and updates to
health IT infrastructure for information
exchange. Based on data from the 2013
N–SSATS, we estimated that 12,034
hospitals, outpatient treatment centers,
and residential treatment facilities are
covered by part 2. N–SSATS is an
annual survey of U.S. substance use
disorder treatment facilities. Data is
collected on facility location,
characteristics, and service utilization.
Not all treatment providers included in
N–SSATs are believed to be under the
jurisdiction of the part 2 regulations.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
The 12,034 number is a subset of the
14,148 substance use disorder treatment
facilities that responded to the 2013 N–
SSATS, and includes all federally
operated facilities, facilities that
reported receiving public funding other
than Medicare and Medicaid, facilities
that reported accepting Medicare,
Medicaid, TRICARE, and/or Access to
Recovery (ATR) voucher payments, or
were SAMHSA-certified Opioid
Treatment Programs. If a facility did not
have at least one of these conditions, it
was interpreted not to have received any
federal funding and, therefore, not
included in the estimate. The estimated
annual number of respondents, 12,034,
is based on N–SSATS data and reflects
facilities receiving federal funding.
However, under N–SSATS an
PO 00000
Frm 00060
Fmt 4701
Sfmt 4700
organization may complete survey
responses for multiple facilities it
oversees. Thus, an organization with
three facilities may complete three
separate surveys.
If an independently practicing
clinician does not meet the
requirements of paragraph (1) of the
definition of Program they may be
subject to 42 CFR part 2 if they
constitute an identified unit within a
general medical facility which holds
itself out as providing, and provides,
substance use disorder diagnosis,
treatment, or referral for treatment or if
their primary function in the facility or
practice is the provision of such services
and they are identified as providing
such services. Due to data limitations, it
was not possible to estimate the costs
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
for independently practicing providers
covered by part 2 that did not
participate in the 2013 N–SSATS. For
example, data from American Board of
Addiction Medicine (ABAM) provides
the number of physicians since 2000
who have active ABAM certification.
However, there is no source for the
number of physicians who have not
participated in the ABAM certification
process. In addition, it is not possible to
determine which ABAM-certified
physicians practice in a general medical
setting rather than in a specialty
treatment facility that was already
counted in the N–SSATS data.
Several provisions in the NPRM
referenced ‘‘other lawful holders of
patient identifying information’’ in
combination with part 2 programs.
These other lawful holders must comply
with part 2 requirements with respect to
information they maintain that is
covered by part 2 regulations. However,
because this group could encompass a
wide range of organizations, depending
on whether they received part 2 data via
patient consent or as a result of one of
the limited exceptions to the consent
requirement specified in the regulations,
we are unable to include estimates
regarding the number and type of these
organizations and only included part 2
programs in this analysis.
In addition to the part 2 programs
described above, SAMHSA proposed
that entities named on a consent form
that disclose patient identifying
information to their participants under
the general designation must provide
patients, upon request, a list of entities
to which their information has been
disclosed pursuant to a general
designation (i.e., list of disclosures).
These entities primarily would include
organizations that facilitate the
exchange of health information (e.g.,
HIEs), and may also include
organizations responsible for care
coordination (e.g., ACOs, CCOs, and
CPCMHs). The most recent estimates of
these types of entities are 67 functional,
publicly funded HIEs and 161
functional, privately funded HIEs in
2013.1 As of January 2015, there were an
estimated 744 ACOs covering
approximately 23.5 million
individuals.2 Finally, the National
Committee for Quality Assurance
(NCQA) recently noted that there are
now more than 10,000 NCQArecognized CPCMHs.3 While these types
of organizations were the primary focus
of this provision on the consent form,
other types of entities, such as research
institutions, may also disclose patient
identifying information to their
participants (e.g., clinical researchers)
pursuant to the general designation on
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
the consent form. Because there are no
definitive data sources for this potential
range of organizations, we are not
associating requests for lists of
disclosures with any particular type of
organization. We, instead, estimate the
number of organizations that must
respond to list of disclosures requests
based on the total number of requests
each year.
a. Direct Costs of Implementing the
Proposed Regulations
There is no known baseline estimate
of the current costs associated with 42
CFR part 2-compliance. However, as
reflected by commenters who requested
alignment between HIPAA and 42 CFR
part 2, HIPAA authorization and
notification requirements have
similarities to requirements of 42 CFR
part 2 (see https://www.hhs.gov/hipaa/
for-professionals/privacy/).
Instead, therefore, in the absence of data
and studies specifically focused on
compliance with 42 CFR part 2,
SAMHSA has estimated these costs
based on a range of published costs
associated with HIPAA implementation
and compliance.4 5
i. Staff Training
Because SAMHSA lacks specific data
regarding the cost of staff training to
comply with 42 CFR part 2, SAMHSA
has examined analogous HIPAA
implementation costs. A Standard
HIPAA training that meets or exceeds
the federal training requirements is, on
average, one hour long.6 Therefore, we
also estimated one hour of training per
staff to achieve proficiency in the 42
CFR part 2 regulations. To estimate the
labor costs associated with staff training,
we averaged the average hourly costs for
counseling staff in specialty treatment
centers ($20.33 7), hospital treatment
centers ($21.80 8), and solo practice
offices ($24.67 [9]). The resulting average
wage rate was $22.27 per hour. In order
to account for benefits and overhead
costs associated with staff time, we
multiplied the average hourly wage rate
by two. These estimates were only for
training costs associated with
counseling staff, who we assume will
have primary responsibility for
executing the functions associated with
the part 2 revisions.
It is important as well to note that
many current staff already have
familiarity with current (1987) 42 CFR
part 2 requirements. With regard to
training materials, most part 2 programs
are assumed to already have training
curricula in place that covers current
(1987) 42 CFR part 2 regulations, and,
therefore, these facilities would only
need to update existing training
PO 00000
Frm 00061
Fmt 4701
Sfmt 4700
6111
materials rather than develop new
materials. Part 2 entities may determine
the content of this training. The
American Hospital Association
estimated that the costs for the
development of Privacy and
Confidentiality training, which would
include the development of training
materials and instructor labor costs, was
$16 per employee training hour in
2000.[10] Because we assumed that part
2 programs would be updating existing
rather than developing entirely new
training materials, we estimated the cost
of training development to be one-half
of the cost of developing new materials,
or $8 per employee. Adjusted for
inflation,[11] training development costs
in 2016 would be $11.04 per employee.
Using SAMHSA’s 2010–2012 TEDS
average annual number of treatment
admissions (n=1,861,693) as an estimate
of the annual number of patients at part
2 programs and calculated staffing
numbers based on a range of counseling
staff-to-client ratios (i.e., 1 to 10 [12] and
1 to 5 [13] ). Based on these assumptions,
staff training costs associated with part
2 patient consent procedures were
projected to range from $10.3 million to
$20.7 million in 2016. We averaged the
two estimated costs for staff training to
determine the final overall estimate of
$15,521,000. We assumed the costs
associated with updating training
materials will be a one-time cost.
Therefore, in subsequent years, we
assumed the costs associated with staff
training would be a function of the
average hourly wage rate (multiplied by
two to account for benefits and
overhead costs) and the estimated
number of staff (developed based on the
same two staff-to-client ratios described
above multiplied by estimated patient
counts). Staff training costs associated
with part 2 revisions were projected to
range from $8.3 million to $16.6 million
after 2016. We averaged the two
estimated costs for staff training to
determine the final overall estimate of
$12,438,000.
ii. Updates to Consent Forms
Updates to the 42 CFR part 2
regulations will need to be reflected in
patient consent forms. As there is no
literature to date on costs to update
forms for 42 CFR part 2, we examined
results from a 2008 study from the Mayo
Clinic Health Care Systems [14] that
reported actuarial costs for HIPAA
implementation activities. These costs
were about $1 per patient visit.
Adjusted for inflation, costs associated
with updating the patient consent forms
in 2016 would be $1.13 per patient visit.
We used the average number of
substance abuse treatment admissions
E:\FR\FM\18JAR6.SGM
18JAR6
6112
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
from SAMHSA’s 2010–2012 TEDS as
our estimate of the number of clients
treated on an annual basis by part 2
facilities. The total cost burden
associated with updating the consent
forms to reflect to the updated 42 CFR
part 2 regulations would be
approximately $2,104,000 (1,861,693 *
$1.13).[14]
iii. List of Disclosures Costs
The proposed part 2 regulations allow
patients who have consented to disclose
their identifying information using a
general designation to request a list of
entities to which their information has
been disclosed pursuant to the general
designation. Under this final rule,
entities named on a consent form that
disclose patient identifying information
to their participants under the general
designation will be required to provide
a list of disclosures after receiving a
patient request. Under the List of
Disclosures requirements, a patient
could make a request, for example, to an
organization that facilitates the
exchange of health information (e.g., an
HIE) or an organization responsible for
coordinating care (e.g., an ACO) for a
list of disclosures that would include
the name of the entity to whom each
disclosure was made, the date of the
disclosure, and a brief description of the
patient identifying information
disclosed, and include this information
for all entities to whom the patient
identifying information has been
disclosed pursuant to the general
designation in the past two years.
For purposes of the analysis, we
assumed that entities disclosing patient
identifying information to their
participants pursuant to a patient’s
general designation on a consent form
are already collecting the information
necessary to comply with the List of
Disclosures requirement, in some form,
either electronically or using paper
records. We also assumed that these
entities could comply with the List of
Disclosures requirement by either
collecting this information
electronically by using audit logs to
obtain the required information or by
keeping a paper record. However, to
address possible concerns about
technical feasibility and other
implementation issues, SAMHSA
finalizes its proposal that the List of
Disclosures requirement may be
implemented at any time, but nontreating providers cannot use the
general designation without being able
to provide a List of Disclosures to allow
entities collecting this information time
to review their operations and business
processes and to decide whether
technological solutions are needed to
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
enable them to more efficiently comply
with the requirement.
In order to make preliminary
estimates of the implementation costs,
we first estimated the number of
potentially impacted entities based on
the anticipated number of patient
requests for a disclosure report in a
calendar year. We used the average
number of substance use disorder
treatment admissions from SAMHSA’s
2010–2012 TEDS (n = 1,861,693) as the
number of patients treated annually by
part 2 programs. We then used the
average of a 0.1 and 2 percent patient
request rate as our estimate of the
number of impacted entities (n =
19,548).
From there, we assumed 10 percent of
the impacted entities would use paper
records to comply with the disclosure
reporting requirements (n = 1,995) and
would have minimal implementation
costs. Among the remaining entities,
many may be able to comply with the
disclosure reporting requirements
without developing or implementing
new technologies. For entities that do
choose to either update their existing
capabilities or develop and implement
new technologies to facilitate
compliance, we assumed two sets of
costs: (1) Planning and policy
development costs and (2) system
update costs. SAMHSA notes that the
Office of the National Coordinator for
Health Information Technology and
other organizations are encouraging
adoption of electronic health records to
allow providers to access patient
records remotely, improve
communication with patients and other
providers and reduce errors (https://
www.healthit.gov/providersprofessionals/benefits-electronic-healthrecords-ehrs)). For these reasons, we
believe that the trend toward adoption
of electronic health records will
continue.
Absent any data on the number of
facilities that would require new
technology or the type of technology to
be implemented, we assumed that
twenty-five percent (n = 4,398) of the
remaining entities would choose to
upgrade their existing health IT systems.
The actual system upgrade costs will
vary considerably based on the type of
upgrades that are required. Some
entities may only require minor system
updates to streamline the reporting
requirements, while others may choose
to implement an entirely new system.
Given these data limitations, we
assumed an average, per-entity cost, of
$2,500 for planning development costs
and an average, per-entity cost, of
$8,000 for system upgrades for a total
cost of $10,500. We assume that ten
PO 00000
Frm 00062
Fmt 4701
Sfmt 4700
percent of entities will implement each
year, resulting in 100 percent of the
4,398 entities having implemented the
system planning and upgrades by year
10. The implementation costs for List of
Disclosures reporting compliance in
year 1, and each year thereafter, are
estimated to be approximately
$4,618,000 ([4,398*0.10] *
[8,000+2,500]). We acknowledge that
without better data on the number of
facilities that may require new
technology and the number of facilities
that would use the general designation
and therefore be required to comply
with the list of disclosures requirement,
this approach may overestimate or
underestimate the costs.
As entities begin to comply with the
disclosure reporting requirements, we
assumed that the majority of the costs
associated with the List of Disclosures
requirement would primarily come from
staff time needed to prepare a list of
disclosures upon a patient’s request. We
also assumed that the information
would need to be converted to a format
that is accessible to patients.
For those entities with a health IT
system, we expected that disclosure
information would be available in the
system’s audit log. We also assumed
that, unless the audit log has some sort
of electronic filtering system, it would
contain information above and beyond
the requirements for complying with a
request for a list of disclosures. We had
also assumed that the staff accessing
and filtering an audit log to compile the
information for lists of disclosures
would be health information
technicians. The average hourly rate for
health information technicians is $19.44
an hour.[15] In order to account for
benefits and overhead costs associated
with staff time, we multiplied the
hourly wage rate by two. Absent any
existing information on the amount of
time associated with producing a list of
disclosures from an audit log, we
assumed it would take a health
information technician half a day (or 4
hours) on average, to produce the list
from an audit log.
For entities using paper records to
track disclosures, we expected that a
staff member would need to gather and
aggregate the requested list of
disclosures from paper records. We
assumed medical record technicians
would be the staff with the primary
responsibility for compiling the
information for a list of disclosures. The
average hourly rate for medical record
technicians is $19.44 an hour an
hour.[16] In order to account for benefits
and overhead costs associated with staff
time, we multiplied the hourly wage
rate by two. Absent any existing
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
information on the amount of time
associated with producing a list of
disclosures from paper records, we
assumed it would take a medical record
technician 3 hours, on average, to
produce the list from paper records. [17]
The number of requests for a list of
disclosures will determine the overall
burden associated with the List of
Disclosures reporting requirements.
However, because this is a new
requirement, there were no data on
which to base an estimated number of
requests per year. We expected that the
rate of requests will be relatively low.
We therefore calculated the total costs
for two rates, 0.1 percent and 2 percent
of patients per year.
We used the average number of
substance use disorder treatment
admissions from SAMHSA’s 2010–2012
TEDS as the number of patients treated
annually by part 2 programs. Assuming
that 10 percent of patients making
requests (n = 186.17 to n = 3,723.39)
would request a list of disclosures from
entities that track disclosures through
paper records and 90 percent of patients
making requests (n = 1,675.52 to n =
33,510.47) would make such a request
of entities that track disclosures through
health IT audit logs, the estimated costs
to develop lists of disclosures range
from roughly $21,700 to $434,300 for
entities using paper records, and
$261,000 to $5,212,000 for entities using
audit logs. (These ranges reflect the
costs based on the two estimated patient
rates of request referenced above (i.e.,
0.1 percent and 2 percent of patients per
year)).
Once a list of disclosures has been
produced, it can be returned to the
patient either by email or mail. Since
the method of sending the list of
disclosures depends on patient
preference, we assumed that 50 percent
of the lists of disclosures would be sent
by email and 50 percent by first-class
mail. We assumed that mailing and
supply costs related to list of disclosures
notifications were $0.10 supply cost per
notification and $0.49 postage cost per
mailing. We also estimated that it would
take an administrative staff member 15
minutes to prepare each list of
disclosures for mailing and/or
transmitting, and that staff preparing the
letters earn $15.34 [18] per hour. In
order to account for benefits and
overhead costs associated with staff
time, we multiplied the hourly wage
rate by two. The estimated costs for list
of disclosures notifications range from
approximately $7, 700 to $154,000 for
notifications sent by first-class mail, and
$7, 140 to $143, 000 for notifications
sent by email.
To produce the final overall cost
estimate, we took the average of the
minimum and maximum estimated
costs to develop lists of disclosures by
entities collecting the information
electronically by using an audit log, and
the average of the minimum and
maximum estimated costs to develop
6113
lists of disclosures by entities using
paper records. We then added the
averages together to produce our
estimate of the total cost to entities to
develop lists of disclosures. Next we
took the average of the minimum and
maximum estimated costs for list of
disclosures notifications sent via email
and the minimum and maximum
estimated costs for such notifications
sent via first-class mail. We then added
these two averages together to produce
our estimate of the total cost to entities
for list of disclosures notifications.
Finally, the development and
notification costs for these lists of
disclosures were added together for the
final estimate of costs associated with
complying with List of Disclosures
reporting requirements. The total cost
for List of Disclosures reporting
compliance across all entities was
roughly $3,120,000 in 2016 dollars.
Complying with List of Disclosures
requirements is assumed to be an
ongoing, annual activity for entities that
have completed the system upgrade and
comply with the disclosure
requirements. Since we assume 10
percent of entities begin to comply with
the requirements each year, year 1
reporting compliance costs is roughly
$312,000 (3,120,000*0.10) and $624,000
(3,120, 000*0.20) in year 2, and
continues to increase each year until
year 10 all entities are complying and
have annual compliance costs of
$3,120,000
TABLE 5—TOTAL ESTIMATED DISCLOSURE REPORTING COSTS IN 2018
[Note: Numbers may not add due to rounding]
Minimum
estimated cost
Maximum
estimated cost
Average
estimated cost
Facilities with a Health IT System .............................................................................
Facilities without a Health IT System ........................................................................
$261,000
21,700
$5,212,000
434,300
$2,736,000
228,000
Total Costs .........................................................................................................
Average Number of Facilities ....................................................................................
..............................
..............................
..............................
..............................
2,964,000
19,548
TABLE 6—TOTAL ESTIMATED DISCLOSURE NOTIFICATION COSTS IN 2018
[Note: Numbers may not add due to rounding]
Minimum
estimated cost
Maximum
estimated cost
Average
estimated cost
$7,100
7,700
$143,000
154,000
$75,000
81,000
Total Costs .........................................................................................................
mstockstill on DSK3G9T082PROD with RULES6
Email Notification .......................................................................................................
First Class Mail Notification .......................................................................................
..............................
..............................
156,000
iv. IT Updates
SAMHSA, in collaboration with ONC
and federal and community
stakeholders, has developed
Consent2Share which is an open source
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
tool for consent management and data
segmentation that is designed to
integrate with existing EHR and HIE
systems. SAMHSA plans to release
shortly an updated version of
Consent2Share with improved
PO 00000
Frm 00063
Fmt 4701
Sfmt 4700
functionality and ability to meet list of
disclosures requirements.
The Consent2Share architecture has a
front-end, patient facing system known
as Patient Consent Management and a
backend control system known as
E:\FR\FM\18JAR6.SGM
18JAR6
6114
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
Access Control Services.
Communications with EHR vendors
indicated that the cost to facilities of
purchasing and installing additional
functionality to existing electronic
medical records applications, such as
Consent2Share, typically range from
$2,500 to $5,000. Because the add-on
systems for part 2 programs may be
more complex than standard patient
monitoring systems, we estimated that
the cost of adding the new functionality
would be approximately $8,000 per
facility. We also assumed that this
would be a one-time expense, rather
than a recurring cost, for each provider.
SAMHSA acknowledges that there may
be fluctuation in costs among affected
entities from the average cost. However,
though costs could possibly be higher
for some entities, information shared by
commenters was largely anecdotal and
it is unclear how such data could be
broadly extrapolated to a wide range of
entities.
Furthermore, national estimates
indicated that no more than 50 percent
of substance use disorder treatment
facilities have an operational
‘‘computerized administrative
information system.’’ [19] We, therefore,
estimated that only half of the 12,034
part 2 programs (i.e., 6,017 facilities)
would have operational health IT
systems that would require
modifications to account for the changes
to 42 CFR part 2. With 6,017 part 2
programs with operational information
systems, we estimated that each facility
would need to spend $8,000 to modify
their health IT system, which would
lead to a total burden for updating
health IT systems of $48.1 million.
Updating health IT systems would be a
one-time cost, and maintenance costs
should be part of general health IT
maintenance costs in later years. The
final rule does not require that part 2
programs adopt health IT systems so
there are no health IT costs associated
with substance use disorder treatment
facilities that continue to use paper
records.
C. Regulatory Flexibility Act (RFA)
The RFA requires agencies to analyze
options for regulatory relief of small
entities. For purposes of the RFA, small
entities include small businesses,
nonprofit organizations, and small
governmental jurisdictions. Most
hospitals and most other providers are
small entities, either by nonprofit status
or by having revenues of less than $7.5
million to $38.5 million in any one year.
Individuals and states are not included
in the definition of a small entity. We
are not preparing an analysis for the
RFA because we have determined, and
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
the Secretary certifies, that this final
rule will not have a significant
economic impact on a substantial
number of small entities. While the
changes in the regulations will apply to
all part 2 programs, the impact on these
entities would be quite small.
Specifically, as described in the Overall
Impact section, the cost to part 2
programs associated with updates to 42
CFR part 2 in the first year that the final
rule is in effect will be $76.1 million, a
figure that due to a number of one-time
updates, is the highest for any of the 10
years estimated. The per-entity
economic impact in the first year will be
approximately $6,300 ($76,100,000 ÷
12,034), a figure that is unlikely to
represent 3 percent of revenues for 5
percent of impacted small entities.
Consequently, it has been determined
that the final rule will not have a
significant economic impact on small
entities.
In addition, Section 1102(b) of the Act
requires us to prepare a regulatory
impact analysis if a rule may have a
significant impact on the operations of
a substantial number of small rural
hospitals. This analysis must conform to
the provisions of Section 603 of the
RFA. For purposes of Section 1102(b) of
the Act, we defined a small rural
hospital as a hospital that is located
outside of a Metropolitan Statistical
Area for Medicare payment regulations
and has fewer than 100 beds. We are not
preparing an analysis for Section
1102(b) of the Act because we have
determined, and the Secretary certifies,
that this final rule will not have a
significant impact on the operations of
a substantial number of small rural
hospitals.
D. Unfunded Mandates Reform Act
Section 202 of the Unfunded
Mandates Reform Act of 1995 also
requires that agencies assess anticipated
costs and benefits before issuing any
rule whose mandates require spending
in any one year of $100 million in 1995
dollars, updated annually for inflation.
In 2016, that threshold is approximately
$146 million. This rule will have no
consequential effect on state, local, or
tribal governments or on the private
sector.
E. Federalism (Executive Order 13132)
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a
proposed rule (and subsequent final
rule) that imposes substantial direct
requirement costs on state and local
governments, preempts state law, or
otherwise has Federalism implications.
Since this rule does not impose any
PO 00000
Frm 00064
Fmt 4701
Sfmt 4700
costs on state or local governments, the
requirements of Executive Order 13132
are not applicable.
SAMHSA is modernizing 42 CFR part
2. With respect to our revisions to the
part 2 regulations, we do not believe
that this final rule will have a
significant impact as it gives more
flexibility to individuals and entities
covered by 42 CFR part 2 but also adds
privacy protections within the consent
requirements for the patient. We are
revising the part 2 regulations in
response to concerns that 42 CFR part
2 was outdated and burdensome.
Executive Order 13132 on Federalism
(August 4, 1999) establishes certain
requirements that an agency must meet
when it promulgates a proposed rule
(and subsequent final rule) that imposes
substantial direct requirement costs on
state and local governments, preempts
state law, or otherwise has Federalism
implications. We have reviewed this
final rule under the threshold criteria of
Executive Order 13132, Federalism, and
have determined that it will not have
substantial direct effects on the rights,
roles, and responsibilities of states, local
or tribal governments.
Conclusion
SAMHSA is enacting changes to
modernize 42 CFR part 2. With respect
to our revisions to the regulations, we
do not believe that this final rule will
have a significant impact as it gives
more flexibility to individuals and
entities covered by 42 CFR part 2 but
also increases privacy protections
within the consent requirements and
adds an additional confidentiality
safeguard for patients. This final rule
does not reach the threshold for
requiring a regulatory impact analysis
by Executive Orders 12866 and 13563
and thus is not considered an
economically significant rule. This rule
will not have a significant economic
impact on a substantial number of small
entities. This rule will not have a
significant impact on the operations of
a substantial number of small rural
hospitals. Since this rule does not
impose any costs on state or local
governments, the requirements of
Executive Order 13132 on federalism
are not applicable.
Footnotes
1. Trends in Health Information Exchanges
(Trends in Health Information Exchanges)
https://innovations.ahrq.gov/perspectives/
trends-health-information-exchanges#3.
2. Muhlestein, D. (2015). Growth and
Dispersion of Accountable Care
Organizations in 2015. Health Affairs Blog,
19.
3. National Committee for Quality
Assurance. A Victory Lap . . . For Patients.
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
Blog, May 15, 2015. https://blog.ncqa.org/avictory-lap-for-patients/.
4. Kilbridge, P. (2003). The cost of HIPAA
compliance. New England Journal of
Medicine, 348(15), 1423–1477.
5. Williams, A.R., Herman, D.C., Moriarty,
J.P., Beebe, T.J., Bruggeman, S.K., Klavetter,
E.W. & Bartz, J.K. (2008). HIPAA costs and
patient perceptions of privacy safeguards at
Mayo Clinic. Joint Commission Journal on
Quality and Patient Safety, 34 (1), 27–35.
6. 65 FR 82462, 82770 (Dec. 28, 2000)
(Standards for Privacy of Individually
Identifiable Health Information).
7. Bureau of Labor Statistics, U.S.
Department of Labor, Occupational
Employment Statistics, [accessed May 2,
2015] Outpatient Mental Health and
Substance Abuse Centers (NAICS code
621420), Standard Occupations Classification
code (211011) [www.bls.gov/oes/].
8. Bureau of Labor Statistics, U.S.
Department of Labor, Occupational
Employment Statistics, [accessed May 2,
2014] Psychiatric and Substance Abuse
Hospitals (NAICS code 622200), Standard
Occupations Classification code (211011)
[www.bls.gov/oes/].
9. Bureau of Labor Statistics, U.S.
Department of Labor, Occupational
Employment Statistics, [accessed September
23, 2014] Offices of Mental Health
Practitioners (except Physicians) (NAICS
code 621330), Standard Occupations
Classification code (211011) [www.bls.gov/
oes/].
10. These estimates are not HHS estimates
nor are they HHS-endorsed cost estimates of
HIPAA implementation and compliance.
11. Calculated using the Consumer Price
Index.
12. North Carolina NC Administrative
Code [accessed September 23, 2014]. [https://
reports.oah.state.nc.us/ncac/title%2010a
%20-%20health%20and%20human%20
services/chapter%2013%20-%20nc%20
medical%20care%20commission/subchapter
%20b/10a%20ncac%2013b%20.5203.pdf.]
13. Commonwealth of Pennsylvania—
Department of Health Staffing Requirements
for Drug and Alcohol Treatment Activities
[accessed September 23, 2014]. [https://
www.pacode.com/secure/data/028/
chapter704/s704.12.html.]
14. Williams, A.R., Herman, D.C., Moriarty,
J.P., Beebe, T.J., Bruggeman, S.K., Klavetter,
E.W. & Bartz, J.K. (2008). HIPAA costs and
patient perceptions of privacy safeguards at
Mayo Clinic. Joint Commission Journal on
Quality and Patient Safety, 34 (1), 27–35.
15. Bureau of Labor Statistics, U.S.
Department of Labor, Occupational
Employment Statistics, Standard
Occupations Classification code (29–2071)
[www.bls.gov/oes/].
16. IBID.
17. For facilities that maintain paper
records, consent forms would indicate who
has been given access to the record. By
contrast, our understanding of health IT audit
logs is that they include a record of all
instances in which a record has been
accessed. The audit log will include a record
of who accessed the system, the date the
record was accessed, and what operations
were performed. The audit logs, therefore,
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
will include considerably more data than
what we would anticipate finding in paper
records. Unless the audit log has an
electronic filtering system, we are assuming
that a health information technician will
need to manually review all records in an
audit log in order to compile the necessary
information for a list of disclosures.
18. Bureau of Labor Statistics, U.S.
Department of Labor, Occupational
Employment Statistics, [accessed June 3,
2015], Standard Occupations Classification
code (31–9092) [www.bls.gov/oes/].
19. McLellan, A.T., Kathleen Meyers, K.,
Contemporary addiction treatment: A review
of systems problems for adults and
adolescents, Biological Psychiatry, Volume
56, Issue 10, 15 November 2004, Pages 764–
770, ISSN 0006–3223, https://dx.doi.org/
10.1016/j.biopsych.2004.06.018.
List of Subjects in 42 CFR Part 2
Alcohol abuse, Alcoholism, Drug
abuse, Grant programs-health, Health
records, Privacy, Reporting, and
Recordkeeping requirements.
■ For the reasons stated in the preamble
of this final rule, SAMHSA revises 42
CFR part 2 to read as follows:
PART 2—CONFIDENTIALITY OF
SUBSTANCE USE DISORDER PATIENT
RECORDS
Subpart A—Introduction
Sec.
2.1 Statutory authority for confidentiality of
substance use disorder patient records.
2.2 Purpose and effect.
2.3 Criminal penalty for violation.
2.4 Reports of violations.
Subpart B—General Provisions
Sec.
2.11 Definitions.
2.12 Applicability.
2.13 Confidentiality restrictions and
safeguards.
2.14 Minor patients.
2.15 Incompetent and deceased patients.
2.16 Security for records.
2.17 Undercover agents and informants.
2.18 Restrictions on the use of
identification cards.
2.19 Disposition of records by discontinued
programs.
2.20 Relationship to state laws.
2.21 Relationship to federal statutes
protecting research subjects against
compulsory disclosure of their identity.
2.22 Notice to patients of federal
confidentiality requirements.
2.23 Patient access and restrictions on use.
Subpart C—Disclosures with Patient
Consent
Sec.
2.31 Consent requirements.
2.32 Prohibition on re-disclosure.
2.33 Disclosures permitted with written
consent.
2.34 Disclosures to prevent multiple
enrollments.
2.35 Disclosures to elements of the criminal
justice system which have referred
patients.
PO 00000
Frm 00065
Fmt 4701
Sfmt 4700
6115
Subpart D—Disclosures without Patient
Consent
Sec.
2.51 Medical emergencies.
2.52 Research.
2.53 Audit and evaluation.
Subpart E—Court Orders Authorizing
Disclosure and Use
Sec.
2.61 Legal effect of order.
2.62 Order not applicable to records
disclosed without consent to researchers,
auditors and evaluators.
2.63 Confidential communications.
2.64 Procedures and criteria for orders
authorizing disclosures for noncriminal
purposes.
2.65 Procedures and criteria for orders
authorizing disclosure and use of records
to criminally investigate or prosecute
patients.
2.66 Procedures and criteria for orders
authorizing disclosure and use of records
to investigate or prosecute a part 2
program or the person holding the
records.
2.67 Orders authorizing the use of
undercover agents and informants to
criminally investigate employees or
agents of a part 2 program.
Authority: 42 U.S.C. 290dd–2.
Subpart A—Introduction
§ 2.1 Statutory authority for confidentiality
of substance use disorder patient records.
Title 42, United States Code, Section
290dd–2(g) authorizes the Secretary to
prescribe regulations. Such regulations
may contain such definitions, and may
provide for such safeguards and
procedures, including procedures and
criteria for the issuance and scope of
orders, as in the judgment of the
Secretary are necessary or proper to
effectuate the purposes of this statute, to
prevent circumvention or evasion
thereof, or to facilitate compliance
therewith.
§ 2.2
Purpose and effect.
(a) Purpose. Pursuant to 42 U.S.C.
290dd–2(g), the regulations in this part
impose restrictions upon the disclosure
and use of substance use disorder
patient records which are maintained in
connection with the performance of any
part 2 program. The regulations in this
part include the following subparts:
(1) Subpart B of this part: General
Provisions, including definitions,
applicability, and general restrictions;
(2) Subpart C of this part: Disclosures
with Patient Consent, including
disclosures which require patient
consent and the consent form
requirements;
(3) Subpart D of this part: Disclosures
without Patient Consent, including
disclosures which do not require patient
E:\FR\FM\18JAR6.SGM
18JAR6
6116
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
consent or an authorizing court order;
and
(4) Subpart E of this part: Court
Orders Authorizing Disclosure and Use,
including disclosures and uses of
patient records which may be made
with an authorizing court order and the
procedures and criteria for the entry and
scope of those orders.
(b) Effect. (1) The regulations in this
part prohibit the disclosure and use of
patient records unless certain
circumstances exist. If any circumstance
exists under which disclosure is
permitted, that circumstance acts to
remove the prohibition on disclosure
but it does not compel disclosure. Thus,
the regulations do not require disclosure
under any circumstances.
(2) The regulations in this part are not
intended to direct the manner in which
substantive functions such as research,
treatment, and evaluation are carried
out. They are intended to ensure that a
patient receiving treatment for a
substance use disorder in a part 2
program is not made more vulnerable by
reason of the availability of their patient
record than an individual with a
substance use disorder who does not
seek treatment.
(3) Because there is a criminal penalty
for violating the regulations, they are to
be construed strictly in favor of the
potential violator in the same manner as
a criminal statute (see M. Kraus &
Brothers v. United States, 327 U.S. 614,
621–22, 66 S. Ct. 705, 707–08 (1946)).
§ 2.3
Criminal penalty for violation.
Under 42 U.S.C. 290dd–2(f), any
person who violates any provision of
this section or any regulation issued
pursuant to this section shall be fined in
accordance with Title 18 of the U.S.
Code.
mstockstill on DSK3G9T082PROD with RULES6
§ 2.4
Reports of violations.
(a) The report of any violation of the
regulations in this part may be directed
to the United States Attorney for the
judicial district in which the violation
occurs.
(b) The report of any violation of the
regulations in this part by an opioid
treatment program may be directed to
the United States Attorney for the
judicial district in which the violation
occurs as well as to the Substance
Abuse and Mental Health Services
Administration (SAMHSA) office
responsible for opioid treatment
program oversight.
Subpart B—General Provisions
§ 2.11
Definitions.
For purposes of the regulations in this
part:
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Central registry means an organization
which obtains from two or more
member programs patient identifying
information about individuals applying
for withdrawal management or
maintenance treatment for the purpose
of avoiding an individual’s concurrent
enrollment in more than one treatment
program.
Diagnosis means any reference to an
individual’s substance use disorder or to
a condition which is identified as
having been caused by that substance
use disorder which is made for the
purpose of treatment or referral for
treatment.
Disclose means to communicate any
information identifying a patient as
being or having been diagnosed with a
substance use disorder, having or
having had a substance use disorder, or
being or having been referred for
treatment of a substance use disorder
either directly, by reference to publicly
available information, or through
verification of such identification by
another person.
Federally assisted—see § 2.12(b).
Informant means an individual:
(1) Who is a patient or employee of a
part 2 program or who becomes a
patient or employee of a part 2 program
at the request of a law enforcement
agency or official; and
(2) Who at the request of a law
enforcement agency or official observes
one or more patients or employees of
the part 2 program for the purpose of
reporting the information obtained to
the law enforcement agency or official.
Maintenance treatment means longterm pharmacotherapy for individuals
with substance use disorders that
reduces the pathological pursuit of
reward and/or relief and supports
remission of substance use disorderrelated symptoms.
Member program means a withdrawal
management or maintenance treatment
program which reports patient
identifying information to a central
registry and which is in the same state
as that central registry or is in a state
that participates in data sharing with the
central registry of the program in
question.
Minor, as used in the regulations in
this part, means an individual who has
not attained the age of majority
specified in the applicable state law, or
if no age of majority is specified in the
applicable state law, the age of 18 years.
Part 2 program means a federally
assisted program (federally assisted as
defined in § 2.12(b) and program as
defined in this section). See § 2.12(e)(1)
for examples.
Part 2 program director means:
PO 00000
Frm 00066
Fmt 4701
Sfmt 4700
(1) In the case of a part 2 program that
is an individual, that individual.
(2) In the case of a part 2 program that
is an entity, the individual designated as
director or managing director, or
individual otherwise vested with
authority to act as chief executive officer
of the part 2 program.
Patient means any individual who has
applied for or been given diagnosis,
treatment, or referral for treatment for a
substance use disorder at a part 2
program. Patient includes any
individual who, after arrest on a
criminal charge, is identified as an
individual with a substance use
disorder in order to determine that
individual’s eligibility to participate in
a part 2 program. This definition
includes both current and former
patients.
Patient identifying information means
the name, address, social security
number, fingerprints, photograph, or
similar information by which the
identity of a patient, as defined in this
section, can be determined with
reasonable accuracy either directly or by
reference to other information. The term
does not include a number assigned to
a patient by a part 2 program, for
internal use only by the part 2 program,
if that number does not consist of or
contain numbers (such as a social
security, or driver’s license number) that
could be used to identify a patient with
reasonable accuracy from sources
external to the part 2 program.
Person means an individual,
partnership, corporation, federal, state
or local government agency, or any
other legal entity, (also referred to as
‘‘individual or entity’’).
Program means:
(1) An individual or entity (other than
a general medical facility) who holds
itself out as providing, and provides,
substance use disorder diagnosis,
treatment, or referral for treatment; or
(2) An identified unit within a general
medical facility that holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment, or referral
for treatment; or
(3) Medical personnel or other staff in
a general medical facility whose
primary function is the provision of
substance use disorder diagnosis,
treatment, or referral for treatment and
who are identified as such providers.
Qualified service organization means
an individual or entity who:
(1) Provides services to a part 2
program, such as data processing, bill
collecting, dosage preparation,
laboratory analyses, or legal, accounting,
population health management, medical
staffing, or other professional services,
or services to prevent or treat child
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
abuse or neglect, including training on
nutrition and child care and individual
and group therapy, and
(2) Has entered into a written
agreement with a part 2 program under
which that individual or entity:
(i) Acknowledges that in receiving,
storing, processing, or otherwise dealing
with any patient records from the part
2 program, it is fully bound by the
regulations in this part; and
(ii) If necessary, will resist in judicial
proceedings any efforts to obtain access
to patient identifying information
related to substance use disorder
diagnosis, treatment, or referral for
treatment except as permitted by the
regulations in this part.
Records means any information,
whether recorded or not, created by,
received, or acquired by a part 2
program relating to a patient (e.g.,
diagnosis, treatment and referral for
treatment information, billing
information, emails, voice mails, and
texts). For the purpose of the regulations
in this part, records include both paper
and electronic records.
Substance use disorder means a
cluster of cognitive, behavioral, and
physiological symptoms indicating that
the individual continues using the
substance despite significant substancerelated problems such as impaired
control, social impairment, risky use,
and pharmacological tolerance and
withdrawal. For the purposes of the
regulations in this part, this definition
does not include tobacco or caffeine use.
Third-party payer means an
individual or entity who pays and/or
agrees to pay for diagnosis or treatment
furnished to a patient on the basis of a
contractual relationship with the patient
or a member of the patient’s family or
on the basis of the patient’s eligibility
for federal, state, or local governmental
benefits.
Treating provider relationship means
that, regardless of whether there has
been an actual in-person encounter:
(1) A patient is, agrees to, or is legally
required to be diagnosed, evaluated,
and/or treated, or agrees to accept
consultation, for any condition by an
individual or entity, and;
(2) The individual or entity
undertakes or agrees to undertake
diagnosis, evaluation, and/or treatment
of the patient, or consultation with the
patient, for any condition.
Treatment means the care of a patient
suffering from a substance use disorder,
a condition which is identified as
having been caused by the substance
use disorder, or both, in order to reduce
or eliminate the adverse effects upon the
patient.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Undercover agent means any federal,
state, or local law enforcement agency
or official who enrolls in or becomes an
employee of a part 2 program for the
purpose of investigating a suspected
violation of law or who pursues that
purpose after enrolling or becoming
employed for other purposes.
Withdrawal management means the
use of pharmacotherapies to treat or
attenuate the problematic signs and
symptoms arising when heavy and/or
prolonged substance use is reduced or
discontinued.
§ 2.12
Applicability.
(a) General—(1) Restrictions on
disclosure. The restrictions on
disclosure in the regulations in this part
apply to any information, whether or
not recorded, which:
(i) Would identify a patient as having
or having had a substance use disorder
either directly, by reference to publicly
available information, or through
verification of such identification by
another person; and
(ii) Is drug abuse information obtained
by a federally assisted drug abuse
program after March 20, 1972 (part 2
program), or is alcohol abuse
information obtained by a federally
assisted alcohol abuse program after
May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is
maintained by a part 2 program after
that date as part of an ongoing treatment
episode which extends past that date;
for the purpose of treating a substance
use disorder, making a diagnosis for that
treatment, or making a referral for that
treatment.
(2) Restriction on use. The restriction
on use of information to initiate or
substantiate any criminal charges
against a patient or to conduct any
criminal investigation of a patient (42
U.S.C. 290dd–2(c)) applies to any
information, whether or not recorded,
which is drug abuse information
obtained by a federally assisted drug
abuse program after March 20, 1972
(part 2 program), or is alcohol abuse
information obtained by a federally
assisted alcohol abuse program after
May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is
maintained by a part 2 program after
that date as part of an ongoing treatment
episode which extends past that date;
for the purpose of treating a substance
use disorder, making a diagnosis for the
treatment, or making a referral for the
treatment.
(b) Federal assistance. A program is
considered to be federally assisted if:
(1) It is conducted in whole or in part,
whether directly or by contract or
otherwise by any department or agency
PO 00000
Frm 00067
Fmt 4701
Sfmt 4700
6117
of the United States (but see paragraphs
(c)(1) and (2) of this section relating to
the Department of Veterans Affairs and
the Armed Forces);
(2) It is being carried out under a
license, certification, registration, or
other authorization granted by any
department or agency of the United
States including but not limited to:
(i) Participating provider in the
Medicare program;
(ii) Authorization to conduct
maintenance treatment or withdrawal
management; or
(iii) Registration to dispense a
substance under the Controlled
Substances Act to the extent the
controlled substance is used in the
treatment of substance use disorders;
(3) It is supported by funds provided
by any department or agency of the
United States by being:
(i) A recipient of federal financial
assistance in any form, including
financial assistance which does not
directly pay for the substance use
disorder diagnosis, treatment, or referral
for treatment; or
(ii) Conducted by a state or local
government unit which, through general
or special revenue sharing or other
forms of assistance, receives federal
funds which could be (but are not
necessarily) spent for the substance use
disorder program; or
(4) It is assisted by the Internal
Revenue Service of the Department of
the Treasury through the allowance of
income tax deductions for contributions
to the program or through the granting
of tax exempt status to the program.
(c) Exceptions— (1) Department of
Veterans Affairs. These regulations do
not apply to information on substance
use disorder patients maintained in
connection with the Department of
Veterans Affairs’ provision of hospital
care, nursing home care, domiciliary
care, and medical services under Title
38, U.S.C. Those records are governed
by 38 U.S.C. 7332 and regulations
issued under that authority by the
Secretary of Veterans Affairs.
(2) Armed Forces. The regulations in
this part apply to any information
described in paragraph (a) of this
section which was obtained by any
component of the Armed Forces during
a period when the patient was subject
to the Uniform Code of Military Justice
except:
(i) Any interchange of that
information within the Armed Forces;
and
(ii) Any interchange of that
information between the Armed Forces
and those components of the
Department of Veterans Affairs
furnishing health care to veterans.
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6118
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
(3) Communication within a part 2
program or between a part 2 program
and an entity having direct
administrative control over that part 2
program. The restrictions on disclosure
in the regulations in this part do not
apply to communications of information
between or among personnel having a
need for the information in connection
with their duties that arise out of the
provision of diagnosis, treatment, or
referral for treatment of patients with
substance use disorders if the
communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an
entity that has direct administrative
control over the program.
(4) Qualified service organizations.
The restrictions on disclosure in the
regulations in this part do not apply to
communications between a part 2
program and a qualified service
organization of information needed by
the qualified service organization to
provide services to the program.
(5) Crimes on part 2 program premises
or against part 2 program personnel.
The restrictions on disclosure and use
in the regulations in this part do not
apply to communications from part 2
program personnel to law enforcement
agencies or officials which:
(i) Are directly related to a patient’s
commission of a crime on the premises
of the part 2 program or against part 2
program personnel or to a threat to
commit such a crime; and
(ii) Are limited to the circumstances
of the incident, including the patient
status of the individual committing or
threatening to commit the crime, that
individual’s name and address, and that
individual’s last known whereabouts.
(6) Reports of suspected child abuse
and neglect. The restrictions on
disclosure and use in the regulations in
this part do not apply to the reporting
under state law of incidents of
suspected child abuse and neglect to the
appropriate state or local authorities.
However, the restrictions continue to
apply to the original substance use
disorder patient records maintained by
the part 2 program including their
disclosure and use for civil or criminal
proceedings which may arise out of the
report of suspected child abuse and
neglect.
(d) Applicability to recipients of
information— (1) Restriction on use of
information. The restriction on the use
of any information subject to the
regulations in this part to initiate or
substantiate any criminal charges
against a patient or to conduct any
criminal investigation of a patient
applies to any person who obtains that
information from a part 2 program,
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
regardless of the status of the person
obtaining the information or whether
the information was obtained in
accordance with the regulations in this
part. This restriction on use bars, among
other things, the introduction of that
information as evidence in a criminal
proceeding and any other use of the
information to investigate or prosecute a
patient with respect to a suspected
crime. Information obtained by
undercover agents or informants (see
§ 2.17) or through patient access (see
§ 2.23) is subject to the restriction on
use.
(2) Restrictions on disclosures—(i)
Third-party payers, administrative
entities, and others. The restrictions on
disclosure in the regulations in this part
apply to:
(A) Third-party payers with regard to
records disclosed to them by part 2
programs or under § 2.31(a)(4)(iii)(A);
(B) Entities having direct
administrative control over part 2
programs with regard to information
that is subject to the regulations in this
part communicated to them by the part
2 program under paragraph (c)(3) of this
section; and
(C) Individuals or entities who receive
patient records directly from a part 2
program or other lawful holder of
patient identifying information and who
are notified of the prohibition on redisclosure in accordance with § 2.32.
(ii) [Reserved]
(e) Explanation of applicability—(1)
Coverage. These regulations cover any
information (including information on
referral and intake) about patients
receiving diagnosis, treatment, or
referral for treatment for a substance use
disorder created by a part 2 program.
Coverage includes, but is not limited to,
those treatment or rehabilitation
programs, employee assistance
programs, programs within general
hospitals, school-based programs, and
private practitioners who hold
themselves out as providing, and
provide substance use disorder
diagnosis, treatment, or referral for
treatment. However, the regulations in
this part would not apply, for example,
to emergency room personnel who refer
a patient to the intensive care unit for
an apparent overdose, unless the
primary function of such personnel is
the provision of substance use disorder
diagnosis, treatment, or referral for
treatment and they are identified as
providing such services or the
emergency room has promoted itself to
the community as a provider of such
services.
(2) Federal assistance to program
required. If a patient’s substance use
disorder diagnosis, treatment, or referral
PO 00000
Frm 00068
Fmt 4701
Sfmt 4700
for treatment is not provided by a part
2 program, that patient’s record is not
covered by the regulations in this part.
Thus, it is possible for an individual
patient to benefit from federal support
and not be covered by the
confidentiality regulations because the
program in which the patient is enrolled
is not federally assisted as defined in
paragraph (b) of this section. For
example, if a federal court placed an
individual in a private for-profit
program and made a payment to the
program on behalf of that individual,
that patient’s record would not be
covered by the regulations in this part
unless the program itself received
federal assistance as defined by
paragraph (b) of this section.
(3) Information to which restrictions
are applicable. Whether a restriction
applies to use or disclosure affects the
type of information which may be
disclosed. The restrictions on disclosure
apply to any information which would
identify a patient as having or having
had a substance use disorder. The
restriction on use of information to
bring criminal charges against a patient
for a crime applies to any information
obtained by the part 2 program for the
purpose of diagnosis, treatment, or
referral for treatment of patients with
substance use disorders. (Note that
restrictions on use and disclosure apply
to recipients of information under
paragraph (d) of this section.)
(4) How type of diagnosis affects
coverage. These regulations cover any
record of a diagnosis identifying a
patient as having or having had a
substance use disorder which is initially
prepared by a part 2 provider in
connection with the treatment or
referral for treatment of a patient with
a substance use disorder. A diagnosis
prepared for the purpose of treatment or
referral for treatment but which is not so
used is covered by the regulations in
this part. The following are not covered
by the regulations in this part:
(i) Diagnosis which is made solely for
the purpose of providing evidence for
use by law enforcement agencies or
officials; or
(ii) A diagnosis of drug overdose or
alcohol intoxication which clearly
shows that the individual involved does
not have a substance use disorder (e.g.,
involuntary ingestion of alcohol or
drugs or reaction to a prescribed dosage
of one or more drugs).
§ 2.13 Confidentiality restrictions and
safeguards.
(a) General. The patient records
subject to the regulations in this part
may be disclosed or used only as
permitted by the regulations in this part
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
and may not otherwise be disclosed or
used in any civil, criminal,
administrative, or legislative
proceedings conducted by any federal,
state, or local authority. Any disclosure
made under the regulations in this part
must be limited to that information
which is necessary to carry out the
purpose of the disclosure.
(b) Unconditional compliance
required. The restrictions on disclosure
and use in the regulations in this part
apply whether or not the part 2 program
or other lawful holder of the patient
identifying information believes that the
person seeking the information already
has it, has other means of obtaining it,
is a law enforcement agency or official
or other government official, has
obtained a subpoena, or asserts any
other justification for a disclosure or use
which is not permitted by the
regulations in this part.
(c) Acknowledging the presence of
patients: Responding to requests. (1)
The presence of an identified patient in
a health care facility or component of a
health care facility which is publicly
identified as a place where only
substance use disorder diagnosis,
treatment, or referral for treatment is
provided may be acknowledged only if
the patient’s written consent is obtained
in accordance with subpart C of this
part or if an authorizing court order is
entered in accordance with subpart E of
this part. The regulations permit
acknowledgement of the presence of an
identified patient in a health care
facility or part of a health care facility
if the health care facility is not publicly
identified as only a substance use
disorder diagnosis, treatment, or referral
for treatment facility, and if the
acknowledgement does not reveal that
the patient has a substance use disorder.
(2) Any answer to a request for a
disclosure of patient records which is
not permissible under the regulations in
this part must be made in a way that
will not affirmatively reveal that an
identified individual has been, or is
being, diagnosed or treated for a
substance use disorder. An inquiring
party may be provided a copy of the
regulations in this part and advised that
they restrict the disclosure of substance
use disorder patient records, but may
not be told affirmatively that the
regulations restrict the disclosure of the
records of an identified patient.
(d) List of disclosures. Upon request,
patients who have consented to disclose
their patient identifying information
using a general designation pursuant to
§ 2.31(a)(4)(iii)(B)(3) must be provided a
list of entities to which their
information has been disclosed
pursuant to the general designation.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
(1) Under this paragraph (d), patient
requests:
(i) Must be made in writing; and
(ii) Are limited to disclosures made
within the past two years;
(2) Under this paragraph (d), the
entity named on the consent form that
discloses information pursuant to a
patient’s general designation (the entity
that serves as an intermediary, as
described in § 2.31(a)(4)(iii)(B)) must:
(i) Respond in 30 or fewer days of
receipt of the written request; and
(ii) Provide, for each disclosure, the
name(s) of the entity(-ies) to which the
disclosure was made, the date of the
disclosure, and a brief description of the
patient identifying information
disclosed.
(3) The part 2 program is not
responsible for compliance with this
paragraph (d); the entity that serves as
an intermediary, as described in
§ 2.31(a)(4)(iii)(B), is responsible for
compliance with the list of disclosures
requirement.
§ 2.14
Minor patients.
(a) State law not requiring parental
consent to treatment. If a minor patient
acting alone has the legal capacity under
the applicable state law to apply for and
obtain substance use disorder treatment,
any written consent for disclosure
authorized under subpart C of this part
may be given only by the minor patient.
This restriction includes, but is not
limited to, any disclosure of patient
identifying information to the parent or
guardian of a minor patient for the
purpose of obtaining financial
reimbursement. These regulations do
not prohibit a part 2 program from
refusing to provide treatment until the
minor patient consents to the disclosure
necessary to obtain reimbursement, but
refusal to provide treatment may be
prohibited under a state or local law
requiring the program to furnish the
service irrespective of ability to pay.
(b) State law requiring parental
consent to treatment. (1) Where state
law requires consent of a parent,
guardian, or other individual for a
minor to obtain treatment for a
substance use disorder, any written
consent for disclosure authorized under
subpart C of this part must be given by
both the minor and their parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf.
(2) Where state law requires parental
consent to treatment, the fact of a
minor’s application for treatment may
be communicated to the minor’s parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf only if:
PO 00000
Frm 00069
Fmt 4701
Sfmt 4700
6119
(i) The minor has given written
consent to the disclosure in accordance
with subpart C of this part; or
(ii) The minor lacks the capacity to
make a rational choice regarding such
consent as judged by the part 2 program
director under paragraph (c) of this
section.
(c) Minor applicant for services lacks
capacity for rational choice. Facts
relevant to reducing a substantial threat
to the life or physical well-being of the
minor applicant or any other individual
may be disclosed to the parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf if the part 2 program director
judges that:
(1) A minor applicant for services
lacks capacity because of extreme
youthor mental or physical condition to
make a rational decision on whether to
consent to a disclosure under subpart C
of this part to their parent, guardian, or
other individual authorized under state
law to act in the minor’s behalf; and
(2) The minor applicant’s situation
poses a substantial threat to the life or
physical well-being of the minor
applicant or any other individual which
may be reduced by communicating
relevant facts to the minor’s parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf.
§ 2.15
Incompetent and deceased patients.
(a) Incompetent patients other than
minors—(1) Adjudication of
incompetence. In the case of a patient
who has been adjudicated as lacking the
capacity, for any reason other than
insufficient age, to their own affairs, any
consent which is required under the
regulations in this part may be given by
the guardian or other individual
authorized under state law to act in the
patient’s behalf.
(2) No adjudication of incompetency.
In the case of a patient, other than a
minor or one who has been adjudicated
incompetent, that for any period suffers
from a medical condition that prevents
knowing or effective action on their own
behalf, the part 2 program director may
exercise the right of the patient to
consent to a disclosure under subpart C
of this part for the sole purpose of
obtaining payment for services from a
third-party payer.
(b) Deceased patients—(1) Vital
statistics. These regulations do not
restrict the disclosure of patient
identifying information relating to the
cause of death of a patient under laws
requiring the collection of death or other
vital statistics or permitting inquiry into
the cause of death.
E:\FR\FM\18JAR6.SGM
18JAR6
6120
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
§ 2.17
§ 2.16
mstockstill on DSK3G9T082PROD with RULES6
(2) Consent by personal
representative. Any other disclosure of
information identifying a deceased
patient as having a substance use
disorder is subject to the regulations in
this part. If a written consent to the
disclosure is required, that consent may
be given by an executor, administrator,
or other personal representative
appointed under applicable state law. If
there is no such applicable state law
appointment, the consent may be given
by the patient’s spouse or, if none, by
any responsible member of the patient’s
family.
§ 2.18 Restrictions on the use of
identification cards.
Security for records.
(a) The part 2 program or other lawful
holder of patient identifying
information must have in place formal
policies and procedures to reasonably
protect against unauthorized uses and
disclosures of patient identifying
information and to protect against
reasonably anticipated threats or
hazards to the security of patient
identifying information. These formal
policies and procedures must address:
(1) Paper records, including:
(i) Transferring and removing such
records;
(ii) Destroying such records, including
sanitizing the hard copy media
associated with the paper printouts, to
render the patient identifying
information non-retrievable;
(iii) Maintaining such records in a
secure room, locked file cabinet, safe, or
other similar container, or storage
facility when not in use;
(iv) Using and accessing workstations,
secure rooms, locked file cabinets, safes,
or other similar containers, and storage
facilities that use or store such
information; and
(v) Rendering patient identifying
information non-identifiable in a
manner that creates a very low risk of
re-identification (e.g., removing direct
identifiers).
(2) Electronic records, including:
(i) Creating, receiving, maintaining,
and transmitting such records;
(ii) Destroying such records, including
sanitizing the electronic media on
which such records are stored, to render
the patient identifying information nonretrievable;
(iii) Using and accessing electronic
records or other electronic media
containing patient identifying
information; and
(iv) Rendering the patient identifying
information non-identifiable in a
manner that creates a very low risk of
re-identification (e.g., removing direct
identifiers).
(b) [Reserved]
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
Undercover agents and informants.
(a) Restrictions on placement. Except
as specifically authorized by a court
order granted under § 2.67, no part 2
program may knowingly employ, or
enroll as a patient, any undercover agent
or informant.
(b) Restriction on use of information.
No information obtained by an
undercover agent or informant, whether
or not that undercover agent or
informant is placed in a part 2 program
pursuant to an authorizing court order,
may be used to criminally investigate or
prosecute any patient.
No person may require any patient to
carry in their immediate possession
while away from the part 2 program
premises any card or other object which
would identify the patient as having a
substance use disorder. This section
does not prohibit a person from
requiring patients to use or carry cards
or other identification objects on the
premises of a part 2 program.
§ 2.19 Disposition of records by
discontinued programs.
(a) General. If a part 2 program
discontinues operations or is taken over
or acquired by another program, it must
remove patient identifying information
from its records or destroy its records,
including sanitizing any associated hard
copy or electronic media, to render the
patient identifying information nonretrievable in a manner consistent with
the policies and procedures established
under § 2.16, unless:
(1) The patient who is the subject of
the records gives written consent
(meeting the requirements of § 2.31) to
a transfer of the records to the acquiring
program or to any other program
designated in the consent (the manner
of obtaining this consent must minimize
the likelihood of a disclosure of patient
identifying information to a third party);
or
(2) There is a legal requirement that
the records be kept for a period
specified by law which does not expire
until after the discontinuation or
acquisition of the part 2 program.
(b) Special procedure where retention
period required by law. If paragraph
(a)(2) of this section applies:
(1) Records, which are paper, must be:
(i) Sealed in envelopes or other
containers labeled as follows: ‘‘Records
of [insert name of program] required to
be maintained under [insert citation to
statute, regulation, court order or other
legal authority requiring that records be
kept] until a date not later than [insert
appropriate date]’’;
PO 00000
Frm 00070
Fmt 4701
Sfmt 4700
(A) All hard copy media from which
the paper records were produced, such
as printer and facsimile ribbons, drums,
etc., must be sanitized to render the data
non-retrievable; and
(B) [Reserved]
(ii) Held under the restrictions of the
regulations in this part by a responsible
person who must, as soon as practicable
after the end of the required retention
period specified on the label, destroy
the records and sanitize any associated
hard copy media to render the patient
identifying information non-retrievable
in a manner consistent with the
discontinued program’s or acquiring
program’s policies and procedures
established under § 2.16.
(2) Records, which are electronic,
must be:
(i) Transferred to a portable electronic
device with implemented encryption to
encrypt the data at rest so that there is
a low probability of assigning meaning
without the use of a confidential process
or key and implemented access controls
for the confidential process or key; or
(ii) Transferred, along with a backup
copy, to separate electronic media, so
that both the records and the backup
copy have implemented encryption to
encrypt the data at rest so that there is
a low probability of assigning meaning
without the use of a confidential process
or key and implemented access controls
for the confidential process or key; and
(iii) Within one year of the
discontinuation or acquisition of the
program, all electronic media on which
the patient records or patient identifying
information resided prior to being
transferred to the device specified in (i)
above or the original and backup
electronic media specified in (ii) above,
including email and other electronic
communications, must be sanitized to
render the patient identifying
information non-retrievable in a manner
consistent with the discontinued
program’s or acquiring program’s
policies and procedures established
under § 2.16; and
(iv) The portable electronic device or
the original and backup electronic
media must be:
(A) Sealed in a container along with
any equipment needed to read or access
the information, and labeled as follows:
‘‘Records of [insert name of program]
required to be maintained under [insert
citation to statute, regulation, court
order or other legal authority requiring
that records be kept] until a date not
later than [insert appropriate date];’’ and
(B) Held under the restrictions of the
regulations in this part by a responsible
person who must store the container in
a manner that will protect the
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
information (e.g., climate controlled
environment); and
(v) The responsible person must be
included on the access control list and
be provided a means for decrypting the
data. The responsible person must store
the decryption tools on a device or at a
location separate from the data they are
used to encrypt or decrypt; and
(vi) As soon as practicable after the
end of the required retention period
specified on the label, the portable
electronic device or the original and
backup electronic media must be
sanitized to render the patient
identifying information non-retrievable
consistent with the policies established
under § 2.16.
§ 2.20
Relationship to state laws.
The statute authorizing the
regulations in this part (42 U.S.C.
290dd–2) does not preempt the field of
law which they cover to the exclusion
of all state laws in that field. If a
disclosure permitted under the
regulations in this part is prohibited
under state law, neither the regulations
in this part nor the authorizing statute
may be construed to authorize any
violation of that state law. However, no
state law may either authorize or
compel any disclosure prohibited by the
regulations in this part.
mstockstill on DSK3G9T082PROD with RULES6
§ 2.21 Relationship to federal statutes
protecting research subjects against
compulsory disclosure of their identity.
(a) Research privilege description.
There may be concurrent coverage of
patient identifying information by the
regulations in this part and by
administrative action taken under
section 502(c) of the Controlled
Substances Act (21 U.S.C. 872(c) and
the implementing regulations at 21 CFR
part 1316); or section 301(d) of the
Public Health Service Act (42 U.S.C.
241(d) and the implementing
regulations at 42 CFR part 2a). These
research privilege statutes confer on the
Secretary of Health and Human Services
and on the Attorney General,
respectively, the power to authorize
researchers conducting certain types of
research to withhold from all persons
not connected with the research the
names and other identifying information
concerning individuals who are the
subjects of the research.
(b) Effect of concurrent coverage.
These regulations restrict the disclosure
and use of information about patients,
while administrative action taken under
the research privilege statutes and
implementing regulations protects a
person engaged in applicable research
from being compelled to disclose any
identifying characteristics of the
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
individuals who are the subjects of that
research. The issuance under subpart E
of this part of a court order authorizing
a disclosure of information about a
patient does not affect an exercise of
authority under these research privilege
statutes.
§ 2.22 Notice to patients of federal
confidentiality requirements.
(a) Notice required. At the time of
admission to a part 2 program or, in the
case that a patient does not have
capacity upon admission to understand
his or her medical status, as soon
thereafter as the patient attains such
capacity, each part 2 program shall:
(1) Communicate to the patient that
federal law and regulations protect the
confidentiality of substance use disorder
patient records; and
(2) Give to the patient a summary in
writing of the federal law and
regulations.
(b) Required elements of written
summary. The written summary of the
federal law and regulations must
include:
(1) A general description of the
limited circumstances under which a
part 2 program may acknowledge that
an individual is present or disclose
outside the part 2 program information
identifying a patient as having or having
had a substance use disorder;
(2) A statement that violation of the
federal law and regulations by a part 2
program is a crime and that suspected
violations may be reported to
appropriate authorities consistent with
§ 2.4, along with contact information;
(3) A statement that information
related to a patient’s commission of a
crime on the premises of the part 2
program or against personnel of the part
2 program is not protected;
(4) A statement that reports of
suspected child abuse and neglect made
under state law to appropriate state or
local authorities are not protected; and
(5) A citation to the federal law and
regulations.
(c) Program options. The part 2
program must devise a notice to comply
with the requirement to provide the
patient with a summary in writing of the
federal law and regulations. In this
written summary, the part 2 program
also may include information
concerning state law and any of the part
2 program’s policies that are not
inconsistent with state and federal law
on the subject of confidentiality of
substance use disorder patient records.
§ 2.23
use.
Patient access and restrictions on
(a) Patient access not prohibited.
These regulations do not prohibit a part
PO 00000
Frm 00071
Fmt 4701
Sfmt 4700
6121
2 program from giving a patient access
to their own records, including the
opportunity to inspect and copy any
records that the part 2 program
maintains about the patient. The part 2
program is not required to obtain a
patient’s written consent or other
authorization under the regulations in
this part in order to provide such access
to the patient.
(b) Restriction on use of information.
Information obtained by patient access
to his or her patient record is subject to
the restriction on use of this information
to initiate or substantiate any criminal
charges against the patient or to conduct
any criminal investigation of the patient
as provided for under § 2.12(d)(1).
Subpart C—Disclosures With Patient
Consent
§ 2.31
Consent requirements.
(a) Required elements for written
consent. A written consent to a
disclosure under the regulations in this
part may be paper or electronic and
must include:
(1) The name of the patient.
(2) The specific name(s) or general
designation(s) of the part 2 program(s),
entity(ies), or individual(s) permitted to
make the disclosure.
(3) How much and what kind of
information is to be disclosed, including
an explicit description of the substance
use disorder information that may be
disclosed.
(4)(i) The name(s) of the individual(s)
to whom a disclosure is to be made; or
(ii) Entities with a treating provider
relationship with the patient. If the
recipient entity has a treating provider
relationship with the patient whose
information is being disclosed, such as
a hospital, a health care clinic, or a
private practice, the name of that entity;
or
(iii) Entities without a treating
provider relationship with the patient.
(A) If the recipient entity does not
have a treating provider relationship
with the patient whose information is
being disclosed and is a third-party
payer, the name of the entity; or
(B) If the recipient entity does not
have a treating provider relationship
with the patient whose information is
being disclosed and is not covered by
paragraph (a)(4)(iii)(A) of this section,
such as an entity that facilitates the
exchange of health information or a
research institution, the name(s) of the
entity(-ies); and
(1) The name(s) of an individual
participant(s); or
(2) The name(s) of an entity
participant(s) that has a treating
provider relationship with the patient
whose information is being disclosed; or
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6122
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
(3) A general designation of an
individual or entity participant(s) or
class of participants that must be
limited to a participant(s) who has a
treating provider relationship with the
patient whose information is being
disclosed.
(i) When using a general designation,
a statement must be included on the
consent form that the patient (or other
individual authorized to sign in lieu of
the patient), confirms their
understanding that, upon their request
and consistent with this part, they must
be provided a list of entities to which
their information has been disclosed
pursuant to the general designation (see
§ 2.13(d)).
(ii) [Reserved]
(5) The purpose of the disclosure. In
accordance with § 2.13(a), the disclosure
must be limited to that information
which is necessary to carry out the
stated purpose.
(6) A statement that the consent is
subject to revocation at any time except
to the extent that the part 2 program or
other lawful holder of patient
identifying information that is permitted
to make the disclosure has already acted
in reliance on it. Acting in reliance
includes the provision of treatment
services in reliance on a valid consent
to disclose information to a third-party
payer
(7) The date, event, or condition upon
which the consent will expire if not
revoked before. This date, event, or
condition must ensure that the consent
will last no longer than reasonably
necessary to serve the purpose for
which it is provided.
(8) The signature of the patient and,
when required for a patient who is a
minor, the signature of an individual
authorized to give consent under § 2.14;
or, when required for a patient who is
incompetent or deceased, the signature
of an individual authorized to sign
under § 2.15. Electronic signatures are
permitted to the extent that they are not
prohibited by any applicable law.
(9) The date on which the consent is
signed.
(b) Expired, deficient, or false
consent. A disclosure may not be made
on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to
conform to any of the requirements set
forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through reasonable
diligence could be known, by the
individual or entity holding the records
to be materially false.
§ 2.32
Prohibition on re-disclosure.
(a) Notice to accompany disclosure.
Each disclosure made with the patient’s
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
written consent must be accompanied
by the following written statement: This
information has been disclosed to you
from records protected by federal
confidentiality rules (42 CFR part 2).
The federal rules prohibit you from
making any further disclosure of
information in this record that identifies
a patient as having or having had a
substance use disorder either directly,
by reference to publicly available
information, or through verification of
such identification by another person
unless further disclosure is expressly
permitted by the written consent of the
individual whose information is being
disclosed or as otherwise permitted by
42 CFR part 2. A general authorization
for the release of medical or other
information is NOT sufficient for this
purpose (see § 2.31). The federal rules
restrict any use of the information to
investigate or prosecute with regard to
a crime any patient with a substance use
disorder, except as provided at
§§ 2.12(c)(5) and 2.65.
(b) [Reserved]
§ 2.33 Disclosures permitted with written
consent.
If a patient consents to a disclosure of
their records under § 2.31, a program
may disclose those records in
accordance with that consent to any
person identified in the consent, except
that disclosures to central registries and
in connection with criminal justice
referrals must meet the requirements of
§§ 2.34 and 2.35, respectively.
§ 2.34 Disclosures to prevent multiple
enrollments.
(a) Restrictions on disclosure. A part
2 program, as defined in § 2.11, may
disclose patient records to a central
registry or to any withdrawal
management or maintenance treatment
program not more than 200 miles away
for the purpose of preventing the
multiple enrollment of a patient only if:
(1) The disclosure is made when:
(i) The patient is accepted for
treatment;
(ii) The type or dosage of the drug is
changed; or
(iii) The treatment is interrupted,
resumed or terminated.
(2) The disclosure is limited to:
(i) Patient identifying information;
(ii) Type and dosage of the drug; and
(iii) Relevant dates.
(3) The disclosure is made with the
patient’s written consent meeting the
requirements of § 2.31, except that:
(i) The consent must list the name and
address of each central registry and each
known withdrawal management or
maintenance treatment program to
which a disclosure will be made; and
PO 00000
Frm 00072
Fmt 4701
Sfmt 4700
(ii) The consent may authorize a
disclosure to any withdrawal
management or maintenance treatment
program established within 200 miles of
the program, but does not need to
individually name all programs.
(b) Use of information limited to
prevention of multiple enrollments. A
central registry and any withdrawal
management or maintenance treatment
program to which information is
disclosed to prevent multiple
enrollments may not re-disclose or use
patient identifying information for any
purpose other than the prevention of
multiple enrollments unless authorized
by a court order under subpart E of this
part.
(c) Permitted disclosure by a central
registry to prevent a multiple
enrollment. When a member program
asks a central registry if an identified
patient is enrolled in another member
program and the registry determines
that the patient is so enrolled, the
registry may disclose:
(1) The name, address, and telephone
number of the member program(s) in
which the patient is already enrolled to
the inquiring member program; and
(2) The name, address, and telephone
number of the inquiring member
program to the member program(s) in
which the patient is already enrolled.
The member programs may
communicate as necessary to verify that
no error has been made and to prevent
or eliminate any multiple enrollments.
(d) Permitted disclosure by a
withdrawal management or
maintenance treatment program to
prevent a multiple enrollment. A
withdrawal management or
maintenance treatment program which
has received a disclosure under this
section and has determined that the
patient is already enrolled may
communicate as necessary with the
program making the disclosure to verify
that no error has been made and to
prevent or eliminate any multiple
enrollments.
§ 2.35 Disclosures to elements of the
criminal justice system which have referred
patients.
(a) A part 2 program may disclose
information about a patient to those
individuals within the criminal justice
system who have made participation in
the part 2 program a condition of the
disposition of any criminal proceedings
against the patient or of the patient’s
parole or other release from custody if:
(1) The disclosure is made only to
those individuals within the criminal
justice system who have a need for the
information in connection with their
duty to monitor the patient’s progress
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
(e.g., a prosecuting attorney who is
withholding charges against the patient,
a court granting pretrial or post-trial
release, probation or parole officers
responsible for supervision of the
patient); and
(2) The patient has signed a written
consent meeting the requirements of
§ 2.31 (except paragraph (a)(8) which is
inconsistent with the revocation
provisions of paragraph (c) of this
section) and the requirements of
paragraphs (b) and (c) of this section.
(b) Duration of consent. The written
consent must state the period during
which it remains in effect. This period
must be reasonable, taking into account:
(1) The anticipated length of the
treatment;
(2) The type of criminal proceeding
involved, the need for the information
in connection with the final disposition
of that proceeding, and when the final
disposition will occur; and
(3) Such other factors as the part 2
program, the patient, and the
individual(s) within the criminal justice
system who will receive the disclosure
consider pertinent.
(c) Revocation of consent. The written
consent must state that it is revocable
upon the passage of a specified amount
of time or the occurrence of a specified,
ascertainable event. The time or
occurrence upon which consent
becomes revocable may be no later than
the final disposition of the conditional
release or other action in connection
with which consent was given.
(d) Restrictions on re-disclosure and
use. An individual within the criminal
justice system who receives patient
information under this section may redisclose and use it only to carry out that
individual’s official duties with regard
to the patient’s conditional release or
other action in connection with which
the consent was given.
Subpart D—Disclosures Without
Patient Consent
mstockstill on DSK3G9T082PROD with RULES6
§ 2.51
Medical emergencies.
(a) General rule. Under the procedures
required by paragraph (c) of this section,
patient identifying information may be
disclosed to medical personnel to the
extent necessary to meet a bona fide
medical emergency in which the
patient’s prior informed consent cannot
be obtained.
(b) Special rule. Patient identifying
information may be disclosed to
medical personnel of the Food and Drug
Administration (FDA) who assert a
reason to believe that the health of any
individual may be threatened by an
error in the manufacture, labeling, or
sale of a product under FDA
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
jurisdiction, and that the information
will be used for the exclusive purpose
of notifying patients or their physicians
of potential dangers.
(c) Procedures. Immediately following
disclosure, the part 2 program shall
document, in writing, the disclosure in
the patient’s records, including:
(1) The name of the medical
personnel to whom disclosure was
made and their affiliation with any
health care facility;
(2) The name of the individual
making the disclosure;
(3) The date and time of the
disclosure; and
(4) The nature of the emergency (or
error, if the report was to FDA).
§ 2.52
Research.
(a) Notwithstanding other provisions
of this part, including paragraph (b)(2)
of this section, patient identifying
information may be disclosed by the
part 2 program or other lawful holder of
part 2 data, for the purpose of
conducting scientific research if the
individual designated as director or
managing director, or individual
otherwise vested with authority to act as
chief executive officer or their designee
makes a determination that the recipient
of the patient identifying information:
(1) If a HIPAA-covered entity or
business associate, has obtained and
documented authorization from the
patient, or a waiver or alteration of
authorization, consistent with the
HIPAA Privacy Rule at 45 CFR 164.508
or 164.512(i), as applicable; or
(2) If subject to the HHS regulations
regarding the protection of human
subjects (45 CFR part 46), either
provides documentation that the
researcher is in compliance with the
requirements of the HHS regulations,
including the requirements related to
informed consent or a waiver of consent
(45 CFR 46.111 and 46.116) or that the
research qualifies for exemption under
the HHS regulations (45 CFR 46.101(b)
and any successor regulations; or
(3) If both a HIPAA covered entity or
business associate and subject to the
HHS regulations regarding the
protection of human subjects, has met
the requirements of paragraphs (a)(1)
and (2) of this section; and
(4) If neither a HIPAA covered entity
or business associate or subject to the
HHS regulations regarding the
protection of human subjects, this
section does not apply.
(b) Any individual or entity
conducting scientific research using
patient identifying information obtained
under paragraph (a) of this section:
(1) Is fully bound by the regulations
in this part and, if necessary, will resist
PO 00000
Frm 00073
Fmt 4701
Sfmt 4700
6123
in judicial proceedings any efforts to
obtain access to patient records except
as permitted by the regulations in this
part.
(2) Must not re-disclose patient
identifying information except back to
the individual or entity from whom that
patient identifying information was
obtained or as permitted under
paragraph (c) of this section.
(3) May include part 2 data in
research reports only in aggregate form
in which patient identifying information
has been rendered non-identifiable such
that the information cannot be reidentified and serve as an unauthorized
means to identify a patient, directly or
indirectly, as having or having had a
substance use disorder.
(4) Must maintain and destroy patient
identifying information in accordance
with the security policies and
procedures established under § 2.16.
(5) Must retain records in compliance
with applicable federal, state, and local
record retention laws.
(c) Data linkages—(1) Researchers.
Any individual or entity conducting
scientific research using patient
identifying information obtained under
paragraph (a) of this section that
requests linkages to data sets from a data
repository(-ies) holding patient
identifying information must:
(i) Have the request reviewed and
approved by an Institutional Review
Board (IRB) registered with the
Department of Health and Human
Services, Office for Human Research
Protections in accordance with 45 CFR
part 46 to ensure that patient privacy is
considered and the need for identifiable
data is justified. Upon request, the
researcher may be required to provide
evidence of the IRB approval of the
research project that contains the data
linkage component.
(ii) Ensure that patient identifying
information obtained under paragraph
(a) of this section is not provided to law
enforcement agencies or officials.
(2) Data repositories. For purposes of
this section, a data repository is fully
bound by the provisions of part 2 upon
receipt of the patient identifying data
and must:
(i) After providing the researcher with
the linked data, destroy or delete the
linked data from its records, including
sanitizing any associated hard copy or
electronic media, to render the patient
identifying information non-retrievable
in a manner consistent with the policies
and procedures established under § 2.16
Security for records.
(ii) Ensure that patient identifying
information obtained under paragraph
(a) of this section is not provided to law
enforcement agencies or officials.
E:\FR\FM\18JAR6.SGM
18JAR6
6124
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
(2) Except as provided in paragraph
(c) of this section, a researcher may not
redisclose patient identifying
information for data linkages purposes.
mstockstill on DSK3G9T082PROD with RULES6
§ 2.53
Audit and evaluation.
(a) Records not copied or removed. If
patient records are not downloaded,
copied or removed from the part 2
program premises or forwarded
electronically to another electronic
system or device, patient identifying
information, as defined in § 2.11, may
be disclosed in the course of a review
of records on the part 2 program
premises to any individual or entity
who agrees in writing to comply with
the limitations on re-disclosure and use
in paragraph (d) of this section and who:
(1) Performs the audit or evaluation
on behalf of:
(i) Any federal, state, or local
government agency which provides
financial assistance to the part 2
program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who
provides financial assistance to the part
2 program, which is a third-party payer
covering patients in the part 2 program,
or which is a quality improvement
organization performing a utilization or
quality control review; or
(2) Is determined by the part 2
program to be qualified to conduct an
audit or evaluation of the part 2
program.
(b) Copying, removing, downloading,
or forwarding patient records. Records
containing patient identifying
information, as defined in § 2.11, may
be copied or removed from a part 2
program premises or downloaded or
forwarded to another electronic system
or device from the part 2 program’s
electronic records by any individual or
entity who:
(1) Agrees in writing to:
(i) Maintain and destroy the patient
identifying information in a manner
consistent with the policies and
procedures established under § 2.16;
(ii) Retain records in compliance with
applicable federal, state, and local
record retention laws; and
(iii) Comply with the limitations on
disclosure and use in paragraph (d) of
this section; and
(2) Performs the audit or evaluation
on behalf of:
(i) Any federal, state, or local
government agency which provides
financial assistance to the part 2
program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who
provides financial assistance to the part
2 program, which is a third-party payer
covering patients in the part 2 program,
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
or which is a quality improvement
organization performing a utilization or
quality control review.
(c) Medicare, Medicaid, Children’s
Health Insurance Program (CHIP), or
related audit or evaluation. (1) Patient
identifying information, as defined in
§ 2.11, may be disclosed under
paragraph (c) of this section to any
individual or entity for the purpose of
conducting a Medicare, Medicaid, or
CHIP audit or evaluation, including an
audit or evaluation necessary to meet
the requirements for a Centers for
Medicare & Medicaid Services (CMS)regulated accountable care organization
(CMS-regulated ACO) or similar CMSregulated organization (including a
CMS-regulated Qualified Entity (QE)), if
the individual or entity agrees in writing
to comply with the following:
(i) Maintain and destroy the patient
identifying information in a manner
consistent with the policies and
procedures established under § 2.16;
(ii) Retain records in compliance with
applicable federal, state, and local
record retention laws; and
(iii) Comply with the limitations on
disclosure and use in paragraph (d) of
this section.
(2) A Medicare, Medicaid, or CHIP
audit or evaluation under this section
includes a civil or administrative
investigation of a part 2 program by any
federal, state, or local government
agency with oversight responsibilities
for Medicare, Medicaid, or CHIP and
includes administrative enforcement,
against the part 2 program by the
government agency, of any remedy
authorized by law to be imposed as a
result of the findings of the
investigation.
(3) An audit or evaluation necessary
to meet the requirements for a CMSregulated ACO or similar CMS-regulated
organization (including a CMS-regulated
QE) must be conducted in accordance
with the following:
(i) A CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE) must:
(A) Have in place administrative and/
or clinical systems; and
(B) Have in place a leadership and
management structure, including a
governing body and chief executive
officer with responsibility for oversight
of the organization’s management and
for ensuring compliance with and
adherence to the terms and conditions
of the Participation Agreement or
similar documentation with CMS; and
(ii) A CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE) must have a signed
Participation Agreement or similar
documentation with CMS, which
PO 00000
Frm 00074
Fmt 4701
Sfmt 4700
provides that the CMS-regulated ACO or
similar CMS-regulated organization
(including a CMS-regulated QE):
(A) Is subject to periodic evaluations
by CMS or its agents, or is required by
CMS to evaluate participants in the
CMS-regulated ACO or similar CMSregulated organization (including a
CMS-regulated QE) relative to CMSdefined or approved quality and/or cost
measures;
(B) Must designate an executive who
has the authority to legally bind the
organization to ensure compliance with
42 U.S.C. 290dd-2 and this part and the
terms and conditions of the
Participation Agreement in order to
receive patient identifying information
from CMS or its agents;
(C) Agrees to comply with all
applicable provisions of 42 U.S.C.
290dd-2 and this part;
(D) Must ensure that any audit or
evaluation involving patient identifying
information occurs in a confidential and
controlled setting approved by the
designated executive;
(E) Must ensure that any
communications or reports or other
documents resulting from an audit or
evaluation under this section do not
allow for the direct or indirect
identification (e.g., through the use of
codes) of a patient as having or having
had a substance use disorder; and
(F) Must establish policies and
procedures to protect the confidentiality
of the patient identifying information
consistent with this part, the terms and
conditions of the Participation
Agreement, and the requirements set
forth in paragraph (c)(1) of this section.
(4) Program, as defined in § 2.11,
includes an employee of, or provider of
medical services under the program
when the employee or provider is the
subject of a civil investigation or
administrative remedy, as those terms
are used in paragraph (c)(2) of this
section.
(5) If a disclosure to an individual or
entity is authorized under this section
for a Medicare, Medicaid, or CHIP audit
or evaluation, including a civil
investigation or administrative remedy,
as those terms are used in paragraph
(c)(2) of this section, then a quality
improvement organization which
obtains the information under paragraph
(a) or (b) of this section may disclose the
information to that individual or entity
but only for the purpose of conducting
a Medicare, Medicaid, or CHIP audit or
evaluation.
(6) The provisions of this paragraph
do not authorize the part 2 program, the
federal, state, or local government
agency, or any other individual or entity
to disclose or use patient identifying
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
information obtained during the audit or
evaluation for any purposes other than
those necessary to complete the audit or
evaluation as specified in paragraph (c)
of this section.
(d) Limitations on disclosure and use.
Except as provided in paragraph (c) of
this section, patient identifying
information disclosed under this section
may be disclosed only back to the
program from which it was obtained
and used only to carry out an audit or
evaluation purpose or to investigate or
prosecute criminal or other activities, as
authorized by a court order entered
under § 2.66.
Subpart E—Court Orders Authorizing
Disclosure and Use
§ 2.61
Legal effect of order.
mstockstill on DSK3G9T082PROD with RULES6
(a) Effect. An order of a court of
competent jurisdiction entered under
this subpart is a unique kind of court
order. Its only purpose is to authorize a
disclosure or use of patient information
which would otherwise be prohibited
by 42 U.S.C. 290dd–2 and the
regulations in this part. Such an order
does not compel disclosure. A subpoena
or a similar legal mandate must be
issued in order to compel disclosure.
This mandate may be entered at the
same time as and accompany an
authorizing court order entered under
the regulations in this part.
(b) Examples. (1) A person holding
records subject to the regulations in this
part receives a subpoena for those
records. The person may not disclose
the records in response to the subpoena
unless a court of competent jurisdiction
enters an authorizing order under the
regulations in this part.
(2) An authorizing court order is
entered under the regulations in this
part, but the person holding the records
does not want to make the disclosure. If
there is no subpoena or other
compulsory process or a subpoena for
the records has expired or been
quashed, that person may refuse to
make the disclosure. Upon the entry of
a valid subpoena or other compulsory
process the person holding the records
must disclose, unless there is a valid
legal defense to the process other than
the confidentiality restrictions of the
regulations in this part.
§ 2.62 Order not applicable to records
disclosed without consent to researchers,
auditors and evaluators.
A court order under the regulations in
this part may not authorize qualified
personnel, who have received patient
identifying information without consent
for the purpose of conducting research,
audit or evaluation, to disclose that
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
information or use it to conduct any
criminal investigation or prosecution of
a patient. However, a court order under
§ 2.66 may authorize disclosure and use
of records to investigate or prosecute
qualified personnel holding the records.
§ 2.63
Confidential communications.
(a) A court order under the
regulations in this part may authorize
disclosure of confidential
communications made by a patient to a
part 2 program in the course of
diagnosis, treatment, or referral for
treatment only if:
(1) The disclosure is necessary to
protect against an existing threat to life
or of serious bodily injury, including
circumstances which constitute
suspected child abuse and neglect and
verbal threats against third parties;
(2) The disclosure is necessary in
connection with investigation or
prosecution of an extremely serious
crime allegedly committed by the
patient, such as one which directly
threatens loss of life or serious bodily
injury, including homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, or child abuse and
neglect; or
(3) The disclosure is in connection
with litigation or an administrative
proceeding in which the patient offers
testimony or other evidence pertaining
to the content of the confidential
communications.
(b) [Reserved]
§ 2.64 Procedures and criteria for orders
authorizing disclosures for noncriminal
purposes.
(a) Application. An order authorizing
the disclosure of patient records for
purposes other than criminal
investigation or prosecution may be
applied for by any person having a
legally recognized interest in the
disclosure which is sought. The
application may be filed separately or as
part of a pending civil action in which
the applicant asserts that the patient
records are needed to provide evidence.
An application must use a fictitious
name, such as John Doe, to refer to any
patient and may not contain or
otherwise disclose any patient
identifying information unless the
patient is the applicant or has given
written consent (meeting the
requirements of the regulations in this
part) to disclosure or the court has
ordered the record of the proceeding
sealed from public scrutiny.
(b) Notice. The patient and the person
holding the records from whom
disclosure is sought must be provided:
(1) Adequate notice in a manner
which does not disclose patient
PO 00000
Frm 00075
Fmt 4701
Sfmt 4700
6125
identifying information to other
persons; and
(2) An opportunity to file a written
response to the application, or to appear
in person, for the limited purpose of
providing evidence on the statutory and
regulatory criteria for the issuance of the
court order as described in § 2.64(d).
(c) Review of evidence: Conduct of
hearing. Any oral argument, review of
evidence, or hearing on the application
must be held in the judge’s chambers or
in some manner which ensures that
patient identifying information is not
disclosed to anyone other than a party
to the proceeding, the patient, or the
person holding the record, unless the
patient requests an open hearing in a
manner which meets the written
consent requirements of the regulations
in this part. The proceeding may
include an examination by the judge of
the patient records referred to in the
application.
(d) Criteria for entry of order. An
order under this section may be entered
only if the court determines that good
cause exists. To make this
determination the court must find that:
(1) Other ways of obtaining the
information are not available or would
not be effective; and
(2) The public interest and need for
the disclosure outweigh the potential
injury to the patient, the physicianpatient relationship and the treatment
services.
(e) Content of order. An order
authorizing a disclosure must:
(1) Limit disclosure to those parts of
the patient’s record which are essential
to fulfill the objective of the order;
(2) Limit disclosure to those persons
whose need for information is the basis
for the order; and
(3) Include such other measures as are
necessary to limit disclosure for the
protection of the patient, the physicianpatient relationship and the treatment
services; for example, sealing from
public scrutiny the record of any
proceeding for which disclosure of a
patient’s record has been ordered.
§ 2.65 Procedures and criteria for orders
authorizing disclosure and use of records
to criminally investigate or prosecute
patients.
(a) Application. An order authorizing
the disclosure or use of patient records
to investigate or prosecute a patient in
connection with a criminal proceeding
may be applied for by the person
holding the records or by any law
enforcement or prosecutorial officials
who are responsible for conducting
investigative or prosecutorial activities
with respect to the enforcement of
criminal laws. The application may be
E:\FR\FM\18JAR6.SGM
18JAR6
mstockstill on DSK3G9T082PROD with RULES6
6126
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
filed separately, as part of an
application for a subpoena or other
compulsory process, or in a pending
criminal action. An application must
use a fictitious name such as John Doe,
to refer to any patient and may not
contain or otherwise disclose patient
identifying information unless the court
has ordered the record of the proceeding
sealed from public scrutiny.
(b) Notice and hearing. Unless an
order under § 2.66 is sought in addition
to an order under this section, the
person holding the records must be
provided:
(1) Adequate notice (in a manner
which will not disclose patient
identifying information to other
persons) of an application by a law
enforcement agency or official;
(2) An opportunity to appear and be
heard for the limited purpose of
providing evidence on the statutory and
regulatory criteria for the issuance of the
court order as described in § 2.65(d);
and
(3) An opportunity to be represented
by counsel independent of counsel for
an applicant who is a law enforcement
agency or official.
(c) Review of evidence: Conduct of
hearings. Any oral argument, review of
evidence, or hearing on the application
shall be held in the judge’s chambers or
in some other manner which ensures
that patient identifying information is
not disclosed to anyone other than a
party to the proceedings, the patient, or
the person holding the records. The
proceeding may include an examination
by the judge of the patient records
referred to in the application.
(d) Criteria. A court may authorize the
disclosure and use of patient records for
the purpose of conducting a criminal
investigation or prosecution of a patient
only if the court finds that all of the
following criteria are met:
(1) The crime involved is extremely
serious, such as one which causes or
directly threatens loss of life or serious
bodily injury including homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, and child abuse and
neglect.
(2) There is a reasonable likelihood
that the records will disclose
information of substantial value in the
investigation or prosecution.
(3) Other ways of obtaining the
information are not available or would
not be effective.
(4) The potential injury to the patient,
to the physician-patient relationship
and to the ability of the part 2 program
to provide services to other patients is
outweighed by the public interest and
the need for the disclosure.
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
(5) If the applicant is a law
enforcement agency or official, that:
(i) The person holding the records has
been afforded the opportunity to be
represented by independent counsel;
and
(ii) Any person holding the records
which is an entity within federal, state,
or local government has in fact been
represented by counsel independent of
the applicant.
(e) Content of order. Any order
authorizing a disclosure or use of
patient records under this section must:
(1) Limit disclosure and use to those
parts of the patient’s record which are
essential to fulfill the objective of the
order;
(2) Limit disclosure to those law
enforcement and prosecutorial officials
who are responsible for, or are
conducting, the investigation or
prosecution, and limit their use of the
records to investigation and prosecution
of the extremely serious crime or
suspected crime specified in the
application; and
(3) Include such other measures as are
necessary to limit disclosure and use to
the fulfillment of only that public
interest and need found by the court.
§ 2.66 Procedures and criteria for orders
authorizing disclosure and use of records
to investigate or prosecute a part 2 program
or the person holding the records.
(a) Application. (1) An order
authorizing the disclosure or use of
patient records to investigate or
prosecute a part 2 program or the person
holding the records (or employees or
agents of that part 2 program or person
holding the records) in connection with
a criminal or administrative matter may
be applied for by any administrative,
regulatory, supervisory, investigative,
law enforcement, or prosecutorial
agency having jurisdiction over the
program’s or person’s activities.
(2) The application may be filed
separately or as part of a pending civil
or criminal action against a part 2
program or the person holding the
records (or agents or employees of the
part 2 program or person holding the
records) in which the applicant asserts
that the patient records are needed to
provide material evidence. The
application must use a fictitious name,
such as John Doe, to refer to any patient
and may not contain or otherwise
disclose any patient identifying
information unless the court has
ordered the record of the proceeding
sealed from public scrutiny or the
patient has provided written consent
(meeting the requirements of § 2.31) to
that disclosure.
(b) Notice not required. An
application under this section may, in
PO 00000
Frm 00076
Fmt 4701
Sfmt 4700
the discretion of the court, be granted
without notice. Although no express
notice is required to the part 2 program,
to the person holding the records, or to
any patient whose records are to be
disclosed, upon implementation of an
order so granted any of the above
persons must be afforded an
opportunity to seek revocation or
amendment of that order, limited to the
presentation of evidence on the
statutory and regulatory criteria for the
issuance of the court order in
accordance with § 2.66(c).
(c) Requirements for order. An order
under this section must be entered in
accordance with, and comply with the
requirements of, paragraphs (d) and (e)
of § 2.64.
(d) Limitations on disclosure and use
of patient identifying information. (1)
An order entered under this section
must require the deletion of patient
identifying information from any
documents made available to the public.
(2) No information obtained under
this section may be used to conduct any
investigation or prosecution of a patient
in connection with a criminal matter, or
be used as the basis for an application
for an order under § 2.65.
§ 2.67 Orders authorizing the use of
undercover agents and informants to
investigate employees or agents of a part 2
program in connection with a criminal
matter.
(a) Application. A court order
authorizing the placement of an
undercover agent or informant in a part
2 program as an employee or patient
may be applied for by any law
enforcement or prosecutorial agency
which has reason to believe that
employees or agents of the part 2
program are engaged in criminal
misconduct.
(b) Notice. The part 2 program
director must be given adequate notice
of the application and an opportunity to
appear and be heard (for the limited
purpose of providing evidence on the
statutory and regulatory criteria for the
issuance of the court order in
accordance with § 2.67(c)), unless the
application asserts that:
(1) The part 2 program director is
involved in the suspected criminal
activities to be investigated by the
undercover agent or informant; or
(2) The part 2 program director will
intentionally or unintentionally disclose
the proposed placement of an
undercover agent or informant to the
employees or agents of the program who
are suspected of criminal activities.
(c) Criteria. An order under this
section may be entered only if the court
determines that good cause exists. To
E:\FR\FM\18JAR6.SGM
18JAR6
Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Rules and Regulations
mstockstill on DSK3G9T082PROD with RULES6
make this determination the court must
find all of the following:
(1) There is reason to believe that an
employee or agent of the part 2 program
is engaged in criminal activity;
(2) Other ways of obtaining evidence
of the suspected criminal activity are
not available or would not be effective;
and
(3) The public interest and need for
the placement of an undercover agent or
informant in the part 2 program
outweigh the potential injury to patients
of the part 2 program, physician-patient
relationships and the treatment services.
(d) Content of order. An order
authorizing the placement of an
undercover agent or informant in a part
2 program must:
VerDate Sep<11>2014
22:14 Jan 17, 2017
Jkt 241001
(1) Specifically authorize the
placement of an undercover agent or an
informant;
(2) Limit the total period of the
placement to six months;
(3) Prohibit the undercover agent or
informant from disclosing any patient
identifying information obtained from
the placement except as necessary to
investigate or prosecute employees or
agents of the part 2 program in
connection with the suspected criminal
activity; and
(4) Include any other measures which
are appropriate to limit any potential
disruption of the part 2 program by the
placement and any potential for a real
or apparent breach of patient
confidentiality; for example, sealing
from public scrutiny the record of any
PO 00000
Frm 00077
Fmt 4701
Sfmt 9990
6127
proceeding for which disclosure of a
patient’s record has been ordered.
(e) Limitation on use of information.
No information obtained by an
undercover agent or informant placed in
a part 2 program under this section may
be used to investigate or prosecute any
patient in connection with a criminal
matter or as the basis for an application
for an order under § 2.65.
Dated: December 20, 2016.
Kana Enomoto,
Acting Deputy Assistant Secretary for Mental
Health and Substance Use.
Sylvia M. Burwell,
Secretary.
[FR Doc. 2017–00719 Filed 1–13–17; 11:15 am]
BILLING CODE 4162–20–P
E:\FR\FM\18JAR6.SGM
18JAR6
]]>Agencies
[Federal Register Volume 82, Number 11 (Wednesday, January 18, 2017)]
[Rules and Regulations]
[Pages 6052-6127]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-00719]
[[Page 6051]]
Vol. 82
Wednesday,
No. 11
January 18, 2017
Part VII
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 2
Confidentiality of Substance Use Disorder Patient Records; Final Rule
��Federal Register / Vol. 82 , No. 11 / Wednesday, January 18, 2017 /
Rules and Regulations��
[[Page 6052]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
42 CFR Part 2
[SAMHSA-4162-20]
RIN 0930-AA21
Confidentiality of Substance Use Disorder Patient Records
AGENCY: Substance Abuse and Mental Health Services Administration, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS) is issuing
this final rule to update and modernize the Confidentiality of Alcohol
and Drug Abuse Patient Records regulations and facilitate information
exchange within new health care models while addressing the legitimate
privacy concerns of patients seeking treatment for a substance use
disorder. These modifications also help clarify the regulations and
reduce unnecessary burden.
DATES: Effective date: This final rule is effective February 17, 2017.
FOR FURTHER INFORMATION CONTACT: Danielle Tarino, Telephone number:
(240) 276-2857, Email address: PrivacyRegulations@samhsa.hhs.gov.
SUPPLEMENTARY INFORMATION:
Preamble Table of Contents
I. Executive Summary
A. Purpose of the Regulatory Action
B. Summary of the Major Provisions
C. Summary of Impacts
II. Background
A. Significant Technology Changes
B. Statutory and Rulemaking History
III. Overview of the Final Rule
IV. Effective Date
V. Discussion of Public Comments and Final Modifications to 42 CFR
part 2
A. General Comments on the Proposed Rule
1. General Feedback on the Proposed Rule
a. General Support for the Proposed Rule
b. General Opposition to the Proposed Rule
2. The Proposed Rule Did Not Go Far Enough To Facilitate
Information Exchange
3. Final Rule Should Balance Patient Protections With Enhanced
Information Exchange
4. Part 2 Should Align With the Health Insurance Portability and
Accountability Act
B. Statutory Authority (Sec. 2.1)
C. Reports of Violations (Sec. [thinsp]2.4)
D. Definitions (Sec. [thinsp]2.11)
1. New Definitions
a. Part 2 Program
b. Part 2 Program Director
c. Substance Use Disorder
d. Treating Provider Relationship
e. Withdrawal Management
2. Existing Definitions
a. Central Registry
b. Disclose or Disclosure
c. Maintenance Treatment
d. Member Program
e. Patient
f. Patient Identifying Information
g. Person
h. Program
i. Qualified Service Organization
j. Records
k. Treatment
3. Terminology Changes
4. Other Comments on Definitions
E. Applicability (Sec. [thinsp]2.12)
F. Confidentiality Restrictions and Safeguards (Sec.
[thinsp]2.13)
1. Delayed Implementation of List of Disclosures Provision
2. Responsibilities Under the List of Disclosures Process
3. Technological Challenges and Burden of the List of
Disclosures Provision
4. Recommendations to Further Protect Patient Privacy
5. Other Comments and Recommendations on the List of Disclosures
Provision
G. Security for Records (Sec. [thinsp]2.16)
H. Disposition of Records by Discontinued Programs (Sec.
[thinsp]2.19)
I. Notice to Patients of Federal Confidentiality Requirements
(Sec. [thinsp]2.22)
J. Consent Requirements (Sec. [thinsp]2.31)
1. General Comments on Consent Requirements
a. General
b. Consent Form Validity Period
c. Technical Challenges to Proposed Consent Requirements
d. Requests for Exemptions and Exceptions
e. Commenter Recommendations
2. To Whom
a. General
b. Determination of Treating Provider Relationship
c. Requests for Clarification
d. Commenter Recommendations
e. Proposed Alternative Approach for ``To Whom'' Section
3. Amount and Kind
a. General
b. Impact of the Amount and Kind Requirement on Providers and
Patients
c. Required Substance Use Disorder Information on Consent Forms
d. Requests for Clarification
4. From Whom
5. New Requirements
K. Prohibition on Re-Disclosure (Sec. [thinsp]2.32)
1. General
2. Impact of Re-Disclosure Prohibition on Patient Privacy and
Patient Choice
3. Disclosure of Information that May Indicate a Substance Use
Disorder
4. Technical Challenges in Preventing Unauthorized Re-Disclosure
5. Requests for Clarification of the Re-Disclosure Prohibition
6. Recommendations to Improve the Prohibition on Re-Disclosure
L. Disclosures to Prevent Multiple Enrollments (Sec.
[thinsp]2.34)
M. Medical Emergencies (Sec. [thinsp]2.51)
1. General
2. Definition of ``Bona Fide Medical Emergency''
3. Documentation of Medical Emergency
4. Other Comments on Medical Emergency
N. Research (Sec. [thinsp]2.52)
1. General
2. Suggestions for Improvement of the Research Provisions
3. HIPAA and HHS Common Rule Requirements
4. Data Linkages
5. Multi-Payer Claims Database
O. Audit and Evaluation (Sec. [thinsp]2.53)
P. Other Public Comments on the Proposed Rule
1. Requests to Extend the Public Comment Period
2. Rulemaking Process
3. Implementation Timeline and Other Barriers to Implementation
4. Educational Opportunities
5. Increased Enforcement
6. Other Miscellaneous Comments on the Proposed Rule
VI. Rulemaking Analyses
A. Paperwork Reduction Act
B. Regulatory Impact Analysis
C. Regulatory Flexibility Act
D. Unfunded Mandates Reform Act
E. Federalism (Executive Order 13132)
Acronyms
ACO Accountable Care Organization
ABAM American Board of Addiction Medicine
ADAMHA Alcohol, Drug Abuse and Mental Health Administration
APCD All Payer Claims Database
ARRA American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)
ASAM American Society of Addiction Medicine
ATR Access to Recovery
C-CDA Consolidated-Clinical Document Architecture
CCD Continuity of Care Document
CCLF Claim and Claim Line Feed
CCO Coordinated Care Organization
CFR Code of Federal Regulations
CHIP Children's Health Insurance Program
CMS Centers for Medicare & Medicaid Services
CPCMH Certified Patient-Centered Medical Home
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
EQRO External Quality Review Organization
FAQ Frequently Asked Question
FAX Facsimile
FDA Food and Drug Administration
FR Federal Register
HHS Department of Health and Human Services
HIE Health Information Exchange
HIO Health Information Organization
HIPAA Health Insurance Portability and Accountability Act of 1996
(Pub. L. 104-191)
HITECH Health Information Technology for Economic and Clinical
Health Act of 2009 (Pub. L. 111-5, title XIII of division A and
title IV of division B)
HITPC Health Information Technology Privacy Committee
IG Implementation Guide
IRB Institutional Review Board
IT Information Technology
[[Page 6053]]
MCO Managed Care Organization
MPCD Multi-Payer Claims Database
NCQA National Committee for Quality Assurance
NPRM Notice of Proposed Rulemaking
N-SSATS National Survey of Substance Abuse Treatment Services
OHRP Office for Human Research Protections
OMB Office of Management and Budget
ONC Office of the National Coordinator for Health Information
Technology
PDMP Prescription Drug Monitoring Program
PPS Performing Provider System
QE Qualified Entity
QSO Qualified Service Organization
QSOA Qualified Service Organization Agreement
RFA Regulatory Flexibility Act
RHIO Regional Health Information Organization
SAMHSA Substance Abuse and Mental Health Services Administration
SBIRT Screening, Brief Intervention, and Referrals for Treatment
S&I Standards and Interoperability
TEDS Treatment Episode Data Set
U.S.C. United States Code
USAO United States Attorney's Office
VA Department of Veterans Affairs
I. Executive Summary
A. Purpose of the Regulatory Action
The laws and regulations governing the confidentiality of substance
use disorder records were written out of great concern about the
potential use of substance use disorder information against
individuals, causing individuals with substance use disorders not to
seek needed treatment. The disclosure of records of individuals with
substance use disorders has the potential to lead to a host of negative
consequences, including: Loss of employment, loss of housing, loss of
child custody, discrimination by medical professionals and insurers,
arrest, prosecution, and incarceration. The purpose of the regulations
at title 42 of the Code of Federal Regulations (CFR) part 2 (42 CFR
part 2) is to ensure that a patient receiving treatment for a substance
use disorder in a part 2 program is not made more vulnerable by reason
of the availability of their patient record than an individual with a
substance use disorder who does not seek treatment. Now, more than 29
years since the part 2 regulations were last substantively amended,
this final rule makes policy changes to the regulations to better align
them with advances in the U.S. health care delivery system while
retaining important privacy protections.
Need for Regulatory Action
The last substantive update to these regulations was in 1987. Over
the last 29 years, significant changes have occurred within the U.S.
health care system that were not envisioned by the current (1987)
regulations, including new models of integrated care that are built on
a foundation of information sharing to support coordination of patient
care, the development of an electronic infrastructure for managing and
exchanging patient information, and a new focus on performance
measurement within the health care system. SAMHSA wants to ensure that
patients with substance use disorders have the ability to participate
in, and benefit from health system delivery improvements, including
from new integrated health care models while providing appropriate
privacy safeguards. These new integrated models are foundational to
HHS's delivery system reform goals of better care, smarter spending,
and healthier people.
Legal Authority for Regulatory Action
This final rule revises 42 CFR part 2, Confidentiality of Alcohol
and Drug Abuse Patient Records regulations. The authorizing statute,
Title 42, United States Code (U.S.C.) 290dd-2, protects the
confidentiality of the records containing the identity, diagnosis,
prognosis, or treatment of any patient that are maintained in
connection with the performance of any federally assisted program or
activity relating to substance abuse (now referred to as substance use
disorder) education, prevention, training, treatment, rehabilitation,
or research. Title 42 of the CFR part 2 was first promulgated in 1975
(40 FR 27802) and last substantively updated in 1987 (52 FR 21796).
B. Summary of the Major Provisions
Proposed modifications to 42 CFR part 2 were published as a Notice
of Proposed Rulemaking (NPRM) on February 9, 2016 (81 FR 6988). After
consideration of the public comments received in response to the NPRM,
SAMHSA is issuing this final rule amending 14 major provisions of 42
CFR part 2, as follows:
Statutory authority for confidentiality of substance use disorder
patient records (Sec. 2.1) combines old Sec. [thinsp]2.1 (Statutory
authority for confidentiality of drug abuse patient records), and Sec.
[thinsp]2.2 (Statutory authority for confidentiality of alcohol abuse
patient records) and deleting references to 42 U.S.C. 290ee-3 and 42
U.S.C. 290dd-3, as these U.S.C. sections were omitted by Public Law
102-321 and combined and renamed into Section 290dd-2, Confidentiality
of records. Because SAMHSA combined former Sec. Sec. [thinsp]2.1 and
2.2 into Sec. 2.1, we redesignated Sec. Sec. [thinsp]2.2 through 2.5
accordingly.
Reports of violations (Sec. [thinsp]2.4) revises the requirement
for reporting violations of these regulations by methadone programs
(now referred to as opioid treatment programs) to the Food and Drug
Administration (FDA) because the authority over these programs was
transferred from the FDA to the Substance Abuse and Mental Health
Services Administration (SAMHSA) in 2001.
Definitions (Sec. [thinsp]2.11) revises some existing definitions,
adds new definitions of key terms that apply to 42 CFR part 2, and
consolidates all but one of the definitions that are currently in other
sections into Sec. [thinsp]2.11 (e.g., the definition of ``Minor''
previously found in Sec. 2.14(a)). We revised the definitions of
``Central registry,'' ``Disclose or disclosure,'' ``Maintenance
treatment,'' ``Member program,'' ``Patient,'' ``Patient identifying
information,'' ``Person,'' ``Program,'' ``Qualified service
organization (QSO),'' ``Records,'' and ``Treatment.'' We also added
definitions of ``Part 2 program,'' ``Part 2 program director,''
``Substance use disorder,'' ``Treating provider relationship,'' and
``Withdrawal management,'' some of which replaced existing definitions.
In addition, SAMHSA revised the regulatory text to use terminology in a
consistent manner. The following definitions were not revised
substantively: ``Diagnosis,'' ``Informant,'' ``Minor,'' ``Third-party
payer,'' and ``Undercover agent.''
Applicability (Sec. [thinsp]2.12) continues to apply the 42 CFR
part 2 regulations to a program that is federally assisted and holds
itself out as providing, and provides, substance use disorder
diagnosis, treatment, or referral for treatment. Most changes to the
applicability of the part 2 regulations result from SAMHSA's decision
not to finalize one of its proposed changes to the definition of
``Program'' (see Sec. 2.11, Definitions). Whereas the NPRM definition
of ``Program'' included, under certain conditions, ``general medical
practices'' in addition to ``general medical facilities,'' the
definition in this final rule is limited to ``general medical
facilities.'' However, consistent with the NPRM, the definition of
``Program'' continues to use the term ``general medical facility''
rather than both ``general medical facility'' and ``general medical
care facility'' that were used interchangeably in the 1987 final rule
definition of ``Program.'' For example, an identified unit within a
general medical facility is subject to part 2 if it holds itself out as
providing, and provides, substance use disorder
[[Page 6054]]
diagnosis, treatment, or referral for treatment. In addition, if the
primary function of medical personnel or other staff in a general
medical facility is the provision of such services and they are
identified as providing such services, they are considered a
``Program'' and, thus, subject to part 2. This final rule revises Sec.
[thinsp]2.12(d)(2)(i)(C) so that restrictions on disclosures also apply
to individuals or entities who receive patient records from other
lawful holders of patient identifying information, such that patient
records subject to the part 2 regulations include substance use
disorder records maintained by part 2 programs, as well as those
records in the possession of ``other lawful holders of patient
identifying information.''
Confidentiality restrictions and safeguards (Sec. [thinsp]2.13)
adds a requirement that, upon request, patients who have included a
general designation in the ``To Whom'' section of their consent form
(see Sec. [thinsp]2.31) must be provided a list of entities (referred
to as a List of Disclosures) to which their information has been
disclosed pursuant to the general designation.
Security for records (Sec. [thinsp]2.16) clarifies that this
section requires both part 2 programs and other lawful holders of
patient identifying information to have in place formal policies and
procedures addressing security, including sanitization of associated
media, for both paper and electronic records.
Disposition of records by discontinued programs (Sec.
[thinsp]2.19) addresses both paper and electronic records. SAMHSA also
added requirements for sanitizing associated media.
In Section I., Notice to Patients of Federal Confidentiality
Requirements (Sec. [thinsp]2.22), SAMHSA clarifies that the written
summary of federal law and regulations may be provided to patients in
either paper or electronic format. SAMHSA also revised Sec. 2.22 to
require the statement regarding the reporting of violations include
contact information for the appropriate authorities.
Consent requirements (Sec. [thinsp]2.31) permits, in certain
circumstances, a patient to include a general designation in the ``To
Whom'' section of the consent form, in conjunction with requirements
that the consent form include an explicit description of the amount and
kind of substance use disorder treatment information that may be
disclosed. SAMHSA decided not to finalize its proposed changes to the
``From Whom'' section, but did make minor updates to the terminology in
the text. SAMHSA also revised Sec. 2.31 to require the part 2 program
or other lawful holder of patient identifying information to include a
statement on the consent form when using a general designation in the
``To Whom'' section of the consent form that patients have a right to
obtain, upon request, a list of entities to which their information has
been disclosed pursuant to the general designation (see Sec.
[thinsp]2.13). In addition, SAMHSA revised Sec. 2.31 to permit
electronic signatures to the extent that they are not prohibited by any
applicable law.
In Section K., Prohibition on Re-disclosure (Sec. [thinsp]2.32),
SAMHSA clarifies that the prohibition on re-disclosure only applies to
information that would identify, directly or indirectly, an individual
as having been diagnosed, treated, or referred for treatment for a
substance use disorder, such as indicated through standard medical
codes, descriptive language, or both, and allows other health-related
information shared by the part 2 program to be re-disclosed, if
permissible under other applicable laws.
Disclosures to prevent multiple enrollments (Sec. [thinsp]2.34)
modernizes the terminology and definitions and moves the definitions to
Sec. [thinsp]2.11 (Definitions).
Medical emergencies (Sec. [thinsp]2.51) revises the medical
emergency exception to make it consistent with the statutory language
and to give providers more discretion to determine when a ``bona fide
medical emergency'' exists.
Research (Sec. [thinsp]2.52) revises the research exception to
permit data protected by 42 CFR part 2 to be disclosed to qualified
personnel for the purpose of conducting scientific research by a part 2
program or any other individual or entity that is in lawful possession
of part 2 data if the researcher provides documentation of meeting
certain requirements related to other existing protections for human
research. SAMHSA also revised Sec. 2.52 to address data linkages to
enable researchers holding part 2 data to obtain linkages to other
datasets, provided that appropriate safeguards are in place as outlined
in section 2.52.
Audit and evaluation (Sec. [thinsp]2.53) modernizes the
requirements to include provisions governing both paper and electronic
patient records. SAMHSA also revised Sec. 2.53 to permit an audit or
evaluation necessary to meet the requirements of a Centers for Medicare
& Medicaid Services (CMS)-regulated accountable care organization (CMS-
regulated ACO) or similar CMS-regulated organization (including a CMS-
regulated Qualified Entity (QE)), under certain conditions.
The other sections in 42 CFR part 2 that are not referenced above
are not addressed in this final rule nor were they discussed in the
NPRM because SAMHSA is maintaining their content substantively
unchanged from the 1987 final rule.
C. Summary of Impacts
In the first year that the final rule is in effect, we estimate
that the total costs associated with updates to 42 CFR part 2 will be
roughly $70,691,000. In year two we estimate that costs will be
$17,680,000, and increase annually as a larger share of entities
implement List of Disclosures requirements and respond to disclosure
requests. Over the 10-year period of 2016-2025, the total undiscounted
cost of the part 2 changes will be about $241 million in 2016 dollars.
When future costs are discounted at 3 percent or 7 percent per year,
the total costs become approximately $217,586,000 or $193,098,000,
respectively. These costs are presented in the tables below.
Costs associated with the 42 CFR part 2 final rule, include:
updates to health IT system costs, costs for staff training and updates
to training curricula, costs to update patient consent forms, costs
associated with providing patients a list of entities to which their
information has been disclosed pursuant to a general designation on the
consent form (i.e., the List of Disclosures requirement), and
implementation costs associated with the List of Disclosures
requirements. We assumed that costs associated with modifications to
existing health IT systems, staff training costs associated with
updating staff training materials, and costs to update consent forms
will be one-time costs the first year the final rule is in effect and
will not carry forward into future years. Staff training costs other
than those associated with updating training materials are assumed to
be ongoing annual costs to part 2 programs, also beginning in the first
year that the final rule is in effect. The List of Disclosures costs
are assumed to be ongoing annual costs to entities named on a consent
form that disclose patient identifying information to their
participants under the general designation. Costs associated with the
List of Disclosures provision are limited to implementation costs for
entities that chose to upgrade their health IT systems in order to
comply with the List of Disclosures requirements. Several provisions in
the final rule reference other lawful holders of patient identifying
information in combination with part 2 programs. These other lawful
holders must comply with part 2 requirements with respect to
information they maintain that is covered by part 2 regulations.
However,
[[Page 6055]]
because this group is not clearly defined with respect to the range of
organizations it may include, we are unable to include estimates
regarding the number and type of these organizations and are only
including part 2 programs in this analysis.
The benefits of modernizing the part 2 regulations is to increase
opportunities for individuals with substance use disorders to
participate in new and emerging health and health care models and
health information technology (IT). The final rule will facilitate the
sharing of information within the health care system to support new
models of integrated health care which, among other things, improve
patient safety while maintaining or strengthening privacy protections
for individuals seeking treatment for substance use disorders.
Moreover, as patients are allowed, in certain circumstances, to include
a general designation in the ``To Whom'' section of the consent form,
we anticipate there will be more individuals with substance use
disorders participating in organizations that facilitate the exchange
of health information (e.g., health information exchanges (HIEs)) and
organizations that coordinate care (e.g., ACOs and coordinated care
organizations (CCOs)), leading to increased efficiency and quality in
the provision of health care for this population. In addition, the
revisions to the research provision (Sec. 2.52) will allow additional
scientific research to be conducted that will facilitate continual
quality improvement of part 2 programs and the important services they
offer.
II. Background
A. Significant Technology Changes
Since the promulgation of 42 CFR part 2, significant technology
changes have impacted the delivery of health care. The Office of the
National Coordinator for Health Information Technology (ONC) was
established as an office within HHS under Executive Order 13335 on
April 27, 2004. Subsequently, on February 17, 2009, the Health
Information Technology for Economic and Clinical Health Act (HITECH
Act) of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub.
L. 111-5) expanded the Department's health IT work, including the
expansion of ONC's authority and the provision of federal funds for
ONC's activities consistent with the development of a nationwide health
IT infrastructure. This work included the certification of health IT;
the authorization of CMS' Electronic Health Record (EHR) Incentive
Program, including payments to eligible providers for the adoption and
meaningful use of certified EHR technology; and numerous other federal
agencies' programs--all of which served the objective of ensuring
patient health information is secure, private, accurate, and available
where and when needed. SAMHSA's role in encouraging the use of health
IT by behavioral health (substance use disorder and mental health)
providers, included: (1) Collaborating with ONC to develop two sets of
Frequently Asked Questions (FAQs) and convening a number of stakeholder
meetings to provide guidance on the application of 42 CFR part 2 to HIE
models; (2) a one-year pilot project with five state HIEs to support
the exchange of health information among behavioral health and physical
health providers; and (3) the Data Segmentation for Privacy (DS4P)
initiative within ONC's Standards and Interoperability (S&I) Framework
facilitated:
The development of standards to improve the
interoperability of EHRs containing sensitive information that must be
protected to a greater degree than other health information due to 42
CFR part 2 and similar state laws,
six DS4P Implementation Guide (IG) use case pilot projects
including the Department of Veterans Affairs (VA)/SAMHSA Pilot that
implemented all the DS4P use cases and passed all conformance tests,
and
the development of the application branded Consent2Share,
an open-source health IT solution based on DS4P which assists in
consent management and data segmentation. Consent2Share is currently
being used by the Prince Georges County (Maryland) Health Department to
manage patient consent directives while sharing substance use disorder
information with an HIE.
Despite SAMHSA's efforts, some stakeholders continued to request
modernization of 42 CFR part 2 out of concern that part 2, as written
in the current (1987) regulation, continues to be a barrier to the
integration of substance use disorder treatment and physical health
care. As noted below, SAMHSA plans to release shortly an updated
version of Consent2Share with improved functionality and ability to
meet List of Disclosures requirements.
B. Statutory and Rulemaking History
The Confidentiality of Alcohol and Drug Abuse Patient Records
regulations, 42 CFR part 2, implement Section 543 of the Public Health
Service Act, 42 U.S.C. 290dd-2, as amended by Section 131 of the
Alcohol, Drug Abuse and Mental Health Administration Reorganization Act
(ADAMHA Reorganization Act), Public Law 102-321 (July 10, 1992). The
regulations were promulgated as a final rule on July 1, 1975 (40 FR
27802). In 1980, the Department invited public comment on 15
substantive issues arising out of its experience interpreting and
implementing the regulations (45 FR 53). More than 450 public responses
to that invitation were received and taken into consideration in the
preparation of a 1983 NPRM (48 FR 38758). Approximately 150 comments
were received in response to the NPRM and were taken into consideration
in the preparation of the final rule released on June 9, 1987 (52 FR
21798).
The Department published an NPRM again in the Federal Register (FR)
on August 18, 1994 (59 FR 42561), which proposed a clarification of the
definition of ``Program'' in the regulations. Specifically, the
Department proposed to clarify that, as to general medical care
facilities, these regulations cover only specialized individuals or
units in such facilities that hold themselves out as providing and
provide alcohol or drug abuse (now referred to as substance use
disorder) diagnosis, treatment, or referral for treatment and which are
federally assisted, directly or indirectly. On May 5, 1995, the final
rule was released (60 FR 22296).
SAMHSA posted a document in the FR on May 12, 2014, (79 FR 26929)
announcing a public Listening Session planned for June 11, 2014, to
solicit feedback on the Confidentiality of Alcohol and Drug Abuse
Patient Records regulations, 42 CFR part 2. SAMHSA accepted written
comments until June 25, 2014. The Listening Session comments are posted
on the SAMHSA Web site at https://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations.
Prompted by the need to update and modernize the Confidentiality of
Alcohol and Drug Abuse Patient Records regulations at 42 CFR part 2, on
February 9, 2016, SAMHSA published an NPRM that proposed revisions to
the part 2 regulations and requested public input on the proposed
changes during a 60-day public comment period (81 FR 6988). Although
raised in the Listening Session public comments, SAMHSA decided not to
address issues pertaining to e-prescribing and Prescription Drug
Monitoring Programs (PDMPs) in the NPRM because they were not ripe for
rulemaking at the time due to the state of technology and because the
majority of part 2 programs are not prescribing controlled substances
electronically. As noted in the NPRM, SAMHSA intends to monitor
developments in this area to
[[Page 6056]]
see whether further action may be warranted in the future. SAMHSA
received 376 public comment submissions on the part 2 NPRM. The
comments received were detailed, thoughtful, and reflective of the
complex issues addressed and balanced in the part 2 regulations. This
final rule reflects SAMHSA's thorough consideration of all substantive
issues raised in the public comments in response to its proposals in
the NPRM.
III. Overview of the Final Rule
In this final rule, the Department finalizes the modifications to
the Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR
part 2, including renaming it ``Confidentiality of Substance Use
Disorder Patient Records.'' The modifications modernize the rule by
facilitating electronic exchange of substance use disorder information
for treatment and other legitimate health care purposes while ensuring
appropriate confidentiality protections for records that might identify
an individual, directly or indirectly, as having or having had a
substance use disorder.
Overview of Public Comments
We received 376 public comments from medical health care providers;
behavioral health care providers; combined medical/behavioral health
care providers; HIEs, ACOs, CCOs, and certified patient-centered
medical homes (CPCMHs), sometimes called health homes; third-party
payers; privacy/consumer advocates; medical health care provider
associations; behavioral health care provider associations; accrediting
organizations; researchers; individuals (with no stated affiliation);
attorneys (with no stated affiliation); HIT vendors; and state/local
governments. The comments ranged from general support or opposition to
the proposed provisions to very specific questions or comments
regarding the proposed rules.
Some comments were outside the scope of or inconsistent with
SAMHSA's legal authority regarding the confidentiality of substance use
disorder patient records. Likewise, other comments did not pertain to
specific proposals made by SAMHSA in the NPRM. In some instances,
commenters raised policy or operational issues that are best addressed
through subregulatory guidance that SAMHSA will consider issuing
subsequent to this final rule. Consequently, SAMHSA did not address
these comments in this final rule.
Commenters have also provided SAMHSA with informative feedback on
how lawful holders, including third-party payers and others within the
healthcare industry, use health data or hire others to use health data
on their behalf to provide operational services such as independent
auditing, legal services, claims processing, plan pricing and other
functions that are key to the day-to-day operation of entities subject
to this rule. We have previously clarified in responses to particular
questions that contracted agents of individuals and/or entities may be
treated as the individual/entity. Questions raised by commenters during
this rulemaking have, however, highlighted varying interpretations of
the current (1987) rule's restrictions on lawful holders and their
contractors' and subcontractors' use and disclosure of part 2-covered
data for purposes of carrying out payment, health care operations, and
other health care related activities. In consideration of this feedback
and given the critical role that third-party payers, other lawful
holders, and their contractors and subcontractors play in the provision
of health care services, SAMHSA is issuing a supplemental notice of
proposed rulemaking (SNPRM) to seek further comments and information on
this matter.
IV. Effective Date
In this final rule, SAMHSA has established a single effective date
of 30 days after the publication of the final rule, or February 17,
2017. On this date, the revised 42 CFR part 2 will replace the 1987
version of part 2 in the CFR and all part 2 programs and other lawful
holders of patient identifying information must comply with all aspects
of the regulations. In the NPRM, SAMHSA proposed that, with the
exception of Sec. [thinsp]2.13(d), part 2 programs and other lawful
holders of patient identifying information would have to comply with
applicable requirements of the revised part 2 regulations beginning 30
days after the publication of the final rule. See Section V.D.3 below
for a discussion of ``other lawful holders.'' We proposed that entities
would not have to comply with the List of Disclosures requirements of
Sec. 2.13(d) until two-years after the effective date of the final
rule. As explained below, because the right to obtain, upon request, a
List of Disclosures is only available to patients who use a general
designation in the ``To Whom'' section of the consent form, entities
must only have the technical capability to provide the List of
Disclosures if they take advantage of the general designation
provision. Therefore, SAMHSA has revised the effective date from that
proposed to avoid confusion. However, signed consent forms in place
prior to the effective date of this final rule will be valid until they
expire. Nonetheless, part 2 programs may update signed consent forms
consistent with the final rule, prior to the effective date of the
final rule if they so choose. Consents obtained after the effective
date will need to comply with the final rule, regardless of whether the
consents involve patient identifying information obtained prior to or
after the effective date of this final rule.
Public Comments
One commenter urged that the final rule allow for implementation of
the research provision (Sec. 2.52) immediately or shortly after the
rule takes effect. Several commenters raised concerns about how to
interpret the two-year delayed implementation of List of Disclosures
and whether the general designation will be used during that period.
SAMHSA Response
SAMHSA acknowledges commenters' confusion regarding the proposed
two-year delayed compliance date for the List of Disclosures
requirements. After considering the public comments received on this
point, SAMHSA realized that such a two-year delayed compliance date for
the requirements of Sec. 2.13(d) is not helpful. As explained in the
``To Whom'' section of the part 2-compliant consent requirements (see
Section V.J.2 below), an entity that serves as an intermediary (e.g.,
HIE, ACO, CCO) must comply with the List of Disclosures provision in
order to disclose information pursuant to a general designation
provided on the consent form (see Sec. 2.31(a)(4)(iii)(B)(3)(i)).
Therefore, an entity that serves as an intermediary would be prohibited
from electing to disclose information pursuant to a general designation
without the ability to comply with the List of Disclosures requirement.
It would not make sense to implement a two-year delayed compliance date
for the List of Disclosures requirements at Sec. 2.13(d) because the
only reason an entity that serves as an intermediary would have to
comply with the List of Disclosures requirements would be if they
wanted to disclose information pursuant to general designations that
have been included in the ``To Whom'' section of the patient consent
form, which requires alerting patients to the fact that they have a
right to request a list of entities to which their information has been
disclosed (per Sec. 2.13(d)). Thus, an entity that serves as an
intermediary is prohibited from
[[Page 6057]]
disclosing information pursuant to a general designation without having
the capability to comply with the List of Disclosures requirements. For
these reasons, it is not advisable to include a two-year delayed
compliance date for the List of Disclosures provision. Some entities
that serve as intermediaries as described by Sec.
[thinsp]2.31(a)(4)(iii)(B) may elect never to disclose information
pursuant to a general designation and, thus, would not need to comply
with the List of Disclosures requirement. Those that choose to disclose
information pursuant to general designations must ensure the capability
to comply with the List of Disclosures requirements at Sec. 2.13(d)
before they disclose the information pursuant to a general designation.
But there is no timeframe in which they need to comply; only the
condition that if they choose to have the option of disclosing
information pursuant to a general designation on a consent form, they
must also be capable of providing a List of Disclosures upon request
per Sec. 2.13(d).
Regarding the suggestion to allow for implementation of the
Research provision Sec. 2.52 immediately after the final rule takes
effect, SAMHSA declines to make this change. For clarity regarding part
2 compliance, the 1987 part 2 final rule remains in effect until the
effective date for the 2016 part 2 regulations established in this
final rule. Because of the revised definitions that impact the research
provision, it would create unnecessary confusion to make effective
Sec. 2.52 before the rest of the final rule.
V. Discussion of Public Comments and Final Modifications to 42 CFR Part
2
In this section of the final rule, SAMHSA explains the finalized
revisions to the part 2 regulations and responds to public comments
received. If a part 2 CFR section is not addressed below, it is because
SAMHSA did not propose changes to that part 2 provision and that this
final rule maintains the existing language in that section. However,
SAMHSA notes that in addition to the revisions discussed below, SAMHSA
has made other technical, non-substantive, and nomenclature changes to
various part 2 provisions. Those changes are reflected in the
regulatory text at the end of this rule.
A. General Comments on the Proposed Rule
1. General Feedback on the Proposed Rule
a. General Support for the Proposed Rule
Public Comments
Many commenters expressed general support for the proposed rule,
with some noting that the proposed rule would preserve the
confidentiality rights of substance use disorder patients while
facilitating the sharing of health information; would ensure that
patients with a substance use disorder participate in, and benefit
from, new integrated health care models without fear of putting
themselves at risk of adverse consequences; would help reduce the
stigma associated with substance use disorder; and would provide
patients comfort in knowing they have control of their record.
Several commenters expressed general support for the NPRM's
proposed part 2 changes to enhance integrated care and information
exchange. Multiple commenters, with some stressing the need for patient
privacy protections, suggested that integrated networks of care between
medical and behavioral health services is current best practice and
will benefit patients. Two commenters implied general support. The
first of these two commenters stated that the current practice of
keeping paper substance use records separate from the EHR system
increases work required to maintain records, creates redundancies, and
could contribute to providers missing critical information needed for
treating patients. The second commenter stated that the current (1987)
part 2 regulations are out of step with the health care system's rapid
adoption of EHRs, its capacity to quickly exchange information (e.g.,
HIEs), the federal privacy and security regulations (Health Insurance
and Portability and Accountability Act [HIPAA] and HITECH) governing
these EHRs and exchanges, and the increasing treatment of patients'
substance use in health care systems not covered by existing part 2
regulations, but by HIPAA.
Another commenter expressed support for the facilitation of
electronic exchange of substance use disorder treatment information
where the confidentiality protections historically afforded patients by
part 2 are maintained.
A few commenters stated that the proposal would help patients with
substance use disorders benefit from emerging care models that require
enhanced health information exchange for better care coordination
(e.g., CPCMHs, ACOs).
SAMHSA Response
SAMHSA appreciates the support for updating the regulations. This
final rule is intended to modernize the part 2 regulations by
facilitating the electronic exchange of substance use disorder
information for treatment and other legitimate health care purposes
while ensuring appropriate confidentiality protections for records that
might identify an individual, directly or indirectly, as having or
having had a substance use disorder. Many new integrated care models
rely on interoperable health IT and these proposed changes are expected
to support the integration of substance use disorder treatment into
primary and other specialty care, improving the patient experience,
clinical outcomes, and patient safety while at the same time ensuring
patient choice, confidentiality, and privacy. Due to its targeted
population, part 2 provides more stringent federal protections than
most other health privacy laws, including HIPAA.
b. General Opposition to the Proposed Rule
Public Comments
Some commenters expressed general opposition to the proposed rule,
with some arguing that it would eliminate the right of patients to
protect and control personal health information; would introduce
complexity, not simplification; and would maintain the stigma
surrounding drug use. One commenter warned the proposed rule would
create concessions to institutional stakeholders, both providers and
researchers, who find the consent requirements inconvenient and
burdensome.
Many commenters requested that part 2 remain unchanged, with some
stating that loosening part 2 regulations would dissuade substance use
disorder patients from seeking help out of fear of how their
information could be used against them or that the proposed regulations
would not offer the intended protection.
Some commenters asserted that maintaining a separate set of
confidentiality restrictions aimed solely at substance use disorder
providers and patients perpetuates the discrimination associated with
substance use disorder and ultimately negatively impacts patients and
the care they receive, suggesting that issues of substance use disorder
information confidentiality
[[Page 6058]]
should be part of the broader general medical care confidentiality
regulations. Others argued that the fear of discrimination is a real
problem for many individuals suffering from a substance use disorder
and being able to receive treatment without worrying that personal
information will be leaked is crucial in helping these people get the
help they need so that they can return to their communities as
contributing members of society.
SAMHSA Response
SAMHSA wants to ensure that patients with substance use disorders
have the ability to participate in, and benefit from, new and emerging
health care models that promote integrated care and patient safety
while respecting the legitimate privacy concerns of patients seeking
treatment for a substance use disorder due to the potential for
discrimination, harm to their reputations and relationships, and
serious civil and criminal consequences. This approach is consistent
with the intent of the governing statute (42 U.S.C. 290dd-2) and
regulations at 42 CFR part 2, which is to protect the confidentiality
of substance use disorder patient records. SAMHSA has added more
flexibility to some of the consent provisions, including a range of
``To Whom'' consent options that includes the current (1987) ``To
Whom'' consent requirement, but still retained core part 2 protections,
including the prohibition on re-disclosure as well as requiring the
``Amount and Kind'' section of the consent form to include how much and
what kind of information is to be disclosed, including an explicit
description of the substance use disorder information that may be
disclosed. Changes to the research provision also enable patients to
benefit from advanced research protocols while still complying with
part 2 protections regarding patient confidentiality. However, with
these conflicting comments, as well all other comments, SAMHSA was
guided by the governing statute in developing the final rule, which
restricts disclosure without consent other than under a small number of
exceptions
2. The Proposed Rule Did Not Go Far Enough To Facilitate Information
Exchange
Public Comments
Several commenters suggested that the proposed part 2 revisions did
not go far enough to facilitate information exchange and data sharing.
For example, some commenters asserted that the proposed regulations
would maintain previous barriers and create additional barriers that
impede the sharing of information exchange and care coordination
necessary to effectively treat patients who seek care in a variety of
settings. A few commenters said the proposed part 2 revisions go beyond
the protections intended by the statutory requirements in 42 U.S.C.
290dd-2 and suggested that the proposed changes would continue to
decrease access to substance use disorder treatment and the achievement
of positive health outcomes.
Citing concerns about people with substance use disorders who visit
multiple health care providers to obtain medication, one commenter
advocated that substance use disorder health care records should be
accessible to all health care facilities for the sole purpose of better
treating and rehabilitating these patients.
Other commenters requested further clarification on the regulations
to ensure that coordination of care happens smoothly for all patients,
especially those at the highest need of coordination, without
unnecessary barriers. Citing a 2010 report from the President's Council
of Advisors on Science and Technology, a couple of commenters urged
SAMHSA to initiate a broad conversation among other HHS agencies to
develop a granular data specification standard that enables patients to
be in full control of all their health data, not just part 2 data.
Citing technological barriers, a commenter asserted that additional
changes to part 2 are necessary to allow for technological solutions
for sharing data. One commenter said new funding for HIEs permitted by
recent CMS guidance could be maximized by more substantial revisions to
part 2 that would encourage the inclusion of substance use disorder
providers in HIEs. Expressing uncertainty as to whether data
segmentation can be implemented effectively absent clear standards, a
commenter expressed concern the result would be a two-tier system of
how substance use disorder data are defined both by payers and by local
and state jurisdictions that has the effect of having substance use
disorder data exchanged differently depending on if the patient
received services within or beyond the veil of part 2 regulation.
Some commenters suggested that the current (1987) part 2 regulation
and the proposed revisions maintain a status quo of segregated
substance use disorder information with minimal benefits to patients,
high compliance costs, and deterrence for organizations to provide
substance use treatment. Some of these commenters said the part 2
regulations keep the substance use disorder treatment system isolated
from general health care providers and reduce access to substance use
disorder treatment being added by general health care organizations,
which, due to administrative burden and liability fears, are less
likely to add substance use disorder treatment. A few of these
commenters asserted that the part 2 regulations have unintended
consequences, including disadvantaging persons with a substance use
disorder and treatment providers because of the burdens associated with
constantly updating expiring consents. One of these commenters said
that the burdens caused by the part 2 regulations are particularly
costly because patients with substance use disorder are among the
highest cost utilizers in the health care system.
Some commenters asserted that maintaining a separate set of
confidentiality restrictions aimed solely at substance use disorder
providers and patients perpetuates the stigma associated with substance
use disorder and ultimately negatively impacts patients and the care
they receive, suggesting that issues of substance use disorder
information confidentiality should be part of the broader general
medical care confidentiality regulations.
Some commenters expressed concern that the proposed part 2
revisions did not address information exchange issues associated with
specific types of health care services delivery, including integrated
delivery systems operating with a behavioral health organization unit
or department; organizations that include affiliated entities, such as
jointly held and operated hospital-based systems and health insurance
plans; risk-based Medicaid managed care; social service programs
integrated with publicly financed health delivery systems; and combined
behavioral health service delivery.
One commenter urged SAMHSA to include the release of previous
substance use disorder treatment information from insurance companies
to part 2 programs as disclosure permitted without consent under part
2. Another commenter expressed concern that SAMHSA did not propose an
allowance under part 2 regarding appropriate disclosures by a health
plan for the coordination of a health plan member's care.
Expressing concern that the proposed part 2 revisions do not
address many of the issues on which SAMHSA has issued guidance with
respect to health information networks, a commenter asserted that such
guidance is outdated
[[Page 6059]]
and creates unintended obstacles to the desired exchange of information
on patients with substance use disorders.
SAMHSA Response
The governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR
part 2 protect the confidentiality of substance use disorder patient
records. Consistent with the governing statute, SAMHSA wants to ensure
that patients with substance use disorders have the ability to
participate in, and benefit from new and emerging health care models
which promote integrated care and patient safety while respecting the
legitimate privacy concerns of patients seeking treatment for a
substance use disorder due to the potential for discrimination, harm to
their reputations and relationships, and serious civil and criminal
consequences. Toward that end, SAMHSA held a Listening Session on June
11, 2014, to solicit feedback on the Confidentiality of Alcohol and
Drug Abuse Patient Records regulations. All the feedback received from
the Listening Session was considered and helped to inform the
development of the proposed and final rules. In addition, SAMHSA
collaborated with its federal partner experts in developing this final
rule.
Information exchange is addressed in both the applicability
provision (Sec. 2.12) and the consent requirements provision (Sec.
2.31), among other places in this final rule. SAMHSA has added more
flexibility to the ``To Whom'' section of the consent form, which will
give patients the option to release their records to past, current,
and/or future treating providers. In addition, Sec. 2.13 requires a
part 2-compliant consent form must list the date, event, or condition
upon which the consent will expire, if not revoked before. Thus, it is
not sufficient under part 2 for a consent form to merely state that
that disclosures will be permitted until the consent is revoked by the
patient. It is, however, permissible for a consent form to specify the
event or condition that will result in revocation, such as having its
expiration date be ``upon my death.'' The Applicability provision
includes: ``The restrictions on disclosure in these regulations do not
apply to communications of information between or among personnel
having a need for the information in connection with their duties that
arise out of the provision of diagnosis, treatment, or referral for
treatment of patients with substance use disorders if the
communications are within a part 2 program; or between a part 2 program
and an entity that has direct administrative control over the
program.''
With this rulemaking, SAMHSA has attempted to facilitate the
electronic exchange of substance use disorder treatment records while
ensuring patient privacy. SAMHSA acknowledges that many EHRs and HIEs
are experiencing technical barriers to segmenting or redacting
substance use disorder treatment data. As a result, SAMHSA has spent
several years supporting the continued development of the Consent2Share
application, an open-source health IT solution based on DS4P, which
assists in both consent management and data segmentation. It is
designed to integrate with existing EHR and HIE systems via the
developed standards. Consent2Share enables electronic implementation of
various sensitive health information disclosure policies by applying
the information-sharing rules needed to constrain the disclosure of
sensitive data according to patient preferences. SAMHSA, in conjunction
with ONC and other federal partners, also continues to support the
development of data standards and IGs to further reduce technical
barriers in the field.
Finally, SAMHSA has added additional information from previously
issued FAQ guidance to the preamble discussion in this final rule, such
as information about medical emergencies and ``holds itself out,'' and
plans to issue additional subregulatory guidance after publication of
the final rule.
3. Final Rule Should Balance Patient Protections With Enhanced
Information Exchange
Public Comments
Numerous commenters emphasized that the part 2 revisions must
balance patient protections with enhanced information exchange and data
sharing.
Some commenters suggested that patient confidentiality should not
be compromised by any updates to the part 2 regulations, reasoning that
the stigma associated with having or having had a substance use
disorder and the fear that this information may be used against an
individual would lead them to not seek treatment. To this end, a few of
these commenters cautioned SAMHSA to remain diligent in the oversight
of these regulations to ensure that the information is only being
conveyed to the appropriate parties with the sole intent to improve
patient care. Other commenters emphasized that sharing patient
information should be solely for necessary medical purposes. Another
commenter argued that the interest in integrating mental health care
with physical health care should not result in the erosion or
elimination of the heightened privacy protections that are essential
for effective mental health treatment.
A few commenters urged SAMHSA to ensure that the final rule
respects patient choice for privacy in the treatment of sensitive
information like substance use disorder treatment records, including
the right to control how their records are disclosed, even for health
and payment purposes. A commenter said the proposed part 2 changes have
substantially weakened the privacy protections surrounding the sharing
of a patient's substance use treatment data. One commenter stated that
before an individual's health data can be accessed, there should be a
specific, legitimate reason, and a careful review of the patient's set
of permissions. In addition to suggesting that mental health and
substance abuse records be blocked from view by any providers or staff
not directly involved in the care and treatment of a patient, a
commenter asserted that a patient has the right to have substance abuse
and/or mental health treatment records blocked from view by even their
primary care provider or nurses.
A couple of commenters asserted that it is both necessary and
technologically possible to integrate substance use disorder and other
health care information and effectively exchange substance use
treatment data while maintaining the core protections of part 2,
including consent requirements and the prohibition on re-disclosure.
Emphasizing the importance of patient confidentiality and privacy,
a few commenters asserted that sacrificing the dignity and well-being
of a person seeking help for a substance use disorder in the name of
convenience, administrative efficiency, and research is a poor way to
achieve the well-being of either the person in need or the community.
One of these commenters recommended that SAMHSA delay the part 2
changes until the technology is available to protect persons with
substance use disorder.
Another commenter encouraged a cautious, step-wise approach to
making substance use treatment records more integrated with general
medical records. This commenter expressed concern that making treatment
records more accessible to other providers would exacerbate the
stigmatization of substance use disorder, particularly among pregnant
women, which could lead to these individuals not seeking treatment for
their substance use disorder or prenatal care.
SAMHSA Response
SAMHSA reiterates its intent to ensure that patients with substance
use
[[Page 6060]]
disorders have the ability to participate in, and benefit from new and
emerging health care models which promote integrated care and patient
safety while respecting the legitimate privacy concerns of patients
seeking treatment for a substance use disorder due to the potential for
discrimination, harm to their reputations and relationships, and
serious civil and criminal consequences. This approach is consistent
with the intent of the governing statute (42 U.S.C. 290dd-2) and
regulations at 42 CFR part 2, which is to protect the confidentiality
of substance use disorder patient records.
In response to the commenters who cautioned SAMHSA to remain
diligent in the oversight of these regulations, SAMHSA has the
statutory authority to promulgate 42 CFR part 2, but the Department of
Justice retains the authority for enforcing 42 CFR part 2. Reports of
violation of these regulations may be directed to the United States
Attorney for the judicial district in which the violation occurs. The
report of any violations of these regulations by an opioid treatment
program may be directed to United States Attorney for the judicial
district in which the violation occurs as well as the SAMHSA office for
opioid treatment program oversight. SAMHSA has oversight of opioid
treatment programs through 42 CFR part 8. Related to oversight and
compliance education, SAMHSA expects to issue FAQs as it has done in
the past and develop other subregulatory guidance such as education and
outreach materials.
SAMHSA has added more flexibility to some of the consent provisions
but still retained core part 2 protections, including prohibition on
re-disclosure as well as consent options that would continue to give
patients significant control. For example, the ``To Whom'' section of
the consent form includes an option permitting a general designation
under certain circumstances. However, SAMHSA retained the option of
listing the name(s) of the individual(s) to whom a disclosure is made.
In addition, any disclosure made under these regulations must comply
with the ``Amount and Kind'' of information to be disclosed and the
purpose of the disclosure, as provided on a part 2-compliant consent
form. Furthermore, Sec. 2.13(a) limits the information to be disclosed
to that information which is necessary to carry out the purpose of the
disclosure. Moreover, a patient has the option to withhold consent to
disclosure of any of their substance use disorder information.
SAMHSA is aware that technology adoption is an ongoing process and
that many behavioral health providers have yet to adopt electronic
health records as incentive payments have been unavailable for such
purposes for these providers under the HITECH Meaningful Use Program.
In addition, paper records are still used today in some part 2 programs
and shared through facsimile (FAX). Therefore, in spite of advances in
technology, some stakeholders are concerned that part 2, as currently
written, continues to be a barrier to the integration of substance use
disorder treatment and physical health care. Rather than waiting for
the development and adoption of technology, SAMHSA decided to issue
these final regulations to ensure that patients with substance use
disorders have the ability to participate in, and benefit from new and
emerging health care models which promote integrated care and patient
safety while respecting the legitimate privacy concerns of patients
seeking treatment for a substance use disorder due to the potential for
discrimination, harm to their reputations and relationships, and
serious civil and criminal consequences. SAMHSA understands the
importance of not compromising patient protection, and has, in Sec.
2.13(d) of these final regulations, required an entity that serves as
an intermediary (upon request) to provide a List of Disclosures made
pursuant to the general designation option. Further, as discussed later
in this preamble, the general designation option may not be used until
there is technical capability to provide the required List of
Disclosures.
4. Part 2 Should Align With the Health Insurance Portability and
Accountability Act
Public Comments
Many commenters expressed that part 2 should be aligned with HIPAA.
Some commenters specifically mentioned various areas for HIPAA
alignment, including the consent form; Business Associate Agreement
standards; treatment, payment, and health care operations; patient-
requested restrictions on disclosure; de-identification standards,
medical emergencies; research; the definition of ``Patient identifying
information;'' HIPAA penalties contained in the HITECH Act; and re-
disclosure provisions. Many commenters asserted that aligning the
regulations with HIPAA would help to strike an appropriate balance
between protecting sensitive patient health information while providing
coordinated, quality care. Many commenters urged SAMHSA to align part 2
with HIPAA to broaden the allowable sharing of data for purposes of
care coordination and patient safety.
Numerous commenters urged that substance use disorder records and
treatments should be held to the same level of privacy as all other
health records. Other commenters raised the concern of equal access,
stating that individuals with substance use disorder should have the
same access to the benefits of increased care coordination as
individuals without substance use disorder.
Commenters encouraged the broader harmonization of part 2, HIPAA,
and HITECH into a single uniform set of standards applicable for all
personal health information, including substance use disorder treatment
and payment.
Some commenters asserted that HIPAA is sufficient to protect
patient privacy and part 2 is no longer necessary. Some commenters also
asserted that part 2 also predates the development of EHR and HIEs, and
there is pressing need to reconsider these rules in light of more
recent technological and legal developments. Some commenters expressed
concern that complying with both part 2 and HIPAA would lead to undue
administrative burden and management issues across the continuum of
patient care.
A commenter recommended that SAMHSA should add the same release
requirements for substance use disorder treatment as is required for
psychotherapy notes under HIPAA, which are restricted from release
without the client's consent. According to the commenter, this would
give substance use disorder patients protections with Business
Associates Agreements (instead of additional rules and forms for
Qualified Service Organization Agreements [QSOAs]), notification upon
breach requirements, and other rights already afforded persons
receiving medical and mental health care.
Several commenters said part 2 should be as consistent as possible
with HIPAA, except for the prohibition on use for investigation,
prosecution, or criminal charges.
SAMHSA Response
SAMHSA noted the many comments from a wide range of commenters that
requested that SAMHSA align part 2 provisions with HIPAA where
possible. In some instances, SAMHSA has attempted to do so in this
final rule to the extent the change was permissible under 42 U.S.C.
290dd-2. At the same time, part 2 and its governing statute are
separate and distinct from HIPAA and
[[Page 6061]]
its implementing regulations. Because of its targeted population, part
2 provides more stringent federal protections than most other health
privacy laws, including HIPAA.
In response to comments about alignment of this regulation with
HIPAA, SAMHSA has aligned the interpretation the definition of
``Patient identifying information'' with HIPAA to the extent feasible.
In addition, SAMHSA revised Security for records (Sec. 2.16) to more
closely align with HIPAA.
B. Statutory Authority (Sec. [thinsp]2.1)
SAMHSA is adopting this section as proposed. SAMHSA has combined
what was Sec. Sec. [thinsp]2.1 (Statutory authority for
confidentiality of drug abuse patient records) and 2.2 (Statutory
authority for confidentiality of alcohol abuse patient records) and
renamed the new Sec. [thinsp]2.1, Statutory authority for
confidentiality of substance use disorder patient records. We have re-
designated Sec. Sec. [thinsp]2.2 through 2.5 accordingly. In the new
Sec. 2.1, SAMHSA has deleted references to 42 U.S.C. 290ee-3 and 42
U.S.C. 290dd-3. Sections 290dd-3 and 290ee-3 were omitted by Public Law
102-321 and combined and renamed into Section 290dd-2, Confidentiality
of records. In addition, we have deleted references to laws and
regulations that have been repealed in Sec. [thinsp]2.21.
Public Comments
One commenter urged SAMHSA to assess whether existing statutory
authority is adequate to modernize part 2 regulatory requirements to
keep pace with existing laws and industry developments while also
protecting privacy, and to discuss necessary statutory changes in the
final rule. Further, the commenter recommended that SAMHSA encourage
Congress to convene public hearings to evaluate proposals for statutory
changes and delay issuing a final rule if pending legislative proposals
are enacted that change the legal landscape for substance use disorder
information and related protections.
A commenter urged SAMHSA to address the congressional action that
may be needed to effectively expand the ability to provide coordinated
services, such as including health and human services agencies' field
staff clearly into the definition of treatment terms. A few commenters
suggested that the statutory authority underlying the part 2
regulations (42 U.S.C. 290dd-2) should be revised. Another commenter
asserted that the 1992 confidentiality statute should be reformed to
afford patients greater protections against unlawful disclosure of
their substance use disorder treatment, limit the use of information
shared for non-health purposes, provide meaningful enforcement and
penalties, and more effectively prevent discrimination. Another
commenter recommended that modifications should be made to HIPAA to
incorporate special protections and limitations for substance use
information and that the part 2 regulations should be rescinded. If the
intent of the part 2 changes is to prevent inappropriate adverse
consequences from the disclosure of substance use disorder health data,
a commenter suggested that those specific adverse consequences should
be targeted with legislation reform, rather than providing a blanket
privacy allowance that hides medical information from providers.
SAMHSA Response
SAMHSA does not have the authority to repeal or revise the
governing statute for the regulations codified at 42 CFR part 2 nor any
other statute, as that power is given to Congress. The part 2
authorizing statute, 42 U.S.C. 290dd-2, gives the Secretary broad
authority to carry out the confidentiality provisions therein, but to
promulgate requirements to: (1) Carry out the purposes of the
legislation; (2) prevent its circumvention or evasion; and (3)
facilitate its compliance. These part 2 revisions were drafted to
further these three purposes while, to the extent allowable under the
legislation, permitting disclosure and use to increase access to
treatment and improve treatment services. The intent of the part 2
regulations and its governing statute (42 U.S.C. 290dd-2) is to protect
the confidentiality of substance use disorder patient records. Because
individuals seeking treatment for substance use disorders may
experience a host of negative consequences, including discrimination,
harm to their reputations and relationships, and possibly serious civil
and criminal consequences should information regarding their treatment
be improperly disclosed, there is a specific need for strong privacy
protections for substance use disorder records.
C. Reports of Violations (Sec. [thinsp]2.4)
SAMHSA is adopting this section as proposed. We have revised the
requirement of reporting violations of these regulations by a methadone
program to the FDA (Sec. [thinsp]2.5(b)). The authority over methadone
programs (now referred to as opioid treatment programs) was transferred
from the FDA to SAMHSA in 2001 (66 FR 4076). Suspected violations of 42
CFR part 2 by opioid treatment programs may be reported to the U.S.
Attorney's Office for the judicial district in which the violation
occurred, as well as the SAMHSA office responsible for opioid treatment
program oversight.
Public Comments
SAMHSA received no public comments on this section. This section of
the final rule is adopted as proposed.
D. Definitions (Sec. [thinsp]2.11)
SAMHSA has consolidated all of the definitions in 42 CFR part 2,
with the exception the definition of the term ``Federally assisted,''
into a single section at Sec. [thinsp]2.11. SAMHSA has retained the
definition of the term ``Federally assisted'' in Sec. 2.12
(Applicability) for the purpose of clarity because it is key to
understanding the applicability of the part 2 regulations. SAMHSA is
adopting these structural changes as proposed in the NPRM. Specific
definitions are discussed in the sections below. If a part 2 definition
is not addressed below, it is because SAMHSA did not propose or make
substantive changes to that definition. However, as discussed below,
SAMHSA updated the terms in those definitions, as appropriate (e.g., to
replace ``program'' with ``part 2 program,'' and when ``alcohol abuse''
and ``drug abuse'' were used collectively to replace it with
``substance use disorder''). The definitions in the regulatory text of
this final rule reflect these changes.
1. New Definitions
a. Part 2 Program
SAMHSA is adopting this definition as proposed. SAMHSA defines a
``Part 2 program'' as ``a federally assisted program (federally
assisted as defined in Sec. [thinsp]2.12(b) and program as defined in
Sec. [thinsp]2.11). See Sec. [thinsp]2.12(e)(1) for examples.'' We
have retained the examples provided in Sec. [thinsp]2.12(e)(1) of the
current (1987) regulations, with minor clarifications in Sec.
2.12(e)(1), because they explain the part 2 applicability and coverage.
SAMHSA has replaced the term ``program'' with ``part 2 program,'' where
appropriate. For example, we have revised the definition of QSO,
including replacing ``program'' with ``part 2 program,'' which is
discussed in depth below (see Section V.D.2.i., Existing Definitions).
We also replaced ``program'' with ``part 2 program'' in several other
definitions, while making no additional changes.
While a couple of commenters purported to address the proposed
definition of ``Part 2 program,'' the nature of their comments made
clear that their underlying concern was how
[[Page 6062]]
SAMHSA defined ``Program'' for purposes of part 2. For this reason,
these comments are addressed in the discussion of the definition of
``Program'' below (see Section V.D.2.h).
b. Part 2 Program Director
SAMHSA is adopting this definition as proposed, except for a non-
substantive technical edit. Because of the addition of the ``Part 2
program'' definition, we have defined a ``Part 2 program director'' as:
In the case of a part 2 program that is an individual,
that individual; and
In the case of a part 2 program that is an entity, the
individual designated as director or managing director, or individual
otherwise vested with authority to act as chief executive officer of
the part 2 program.
We have deleted the definition of ``Program Director.''
Public Comments
SAMHSA received no public comments on this definition. This section
of the final rule is adopted as proposed.
c. Substance Use Disorder
SAMHSA is adopting this definition as proposed, except to remove
the final sentence, ``Also referred to as substance abuse.'' Throughout
this rule, SAMHSA made revisions to refer to alcohol abuse and drug
abuse collectively as ``substance use disorder'' but, when referring to
the part 2 governing statute, we use ``substance abuse'' since that is
the term used in 42 U.S.C. 290dd-2. SAMHSA also uses the term
``substance abuse'' when discussing public comments and other
publications that use that term. For consistency, SAMHSA also revised
the title of 42 CFR part 2 from ``Confidentiality of Alcohol and Drug
Abuse Patient Records'' to ``Confidentiality of Substance Use Disorder
Patient Records.'' SAMHSA has replaced ``alcohol or drug abuse'' with
``substance use disorder'' in several definitions.
While SAMHSA has deleted the definitions of ``Alcohol abuse'' and
``Drug abuse,'' we continued to use the terms ``alcohol abuse'' and
``drug abuse'' when referring to 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-
3 (omitted by Pub. L. 102-321 and combined and renamed into Section
290dd-2), respectively, because they are the terms used in the
statutes.
SAMHSA is defining the term ``Substance use disorder'' in such a
manner as to cover substance use disorders that can be associated with
altered mental status that has the potential to lead to risky and/or
socially prohibited behaviors, including, but not limited to,
substances such as, alcohol, cannabis, hallucinogens, inhalants,
opioids, sedatives, hypnotics, anxiolytics, and stimulants. In
addition, the ``Substance use disorder'' definition clarifies that, for
the purposes of these regulations, the term excludes both tobacco and
caffeine.
Public Comments
Several commenters expressed support for the newly defined term
``substance use disorder'' to replace references to alcohol and drug
abuse. One commenter requested that SAMHSA clarify the scope of
substance use disorder and what constitutes substance use treatment.
Another commenter suggested that, in the definition of substance use
disorder, protected data should be directly related to an objective
measure, such as information related to specific payment or clinical
diagnosis codes submitted in connection with reimbursement for
services.
SAMHSA Response
The final rule adopts the definition of substance use disorder as
proposed, except that the parenthetical of the proposed definition is
not adopted in the final rule. Use of the term is consistent with
recognized classification manuals, current diagnostic lexicon, and
commonly used descriptive terminology. Moreover, SAMHSA declines to
define substance use disorder treatment by specific billing or
diagnostic codes in in the final rule as these codes are subject to
frequent revision.
d. Treating Provider Relationship
SAMHSA is modifying the proposed definition of ``Treating provider
relationship'' slightly to account for the situation of involuntary
commitment and other situations where a patient is diagnosed, evaluated
and/or treated, but may not have actually consented to such care, as
discussed in greater detail below. In summary, a treating provider
relationship means that, regardless of whether there has been an actual
in-person encounter:
A patient is, agrees to, or is legally required to be
diagnosed, evaluated, and/or treated, or agrees to accept consultation,
for any condition by an individual or entity, and;
The individual or entity undertakes or agrees to undertake
diagnosis, evaluation, and/or treatment of the patient, or consultation
with the patient, for any condition.
As explained in the NPRM, the term ``agrees'' as used in the
definition does not necessarily imply a formal written agreement. An
agreement might be evidenced, among other things, by making an
appointment or by a telephone consultation.
It is also important to note that, based on the definition of
treating provider relationship, SAMHSA considers an entity to have a
treating provider relationship with a patient if the entity employs or
privileges one or more individuals who have a treating provider
relationship with the patient.
Public Comments
A few commenters expressed support for the proposed definition of
``treating provider relationship.'' One commenter supported the
definition and added that this type of relationship could be a result
of any action taken to schedule, refer, or order services that are
related to health services to be provided in the future.
Other commenters provided suggestions to improve the definition,
including specifying entities involved in identifying, evaluating, and
referring for treatment any persons in need of substance use disorder
services; adding related services, including social services, and
consultation; accounting for patients who cannot agree or consent to
the relationship; and clarifying that an individual's designated
treating provider is also a treating provider for part 2 purposes, even
before the patient's first appointment. A few commenters requested that
HIEs, health plans, and organizations that provide care coordination be
added to the definition, or that comparable definitions be provided for
these entities.
A few commenters objected to the consent requirements limiting
recipients to entities with a ``treating provider relationship,'' and
suggested that the requirement be eliminated, or the term be redefined
to include entities that provide care management. A few commenters also
disagreed with the interpretation that equates making an appointment
with an agreement to diagnose or treat.
Some commenters raised a number of questions about the definition,
including whether the definition applies to each hospital in a system
or to the system as a whole; whether the definition applies to Medicaid
managed care programs with mandatory enrollment; whether a care
coordination entity can form a treating provider relationship with an
individual; and whether ancillary providers, such as laboratories,
pharmacies, therapists,
[[Page 6063]]
counselors, or mental health specialists, fall within the definition of
treating provider relationship.
SAMHSA Response
A treating provider relationship, as defined in this final rule,
begins when an individual seeks or receives health-related assistance
from an individual or entity who may provide assistance. However, the
relationship is clearly established when the individual or entity
agrees to undertake diagnosis, evaluation, and/or treatment of the
patient, or consultation with the patient, and the patient agrees to be
treated, whether or not there has been an actual in-person encounter
between the individual or entity and the patient. When a patient is not
regarded as being legally competent under the laws of their
jurisdiction, such as when a patient is subject to an involuntary
commitment (i.e., formally committed for behavioral health treatment by
a court, board, commission, or other legal authority), a treating
provider relationship may be established when a patient is, agrees to,
or is legally required to be provided consultation, diagnosis,
evaluation, and/or treatment by an individual or entity. A treating
provider relationship may be established whether or not there has been
an actual in-person encounter between the individual or entity and
patient. A treating provider relationship with a patient may be
established by any member of the health care team as long as the
relationship meets the definition of ``Treating provider
relationship.'' SAMHSA believes that further specification in this
definition is unnecessary.
e. Withdrawal Management
SAMHSA is adopting this definition as proposed. SAMHSA has removed
the definition of ``Detoxification treatment'' and replaced it with the
definition of the currently acceptable term ``Withdrawal management''
as indicated in the American Society of Addiction Medicine (ASAM)
Principles of Addiction Medicine, 5\th\ edition.\1\
---------------------------------------------------------------------------
\1\ ASAM Principles of Addiction Medicine, 5th edition, 2014,
Richard Ries et al., editor. https://www.asam.org/quality-practice/essential-textbooks/principles-of-addiction-medicine (last accessed
Aug. 1, 2016).
---------------------------------------------------------------------------
Public Comments
One commenter supported replacing the term ``Detoxification
treatment'' with the term ``Withdrawal management.''
SAMHSA Response
SAMHSA appreciates this support.
2. Existing Definitions
a. Central Registry
SAMHSA is adopting this definition as proposed. SAMHSA has updated
the definition of ``Central registry'' to incorporate currently
accepted terminology.
Public Comments
One commenter stated that the NPRM preamble described the proposed
revisions to the definition of ``central registry'' as changes to
``update terminology to make the definition clearer,'' rather than
detailing the proposed changes to the definition, so there was
insufficient information for public comment.
SAMHSA Response
Exact language for the definition of ``central registry'' was
provided in the NPRM regulation text and is being adopted as proposed.
b. Disclose or Disclosure
SAMHSA is modifying the proposed definition of ``Disclose'' to
specifically cover diagnosis, treatment, and referral for treatment for
substance use disorder, as follows: ``Disclose means to communicate any
information identifying a patient as being or having been diagnosed
with a substance use disorder, having or having had a substance use
disorder, or being or having been referred for treatment of a substance
use disorder either directly, by reference to publicly available
information, or through verification of such identification by another
person.'' We have updated terminology and made the definition clearer.
SAMHSA has defined only one word, ``Disclose,'' since it is implied
that the same definition applies to other forms of the word.
Public Comments
A commenter encouraged SAMHSA to develop guidance and promote
standards adoption for the identification of part 2 data so that the
implementation and applicability of concrete restrictions and
obligations can be applied to the disclosure of such data. Another
commenter urged coordination between the definitions of ``disclosure''
of a substance use disorder and a current or former ``patient,''
because someone may have a past substance use disorder but may not have
been a former patient. A commenter stated that the NPRM preamble
described the proposed revisions to the definition of ``disclosure'' as
changes to ``update terminology and make the definition clearer,''
rather than detailing the proposed changes to the definition, so there
was insufficient information for public comment.SAMHSA Response
With regard to developing subregulatory guidance and promoting
standards adoption, SAMHSA is an organizational member of Health Level
7 (HL7) and is working to ensure that health IT standards support the
needs of behavioral health treatment patients and providers. SAMHSA has
supported the creation of several HL7 standards, including the
Composite Privacy Consent Directive Domain Analysis Model to capture
the requirement of states and federal agencies. Those requirements were
reflected in the IG for Clinical Document Architecture Release 2 (CDA
R2) to provide a standard-based electronic representation of a consent
to support the management of consent directives and policies.
In response to comments urging coordination between the definition
of ``disclosure'' and a current or former patient, SAMHSA has expanded
the definition of ``disclose'' to include any information identifying a
patient as ``being or having been diagnosed with a substance use
disorder, having or having had a substance use disorder, or being or
having been referred for treatment of a substance use disorder.'' Exact
language for the definition of ``disclosure'' was provided in the NPRM
regulatory text and is being adopted as proposed. We note that to the
extent an individual may have had a past substance use disorder
diagnosis, but never sought or received diagnosis, treatment, or
referral for substance use disorder treatment, the definition of
patient would not cover such individual and the part 2 regulations
would not apply to that individual's health information unless and
until the individual is a patient as defined in these regulations.
c. Maintenance Treatment
SAMHSA is modifying this definition from what was proposed by
replacing the term ``pharmacotherapy'' with the phrase ``long-term
pharmacotherapy'' for purposes of clarity to read as follows:
``Maintenance treatment means long-term pharmacotherapy for individuals
with substance use disorders that reduces the pathological pursuit of
reward and/or relief and supports remission of substance use disorder-
related symptoms.'' As compared to the 1987 final rule definition of
``Maintenance treatment,'' SAMHSA updated terminology in the definition
and moved it from Sec. 2.34 to Sec. 2.11.
[[Page 6064]]
Public Comments
A commenter stated that the NPRM preamble described the proposed
revisions to the definition of ``maintenance treatment'' as changes to
``update terminology and make the definition clearer,'' rather than
detailing the proposed changes to the definition, so there was
insufficient information for public comment.
SAMHSA Response
Exact language for the proposed definition of ``maintenance
treatment'' was provided in the NPRM regulation text at 81 FR 7014.
d. Member Program
In response to comments received, SAMHSA has revised the definition
of ``Member program,'' by replacing a reference to a specific
geographic distance, so it reads as follows: ``Member program means a
withdrawal management or maintenance treatment program which reports
patient identifying information to a central registry and which is in
the same state as that central registry or is in a state that
participates in data sharing with the central registry of the program
in question.''
Public Comments
A commenter asserted that the 125-mile distance to a state border
limitation contained within the definition of ``member program'' does
not adequately recognize the geographic realities of states with
significant rural and frontier areas, and the commenter strongly
suggested that it be eliminated.
SAMHSA Response
In response to the comment, SAMHSA has removed the distance from
the definition to address the concerns about rural areas and replaced
it with ``is in a state that participates in data sharing with the
central registry of the program in question.'' We removed the distance
requirement from the definition of ``Member program'' to reflect that
in some states (e.g., with rural areas) the distance from the border of
the state in which the central registry is located may exceed 125
miles.
e. Patient
SAMHSA is adopting this definition as proposed. To emphasize that
the term ``Patient'' refers to both current and former patients, SAMHSA
has revised the definition as follows: ``Patient means any individual
who has applied for or been given diagnosis, treatment, or referral for
treatment for a substance use disorder at a part 2 program. Patient
includes any individual who, after arrest on a criminal charge, is
identified as an individual with a substance use disorder in order to
determine that individual's eligibility to participate in a part 2
program. This definition includes both current and former patients.''
Public Comments
One comment opposed the inclusion of former patients in the
definition because retrospective outcome studies would be difficult to
conduct because many patients relocate or their contact information
becomes otherwise unobtainable for purposes of obtaining consent to
disclose and use patient identifying information. One commenter opposed
including in the definition individuals who ``applied for'' but did not
receive a diagnosis and also asked who makes the identification of an
individual with a substance use disorder. Another commenter suggested
that the definition should include individuals participating in
prevention programs and recovery support programs. A commenter asked
whether the definition includes an individual who has been
involuntarily committed to a program for treatment and suggested that
the final rule clarify that such an individual is considered a patient
and entitled to part 2's protections.
SAMHSA Response
Regarding the opposition to including former patients in the
definition of ``Patient'' because retrospective outcome studies would
be difficult to conduct, this concern appears to be based on a
misunderstanding that a consent requires a specific expiration date. A
part 2-compliant consent form must list the date, event, or condition
upon which the consent will expire, if not revoked before. Therefore,
it would be permissible for a consent form to specify the event or
condition that will result in revocation, such as having its expiration
date be ``upon my death.'' Consequently, it is possible for researchers
to obtain consents that would permit retrospective outcome studies.
Regarding the inclusion of ``applied for'' in the definition of
``Patient,'' this definition has not changed from that included in the
1987 final rule except to replace ``alcohol and drug abuse'' with
``substance use disorder.'' SAMHSA declines to make the recommended
change since no other concerns regarding the inclusion of ``applied
for'' have been received in over 29 years. Patients who are
involuntarily committed to participating in or receiving substance use
disorder services from a part 2 program are covered by the definition.
SAMHSA declines to accept the suggestion that the definition should be
expanded to cover patients in prevention programs as such programs are
not covered by the definition of a part 2 program.
f. Patient Identifying Information
SAMHSA is modifying the definition as proposed to: (1) Clarify that
SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule at
45 CFR 164.514(b)(2)(i) that are not already included in the definition
of patient identifying information to meet the ``or similar
information'' standard; (2) delete the word ``publicly'' from the
phrase ``can be determined with reasonable accuracy either directly or
by reference to other publicly available information''; and (3) to
revise the last sentence as follows: for internal use only by the part
2 program, if that number does not consist of, or contain numbers (such
as a social security, or driver's license number) that could be used to
identify a patient with reasonable accuracy from sources external to
the part 2 program.''
SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule
at 45 CFR 164.514(b)(2)(i) that are not already included in the
definition of ``Patient identifying information'' to meet the following
clause: ``or similar information.'' Those HIPAA Privacy Rule
identifiers are:
(1) Name;
(2) All geographic subdivisions smaller than a [s]tate, including
street address, city, county, precinct, zip code, and their equivalent
geocodes, except for the initial three digits of a zip code if,
according to the current publicly available data from the Bureau of the
Census:
(i) The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000 people; and
(ii) The initial three digits of a zip code for all such geographic
units containing 20,000 or fewer people is changed to 000;
(3) All elements of dates (except year) for dates directly related
to an individual, including birth date, admission date, discharge date,
date of death; and all ages over 89 and all elements of dates
(including year) indicative of such age, except that such ages and
elements may be aggregated into a single category of age 90 or older;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan beneficiary numbers;
[[Page 6065]]
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license
plate numbers;
(13) Device identifiers and serial numbers;
(14) Web Universal Resource Locators (URLs);
(15) Internet Protocol (IP) address numbers;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable image; or
(18) Any other unique identifying number, characteristic, or code.
Public Comments
A few commenters urged that the definition of ``Patient identifying
information'' be aligned with the ``protected health information,''
including the patient identifiers, under HIPAA. One commenter
recommended that telephone numbers and email addresses should be
mentioned because they are accessible by electronic means. Another
commenter suggested that SAMHSA delete the reference to publicly
available information; use a phrase such as, ``information with respect
to which there is a reasonable basis to believe that the information
can be used to identify the individual''; and mention other identifiers
assigned to an individual, including credit card numbers, driver's
license numbers, and automobile license numbers.
SAMHSA Response
The HIPAA Privacy Rule, at 45 CFR 164.514(b)(2)(i), enumerates 18
identifiers that make health information individually identifiable.
SAMHSA considers any of these identifiers to be patient identifying
information either because SAMHSA has explicitly listed the identifier
in the definition of patient identifying information in 42 CFR part 2
or because SAMHSA considers the identifier to be `similar information'
(See Sec. 2.11 Definitions). Also as suggested, SAMHSA has deleted the
word ``publicly'' from the phrase ``can be determined with reasonable
accuracy either directly or by reference to other publicly available
information;''
g. Person
SAMHSA is adopting this definition as proposed. SAMHSA has revised
the definition of ``Person'' to clearly indicate that ``Person'' is
also referred to as individual or entity.
Public Comments
A commenter urged SAMHSA to recognize an ``Affiliated Covered
Entity'' under HIPAA as an ``entity'' in the definition of ``Person.''
Another commenter asked that the definition specify that it includes
limited liability companies. A commenter suggested removing the
redundant parenthetical at the end of the proposed definition.
SAMHSA Response
SAMHSA has determined that no change is needed in response to the
comments; the definition covers any legal entity. SAMHSA declines to
delete the clarifying parenthetical at the end of the definition since
the terms ``individual'' and ``entity'' are more intuitive than the
term ``person,'' as defined in these regulations.
h. Program
SAMHSA decided not to finalize its proposed changes to the
definition of ``Program,'' but did make minor updates to the
terminology in the text. We are, however, finalizing certain other
minor changes to the proposed definition to update terminology so that
it is consistent with current best practice.
First, SAMHSA moved the reference to examples from the definition
of ``Program'' to the definition of ``Part 2 program.''
Second, we retain the language changes from drug and/or alcohol
abuse to substance use disorder.
Finally, as stated in the NPRM, SAMHSA clarifies that paragraph (1)
of the definition of ``Program'' would not apply to ``general medical
facilities''. However, paragraphs (2) and (3) of the definition of
``Program'' would apply to ``general medical facilities.''
Public Comments
A few commenters expressed support for the revised definition of
``Program.''
However, many commenters generally opposed the proposed revision to
the definition of ``Program.'' The reasons primarily related to
interpretations that SAMHSA did not intend to imply. Many commenters
asked that SAMHSA not call out general medical practices as a separate
category of provider excluded from paragraph one but included in
paragraphs two and three of the definition of program.
Some commenters requested clarification in various areas, including
the meaning and examples of ``holds itself out;'' determining ``primary
function;'' treatment of behavioral health clinics and community mental
health centers; roles of general medical or dental practices that
engage in screening, brief intervention, and referrals for treatment
(SBIRT) activities, and co-located substance abuse/mental health
counselors; whether covered part 2 facilities provide some, primarily
provide, or only provide substance use disorder diagnosis, treatment,
and referral to treatment; physicians who prescribe buprenorphine
products and pharmacies that fill those prescriptions; a general
psychiatric unit that also provides substance use disorder treatment;
and offering patients integrated behavioral health care in a primary
care setting.
Some commenters suggested limiting programs to those that meet a
minimum standard, are specifically licensed, credentialed, or
accredited, such as state licensure. Several commenters asked that
SAMHSA provide an exception for pharmacists and pharmacies or dentists.
Lastly, a commenter said the rule should include rehabilitation centers
as medical facilities.
SAMHSA Response
Based on the number and type of comments received regarding
including general medical practices in the Program definition, SAMHSA
has decided not to finalize the general medical practices language in
the final rule. The number and type of comments led SAMHSA to believe
separating out general medical practices from general medical
facilities was more confusing than clarifying. Most commenters
indicated a belief that SAMHSA was expanding the definition of program
to include individuals and entities that had not previously been
covered. As we've previously noted in our publicly available FAQ
guidance, a practice comprised of primary care providers could be
considered a ``general medical facility and be subject to 42 CFR part 2
if they are both ``federally assisted'' and meet the definition of a
program under 42 CFR 2.11. Nevertheless, consistent with the definition
of a ``program'':
1. If a provider is not a general medical care facility, then
the provider meets the part 2 definition of a ``Program'' if it is
an individual or entity who holds itself out as providing, and
provides substance use disorder diagnosis, treatment, or referral
for treatment.
2. If the provider is an identified unit within a general
medical facility, it is a ``Program'' if it holds itself out as
providing, and provides, substance use disorder diagnosis,
treatment, or referral for treatment.
3. If the provider consists of medical personnel or other staff
in a general medical facility, it is a ``Program'' if its primary
function is the provision of substance use disorder diagnosis,
treatment, or referral for treatment and is identified as such
specialized medical personnel or other staff by the general medical
facility.
SAMHSA's FAQ guidance further addresses the issue of what
constitutes a general medical facility. This FAQ
[[Page 6066]]
guidance clarifies that, while the term ``general medical care
facility'' is not defined in the definitions section of 42 CFR 2.11,
hospitals, trauma centers, or federally qualified health centers would
generally be considered ``general medical care'' facilities. Therefore,
primary care providers who work in such facilities would only meet part
2's definition of a program if (1) they work in an identified unit
within such general medical facility that holds itself out as
providing, and provides, substance use disorder diagnosis, treatment or
referral for treatment, or (2) the primary function of the provider is
substance use disorder diagnosis, treatment or referral for treatment
and they are identified as providers of such services. In addition, a
practice comprised of primary care providers could be considered a
``general medical facility.'' As such, only an identified unit within
that general medical care facility which holds itself out as providing
and provides substance use disorder diagnosis, treatment or referral
for treatment would be considered a ``program'' under the definition in
the part 2 regulations. Medical personnel or staff within that facility
whose primary function is the provision of those services and who are
identified as such providers would also qualify as a ``program'' under
the definition in the part 2 regulations. Other units or practitioners
within that general medical care facility would not meet the definition
of a part 2 program unless such units or practitioners also hold
themselves out as providing and provide substance use disorder
diagnosis, treatment or referral for treatment.
SAMHSA also clarifies that the program definition does not
categorically exclude buprenorphine providers. However, holding a
waiver to prescribe buprenorphine or holding a waiver and prescribing
buprenorphine as part of primary care practice also does not lead to
categorical inclusion of providers in the definition of a part 2
program; such determinations are fact-specific. Also, a health care
provider that does not otherwise meet the definition of a part 2
program would not become a program simply because they provided
screening, brief intervention, and/or referral to treatment within the
context of general health care. SBIRT is discussed in further detail
under Section V.E (Applicability) below.
Regarding comments on the meaning of ``primary function,'' SAMHSA
did not propose a definition of ``primary function'' because it has not
historically received many, if any, questions on its meaning.
Consistent with previously published FAQ guidance, we reiterate
that ``Holds itself out'' means any activity that would lead one to
reasonably conclude that the individual or entity provides substance
use disorder diagnosis, treatment, or referral for treatment, including
but not limited to:
Authorization by the state or federal government (e.g.
licensed, certified, registered) to provide, and provides, such
services,
Advertisements, notices, or statements relative to such
services, or
Consultation activities relative to such services.
i. Qualified Service Organization
SAMHSA is adopting the definition of ``Qualified Service
Organization'' as proposed. SAMHSA has revised the definition of QSO to
include population health management in the list of examples of
services a QSO may provide. SAMHSA also revised the term ``medical
services'' as listed in the examples of permissible services offered by
a QSO to clarify that it is limited to ``medical staffing services.''
SAMHSA made this revision to emphasize that QSOAs should not be used to
avoid obtaining patient consent.
Public Comments
A large number of commenters supported the proposed QSO definition,
particularly the addition of ``population health management.'' Many
commenters requested a clarification or a narrow definition of
``population health management.''
SAMHSA Response
SAMHSA provided guidance in the NPRM preamble regarding what
constitutes population health management services. Specifically,
population health management refers to increasing desired health
outcomes and conditions through monitoring and identifying individual
patients within a group. To achieve the best outcomes, providers must
supply proactive, preventive, and chronic care to all of their
patients, both during and between encounters with the health care
system. For patients with substance use disorders, who often have
comorbid conditions, proactive, preventive, and chronic care is
important to achieving desired outcomes. Any QSOA executed between a
part 2 program and an organization providing population health
management services would be limited to the office(s) or unit(s)
responsible for population health management in the organization (e.g.,
the ACO, CCO, CPCMH, or managed care organization [MCO]), not the
entire organization and not its participants (e.g., case managers,
physicians, addiction counselors, hospitals, and clinics). However, the
presence of a QSOA does not preclude disclosures of patient identifying
information to other individuals within these organizations based on a
valid part 2-compliant consent.
Public Comments
Some commenters requested clarification about the definition, such
as whether an HIE could be considered a QSO; whether the definition,
which includes ``an individual,'' can include members of the covered
entity's workforce; and whether public health management staff can
share part 2 information with case managers.
A few commenters expressed opposition to the proposed definition of
QSO, asserting that patient consent should be obtained before making a
disclosure of substance use disorder information to multiple entities.
Another commenter warned that under the definition, it would be
difficult to track which part 2 patients may or may not be within a
population health program at any given time.
SAMHSA Response
The NPRM as well as the current (1987) definition of QSO uses the
term person. Person is defined in the current (1987) regulations as:
``Person means an individual, partnership, corporation, federal, state
or local government agency, or any other legal entity.'' The NPRM
definition proposed a parenthetical: ``(also referred to as individual
or entity).'' Because both the 1987 regulations and the NPRM definition
of person includes both individuals and entities, the definition of the
term QSO has always included both individual and entities, the
definition of the term QSO has always included individuals, as well as
entities.
Whether the QSO definition applies to members of an entity's
workforce and case managers depends on whether they meet the definition
of QSO as defined in Sec. 2.11 because such determinations are fact-
specific. An individual or entity who does not meet the definition of a
QSO may, however, meet the definition of ``Treating provider
relationship'' for the purposes of obtaining consent. Likewise, care
coordination was not added to the list of examples of permissible
services offered by a QSO because care coordination has a patient
treatment component.
Under the part 2 governing statute, patient records pertaining to
the patient's substance use disorder may be shared only with the prior
written
[[Page 6067]]
consent of the patient or as permitted under the part 2 statute,
regulations, or guidance. However, the regulations may contain such
definitions, and may provide for such safeguards and procedures,
including procedures and criteria for the issuance and scope of orders,
as in the judgment of the Secretary are necessary or proper to
effectuate the purposes of this statute, to prevent circumvention or
evasion thereof, or to facilitate compliance therewith.
Regarding the concern about disclosing to multiple entities under a
QSOA, as noted above, any QSOA executed between a part 2 program and an
organization providing population health management services would be
limited to the office(s) or unit(s)/entity(ies) responsible for
population health management for the organization (e.g., the ACO, CCO,
CPCMH, or MCO), not the entire organization and not its participants
(e.g., case managers, physicians, addiction counselors, hospitals, and
clinics).
Public Comments
Commenters provided various suggestions to improve the definition.
Several commenters said the definition should be expanded to permit a
multi-party agreement for multi-directional sharing of information.
Commenters said the description of the provision should address
overlapping requirements of HIPAA and part 2 with respect to
contractual agreements and services such as data processing and
billing. A commenter said facilitating entities should be able to enter
into QSO agreements with participating providers to perform quality
improvement activities. Another commenter said the QSO exception to
restrictions on disclosure should apply to third-party payers and other
holders of part 2 information, and the definition should include other
functions to support improved care delivery.
SAMHSA Response
Part 2 and its implementing statute are much more restrictive than
HIPAA. Because 42 CFR part 2 and its governing statute are separate and
distinct from HIPAA, the part 2 regulations use different terminology
than used in HIPAA. However, SAMHSA aligned policy with HIPAA where
possible.
Because a QSOA is a two-way agreement between a part 2 program and
the entity providing the part 2 program and an individual or entity
providing a service to a part 2 program, agreements between more than
those two parties (e.g. multi-party agreements) are prohibited. A QSOA
cannot be used to avoid obtaining patient consent in the treatment
context.
As stated previously in this preamble, SAMHSA is issuing an SNPRM
to seek further comments and information on the disclosure to and use
of part 2 information by the contractors and subcontractors of third-
party payers and other lawful holders for purposes of payment, health
care operations, and other health care related activities before
establishing any appropriate restrictions on disclosures to them.
Public Comments
Commenters generally expressed opposition to the change of
``medical services'' to ``medical staffing services'' in the
definition. A commenter expressed opposition to the interpretation that
the QSO agreement executed between a part 2 program and an organization
that provided population health management services would be limited to
a specific office(s) or unit(s) within the organization that is/are
tasked with carrying out such services.
SAMHSA Response
SAMHSA has revised the term ``medical services'' as listed in the
examples of permissible services offered by a QSO to clarify that it is
limited to ``medical staffing services.'' SAMHSA proposed to make this
revision to emphasize that QSOAs should not be used to avoid obtaining
patient consent. Accordingly, a QSOA could be used by a part 2 program
to contract with a provider of on-call coverage services (previously
clarified in FAQ guidance) or other medical staffing services but could
not be used to disclose John Doe's patient identifying information to
his primary care doctor for the purpose of treatment (other than that
provided under a QSOA for medical staffing services). However, an
individual or entity who is prohibited from providing treatment to an
individual patient under a QSOA may still meet the requirements of
having a treating provider relationship (as that term is defined in
Sec. 2.11) with respect to the consent requirements in Sec. 2.31.
With respect to the comment regarding an organization providing
population health management services, a QSOA is a two-way agreement
between a part 2 program and the entity providing the service. We
reiterate that disclosures by a QSO pursuant to a QSOA executed between
a part 2 program and an organization that provides population health
management services would be limited to a specific office(s) or
unit(s)/entity(ies) that is/are tasked with carrying out such services
for the organization. SAMHSA believes this is a needed safeguard to
limit disclosures to that which is reasonably necessary to carry out
services under the QSOA.
Public Comments
Many commenters expressed opposition to the exclusion of ``care
coordination'' from the QSO definition or requested clarification for
the meaning of ``care coordination.'' Some commenters specifically
requested adding care coordination to the list of services a QSO may
provide, reasoning that it would facilitate integrated substance use
disorder, health, and mental health services. The commenters asserted
that the addition would benefit patients' health, safety, and quality
of life while maintaining confidentiality protections.
SAMHSA Response
In the NPRM, SAMHSA clarified that an individual or entity is
prohibited from providing treatment to an individual patient under a
QSOA. SAMHSA has revised the term ``medical services'' as listed in the
examples of permissible services offered by a QSO to clarify that it is
limited to ``medical staffing services.'' SAMHSA proposed to make this
revision to emphasize that QSOAs should not be used to avoid obtaining
patient consent. Accordingly, a QSOA could be used by a part 2 program
to contract with a provider of on-call coverage services (previously
clarified in FAQ guidance) or other medical staffing services, but
could not be used to disclose John Doe's patient identifying
information to his primary care doctor for the purpose of treatment
(other than that provided under a QSOA for medical staffing services).
For this reason, care coordination and medication management, both of
which have a treatment component, were not added to the list of
examples of permissible services offered by a QSO. However, an
individual or entity who is prohibited from providing treatment to an
individual patient under a QSOA may still meet the requirements of
having a treating provider relationship (as that term is defined in
Sec. 2.11) with respect to the consent requirements in Sec. 2.31.
Regarding the request to clarify the meaning of ``care
coordination'' and how it differs from ``population health
management,'' because SAMHSA decided not to include care coordination
in the examples of permissible services under the definition of a QSO,
we did not define the term ``care coordination'' in the NPRM and,
therefore, decline to do so
[[Page 6068]]
in this final rule. Population health management refers to increasing
desired health outcomes and conditions through monitoring and
identifying patients within a group.
j. Records
SAMHSA has revised the proposed definition. As suggested by
commenters, SAMHSA has modified the definition of ``Records'' by adding
``created by'' and a parenthetical with examples to read as follows:
``Records means any information, whether recorded or not, created by,
received, or acquired by a part 2 program relating to a patient (e.g.,
diagnosis, treatment and referral for treatment information, billing
information, emails, voice mails, and texts). For the purpose of these
regulations, records include both paper and electronic records.''
SAMHSA revised the definition of ``Records'' to include any
information, whether recorded or not, which includes verbal
communications, created, received or acquired by a part 2 program
relating to a patient. The revised definition makes clear that, for the
purpose of the part 2 regulations, records include both paper and
electronic records.
Public Comments
A commenter remarked that the proposed definition of ``records''
does not address ``identifiability,'' asserting that information that
is not individually identifiable, that is not reasonably capable of
being re-identified, or that is aggregate may not need to be covered by
the definition of record. Regarding the phrase ``whether recorded or
not'' in the proposed definition, a couple of commenters requested
guidance on what constitutes ``unrecorded information.''
SAMHSA Response
SAMHSA clarifies that unrecorded information includes verbal
communications and is still considered part of the record. To add
further clarity to the definition, SAMHSA has revised the definition of
``Records'' from the proposed language by adding examples (e.g.,
diagnosis, treatment and referral for treatment information, billing
information, emails, voice mails, and texts). SAMHSA also added the
phrase ``created by'' to clarify that ``records'' includes information
received, acquired, or created by a part 2 program relating to a
patient. Regarding ``identifiability,'' identification is addressed in
the term ``Patient identifying information,'' not in the definition of
``Record.'' The definition of records is just that and does not address
information that may be disclosed.
k. Treatment
SAMHSA is adopting the proposed definition of ``Treatment.'' SAMHSA
has deleted the term ``management'' from the ``Treatment'' definition.
Public Comments
A few commenters opposed the proposed removal of the term
``management'' from the definition of ``treatment'' because the
narrower definition would decrease information sharing and have a
chilling effect on care coordination. A couple of commenters urged that
``treatment'' should be limited to care of the substance use disorder
and not be extended to include care of other medical conditions
secondary to or that arose because of the substance use disorder. One
commenter suggested that ``care'' should be defined as it is used in
the definition of ``treatment.''
SAMHSA Response
SAMHSA removed the term ``management'' from the definition of
``Treatment'' because in today's health care environment,
``management'' has a much broader meaning than it did when the
regulations were last revised. Treatment is not limited to care of the
substance use disorder because patients with a substance use disorder
often have comorbid conditions.
3. Terminology Changes
SAMHSA is adopting the changes proposed in this section, as
described in the NPRM. In addition to changes to several definitions,
SAMHSA is also implementing several terminology changes intended to
ensure consistency in the use of terms throughout the regulations and
to increase the understandability of the rule. First, we made revisions
to consistently refer to law enforcement as ``law enforcement agencies
or officials.'' Secondly, SAMHSA revised the part 2 regulations to use
the term ``entity'' instead of ``organization'' wherever possible.
Thirdly, SAMHSA clarifies that, for the purposes of this regulation,
the term ``written'' includes both paper and electronic documentation.
Fourthly, we use the phrase ``part 2 program or other lawful holder of
patient identifying information'' to refer to a part 2 program or other
individual or entity that is in lawful possession of patient
identifying information. A ``lawful holder'' of patient identifying
information is an individual or entity who has received such
information as the result of a part 2-compliant patient consent (with a
prohibition on re-disclosure notice) or as a result of one of the
exceptions to the consent requirements in the statute or implementing
regulations and, therefore, is bound by 42 CFR part 2.
Public Comments
One commenter requested clarification about what entities are
considered ``lawful holders'' of patient identifying information in the
context of complex health care systems. For example, would the parent
company of a health care system, each specific hospital, or each entity
affiliated with the health care system be considered a ``lawful
holder''?
Another commenter urged that the term ``other lawful holder''
should be clearly defined in the final rule.
SAMHSA Response
A ``lawful holder'' of patient identifying information is an
individual or entity who has received such information as the result of
a part 2-compliant patient consent (with a prohibition on re-disclosure
notice) or as permitted under the part 2 statute, regulations, or
guidance and, therefore, is bound by 42 CFR part 2. SAMHSA cannot
determine what entities are ``lawful holders'' because such
determinations are fact-specific. In addition, SAMHSA determined that
it was not feasible to define all lawful holders of information so has
not included a definition in the rule. As explained in the NPRM,
examples of ``lawful holders'' include a patient's treating provider, a
hospital emergency room, an insurance company, an individual or entity
performing an audit or evaluation, or an individual or entity conducing
scientific research. This list provided in the NPRM was intended only
as an illustrative example of who could be a lawful holder.
4. Other Comments on Definitions
Public Comments
Many commenters expressed general support for the proposed
clarification of definitions. Some commenters sought new definitions
for terms including HIE; recipient; population health management and
care coordination; population health; re-disclosure; law enforcement
agency or official; repository; and scientific research.
Several commenters addressed the ``alternative approach'' discussed
in the NPRM for allowing disclosure to treating providers by requesting
the addition of a definition for ``organization'' to Sec. 2.11.
Commenters generally supported a clear definition of ``organization''
to allow for the exchange of part 2 information. One commenter,
however, opposed relying upon a definition rather than specifying the
process for consent in the rule itself.
[[Page 6069]]
SAMHSA Response
SAMHSA did not propose definitions for the terms suggested and has
decided not to pursue the ``alternative approach'' since that approach
as written received no support and only 2 commenters supported the
``alternative approach with suggested revisions.'' Based on comments
received, the agency has addressed disclosures to treating providers
within this rule's consent requirements.
E. Applicability (Sec. 2.12)
SAMHSA is adopting this section as proposed. In addition to the
revisions to the definition of ``Program'' and the addition of a
definition for ``Part 2 program'' mentioned above, SAMHSA has revised
Sec. ;2.12(d)(2)(i)(C) so that restrictions on disclosures also apply
to individuals or entities who receive patient records from other
lawful holders of patient identifying information (see Sec. 2.11,
Terminology Changes). Patient records subject to these regulations
include patient records maintained by part 2 programs, as well as those
records in the possession of ``other lawful holders of patient
identifying information.'' SAMHSA may issue additional subregulatory
guidance addressing the applicability section, as deemed necessary,
after publication of the final rule.
Public Comments
A few commenters supported the proposed applicability provisions.
Some commenters cited relevant preamble language but remained uncertain
about who qualifies as a part 2 provider. Several commenters requested
greater clarification in identifying part 2 coverage, including whether
the provisions apply to various models of integrated behavioral health
and primary care; mixed-use facilities that provide primary care and
behavioral health services or mental health and substance use
treatment; certified community behavioral health centers that do not
necessarily ``primarily'' furnish substance abuse services but rather
provide a comprehensive approach to care; embedded behavioral health
information within an acute care record; a medical facility providing
several distinct books of business, of which only one receives federal
assistance; pharmacies; dentists; Drug Addiction Treatment Act (DATA
2000)-waived physicians; employee assistance programs that may include
substance use assessment and counseling; a provider who bills Medicaid
and Medicare but is not otherwise a ``federally assisted program;'' and
confidential information related to safety and incident reporting. A
commenter requested clarification about the definition of ``direct
administrative control'' in the proposed provision related to
exceptions for communications within a part 2 program. A commenter
urged consideration for reporting by programs to a public health
registry and suggested advantages of such a requirement.
Some commenters requested applicability exemptions. Some commenters
requested exclusions for employee assistance programs; Medicaid
overutilization control programs; and plans with integrated care
delivery models. Some commenters requested exemptions to consent for
communications between a QSO and a part 2 program or third-party payer
(e.g., Medicaid) and between a part 2 program. One commenter requested
clarification that consent and disclosure requirements would not apply
when the patient directs electronic disclosure for a consumer health
application. A commenter requested clarification that services are only
covered under part 2 if the personnel are identified as providing
substance use disorder treatment outside the organization to the
general public. Commenters favored an exception for reporting of child
abuse and elder abuse. A few commenters mentioned certain concerns
related to the proposed rule. A commenter argued that the proposed rule
would do little to simplify requirements for providers, and this may
result in providers not documenting substance use disorder-related
information in medical records. Other commenters opposed the lack of
protections in the proposal and warned that the rule would impose
constraints and burdens on providing a patient's behavioral health data
and impede information sharing. A commenter stated that general health
care organizations that hire an employee with substance use disorder
expertise would be considered a covered entity, so they may be
discouraged from integrating substance use disorder services into their
operation. Similarly, hospital emergency departments may be discouraged
from hiring staff with specialized experience in substance use
disorders. One commenter expressed concern that the rule may extend
protection not just to records for substance use disorder treatment,
but also to medical conditions and medications that allow an inference
that the patient has a substance use disorder. One commenter argued
that any substance use record should be protected from unauthorized
disclosure for criminal justice investigations. Expressing support for
the continued protection of substance use disorder records from
disclosure and use in criminal investigations except under certain
conditions, a commenter said that while HIPAA and other laws also
provide similar protections, part 2 has more stringent due process and
court order provisions.
One commenter argued that the proposed rule exceeds the underlying
statutory requirements in 42 U.S.C. 290dd-2 by expanding protections of
substance use information and establishing penalties. Another commenter
mentioned that the HITECH revisions to HIPAA already require general
medical facilities to utilize enhanced security measures to protect the
confidentiality and privacy of patient's health records.
A few commenters advocated that the safeguards applied to protected
health information (as defined under HIPAA) for all other health
conditions could apply for substance use disorder-related information.
One commenter urged a focus on the actual information that requires
protection, as opposed to the origin of the treatment records.
Similarly, another commenter expressed disappointment that SAMHSA
rejected the option to redefine the applicability of part 2 based on
the type of substance use disorder treatment services, rather than the
type of provider.
Several commenters suggested exceptions to the applicability of
part 2 regulations. One commenter said SAMHSA should create a due
diligence exception to allow a part 2 program's records to be reviewed
in the event of a proposed sale of the part 2 facility. Another
commenter said SAMHSA should include an exception to allow disclosure
of part 2 records in connection with the seeking of a grant or much
needed funding for substance abuse patients. A commenter said SAMHSA
should create a payment exception that would allow part 2 programs to
submit information to governmental or commercial payers without the
patient's prior authorization.
Other commenters stated that exceptions should be added for the
purpose of seeking involuntary commitment of an individual who poses a
likelihood of serious harm to self or others by reason of a substance
use disorder, in accordance with applicable provisions of state law and
subject to appropriate terms regarding the continued confidentiality of
such data. Another commenter stated that the rule
[[Page 6070]]
should specifically permit continued data collection of substance use
disorder by state agencies. Another commenter stated that an exception
limited disclosures to law enforcement and other appropriate parties in
the event a committed patient escapes from a treatment facility, and to
other part 2 programs and appropriate state agencies as necessary for
purposes of discharge planning or transferring a patient without
consent.
SAMHSA Response
With respect to the comments recommending aligning with HIPAA,
SAMHSA has attempted to do so in this final rule to the extent the
change was permissible under 42 U.S.C. 290dd-2. At the same time, part
2 and its governing statute are separate and distinct from HIPAA and
its implementing regulations. Because of its targeted population, part
2 provides more stringent federal protections than most other health
privacy laws, including HIPAA.
As stated in the preamble discussion of the applicability (Sec.
2.12) in the NPRM, SAMHSA considered options for defining what
information is covered by part 2, including defining covered
information based on the type of substance use disorder treatment
services provided instead of the type of facility providing the
services. SAMHSA however, rejected that approach because more substance
use disorder treatment services are occurring in general health care
and integrated care settings, which typically are not covered under the
current (1987) regulations. Providers who in the past offered only
general or specialized health care services (other than substance use
disorder services) now, on occasion, provide substance use disorder
treatment services, but only as incident to the provision of general
health.
The definitions of ``Part 2 program'' and ``Program'' are critical
to applicability. These terms are defined in Sec. 2.11. The response
to comments on the definition of program in this final rule further
clarifies coverage. Holding a waiver to prescribe buprenorphine or
holding a waiver and prescribing buprenorphine as part of primary care
practice does not lead to categorical inclusion of providers in the
definition of a part 2 program; such determinations are fact-specific.
The same concept applies whenever determining applicability.
With respect to comments on part 2 coverage, although the statute
may not be explicit with regard to certain provisions in 42 CFR part 2,
the statute directs the Secretary to prescribe regulations to carry out
the purpose of the statute, which may include definitions and may
provide for such safeguards and procedures that in the judgment of the
Secretary are necessary or proper to effectuate the purposes of this
section, to prevent circumvention or evasion thereof, or to facilitate
compliance therewith. For various models of integrated behavioral
health, SAMHSA strives to facilitate information exchange within new
health care models while addressing the legitimate privacy concerns of
patients seeking treatment for a substance use disorder. These concerns
include, but are not limited to, the potential for loss of employment,
loss of housing, loss of child custody, discrimination by medical
professionals and insurers, arrest, prosecution, and incarceration.
The response to comments on the definition of program in this final
rule further clarifies coverage.
SBIRT is a cluster of activities designed to identify people who
engage in risky substance use or who might meet the criteria for a
formal substance use disorder. Clinical findings indicate that the
overwhelming majority of individuals screened in a general medical
setting do not have a substance use disorder and do not need substance
use disorder treatment. A health care provider that does not otherwise
meet the definition of a part 2 program would not become a part 2
program simply because they provide SBIRT within the context of general
health care.
For behavioral health facilities, SAMSHA notes that federally
qualified health centers, community mental health centers, and
behavioral health clinics meeting the definition of a part 2 program
must comply with 42 CFR part 2 and those that do not meet the
definition of part 2 program do not have to comply with 42 CFR part 2
unless they become a lawful holder of patient identifying information
because they received patient identifying information via consent
(along with a notice of prohibition on re-disclosure) or as permitted
under the part 2 statute, regulations, or guidance. Rather than offer
definitions or outline an exhaustive list of entities that could meet
the definition of a part 2 program, we prefer to offer illustrative
examples in the explanation of applicability provision of these
regulations (see Sec. 2.12(e)(1)). SAMHSA has not received questions
in the past concerning the definition of general medical facility.
Regarding the question of part 2 applicability when a patient
directs electronic disclosure for a consumer health application, the
NPRM preamble discussion of lawful holder in the Terminology Changes
section stated: ``A patient who has obtained a copy of their records or
a family member who has received such information from a patient would
not be considered a `lawful holder' of patient identifying information
in this context.'' Information disclosed by a part 2 program or a
lawful holder of patient identifying information is covered by 42 CFR
part 2 and requires patient consent unless disclosure is otherwise
permitted under the part 2 statute or regulations. Therefore, it is
permissible for a patient to disclose information to a personal health
record or similar consumer health application but if a part 2 program
or lawful holder of patient identifying information discloses that
information to the personal health record or other similar consumer
application on behalf of the patient, consent would be required.
Regarding patient records and Medicaid overutilization control
programs, the prohibition on re-disclosure (Sec. 2.32) applies to
information that would identify, directly or indirectly, an individual
as having been diagnosed, treated, or referred for treatment for a
substance use disorder, such as indicated through standard medical
codes, descriptive language, or both, and allows other health-related
information shared by the part 2 program to be re-disclosed, if not
prohibited by any other applicable laws. Under the current statutory
authority, patient records pertaining to substance use disorder may be
shared only with the prior written consent of the patient or as
permitted under the part 2 statute and implementing regulations. In
addition, the authorizing statute specifically enumerates the areas of
non-applicability, which includes the reporting under state law of
incidents of suspected child abuse and neglect to appropriate state and
local authorities. Therefore, SAMHSA did not adopt this requested
change. Regarding elder abuse, if a program determines it is important
to report elder abuse, disabled person abuse, or a threat to someone's
health or safety, or if the laws in a program's state require such
reporting, the program must make the report anonymously, or in a way
that does not disclose that the person making the threat is a patient
in the program or has a substance use disorder, or obtain a court order
if time allows.
Some commenters asked about the applicability of the part 2
regulations to various facilities or entities, such as rehabilitation
facilities, dentists, and pharmacies. In summary, if a provider is not
a general medical facility or does
[[Page 6071]]
not hold itself out as providing, and provides, substance use disorder
diagnosis, treatment or referral for treatment, it would not meet the
first section of the definition of ``Program.'' If the provider is
either not an identified unit within a general medical facility that
holds itself out as providing, or does not provide, substance use
disorder diagnosis, treatment, or referral for treatment, it does not
meet the second section of the definition of ``Program.'' If the
provider either does not consist of medical personnel or other staff in
a general medical facility whose primary function is the provision of
substance use disorder diagnosis, treatment, or referral for treatment
or is not identified as such specialized medical personnel or other
staff by the general medical facility, it does not meet the third
section of the definition of ``Program.'' Whether embedded behavioral
health information is covered by 42 CFR part 2 depends on several
factors: First, only patient identifying information is subject to part
2 protections. If the acute care facility meets the definition of a
part 2 program and the information would identify, directly or
indirectly an individual as having been diagnosed, treated, or referred
for treatment for a substance use disorder, the information is subject
to part 2 protections; and if the acute care facility received the
patient identifying information via a valid part 2 consent (with a
notice of prohibition on re-disclosure) or as otherwise permitted under
the part 2 statute or regulations, the information is subject to part 2
protections.
With respect to pharmacies, when they receive prescriptions
directly from part 2 programs, the patient identifying information
related to those prescriptions is subject to 42 CFR part 2
confidentiality restrictions (as indicated by the accompanying
prohibition on re-disclosure notice). Pharmacies that receive paper
prescriptions directly from patients (and do not receive a prohibition
on re-disclosure notice) are, therefore, not subject to the part
2confidentiality restrictions. However, if the pharmacy or pharmacist
meets the definition of a part 2 program, they must comply with the
part 2 regulations.
In response to the commenter's request for clarification that
services are only covered under part 2 if the personnel are identified
as providing substance use disorder treatment outside the organization
to the general public, the third section of the definition of program
uses the term ``personnel'' to state that medical personnel or other
staff in a general medical facility whose primary function is the
provision of substance use disorder diagnosis, treatment or referral
for treatment and who are identified as such providers. This section of
the definition of program does not include the phrase ``holds itself
out'' as do the first two sections of the definition of program. In the
third section of the definition, the medical personnel or other staff
must be identified as such specialized medical personnel or other staff
by the general medical facility.
Although commenters requested an exclusion for employee assistance
programs, the regulation text at Sec. 2,12(d)(1) states: ``Coverage
includes, but is not limited to, those treatment or rehabilitation
programs, employee assistance programs, programs within general
hospitals, school-based programs, and private practitioners who hold
themselves out as providing, and provide substance use disorder
diagnosis, treatment, or referral for treatment.
Commenters requested an exemption for communications between a part
2 program and another entity under common ownership or control, but
SAMHSA declines to make the requested change. However, as stated in the
regulatory text (Sec. 2.12(c)(3) restrictions on disclosure in these
regulations do not apply to communications of information between or
among personnel having a need for the information in connection with
their duties that arise out of the provision of diagnosis, treatment,
or referral for treatment of patients with substance use disorders if
the communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an entity that has direct
administrative control over the program.''
SAMHSA declines to add the various suggested exceptions to the
applicability of the part 2 regulations, and encourages all
stakeholders to consult with legal counsel to ensure compliance with 42
CFR part 2, as well as any other applicable federal, state, or local
laws or regulations. SAMHSA is limited by statute to the specific
exceptions listed in the law; it cannot, therefore, add exceptions. As
stated previously, SAMHSA is authorized to promulgate regulations and
to provide such safeguards and procedures necessary to carry out the
purposes of the authorizing statute. SAMHSA has endeavored to strike an
appropriate balance between the important privacy protections afforded
patients with substance use disorders and the necessary exchange of
information to improve treatment outcomes for these individuals.
F. Confidentiality Restrictions and Safeguards (Sec. 2.13)
SAMHSA is modifying this section slightly from that proposed in the
NPRM by adding a paragraph clarifying responsibility for the List of
Disclosures requirement. As discussed in the proposal, because SAMHSA
is revising the consent requirements to allow a general designation in
certain circumstances, we have revised Sec. 2.13 by adding a paragraph
(d), which requires that, upon request, patients who have included a
general designation in the ``To Whom'' section of their consent form
must be provided, by the entity that serves as an intermediary, a list
of entities to which their information has been disclosed pursuant to
the general designation (List of Disclosures).
The new Sec. 2.13(d) specifies that patient requests for a list of
entities to which their information has been disclosed must be in
writing. Consistent with the NPRM, we consider ``written'' to include
both paper and electronic documentation. The list is limited to
disclosures made within the past 2 years.
Further, entities named on the consent form that disclose
information pursuant to a patient's general designation (entities that
serve as intermediaries as described in Sec. 2.31(a)(4)(iii)(B)) must
respond to requests for a List of Disclosures in 30 or fewer days of
receipt of the request.
1. Delayed Implementation of List of Disclosures Provision
Public Comments
Several commenters raised concerns about how to interpret the two-
year delayed implementation of List of Disclosures and whether the
general designation will be used during that period. A commenter
expressed concern about the immediate implementation of the general
designation while the right of patients to obtain a List of Disclosures
is postponed for two years.
Other commenters stated that, based on the NPRM language, HIEs will
not be able to take advantage of a general designation on the consent
form until they have the ability to comply with the List of Disclosures
requirement.
Commenters said SAMHSA needs to clarify that the duty to begin
collecting and storing disclosures under the general designation begins
two years after the effective date of the final rule and not before.
A commenter recommended that the right to obtain a list of those
who have received the patient's information should be implemented
simultaneously
[[Page 6072]]
with any other revisions to the part 2 regulation. Another commenter
said SAMSHA should implement the List of Disclosures requirement within
90 days.
SAMHSA Response
SAMHSA clarifies that the general designation on a consent form may
not be used until entities have the ability to comply with the List of
Disclosures provision. However, SAMHSA has removed the two-year delayed
compliance date for the List of Disclosures provision for the reasons
discussed in Section IV above.
2. Responsibilities Under the List of Disclosures Process
Public Comments
Commenters said SAMHSA should allow non-treating entities, that do
not have a treating provider relationship with the patient whose
information is being disclosed and serve as intermediaries named on the
consent form, to release the List of Disclosures to the facility where
the patient receives care (or the part 2 program), rather than to the
patient directly. One commenter said because this process, in which the
patient/consumer requests and receives the List of Disclosures from the
site where they receive care/part 2 program, rather than from the HIE,
resembles the process currently being used to meet HIPAA disclosure
requirements, it could be implemented without requiring additional
burdens on HIEs. Since most HIEs are not patient-facing, commenters
stated that there are typically not policies or procedures in place for
interacting with patients directly, particularly for patient
authentication, and suggested it be done at the provider level, and
that the patient communication be maintained at the part 2 program
level.
Other commenters said SAMHSA does not specify what responsibility,
if any, the part 2 program has to coordinate or verify the compliance
of the CCO or HIE with the List of disclosures. One commenter said if
SAMHSA intends for the part 2 program to have any responsibilities
beyond this, then it should obtain additional feedback from part 2
programs before proposing any new obligations. Some commenters appeared
to assume the part 2 program was responsible for the List of
Disclosures and requested that SAMHSA modify the requirement to impose
the duty directly upon the HIE, ACO, CCO, or research institution to
provide the listing to the patient, rather than the part 2 program.
A commenter said SAMSHA should clarify what entities must be
included on the List of Disclosures when the entity is part of a
complex healthcare system.
Another commenter said the absence of requiring disclosure of
individual names undermines the intent of the List of Disclosures and
undermines the purpose of expanding the ``To Whom'' provision and the
patient's incentive or willingness to consent to a general designation.
The commenter said the provision must be very explicit in disclosing
those agencies or individuals that will receive the patients' medical
information.
SAMHSA Response
Regarding the suggestion to allow entities that serve as
intermediaries as described by Sec. 2.31(a)(4)(iii)(B) to release the
List of Disclosures to the facility where the patient receives care (or
the part 2 program) or with the providers to whom the disclosure was
made, rather than directly to the patient, SAMHSA has decided to retain
the NPRM language and proposed responsibilities because the party
making the disclosure under the general designation should be
accountable for that disclosure. SAMHSA has clarified in paragraph
Sec. 2.31(d)(3) that the part 2 program is not responsible for
complying with the List of Disclosures requirement; the entity that
serves as an intermediary, as described in Sec. 2.31(a)(4)(iii)(B), is
responsible for compliance with the List of Disclosures requirement.
SAMHSA plans to issue subregulatory guidance that clarifies how the
patient may request the List of Disclosures from intermediaries as
described by Sec. 2.31(a)(4)(iii)(B).
On the responsibility of part 2 providers to comply with the List
of Disclosures requirement, SAMHSA agrees with the commenters that more
clarity is needed. In the circumstance in which a patient provides a
general designation in the ``To Whom'' part of a consent form, the part
2 program may not know to whom the disclosures have been made by the
entity that serves as an intermediary. As such, the List of Disclosures
provision requires that: The entity named on the consent form that
discloses information pursuant to a patient's general designation (the
entity that serves as an intermediary, as described in Sec.
2.31(a)(4)(iii)(B)) must: (i) Respond in 30 or fewer days of receipt of
the written request; and (ii) Provide, for each disclosure, the name(s)
of the entity(ies) to which the disclosure was made, the date of the
disclosure, and a brief description of the patient identifying
information disclosed. Further, paragraph (d)(3) clarifies that the
part 2 program is not responsible for complying with Sec. 2.13(d).
In response to the request for clarification on what entities must
be listed on the List of Disclosures and suggestion that individuals
(rather than entities with whom such individuals are affiliated) must
be listed, SAMHSA clarifies that the List of Disclosures must include a
list of the entities to which the information was disclosed pursuant to
a general designation. Individuals who received patient identifying
information pursuant to the general designation on a consent form
should be included on the List of Disclosures based on an entity
affiliation, such as the name of their practice or place of employment.
However, if entities that are required to comply with the List of
Disclosures requirement wish to include individuals on the List of
Disclosures, in addition to the required data elements which are
outlined in Sec. 2.13(d)(2)(ii), nothing in this rule prohibits it.
SAMHSA considered requiring both individuals and entities to be
included on the List of disclosures but, after reviewing the Health
Information Technology Privacy Committee's (HITPC's) recommendations
(https://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf),
decided to require, at a minimum, a list of entities. These
recommendations addressed the HITECH requirement that HIPAA covered
entities and business associates account for disclosures for treatment,
payment, and health care operations made through an EHR. The
Transmittal Letter recommended, ``that the content of the disclosure
report be required to include only an entity name rather than a
specific individual as proposed in the NPRM.'' In addition, the
Transmittal Letter noted that the Organization for Economic Cooperation
and Development (OECD) principles, the Fair Credit Reporting Act, and
the Privacy Act of 1974 do not require that the names of individuals be
provided. The HITPC, a committee established by the American Recovery
and Reinvestment Act of 2009 in accordance with the Federal Advisory
Committee Act (FACA), provides recommendations on health IT policy
issues to the ONC for consideration. The HITPC gave a broad charge to
its Privacy & Security Tiger Team (Tiger Team) ``to provide
recommendations on how to implement the requirements of the HITECH Act
of 2009 for covered entities and business associates to account for
disclosures for treatment, payment and health care operations made
through an EHR. In the referenced Transmittal Letter, the HITPC did not
focus on 42 CFR part 2,
[[Page 6073]]
however, given the similarities of the issues and the importance of the
lessons the Tiger Team learned, SAMHSA was persuaded by the Tiger
Team's discussion.
3. Technological Challenges and Burden of the List of Disclosures
Provision Public Comments
Public Comments
Many commenters argued that entities may not be equipped to
maintain and provide a List of Disclosures. A few commenters expressed
general concern about the burden associated with the List of
Disclosures provision. Several commenters added that the burden is
disproportionate to the anticipated benefit. Other commenters specified
areas of burden, including administering consents; developing a
tracking system; manually reviewing or auditing all records; and
transmitting information by U.S. mail. Some comments mentioned the
operational impact of the provision, including the impact on existing
business practices; uncertainty about interoperability with additional
systems; and operationalizing a different approach for HIPAA. One
commenter argued that HIPAA already provides sufficient protections
through the requirement for tracking and providing an accounting of
certain disclosures. Another commenter expressed concern that there are
varying levels of technical resources available for compliance with the
rule.
A commenter warned that one component of the Affordable Care Act is
its focus on sharing of certain medical information and the proposed
regulation may prevent realization of that goal. Similarly, another
commenter said, if HIEs are included in the disclosure request,
entities would be left with the choice of either not sending this
information, which would then not be available in emergent situations,
or not complying with this requirement. Another commenter said creating
additional accounting requirements, without further clarification on
the interoperability of such EHR systems, can create a state of
continuous uncertainty and flux, deterring investment into substance
use disorder treatment programs within integrated care networks.
Some commenters stated that the proposed provision conflicts with
existing HIPAA accounting of disclosure requirements or state laws.
Other commenters said it would be administratively burdensome to
implement, particularly in light of the fact that the health
information technology industry is still waiting for OCR to determine
how it will address the HITECH changes to HIPAA accounting of
disclosures.
For the above reasons, some commenters urged SAMHSA not to include
the List of Disclosures provision in the final rule; delay promulgating
until OCR decides how it will approach the HITECH provisions concerning
the HIPAA accounting of disclosures requirement; and engage with OCR,
providers, and vendors to fully understand the implications of such a
requirement before establishing an implementation date for the List of
Disclosures requirement.
SAMHSA Response
SAMHSA is including the List of Disclosures requirement in the
final rule to balance the flexibility of allowing a general designation
in the ``To Whom'' section of the consent form against the protection
of patient privacy. We understand commenter concerns about the
technical feasibility of implementing the List of Disclosures
requirement. However, there is no timeframe in which part 2 programs
and lawful holders need to comply with the List of Disclosures
requirements; only the condition that if they choose to have the option
to disclose information pursuant to a general designation on the ``To
Whom'' part of the consent form, they must also be capable of providing
a List of Disclosures upon request per Sec. 2.13(d). Because the
general designation is not mandated on a consent form, this allows
entities time to develop and test the technology needed for compliance
with the List of Disclosures requirements or to decide not to disclose
information pursuant to a general designation and not implement
technology needed for compliance with the List of Disclosures
provision.
Public Comments
A commenter said the List of Disclosures will impose a complex
burden upon all parties involved in the disclosure and receipt of
substance use disorder treatment, asserting that the disclosing party--
if it is not a part 2 program--would need to know that the information
being disclosed is subject to the part 2 requirements. The commenter
said there may be a question of whether this type of disclosure would
be prohibited per the Prohibition on re-disclosure provision, and this
becomes more complex if further disclosures or re-disclosures take
place.
SAMHSA Response
SAMHSA responds that the entity that serves as an intermediary
should be provided a copy of the part 2-compliant consent form or the
pertinent information on the consent form necessary for the
intermediary to comply with the signed consent. The providers with a
treating provider relationship with the patient whose information is
being disclosed would be aware of the part 2 protections because the
disclosure would also be accompanied by the prohibition on re-
disclosure notice.
Public Comments
A commenter said SAMHSA has not addressed whether there will be a
cost to the patient for obtaining a List of Disclosures. If patients
will be required to pay a fee for this list of disclosures, the
commenter said SAMHSA should establish a reasonable fee for the
provision of the List of Disclosures.
SAMHSA Response
SAMHSA strongly encourages entities to provide the List of
Disclosures at no charge to the patient.
4. Recommendations To Further Protect Patient Privacy
Public Comments
A commenter said SAMHSA should require the List of Disclosures to
include all disclosures of the patient's health information, whether
such disclosure was made pursuant to a consent form, QSOA, medical
emergency, or any other means. Similarly, another commenter stated
that, when a record of all uses and disclosures already exists, a
program should be required to make that record available to a patient
upon request. Other commenters asserted that the List of Disclosures
should be presented to the patient at the time the consent is signed,
rather than after the disclosures have been made. A commenter said
patients should also be given the option, at the time of signing, to
cross out entities to whom they do not want their information
disclosed. Also, a commenter said patients should be informed of
changes to the list that may now have access to their information.
Some commenters expressed concern that the List of Disclosures
would be limited to disclosures made within the past two years, which
does not allow the patient to learn about past data breaches. Some
commenters recommended expanding the time period to five years or not
including a time limit.
SAMHSA Response
In response to these concerns and recommendations about increasing
patient privacy rights, SAMHSA
[[Page 6074]]
clarifies that the List of Disclosures provision was proposed in the
NPRM as a way to balance the revision to the consent form allowing a
more general designation in the ``To Whom'' section, which is optional.
The List of Disclosures provision is limited to information disclosed
pursuant to the general designation by the entity that serves as the
intermediary, but these entities as well as part 2 programs are not
prohibited from providing patients with all available information.
Patients will have the right to request this List of Disclosures and
have it produced in a timely fashion; however, SAMHSA has chosen not to
require entities to provide this information at the time of patient
consent as this would be impossible because disclosure of the patient's
information has not occurred at that point. SAMHSA also emphasizes that
patients are not required to use a general designation in the ``To
Whom'' section of the consent form. Therefore, patients can limit
disclosures by a more concrete specification (i.e., named
individual(s)).
In response the comments on expanding the time period that the List
of Disclosures covers, this final rule's provision to limit the List of
Disclosures to those made within the last two years does not preclude
an entity that serves as an intermediary from providing the patient
with a list covering disclosures made for periods greater than two
years.
Public Comments
A commenter said SAMHSA should not include the sample language for
a request for a List of Disclosures under the general designation in
the final rule because HIPAA has shown that entities construe such
sample language as mandates to use the sample language, thereby making
it more difficult for an individual to request such information, and
hindering their ability to obtain such information contrary to the
intent of the proposed rule. The commenter suggested that SAMHSA, as
part of this rule or in subregulatory guidance at a later date,
recommend that certain criteria be included as part of an individual's
request for such disclosures.
SAMHSA Response
SAMHSA did not intend for the sample language for a request for a
list of disclosures provided in the NPRM to be construed as a
requirement for requesting a List of Disclosures, but rather to assist
patients in making such a request. SAMHSA is retaining the sample
language in this rule.
Public Comments
A commenter asserted that states can set a higher standard than
part 2, but the NPRM language would lead the patient to think that they
could get information via unencrypted email. The commenter suggested
the provision be modified to indicate that responses sent to the
patient electronically may be sent by unencrypted email at the request
of the patient ``so long as it is not prohibited by applicable law.''
In addition, the commenter said the final rule should require patients
to be notified that there may be some level of risk that the
information in an unencrypted email could be read by a third party. In
addition, the commenter said the rule should state that, if patients
are notified of the risks and still prefer unencrypted email, the
patient has the right to receive the information in that way, and
entities are not responsible for unauthorized access of the information
while in transmission to the patient based on the patient's request.
SAMHSA Response
The language regarding unencrypted email transmissions appears in
the NPRM preamble only and acknowledges both encrypted and unencrypted
email as acceptable modes of transmission. The language goes on to say:
``Responses sent to the patient electronically may be sent by encrypted
transmission (e.g., encrypted email or portal), or by unencrypted email
at the request of the patient, so long as the patient has been informed
of the potential risks associated with unsecured transmission. Patients
should be notified that there may be some level of risk that the
information in an unencrypted email could be read by a third party. If
patients are notified of the risks and still prefer unencrypted email,
the patient has the right to receive the information in that way, and
entities are not responsible for unauthorized access of the information
while in transmission to the patient based on the patient's request.
Before using an unsecured method to respond to a request for a list of
disclosures, an entity should take certain precautions, such as
checking an email address for accuracy before sending it or sending an
email alert to the patient for address confirmation to avoid unintended
disclosures.'' SAMHSA does not intend to be prescriptive regarding how
the information is relayed to the patient or to preempt applicable
state law that may prohibit unencrypted transmission (see Sec. 2.20).
Public Comments
A commenter said the NPRM abandoned the current statement that the
rule does not restrict a disclosure that ``an identified individual is
not and has never been a patient.'' The commenters said the new
approach militates against fishing by third parties.
SAMHSA Response
SAMHSA agrees with the commenter that prohibiting a disclosure that
``an identified individual is not and has never been a patient''
mitigates against fishing by third parties. In the NPRM, SAMHSA
proposed to remove the concept from Sec. 2.13(c)(2) that the
regulations do not restrict a disclosure that an identified individual
is not and never has been a patient and has retained this position in
the final rule.
Public Comments
Commenters made other recommendations relating to the proposed List
of Disclosures requirement focused on generally improving patients'
rights, including suggestions to keep information confidential; notify
when a treating provider has accessed the patient's confidential
information; ensure patient-approved information sharing; provide a
process by which an individual can raise a complaint; and disclose to
patients in plain language.
SAMHSA Response
SAMHSA acknowledges and shares the commenters' concerns with
patient privacy. We believe that the List of Disclosures requirement as
proposed in the NPRM is adequate to inform patients of how their
information has been shared in the event that they provided a general
designation in the ``To Whom'' portion of their consent. SAMHSA
encourages entities to provide the information associated with a List
of Disclosures in plain language and with sufficient specificity so
that patients understand the List of Disclosures, including the brief
description of the patient identifying information disclosed.
5. Other Comments and Recommendations on the List of Disclosures
Provision
Public Comments
One commenter recommended that SAMHSA allow consent to include a
description of HIE as a function to support patient care, and exclude
this function from the information disclosure accounting [List of
Disclosure] requirement.
[[Page 6075]]
A commenter recommended that SAMHSA offer additional guidance on
best practices and make infrastructure grants available to create the
necessary modifications within providers' EHRs or other consent
tracking systems.
Some commenters made other suggestions. For example, a commenter
requested that SAMHSA define ``in writing'' and ``written requests'' as
those terms are used in the List of Disclosures provision (Sec.
3.13(d)). Another commenter urged SAMHSA to explore options to reduce
the cost of the List of Disclosures provision and further clarify how
the enhanced protection of substance use disorder treatment information
can be consistent and interoperable with other health systems.
SAMHSA Response
As for the request to define ``in writing'' and ``written
requests'' as those terms are used in the List of Disclosures
provision, in the NPRM preamble discussion of Terminology Changes,
SAMHSA explained that for the purposes of this regulation, we also
propose that the term ``written'' include both paper and electronic
documentation.
The consent requirements (Sec. 2.31) include the option of
including in the ``To Whom'' section of the consent form the name of an
entity that does not have a treating provider relationship with the
patient whose information is being disclosed (and is not a third-party
payer that requires patient identifying information for the purposes of
reimbursement for the services rendered by the part 2 program) and
either the name(s) of an individual participant(s); or the name(s) of
an entity participant(s) that has a treating provider relationship with
the patient whose information is being disclosed; or a general
designation of an individual or entity participant(s) or class of
participant(s) who has a treating provider relationship with the
patient whose information is being disclosed. Any HIE that serves as an
intermediary is subject to the List of Disclosures requirement
regardless of its other ``functions.'' Regarding the requests for
guidance, SAMHSA may issue additional subregulatory guidance on this
provision after this final rule is published.
G. Security for Records (Sec. [thinsp]2.16)
SAMHSA is adopting this section as proposed except for some non-
substantive, technical changes to the language in proposed Sec.
2.16(a)(2)(i). SAMHSA is modernizing this section to address both paper
and electronic records. First, SAMHSA revised the heading by deleting
the word ``written'' so that it now reads: Security for Records.
Secondly, SAMHSA clarified that this section requires both part 2
programs and other lawful holders of patient identifying information to
have in place formal policies and procedures for the security of both
paper and electronic records. Finally, SAMHSA has replaced language in
other sections of part 2 with a reference to the policies and
procedures established under Sec. [thinsp]2.16, where applicable. As
noted above, SAMHSA has made some technical changes to the language in
proposed Sec. 2.16(a)(2)(i). In particular, to more closely align with
the HIPAA Security Rule, SAMHSA has revised Sec. 2.16(a)(2)(i) to
require that part 2 program security for electronic records policies
must include ``creating, receiving, maintaining, and transmitting such
records.'' The proposed language was ``copying, downloading,
forwarding, transferring, and removing such records.''
Public Comments
Some commenters supported the proposed provisions on security and
stated that they provide appropriate protections. However, many
commenters asserted that the security provisions of HIPAA should be
followed and that those requirements should satisfy the part 2
provisions.
A commenter also supported the use of internal confidentiality
agreements.
A commenter expressed concern that the rule does not address what a
non-part 2 provider who receives part 2 data must do to ensure adequate
safeguards are in place. Similarly, another commenter expressed concern
about security obligations that would be placed on other lawful
holders, such as courts, law firms, family members, or other private
citizens who are often not the types of providers subject to the
current (1987) part 2.
One commenter recommended an expiration date for electronic
records. Another commenter recommended that the use of secure,
certified HIT be added as a requirement for part 2 program providers,
as well as any services provided that conduct audits and evaluations
related to transition of patient information.
SAMHSA Response
SAMHSA appreciates the support of commenters on this issue. On the
issue of HIPAA, covered entities must comply with all regulations that
are applicable to them. Because some entities subject to this rule are
not subject to HIPAA, SAMHSA may provide subregulatory guidance after
the rulemaking on the extent to which compliance with HIPAA security
requirements, for those subject to them, will satisfy Sec. 2.16.
SAMHSA emphasizes that if an entity already has security practices and
policies in place that meet the requirements of this rule, whether
those practices were developed to meet the regulatory requirements or
simply as a matter of good practice, the entity may not need to take
additional action on this issue. In the NPRM, SAMHSA suggested
resources for part 2 programs and other lawful holders for developing
formal policies and procedures including materials from the HHS Office
for Civil Rights (e.g., Guidance Regarding Methods for De-
identification of Protected Health Information in Accordance with the
Health Insurance Portability and Accountability Act (HIPAA) Privacy
Rule), and the National Institute of Standards and Technology (NIST)
(e.g., the most current version of the Special Publication 800-88,
Guidelines for Media Sanitization).
On the issue of use of internal confidentiality agreements and the
required use of secure, certified Health IT, Sec. 2.16 provides
requirements for formal policies and procedures to reasonably protect
against unauthorized uses and disclosure of patient identifying
information and to protect against reasonably anticipated threats or
hazards to the security of patient identifying information. A part 2
program or other lawful holder of patient identifying information may
impose any additional requirements that they feel will enhance
protections.
With regard to security of the records lawfully obtained by non-
part 2 programs, Sec. 2.16 applies equally to these entities (referred
to as lawful holders of patient identifying information). The required
formal policies and procedures are intended to ensure protection of
patient identifying information when electronic records are exchanged
electronically using health IT, as well as when they are exchanged
using paper records. In addition, the formal policies and procedures
will have to address, among other things, the sanitization of hard copy
and electronic media, which is addressed in the NPRM discussion of
Disposition of Records by Discontinued Programs (Sec. [thinsp]2.19).
On the concern raised that Sec. 2.16 places an unreasonable burden on
courts, law firms, family members, or other private citizens who may
obtain the information, a patient who has obtained a copy of his or her
records or a family member or private citizen who has received such
information from a patient would not be considered a lawful holder of
patient identifying information in this context. Generally,
[[Page 6076]]
consents and permissible disclosures are initiated by a lawful holder
who desires the information and, therefore, the lawful holder would
already be familiar with part 2.
H. Disposition of Records by Discontinued Programs (Sec. 2.19)
SAMHSA is modifying this section from that proposed in the NPRM in
response to public comments, as discussed below. In this section,
SAMHSA addresses the disposition of both paper and electronic records
by discontinued programs, including added requirements for sanitizing
paper and electronic media, which is distinctly different from deleting
electronic records and may involve clearing (using software or hardware
products to overwrite media with non-sensitive data) or purging
(degaussing or exposing the media to a strong magnetic field in order
to disrupt the recorded magnetic domains) the information from the
electronic media. If circumstances warrant the destruction of the
electronic media prior to disposal, destruction methods may include
disintegrating, pulverizing, melting, incinerating, or shredding the
media. SAMHSA expects the process of sanitizing paper media (including
printer and facsimile (FAX) ribbons, drums, etc.) or electronic media
to be permanent and irreversible, so that there is no reasonable risk
that the information may be recovered. For the purpose of this rule,
SAMHSA makes a distinction between electronic devices (something that
has computing capability, such as a laptop, tablet, etc.) and
electronic media (something that can be read on an electronic device,
such as a CD/DVD, flash drive, etc.).
Public Comments
A commenter expressed support for the proposal related to
disposition of records by discontinued programs. Another commenter
recommended that the rule allow for ``selective sanitizing,'' using
methods that will not require overwriting the entire electronic media.
Two commenters asked about patient records when a program is acquired
by another program. A commenter suggested that the rule should address
situations in which a patient cannot be located or is deceased and
cannot give consent. The commenter provided multiple suggestions
relating to disposition of records, including permit more flexible
means of storage; permit scanning and electronic storage of records; do
not require transfer to a portable device; offer an option to store
records in a production encrypted network storage device. This
commenter also asserted that sanitation of electronic communications
would not be feasible in organizations storing millions of electronic
records; requiring storage of a portable electronic device in a sealed
container does not add additional security if it is already encrypted;
and deleting substance use information from records does not conceal
the fact that someone has a substance use disorder but instead
highlights the fact.
SAMHSA Response
SAMHSA acknowledges the support for the proposed provision. With
regard to the issue of multiple sources of records, we have revised the
language in the final rule to allow one year to complete the process of
sanitizing paper or electronic media (see Sec. 2.19(b)(2)(iii)). This
change should allow for select patient records to be removed from both
the specific site and any operational sources without disrupting other
patient records. Regarding acquisition of one program by another, the
Sec. 2.19(a) regulatory text outlines the exceptions to removing
patient identifying information from its records or destroying its
records.
If the patient cannot be located or is deceased and cannot give
consent, the part 2 program that has discontinued operations or is
taken over or acquired by another program, must remove the patient's
identifying information from its records, including sanitizing any
associated hard copy or patient records or patient identifying
information residing on electronic media, to render the patient
identifying information non-retrievable in a manner consistent with
policies and procedures under Sec. 2.16.
Regarding comments on more flexible means of electronic record
storage, SAMHSA has revised Sec. 2.19(b)(2) to allow for more
flexibility. The revised language allows for electronic records to be
transferred to a portable electronic device with implemented encryption
to encrypt the data at rest so that there is a low probability of
assigning meaning without the use of a confidential process or key and
implemented access controls for the confidential process or key (see
Sec. 2.19(b)(2)(i)); or transferred, along with a backup copy, to
separate electronic media, so that both the records and the backup have
implemented encryption to encrypt the data at rest so that there is a
low probability of assigning meaning without the use of a confidential
process or key and implemented access controls for the confidential
process or key (see Sec. 2.19(b)(2)(ii)). For electronic storage of
the records, if the records are scanned, they would have to be
maintained consistent with Sec. 2.19(b)(2) and the paper records would
have to be destroyed consistent with Sec. 2.16. Regarding portable
device storage, the final Sec. 2.19 language specifies that the
portable electronic device or the original and backup electronic media
must be sealed in a container along with any equipment needed to read
or access the information. The sealed container prevents the portable
electronic device or the original and backup electronic media from
being separated from the equipment needed to read or access the
information.
I. Notice to Patients of Federal Confidentiality Requirements (Sec.
2.22)
SAMHSA is adopting this section as proposed. Consistent with the
NPRM, SAMHSA considers the term ``written'' to include both paper and
electronic documentation. Accordingly, the notice to patients may be
either on paper or in an electronic format. SAMHSA also revised Sec.
2.22(b)(2) to require the statement regarding the reporting of
violations to include contact information for the appropriate
authorities.
Public Comments
Several commenters expressed support for the proposed provisions,
particularly the allowing of electronic notice, and they encouraged the
use of plain language and notices in languages other than English.
Several commenters recommended that SAMHSA should make a sample notice
or language available to covered entities. One commenter asked how
written notice can be provided for encounters that are not in person.
Other commenters suggested that the patient be given copies rather
than written summaries of state and federal law; a paper report, if
requested; the right to request and obtain restrictions; and a
description of how patient information may be disclosed for scientific
research.
SAMHSA Response
The final rule requires that the notice include contact information
for the appropriate authorities for reporting violations. SAMHSA
believes this change will make it easier for patients to identify to
whom they should file a complaint of a potential violation of part 2.
Therefore, SAMHSA declines to include a sample complaint form at this
time but may consider whether to issue one outside of this rulemaking
process. SAMHSA also declines to require copies rather than summaries
of state and federal law because the notice to patients of federal
confidentiality requirements is required to provide citations to the
federal law and
[[Page 6077]]
regulations that protect the confidentiality of patient records and
including information concerning state laws and regulations is
optional. The notice must also be provided in writing but as was
discussed in Terminology Changes (Sec. 2.11), the term ``in writing''
includes both paper and electronic documentation. Because the purpose
of the notice is to communicate to the patient the federal law and
regulations that protect the confidentiality of patient records, SAMHSA
declines to require anything additional. However, if a part 2 program
wishes to provide additional information, nothing in this provision
prohibits them from doing so.
J. Consent Requirements (Sec. 2.31)
SAMHSA is finalizing the consent requirements in this section, with
certain modifications as described in greater detail below. In summary,
SAMHSA is adopting all proposed changes to Sec. 2.31 except for two at
this time. In the ``From Whom'' section of the consent requirements
(Sec. 2.31(a)(2)), SAMHSA decided not to finalize its proposal to
remove the general designation option, but did make minor updates to
the terminology in the current (1987) regulatory text. As explained in
greater detail below, the final ``From Whom'' provision of the consent
requirements specifies that a written consent to a disclosure of part 2
information must include the specific name(s) or general designation(s)
of the part 2 program(s), entity(ies), or individual(s) permitted to
make the disclosure. SAMHSA also decided not to finalize the proposed
requirement that a part 2 program or other lawful holder of patient
identifying information obtain written confirmation from the patient
that they understand the terms of the consent.
SAMHSA has revised the section heading from ``Form of written
consent'' to ``Consent requirements.'' SAMHSA also made revisions to
the two other sections of the consent form requirements: the ``To
Whom'' section and the ``Amount and Kind'' section. SAMHSA also revised
Sec. 2.31 to require a part 2 program or other lawful holder of
patient identifying information to include on the consent form that
patients, when using a general designation in the ``To Whom'' section
of the consent form, have the right to obtain, upon request, a List of
Disclosures (see Sec. 2.13). In addition, SAMHSA revised Sec. 2.31 to
permit electronic signatures to the extent that they are not prohibited
by any applicable law.
1. General Comments on Consent Requirements
a. General
Public Comments
SAMHSA received many comments on the proposed rule's updated
consent requirements. Some commenters generally supported the new
consent requirements. Other commenters listed various reasons for their
support, including increased facilitation of informed patient
decisions, increased patient choice with regard to protection of their
health information, and increased sharing of health care records among
providers. One commenter supported the use of paper and electronic
forms of written consent.
Many commenters, however, expressed general opposition to the
proposed consent requirements. Several commenters argued that the
proposed rule created unnecessary burdens for providers, such as staff
training, constant updates to consent forms, and expensive updates to
provider EHRs. Several commenters argued the proposed consent rules
would create obstacles to information sharing and integrated care.
Specifically, a commenter argued that the ``To Whom'' and ``From Whom''
format restricts who within organizations can view a patient's records,
further hampering coordinated care. Another commenter argued that the
proposed consent form requirements would make it difficult for many
HIEs to exchange part 2 information, and that the new requirements do
little to promote a patient's informed consent. A couple of commenters
argued that the proposed regulations would reduce access to substance
use disorder treatment being added by general health care
organizations, due to administrative burden and liability fears.
General health care providers are less likely to add substance use
disorder treatment, or partner or undertake projects with substance use
disorder treatment providers. Another commenter stated this rule may
result in providers not screening patients for substance use disorders
and not documenting substance use disorder related information.
According to a few commenters, the current part 2 regulations
exceed the statutory requirements that led to the regulations. One
commenter suggested that 42 U.S.C 290dd-2 requires consent to share
information and does not allow any shared information to be used for
prosecution. The commenter goes on to state that nothing in Title 42,
U.S.C. 290dd-2 requires an explicit description of what information can
be released, or requires time limits on consent. The commenter
suggested that SAMHSA could reduce confusion and administrative burden
by proposing revisions that are much more consistent with HIPAA than
its current proposal.
SAMHSA Response
Regarding the comments on statutory authority, we do not agree that
the regulations in 42 CFR part 2 exceed the authority provided for in
42 U.S.C. 290dd-2. The statute specifies that patient identifying
information may be disclosed in accordance with prior written patient
consent, ``but only to such extent under such circumstances, and for
such purposes as may be allowed under regulations prescribed'' by the
Secretary.
Regarding concerns about unnecessary burdens for providers, such as
staff training, constant updates to consent forms, and expensive
updates to provider EHRs, these burdens might be offset by the benefits
of increased in flexibility in the consent requirements. With respect
to obstacles to information sharing, one of SAMHSA's goals for this
rulemaking is to ensure that patients with substance use disorders have
the ability to participate in and benefit from new integrated health
care models without fear of putting themselves at risk of adverse
consequences.
Public Comments
Some commenters stressed that consent forms should be easy to read,
accessible to limited English proficiency patients, and should meet
HIPAA's plain language requirements. Commenters stated that language
and literacy concerns could be barriers to actual understanding of the
form's contents. Similarly, suggesting that SAMHSA take into account
the reading level standards in other health programs, including
Medicare and Medicaid, one commenter asserted that the proposed
regulations do not provide adequate options for an individual to easily
and simply determine who can or cannot access their substance use
disorder records.
SAMHSA Response
SAMHSA agrees with the commenters that the consent form should be
written clearly so that the patient can easily understand the form.
SAMHSA is considering issuing subregulatory guidance in the future to
provide examples of forms that comply with the basic consent
requirements in 2.31(a). In addition, SAMHSA encourages part 2 programs
to be sensitive to the cultural and linguistic composition of their
[[Page 6078]]
patient population when considering whether the consent form should
also be provided in a language(s) other than English (e.g., Spanish).
b. Consent Form Validity Period
Public Comments
Several commenters stated that a two-year time limit for the
validity of consent is insufficient, with some commenters suggesting
that consent forms be valid indefinitely or until death. For example,
one commenter asked why SAMHSA would deny a person who has received
substance use disorder treatment the right to decide that they want any
and all information regarding their treatment shared with any and all
of their health care providers indefinitely as needed for coordination
of care. Another commenter stressed the language of Sec. 2.31(a) was
confusing and requested clarification on the permissible length of time
a consent is valid.
SAMHSA Response
Under Sec. 2.31, a part 2-compliant consent form must list the
date, event, or condition upon which the consent will expire, if not
revoked before. Thus, it is not sufficient under part 2 for a consent
form to merely state that that disclosures will be permitted until the
consent is revoked by the patient. It is, however, permissible for a
consent form to specify the event or condition that will result in
revocation, such as having its expiration date be ``upon my death.''
The rule does not set a two-year time limit for consents, as some
commenters thought.
c. Technical Challenges to Proposed Consent Requirements
Public Comments
Commenters expressed concern about the technical challenges
providers would face in complying with the proposed consent
requirements. Generally, commenters expressed concern that few, if any,
EHR systems and/or HIEs have the capability to segregate substance use
disorder patient information in a way that could fully support the rule
by reflecting the patient's consent choices, and many providers would
have to expend significant amounts of funds to create or acquire a
compliant system. Commenters argued that if providers do not have data
segmentation capability, they may simply exclude substance use disorder
patient data from their systems, thus adversely impacting system
integration and patient care.
A couple of commenters asserted that EHR, HIE, and other electronic
records systems have no way of selecting different levels of consent
for treating providers. Specifically, a commenter stated that SAMHSA
should remove requirements for varied levels of consent within a given
organization (e.g., between departments or individuals), instead
limiting such variation to HIEs that share information between or
across organizations. A commenter stated that it is not feasible to do
individual exclusionary consents in an HIE, especially for an entity
that has thousands of employees across multiple states.
A commenter stated that providers in an integrated care network may
be precluded from performing important quality improvement checks
because no set of clinically integrated network officials can be
expected to have a direct treatment relationship with every patient in
the large data pools necessary to drive these important public health
efforts.
A commenter stated that the confidentiality of a substance use
disorder patient's information should not be compromised if some
electronic systems were poorly designed and without regard for part 2.
Similarly, another commenter stated that technology should be regarded
as a tool and should not diminish a patient's privacy rights.
SAMHSA Response
SAMHSA acknowledges the concerns regarding technical challenges to
the consent requirements and data segmentation more broadly. As stated
above, SAMHSA has played a significant role in encouraging the use of
health IT by behavioral health (substance use disorders and mental
health) providers and towards minimizing technical burdens through a
variety of activities. SAMHSA actively participates in the development
and stewarding of data standards to promote data segmentation and
interoperability. Specifically, the Data Segmentation for Privacy
(DS4P) initiative within ONC's Standards and Interoperability (S&I)
Framework facilitated the development of standards to improve the
interoperability of EHRs containing sensitive information that must be
protected to a greater degree than other health information due to 42
CFR part 2 and similar state laws. The DS4P standards were used in
several pilot projects, including the Department of Veterans Affairs
(VA)/SAMHSA Pilot, which implemented all the DS4P use cases and passed
all conformance tests; and SAMHSA's Opioid Treatment Program (OTP)
Service Continuity Pilot that connected OTPs to an HIE to facilitate
continuity of care during disasters or other unexpected disruptions in
service. Additionally, DS4P standards were adopted in ONC's 2015
Edition final rule (80 FR 62702, Oct. 16, 2015) as part of the 2015
Edition Health IT Certification Criteria (2015 Edition). See 45 CFR
170.315(b)(7) and (8). SAMHSA has also supported the development of the
application branded Consent2Share, an open-source health IT solution
based on DS4P, which assists in consent management and data
segmentation and is currently being used by the Prince Georges County
(Maryland) Health Department to manage patient consent directives while
sharing substance use disorder information with an HIE. SAMHSA is
currently updating Consent2Share, slated for release in late 2016, with
the aim that its streamlined data stack and improved functionality will
lower barriers to implementation in the field. SAMHSA is considering
issuing subregulatory guidance in the future to address other technical
solutions to complying with the regulation.
Regarding the comment that it is not feasible to do individual
exclusionary consents in an HIE, the HIE does not have to give the
patient the option to do individual level consent. SAMHSA has provided
more flexibility in the consent provisions in an effort to ensure that
patients with substance use disorders have the ability to participate
in and benefit from new integrated health care models while, at the
same time, maintaining core confidentiality protections.
d. Requests for Exemptions and Exceptions
Public Comments
Several commenters requested various exemptions or exceptions from
the part 2 consent requirements, including a public health exception
similar to that of the HIPAA Privacy Rule (see https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/), an
exemption for CCOs who have a treating relationship with a patient, an
exemption for ACOs who have integrated delivery systems, an exception
for state health data organizations that collect data under legislative
authority and collection of substance use disorder data by state
agencies, and in instances where part 2 data may be used to improve
patient care coordination, ensure interoperability, and ensure patient
safety. One commenter requested an exception for care coordination
purposes for valid and vital clinical reasons.
[[Page 6079]]
Regarding Sec. 2.20 (Relationship to state laws), a commenter said
SAMHSA should include an exception under part 2, subpart D (Disclosures
Without Patient Consent) allowing disclosures of substance use disorder
treatment information based on state laws that authorize or compel such
disclosures (e.g., for public health or medical assistance reasons).
Another commenter, noting the role of multi-payer claims databases or
MPCDs (also known as all payer claims databases (APCDs)), suggested
that SAMHSA add a new section to include state health data
organizations that collect data under a legislative authority,
reasoning that these states have decades of experience in collecting
and managing sensitive data with strict legal and policy controls.
A commenter said SAMHSA should permit oral consent with
documentation and specific information to be shared.
SAMHSA Response
SAMHSA appreciates the perspectives expressed by those who seek
additional exceptions or exemptions from part 2 consent requirements,
as well as the suggestion that SAMHSA permit oral consents that are
documented in writing.
The part 2 underlying statute, 42 U.S.C. 290dd-2, and this rule
require a written patient consent to disclose part 2 information unless
the disclosure is otherwise permitted under the part 2 statute or
regulations. The statute, for instance, does not provide a general
exception to the consent requirement for the purpose of sharing
information with public health officials. In certain circumstances,
disclosures of part 2 information may be authorized by court order to
protect against an existing threat to life or of serious bodily injury
(see[thinsp]Sec. 2.63, Confidential communications) or to the extent
necessary to meet a bona fide medical emergency in which the patient's
prior informed consent cannot be obtained (see Sec. 2.51, Medical
emergencies). SAMHSA may in the future consider issuing subregulatory
guidance to further describe medical emergencies under Sec. 2.51 and
how such emergencies may relate to public health emergencies declared
at the federal, state, local, and/or tribal levels. SAMHSA does not,
however, have the statutory authority to authorize routine disclosure
of part 2 information for public health reporting, surveillance,
investigation or intervention purposes.
With respect to Sec. 2.20 (Relationship to state laws), in the
proposed and final rules SAMHSA maintains current language regarding
preemption. As discussed above, SAMHSA cannot develop a new general
exception for public health or medical assistance purposes in light of
the statute. Likewise, SAMHSA cannot develop a specific new exception
for APCDs (hereinafter referred to as MPCDs). The role of MPCDs is
discussed in the section of this preamble concerning research (Sec.
2.52). SAMHSA disagrees with the recommendations to consider a specific
exemption to the consent requirements for ACOs that have integrated
delivery systems, except as described in Sec. 2.53 for the purposes of
audits and evaluations. Similarly, SAMHSA is not accepting the
suggestion to provide a specific exemption from the part 2 consent
requirements for CCOs that have a treating provider relationship with a
patient (i.e., that meet the definition of having a treating provider
relationship with the patient whose information is being disclosed).
SAMHSA believes that the final changes to the consent requirements will
facilitate care coordination and information exchange. Improving the
quality of substance use disorder care depends on effective
collaboration of mental health, substance use disorder, general health
care, and other service providers in coordinating patient care.
However, the composition of a health care team varies widely among
entities. Because SAMHSA wants to ensure that patient identifying
information is only disclosed to those individuals and entities on the
health care team with a need to know this sensitive information, we are
limiting a general designation in the ``To Whom'' section of the
consent requirements to those individuals or entities with a treating
provider relationship. Patients may further designate their treating
providers as ``past,'' ``current,'' and/or ``future'' treating
providers. In addition, the consent form can include multiple
authorizations in the ``To Whom'' section. A consent may allow a
patient to designate, by name, one or more individuals with whom they
do not have a treating provider relationship, that they authorize to
receive or access their health care data.
While we are not establishing specific additional exemptions or
exclusions from the consent requirements at this time in response to
commenters' suggestions, in light of the longstanding role that
contractors and subcontractors play in the health care system and their
handling of part 2 data, we are issuing an SNPRM related to lawful
holders' use of contractors and subcontractors.
e. Commenter Recommendations
Public Comments
Some commenters said SAMHSA should expand the list of persons who
could view the patient's medical record without the patient's written
consent to include clergy, social workers, psychologists and family
members if in their professional opinion they were necessary for the
patient's recovery and progress. Another commenter recommended
expanding the list to include all types of professionals involved in
the treatment of individuals receiving substance use treatment into the
respective definitions, including those employed in social services
that are members of the treatment team.
SAMHSA Response
The definition of ``treating provider relationship'' is
sufficiently broad to cover the necessary components of a patient's
care team. The statute, 42 U.S.C. 290dd-2, does not provide an
exception to the consent requirement for the purpose of sharing
information with family members. Part 2, therefore, requires a part 2-
compliant consent to disclose patient identifying information unless
disclosure is otherwise permitted under the statute or regulations.
Public Comments
Many commenters said SAMHSA should provide a sample consent form.
Some commenters stated that any sample consent form should not be
mandated to allow stakeholders flexibility.
SAMHSA Response
SAMHSA may, after publication of this rule, issue subregulatory
guidance that includes a sample consent form that meets the
specifications of the final rule. SAMHSA has never and has no intention
of mandating the use of a specific consent form.
Public Comments
Several commenters generally supported the use of electronic
signatures. Several commenters only supported electronic signatures
when also authorized under state law. A couple of commenters requested
guidance on what steps the provider would need to take to verify
identity, provide the required prefatory information and to obtain a
substance use disorder patient's electronic signature. A commenter
requested guidance from SAMHSA on the areas modified by SAMHSA. A
commenter said SAMHSA should identify the signatory and enforceability
[[Page 6080]]
consideration of electronic consent through reference to other laws.
SAMHSA Response
Because there is no single federal law on electronic signatures and
there may be variation in state laws, SAMHSA recommends that
stakeholders consult their attorneys to ensure they are in compliance
with all applicable laws.
Public Comments
Some commenters made recommendations for patient privacy
protection. One commenter noted that the use of secure, certified
health IT, networks, and devices, especially for the transmission of
patient records, does not appear to be included in the proposed
provisions. Another commenter said meaningful consents could only be
achieved by adding statements that inform the patient of the
unprecedented risks of making highly sensitive substance use disorder
information accessible throughout integrated health care systems or
electronic health information systems that cannot be made secure.
A commenter stated the proposed rule did not address revocation or
refusal of consent. Similarly, another commenter recommended adding
language that makes clear that revocation of consent prevents
unauthorized access but does not remove the information from the
electronic record.
SAMHSA Response
Section 2.16 addresses security for records and requires formal
policies and procedures to reasonably protect against unauthorized use
and disclosures of patient identifying information and to protect
against reasonably anticipated threats or hazards to the security of
patient identifying information. Whereas this provision does not
specifically address the use of certified health IT networks, and
devices, they may be used as long as the requirements of section 2.16
are met. Regarding revocation of consent, Sec. 2.31(a)(6) requires:
``A statement that the consent is subject to revocation at any time
except to the extent that the part 2 program or other lawful holder of
patient identifying information that is permitted to make the
disclosure has already acted in reliance on it. Acting in reliance
includes the provision of treatment services in reliance on a valid
consent to disclose information to a third-party payer.'' To the extent
an individual refuses to consent to the disclosure of their patient
identifying information, part 2 prohibits such disclosure unless
otherwise permitted under the statute or regulations (e.g., audit or
evaluation, or scientific research).
2. To Whom
SAMHSA is adopting this aspect of the proposal. SAMHSA has moved
the former Sec. 2.31(a)(2), ``To Whom'' provision, to Sec.
2.31(a)(4). The following table provides an overview of the options
permitted when completing the designation in the ``To Whom'' section of
the consent form.
Table 1--Designating Individuals and Organizations in the ``To Whom'' Section of the Consent Form
----------------------------------------------------------------------------------------------------------------
Treating provider
Individual or relationship with Required
42 CFR 2.31 entity to whom patient whose Primary additional
disclosure is to information is designation designation
be made being disclosed
----------------------------------------------------------------------------------------------------------------
(a)(4)(i)....................... Individual........ Yes............... Name of None.
individual(s)
(e.g., Jane Doe,
MD).
(a)(4)(i)....................... Individual........ No................ Name of None.
individual(s)
(e.g., John Doe).
(a)(4)(ii)...................... Entity............ Yes............... Name of entity None.
(e.g., Lakeview
County Hospital).
(a)(4)(iii)(A).................. Entity............ No................ Name of entity None.
that is a third-
party payer as
specified under
Sec.
2.31(a)(4)(iii)(A
) (e.g.,
Medicare).
(a)(4)(iii)(B).................. Entity............ No................ Name of entity At least one of
that is not the following:
covered by Sec. 1. The name(s) of
2.31(a)(4)(iii)(A an individual
) (e.g., HIE, or participant(s)
research (e.g., Jane Doe,
institution). MD, or John Doe).
2. The name(s) of
an entity
participant(s)
with a treating
provider
relationship with
the patient whose
information is
being disclosed
(e.g., Lakeview
County Hospital).
3. A general
designation of an
individual or
entity
participant(s) or
a class of
participants
limited to those
participants who
have a treating
provider
relationship with
the patient whose
information is
being disclosed
(e.g., my current
and future
treating
providers).
----------------------------------------------------------------------------------------------------------------
If a general designation is used, the entity must have a mechanism
in place to determine whether a treating provider relationship exists
with the patient whose information is being disclosed. Patients may
further designate their treating providers as ``past,'' ``current,''
and/or ``future'' treating providers. In addition, a patient may
designate, by name, one or more individuals on their health care team
with whom they do not have a treating provider relationship.
a. General
Public Comments
Several commenters generally agreed with the proposed ``To whom''
section of the consent requirements, stating that it allows patients to
disclose substance use disorder information to past, current, or future
treating providers; would improve information and data sharing for
health care, especially for entities that are continually adding new
members; allow patients to remain in control of their substance use
disorder information and understand who had access to their data. One
commenter supported the express permission to designate the name of the
entity for third-party payers that require patient identifying
information for purposes of reimbursement of services rendered to the
patient.
Many commenters offered general support for the proposed rule's
general designation. Some commenters stated that the general
designation creates a
[[Page 6081]]
balance between patient privacy and operational functions, facilitates
internal communication within an integrated delivery system,
streamlines the consent process, reduces administration burdens,
creates new flexibility, may help facilitate increased behavioral
health participation in some HIEs around the country, and would help
improve the quality and continuity of care within integrated delivery
models. A commenter supported the expansion of the use of a general
designation when there is a treating provider relationship, but said it
is unworkable to require an updated consent form every time new
entities are added to the ``umbrella'' consent.
Some commenters generally disagreed with the proposed ``To Whom''
provision of the consent requirements. Several commenters argued that
the proposal was burdensome, would create additional complexity, would
reduce information sharing, and would not improve patient privacy
protections or facilitate informed consent. Commenters stated it is
unnecessary and impractical to require the consent form to name every
HIE and other intermediaries that may assist in transmitting or
providing access to the patient's information. A couple of commenters
stated the proposed rule would restrict the ability of patients to
specifically name an entity or to authorize part 2 programs to send
their information to entities that do not have a treatment relationship
[treating provider relationship]. Another commenter said the regulatory
preface mentions a number of very specific drivers of this purported
need for broader sharing (such as HIEs), but the regulatory language
itself contains no such limitation and offers HIE only as an
illustrative example.
Many commenters specifically did not support the general
designation in the ``To Whom'' section. Some commenters claimed that
the proposal presumes each person entering a treatment process has the
ability to understand the longer-term consequences, or that substance
use disorder patients, who are under tremendous stress, would simply
choose the general designation because it was easiest. A commenter said
the general designation does not guarantee that a HIE or other
organizations will send all patient data, which could be a critical
source of information in the case of an emergency.
SAMHSA Response
A patient may consent to designate, for example, an HIE (an entity
that does not have a treating provider relationship with the patient
whose information is being disclosed) and ``all my treating providers''
(a general designation of an individual or entity participant(s) or a
class of individual or entity participants that must be limited to a
participant(s) who has a treating provider relationship with the
patient whose information is being disclosed). Using the same concept,
an ACO, pursuant to a general designation, may disclose information
described in the ``Amount and Kind'' section of a consent form
(explained further in 3. Amount and Kind) to ``all my entity treating
providers.'' If a general designation is used, the entity must have a
mechanism in place to determine whether a treating provider
relationship exists with the patient whose information is being
disclosed (e.g., an attestation). In the HIE and ACO examples above,
the entity that does not have a treating provider relationship with the
patient whose information is being disclosed and serves as the
intermediary may not further disclose the patient identifying
information except to those providers who have a treating provider
relationship with the patient whose information is being disclosed that
can be verified by the intermediary. The prohibition on re-disclosure
notice must be provided with the disclosure because it also applies to
the treating provider(s) who receive the information from the entity
that serves as an intermediary. In addition, a copy of the part 2-
compliant consent form or the pertinent information on the consent form
necessary for the treating provider(s) to comply with the signed
consent should be provided with the disclosure.
The patient retains the ability to name only specific individuals
or entities to whom their records will be disclosed. Patients have the
option to use a general designation to designate entities with which
they have a treating provider relationship, but are not required to do
so. Although SAMHSA received comments suggesting that the proposed rule
makes it more difficult to disclose necessary information to an
organization that does not have a treating provider relationship with
the patient whose information is being disclosed other than a 3rd party
payer, the commenters did not provide examples of such entities. The
final rule permits the ``To Whom'' section of the consent form to
designate disclosure of information to an entity that does not have a
treating provider relationship with the patient whose information is
being disclosed, as long as the consent also includes one of three
options specified in Sec. 2.31(a)(4)(iii)(B), for example, include the
name(s) of an individual participant(s).
If the patient designates all my current treating providers, and
another of the patient's treating providers becomes a participant in
the entity that does not have a treating provider relationship with the
patient and serves as the intermediary, a new consent form would not be
required. For example, if a patient designates an HIE (an entity that
does not have a treating provider relationship with the patient whose
information is being disclosed and serves as an intermediary) and ``my
current treating providers,'' and subsequently another of the patient's
treating providers becomes a participant in the HIE, a new consent form
would not be required. In addition, more than one HIE or other
intermediary may be listed on the consent form. With respect to burden,
SAMHSA acknowledges that there may be burdens associated with the
revised consent requirements. SAMHSA made these changes based on
comments from stakeholders in the field and SAMHSA strongly believes
that the changes to ``To Whom'' will increase flexibility for patients
and providers.
b. Determination of Treating Provider Relationship
Public Comments
A commenter agreed with SAMHSA's suggestion that entities must have
an established mechanism for determining whether a treating provider
relationship exists. However, several commenters stated that
determining who has a treating provider relationship would be
difficult. Commenters expressed concern that entities do not currently
have mechanisms in place to determine whether a treating provider
relationship exists with the patient whose information is being
disclosed. Another commenter asked how an HIE would be able to
determine which participants have a past/present/future treating
provider relationship with the patient. A commenter stated that
creating this mechanism would require additional resources and would
discourage entities from sharing necessary data. Another commenter
recommended a provision that exempts the provider from liability when
relying in good faith on an attestation or representation from an
outside treating provider.
Several commenters expressed concern that once a consent reflecting
a general designation of recipients with a treating provider
relationship has been executed and relied upon by the part 2 program,
there is no method by which the program can ensure that the recipients
are properly authenticated by the HIE or research institution.
Commenters suggested the proposed
[[Page 6082]]
rule should specify that the HIE, ACOs, CCOs or research institution,
as well as the recipient that has a treating provider relationship with
the patient, be responsible for ensuring that the recipient is actually
a treating provider and that the disclosure is appropriate under part
2.
A commenter requested clarification on whether care managers would
be included as having a ``treating provider relationship.'' Another
commenter requested clarification as to whether care coordinating
entities that have a treating provider relationship may assign
additional designees under the general designation (e.g., treatment
providers with different levels of care or recovery services).
Commenters recommended the language in the ``To Whom'' clause state
``my treating providers'' or ``my service providers.'' A commenter
recommended ``my substance use disorder providers'' or ``my treating
providers except Dr. John Doe.'' Another commenter recommended ``my
treating providers and transferring HIEs''
SAMHSA Response
Although SAMHSA understands the concerns about further clarifying
when an entity is considered a treating provider, it respectfully
declines to provide more specificity in the final rule than was
included in the NPRM. The arrangements between treating providers and
other entities evolve too rapidly to be comprehensively addressed in
regulations. Although, SAMHSA has not revised the proposed text, SAMHSA
may provide additional subregulatory guidance in the future if further
clarification is needed. In addition, only individuals and entities
that meet the definition of having a treating provider relationship
with a patient are considered treating providers. The determination is
fact-specific. Consistent with the NPRM, SAMHSA continues to encourage
innovative solutions to implement this provision. For example, an HIE
could have a policy in place requiring their participant providers to
attest to have a treating provider relationship with a patient, or
provide a patient portal where patients designate their treating
providers.
c. Requests for Clarification
Public Comments
Some commenters requested clarification regarding the patient's
role in consent, including the patient's ability to alter their
consent, how patients can authorize disclosures to non-health entities
other than third-party payers, and what the impact would be if a
patient failed to designate past, present, and future disclosures. One
commenter stated that, if a patient designates an entity without a
treating provider relationship and ``my treating providers'' without
further specifying ``past, present, or future,'' it should be assumed
that the intent is to designate ``current'' treating providers.
SAMHSA Response
Patients may designate on the consent form a specific individual(s)
with whom they either have or do not have a treating provider
relationship and/or a specific entity(-ies) with whom they have a
treating provider relationship. Consents for disclosures to entities
that do not have a treating provider relationship (other than third-
party payers) require at least one of the following: (1) The name(s) of
an individual participant(s); (2) the name(s) of an entity
participant(s) that has a treating provider relationship with the
patient whose information is being disclosed; or (3) a general
designation of an individual or entity participant(s) or a class of
participants that must be limited to a participant(s) who has a
treating provider relationship with the patient whose information is
being disclosed.
If a patient uses a general designation and lists ``my treating
providers'' without further specifying ``past, current, or future,'' it
should be presumed that the intent is to designate ``current'' treating
providers. Finally, a patient can revoke a consent at any time, except
to the extent that the part 2 program or other lawful holder of patient
identifying information that is permitted to make the disclosure has
already acted in reliance on it. Acting in reliance includes the
provision of treatment services in reliance on a valid consent to
disclose information to a third-party payer.
Public Comments
Other commenters requested clarification regarding entity roles,
including whether a CCO can request a single consent for multiple
purposes (e.g., care coordination, treatment, and payment); whether
providers need to maintain the variety of forms to meet the
requirements of Sec. 2.31(a)(4); what limitations (if any) would be
placed on HIE entities or research institutions using substance use
disorder information received via the new consent process, specifically
whether the disclosure would not be limited to treatment purposes; and
whether an HIE-to-HIE disclosure is permissible and, if so, for what
purposes. A few commenters asked whether it would be permissible to
list multiple HIEs on a consent form. Similarly, another commenter
recommended SAMHSA adopt a broad definition of an HIE to allow a
``network of networks,'' such as the statewide health information
network to be considered an HIE. A commenter requested clarification as
to whether 42 CFR part 2 information can flow through other HIEs not
designated on the consent form to transfer the information to the
recipient.
A few commenters requested clarification on how the proposed
changes would impact multi-party consent forms that allow disclosure
``among and between'' all the parties listed on the form. Similarly, a
commenter requested clarification regarding the ``To Whom'' and ``From
Whom'' definitions and how they would apply between two providers to
whom a patient has independently given consent to receive information,
urging that the definitions be general and consistent so that they
allow for bi-directional flow of information.
A commenter said SAMHSA should clarify that the provision of
general consent to disclosure of substance use disorder treatment also
applies to disclosure of information between those responsible for
treatment in the community and those responsible for treatment in
correctional settings.
SAMHSA Response
Under the changes to the consent requirements, an entity that does
not have a treating provider relationship with the patient may further
disclose, with a part 2-compliant consent, to a named individual who
does not have a treating provider relationship with the patient.
Section 2.31(a)(4) of the consent requirements may be completed
with one or more recipients. Section 2.31(a)(5) of the consent
requirements requires that the consent form include the purpose of the
disclosure. Part 2 allows the use of a single consent form authorizing
the disclosure of part 2 patient information to different recipients
for different purposes. However, part 2 also requires a consent form to
specify the amount and kind of information that can be disclosed,
including an explicit description of the substance use disorder
information that may be disclosed, to each of the recipients named in
the consent. The amount of information to be disclosed ``must be
limited to that information which is necessary to carry out the purpose
of the disclosure (see Sec. 2.13(a)). This will vary depending on the
different purposes for which different
[[Page 6083]]
recipients are being allowed to access or receive the information. Thus
the consent form would have to be structured to make it clear what
information may be given to each of the recipients, and for which
purposes.
Disclosure of patient identifying information made with the
patient's written consent must be accompanied by a written notice
regarding the prohibition on re-disclosure (see Sec. 2.32). This
notice informs them that 42 CFR part 2 prohibits the recipients of the
patient identifying information from re-disclosing it to any individual
or organization not specified in the consent form unless otherwise
permitted under the part 2 statute or regulations.
The rule includes an additional patient safeguard, in which
patients who have included a general designation in the ``To Whom''
section of their consent form (see Sec. 2.31) must be provided, upon
request, a list of entities to which their information has been
disclosed pursuant to the general designation.
With respect to multi-party consent, SAMHSA is not finalizing the
``From Whom'' provision (2.31(a)(2)) as proposed for the reasons
discussed in 4. ``From Whom.'' Therefore, consents may authorize
disclosures ``among and between'' the parties designated in the ``To
Whom'' and ``From Whom'' sections of the consent form.
Public Comments
Some commenters requested clarification regarding aspects of the
``To Whom'' provision, such as what would happen if a person does not
want to give a general designation; how the process of designating
past, present, and future treating providers would work in practice;
whether a Performing Provider System (PPS) could be assigned in the
``To Whom'' section of the consent form; and whether a health care
organization would be an appropriate entity to be named for disclosure.
With regard to third-party payers, a commenter asked whether a
general designation for third-party payers could be used for other
purposes, such as care coordination, population health, or other
services that may fall under the definition of health care operations
within the meaning of HIPAA. Some commenters recommended that third-
party payers should not have to be listed in the ``To Whom'' section of
the consent form.
SAMHSA Response
With regard to third-party payers, the regulations require written
consent for disclosure of patient identifying information to third-
party payers. The statute does not provide an exception to this consent
requirement. However, with respect to patients who have both a
substance use disorder and a mental illness, Sec. 2.15 of the
regulations states that, in the case of a patient, other than a minor
or one who has been adjudicated incompetent, that for any period
suffers from a medical condition that prevents knowing or effective
action on their own behalf, the part 2 program director may exercise
the right of the patient to consent to a disclosure under subpart C of
this part for the sole purpose of obtaining payment for services from a
third-party payer. In addition, in the case of minor patients, Sec.
2.14 of the regulations states the regulations do not prohibit a part 2
program from refusing to provide treatment until the minor patient
consents to the disclosure necessary to obtain reimbursement, but
refusal to provide treatment may be prohibited under a state or local
law requiring the program to furnish the service irrespective of
ability to pay.
If an individual does not want to use a general designation, they
have several other options, which are enumerated in Sec. 2.31(a)(4) of
this final rule.
If a patient does not designate ``current, past, and/or future''
treating provider(s), the presumption is that the patient means
``current treating provider(s).'' SAMHSA may, after publication of this
final rule, also provide further clarification on this process of
designating past, present, and future treating providers in
subregulatory guidance.
Whether a PPS or a health care organization may be listed in the
``To Whom'' section of the consent form depends upon whether they have
a treating provider relationship with the patient whose information is
being disclosed. If an entity does have a treating provider
relationship with the patient, the entity name may be listed on the
consent (see Sec. 2.31(a)(4)(ii)). However, if the entity does not
have a treating provider relationship with the patient whose
information is being disclosed, and is not a third-party payer, the
entity name may be listed on the consent form as long as one or more of
the following is also listed: (1) The name(s) of an individual
participant(s); (2) the name(s) of an entity participant(s) that has a
treating provider relationship with the patient whose information is
being disclosed; or (3) a general designation of an individual or
entity participant(s) or a class of participants that must be limited
to those participants who have a treating provider relationship with
the patient whose information is being disclosed.
SAMHSA plans to address issues concerning third-party payer use and
disclosure of part 2 information in greater detail in an SNPRM.
d. Commenter Recommendations
Public Comments
Commenters recommended more flexibility in the ``To Whom'' section.
Commenters recommended that SAMHSA expand the general designation to
include all of the various participants in the modern health care
system and their respective activities: Providers, care managers,
health plans and ACOs, MCO services, CCOs, and similar integrated
health care networks. One commenter said the general designation should
include those who do not have a treating provider relationship with the
patient but who/which require access to the patient's information
solely in relation to fulfilling a specific function for the benefit of
the individual or entity that has the treating provider relationship
with specific patients. Another commenter requested that SAMHSA allow
patients to generally consent to disclose information to any company
assisting in processing their insurance claims. Another commenter
suggested that patients be able to name as many treating providers as
they wish under the general designation. One commenter said patients
should be permitted to provide a generalized consent for all of their
previous providers to disclose information. One commenter said generic
consent (i.e., disclosure through an HIE) is all that should be
required because SAMHSA has previously provided guidance that HIEs may
have access to part 2 information under a QSO agreement without patient
consent. A commenter said the rule should allow for the general
designation of certain types of non-treating providers, rather than
require a listing of the name of each entity.
In contrast, other commenters suggested increased limitations on
the ``To Whom'' designation. A commenter proposed excluding health
information networks and health information organizations (HIOs) from
being specifically identified on patient consent form because they are
not true recipients of patient health information and simply facilitate
electronic exchange of information. One commenter recommended that
SAMHSA preserve the patient's right of consent to disclosures only to
specifically identified practitioners
[[Page 6084]]
involved in their mental health treatment.
Regarding third-party payers, several commenters recommended
allowing third-party payers to act as intermediaries for purposes of
sharing substance use disorder information, allowing them to share
information with all of the patient's treating providers. Another
commenter requested general designation for third-party payers. To
accommodate the operational realities of Medicaid, a commenter stressed
that the rule should explicitly provide that consent to disclose
covered data to Medicaid constitutes consent to release such data to
Medicaid or to the payer's contracted entity (e.g. the MCO) to apply to
both entities as a third-party payer. Similarly, another commenter
recommended that the rule consider a designation to the name of the
state agency, the MCO, or simply Medicaid as consent that applies to
the state and its contracted delivery system, reasoning that not all
Medicaid beneficiaries understand their health care system.
SAMHSA Response
SAMHSA acknowledges the commenters' concerns related to the
recommendations above. SAMHSA has concluded that the proposed changes
to the consent requirements would facilitate care coordination and
information exchange. Improving the quality of substance use disorder
care depends on effective collaboration of mental health, substance use
disorder, general health care, and other service providers in
coordinating patient care. However, the composition of a health care
team varies widely among entities. Because SAMHSA wants to ensure that
patient identifying information is only disclosed to those individuals
and entities on the health care team with a need to know this sensitive
information, we are limiting a general designation to those individuals
or entities with a treating provider relationship. Patients may further
designate their treating providers as ``past,'' ``current,'' and/or
``future'' treating providers. In addition, a patient may designate, by
name, one or more individuals on their health care team with whom they
do not have a treating provider relationship. SAMHSA clarifies that a
QSO can be used to share part 2 information with the HIE when the HIE
is a service provider to the part 2 program, but the QSO cannot be used
to share information with the members of an HIE without patient
consent.
As for third-party payers and others, SAMHSA must balance the need
for and benefits of care coordination with the need for consent and the
requirements of the part 2 governing statute. SAMHSA declines to adopt
commenter recommendations to allow third-party payers to serve as
intermediaries that could share information with all the patient's
treating providers because we conclude that the ``To Whom'' consent
requirements are sufficiently broad to cover the necessary components
of a patient's care team. For purposes of payment-related activities,
to the extent that federal or state law authorizes or requires that the
Medicaid or Medicare agency or program share data or enter into a
contractual arrangement or other formal agreements to do so, consent to
disclose patient identifying information to the agencies or programs
(as a third-party payer) under section 2.31(a)(4)(iii)(A) is considered
to extend to the contractors and subcontractors of the agencies or
programs.
Commenters have provided SAMHSA with informative feedback on how
lawful holders, including third-party payers and others within the
healthcare industry, use health data or hire others to use health data
on their behalf to provide operational services such as independent
auditing, legal services, claims processing, plan pricing and other
functions that are key to the day-to-day operation of entities subject
to this rule. Those comments indicate that there may be varying
interpretations of the part 2 rule's restrictions on lawful holders and
their contractors' and subcontractors' use and disclosure of part 2-
covered data for purposes of carrying out payment, health care
operations, and other health care related activities. In consideration
of this feedback and given the critical role third-party payers, other
lawful holders, and their contractors and subcontractors play in the
provision of health care services, SAMHSA is issuing an SNPRM to seek
further comments and information on this matter before establishing any
appropriate restrictions.
Public Comments
Instead of listing organizations in the ``To Whom'' section, a
commenter recommended that a consent form should specify the reasons
for disclosure (e.g. care coordination, management of benefits).
SAMHSA Response
In addition to the ``To Whom'' section, the consent form is
required to include how much and want kind of information is to be
disclosed, including an explicit description of the substance use
disorder information that may be disclosed. In addition, the consent
form must include the purpose of the disclosure. All the required
elements must be included on the consent form. SAMHSA declines to make
the suggested change to allow the ``Purpose'' of the consent to dictate
the recipients of the patient identifying information. The intent of
SAMHSA's approach to the ``To Whom'' section of the consent form is to
provide the patient options for the degree to which they will be able
to identify, at the point of consent, who they are authorizing to
receive their information.
Public Comments
A commenter stated that SAMHSA should explicitly recognize and
include health plan care services, such as managed care, care
coordination, case management and other integrated care activities as
part of the required elements for written consent for entities that do
not have a treating provider relationship with the patient under
proposed Sec. 2.31(a)(4)(iv).
A commenter stated any privacy concerns could be fixed by requiring
(1) a general designation of a class of participants with a treating
provider relationship; and (2) that the disclosing organization provide
patients, upon request, a list entities to which their information has
been disclosed.
A commenter proposed that Sec. 2.31(a)(4) be revised to allow a
general designation to be used whenever there is a ``treating provider
relationship'' or a ``care management relationship.'' The commenter
stated the ``care management relationship'' should be defined to
include the concepts of assistance in obtaining appropriate care, care
coordination, and assistance in the implementation of a plan of medical
care.
A couple of commenters suggested SAMHSA revise proposed Sec.
2.31(a)(4)(iv)(C) to read: ``. . . to a participant(s) who has a
treating provider relationship with the patient at the time the
disclosure is made.'' (Note, the relevant text is now found at Sec.
2.31(a)(4)(iii)(B)(3) due to renumbering of the final regulation.) The
commenters stated this would make it clear that participants who
develop a treatment relationship with the patient after the date the
consent can gain access.
Commenters recommended that the general authorization mirror the
authorization under HIPAA to ease the transition and reduce compliance
issues.
A commenter recommended SAMHSA work with other federal entities
that are exploring parity enforcement to ensure that the proposed rule
changes would not create barriers for states working on enforcement of
the parity law.
[[Page 6085]]
If a patient notes their information may be shared with current and
future health care providers, one commenter said the specific name of
the ACO or other provider should not be required.
SAMHSA Response
SAMHSA declines to explicitly recognize and include health plan
care services, such as managed care, care coordination, case management
and other integrated care activities as part of the required elements
for written consent for entities that do not have a treating provider
relationship with the patient under proposed Sec. 2.31(a)(4)(iv), or
broaden the ``treating provider relationship'' to also include a ``care
management relationship.'' The definition of ``Treating provider
relationship'' is sufficiently broad to cover the necessary components
of a patient's care team.
A commenter stated any privacy concerns could be fixed by requiring
(1) a general designation of a class of participants with a treating
provider relationship; and (2) that the disclosing organization provide
patients, upon request, a list of entities to which their information
has been disclosed. Another commenter wanted to delete the requirement
of naming the entity without a treating provider relationship with the
patient whose information is being disclosed. SAMHSA is retaining the
consent requirements discussed in this section of the preamble because
we believe it balances increased flexibility with necessary privacy
protections.
SAMHSA declines to mirror the authorization under HIPAA to ease the
transition and reduce compliance issues, as a commenter suggested,
because, due to its targeted population, part 2 provides more stringent
federal protections than most other health privacy laws, including
HIPAA.
SAMHSA may, after publication of this final rule, provide further
subregulatory guidance on specific concerns, such as states working on
enforcement of the parity law.
Public Comments
Several commenters recommended splitting proposed Sec.
2.31(a)(4)(iv) into two sections. The first would contain special
provisions governing disclosures made through HIEs and would retain the
references to ``individual participants'' and ``entity participants.''
The second would cover all entities that do not fall into any of the
other categories in proposed paragraph (a)(4)(iv); in these cases, the
specific entity to which disclosure is made would have to be specified.
SAMHSA Response
SAMHSA proposed Sec. 2.31(a)(4)(iv) to apply to an entity (1) that
does not have a treating provider relationship with the patient whose
information is being disclosed, and (2) is not a third-party payer.
Therefore, SAMHSA declines to make the recommended changes. We note,
however, that due to re-numbering the proposed Sec. 2.31(a)(4)(iv)
provision is found in the final regulation at Sec. 2.31(a)(4)(iii)(B).
Public Comments
A commenter recommended that the use of multi-party consents be
permissible even when the ``To Whom'' section contains a general
designation, and that the party(ies) named in the ``To Whom'' section
be permitted to re-disclose patient information if the patient has
consented to such re-disclosures in order to allow patients' treating
providers to communicate with each other (pursuant to patient consent)
within networks like HIE and integrated care organizations. Another
commenter stated that the general designation is a step in the right
direction but the proposed rule would add a burdensome accounting,
which is not required for disclosures pursuant to a valid authorization
under HIPAA.
SAMHSA Response
On the issue of multi-party consent, a multi-party consent can be
achieved by allowing for bi-directional communication using the general
designation in both the ``To Whom'' and ``From Whom'' sections of the
consent. It can also be created by naming multiple individuals with or
without a treating provider relationship with the patient whose
information is being disclosed or entities with a treating provider
relationship with the patient whose information is being disclosed in
the ``To Whom'' and ``From Whom'' sections of the consent. The key is
to make sure the consent form authorizes each party to disclose to the
other ones the information specified and for the purpose specified, in
the consent. The ``To Whom'' and ``From Whom'' sections of the consent
provisions of the final rule will permit multi-party consents.
With respect to the comment regarding the additional burden of the
List of Disclosures associated with the use of a general designation on
the consent form, SAMHSA addressed this issue in Section F.3, in the
preamble discussion of Confidentiality Restrictions and Safeguards
(Sec. 2.3). That discussion emphasizes the fact that there is no
timeframe in which part 2 programs and lawful holders need to comply
with the List of Disclosures systems requirements; the final rule only
requires that if they choose to disclose information pursuant to a
general designation on the ``To Whom'' part of the consent form, they
must also be capable of providing a List of Disclosures upon request
per Sec. 2.13(d).
e. Proposed Alternative Approach for ``To Whom'' Section
SAMHSA is not finalizing the alternative approach to the ``To
Whom'' consent provision. In the NPRM, SAMHSA proposed an alternative
approach for the ``To Whom'' aspect of a consent form that attempted to
reflect the same policy goal as the proposed regulation text while
attempting to simplify the language that would appear on the consent
form. This alternative approach would not change the existing language
in the ``To Whom'' section of the consent form. Under this alternative
approach, SAMHSA proposed to add a definition of ``organization'' to
Sec. 2.11. Organization would mean, for purposes of Sec. 2.31, (a) an
organization that is a treating provider of the patient whose
information is being disclosed; or (b) an organization that is a third-
party payer that requires patient identifying information for the
purpose of reimbursement for services rendered to the patient by a part
2 program; or (c) an organization that is not a treating provider of
the patient whose information is being disclosed but that serves as an
intermediary in implementing the patient's consent by providing patient
identifying information to its members or participants that have a
treating provider relationship, as defined in Sec. 2.11, or as
otherwise specified by the patient.
Public Comments
No commenters expressed support for the proposed rule's alternative
approach to required elements as stated. One commenter said the
alternative approach would impose fewer burdens on patients and part 2
entities but did not agree with the restriction on dissemination to
only treating entities. Another commenter supported the proposed
alternative if it results in only the name of the HIE and not its
participants being listed on the consent form.
Several commenters expressed general opposition to the proposed
alternative approach. One commenter stated that redefining
``organization'' to make it more expansive would lead to erosion of
trust and would have a chilling effect on the communications
[[Page 6086]]
necessary for effective treatment. Another commenter stated that a more
expansive definition of ``organization'' may defeat a patient's intent
because a patient would have less notice that their information could
be disclosed to an entity not specifically named on the consent form.
SAMHSA Response
Based on the comments, SAMHSA has not adopted the alternate
approach. Although a few commenters supported the adoption of the broad
definition of ``organization,'' none provided sufficient information to
determine how that definition could be implemented to protect the
patient's information from disclosure to parties without a need to
know. It is also unclear how the List of Disclosures requirement would
be applied under a broader definition of ``organization.'' SAMHSA,
therefore, has not adopted a definition of ``organization.'' SAMHSA
disagrees with the recommendation that disclosure to a wider range of
entities should be allowed without the patient's specific consent.
3. Amount and Kind
SAMHSA is adopting this aspect of the proposal. SAMHSA has moved
the former Sec. 2.31(a)(5), ``Amount and Kind'' provision, to Sec.
2.31(a)(3) and revised the provision to require the consent form to
explicitly describe the substance use disorder-related information to
be disclosed. The designation of the ``Amount and Kind'' of information
to be disclosed must have sufficient specificity to allow the
disclosing program or other entity to comply with the request.
a. General
Public Comments
Many commenters provided feedback on the proposed rule's ``Amount
and Kind'' requirements on a patient's consent form. A few commenters
generally supported the provision. However, several commenters
generally disagreed with the proposed provision because it would either
decrease or fail to improve the sharing of patient information; would
hamper integrated care; would result in consent forms routinely
becoming outdated; patients should not decide what information is
disclosed; and the current (1987) rule language is adequate for
protection of patient privacy.
Some commenters said the rule should continue to allow a general
description of the type of information being disclosed. Other
commenters asked SAMHSA to clarify why the revision of the regulatory
language was necessary and why specific information is preferable to
simply stating that the consent form covers all the records maintained
by the part 2 program.
SAMHSA Response
The designation of the ``Amount and Kind'' of information to be
disclosed must explicitly describe the substance use disorder-related
information to be disclosed and have sufficient specificity to allow
the disclosing program or other entity to comply with the request.
However, the entity creating the consent form may provide options by
including free text space, or choices based on a generally accepted
architecture (e.g. the Consolidated-Clinical Document Architecture (C-
CDA)), or document (e.g. the Summary of Care Record as defined by CMS
for the EHR Incentive Programs). It is permissible to include ``all my
substance use disorder information'' as long as more granular options
are also included.
Nothing in the rule would prevent the development and use of broad
categories of the substance use disorder-related information on the
Amount and Kind section of the consent form. The types of information
that might be requested include diagnostic information, medications and
dosages, lab tests, allergies, substance use history summaries, trauma
history summary, elements of a medical record such as clinical notes
and discharge summary, employment information, living situation and
social supports, and claims/encounter data. If options are provided, it
is also permissible to provide check boxes next to each option.
b. Impact of the Amount and Kind Requirement on Providers and Patients
Public Comments
Commenters expressed concern that the proposed ``Amount and Kind''
provision would be unduly burdensome for providers, thus obstructing
communications. Several commenters stated that the proposed rule would
require both patients and providers to have an in-depth understanding
of the precise terms used for substance use disorder information. Some
commenters thought this would put undue burden on patients. Other
commenters argued that the ``Amount and Kind'' requirement would place
an additional burden on patients to anticipate future care and/or
continually update their consent forms. Similarly, commenters stated
that patients do not know what information is necessary to support
their treatment, which could lead to important information being
omitted. Commenters argued that the ``Amount and Kind'' provision would
require requesting health providers to know the format, titling, and
nomenclature used for substance use disorder information in the part 2
program.
A commenter argued that many patients would want all of their
substance use disorder information disclosed if it would improve the
quality and coordination of their care. Many commenters recommended
that patients should be able to sign a consent to sharing their entire
record (i.e., a global consent), with some arguing that the form should
include a statement that covers ``all my records,'' ``all my substance
abuse records,'' ``entire record'' and/or ``full record.'' Other
commenters said patients should be able to choose via a check box
``substance abuse treatment information'' or authorize the entire
medical record and list what cannot be disclosed. Several commenters
stated that an exhaustive list of check boxes on the consent form would
be confusing for many patients.
Some commenters said patients should be able to designate an option
for overall record release with an option for further specification of
dates and materials to be released from the substance use disorder
record. However, another commenter said selections should be ``all or
nothing'' to enable providers to exchange information with HIE, ACO,
CCO or a similar entity according to the patient's consent directive
with other providers.
SAMHSA Response
The patient will be aware that they have substance use disorder
information and can make a determination whether they want that
information disclosed. The 1987 final rule part 2 regulations require
the patient to list ``how much and what kind of information is to be
disclosed'' (Sec. 2.31(a)(5)). SAMHSA has revised the provision to
require that the consent form explicitly describe the substance use
disorder information to be disclosed to ensure patients understand they
are disclosing the specified substance use disorder information. The
amount of specificity patients wish to include in the ``Amount and
Kind'' section of the consent form is left to them, as long as it has
sufficient specificity to allow the disclosing program or other entity
to comply with the request. As such, this section does not prohibit a
patient from listing ``all my substance use disorder information'' or
``none of my substance use disorder information.'' However, the Amount
and Kind section of a consent form must accommodate more specific
options. As stated previously, nothing in the rule
[[Page 6087]]
would prohibit the inclusion on a consent form of broad categories of
the substance use disorder-related information that would generally
appear in patient records to assist patients in identifying the
information they wish to disclose. In developing broad categories of
information to be included on the consent form, part 2 programs and
other lawful holders of patient identifying information would need to
take into consideration reading level standards and the concepts of
plain language. The rule does not require further consent when new
information is added to the substance use disorder record if the new
information is covered by the ``Amount and Kind'' section on the
consent form. If the ``Amount and Kind'' section does include
specificity that the patient doesn't understand, the party obtaining
the consent should explain it to the patient. SAMHSA may, after
publication of this final rule, issue in subregulatory guidance
information for educating staff and patients. We are reliant on the
provider to be clear to patient, which has always been the case.
c. Required Substance Use Disorder Information on Consent Forms
Public Comments
Some commenters said the level of detail required in the ``Amount
and Kind'' section of the consent form was unrealistic, unnecessary,
and confusing. A commenter argued that the level of detail required by
the rule was at odds with the general designations necessary for
information exchange. A commenter stated that EHR infrastructure may
not be able to categorize and segregate information as described in
proposed Sec. 2.31(a)(3).
Some commenters urged SAMHSA to simplify or otherwise revise this
section of the consent form. A commenter recommended that the list
could be simplified by including standardized fields on the consent
form that align with information commonly found on a Continuity of Care
Document (CCD). Commenters recommended narrowing the list to several
broad categories (e.g. employment information, living situation, social
supports). A commenter stated that if more specific categories were
needed, the patient could write in their own terms. Some commenters
said the elements and extent of the consent should be the same under
part 2 as it is in HIPAA. Other commenters said SAMHSA should use the
required elements of a Summary of Care Record as defined by CMS for the
EHR Incentive Program as a basis for the ``kind'' and ``type'' of
information able to be disclosed. Another commenter said SAMHSA should
defer to the expertise of health plans to determine what is necessary
for a treating provider to know about substance use disorder.
SAMHSA Response
The types of information that might be requested include diagnostic
information, medications and dosages, lab tests, allergies, substance
use history summaries, trauma history summary, employment information,
living situation and social supports, and claims/encounter data.
However, the entity creating the consent form may provide options to
include free text space, or choices based on a generally accepted
architecture or document such as the C-CDA, or Summary of Care Record,
as defined by CMS for the EHR Incentive Program. It is permissible to
include ``all my substance use disorder information'' as long as more
granular options are also included. If options are provided, it is also
permissible to provide check boxes next to each option. The designation
of the ``Amount and Kind'' of information to be disclosed must have
sufficient specificity to allow the disclosing program or other entity
to comply with the request.
d. Requests for Clarification
Public Comments
A couple of commenters asked SAMHSA to clarify whether the ``Amount
and Kind'' section is to inform the patient or the providers. A
commenter requested clarification on whether multiple patient consents
would be necessary when the contents of a record changes over time.
Some commenters requested that SAMHSA provide more specific examples of
adequate descriptions of the type of information being disclosed.
Another commenter recommended SAMHSA create a sample consent form.
SAMHSA Response
The ``amount and kind'' section informs both the patient and the
providers. It allows patients the opportunity to specify whether all of
their substance use disorder treatment information or only some may be
disclosed and sets the limits on what a part 2 program or other lawful
holders may disclose. The amount and kind section will generally cover
classes of information so that changes to the record should not trigger
the need for re-consents for the same classes of information. SAMHSA
may provide examples or a sample consent form in subregulatory guidance
following the publication of the final rule.
4. From Whom
SAMHSA is not finalizing the substantive changes that were proposed
for the ``From Whom'' provision in Sec. 2.31(a)(2). In the NPRM,
SAMHSA proposed to move the 1987 Sec. 2.31(a)(1) ``From Whom''
language of the consent requirements provision to Sec. 2.31(a)(2). In
addition, because SAMHSA was also proposing, in certain instances, to
permit a general designation in the ``To Whom'' section of the consent
form, SAMHSA proposed to require the ``From Whom'' section of the
consent form to specifically name the part 2 program(s) or other lawful
holder(s) of the patient identifying information permitted to make the
disclosure.
Public Comments
SAMHSA received comments on the ``From Whom'' section of the
consent form from a group of commenters representing a broad spectrum
of stakeholder organizations. The overwhelming majority of these
commenters were opposed to the proposed change and many suggested
withdrawing the proposal in Sec. 2.31(a)(2) and retaining the 1987
``From Whom'' language (Sec. 2.31(a)(1)).
Commenters expressed concern that the proposed Sec. 2.31(a)(2)
could decrease the sharing of health information; would add complexity
with little or no benefit to patient privacy; would unnecessarily limit
the use of a consent; and may accidentally cause the patient to omit a
provider whom they want or need to see their data; would negatively
impact certain HIE models. A significant majority of the comments
regarding the ``From Whom'' section of the consent form voiced strong
opposition to the proposal. A few commenters said the proposed change
would unnecessarily limit the positive step SAMHSA took in permitting,
in certain circumstance, a general designation in the ``To Whom''
section of the consent form. One commenter suggested revising the
requirements on the basis that the proposed changes do not modernize
the regulation.
SAMHSA Response
SAMHSA was persuaded by the overwhelming opposition to the proposed
``From Whom'' language and, with the exception of minor technical
revisions, will retain in this final rule the language in the current
(1987) regulation. SAMHSA made this decision for several reasons.
First, the existing ``From Whom'' requirements have been in effect for
nearly 30 years and were based on the Department's prior determination
that, even with a general
[[Page 6088]]
designation option, the provision did not jeopardize patient privacy.
The fact that SAMHSA is not aware of any reports of the current (1987)
``From Whom'' requirement resulting in unintended consequences further
supports this position.
Second, in the NPRM, SAMHSA supported the elimination of the
general designation option in the ``From Whom'' section of the consent
form based on concerns that ``[t]he patient may be unaware of possible
permutations of combining the two broad designations (i.e., in the ``To
Whom'' and ``From Whom'' sections) to which they are consenting,
especially if these designations include future unnamed treating
providers.'' Based on the comments received, we believe this concern
may have been overstated. Commenters generally did not agree that the
``unintended consequences'' the NPRM postulated were likely to occur.
Commenters also asserted that SAMHSA's proposal shifted the burden from
the receiver to the sender of health information and would be
burdensome both to providers and patients. In addition, the proposed
change could undermine new models to streamline consent.
While the option of using a general designation in either the ``To
Whom'' or the ``From Whom'' sections (or both) provides the patient
greater flexibility, and may result in two broad designations, it is
still ultimately the patient's decision whether to use these options or
to specifically name both the disclosing and receiving parties on the
consent form. We agree with the remarks of one commenter that the
proposed change to the ``From Whom'' section potentially undermines,
rather than supports, patient choice, which was not SAMHSA's intent.
Another commenter suggested that SAMHSA's proposed revisions may
restrict multi-party consents and disclosures, such as consents that
authorize disclosures ``between and among'' the parties. These types of
consents are an important option for part 2 programs and patients,
which SAMHSA believes would be eliminated if it were to finalize the
proposal articulated in the NPRM. Another characterized the proposed
change as adding greater complexity to the consent process for patients
with little or no benefit to patient privacy.
Third, leaving the 1987 ``From Whom'' section essentially unchanged
may reduce the burden on providers and IT vendors to accommodate this
final regulation. HIE consortiums/associations and state governments
were particularly concerned about the impact of the proposed revisions
on consent-to-access HIE models (sometimes referred to as a community-
wide consent-to-access model). As several commenters said, the only way
for the participant to comply with the NPRM ``From Whom'' requirement
would be for the participant to list the name of every part 2 program
in the relevant state in the ``From Whom'' section of the consent form
in order to inform the patient that there is a possibility that one of
these programs might be the source of the information being accessed.
Not only would this require the listing of hundreds of providers on the
face of a consent form--effectively transforming the document into a
provider directory--but it would also require the listing of part 2
programs that are not participating in the HIE, which would be
misleading and likely draw objections from these programs.
Moreover, the identities of part 2 programs that may be sources of
information are constantly changing as new programs are licensed or
join the HIE. This would mean that every time a participant sought to
access a patient's information in an HIE, it would have to provide the
patient with a consent form listing all of these new providers, and the
participant would constantly need to print new forms with updated lists
of part 2 programs in the state. This would even apply in the vast
majority of cases where no part 2 information would be exchanged, since
a participant in a consent-to-access model often does not know whether
the sought-after information contains part 2 information and,
therefore, needs to assume that it does. Requiring participants to
print lengthy consent forms with an updated list of part 2 programs
every time a new part 2 program is licensed in the relevant state (and
developing a system to inform every participant about such updates) is
simply not feasible. The community consent-to-access model was
implemented specifically in order to meet the spirit and letter of the
1987 part 2 regulations. In addition, federal and state governments
have invested hundreds of millions of dollars to build statewide health
information networks in reliance on the 1987 part 2 regulations, which
allow consent forms to have a general designation of ``From Whom'' the
records are being disclosed. Theoretically, it is possible for part 2
programs to switch to a consent-to-disclose model while all other
participants continue to operate under a consent-to-access model.
Fourth, the flexibility provided in the ``To Whom'' and ``From
Whom'' sections of the consent form are balanced by the specificity in
the ``Amount and Kind'' and ``Purpose'' sections of the consent form.
SAMHSA has revised the ``Amount and Kind'' element on the consent form
to require the consent form to explicitly describe the substance use
disorder-related information to be disclosed so that patients will be
aware of the substance use disorder information they are authorizing to
disclose when they sign the consent form. In addition, under the
current (1987) regulation, consent forms are required to include the
purpose of the disclosure. Any disclosure made under these regulations
must be limited to that information which is necessary to carry out the
purpose of the disclosure.
5. New Requirements
SAMHSA is modifying this aspect of the proposal. SAMHSA proposed to
add two new requirements related to the patient's signing of the
consent form. First, SAMHSA proposed a provision that would have
required the part 2 program or other lawful holder of patient
identifying information to include a statement on the consent form that
the patient understands the terms of their consent. For the reasons
explained below, SAMHSA is not incorporating this requirement into
Sec. 2.31 in this final rule. Second, SAMHSA revised Sec. 2.31 to
require the part 2 program or other lawful holder of patient
identifying information to include a statement on the consent form that
the patient understands their right, pursuant to Sec. 2.13(d), to
request and be provided a list of entities to which their information
has been disclosed when the patient includes a general designation on
the consent form. SAMHSA is including this requirement in the final
rule (see Sec. 2.31(a)(4)(iii)(B)(3)(i)).
Public Comments
A few commenters supported the additional statement clarifying that
the patient understands the terms of consent and their rights. One
commenter suggested expanding the statement to include language about
the potential consequences of utilizing a general designation in the
``To Whom'' and ``From Whom'' fields, which would address concerns
about the use of two general designations, while preserving the
flexibility allowed in the ``From Whom'' section of the current (1987)
regulation.
However, other commenters opposed updating the consent requirements
because doing so would require providers to update consent forms or
would require a separate substance use disorder consent form. Several
commenters questioned the purpose of
[[Page 6089]]
the additional signed statement. A commenter criticized the proposed
language and argued that it was an attempt to avoid liability.
Several commenters argued that patients would not have the capacity
to understand what they are signing. Furthermore, another commenter
stated that a signed statement saying that the patient has read the
terms of the consent does not mean the patient actually read and
understood the consent. A commenter recommended a provision to allow
the treating physician to sign a consent for substance use disorder
records for patients who may lack the cognitive ability to sign a
waiver.
SAMHSA Response
SAMHSA agrees with the commenters that the requirement that the
part 2 program or other lawful holder of patient identifying
information must include a statement on the consent form that the
patient understands the terms of their consent is unnecessary. As
commenters stated, a signature on a confirmation statement does not
assure that the patient has, in fact, read or understood it. It is also
the case, as commenters stated, that some patients may not have the
capacity, at the time they are admitted, to provide an informed
consent. Therefore, SAMHSA has eliminated this requirement.
K. Prohibition on Re-Disclosure (Sec. 2.32)
SAMHSA is adopting this section as proposed except for a clarifying
revision to Sec. 2.32(a). As discussed in the NPRM preamble, the
prohibition on re-disclosure provision only applies to information that
would identify, directly or indirectly, an individual as having been
diagnosed, treated, or referred for treatment for a substance use
disorder and allows other health-related information shared by the part
2 program to be re-disclosed, if permissible under the applicable law.
SAMHSA also clarified in the NPRM preamble that, if data provenance
(the historical record of the data and its origins) reveals information
that would identify, directly or indirectly, an individual as having or
having had a substance use disorder, the information is prohibited from
being re-disclosed. In addition, SAMHSA revised Sec. 2.32 to clarify
that the federal rules restrict any use of the information to
criminally investigate or prosecute any patient with a substance use
disorder, except as provided in Sec. Sec. 2.12(c)(5) and 2.65.
1. General
Public Comments
Several commenters generally supported the prohibition on re-
disclosure, with some stating that the prohibition ensured the
confidentiality of the patient's information and would facilitate
broader sharing of information among providers and programs in support
of integrated care, thus increasing quality of care. A commenter
supported the delineation between substance use disorder data and other
health-related data, particularly the flexibility to share portions of
a patient's record that do not fall under part 2 requirements. Another
commenter supported application of the prohibition on re-disclosure to
individuals or entities that receive confidential identifying
information from lawful holders.
However, many commenters generally disagreed with the prohibition
on re-disclosure. Commenters argued that the prohibition created
unnecessary barriers and challenges for health care providers and would
jeopardize patient treatment and care coordination (e.g., due to over-
restriction of medical records). One commenter argued that the
prohibition would prevent the inclusion of substance use disorder
treatment information within HIE, ACOs, CCOs, and research
institutions. Another commenter stated the prohibition would prevent
substance use disorder treatment clinics from being incorporated into
integrated care networks. A commenter said the prohibition on re-
disclosure would prohibit providers or payers from correcting or
supplementing knowledge of another provider based on fear of violating
the law. Lastly, a commenter said the proposed rules prohibition on re-
disclosure was not different from the current (1987) regulation and
therefore no clarification was necessary.
SAMHSA Response
SAMHSA is adopting Sec. 2.32 as proposed except for a minor
clarification in Sec. 2.32(a). As discussed elsewhere in this final
rule, SAMHSA is attempting to balance the facilitation of information
exchange within new health care models that promote integrated care
with the continued need for confidentiality protections that encourage
patients to seek treatment without fear of compromising their privacy.
SAMHSA acknowledges the legitimate concerns of commenters regarding how
care coordination relates to patient safety. However, SAMHSA must
consider the intent of the governing statute (42 U.S.C. 290dd-2), which
is to protect the confidentiality of substance use disorder patient
records. SAMHSA believes that the prohibition on the re-disclosure of
information that would identify, directly or indirectly, an individual
as having been diagnosed, treated, or referred for treatment for a
substance use disorder comports with its statutory mandate. SAMHSA
notes that the revisions to Sec. 2.32 clarify that the prohibition on
re-disclosure only applies to information that would identify an
individual as having been diagnosed, treated, or referred for treatment
for a substance use disorder, but does not apply to health information
unrelated to the substance use disorder, such as treatment for an
unrelated health condition. These revisions should minimize decisions
by part 2 programs to protect an entire patient record.
Public Comments
Several commenters argued that the original statute for the
substance use disorder regulations did not prohibit re-disclosure.
Another commenter argued that HIPAA did not exist when the original
regulations regarding substance use disorder data were promulgated and
that the re-disclosure prohibition was not needed in today's legal
environment. Another commenter stated that the re-disclosure
prohibition is at odds with the goals of The Mental Health Parity and
Addiction Equity Act and the Affordable Care Act.
SAMHSA Response
While the statute may not be explicit with regard to certain
provisions in 42 CFR part 2, the statute directs the Secretary to
prescribe regulations to carry out the purpose of the statute, which
may include definitions and may provide for such safeguards and
procedures that in the judgment of the Secretary are necessary or
proper to effectuate the purposes of this section, to prevent
circumvention or evasion thereof, or to facilitate compliance
therewith.
Because 42 CFR part 2 and its governing statute are separate and
distinct from HIPAA and due to its targeted population, part 2 provides
more stringent federal protections than most other health privacy laws,
including HIPAA. However, SAMHSA aligned policy with HIPAA where
possible.
SAMHSA strives to facilitate information exchange within new health
care models while addressing the legitimate privacy concerns of
patients seeking treatment for a substance use disorder. These concerns
include: The potential for loss of employment, loss of housing, loss of
child custody, discrimination by medical professionals and insurers,
arrest, prosecution, and incarceration.
[[Page 6090]]
2. Impact of Re-Disclosure Prohibition on Patient Privacy and Patient
Choice
Public Comments
Several commenters expressed concerns that the prohibition on re-
disclosure did not improve patient privacy protections. A commenter
stated that the proposed changes allowed more disclosures without
patient notice, undermining the goal of protecting a patient's privacy.
A commenter argued that any information given by a substance use
disorder treatment program, including a refusal to provide information,
could identify an individual as having a substance use disorder
(whether or not the patient actually does) or having received treatment
for a substance use disorder. Another commenter argued against
expanding the scope of part 2 to non-substance use disorder conditions
which may unfairly suggest the presence of a substance use disorder.
Several commenters expressed concern that the prohibition on re-
disclosure interfered with a patient's choice on whether to disclose
their medical record. Commenters argued that the prohibition on re-
disclosure imposed an unnecessary burden on substance use disorder
patients who wish to have the same level of quality coordinated care as
other patients. Several commenters expressed concern that the
prohibition on re-disclosure required patients to anticipate future
care. Several commenters argued that a patient should be allowed to
consent to or otherwise control the re-disclosure of their information.
SAMHSA Response
Patients may permit re-disclosures of their information via written
consent. Part 2-compliant consent forms can authorize an exchange of
information between multiple parties named in the consent form. The key
is to make sure the consent form authorizes each party to disclose to
the other ones the information specified and for the purpose specified,
in the consent. In addition, the revised consent requirements allow
patients, under certain circumstances, to authorize disclosure of their
information via a general designation (e.g., to ``all my current and
future treating providers'') rather than to specifically name each
recipient.
As SAMHSA has stated in this regulation, the ``To Whom'' section of
the consent form can authorize a disclosure of patient identifying
information to an entity that does not have a treating provider
relationship with the patient whose information is being disclosed and
acts as an intermediary for its participants, such as an HIO, and a
general designation of individual and entities with a treating provider
relationship with the patient whose information is being disclosed that
are participants. The required statement prohibiting re-disclosure
should accompany the information disclosed through consent along with a
copy of the part 2-compliant consent form (or the pertinent information
on the consent form necessary for the intermediary to comply with the
signed consent), so that each subsequent recipient of that information
is notified of the prohibition on re-disclosure.
3. Disclosure of Information that May Indicate a Substance Use Disorder
Public Comments
Several commenters argued that determining which conditions and
medications would ``identify a patient as having or having had a
substance abuse order'' would be a burden on providers. Commenters said
most staff within an HIE do not have the qualifications (e.g., clinical
knowledge regarding medical conditions and medications) to distinguish
which information could indicate an individual's substance use disorder
and would thus need to be trained accordingly. Commenters stressed that
the difficulty in determining what patient information would indicate a
patient had a substance use disorder would discourage providers and
health plans from exchanging information, further inhibiting
coordinated care and enforcing differential treatment of individuals
with substance use disorders.
Several commenters expressed concern that the language of the
proposed rule was too broad. A commenter said the provision was
problematic because many medications are frequently related to
substance use disorder or other physical or mental conditions, so there
is a risk of indicating a patient had a substance use disorder whether
or not the patient actually did have a substance use disorder.
Similarly, commenters argued that preventing disclosure of information
that suggests a substance use disorder is too broad and would overly
restrict the information available to health care providers, thus
endangering patient safety. A commenter recommended that SAMHSA
interpret ``identifies a patient as having or having had a substance
use disorder'' to mean only information that actually identifies a
patient as having a substance use disorder, rather than including
information that merely suggests that a person might have an substance
use disorder. A commenter recommended that the provision be interpreted
as written in the rule language, not as expansively considered in the
NPRM preamble.
One commenter argued that a prescription for a certain drug is not
enough to identify a person as having a substance use disorder, let
alone indicate the person is receiving care from a substance use
disorder program. The commenter stated that this ambiguity is
sufficient to be able to say that the information does not ``identify''
the person as having a substance use disorder or, moreover, that they
are being treated in a program.
A commenter stated that, when the data sharing of the records are
redacted to remove all evidence of substance use disorder they become
worthless in terms of ensuring improved client care. Further, this
commenter said that there is no way to ensure such redaction would be
done effectively and that there is a high risk of inadvertent
disclosure, which cannot be made private again.
SAMHSA Response
Comments received by SAMHSA suggest that the discussion in the NPRM
of re-disclosure regarding medications and examples provided were not
clear. Both the proposed rule and this final rule prohibit re-
disclosure of part 2 information that would identify, directly or
indirectly, an individual as having been diagnosed, treated, or
referred for treatment for a substance use disorder, such as indicated
through standard medical codes, descriptive language, or both, unless
further disclosure is expressly permitted by the written consent of the
individual whose information is being disclosed or is otherwise
permitted by the part 2 statute or regulations. Such information could,
in some circumstances, include part 2 information concerning a
patient's prescription for a medication typically used for medication-
assisted treatment or a disease or condition frequently associated with
substance use disorders. While certain medical information in and of
itself may not identify a patient as having a substance use disorder
and approved medications may be used for various purposes, the context
of this preamble and Sec. 2.32 concerns the re-disclosure of
information that is directly related to the patient's undergoing
treatment for substance use disorders. Therefore, it is considerably
more likely that the re-disclosure of such information would result in
identifying the patient as receiving treatment for a substance use
disorder. By contrast, a
[[Page 6091]]
patient who is not receiving such treatment (and, therefore, whose
health information is not covered by this rule) would not face such
risks even if their medication or condition is frequently associated
with substance use disorders. It is also important to note that in some
cases, patients may expressly consent to further re-disclosure and that
such re-disclosure may in some cases be allowed under other provisions
of this rule. SAMHSA understands that this is an important topic and
may provide additional subregulatory guidance on this issue after the
publication of this final rule.
4. Technical Challenges in Preventing Unauthorized Re-Disclosure
Public Comments
Commenters expressed concern that, due to how information is
exchanged electronically, it may be technically difficult for the
medical industry to prevent re-disclosure. Commenters argued that
providers do not have the technical ability to segregate substance use
disorder content and redact that information from being sent to new
providers who use or review the record. More specifically, a commenter
argued that EHR currently have the ability to contribute patient data
to an HIE or a Regional Health Information Organization (RHIO) at the
patient level, not at the services rendered level. A commenter stated
that this capability was five to ten years away. A commenter argued
that if the outputs of the DS4P's pilots were refined and required
under the federal health IT certification program, there would have
been solution for the re-disclosure of substance use disorder
information.
Several commenters expressed concern about the lack of technical
standards. A commenter recommended that SAMHSA adopt clear technical
methods and standards for recipients of disclosures, by which part 2
providers and programs would be able to identify which records are not
part 2 sensitive and can be incorporated directly into recipient's EHR.
Similarly, a commenter stated there needed to be standards for all EHR
Vendors and HIEs to address the re-disclosure prohibition.
Some commenters expressed concern about the burden of upgrading
their record system to comply with the prohibition on re-disclosure.
Commenters stated that the re-disclosure prohibition would require
upgrades and modifications to EHR and HIEs. A commenter stated that
SAMHSA should provide funding to upgrade HIE systems or HIEs would be
likely to refuse to accept substance use disorder data.
Many commenters said the prohibition on re-disclosure and the
technical limitations many providers faced in preventing re-disclosure
would have adverse impacts on sharing of information and patient care.
A commenter stated that, due to the technical limitations, some
providers would continue to prohibit re-disclosure of the patient's
entire medical record. Other commenters argued that the technical
limitations would result in substance use disorder information being
kept out of the electronic health care environment, leaving gaps that
could contribute to poor patient outcomes. A commenter stated that part
2 programs would be unable to participate in integrated care delivery
models because their system was not equipped to segregate substance use
disorder data.
A commenter stated that SAMHSA should encourage the expansion of
meaningful use to allow behavioral health care providers to adopt data
segmentation technology. A commenter stated that, in light of the EHR
requirements under meaningful use, SAMHSA should consider ways to
reduce the burden on entities using EHR with respect to disclosure
statements under Sec. 2.32. Another commenter argued that SAMHSA
should simply issue consent recommendations and incorporate more
complex structures, such as data segmentation, in a broader mandate or
on other requirements in order to allow sufficient time for
implementation.
SAMHSA Response
SAMHSA actively supports the continued development of data
standards to support the integration of substance use disorder
treatment in emerging health care models. The Data Segmentation for
Privacy (DS4P) initiative within ONC's Standards and Interoperability
(S&I) Framework facilitated the development of standards to improve the
interoperability of EHRs containing sensitive information that must be
protected to a greater degree than other health information due to 42
CFR part 2 and similar state laws. The DS4P standard allows a provider
to tag a C-CDA document with privacy metadata that expresses the data
classification and possible re-disclosure restrictions placed on the
data by applicable law. This aids in the electronic exchange of
sensitive health information. In October 2015, ONC adopted the DS4P
standard as part of the 2015 Edition health IT certification criteria.
The DS4P certification criteria require health IT to demonstrate the
ability to send and received summary care records that are document-
level tagged. SAMHSA will continue to work with ONC to further refine
the DS4P standard so that it can be applied to segment data at the data
element level in the manner described in ONC's ``Connecting Health and
Care for the Nation: A Shared Nationwide Interoperability Roadmap--
Version 1.0 Final (Roadmap),'' \2\ and to accelerate the adopting of
the DS4P send and receive standards.
---------------------------------------------------------------------------
\2\ https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version-1.0.pdf.
---------------------------------------------------------------------------
Regarding re-disclosure, the primary advantage of continuing the
prohibition on re-disclosure by recipients of a disclosure with patient
consent is that it assures a greater measure of confidentiality for
patient identifying information. SAMHSA strives to facilitate
information exchange within new health care models while addressing the
legitimate privacy concerns of patients seeking treatment for a
substance use disorder. These concerns include: The potential for loss
of employment, loss of housing, loss of child custody, discrimination
by medical professionals and insurers, arrest, prosecution, and
incarceration.
The prohibition on re-disclosure predates this rulemaking and
providers were already required to comply with the existing provision.
SAMHSA proposed only minor changes to the provision for clarity, which
should not necessitate system upgrades. Therefore, SAMHSA declines to
respond to comments regarding the burdens of system upgrades to comply
with the prohibition on re-disclosure.
Finally, SAMHSA works closely with its federal colleagues to
improve the integration of substance use disorder treatment providers
and their data. Although the part 2 authorizing statute does not give
SAMHSA authority to mandate data segmentation, as noted above, DS4P was
included in the ONC 2015 Edition Health IT Certification Criteria (2015
Edition). SAMHSA has also supported the development of the application
branded Consent2Share, an open-source health IT solution based on DS4P
which assists in consent management and data segmentation and will
continue to work to improve the granularity of how the DS4P standard
operates.
[[Page 6092]]
5. Requests for Clarification of the Re-Disclosure Prohibition
Public Comments
Commenters requested clarification on various aspects of the re-
disclosure prohibition. Some commenters asked for clarification on what
records were subject to the re-disclosure prohibition (e.g., the actual
record, or the part 2-compliant record that is now incorporated into
the physician's notes at the receiving institution). The commenters
requested examples of how data may, or may not, be disclosed after
lawful receipt of part 2 data.
A commenter suggested that SAMHSA confirm that only records that
originated at a part 2 program are subject to the prohibition on re-
disclosure.
SAMHSA Response
Once patient identifying information has been initially disclosed
(with or without patient consent), no re-disclosure is permitted
without the patient's express consent to re-disclose or unless
otherwise permitted by the part 2 statute or regulations. Only
disclosure of patient identifying information made with the patient's
written consent must be accompanied by a written notice regarding the
part 2 prohibition on re-disclosure. Although there is no requirement
to provide such written notice to individuals and entities who receive
information through other means under the part 2 program, all lawful
holders must comply with the part 2 program requirements, including,
but not limited to the limitations on re-disclosure.
Regarding requested confirmation that only records originated at a
part 2 program are subject to the prohibition on re-disclosure, SAMHSA
clarifies that individuals and entities that are not covered by part 2
that possess substance use disorder data that did not originate in a
part 2-covered provider are not subject to the part 2 program
requirements. However, if those individuals and entities received that
information that is subject to part 2 via patient consent (with or
without the notice of prohibition on re-disclosure) or through any
other means under the part 2 program (i.e., through means that made
them a lawful holder), they would be required to comply with part 2.
Public Comments
Several commenters asked for clarification with regard to
disclosing prescription medications. A few commenters asked whether
prescription medications could be disclosed without consent if the
prescriber states that the prescription is not for substance use
disorder treatment. Another commenter asked what the requirements were
for medications that are used ``off label'' to treat substance use
disorder and medications that treat withdrawal. A commenter asked for
clarification on whether providers in part 2 programs, who do not
reveal their part 2 program affiliation, would be prohibited from
disclosing information about substance use disorder prescriptions that
are also prescribed for non-substance use disorder purposes, unless the
patient has consented to the disclosure.
SAMHSA Response
SAMHSA agrees that part 2 would permit the disclosure of
information without patient consent relative to a medication that is
used for both substance use disorder and non-substance use disorder
purposes, even when it is being prescribed for the purpose of substance
use disorder treatment. In disclosing the information, both the
provider and the data provenance must not identify the provider as
being affiliated with a part 2 program or prescribing the substance use
disorder medication for substance use disorder treatment.
Public Comments
Regarding the prohibition on re-disclosure, a commenter requested
that SAMHSA provide clarification on what impact a court order has on
sharing information otherwise deemed confidential under the part 2
regulations.
SAMHSA Response
SAMHSA has previously stated in FAQ guidance concerning re-
disclosures that when information is disclosed pursuant to an
authorizing court order, part 2 requires that steps be taken to protect
patient confidentiality. In a civil case, part 2 requires that the
court order authorizing a disclosure include measures necessary to
limit disclosure for the patient's protection, which could include
sealing from public scrutiny the record of any proceeding for which
disclosure of a patient's record has been ordered [42 CFR 2.64(e)(3)].
In a criminal case, such order must limit disclosure to those law
enforcement and prosecutorial officials who are responsible for or are
conducting the investigation or prosecution, and must limit their use
of the record to cases involving extremely serious crimes or suspected
crimes [42 CRF Sec. 2.65(e)(2)].
Public Comments
A commenter asked how a mixed-use mental health and substance use
treatment facility should handle re-disclosure and how SBIRT would be
addressed under this section.
SAMHSA Response
Only the substance use disorder information is covered by part 2.
The mental health information is not. The prohibition on re-disclosure
only applies to information that would identify, directly or
indirectly, an individual as having been diagnosed, treated, or
referred for treatment for a substance use disorder, such as indicated
through standard medical codes, descriptive language, or both, and
allows other health-related information shared by the part 2 program to
be re-disclosed, if permissible under other applicable laws.
6. Recommendations To Improve the Prohibition on Re-Disclosure
Public Comments
Several commenters recommended exclusions to the prohibition on re-
disclosure of substance use disorder patient data. A commenter said
patients should be able to consent to the disclosure of substance use
disorder information to a covered entity and such information would be
protected by HIPAA, but would be free from the re-disclosure
prohibition. Some commenters said SAMHSA should permit re-disclosure of
substance use disorder treatment information for the purpose of
treatment and/or care coordination. Another commenter suggested an
exemption for providers within a given PDMP, CCO, ACO or HIE, for the
purposes of treatment, payment, or health care operations. A commenter
said SAMHSA should allow re-disclosures without patient consent for
public health purposes to prevent disease or control injury or
disability. Lastly, a commenter said SAMHSA should add a category under
subpart D ``Disclosures without Patient Consent'' to include state
health data organizations that collect data under a legislative
authority.
SAMHSA Response
Due to its targeted population, part 2 provides more stringent
federal protections than most other health privacy laws, including
HIPAA. In light of the statute, SAMHSA declines to create the specific
suggested exclusions from the use and disclosure restrictions. SAMHSA
will specifically address disclosures to subcontractors and contractors
for health care purposes in the SNRPM.
[[Page 6093]]
Public Comments
Commenters requested that SAMHSA provide guidance in several areas,
including the type of permissible information that can be disclosed;
applicability to co-occurring disorders; and applicability to multi-use
organizations. A commenter said SAMHSA should publish the medical codes
(e.g., ICD-10s) that are affected by this provision.
SAMHSA Response
As for the type of permissible information that can be disclosed,
the proposed clarifications to Sec. 2.32 clarify that the prohibition
on re-disclosure only applies to information that would identify,
directly or indirectly, an individual as having been diagnosed,
treated, or referred for treatment for a substance use disorder, such
as indicated through standard medical codes, descriptive language, or
both, and allows other health-related information shared by the part 2
program to be re-disclosed, if permissible under other applicable laws.
Regarding the re-disclosure of information related to co-occurring
disorders, only the substance use disorder information is covered by
part 2. The mental health information in a patient record is not.
However, part 2 programs must ensure adequate confidentiality
protections for mental health patient data that are applicable based on
any relevant federal or state law.
Public Comments
Commenters proposed many other recommendations to improve the re-
disclosure provision. One commenter said the rule should specify the
consequences part 2 providers will face if they violate the proposed
rule's prohibition on re-disclosure. A commenter said non-part 2
programs that prescribe substance use disorder medication should not be
forbidden from disclosing such prescriptions, nor required to state the
purpose of the medication. A commenter said the rule should continue to
prohibit information being shared with law enforcement for criminal
prosecution. A commenter said SAMHSA should include an updated sample
Notice of Prohibition of Re-disclosure in the final rule. One commenter
said patients should have the ability to remove their substance use
disorder history from their medical record after ten years. A commenter
said SAMHSA should rescind the proposed prohibition on re-disclosure
relative to general designations and advocate for the medical community
to do more within their industry to recognize and provide appropriate,
comprehensive care for those living with substance use disorders.
SAMHSA Response
Regarding the consequences for violation of the re-disclosure
prohibition, each disclosure made with the patient's written consent
must be accompanied by the notice of prohibition on re-disclosure.
Under 42 U.S.C. 290dd-2 (f), any person who violates any provision of
this section or any regulation issued pursuant to this section shall be
fined in accordance with Title 18.
Regarding the comment on non-part 2 prescribers, prescribers that
are not covered by part 2 are not prohibited from disclosing such
prescriptions nor required to specify the purpose of such
prescriptions.
On prohibition of information being shared with law enforcement for
criminal prosecution, this prohibition remains in effect. Specifically,
SAMHSA has clarified Sec. 2.32(a) to state ``[t]he federal rules
restrict any use of the information to criminally investigate or
prosecute any patient with a substance use disorder, except as provided
at Sec. Sec. 2.12(c)(5) and 2.65.''
Public Comments
A commenter stated that individuals or entities who are not part 2
programs may not be familiar with the specific consent requirements of
part 2, so the next-to-last sentence of Sec. 2.32 should include a
citation to Sec. 2.31.
SAMHSA Response
SAMHSA appreciates the suggestion and has revised Sec. 2.32 to add
a reference to the Sec. 2.31 to the penultimate sentence in paragraph
(a).
L. Disclosures to Prevent Multiple Enrollments (Sec. 2.34)
SAMHSA is adopting this section as proposed. SAMHSA has modernized
Sec. 2.34 by updating terminology and revising corresponding
definitions. SAMHSA also consolidated definitions by moving definitions
from this section to the part 2 definitions provision (Sec. 2.11), as
discussed in Section III.D.
Public Comments
A few commenters supported disclosures to prevent multiple
enrollments. Some urged the proposed regulations to go further and
specifically allow registries in the form of HIEs or PDMPs to share
controlled substance prescriptions in the same manner that it would
allow withdrawal management or maintenance treatment programs. The aim
would be to prevent multiple prescribing of prescription drugs that can
be abused. Other commenters argued that the registry should be
available to check enrollment beyond 200 miles. Asserting that the
requirement to list every site that may be contacted in the consent
document is an unusual burden, one of these commenters suggested that
the concern can be better addressed by indicating ``any licensed
treatment center within the state when a patient presents for
treatment.'' One commenter requested clarification as to what type of
``central registry'' is being considered for disclosure of patient
records. Another suggested language that allows for multiple payments
to providers in situations where clients are enrolled in multiple
programs and where programs may be obtaining multiple payments for
multiple services.
SAMHSA Response:
Central registries, defined as ``an organization that obtains from
two or more member programs patient identifying information about
individuals applying for withdrawal management or maintenance treatment
for the purpose of avoiding an individual's concurrent enrollment in
more than one treatment program,'' serve a different purpose than HIEs
or PDMPs. According to the Centers for Disease Control and Prevention,
PDMPs are state-run electronic databases used to track the prescribing
and dispensing of controlled prescription drugs to patients. They are
designed, in part, to monitor this information for suspected abuse or
diversion (i.e., channeling drugs into illegal use), and can give a
prescriber or pharmacist critical information regarding a patient's
controlled substance prescription history. Although PDMPs may serve
many valuable purposes, SAMHSA decided not to address issues pertaining
to e-prescribing and PDMPs in the final rule because, as stated in the
NPRM, they were not ripe for rulemaking at the time due to the state of
technology and because the majority of part 2 programs are not
prescribing controlled substances electronically.
Under Sec. 2.34(a)(3)(ii), the consent may authorize a disclosure
to any withdrawal management or maintenance treatment program
established within 200 miles of the program after the consent is given
without naming any such program. Regarding comments on the 200-mile
limit, SAMHSA declines to make any changes to the 200-mile limit
because it is unlikely that a patient would be
[[Page 6094]]
enrolled in multiple programs greater than 200 miles from each other.
The regulations do not confine the 200-mile limit to within a state.
As for the request to allow a consent for disclosure to ``any
licensed treatment center within the state where a patient presents for
treatment,'' SAMHSA has concluded that the proposed specificity is
needed. Section 2.34 requires that the consent must list the name and
address of each central registry and each known withdrawal management
or maintenance treatment program to which a disclosure will be made.
This specificity was retained because the purpose of the section is to
prevent multiple enrollments that would result in a patient receiving
substance use disorder treatment medication from more than one
provider, thereby increasing the likelihood for an adverse event or
diversion.
Regarding the request to allow for multiple payments to providers
in situations where clients are enrolled in multiple programs and where
programs may be obtaining multiple payments for multiple services,
SAMHSA has determined that this request it outside of the scope of the
proposed part 2 changes in the NPRM.
M. Medical Emergencies (Sec. 2.51)
SAMHSA is adopting this section as proposed. SAMHSA has revised the
medical emergency exception to give providers more discretion to
determine when a ``bona fide medical emergency'' (42 U.S.C. 290dd-
2(b)(2)(A)) exists. The revised language states that patient
identifying information may be disclosed to medical personnel to the
extent necessary to meet a bona fide medical emergency in which the
patient's prior informed consent cannot be obtained. SAMHSA continues
to require the part 2 program to immediately document, in writing,
specific information related to the medical emergency.
1. General
Public Comments
Many commenters expressed support for the proposed change in
language of the medical emergency exception to provide medical
personnel with increased discretion to determine a ``bona fide medical
emergency.'' Some commenters expressly supported aligning the
regulatory language with the statutory language for medical
emergencies. A commenter supported the special rule that would allow
the disclosure of patient identifying information to medical personnel
at the FDA who provide reason to believe that the health of any
individual may be threatened by a product under the FDA's jurisdiction
and that the information used solely for notifying the patient or their
physicians of the potential dangers.
However, several commenters warned that part 2 programs should not
be expected to assume the unrealistic burden of liability for a HIE's
capability to comply with all part 2 requirements. Another commenter
argued the current medical emergency exception is clear under current
(1987) law and providers are already making the determination as to
what constitutes an emergency.
SAMHSA Response
SAMHSA appreciates the support of commenters on this issue. With
regard to the comment about the burden of liability, SAMHSA asserts
that the treating provider must make the determination as to whether a
bona fide medical emergency exists. However, concern alone about
potential drug interaction may not be sufficient to meet the standard
of a medical emergency. Thus, based on the circumstances of the
presenting situation, SAMHSA recommends that health care providers
obtain consent from the patient where feasible.
2. Definition of ``Bona Fide Medical Emergency''
Public Comments
Commenters provided various suggestions for expanding the
definition to include disclosure of records for mental health
involuntary commitment evaluations and other psychiatric emergencies;
to detoxification centers; when there is ``risk of serious harm'' to
self or others by reason of an substance use disorder; in order to save
a life or prevent further injury of a person who is not able to make a
rational decision due to mental impairment; and to prevent suicide.
Several commenters asserted the revisions should include an exception
for disclosure without consent in order to prevent medical emergencies
from occurring in the first place. Other commenters suggested not
limiting this section to only medical emergencies, but allowing
disclosures for treatment, payment, and operation purposes. A few
commenters supported adding a duty to warn exception where a substance
use disorder patient discloses intent, plan, or means to inflict harm
onto another individual or the public.
SAMHSA Response
On the request to expand the definition, while the statute
authorizes an exception for a bona fide medical emergency, broadening
this provision to include non-emergency situations would be
inconsistent with the statutory scheme. With respect to warnings, part
2 does not impose a duty to warn--or a duty to disclose any
information. It only governs when disclosures may be made, not when
they must be made. SAMHSA has previously provided FAQ guidance on when
a part 2 program may make a disclosure without divulging patient
identifying information. SAMHSA will monitor this issue and may
consider whether additional subregulatory guidance in the future may be
helpful.
Regarding involuntary commitment, patient identifying information
may be disclosed to medical personnel to the extent necessary to meet a
bona fide medical emergency in which the patient's prior informed
consent cannot be obtained. This may include situations in which the
patient is not regarded as being legally competent under the laws of
their jurisdiction. Such circumstances may apply when a patient is
subject to an involuntary commitment (i.e., formally committed for
behavioral health treatment by a court, board, commission, or other
lawful authority). Consistent with Sec. 2.51, during the period of
time a patient is not regarded as being legally competent, any
previously established, unrevoked, or unmodified general designation
remains valid for their current treating providers until such time as
the individual's competency is restored. The treating provider(s)
would, in such circumstances, be expected to follow provisions of this
rule pursuant to medical emergencies, including all documentation
requirements. Importantly, at any time when a patient is legally
competent, they may modify their general designation consistent with
the provisions of this final rule.
Public Comments
Other commenters suggested restrictions on the definition of ``bona
fide medical emergency'' or other limitations to the medical emergency
exception. Several recommended that the final rule explicitly state
that the medical emergency exception continues to be limited to
circumstances in which an individual needs immediate medical care and
the patient's consent cannot be obtained. The medical emergency
exception does not apply to situations where the patient could but will
not consent, since the exception should not be used to avoid obtaining
consent. A commenter urged that a ``bona fide medical emergency'' be
limited to circumstances in which an individual
[[Page 6095]]
needs immediate medical care because of an immediate (not future)
threat to a person's health.
A commenter asserted that it be specified that a ``medical
emergency'' is determined by the treating provider.
A commenter asserted that the information disclosed in a ``bona
fide medical emergency'' should be more clearly limited and the rule
should require the provider to affirmatively share the required
documentation of the disclosure with the patient.
A commenter stated that part 2 information disclosed in a medical
emergency should not be re-disclosed for criminal investigation or
prosecution.
A few commenters advocated for emergency care providers to be
permitted to access only limited part 2 information available through a
HIE.
SAMHSA Response
On situations in which the patient could but will not consent,
SAMHSA has not revised the regulatory language, but agrees that
``patient consent could not be obtained'' refers to the fact that the
patient was incapable of providing consent, not that the patient
refused consent.
With regard to the request that a ``medical emergency'' be
determined by the treating provider, SAMHSA clarifies that any health
care provider who is treating the patient for a medical emergency can
make that determination.
On limiting the information disclosed, Sec. 2.13(a) of the rule
indicates that the amount of information to be disclosed ``must be
limited to that information which is necessary to carry out the purpose
of the disclosure.''
With regard to the comment on re-disclosure, SAMHSA will address
re-disclosure of part 2 information obtained during a medical emergency
in subregulatory guidance rather than in the rule, as it has in the
past.
Public Comments
Several commenters asserted that automated or pre-determinations
for medical emergencies should be allowed. A commenter suggested that
pre-defining the criteria for medical emergency would enable HIEs to
automate the decisions about whether a patient visit is a medical
emergency. The commenter said such criteria could be defined by each
individual hospital or could be based on national standards. Another
commenter argued that Level of Care Utilization System (LOCUS) scores
and the ASAM levels could be used as clinical standards for determining
``bona fide emergency'' situations where behavioral health information
should be more broadly shared.
SAMHSA Response
Automated electronic health information systems can be programmed
to flag specific patient information for medical personnel to use in
determining whether a bona fide medical emergency exists and may be
programmed to provide alerts to authorized providers. However, as
SAMHSA has explained in previous FAQ guidance, one may not automate the
determination of a medical emergency.
Public Comments
Many commenters requested examples of emergency situations in order
to minimize confusion among providers and organizations as to the
circumstances under which medical emergencies would be valid. Many of
these commenters provided their own instances requesting clarification
if disclosure would be necessary.
SAMHSA Response
SAMHSA plans to provide the requested examples in subregulatory
guidance after the publication of this final rule.
3. Documentation of Medical Emergency
Public Comments
Many commenters argued for removal of the requirement that a part 2
program immediately document a disclosure pursuant to a medical
emergency. A commenter stated that SAMHSA should simplify the existing
onerous documentation requirements that impede vital sharing of
information. Another commenter suggested part 2 programs should rely on
other functionalities that retain disclosure and specific information
related to the medical emergency, such as audit reports.
A commenter suggested the language be modified to allow the part 2
program to document the disclosure ``promptly'' rather than
``immediately.''
Other commenters suggested eliminating the requirement to provide
``the name of the medical personnel to whom disclosure was made.''
Another commenter asserted that the rule should allow an HIE to
maintain documentation of disclosures for the part 2 program and
provide ongoing access to such information.
A commenter suggested that a ``list of the information disclosed''
be added to the list of information that must be entered into the
patient record at the time of the emergency disclosure.
SAMHSA Response
SAMHSA is not convinced of the benefit of replacing ``immediately''
with ``promptly,'' particularly since neither term is defined in the
final rule. With regard to the suggestion to eliminate the requirement
to provide ``the name of the medical personnel to whom disclosure was
made,'' the current (1987) part 2 regulations (as well as the
regulatory language in the NPRM) require part 2 programs to document
the name of the medical personnel to whom disclosure was made and their
affiliation with any health care facility because it is important for
that information to be available to the part 2 program and the patient.
4. Other Comments on Medical Emergencies
Public Comments
Some commenters suggested that SAMHSA expand who is authorized to
access emergency records. Some commenters requested the definition of
``medical personnel'' include any professional who provides health-
related services, including behavioral health services, rather than
being limited to medical doctors, nurses, and emergency medical
technicians. Other commenters suggested the language be changed so that
``non-medical personnel'' who are currently working with clients in an
emergency situation have access to the patient emergency record. A
commenter argued that substance use disorder patients commonly face
medical emergencies and therefore it is prudent for an emergency
department be named or identified under the ``general disclosure''
provision.
SAMHSA Response
Part 2 allows patient identifying information to be disclosed to
medical personnel in a medical emergency. Part 2 does not define the
term ``medical personnel'' but merely provides that information can be
given to medical personnel who have a need for information about a
patient in a bona fide medical emergency. It is up to the health care
provider or facility treating the emergency to determine the existence
of a medical emergency and which personnel are needed to address the
medical emergency. The name of the medical personnel to whom the
disclosure was made, their affiliation with any health care facility,
the name of the individual making the disclosure, the date and time of
the disclosure, and the nature of the medical emergency must be
documented in the patient's records by the part 2 program disclosing
[[Page 6096]]
the information. SAMHSA does not have the authority to permit
information to be disclosed to ``non-medical personnel'' pursuant to a
medical emergency because the authorizing statute for the regulations
codified at 42 CFR part 2 limits disclosures to ``medical personnel.''
With regard to identifying emergency departments under the
``general disclosure'' provision, the medical emergency exception
requires that a provider determine that a bona fide medical emergency
exists and that a patient's visit to an emergency room does not
automatically constitute such an emergency. SAMHSA reiterates that
there is a difference between refusal to consent and being incapable of
consenting to disclosure.
Public Comments
Commenters requested clarification on which entity, the receiving
emergency department or HIE, would be obligated to maintain part 2-
compliance with information received through a declared patient
emergency. A commenter argued the rule should state that a hospital
emergency room or other health care provider that obtains program
information under the medical emergency exception would not be subject
to part 2 rules with respect to such program information.
SAMHSA Response
Part 2 requires that when a disclosure is made in connection with a
medical emergency, the part 2 program must document in the patient's
record the name and affiliation of the recipient of the information,
the name of the individual making the disclosure, the date and time of
the disclosure, and the nature of the emergency. Thus, data systems
must be designed to ensure that the part 2 program is notified when a
``break the glass'' disclosure occurs and part 2 records are released
pursuant to a medical emergency. The notification must include all the
information that the part 2 program is required to document in the
patient's records. The information about emergency disclosures should
also be kept in the HIE's electronic system. Regarding the requests for
clarification on part 2 applicability to information disclosed pursuant
to a medical emergency, SAMHSA understands the importance of these
questions. However, because these issues are not related to specific
proposals made in the NPRM, SAMHSA plans to address them in
subregulatory guidance after the publication of the final rule.
Public Comments
A commenter warned that emergency disclosures for requesting of
part 2 records can occur by means other than solely through an HIE.
SAMHSA Response
The EHR is the vehicle for the disclosure of the part 2 record but
not the decision-maker. The name of the person who makes the
determination to disclose and discloses the information electronically
through an EHR system should be recorded. SAMHSA clarifies that the
example used of an HIE was not meant to be exhaustive to include all
potential sources of disclosures.
N. Research (Sec. 2.52)
SAMHSA is modifying this section from the regulatory text proposed,
as described in detail below. SAMHSA is implementing several changes to
the research provision. First, we have revised the section heading by
deleting the word ``activities.'' In addition, SAMHSA has revised the
research exception to permit data protected by 42 CFR part 2 to be
disclosed by any individual or entity that is in lawful possession of
part 2 data (lawful holder of part 2 data) under certain conditions.
SAMHSA also addressed data linkages because the process of linking
two or more streams of data opens up new research opportunities and
potential risks. In the NPRM, SAMHSA proposed to permit researchers to
request to link data sets that include patient identifying information
if (1) the data linkage uses data from a federal data repository, and
(2) the project, including a data protection plan, is reviewed and
approved by an Institutional Review Board (IRB) registered with the
Office for Human Research Protections (OHRP) in accordance with 45 CFR
part 46. SAMHSA requested comments in the NPRM on whether to expand the
data linkages provision beyond federal data repositories. After
considering the public comments received on this topic, as discussed in
greater detail below, SAMHSA has revised the data linkages provision to
permit researchers to link to federal and non-federal data repositories
provided certain conditions are met.
The revised Sec. 2.52 permits a researcher to include part 2 data
in reports only in aggregate form. SAMHSA clarified in this final rule
that, with respect to these types of reports, the patient identifying
information has been rendered non-identifiable such that the
information cannot be re-identified and serve as an unauthorized means
to identify a patient, directly or indirectly as having or having had a
substance use disorder. SAMHSA requires any individual or entity
conducting scientific research using patient identifying information to
meet additional requirements to ensure compliance with confidentiality
provisions under part 2. Note that de-identified information can be
shared for the purposes of research; this was the status quo under the
previous part 2 regulations, and this final rule does not change that.
Finally, Sec. 2.52 addresses, in addition to the maintenance of
part 2 data, the retention and disposal of such information used in
research. SAMHSA expanded the provisions in Sec. 2.16 (Security for
records) and references the policies and procedures established under
Sec. 2.16 in revised Sec. 2.52. The NPRM language in (a)(1) only
referenced ``the HIPAA privacy rule at 45 CFR 164.512(i)'' while the
final rule regulatory language in (a)(1) now says: ``consistent with
the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as
applicable''.
1. General
Public Comments
Many commenters expressed support for revising the research
exception to permit data protected by part 2 to be disclosed to
qualified personnel for the purpose of conducting scientific research
by a part 2 program or any other individual or entity that is in lawful
possession of part 2 data (lawful holder of part 2 data). Many
commenters expressed general support for expanding the circumstances in
which research may be conducted with part 2 data. Many commenters
supported disclosure of data from other lawful holders of substance use
disorder records with researchers. Commenters supported the prevention
of data scrubbing of records and other data suppression related to
substance use disorders. Some commenters specified support to stop
``suppression'' of Medicare and Medicaid data from any records
associated with substance use disorder.
SAMHSA Response
SAMHSA's revisions to the research provision address these concerns
regarding access to substance use disorder information from CMS claims/
encounter data disclosed for research purposes. First, the research
provision permits part 2 programs and other lawful holders of patient
identifying information (not just part 2 program directors) to disclose
data protected by
[[Page 6097]]
42 CFR part 2 to qualified personnel for the purpose of conducting
scientific research if the researcher provides documentation of meeting
certain requirements related to other existing protections for human
research. Second, SAMHSA also addressed data linkages to enable
researchers holding part 2 data to link to data sets from federal and
non-federal data repositories provided certain conditions are met as
spelled out in section 2.52.
Public Comments
Another commenter supported the use of data use agreements for all
research transfers of part 2 information and requested the proposed
regulation provide examples of these agreements. A commenter stated
that the agency should allow research of additional administrative data
sets such as those held by HIEs, ACOs, state Medicaid agencies,
commercial insurance companies, and Medicare Advantage plans with
appropriate IRB reviews.
SAMHSA Response
Although not required by Sec. 2.52, the regulation would permit
any lawful holder of patient identifying information to require a
researcher sign a data use agreement spelling out these requirements.
SAMHSA is adopting its proposal regarding the research exception to
permit data protected by 42 CFR part 2 to be disclosed to qualified
personnel for the purpose of conducting scientific research by a part 2
program or any other individual or entity that is in lawful possession
of part 2 data if the researcher provides documentation of meeting
certain requirements related to other existing protections for human
research. If an entity meets the requirements of an ``other lawful
holder of patient identifying information,'' as described in the
preamble of this final rule, the entity would be authorized to disclose
part 2 data for research purposes in accordance with Sec. 2.52.
Public Comments
Another commenter asked a series of questions related to the
release of data by lawful holders that are not part 2 programs (e.g.,
HIEs). The commenter asked how these HIEs, third-party payers, etc.,
will be able to determine that a researcher will maintain the
confidential patient identifying information in accordance with the
security requirements set out in Sec. 2.52(a)(2); how will the
``lawful holders'' be able to assess whether the potential benefits of
the research outweighs any risks to confidentiality as required by
Sec. 2.52(a)(3); and what individual at these various ``lawful
holders'' will be the equivalent of a part 2 program director and have
the authority to make these decisions. The commenter stated that it is
almost certain that these ``lawful holders'' will not sufficiently know
the confidentiality regulations so as to ensure the researchers are
aware of, and will comply with the prohibition against re-disclosure
specified in Sec. 2.52(b).
SAMHSA Response
SAMHSA examined the existing regulations that protect human
subjects in research and concluded that, if those requirements were
fulfilled, 42 CFR part 2 would ensure confidentiality protections
consistent with the statute, while providing the expanded authority for
disclosing patient identifying information. Requirements that ensure
compliance with HIPAA and the Common Rule (e.g., IRB and/or privacy
board review) with respect to research provide these assurances,
including that the researcher has a plan to protect and destroy
identifiers and to not re-disclose the information in an unauthorized
manner. The individual who would make the determination to disclose
part 2 data on behalf of a part 2 program or other lawful holder would
be the individual designated as director or managing director, or
individual otherwise vested with authority to act as chief executive
officer or their designee. In addition, there is nothing in the
regulation that requires this individual to disclose the data, even if
the researcher provides documentation of compliance with the
requirements under Sec. 2.52.
Public Comments
A commenter stated that the proposed rule adopted an overly narrow
approach to disclosures for scientific research, by limiting part 2
disclosures only to entities or individuals subject to the HIPAA
Privacy Rule or the HHS Common Rule. The commenter stated that because
the commenter is not a HIPAA covered entity or business associate under
HIPAA, and is not currently subject to the Common Rule, the commenter
does not appear to meet the conditions required for disclosure for
scientific research. The commenter stated that limiting disclosures for
research purposes only to entities or individuals subject to the HIPAA
Privacy Rule and/or Common Rule is inconsistent with the language and
intent of the governing statute, which broadly authorizes disclosures
to qualified personnel for the purposes of conducting scientific
research.'' (42 U.S.C. 290dd-2(b)(2)(B)). The commenter urged SAMHSA to
interpret research broadly to include state analytic activities to
identify patterns and variations in the cost, quality and delivery of
health care, similar to the approach adopted by CMS for the release of
CMS claims/encounter data to state agencies.
SAMHSA Response
The revised research exception will now permit data protected by 42
CFR part 2 to be disclosed for research purposes by part 2 programs and
other lawful holders of patient identifying information not just by
part 2 program directors as the 1987 final rule regulations require.
Because SAMHSA is expanding the authority for disclosing patient
identifying information beyond part 2 program directors, it was
necessary to establish a mechanism to ensure that confidentiality
protections consistent with the statute were fulfilled in all cases.
SAMHSA determined that the existing regulations that protect human
subjects in research would accomplish this, and, therefore, decided to
limit the permitted disclosures for research purposes under part 2 to
instances in which the researchers would meet the requirements
governing their receipt of protected health information from a covered
entity under the HIPAA privacy rule and/or the requirements governing
research on human subjects under the HHS Common Rule. Under this
expanded authority, the HIPAA standards would be applied as a test
regardless of whether the data source for the disclosure was a HIPAA
covered entity.
Under 42 CFR part 2, the research provision provides clear policies
on conducting research and protecting the confidentiality of patient
identifying information, including their obligations to comply with
requirements under 42 CFR 2.16, Security for Records.
Public Comments
A commenter stated that SAMHSA, in coordination with state
regulators, should work together to issue guidance related to the
application of the federal part 2 requirements to substance use
disorder information that may be requested by states for public health
and other purposes.
SAMHSA Response
The statute authorizing part 2 contains specific limited exceptions
to the consent requirement, and making a change to exempt states from
this requirement, under certain conditions, would be inconsistent with
the statutory scheme.
[[Page 6098]]
Public Comments
One commenter stated that the expansion of the disclosure of
patient identifying information should be limited to CMS and/or state
governmental agencies that have authority over substance use disorder
treatment services. The commenter stated that an unintended consequence
of implementing the potential of wide-spread disclosure of previously
protected information is that the protections the confidentiality
regulations afforded patients will be eviscerated as essentially all
the recipients of protected information, for the last 40 years will no
longer be bound by the prohibition of re-disclosure, subjecting the
patient's information to re-disclosure, without the patient's consent,
to any individual or entity representing that they are conducting
scientific research. The commenter argued that SAMHSA should limit the
number of entities who can release patient identifying information to
those who actually have the resources to verify that such disclosure to
a researcher is for a valid research purpose; can ensure proper
research protections are in place; and affirm the patient will not be
more vulnerable as a result of the disclosure. The vast majority of
lawful holders cannot adequately perform this analysis and therefore
cannot protect the patient's interest as required under the part 2
regulations.
SAMHSA Response
SAMHSA declines to narrow the scope of the research provision as
suggested. In developing the proposed rule, SAMHSA examined the
existing regulations that protect human subjects in research and
concluded that, if those requirements were fulfilled, 42 CFR part 2
would ensure confidentiality protections consistent with the statute,
while providing the expanded authority for disclosing patient
identifying information. Specifically, IRBs determine that, when
appropriate, there are adequate provisions to protect the privacy of
subjects and to maintain the confidentiality of data before approving
the research (45 CFR 46.111(a)(7)). SAMHSA is interested in affording
patients protected by 42 CFR part 2 the same opportunity to benefit
from advanced research protocols while continuing to safeguard their
privacy, and narrowing the scope of lawful holders that may disclose
part 2 data for research purposes, as suggested by the commenter would
limit the ability of patients to benefit from these research efforts.
Public Comments
Other commenters expressed concern about the expanded research
exception. A commenter stated that the proposed provision would create
a wide opportunity for data sharing with increased risk of adverse
impact. Similarly, a commenter warned that the research exception
revision poses unnecessary risk of data breach of patient's
confidentiality.
SAMHSA received a large number of comments, particularly from
researchers, expressing support for the revised research provision.
These commenters expressed concern that, without this revised
provision, researchers' access to substance use disorder-related data
in Medicare and Medicaid claims/encounter databases would be limited to
instances in which consent could be obtained. A number of commenters
cited a study by K. Rough et al. published in the March 15, 2016, issue
of the Journal of the American Medical Association that found the
exclusion of part 2 data from Medicare and Medicaid claims/encounter
data in research contexts coincided with decreases in the rates of
diagnoses for certain conditions commonly co-occurring with substance
use disorder. Commenters reiterated a point made in the article that
underestimating diagnoses has the potential to bias health services
research studies and epidemiological analyses. Some commenters also
stated that implementing appropriate data safeguards can protect
patient privacy while still allowing researchers access to critical
data.
SAMHSA Response
SAMHSA agrees with the commenters' assertions regarding how the
exclusion of this substance use disorder data hampers vital public
health research, particularly in light of the growing national opioid
epidemic and is finalizing the research data access proposal in the
final rule.
With respect to concerns about privacy and the expansion of the
research exception, SAMHSA clarifies that the research exception is
intended to permit data protected by 42 CFR part 2 to be disclosed to
qualified personnel for the purpose of conducting scientific research
by a part 2 program or any other individual or entity that is in lawful
possession of part 2 data (lawful holder of part 2 data).
The research provision (Sec. 2.52(b)) already includes a
requirement that the researcher receiving the part 2 data is fully
bound by 42 CFR part 2. Although not required by Sec. 2.52, the
regulation would permit any lawful holder of patient identifying
information to require a researcher to sign a data use agreement
spelling out these requirements. Lawful holders of patient identifying
information may disclose part 2 data without patient consent for
research purposes only under the specified circumstances under the
research provision.
Public Comments
A commenter requested clarification as to whether ``lawful
holders'' may disclose part 2 data to third parties to conduct research
or whether the ``lawful holder'' has to conduct the research itself.
Citing the HIPAA tracking criteria for disclosures outside the
entity pursuant to a waiver of authorization, another commenter asked
SAMHSA to clarify what tracking requirements would apply to disclosure
of part 2 data for purposes of research. This commenter also asked
SAMHSA to clarify whether disclosure for purposes of research means
sharing the data with anyone for research purposes or only applies when
part 2 data is shared with an outside entity.
SAMHSA Response
The research provision permits part 2 programs and other lawful
holders of patient identifying information to disclose data protected
by 42 CFR part 2 to qualified personnel for the purpose of conducting
scientific research if the researcher provides documentation of meeting
certain requirements related to other existing protections for human
research. ``Qualified personnel'' is a statutory term and SAMHSA has
clarified that this term includes those individuals who meet the
requirements specified in the research provision to receive part 2 data
for the purpose of conducting scientific research.
The proposed rule did not include a tracking requirement for
information disclosed under the research exception and so we are
declining to include such a requirement in the final rule.
Public Comments
Another commenter reasoned that municipalities should be able to
receive and match patient identifying information and then use the de-
identified data for planning and analysis purposes (e.g., determining
how many criminal justice-involved defendants have a previous history
of substance use disorder treatment).
SAMHSA Response
SAMHSA declines to make the recommended expansion to the research
[[Page 6099]]
provision. SAMHSA is revising the research exception to permit data
protected by 42 CFR part 2 to be disclosed to qualified personnel for
the purpose of conducting scientific research by a part 2 program or
any other individual or entity that is in lawful possession of part 2
data (lawful holder of part 2 data).''Qualified personnel'' is a
statutory term and SAMHSA has clarified that this term includes those
individuals who meet the requirements specified in the research
provision to receive part 2 data for the purpose of conducting
scientific research. This term would not preclude researchers from
conducting such research efforts on behalf of a municipality. However,
part 2 prohibits researchers from re-disclosing patient identifying
information except back to the individual or entity from whom that
patient identifying information was obtained or as permitted under
Sec. 2.52(c) of this section, and permits researchers to include part
2 data in reports only in aggregate form in which patient identifying
information has been rendered non-identifiable such that the
information cannot be re-identified and serve as an unauthorized means
to identify a patient, directly or indirectly, as having or having had
a substance use disorder.
Public Comments
A commenter expressed support for the strengthened proposed
research provision whereby patient identifying information may be
released only after the program director has determined the research
recipient has obtained appropriate IRB and/or privacy board approval
and consent. Another commenter asserted that information that is de-
identified and presented in aggregate should be permitted to be more
readily used in research. The commenter stated that this was another
area where SAMHSA can promote greater alignment with HIPAA, which
provides allowances for covered information that is de-identified and
presented in the aggregate.
SAMHSA Response
Part 2 only applies to information that would identify a patient as
having or having had a substance use disorder. The revised research
provision allows researchers to include part 2 data in reports only in
aggregate form in which patient identifying information has been
rendered non-identifiable such that the information cannot be re-
identified and serve as an unauthorized means to identify a patient,
directly or indirectly, as having or having had a substance use
disorder. The revised Sec. 2.52 also requires researchers to maintain
and destroy patient identifying information in accordance with the
security policies and procedures established under Sec. 2.16. SAMHSA
aligned policy with HIPAA where possible. However, 42 CFR part 2 and
its governing statute are separate and distinct from HIPAA, and the
part 2 regulations use different terminology than used in HIPAA.
Public Comments
A commenter requested clarification on whether data disclosed to
qualified personnel under Sec. 2.52 would include ``identifiable
information.'' For example, this commenter asked why a name would be
relevant if the data and information would be used for research.
Another commenter stated that certain patient identifying information
such as social security numbers should not be included, as it serves no
purpose to researchers. The commenter stated that this can easily be
mitigated by data segmentation and consent management, but until then
the rule should be maintained in that the part 2 program director is
the only individual authorized to release of information.
SAMHSA Response
The part 2 data that may be disclosed for research purposes include
patient identifying information, as that term is defined in Sec. 2.11.
One reason researchers would need identifiable information is to link
part 2 data to other data sets, or for conducting data linkages. SAMHSA
also proposed to address data linkages, which requires identifiable
information, because the process of linking two or more streams of data
opens up new research opportunities and potential risks. For example,
the practice of requesting data linkages from other data sources to
study the longitudinal effects of treatment is becoming widespread.
SAMHSA is interested in affording patients protected by 42 CFR part 2
the same opportunity to benefit from these advanced research protocols
while continuing to safeguard their privacy. Likewise, SAMHSA revised
the research provision to enable part 2 data to be disclosed for
research purposes by part 2 programs and other lawful holders of
patient identifying information so that patients may benefit from the
additional scientific research that will be conducted and that will
facilitate continual quality improvement of part 2 programs and the
important services they offer. This additional research would not be
able to be conducted if SAMHSA were to continue to maintain the
existing part 2 research provision, as suggested.
2. Suggestions for Improvement of the Research Provisions
Public Comments
Some commenters made suggestions to improve privacy protections as
it relates to research. A commenter suggested that the research
provision require a certificate of confidentiality as a prerequisite to
researcher access to part 2 information.
SAMHSA Response
The research provision (Sec. 2.52(b)) already includes a
requirement that the researcher receiving the part 2 data is fully
bound by 42 CFR part 2. Although not required by Sec. 2.52, the
regulation would permit any lawful holder of patient identifying
information to require a researcher sign a data use agreement spelling
out these requirements.
According to NIH, certificates of confidentiality do not take the
place of good data security or clear policies and procedures for data
protection, which are essential to the protection of research
participants' privacy. Under 42 CFR part 2, the research provision
provides clear policies on conducting research and protecting the
confidentiality of patient identifying information, including their
obligations to comply with requirements under 42 CFR 2.16, Security for
Records.
Public Comments
A commenter concluded that the number of entities who could release
patient identifying information should be limited to those who have the
resources to verify the research is valid and the patient will not
become more vulnerable as result of disclosure. A commenter suggested
that strict policies be in place at all levels of research
organizations to assure that prohibited re-disclosure of patient
information does not occur. A commenter asserted that aligning part 2's
requirements for a valid written consent with those applicable under
the HIPAA Privacy Rule would avoid confusion. One commenter suggested
that the filing of conflict of interest statements by the primary
investigators and co-investigators be required. A commenter suggested a
change in language to clarify that researchers will resist any judicial
demand for access to patient records, except as permitted by these
regulations.
SAMHSA Response
SAMHSA examined the existing regulations that protect human
subjects in research and concluded that, if those requirements were
fulfilled, 42 CFR part
[[Page 6100]]
2 would ensure confidentiality protections consistent with the statute,
while providing the expanded authority for disclosing patient
identifying information. Requirements that ensure compliance with HIPAA
and the Common Rule (e.g., IRB and/or privacy board review) with
respect to research provide these assurances, including that the
researcher has a plan to protect and destroy identifiers and to not re-
disclose the information in an unauthorized manner. Disclosure of part
2 data also would be allowable for research that qualifies for
exemption under the Common Rule due to the lower risk to subjects in
the circumstances where exemptions apply, and this has been clarified
in Sec. 2.52(a)(2). The individual who would make the determination to
disclose part 2 data on behalf of a part 2 program or other lawful
holder would be the individual designated as director or managing
director, or an individual otherwise vested with authority to act as
chief executive officer or their designee. In addition, there is
nothing in the regulation that requires this individual to disclose the
data, even if the researcher provides documentation of compliance with
the requirements under Sec. 2.52.
SAMHSA declines to make the recommended change regarding conflicts
of interest to the research section (Sec. 2.52). The revised research
provision requires reviews, either by an IRB and/or privacy board, for
the specific purpose of minimizing risk to patients and their privacy.
The research provision also requires researchers requesting data
linkages, as described in Sec. 2.52(c), to have the request reviewed
and approved by an IRB registered with the Department of Health and
Human Services, Office for Human Research Protections in accordance
with 45 CFR part 46 to ensure that patient privacy is considered and
the need for identifiable data is justified. In addition, HHS has
issued subregulatory guidance that, to the extent financial interests
may affect the rights and welfare of human subjects in research, IRBs,
institutions, and investigators need to consider what actions regarding
financial interests may be necessary to protect those subjects.
SAMHSA proposed to require any individual or entity conducting
scientific research using patient identifying information to meet
additional requirements to ensure compliance with confidentiality
provisions under part 2. Among these are a provision (Sec. 2.52(b)(1))
that ``requires researchers to be fully bound by these regulations and,
if necessary, to resist in judicial proceedings any efforts to obtain
access to patient records except as permitted by these regulations.''
Public Comments
Another commenter suggested that the rule allow an extended
disclosure period specific to research that could be included in the
initial disclosure approval.
SAMHSA Response
The part 2 regulations do not specify a disclosure period in the
research provision.
Public Comments
A commenter said that it would bring clarity and aid entities
seeking to comply with the proposed rule if it included a definition of
``repository'' and of ``scientific research.'' The commenter stated
that the HHS Common Rule provisions, referenced repeatedly in the
proposed rule, apply only to activities which meet the definition of
research involving human subjects. It is not clear whether SAMHSA
intends to adopt Common Rule definitions or create a separate scheme.
SAMHSA Response
SAMHSA did not propose a regulatory definition for these terms in
the NPRM and respectfully declines to define the terms in the final
rule as suggested. ``Scientific research'' is a statutory term that is
not defined. Researchers requesting part 2 data for the purposes of
conducting scientific research and whose research is subject to the
Common Rule would need to comply with requirements for the Common Rule
as well as those of part 2. SAMHSA refers to the term ``repository'' in
the context of the data linkages provision, and intended the term to
broadly refer to data that is stored and managed. SAMHSA may address
undefined terms that require further elaboration in subregulatory
guidance or in subsequent rulemaking.
Public Comments
One commenter supported provisions that allow states to work with
outside entities, which are HIPAA and Common Rule compliant, to conduct
research that will improve care and drive quality outcomes for Medicaid
beneficiaries with a substance use disorder.
SAMHSA Response
SAMHSA supports the efforts of part 2 stakeholders to work together
collaboratively and in compliance with the law. Part 2 prohibits
researchers from re-disclosing patient identifying information except
back to the individual or entity from whom that patient identifying
information was obtained or as permitted under the data linkages
provision. Researchers may include part 2 data in reports only in
aggregate form in which patient identifying information has been
rendered non-identifiable such that the information cannot be re-
identified and serve as an unauthorized means to identify a patient,
directly or indirectly, as having or having had a substance use
disorder.
3. HIPAA and HHS Common Rule Requirements
Public Comments
Many commenters expressed support for aligning requirements for
disclosure of information for conducting research with existing
requirements for research as regulated by the HHS Common Rule (45 CFR
part 46). A commenter remarked that an alternate approach would be to
create a single category of consent for research purposes.
SAMHSA Response
In this part 2 final rule, SAMHSA has implemented certain revisions
that are predicated on the current version of the Common Rule (45 CFR
part 46, Protection of Human Subjects, promulgated in 1991). Should
conflicting policies be created in the future, SAMHSA will take
appropriate action (e.g., issue an NPRM or technical correction). With
respect to creating a single category of consent for research, the
existing consent requirements permit patient consent for the disclosure
of patient identifying information for the purpose of scientific
research.
4. Data Linkages
SAMHSA revised Sec. 2.52 from the proposed regulatory text by
separating out the data linkages provisions into its own paragraph,
Sec. 2.52(c) for purposes of clarity and readability. In addition, the
final Sec. 2.52 addresses data linkages to enable researchers holding
part 2 data to link to data sets from federal and non-federal data
repositories as explained in greater detail below. SAMHSA proposed to
permit researchers to request to link data sets that include patient
identifying information under certain conditions. We proposed to limit
the data repositories from which a researcher may request data for data
linkages purposes to federal data repositories because federal agencies
that maintain data repositories have policies and procedures in place
to protect the security and confidentiality of the patient identifying
information that must be submitted by a researcher in order to link the
data sets. SAMHSA
[[Page 6101]]
sought input from the public regarding whether to expand the data
linkages provision beyond federal data repositories; what
confidentiality, privacy, and security safeguards are in place for
those non-federal data repositories; and whether those safeguards are
sufficient to protect the security and confidentiality of the patient
identifying information.
Public Comments
Several commenters suggested that researchers be allowed to perform
data linkages between data sets containing substance use disorder data.
However, some warned that the proposed rule was unclear regarding data
linkages. One commenter said SAMHSA should clarify that researchers
have the option to submit data to a federal data repository, like CMS,
for linking of federal data, but are not required to do so. Other
commenters argued that proposed Sec. 2.52 should explicitly allow
researchers to perform their own data linkages between data sets
containing substance use disorder records. A commenter asserted that
non-profit entities who engage in research should be distinct from for-
profit organizations and that for-profit organizations should not be
allowed access to large linked data sets.
Many commenters expressed support for permitting linkage with non-
federal repositories where adequate, flexible safeguards are in place
to protect the security and confidentiality of part 2 data. A commenter
asserted that only allowing researchers to combine 42 CFR part 2
records received without patient consent with records from a federal
repository is not consistent with the goal of enhancing research
conducted with data protected by part 2. In particular, commenters
pointed out that many state, local, tribal, and corporate data
repositories with hospital emergency department and discharge, trauma
registry, and birth and death records would not be covered by the
federal data linkages language in the proposed rule, thereby hampering
important research and evaluation activities. Additionally, commenters
supported the expansion of data linkages in order to better support the
analysis required by evolving health care delivery and payment models,
such as Accountable Care Organizations.
Commenters urged that appropriate privacy and security protections
are in place, to include physical security and disposition of data if
SAMHSA permits linkages to non-federal data repositories. One commenter
remarked that protections imposed by federal repositories that are not
imposed by other repositories should be identified and considered as
requirements, so as not to lose the insight offered through additional
linkage opportunities. Another suggested implementation of data use
agreement language to non-federal repositories. A commenter reasoned
IRBs or privacy officers could ensure other repositories are in
compliance with part 2 requirements.
However, a few commenters did not support expansion of data linkage
to non-federal repositories. Some commenters expressed concerns about
the security of data in both federal and non-federal data repositories
citing examples of healthcare data breaches. One commenter concluded
data linkage to any data repositories be withdrawn from the proposed
language citing the federal agencies as well as health care data
repositories inability to adequately safeguard personal information.
Another commenter suggested data repositories performing the data
linkages, if outside of part 2 entity, not be given information subject
to part 2.
SAMHSA Response
SAMHSA would like to clarify that the data linkages provision is
not intended to prohibit a researcher from linking a data set in the
researcher's possession that contains part 2 data with a data set from
a third party source, so long as the part 2 data is not further
disclosed in the data linkage process and the researcher adheres to any
applicable confidentiality, privacy, and security requirements and
safeguards. Regarding the comment on for-profit organizations, whether
the researcher is a for-profit or not-for-profit organization, the
researcher would be required to have IRB approval and/or privacy board
review of their research, and, additionally, IRB approval of the
research project that contains the data linkage component, to ensure
risks to the patient and their privacy are minimized. In addition, part
2 prohibits researchers from re-disclosing patient identifying
information except back to the individual or entity from whom that
patient identifying information was obtained or as permitted under the
data linkages provision. Researchers may include part 2 data in reports
only in aggregate form in which patient identifying information has
been rendered non-identifiable such that the information cannot be re-
identified and serve as an unauthorized means to identify a patient,
directly or indirectly, as having or having had a substance use
disorder.
In response to public comments, SAMHSA has decided in the final
rule to permit data linkages to both federal and non-federal data
repositories subject to the conditions explained below. SAMHSA believes
that these changes will enhance research while still ensuring the
protection of part 2 patient identifying information. SAMHSA agrees
with commenters that many non-federal data repositories, as well as
federal data repositories, contain data that is critical to research
and, therefore, SAMHSA is expanding data linkages provisions.
In the data linkages provision of this final rule (Sec. 2.52(c)),
SAMHSA revises its proposal to enable researchers holding part 2 data
to link to data sets from any repository, including non-federal
repositories, provided that the linkage has been reviewed and approved
by an Institutional Review Board registered with the Department of
Health and Human Services, Office for Human Research Protections in
accordance with 45 CFR part 46 to ensure that patient privacy is
considered and the need for identifiable data is justified. In addition
to having the request reviewed and approved by an IRB, the researcher
must ensure that patient identifying information obtained under the
rule's research provisions is not provided to law enforcement agencies
or officials. SAMHSA states in the final rule that the data repository
is fully bound by the provisions of part 2 upon receipt of the patient
identifying data and must, after providing the researcher with the
linked data, destroy or delete the linked data from its records,
including sanitizing any associated hard copy or electronic media, to
render the patient identifying information non-retrievable in a manner
consistent with the policies and procedures established under Sec.
2.16 Security for records. In addition, the data repository must ensure
that any data obtained pursuant to part 2's research provisions is not
provided to law enforcement agencies or officials.
Public Comments
One commenter recommended that SAMHSA expand data linkages beyond
research to the broader need for it to be inclusive of coordinated
care. The commenter stated that this is another area where SAMHSA could
look to existing HIPAA provisions and align the part 2 provisions
accordingly.
SAMHSA Response
SAMHSA declines to make the revision suggested by the commenter.
The transfer of part 2 information for the purposes of research, as
allowed under Sec. 2.52, is an exception to patient consent, and,
therefore, the data linkages provision cannot be expanded
[[Page 6102]]
to other parts of the regulation. Because of its targeted population,
part 2 provides more stringent federal protections than most other
health privacy laws, including HIPAA. However, SAMHSA aligned policy
with HIPAA where possible.
5. Multi-Payer Claims Database
Public Comments
Many commenters urged the final rule to explicitly include a
statement on the authority granted to MPCDs (also referred to as APCDs)
that maintain adequate safeguards to collect, link, and disseminate
substance use disorder records without patient consent for research
purposes. Several commenters argued that many states have established
state-sponsored MPCD systems and urged the proposed rule to
specifically ensure substance use disorder data are not systematically
excluded from state MPCD systems, allowing part 2 data to be collected,
linked, and disseminated without patient consent for research purposes.
A commenter requested specific guidance as to whether MPCDs could be
lawful holders of part 2 data with the same disclosure requirements as
those for HIEs. A commenter stated that the rule should authorize state
data repositories such as an MPCD to link part 2 data to other data for
research purposes.
SAMHSA Response
For an MPCD or any entity to disclose part 2 data for research
purposes under the rule's research exception to consent requirements
(Sec. 2.52), the entity must be a ``lawful holder of patient
identifying information.'' Under the research provision, any lawful
holder of part 2 data may disclose the data to qualified researchers
that meet the requirements under the HHS Common Rule or HIPAA Privacy
Rule. As SAMHSA discussed in the NPRM preamble, a ``lawful holder'' of
patient identifying information is an individual or entity who has
received such information in accordance with the part 2 requirements,
and, therefore, is bound by 42 CFR part 2. Examples of potential
``lawful holders'' of patient identifying information include a
patient's treating provider, a hospital emergency room, an insurance
company, an individual or entity performing an audit or evaluation, or
an individual or entity conducting scientific research. As permitted by
the authorizing statute and under these regulations, any lawful holder
of patient identifying information may disclose part 2 data without
patient consent for research purposes under the circumstances specified
under the research provision.
Regarding the specific scenario raised by commenters, SAMHSA wishes
to clarify that MPCDs and other data intermediaries are permitted to
obtain part 2 data under the research exception provided in Sec. 2.52,
provided that the conditions of the research exception are met.
Furthermore, an MPCD or data intermediary that obtains part 2 data in
this fashion would be considered a ``lawful holder'' under these final
regulations and would therefore be permitted to redisclose part 2 data
for research purposes, subject to the other conditions imposed under
Sec. 2.52. The final rule edits the language under paragraph 2.52(a)
to clarify that the regulations do not prohibit such a disclosure.
Except as provided in paragraph 2.52(c), a researcher may not
redisclose patient identifying information for data linkages purposes.
SAMHSA's data linkages provision permits researchers to request to link
data sets that include patient identifying information if the data
linkages component is reviewed and approved by an IRB registered with
OHRP in accordance with 45 CFR part 46 and certain other conditions are
met. The data linkages provision is not intended to prohibit a
researcher from linking a data set in the researcher's possession that
contains part 2 data with a data set from a third-party source, so long
as the part 2 data is not further disclosed in the data linkage process
and any applicable confidentiality, privacy, and other conditions as
specified in this rule are adhered to.
O. Audit and Evaluation (Sec. 2.53)
SAMHSA is modifying the proposed language as discussed below.
SAMHSA has revised the section heading by deleting the word
``activities.'' SAMHSA modernized this section to include provisions
governing both paper and electronic patient records. In addition, we
revised the requirements for destroying patient identifying information
by citing the expanded Security for Records section (Sec. 2.16).
Furthermore, we updated the Medicare or Medicaid audit or evaluation
paragraph title to include Children's Health Insurance Program (CHIP)
and, in subsequent language, refer to Medicare, Medicaid, and CHIP.
The Sec. 2.53 revisions permit the part 2 program, not just the
part 2 program director, to determine who is qualified to conduct an
audit or evaluation of the part 2 program. The revised language also
permits an audit or evaluation necessary to meet the requirements of a
CMS-regulated ACO or similar CMS-regulated organization (including a
CMS-regulated QE), under certain conditions, by better aligning the
criteria in this section with those set forth in the Affordable Care
Act (regulating ACOs, in part, at 42 U.S.C. 1395jjj). We have specified
that such ACO or similar CMS-regulated entities must have in place
administrative and/or clinical systems. While the NPRM indicated both
types of systems were required, it has been noted that some ACO or
similar CMS-regulated entities will not have both clinical and
administrative systems. We also have clarified in the final rule that
the ACO or similar CMS-regulated organization (including a CMS-
regulated QE) is subject to periodic evaluations by, or receives
patient identifying information from, CMS or its agents. To ensure that
patient identifying information is protected, the ACO or similar CMS-
regulated organization (including a CMS-regulated QE) that is the
subject of, or is conducting, the audit or evaluation must have a
signed Participation Agreement with CMS or similar documentation that
demonstrates that the organization and its auditors or evaluators must
conduct the audit and evaluation activities in full compliance with all
applicable provisions of 42 U.S.C. 290dd-2 and 42 CFR part 2.
Public Comments
Several commenters provided comments with regard to Sec. 2.53,
Audit and Evaluation. A few commenters discussed the application of
this section to Medicare and Medicaid. A couple of commenters
recommended clarifying that Medicaid agencies are permitted under the
QSO exception to disclose part 2 information to third-party payers for
audit or evaluation purposes. These commenters also suggested that
Medicaid and other third-party payers may use (third-party) contractors
and vendors to assist beneficiaries and perform such activities as
program integrity activities. The commenters argued that the QSO
exception described above should include communications between third-
party payers such as Medicaid agencies and other holders of part 2 data
and QSOs to help ensure ``operational efficiency.'' Another commenter
suggested that the revisions concerning the auditing process and
Participation Agreements would be too burdensome, and would be
inconsistently applied because Medicare and Medicaid do not have to
comply with the auditing requirements, whereas providers do. Further, a
couple of commenters stated that part 2 programs would be confused in
[[Page 6103]]
attempting to decipher which organizations have Participating
Agreements with CMS in place, further exacerbating the existing
compliance issues with part 2. A commenter requested that SAMHSA
clarify whether Medicaid program ACOs and external quality review
organizations (EQRO) are considered ``CMS-regulated'' for the purposes
of permitted disclosures. The commenter suggested that Medicaid program
entities should be considered CMS-regulated entities.
SAMHSA Response
A QSO is an individual or entity that provides a service to a part
2 program consistent with a QSOA (see Sec. Sec. 2.11, Definitions;
2.12(c)(4), Applicability). A QSOA is a two-way agreement between a
part 2 program and the individual or entity providing the desired
service. Therefore, to be a QSO, the contracted entity must be
providing the service to a part 2 program. The QSOA authorizes
communication only between the part 2 program and QSO. Third-party
payers, such as Medicaid, are not considered part 2 programs as defined
in this rule, and are not eligible to have QSO through a QSOA. That
said, comments to the proposed rule raised questions that indicate that
there may be varying interpretations of the current (1987) part 2
rule's restrictions regarding the use of contractors/subcontractors in
contexts other than the QSO context, such as the sharing of part 2
information by third-party payers with contractors and subcontractors
to carry out activities related to audit and evaluation and program
integrity, and we intend to address such scenarios with greater clarity
in an SNPRM.. As stated under Sec. 2.12(a)(1), Restrictions on
disclosures, the restrictions on disclosures in these regulations apply
to any information, whether recorded or not, which would identify a
patient as having or having had a substance use disorder either
directly, by reference to publicly available information, or through
verification of such information by another person. Patient identifying
information that has been rendered non-identifiable in a manner that
creates a very low risk of re-identification may be disclosed.
With regard to the concern that the proposed revisions to Sec.
2.53 would be burdensome and create confusion when part 2 programs have
to determine who has a Participation Agreement or similar documentation
in place, CMS-regulated entities that, among other requirements, are
subject to periodic evaluations by CMS or its agents, or are required
by CMS to evaluate participants in the ACO or similar CMS-regulated
organization (including a CMS-regulated QE) relative to CMS-defined or
approved quality and/or cost measures should be able to produce
evidence that they have Participation Agreements or similar
documentation in place with CMS if requested by a part 2 program.
As to whether Medicaid program ACOs and EQROs are considered ``CMS-
regulated,'' this rule explicitly states that ACOs and similar
organizations regulated by CMS may, subject to certain conditions,
disclose or require participants in the organization to disclose part
2-covered information in order for the organization to meet CMS audit
and evaluation requirements. Other entities may also be considered
``CMS-regulated'' depending on the particular circumstances, for
example, as a result of their direct supervision by CMS, the
establishment by CMS of regulations governing their conduct or
qualification, or, in the case of Medicaid and CHIP-related entities,
CMS' approval of state plans or waivers and supervision of the state
agencies. Medicaid program ACOs and EQROs do fit within the entities
covered by the audit and evaluation provisions of the part 2 program.
SAMHSA may further elaborate on this topic in subregulatory guidance
issued following the publication of the final rule.
Public Comments
A few commenters provided input on SAMHSA's proposal to permit
audit or evaluation necessary to meet the requirements of a CMS-
regulated ACO or similar CMS-regulated organization (including a CMS-
regulated QE), under certain conditions. A couple of commenters
recommended that SAMHSA modify part 2 to permit CMS to provide all
claims with substance use disorder treatment information through the
Claim and Claim Line Feed (CCLF) file so patients can receive
comprehensive, quality treatment and programs can operate more
efficiently and effectively. The commenters suggested that because 42
U.S.C. 290dd-2(b)(2)(B) permits substance use disorder treatment
program to disclose treatment records without the consent of the
patient for the purpose of audits or evaluation; Sec. 2.53 of the
proposed rule also permits substance use disorder treatment programs to
disclose treatment records to ACOs or other CMS-regulated organizations
to allow the organizations to meet CMS's audit and evaluation
requirements for participation; therefore the provision could be
expanded, or clarified, to also permit CMS to disclose substance use
disorder treatment information to ACOs and bundled payment participants
for audit and evaluation activities. Another commenter expressed
concern about the expansion of the part 2 audit and evaluation
exception to include ACOs, because ACOs are continually ``auditing''
programs as a continual process of evaluating and monitoring and part
2's language makes clear that an audit or evaluation is a time-limited
activity that is not intended to permit ongoing access to program
records. This commenter asserted that the part 2 audit and evaluation
exception should not be allowed to result in a practice that
circumvents the need to obtain a patient's consent to access their
information.
One commenter noted that CMS's application of part 2 in its removal
of substance use disorder treatment information from the monthly CCLF,
in which CMS redacts any claim submitted by any provider where a
substance use disorder is either the principal or secondary diagnosis,
causes CMS to remove claims from the CCLF file that are not produced by
federally assisted substance use disorder treatment programs. The
commenter urged SAMHSA to work with CMS to develop a pathway to include
substance use disorder treatment information in the CCLF data file.
SAMHSA Response
CMS may disclose patient identifying information to a CMS-regulated
ACO or similar CMS-regulated organization (including a CMS-regulated
QE) for Medicare audit and evaluation purposes pursuant to Sec.
2.53(c), which provides that ``[p]atient identifying information, as
defined in Sec. 2.11, may be disclosed under paragraph (c) of this
section to any individual or entity for the purpose of conducting a
Medicare, Medicaid, or CHIP audit or evaluation. . . .'' Neither the
statute nor the part 2 regulations define audit or evaluation. However,
under this section of the audit and evaluation exception, the purpose
of the disclosure must be to conduct a Medicare, Medicaid, or CHIP
audit or evaluation. This may include audit or evaluation activities,
such as reviews of financial performance or the quality of health care
services delivered, undertaken by the CMS-regulated organization itself
to review its own performance. The exception does not cover any
activities conducted by ACOs that may not be reasonably construed as
being related to such a purpose.
Public Comments
Commenters provided other recommendations related to this section.
A commenter suggested that Sec. 2.53(d) should be revised to permit
disclosure
[[Page 6104]]
of patient information to entities that have administrative control
over auditors. Another commenter suggested that SAMHSA consider
allowing ``lawful holders'' the ability to share information for audit
and evaluation services, with the agreement that the service provider
must adhere to part 2.
Another commenter recommended that SAMHSA convene a group of state,
local, and provider representatives to develop draft guidance.
SAMHSA Response
Regarding the suggestion that Sec. 2.53(d) should be revised to
permit disclosure of patient information to entities that have
administrative control over auditors, except as provided in Sec.
2.53(c), patient identifying information disclosed under this section
may be disclosed only back to the program from which it was obtained
and used only to carry out an audit or evaluation purpose or to
investigate or prosecute criminal or other activities, as authorized by
a court order entered under Sec. 2.66.
As recommended by a commenter, SAMHSA plans to develop and publish
subregulatory guidance regarding the application of Sec. 2.53 audit
and evaluation disclosures after publication of this final rule.
P. Other Public Comments on the Proposed Rule
1. Requests To Extend the Public Comment Period
Public Comments
Several commenters requested extension to the public comment
period. Commenters stated the complexity and importance of the rule
warranted additional time for reflection and comment. A few commenters
requested that the comment period be extended for one year to allow for
a more open process. A couple of commenters suggested that in addition
to extending the comment period for one year, public hearings also be
held across the county.
SAMHSA Response
While SAMHSA recognizes that the issues addressed in the part 2
NPRM are complex and important, we concluded that the 60-day comment
period was sufficient to provide the public a meaningful opportunity to
comment, and this conclusion is supported by the hundreds of complex
and thoughtful comments received. Additionally, the NPRM was available
to the public for a preliminary review on the Federal Register Web site
upon submission of the NPRM to the Federal Register, which was several
days prior to publication, thereby providing stakeholders additional
time prior to the publication date. Finally, on June 11, 2014, SAMHSA
held a public listening session and, invited through a Federal Register
notice, general comments, as well as comments on six key provisions of
42 CFR part 2.
2. Rulemaking Process
Public Comments
One commenter expressed concern that SAMHSA did not summarize or
address specific comments from stakeholders who participated in the
public listening sessions.
Another commenter said that the part 2 changes should move forward
but should be monitored and modified accordingly over the next two to
three years.
SAMHSA Response
SAMHSA will undertake further rulemaking as necessary and intends
to respond to issues raised with respect to the part 2 regulations, as
they have in the past, through subregulatory guidance.
SAMHSA considered all comments received in the June 2014 public
Listening Session on the part 2 regulations. As explained in the NPRM,
feedback from the Listening Session was considered and helped to inform
the development of the February 2016 NPRM (see 81 FR 6988, 6993).
SAMHSA posted all comments received in response to the Listening
Session Federal Register Notice on its Web site: https://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations.
3. Implementation Timeline and Other Barriers to Implementation
Public Comments
To allay privacy concerns, a commenter said that SAMHSA should
delay the proposed part 2 changes to further develop its Consent2Share
application and encourage wider adoption. Similarly, a commenter
recommended further testing and evaluation on IT solutions before
issuing part 2 changes. This commenter further urged SAMHSA to address
these issues in the final rule by specifically detailing a process for
updating the Consent2Share tool so that its design specifications
remain compatible with the rapidly advancing and very fluid EHR design
landscape.
SAMHSA Response
SAMHSA declines to accept these recommendations to delay
publication of a final rule pending technology developments or
Congressional action. Technology adoption is an ongoing process, and
the majority of current EHR and HIE applications may not have the
capability to support the DS4P initiative. In addition, paper records
are still used today in some part 2 programs and shared through
facsimile (FAX). In addition, SAMHSA's publication of a final rule
would not prevent further Congressional action with respect to part 2.
Public Comments
One commenter expressed concern that applying electronic data
segmentation in conjunction with patient privacy preferences can
significantly increase the complexity of the workflow process and have
unintended consequences on system performance and response times at the
point of care. The commenter recommended that SAMHSA, in conjunction
with other federal agencies, advisory bodies, such as the National
Committee on Vital and Health Statistics (NCVHS), and public and
private stakeholders should convene public discussions to evaluate the
possibility of data segmentation standards in electronic systems, the
benefits and potential unintended consequences that may result, along
with the associated costs and anticipated consumer uses of such
standards and processes.
In addition to the technical challenges, a commenter said that
SAMHSA should recognize other barriers to implementation of part 2
changes, including complexity in navigating individual state
regulations, challenges around mapping to clinical codes, and lack of a
standardized service discovery mechanism to ensure capability of
exchanging systems to evaluate the ability to receive and interpret a
tagged document.
SAMHSA Response
SAMHSA recognizes the concerns expressed by the commenter; however,
SAMHSA's jurisdiction is limited to those regulations over which it has
authority. We note that the part 2 regulations permit, but do not
require, data segmentation.
4. Educational Opportunities
Public Comments
Some commenters urged SAMHSA to provide trainings/webinars and
technical assistance after the final rule is adopted so that substance
use disorder providers, other health care providers, and patients will
understand the changes to ensure compliance with the rule. Expressing
concern that many people will not understand the idea of
[[Page 6105]]
an HIE or a registry, one commenter suggested creating paid space for a
nurse visit to walk a consumer through the consent.
A few commenters encouraged SAMHSA to invest in provider and
patient education efforts on the value of integrated care, the role of
information sharing in enabling integrated care, how the consent
process works, patient rights under 42 CFR part 2, and the implications
of providing consent to share personal health information.
A commenter encouraged SAMHSA to continue its efforts to provide
guidance as to how part 2's requirements can be incorporated into HIE
systems, suggesting that many of the perceived part 2 issues can be
resolved by proper education regarding the actual requirements and how
information can be exchanged pursuant to part 2 with little, if any,
additional effort if proper operational practices are utilized by
health care providers and management organizations.
One commenter suggested that SAMHSA establish a consumer engagement
committee or seek input from an existing national consumer advisory
council to support part 2 programs in complying with certain areas of
the rule, such as developing user-friendly consent forms and crafting
educational materials for patients. One commenter suggested that SAMHSA
contract with the Legal Action Center to create a webinar or FAQ to
provide guidance to community health centers and other ``multi-use''
organizations as to the applicability of part 2.
Another commenter recommended that SAMHSA develop educational
materials targeted at pharmacists because of the pharmacy profession's
growing role in substance use disorder treatment.
SAMHSA Response
SAMHSA appreciates these comments on educational opportunities and
plans to address specific commenter requests in subregulatory guidance
after the publication of the final rule. SAMHSA will consider
additional educational activities, such as trainings, webinars, and
establishing engagement committees, should SAMHSA determine the need
during implementation of the final rule.
5. Increased Enforcement
Public Comments
Some commenters urged SAMHSA to ensure that part 2 provides for
meaningful enforcement and penalties, with a few reasoning that the
rule would create new avenues for the exchanges of patients' substance
use disorder information, especially to other parts of the health care
system that may have little to no experience treating substance use
disorder or complying with part 2. One of these commenters asserted
that fines imposed for part 2 violations are so minimal that they are
not a deterrent to intentional or accidental violations. A commenter
suggested that SAMHSA adopt the HIPAA penalties contained in the HITECH
Act and specify that any disclosures of information in violation of
this statute must be excluded from evidence and deemed inadmissible for
use in any administrative, civil, or criminal proceeding.
Urging SAMHSA to review and correct the enforcement concerns of the
underlying statute, one commenter argued that the current
confidentiality obligations have questionable enforcement authority
because there is no express provision in Title 18 pertaining to the
confidentiality of drug and alcohol treatment records. Although the
original part 2 underlying statute set forth specific fines, the
commenter explained that a subsequent revision (by Pub. L. 102-321)
eliminated the fines leaving only a reference to Title 18. Moreover,
the commenter said that by the proposed transfer of the existing
enforcement authority from FDA to SAMHSA, the proposed rule appears to
remove enforcement authority that actually exists to a potential state
of unenforceability. Similarly, another commenter stated that SAMHSA
does not have legislative authority to impose penalties for disclosure.
No mention of privacy law violation fines, penalties, or offenses exist
in Title 18. Thus, the current confidentiality obligations have no
enforcement authority. The commenter stated that entities receiving
unauthorized information would likely not be subject to penalties
unless a common law breach of privacy lawsuit is filed.
SAMHSA Response
The Department of Justice is responsible for enforcing violations
of 42 CFR part 2 in accordance with Title 18 of the United States Code.
Title 42 U.S.C. 290dd-2 provides that ``[a]ny person who violates any
provision of [the] section or any regulation issued pursuant to [the]
section shall be fined in accordance with title 18.'' Reports of
violation of the regulations may be directed to the United States
Attorney's Office (USAO) for the judicial district in which the
violation occurs or may be directed to SAMHSA for possible referral to
the relevant USAO. A report of any violation of these regulations by an
opioid treatment program may be directed to the relevant USAO as well
as the SAMHSA office for opioid treatment program oversight, pursuant
to 42 CFR part 8.
6. Other Miscellaneous Comments on the Proposed Rule
Public Comments
A commenter suggested that SAMHSA revise the title of part 2 to
``Confidentiality of Patient Records Relevant to Substance Use
Disorders and Associated Behavioral Diagnoses,'' to ensure person-
centered language is used.
SAMHSA Response
To be consistent with recognized classification manuals, current
diagnostic lexicon, and commonly used descriptive terminology, SAMHSA
proposed to refer to alcohol abuse and drug abuse collectively as
``substance use disorder,'' and, for consistency, proposed to revise
the title of 42 CFR part 2 from ``Confidentiality of Alcohol and Drug
Abuse Patient Records'' to ``Confidentiality of Substance Use Disorder
Patient Records.''
Public Comments
Some commenters made specific suggestions or requested
clarification regarding parts of the part 2 regulations that were not
the subject of the proposed changes in the NPRM. For example,
commenters addressed Sec. Sec. 2.14 (Minor patients), 2.20
(Relationship to state laws), and 2.21 (Relationship to federal
statutes protecting research subjects against compulsory disclosure of
their identity).
SAMHSA Response
SAMHSA acknowledges commenters' questions and suggestions relating
to all aspects of the part 2 regulations. However, for purposes of this
final rule, SAMHSA generally considered comments submitted on
provisions for which changes were not proposed in the February 2016
NPRM to be outside of the scope of this rulemaking. SAMHSA will take
such comments and recommendations under advisement and may issue
subregulatory guidance in the future to address some of these issues
brought up by commenters.
Public Comments
Another commenter also urged SAMHSA to work with CMS to ensure that
when proper criteria are met, such as through a QSOA and/or a signed
consent form, patient substance use claim information is available to
ACOs through their CCLF files. Asserting that it is a major blind spot
in the ability of an ACO to manage total care if it does
[[Page 6106]]
not have data on substance use disorder data, a commenter encouraged
SAMHSA to work with CMS on ways to effectively manage substance use
disorder care within the administration of the ACO program. One
commenter suggested that SAMHSA work with federal agencies, states,
localities, and providers to identify the cost/burden of the rule on
entities and professionals. The commenter also recommended that SAMHSA
work with the CMS and the Office of the National Coordinator for Health
Information Technology (ONC) to align the rule with guidance permitting
the HITECH enhanced funding for administrative costs to other
providers.
SAMHSA Response
SAMHSA will continue to work with CMS and its other federal
partners to ensure the effective and timely implementation of the part
2 final rule.
Public Comments
Because a state provides health care, including federally funded
substance use disorder treatment programs, to inmates in the state jail
system, a commenter stated that the part 2 regulations impact the
methods by which care is coordinated for inmates and urged SAMHSA to
consider part 2's impact on incarcerated populations.
SAMHSA Response
SAMHSA considered how the regulations would impact part 2 programs
and lawful holders of patient identifying information, as well as other
stakeholders. All part 2 programs and other lawful holders of patient
identifying information must comply with part 2. If a jail or prison
meets the definition of a part 2 program, it would be required to
comply with part 2.
Public Comments
One commenter stated that there should be an option for the patient
to have the ability to remove their substance use disorder history from
their medical record after a ten-year minimum time period.
SAMHSA Response
Although SAMHSA is not prescribing any specific retention period,
the expectation is the both paper and electronic records would comply
with applicable federal, state, and local retention laws.
Public Comments
A commenter requested that SAMHSA provide a description of 42 CFR
part 2-covered entities similar to the designation under HIPAA.
SAMHSA Response
SAMHSA may address applicability in subregulatory guidance or in
subsequent rulemaking.
VI. Rulemaking Analyses
A. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA), agencies are
required to provide a 60-day notice in the FR and solicit public
comment before a collection of information requirement is submitted to
the Office of Management and Budget (OMB) for review and approval. We
provided for this comment period as part of the NPRM. The part 2
information collections are approved under OMB Control No. 0930-0092,
and SAMHSA will shortly submit the changes associated with this rule to
OMB for review.
This rule includes changes to information collection requirements,
that is, reporting, recordkeeping or third-party disclosure
requirements, as defined under the PRA (5 CFR part 1320). Some of the
provisions involve changes from the information collections set out in
the previous regulations. Information collection requirements are: (1)
Section 2.13(d)--Disclosure: Requires entities named by patients using
general designation under Sec. 2.31(a)(4)(iv)(C) to provide a list of
entities to which the patient's information has been disclosed to
participants pursuant to the general designation, (2) Section 2.22--
Disclosure: Requires each program notify each patient that federal law
and regulations protect the confidentiality of substance use disorder
patient records and provide a written summary of the effect of this law
and these regulations, (3) Section 2.51--Recordkeeping: This provision
requires the program to document a disclosure of a patient record to
authorized medical personnel in a bona fide medical emergency as
defined in Sec. 2.51. The regulation is silent on retention period for
keeping these records as this will vary according to state laws. It is
expected that these records will be kept as part of the patients'
health records. The major change from current (1987) regulations is the
list of disclosures requirement at Section 2.13(d). SAMHSA proposed
that entities named on a consent form that disclose patient identifying
information to their participants under the general designation must
provide patients, upon request, a list of entities to which their
information has been disclosed pursuant to a general designation (i.e.,
list of disclosures). Impact of this provision is noted below. SAMHSA
notes that entities are not required to use the general designation
permitted under Sec. 2.31(a)(4)(iii)(B)(3)(i).
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered in rulemaking. The NPRM solicited comments
on PRA issues. Commenters did not raise concerns regarding the burden
for information collection requirements for the recordkeeping and
notification provisions above. Though commenters expressed concern
about some aspects of the list of disclosures requirements, these
comments did not suggest that the burden of information collection
would increase for 42 CFR part 2-compliant entities. Indeed, one
commenter noted that current practice for many facilities to maintain
both paper and electronic records may be both burdensome and
inefficient. By promoting use of EHRs, changes in this rule may help to
improve efficiency for providers. Some commenters also hypothesized
that complying with the list of disclosures requirement would require
such steps as developing a tracking system; or manual review or audit
of all records; and mailing of letters through U.S. mail. Entities
should already be collecting and retaining information needed to comply
with the list of disclosures requirement. The final rule does not
impose requirements to manually review all records, mail letters using
the U.S. Postal Service or develop a tracking system specifically to
comply with the list of disclosures provisions. For instance, we note
below that entities could comply with the List of Disclosures
requirement by either collecting this information electronically by
using audit logs to obtain the required information or by keeping a
paper record. Similarly, we point out that list of disclosures may be
transmitted through such methods as mail or email or through other
means preferred by the patient. We discuss the list of disclosures
requirements further in the impact analysis section below.
Annual burden estimates for these requirements are summarized in
the table below:
[[Page 6107]]
Table 2--Annual Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
Annual number
of Responses per Total Hours per Total hour Hourly wage Total cost
respondents respondent responses response burden cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
Disclosures
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.13 (d)......................... \1\ 19,548 1 19,548 \2\ 4.15 81,124 \3\ $36.9175 $2,995,000
42 CFR 2.22............................. \4\ 12,034 155 \5\ 1,861,693 .20 372,338.6 \6\ 40.26 14,990,000
--------------------------------------------------------------------------------------------------------------------------------------------------------
Recordkeeping
--------------------------------------------------------------------------------------------------------------------------------------------------------
42 CFR 2.51............................. 12,034 2 24,068 .167 4,019 \7\ 34.16 137,000
---------------------------------------------------------------------------------------------------------------
Total............................... \8\ 31,582 .............. 1,905,309 .............. 457,482 .............. 18,123,000
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the
total number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests
equal the average of the total number of requests for a 0.1 percent request rate and a 2 percent request rate. SAMHSA notes that this estimate
reflects the number of patient requests rather than the number of impacted entities as some entities may receive more than one request.
\2\ The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3
hours for entities that produce such a list from paper records. Because 90 percent of entities are estimated to collect the information electronically
using an audit log and 10 percent are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 x
4 hours) + (0.1 x 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated
time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
\3\ The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of
disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of
disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor
Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071,
31-9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\4\ The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National Survey of Substance Abuse Treatment Services (N-SSATS).
The estimated annual number of respondents, 12,034, is based on N-SSATS data and reflects facilities receiving federal funding. However, under N-SSATS
an organization may complete survey responses for multiple facilities.
\5\ The average number of annual treatment admissions from SAMHSA's 2010-2012 TEDS.
\6\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
Classification code (21-1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\7\ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations
Classification code (43-0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
\8\ The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of
disclosures.
As described in greater detail in Section VI.B, Regulatory Impact
Analysis, the respondents for the collection of information under Sec.
2.22 and 2.51 are publicly (federal, state, or local) funded, assisted,
or regulated substance use disorder treatment programs. The estimate of
the number of such programs (respondents) is based on the results of
the 2013 N-SSATS, and the average number of annual total responses is
based on 2010-2012 information on patient admissions reported to the
Treatment Episode Data Set (TEDS), approved under OMB Control No. 0930-
0106 and OMB Control No. 0930-0335.
The respondents for the collection of information under Sec.
2.13(d) are entities named on the consent form that disclose
information to their participants pursuant to the general designation.
These entities primarily would be organizations that facilitate the
exchange of health information (e.g., HIEs) or coordinate care (e.g.,
ACOs, CCOs, and CPCMHs), but other organizations, such as research
institutions, also may disclose patient identifying information to
their participants (e.g., clinical researchers) pursuant to the general
designation on the consent form. Because there are no definitive data
sources for this potential range of organizations, we are not
associating requests for a list of disclosures with any particular type
of organization. Consequently, the number of organizations that must
respond to list of disclosures requests is based on the total number of
requests each year.
B. Regulatory Impact Analysis
1. Public Comments on Notice of Proposed Rulemaking Regulatory Impact
Analysis
a. Support for Cost Estimates
Public Comments
SAMHSA received roughly 376 comments on the proposed rule. However,
relatively few comments focused on the Regulatory Impact Analysis. We
respond to these comments below and have made changes in our analysis,
when appropriate, to reflect these comments.
A few commenters suggested that the estimated costs outlined by
SAMHSA in the proposed rule are in line with actual costs. For
instance, one commenter suggested that the estimated total cost of $239
million over 10 years would not be unduly burdensome and would improve
patient care and safety. A commenter stated that costs would be minimal
for integrating the requirement properly to sanitize and dispose of
records into training and instruction. Another commenter stated that
the costs related to modifying release forms and training staff would
be absorbed by organizations and would not impact business processes.
Explaining that in order to reflect the revision in title of 42 CFR
part 2, a modification of the printed and on-line versions of
applicable CFR Titles would be necessary, a commenter concluded that
because of regular updates to CFRs, the incorporation of amendments
made as part of this rule should not result in a significant economic
impact.
SAMHSA Response
SAMHSA acknowledges and appreciates the comments received that
expressed support for the cost estimates in the NPRM. Though SAMSHA
does not attempt in this rule to quantify benefits, it is important to
note that updates to 42 CFR part 2 may result in long-term cost savings
as well due to improved care coordination and integration and more
efficient use of data for research and performance improvement
purposes.
b. Assertions That SAMHSA Underestimated Costs
Public Comments
Some commenters generally asserted that the compliance and
implementation costs were underestimated. One commenter suggested that
cost effectiveness of complying with the proposed regulation will
impact members and patients because of the additional costs associated
with implementation (e.g., outreach and education, changes to
[[Page 6108]]
consent forms), which undermines care coordination and effective
delivery of services. Another commenter suggested that the projected
costs of complying with part 2 should include costs for other
institutions that are affected with re-disclosure of the provision;
costs to individual practitioners or health organizations with few
clinicians that fall under part 2; vendor-related costs; costs for
software development and upgrades should be added to the costs of
electronic record purchase and maintenance; cost to HIE; and costs to
hire administrative staff.
A few commenters suggested that the estimated $8,000 cost per
facility to implement consent management was too low, failing to
reflect fully development, testing and process costs. One commenter
suggested that the estimated $8,000 cost per facility to implement
consent management likely does not consider vendor-related costs such
as development, testing, training, adoption and process modifications
that may need to occur, only the cost of the infrastructure investment.
Commenters urged SAMHSA and federal partners to consider funding HIT
adoption by behavioral health providers. Another commenter stated that
the proposed rule underestimated the cost of scaling efforts to
integrate DS4P and Consent2Share, including upgrades and iterations
across EHR products. Commenters also suggested SAMHSA modify its DS4P
efforts to reflect updated 42 CFR part 2 requirements. Lastly, a
commenter suggested that the estimate of $8,000 to comply with the
proposal underestimates the costs for existing pharmacy management
systems to add new functionality and applications and does not include
other software or security requirements, training, or other
implementation costs associated with the proposed rule. Another
commenter generally suggested that the estimated cost burden of
transitioning to a new consent form will be greater than proposed in
the proposed rule.
Several commenters mentioned other specific areas in which SAMHSA
underestimated costs. One commenter suggested that the costs estimated
related to EHR customizations are underestimated because there is no
current standard interoperability within EHRs that address part 2
information. Another commenter also shared their own experience in
which they estimated a cost of $30,000 to comply with 42 CFR part 2
when including 2 substance use specialists as part of an integrated
treatment model using an electronic health record. This commenter
asserted based on their own experience that if small entities attempt
to develop integrated substance use disorder treatment programs they
may face similar costs, including information technology time and
efforts to modify EHRs to include restrictions on sharing of 42 CFR
part 2 information in an integrated setting prohibitive. Another
commenter stated that time, resources and training would be required to
implement proposed changes to Sec. Sec. 2.12, 2.31, and 2.32, and that
personnel and financial constraints are common within the health care
industry. The commenter estimated that the ability to adapt currently
used electronic health records to segregate certain patient information
will also take considerable effort and time. A commenter stated that
the proposed cost analysis associated with staff training is inaccurate
because it assumes that only substance use disorder counselors would
need training when, in actuality, other fields would also need to be
trained because they could potentially become lawful holders of the
patient information (e.g., social work, psychology, medicine, managed
care, HIE, research organizations). The commenter added that additional
work will be needed to redact patient records to be in compliance with
the data sharing elements related to information that could identify a
patient as a substantive abuse disorder patient. A commenter stated
that the cost to organizations to comply with the requirement for U.S.
mail transmissions will be significant.
SAMHSA Response
Though commenters suggested anecdotally that SAMHSA underestimated
the burden of 42 CFR part 2-compliance, SAMHSA notes the availability
of data segmentation tools such as Consent2Share, an open source tool
for consent management that is compliant with 42 CFR part 2. As noted
above (in Section V.J.1.c), SAMHSA will be shortly releasing an updated
version of Consent2Share with improved functionality and ability to
meet the list of disclosures requirements. Provided that a facility
already is using electronic health records and can partner with a
health information exchange using Consent2Share or similar software,
SAMHSA believes based on current efforts to pilot an updated version of
Consent2Share that a cost of between $6,000 and $10,000 is reasonable.
At the individual clinic level, initial set-up, training and testing
are expected to constitute the main expenses. D4SP, Consent2Share, and
similar tools make it feasible for entities to comply with updated 42
CFR part 2 requirements at reasonable cost.
While we acknowledge comments that entities other than those
directly subject to this rule may be impacted by its provisions,
including vendors of EHR products, such impacts are outside the scope
of the regulation. We do not mandate vendors to perform additional
activities. Nonetheless, SAMHSA will monitor such impacts and, to the
extent feasible, work with stakeholders and federal partners to develop
fact sheets and other materials to assist in outreach to patients and
others about changes made in this rule. Likewise, while SAMHSA is
unable to directly fund updates to EHRs, SAMHSA continues to work
closely with ONC and others to ensure inclusion of behavioral health
providers in ongoing information technology programs (See https://www.samhsa.gov/health-information-technology/samhsas-efforts; https://www.healthit.gov/policy-researchers-implementers/behavioral-health).
We acknowledge that the cost of updating consent forms may be
greater than we had proposed and have made changes to our cost
estimates in this final rule to reflect the need to update forms to
meet new requirements. We note that most of these costs may only need
to be incurred once and in the past some organizations have made sample
template forms and materials available (See e.g., https://lac.org/resources/substance-use-resources/confidentiality-resources/sample-forms-confidentiality/). SAMHSA may, at a future time, develop sample
templates and forms to ease compliance costs.
c. Other Comments on Costs
Public Comments
Some commenters said existing functionalities within EHR systems
and consent management tools do not easily separate or redact substance
use disorder information from general medical information when such
systems are shared across an integrated health system. Similarly,
commenters expressed concern that the proposed rule could have the
opposite effect of its intended purpose by causing HIEs to exclude part
2 information from information exchanges entirely since most HIEs and
EHRs today do not support data segmentation. Asserting that the
proposed part 2 changes would require HIEs to create an architecture
for data management that provides for the segmentation of substance use
disorder and general behavioral health data from physical health care
data, including a way to have consent operate differently in each of
the environments, one commenter asserted that this is a costly
challenging administrative burden that
[[Page 6109]]
does nothing to promote the sharing of information between all
necessary providers for the integration of coordination of care.
A commenter suggested that the financial burden of the proposed
rule would vary depending on the size or complexity of the covered
entity.
Another commenter asserted that the rule should not be adopted
because it would result in increased health care costs. The commenter
stated that SAMHSA is not able to estimate additional costs that are
likely to occur when adding sensitive substantive abuse disorder
treatment information of patients to electronic health information
systems without patient consent (e.g., additional security, costs
related to breaches, class action lawsuits for breached information,
and loss of business due to breaches). The commenter concluded that,
because these costs do not provide additional substance use disorder or
health care services, and instead remove dollars from health care
services, the proposed rule is in conflict with SAMHSA's proposed goal
of reducing unnecessary health care costs.
SAMHSA Response
SAMHSA agrees that costs may vary based on an institution's size,
complexity and patient population served. However, we anticipate that
over time compliance costs will drop significantly as institutions
implement initial compliance efforts. SAMHSA notes that EHRs already
are widely used in many health care settings with no evidence of class
action lawsuits, loss of business or other speculative impacts (see
e.g., https://dashboard.healthit.gov/quickstats/quickstats.php). Though
SAMHSA is concerned about health care costs, the use of EHRs is likely
both to improve care and reduce costs over time. Changes made in this
rule will help to support EHR adoption and integration of care. Though
in general EHR adoption among behavioral health providers lags behind
that of other health care providers, forthcoming N-SSATS data reflect
that more than 25 percent of surveyed substance use disorder treatment
facilities used EHRs only and more than half use EHRs and paper-based
records. Such growing adoption by substance use disorder treatment
facilities reflects that EHR use is consistent with good quality of
care and 42 CFR part 2 compliance.
2. Statement of Need
This final rule reflects changes in the health care system and
behavioral health, such as the increasing use of electronic health
records and drive toward greater integration of physical and behavioral
health care. Despite efforts to enhance integration and coordination of
care, however, it remains important to ensure persons seeking treatment
for substance use disorders can remain confident as to the safeguarding
of their medical information. This rule updates 42 CFR part 2 to
balance these important needs.
3. Overall Impact
SAMHSA examined the impacts of this final rule as required by
Executive Order 12866 on Regulatory Planning and Review (September 30,
1993), Executive Order 13563 on Improving Regulation and Regulatory
Review (January 18, 2011), the Regulatory Flexibility Act (RFA)
(September 19, 1980, Pub. L. 96-354), Section 1102(b) of the Social
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism
(August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)).
Executive Orders 12866 and 13563 direct agencies to assess all costs
and benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). Section 3(f) of Executive
Order 12866 defines a ``significant regulatory action'' as an action
that is likely to result in a rule: (1) Having an annual effect on the
economy of $100 million or more in any one year, or adversely and
materially affecting a sector of the economy, productivity,
competition, jobs, the environment, public health or safety, or state,
local or tribal governments or communities (also referred to as
``economically significant''); (2) creating a serious inconsistency or
otherwise interfering with an action taken or planned by another
agency; (3) materially altering the budgetary impacts of entitlement
grants, user fees, or loan programs or the rights and obligations of
recipients thereof; or (4) raising novel legal or policy issues arising
out of legal mandates, the President's priorities, or the principles
set forth in the Executive Order.
A regulatory impact analysis must be prepared for major rules with
economically significant effects ($100 million or more in any one
year). This rule does not reach the economic threshold and thus is not
considered to be an economically significant rule. However, because
this rule raises novel policy issues arising out of legal mandates, the
rule is considered ``a significant regulatory action,'' this regulatory
impact analysis has been prepared, and the rule has been reviewed by
OMB.
When estimating the total costs associated with changes to the 42
CFR part 2 regulations, we assumed five sets of costs: updates to
health IT systems costs, costs for staff training and updates to
training curriculum, costs to update patient consent forms, costs
associated with providing patients a list of entities to which their
information has been disclosed pursuant to a general designation on the
consent form (i.e., the List of Disclosures requirement), and
implementation costs associated with the List of Disclosures
requirements. We assumed that costs associated with modifications to
existing health IT systems, staff training costs associated with
updating staff training materials, and costs to update consent forms
would be one-time costs the first year the final rule is in effect and
would not carry forward into future years. Staff training costs other
than those associated with updating training materials were assumed to
be ongoing annual costs to part 2 programs, also beginning in the first
year that the final rule is in effect. The List of Disclosures costs
were assumed to be ongoing annual costs to entities named on a consent
form that disclose patient identifying information to their
participants under the general designation. In the NPRM, SAMHSA
proposed to require non-treating providers to implement the List of
Disclosures requirement at any time, but they cannot use the general
designation without being able to provide a List of Disclosures.
Therefore, we assumed that starting in year 1 ten percent of entities
would decide to implement each year, resulting in 100 percent of
entities implementing by year 10. We note that it is possible that some
entities will never implement this requirement and choose to forego use
of the general designation.
We estimated, therefore, that in the first year that the final rule
is in effect, the total costs associated with updates to 42 CFR part 2
will be about $70, 691,000. In year two, we estimate that costs will be
roughly $17,680,000 and increase annually as a larger share of entities
implement List of Disclosures requirements and respond to disclosure
requests. Over the 10-year period of 2016-2025, the total undiscounted
cost of the part 2 changes will be about $241 million in 2016 dollars.
When future costs are discounted at 3 percent or 7 percent per year,
the total costs become approximately $217, 586,000 or
[[Page 6110]]
$193,098,000, respectively. These costs are presented in the tables
below.
Table 3--Total Cost of 42 CFR Part 2 Revisions
[Note: Numbers may not add due to rounding]
[Note that all costs presented in this analysis are rounded to avoid communicating inaccurate levels of precision]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Staff training Consent form List of
Year costs updates disclosures Health IT costs Total costs
--------------------------------------------------------------------------------------------------------------------------------------------------------
[2016 dollars]
--------------------------------------------------------------------------------------------------------------------------------------------------------
(A) (B) (C) (D) (E)
--------------------------------------------------------------------------------------------------------------------------------------------------------
2016..................................................... $15,521,000 $2,104,000 $4,930,000 $48,136,000 $70,691,000
2017..................................................... 12,438,000 0 5,242,000 0 17,680,000
2018..................................................... 12,438,000 0 5,554,000 0 17,992,000
2019..................................................... 12,438,000 0 5,866,000 0 18,304,000
2020..................................................... 12,438,000 0 6,178,000 0 18,616,000
2021..................................................... 12,438,000 0 6,490,000 0 18,928,000
2022..................................................... 12,438,000 0 6,802,000 0 19,240,000
2023..................................................... 12,438,000 0 7,114,000 0 19,552,000
2024..................................................... 12,438,000 0 7,426,000 0 19,864,000
2025..................................................... 12,438,000 0 7,738,000 0 20,176,000
Total.................................................... 127,463,000 2,104,000 63,338,000 48,136,000 241,040,000
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 4--Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
[Note: Numbers may not add due to rounding]
----------------------------------------------------------------------------------------------------------------
Total with 3% Total with 7%
Year Total costs annual annual
discounting discounting
----------------------------------------------------------------------------------------------------------------
[2016 dollars]
----------------------------------------------------------------------------------------------------------------
(E) (F) (G)
----------------------------------------------------------------------------------------------------------------
2016................................................... $70,691,000 $70,691,000 $70,691,000
2017................................................... 17,680,000 17,165,000 16,523,000
2018................................................... 17,992,000 16,959,000 15,715,000
2019................................................... 18,304,000 16,751,000 14,941,000
2020................................................... 18,616,000 16,540,000 14,202,000
2021................................................... 18,928,000 16,327,000 13,495,000
2022................................................... 19,240,000 16,113,000 12,820,000
2023................................................... 19,552,000 15,897,000 12,176,000
2024................................................... 19,864,000 15,681,000 11,561,000
2025................................................... 20,176,000 15,463,000 10,974,200
Total.................................................. 241,040,000 217,586,000 193,098,000
Annualized............................................. ................. 25,507,717.01 27,492,811.02
----------------------------------------------------------------------------------------------------------------
Note: Numbers may not add due to rounding.
The costs associated with the proposed revisions stem from staff
training and updates to training curriculum, updates to patient consent
forms, compliance with the List of Disclosures requirement (including
implementation costs), and updates to health IT infrastructure for
information exchange. Based on data from the 2013 N-SSATS, we estimated
that 12,034 hospitals, outpatient treatment centers, and residential
treatment facilities are covered by part 2. N-SSATS is an annual survey
of U.S. substance use disorder treatment facilities. Data is collected
on facility location, characteristics, and service utilization. Not all
treatment providers included in N-SSATs are believed to be under the
jurisdiction of the part 2 regulations. The 12,034 number is a subset
of the 14,148 substance use disorder treatment facilities that
responded to the 2013 N-SSATS, and includes all federally operated
facilities, facilities that reported receiving public funding other
than Medicare and Medicaid, facilities that reported accepting
Medicare, Medicaid, TRICARE, and/or Access to Recovery (ATR) voucher
payments, or were SAMHSA-certified Opioid Treatment Programs. If a
facility did not have at least one of these conditions, it was
interpreted not to have received any federal funding and, therefore,
not included in the estimate. The estimated annual number of
respondents, 12,034, is based on N-SSATS data and reflects facilities
receiving federal funding. However, under N-SSATS an organization may
complete survey responses for multiple facilities it oversees. Thus, an
organization with three facilities may complete three separate surveys.
If an independently practicing clinician does not meet the
requirements of paragraph (1) of the definition of Program they may be
subject to 42 CFR part 2 if they constitute an identified unit within a
general medical facility which holds itself out as providing, and
provides, substance use disorder diagnosis, treatment, or referral for
treatment or if their primary function in the facility or practice is
the provision of such services and they are identified as providing
such services. Due to data limitations, it was not possible to estimate
the costs
[[Page 6111]]
for independently practicing providers covered by part 2 that did not
participate in the 2013 N-SSATS. For example, data from American Board
of Addiction Medicine (ABAM) provides the number of physicians since
2000 who have active ABAM certification. However, there is no source
for the number of physicians who have not participated in the ABAM
certification process. In addition, it is not possible to determine
which ABAM-certified physicians practice in a general medical setting
rather than in a specialty treatment facility that was already counted
in the N-SSATS data.
Several provisions in the NPRM referenced ``other lawful holders of
patient identifying information'' in combination with part 2 programs.
These other lawful holders must comply with part 2 requirements with
respect to information they maintain that is covered by part 2
regulations. However, because this group could encompass a wide range
of organizations, depending on whether they received part 2 data via
patient consent or as a result of one of the limited exceptions to the
consent requirement specified in the regulations, we are unable to
include estimates regarding the number and type of these organizations
and only included part 2 programs in this analysis.
In addition to the part 2 programs described above, SAMHSA proposed
that entities named on a consent form that disclose patient identifying
information to their participants under the general designation must
provide patients, upon request, a list of entities to which their
information has been disclosed pursuant to a general designation (i.e.,
list of disclosures). These entities primarily would include
organizations that facilitate the exchange of health information (e.g.,
HIEs), and may also include organizations responsible for care
coordination (e.g., ACOs, CCOs, and CPCMHs). The most recent estimates
of these types of entities are 67 functional, publicly funded HIEs and
161 functional, privately funded HIEs in 2013.\1\ As of January 2015,
there were an estimated 744 ACOs covering approximately 23.5 million
individuals.\2\ Finally, the National Committee for Quality Assurance
(NCQA) recently noted that there are now more than 10,000 NCQA-
recognized CPCMHs.\3\ While these types of organizations were the
primary focus of this provision on the consent form, other types of
entities, such as research institutions, may also disclose patient
identifying information to their participants (e.g., clinical
researchers) pursuant to the general designation on the consent form.
Because there are no definitive data sources for this potential range
of organizations, we are not associating requests for lists of
disclosures with any particular type of organization. We, instead,
estimate the number of organizations that must respond to list of
disclosures requests based on the total number of requests each year.
a. Direct Costs of Implementing the Proposed Regulations
There is no known baseline estimate of the current costs associated
with 42 CFR part 2-compliance. However, as reflected by commenters who
requested alignment between HIPAA and 42 CFR part 2, HIPAA
authorization and notification requirements have similarities to
requirements of 42 CFR part 2 (see https://www.hhs.gov/hipaa/for-professionals/privacy/). Instead, therefore, in the absence
of data and studies specifically focused on compliance with 42 CFR part
2, SAMHSA has estimated these costs based on a range of published costs
associated with HIPAA implementation and compliance.4 5
i. Staff Training
Because SAMHSA lacks specific data regarding the cost of staff
training to comply with 42 CFR part 2, SAMHSA has examined analogous
HIPAA implementation costs. A Standard HIPAA training that meets or
exceeds the federal training requirements is, on average, one hour
long.\6\ Therefore, we also estimated one hour of training per staff to
achieve proficiency in the 42 CFR part 2 regulations. To estimate the
labor costs associated with staff training, we averaged the average
hourly costs for counseling staff in specialty treatment centers
($20.33 \7\), hospital treatment centers ($21.80 \8\), and solo
practice offices ($24.67 \[9]\). The resulting average wage rate was
$22.27 per hour. In order to account for benefits and overhead costs
associated with staff time, we multiplied the average hourly wage rate
by two. These estimates were only for training costs associated with
counseling staff, who we assume will have primary responsibility for
executing the functions associated with the part 2 revisions.
It is important as well to note that many current staff already
have familiarity with current (1987) 42 CFR part 2 requirements. With
regard to training materials, most part 2 programs are assumed to
already have training curricula in place that covers current (1987) 42
CFR part 2 regulations, and, therefore, these facilities would only
need to update existing training materials rather than develop new
materials. Part 2 entities may determine the content of this training.
The American Hospital Association estimated that the costs for the
development of Privacy and Confidentiality training, which would
include the development of training materials and instructor labor
costs, was $16 per employee training hour in 2000.\[10]\ Because we
assumed that part 2 programs would be updating existing rather than
developing entirely new training materials, we estimated the cost of
training development to be one-half of the cost of developing new
materials, or $8 per employee. Adjusted for inflation,\[11]\ training
development costs in 2016 would be $11.04 per employee.
Using SAMHSA's 2010-2012 TEDS average annual number of treatment
admissions (n=1,861,693) as an estimate of the annual number of
patients at part 2 programs and calculated staffing numbers based on a
range of counseling staff-to-client ratios (i.e., 1 to 10 \[12]\ and 1
to 5 \[13]\ ). Based on these assumptions, staff training costs
associated with part 2 patient consent procedures were projected to
range from $10.3 million to $20.7 million in 2016. We averaged the two
estimated costs for staff training to determine the final overall
estimate of $15,521,000. We assumed the costs associated with updating
training materials will be a one-time cost. Therefore, in subsequent
years, we assumed the costs associated with staff training would be a
function of the average hourly wage rate (multiplied by two to account
for benefits and overhead costs) and the estimated number of staff
(developed based on the same two staff-to-client ratios described above
multiplied by estimated patient counts). Staff training costs
associated with part 2 revisions were projected to range from $8.3
million to $16.6 million after 2016. We averaged the two estimated
costs for staff training to determine the final overall estimate of
$12,438,000.
ii. Updates to Consent Forms
Updates to the 42 CFR part 2 regulations will need to be reflected
in patient consent forms. As there is no literature to date on costs to
update forms for 42 CFR part 2, we examined results from a 2008 study
from the Mayo Clinic Health Care Systems[thinsp]\[14]\ that reported
actuarial costs for HIPAA implementation activities. These costs were
about $1 per patient visit. Adjusted for inflation, costs associated
with updating the patient consent forms in 2016 would be $1.13 per
patient visit. We used the average number of substance abuse treatment
admissions
[[Page 6112]]
from SAMHSA's 2010-2012 TEDS as our estimate of the number of clients
treated on an annual basis by part 2 facilities. The total cost burden
associated with updating the consent forms to reflect to the updated 42
CFR part 2 regulations would be approximately $2,104,000 (1,861,693 *
$1.13).\[14]\
iii. List of Disclosures Costs
The proposed part 2 regulations allow patients who have consented
to disclose their identifying information using a general designation
to request a list of entities to which their information has been
disclosed pursuant to the general designation. Under this final rule,
entities named on a consent form that disclose patient identifying
information to their participants under the general designation will be
required to provide a list of disclosures after receiving a patient
request. Under the List of Disclosures requirements, a patient could
make a request, for example, to an organization that facilitates the
exchange of health information (e.g., an HIE) or an organization
responsible for coordinating care (e.g., an ACO) for a list of
disclosures that would include the name of the entity to whom each
disclosure was made, the date of the disclosure, and a brief
description of the patient identifying information disclosed, and
include this information for all entities to whom the patient
identifying information has been disclosed pursuant to the general
designation in the past two years.
For purposes of the analysis, we assumed that entities disclosing
patient identifying information to their participants pursuant to a
patient's general designation on a consent form are already collecting
the information necessary to comply with the List of Disclosures
requirement, in some form, either electronically or using paper
records. We also assumed that these entities could comply with the List
of Disclosures requirement by either collecting this information
electronically by using audit logs to obtain the required information
or by keeping a paper record. However, to address possible concerns
about technical feasibility and other implementation issues, SAMHSA
finalizes its proposal that the List of Disclosures requirement may be
implemented at any time, but non-treating providers cannot use the
general designation without being able to provide a List of Disclosures
to allow entities collecting this information time to review their
operations and business processes and to decide whether technological
solutions are needed to enable them to more efficiently comply with the
requirement.
In order to make preliminary estimates of the implementation costs,
we first estimated the number of potentially impacted entities based on
the anticipated number of patient requests for a disclosure report in a
calendar year. We used the average number of substance use disorder
treatment admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as
the number of patients treated annually by part 2 programs. We then
used the average of a 0.1 and 2 percent patient request rate as our
estimate of the number of impacted entities (n = 19,548).
From there, we assumed 10 percent of the impacted entities would
use paper records to comply with the disclosure reporting requirements
(n = 1,995) and would have minimal implementation costs. Among the
remaining entities, many may be able to comply with the disclosure
reporting requirements without developing or implementing new
technologies. For entities that do choose to either update their
existing capabilities or develop and implement new technologies to
facilitate compliance, we assumed two sets of costs: (1) Planning and
policy development costs and (2) system update costs. SAMHSA notes that
the Office of the National Coordinator for Health Information
Technology and other organizations are encouraging adoption of
electronic health records to allow providers to access patient records
remotely, improve communication with patients and other providers and
reduce errors (https://www.healthit.gov/providers-professionals/benefits-electronic-health-records-ehrs)). For these reasons, we
believe that the trend toward adoption of electronic health records
will continue.
Absent any data on the number of facilities that would require new
technology or the type of technology to be implemented, we assumed that
twenty-five percent (n = 4,398) of the remaining entities would choose
to upgrade their existing health IT systems. The actual system upgrade
costs will vary considerably based on the type of upgrades that are
required. Some entities may only require minor system updates to
streamline the reporting requirements, while others may choose to
implement an entirely new system. Given these data limitations, we
assumed an average, per-entity cost, of $2,500 for planning development
costs and an average, per-entity cost, of $8,000 for system upgrades
for a total cost of $10,500. We assume that ten percent of entities
will implement each year, resulting in 100 percent of the 4,398
entities having implemented the system planning and upgrades by year
10. The implementation costs for List of Disclosures reporting
compliance in year 1, and each year thereafter, are estimated to be
approximately $4,618,000 ([4,398*0.10] * [8,000+2,500]). We acknowledge
that without better data on the number of facilities that may require
new technology and the number of facilities that would use the general
designation and therefore be required to comply with the list of
disclosures requirement, this approach may overestimate or
underestimate the costs.
As entities begin to comply with the disclosure reporting
requirements, we assumed that the majority of the costs associated with
the List of Disclosures requirement would primarily come from staff
time needed to prepare a list of disclosures upon a patient's request.
We also assumed that the information would need to be converted to a
format that is accessible to patients.
For those entities with a health IT system, we expected that
disclosure information would be available in the system's audit log. We
also assumed that, unless the audit log has some sort of electronic
filtering system, it would contain information above and beyond the
requirements for complying with a request for a list of disclosures. We
had also assumed that the staff accessing and filtering an audit log to
compile the information for lists of disclosures would be health
information technicians. The average hourly rate for health information
technicians is $19.44 an hour.\[15]\ In order to account for benefits
and overhead costs associated with staff time, we multiplied the hourly
wage rate by two. Absent any existing information on the amount of time
associated with producing a list of disclosures from an audit log, we
assumed it would take a health information technician half a day (or 4
hours) on average, to produce the list from an audit log.
For entities using paper records to track disclosures, we expected
that a staff member would need to gather and aggregate the requested
list of disclosures from paper records. We assumed medical record
technicians would be the staff with the primary responsibility for
compiling the information for a list of disclosures. The average hourly
rate for medical record technicians is $19.44 an hour an hour.\[16]\ In
order to account for benefits and overhead costs associated with staff
time, we multiplied the hourly wage rate by two. Absent any existing
[[Page 6113]]
information on the amount of time associated with producing a list of
disclosures from paper records, we assumed it would take a medical
record technician 3 hours, on average, to produce the list from paper
records. \[17]\
The number of requests for a list of disclosures will determine the
overall burden associated with the List of Disclosures reporting
requirements. However, because this is a new requirement, there were no
data on which to base an estimated number of requests per year. We
expected that the rate of requests will be relatively low. We therefore
calculated the total costs for two rates, 0.1 percent and 2 percent of
patients per year.
We used the average number of substance use disorder treatment
admissions from SAMHSA's 2010-2012 TEDS as the number of patients
treated annually by part 2 programs. Assuming that 10 percent of
patients making requests (n = 186.17 to n = 3,723.39) would request a
list of disclosures from entities that track disclosures through paper
records and 90 percent of patients making requests (n = 1,675.52 to n =
33,510.47) would make such a request of entities that track disclosures
through health IT audit logs, the estimated costs to develop lists of
disclosures range from roughly $21,700 to $434,300 for entities using
paper records, and $261,000 to $5,212,000 for entities using audit
logs. (These ranges reflect the costs based on the two estimated
patient rates of request referenced above (i.e., 0.1 percent and 2
percent of patients per year)).
Once a list of disclosures has been produced, it can be returned to
the patient either by email or mail. Since the method of sending the
list of disclosures depends on patient preference, we assumed that 50
percent of the lists of disclosures would be sent by email and 50
percent by first-class mail. We assumed that mailing and supply costs
related to list of disclosures notifications were $0.10 supply cost per
notification and $0.49 postage cost per mailing. We also estimated that
it would take an administrative staff member 15 minutes to prepare each
list of disclosures for mailing and/or transmitting, and that staff
preparing the letters earn $15.34 \[18]\ per hour. In order to account
for benefits and overhead costs associated with staff time, we
multiplied the hourly wage rate by two. The estimated costs for list of
disclosures notifications range from approximately $7, 700 to $154,000
for notifications sent by first-class mail, and $7, 140 to $143, 000
for notifications sent by email.
To produce the final overall cost estimate, we took the average of
the minimum and maximum estimated costs to develop lists of disclosures
by entities collecting the information electronically by using an audit
log, and the average of the minimum and maximum estimated costs to
develop lists of disclosures by entities using paper records. We then
added the averages together to produce our estimate of the total cost
to entities to develop lists of disclosures. Next we took the average
of the minimum and maximum estimated costs for list of disclosures
notifications sent via email and the minimum and maximum estimated
costs for such notifications sent via first-class mail. We then added
these two averages together to produce our estimate of the total cost
to entities for list of disclosures notifications. Finally, the
development and notification costs for these lists of disclosures were
added together for the final estimate of costs associated with
complying with List of Disclosures reporting requirements. The total
cost for List of Disclosures reporting compliance across all entities
was roughly $3,120,000 in 2016 dollars. Complying with List of
Disclosures requirements is assumed to be an ongoing, annual activity
for entities that have completed the system upgrade and comply with the
disclosure requirements. Since we assume 10 percent of entities begin
to comply with the requirements each year, year 1 reporting compliance
costs is roughly $312,000 (3,120,000*0.10) and $624,000 (3,120,
000*0.20) in year 2, and continues to increase each year until year 10
all entities are complying and have annual compliance costs of
$3,120,000
Table 5--Total Estimated Disclosure Reporting Costs in 2018
[Note: Numbers may not add due to rounding]
----------------------------------------------------------------------------------------------------------------
Minimum estimated Maximum estimated Average estimated
cost cost cost
----------------------------------------------------------------------------------------------------------------
Facilities with a Health IT System..................... $261,000 $5,212,000 $2,736,000
Facilities without a Health IT System.................. 21,700 434,300 228,000
--------------------------------------------------------
Total Costs........................................ ................. ................. 2,964,000
Average Number of Facilities........................... ................. ................. 19,548
----------------------------------------------------------------------------------------------------------------
Table 6--Total Estimated Disclosure Notification Costs in 2018
[Note: Numbers may not add due to rounding]
----------------------------------------------------------------------------------------------------------------
Minimum estimated Maximum estimated Average estimated
cost cost cost
----------------------------------------------------------------------------------------------------------------
Email Notification..................................... $7,100 $143,000 $75,000
First Class Mail Notification.......................... 7,700 154,000 81,000
--------------------------------------------------------
Total Costs........................................ ................. ................. 156,000
----------------------------------------------------------------------------------------------------------------
iv. IT Updates
SAMHSA, in collaboration with ONC and federal and community
stakeholders, has developed Consent2Share which is an open source tool
for consent management and data segmentation that is designed to
integrate with existing EHR and HIE systems. SAMHSA plans to release
shortly an updated version of Consent2Share with improved functionality
and ability to meet list of disclosures requirements.
The Consent2Share architecture has a front-end, patient facing
system known as Patient Consent Management and a backend control system
known as
[[Page 6114]]
Access Control Services. Communications with EHR vendors indicated that
the cost to facilities of purchasing and installing additional
functionality to existing electronic medical records applications, such
as Consent2Share, typically range from $2,500 to $5,000. Because the
add-on systems for part 2 programs may be more complex than standard
patient monitoring systems, we estimated that the cost of adding the
new functionality would be approximately $8,000 per facility. We also
assumed that this would be a one-time expense, rather than a recurring
cost, for each provider. SAMHSA acknowledges that there may be
fluctuation in costs among affected entities from the average cost.
However, though costs could possibly be higher for some entities,
information shared by commenters was largely anecdotal and it is
unclear how such data could be broadly extrapolated to a wide range of
entities.
Furthermore, national estimates indicated that no more than 50
percent of substance use disorder treatment facilities have an
operational ``computerized administrative information system.'' \[19]\
We, therefore, estimated that only half of the 12,034 part 2 programs
(i.e., 6,017 facilities) would have operational health IT systems that
would require modifications to account for the changes to 42 CFR part
2. With 6,017 part 2 programs with operational information systems, we
estimated that each facility would need to spend $8,000 to modify their
health IT system, which would lead to a total burden for updating
health IT systems of $48.1 million. Updating health IT systems would be
a one-time cost, and maintenance costs should be part of general health
IT maintenance costs in later years. The final rule does not require
that part 2 programs adopt health IT systems so there are no health IT
costs associated with substance use disorder treatment facilities that
continue to use paper records.
C. Regulatory Flexibility Act (RFA)
The RFA requires agencies to analyze options for regulatory relief
of small entities. For purposes of the RFA, small entities include
small businesses, nonprofit organizations, and small governmental
jurisdictions. Most hospitals and most other providers are small
entities, either by nonprofit status or by having revenues of less than
$7.5 million to $38.5 million in any one year. Individuals and states
are not included in the definition of a small entity. We are not
preparing an analysis for the RFA because we have determined, and the
Secretary certifies, that this final rule will not have a significant
economic impact on a substantial number of small entities. While the
changes in the regulations will apply to all part 2 programs, the
impact on these entities would be quite small. Specifically, as
described in the Overall Impact section, the cost to part 2 programs
associated with updates to 42 CFR part 2 in the first year that the
final rule is in effect will be $76.1 million, a figure that due to a
number of one-time updates, is the highest for any of the 10 years
estimated. The per-entity economic impact in the first year will be
approximately $6,300 ($76,100,000 / 12,034), a figure that is unlikely
to represent 3 percent of revenues for 5 percent of impacted small
entities. Consequently, it has been determined that the final rule will
not have a significant economic impact on small entities.
In addition, Section 1102(b) of the Act requires us to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of Section 603 of the RFA. For
purposes of Section 1102(b) of the Act, we defined a small rural
hospital as a hospital that is located outside of a Metropolitan
Statistical Area for Medicare payment regulations and has fewer than
100 beds. We are not preparing an analysis for Section 1102(b) of the
Act because we have determined, and the Secretary certifies, that this
final rule will not have a significant impact on the operations of a
substantial number of small rural hospitals.
D. Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates require spending in any one year of
$100 million in 1995 dollars, updated annually for inflation. In 2016,
that threshold is approximately $146 million. This rule will have no
consequential effect on state, local, or tribal governments or on the
private sector.
E. Federalism (Executive Order 13132)
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on state
and local governments, preempts state law, or otherwise has Federalism
implications. Since this rule does not impose any costs on state or
local governments, the requirements of Executive Order 13132 are not
applicable.
SAMHSA is modernizing 42 CFR part 2. With respect to our revisions
to the part 2 regulations, we do not believe that this final rule will
have a significant impact as it gives more flexibility to individuals
and entities covered by 42 CFR part 2 but also adds privacy protections
within the consent requirements for the patient. We are revising the
part 2 regulations in response to concerns that 42 CFR part 2 was
outdated and burdensome.
Executive Order 13132 on Federalism (August 4, 1999) establishes
certain requirements that an agency must meet when it promulgates a
proposed rule (and subsequent final rule) that imposes substantial
direct requirement costs on state and local governments, preempts state
law, or otherwise has Federalism implications. We have reviewed this
final rule under the threshold criteria of Executive Order 13132,
Federalism, and have determined that it will not have substantial
direct effects on the rights, roles, and responsibilities of states,
local or tribal governments.
Conclusion
SAMHSA is enacting changes to modernize 42 CFR part 2. With respect
to our revisions to the regulations, we do not believe that this final
rule will have a significant impact as it gives more flexibility to
individuals and entities covered by 42 CFR part 2 but also increases
privacy protections within the consent requirements and adds an
additional confidentiality safeguard for patients. This final rule does
not reach the threshold for requiring a regulatory impact analysis by
Executive Orders 12866 and 13563 and thus is not considered an
economically significant rule. This rule will not have a significant
economic impact on a substantial number of small entities. This rule
will not have a significant impact on the operations of a substantial
number of small rural hospitals. Since this rule does not impose any
costs on state or local governments, the requirements of Executive
Order 13132 on federalism are not applicable.
Footnotes
1. Trends in Health Information Exchanges (Trends in Health
Information Exchanges) https://innovations.ahrq.gov/perspectives/trends-health-information-exchanges#3.
2. Muhlestein, D. (2015). Growth and Dispersion of Accountable
Care Organizations in 2015. Health Affairs Blog, 19.
3. National Committee for Quality Assurance. A Victory Lap . . .
For Patients.
[[Page 6115]]
Blog, May 15, 2015. https://blog.ncqa.org/a-victory-lap-for-patients/
.
4. Kilbridge, P. (2003). The cost of HIPAA compliance. New
England Journal of Medicine, 348(15), 1423-1477.
5. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J.,
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs
and patient perceptions of privacy safeguards at Mayo Clinic. Joint
Commission Journal on Quality and Patient Safety, 34 (1), 27-35.
6. 65 FR 82462, 82770 (Dec. 28, 2000) (Standards for Privacy of
Individually Identifiable Health Information).
7. Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed May 2, 2015]
Outpatient Mental Health and Substance Abuse Centers (NAICS code
621420), Standard Occupations Classification code (211011)
[www.bls.gov/oes/].
8. Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed May 2, 2014]
Psychiatric and Substance Abuse Hospitals (NAICS code 622200),
Standard Occupations Classification code (211011) [www.bls.gov/oes/
].
9. Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed September 23, 2014]
Offices of Mental Health Practitioners (except Physicians) (NAICS
code 621330), Standard Occupations Classification code (211011)
[www.bls.gov/oes/].
10. These estimates are not HHS estimates nor are they HHS-
endorsed cost estimates of HIPAA implementation and compliance.
11. Calculated using the Consumer Price Index.
12. North Carolina NC Administrative Code [accessed September
23, 2014]. [https://reports.oah.state.nc.us/ncac/title%2010a%20-%20health%20and%20human%20services/chapter%2013%20-%20nc%20medical%20care%20commission/subchapter%20b/10a%20ncac%2013b%20.5203.pdf.]
13. Commonwealth of Pennsylvania--Department of Health Staffing
Requirements for Drug and Alcohol Treatment Activities [accessed
September 23, 2014]. [https://www.pacode.com/secure/data/028/chapter704/s704.12.html.]
14. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J.,
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs
and patient perceptions of privacy safeguards at Mayo Clinic. Joint
Commission Journal on Quality and Patient Safety, 34 (1), 27-35.
15. Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, Standard Occupations
Classification code (29-2071) [www.bls.gov/oes/].
16. IBID.
17. For facilities that maintain paper records, consent forms
would indicate who has been given access to the record. By contrast,
our understanding of health IT audit logs is that they include a
record of all instances in which a record has been accessed. The
audit log will include a record of who accessed the system, the date
the record was accessed, and what operations were performed. The
audit logs, therefore, will include considerably more data than what
we would anticipate finding in paper records. Unless the audit log
has an electronic filtering system, we are assuming that a health
information technician will need to manually review all records in
an audit log in order to compile the necessary information for a
list of disclosures.
18. Bureau of Labor Statistics, U.S. Department of Labor,
Occupational Employment Statistics, [accessed June 3, 2015],
Standard Occupations Classification code (31-9092) [www.bls.gov/oes/
].
19. McLellan, A.T., Kathleen Meyers, K., Contemporary addiction
treatment: A review of systems problems for adults and adolescents,
Biological Psychiatry, Volume 56, Issue 10, 15 November 2004, Pages
764-770, ISSN 0006-3223, https://dx.doi.org/10.1016/j.biopsych.2004.06.018.
List of Subjects in 42 CFR Part 2
Alcohol abuse, Alcoholism, Drug abuse, Grant programs-health,
Health records, Privacy, Reporting, and Recordkeeping requirements.
0
For the reasons stated in the preamble of this final rule, SAMHSA
revises 42 CFR part 2 to read as follows:
PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
Subpart A--Introduction
Sec.
2.1 Statutory authority for confidentiality of substance use
disorder patient records.
2.2 Purpose and effect.
2.3 Criminal penalty for violation.
2.4 Reports of violations.
Subpart B--General Provisions
Sec.
2.11 Definitions.
2.12 Applicability.
2.13 Confidentiality restrictions and safeguards.
2.14 Minor patients.
2.15 Incompetent and deceased patients.
2.16 Security for records.
2.17 Undercover agents and informants.
2.18 Restrictions on the use of identification cards.
2.19 Disposition of records by discontinued programs.
2.20 Relationship to state laws.
2.21 Relationship to federal statutes protecting research subjects
against compulsory disclosure of their identity.
2.22 Notice to patients of federal confidentiality requirements.
2.23 Patient access and restrictions on use.
Subpart C--Disclosures with Patient Consent
Sec.
2.31 Consent requirements.
2.32 Prohibition on re-disclosure.
2.33 Disclosures permitted with written consent.
2.34 Disclosures to prevent multiple enrollments.
2.35 Disclosures to elements of the criminal justice system which
have referred patients.
Subpart D--Disclosures without Patient Consent
Sec.
2.51 Medical emergencies.
2.52 Research.
2.53 Audit and evaluation.
Subpart E--Court Orders Authorizing Disclosure and Use
Sec.
2.61 Legal effect of order.
2.62 Order not applicable to records disclosed without consent to
researchers, auditors and evaluators.
2.63 Confidential communications.
2.64 Procedures and criteria for orders authorizing disclosures for
noncriminal purposes.
2.65 Procedures and criteria for orders authorizing disclosure and
use of records to criminally investigate or prosecute patients.
2.66 Procedures and criteria for orders authorizing disclosure and
use of records to investigate or prosecute a part 2 program or the
person holding the records.
2.67 Orders authorizing the use of undercover agents and informants
to criminally investigate employees or agents of a part 2 program.
Authority: 42 U.S.C. 290dd-2.
Subpart A--Introduction
Sec. 2.1 Statutory authority for confidentiality of substance use
disorder patient records.
Title 42, United States Code, Section 290dd-2(g) authorizes the
Secretary to prescribe regulations. Such regulations may contain such
definitions, and may provide for such safeguards and procedures,
including procedures and criteria for the issuance and scope of orders,
as in the judgment of the Secretary are necessary or proper to
effectuate the purposes of this statute, to prevent circumvention or
evasion thereof, or to facilitate compliance therewith.
Sec. 2.2 Purpose and effect.
(a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in
this part impose restrictions upon the disclosure and use of substance
use disorder patient records which are maintained in connection with
the performance of any part 2 program. The regulations in this part
include the following subparts:
(1) Subpart B of this part: General Provisions, including
definitions, applicability, and general restrictions;
(2) Subpart C of this part: Disclosures with Patient Consent,
including disclosures which require patient consent and the consent
form requirements;
(3) Subpart D of this part: Disclosures without Patient Consent,
including disclosures which do not require patient
[[Page 6116]]
consent or an authorizing court order; and
(4) Subpart E of this part: Court Orders Authorizing Disclosure and
Use, including disclosures and uses of patient records which may be
made with an authorizing court order and the procedures and criteria
for the entry and scope of those orders.
(b) Effect. (1) The regulations in this part prohibit the
disclosure and use of patient records unless certain circumstances
exist. If any circumstance exists under which disclosure is permitted,
that circumstance acts to remove the prohibition on disclosure but it
does not compel disclosure. Thus, the regulations do not require
disclosure under any circumstances.
(2) The regulations in this part are not intended to direct the
manner in which substantive functions such as research, treatment, and
evaluation are carried out. They are intended to ensure that a patient
receiving treatment for a substance use disorder in a part 2 program is
not made more vulnerable by reason of the availability of their patient
record than an individual with a substance use disorder who does not
seek treatment.
(3) Because there is a criminal penalty for violating the
regulations, they are to be construed strictly in favor of the
potential violator in the same manner as a criminal statute (see M.
Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705,
707-08 (1946)).
Sec. 2.3 Criminal penalty for violation.
Under 42 U.S.C. 290dd-2(f), any person who violates any provision
of this section or any regulation issued pursuant to this section shall
be fined in accordance with Title 18 of the U.S. Code.
Sec. 2.4 Reports of violations.
(a) The report of any violation of the regulations in this part may
be directed to the United States Attorney for the judicial district in
which the violation occurs.
(b) The report of any violation of the regulations in this part by
an opioid treatment program may be directed to the United States
Attorney for the judicial district in which the violation occurs as
well as to the Substance Abuse and Mental Health Services
Administration (SAMHSA) office responsible for opioid treatment program
oversight.
Subpart B--General Provisions
Sec. 2.11 Definitions.
For purposes of the regulations in this part:
Central registry means an organization which obtains from two or
more member programs patient identifying information about individuals
applying for withdrawal management or maintenance treatment for the
purpose of avoiding an individual's concurrent enrollment in more than
one treatment program.
Diagnosis means any reference to an individual's substance use
disorder or to a condition which is identified as having been caused by
that substance use disorder which is made for the purpose of treatment
or referral for treatment.
Disclose means to communicate any information identifying a patient
as being or having been diagnosed with a substance use disorder, having
or having had a substance use disorder, or being or having been
referred for treatment of a substance use disorder either directly, by
reference to publicly available information, or through verification of
such identification by another person.
Federally assisted--see Sec. 2.12(b).
Informant means an individual:
(1) Who is a patient or employee of a part 2 program or who becomes
a patient or employee of a part 2 program at the request of a law
enforcement agency or official; and
(2) Who at the request of a law enforcement agency or official
observes one or more patients or employees of the part 2 program for
the purpose of reporting the information obtained to the law
enforcement agency or official.
Maintenance treatment means long-term pharmacotherapy for
individuals with substance use disorders that reduces the pathological
pursuit of reward and/or relief and supports remission of substance use
disorder-related symptoms.
Member program means a withdrawal management or maintenance
treatment program which reports patient identifying information to a
central registry and which is in the same state as that central
registry or is in a state that participates in data sharing with the
central registry of the program in question.
Minor, as used in the regulations in this part, means an individual
who has not attained the age of majority specified in the applicable
state law, or if no age of majority is specified in the applicable
state law, the age of 18 years.
Part 2 program means a federally assisted program (federally
assisted as defined in Sec. 2.12(b) and program as defined in this
section). See Sec. 2.12(e)(1) for examples.
Part 2 program director means:
(1) In the case of a part 2 program that is an individual, that
individual.
(2) In the case of a part 2 program that is an entity, the
individual designated as director or managing director, or individual
otherwise vested with authority to act as chief executive officer of
the part 2 program.
Patient means any individual who has applied for or been given
diagnosis, treatment, or referral for treatment for a substance use
disorder at a part 2 program. Patient includes any individual who,
after arrest on a criminal charge, is identified as an individual with
a substance use disorder in order to determine that individual's
eligibility to participate in a part 2 program. This definition
includes both current and former patients.
Patient identifying information means the name, address, social
security number, fingerprints, photograph, or similar information by
which the identity of a patient, as defined in this section, can be
determined with reasonable accuracy either directly or by reference to
other information. The term does not include a number assigned to a
patient by a part 2 program, for internal use only by the part 2
program, if that number does not consist of or contain numbers (such as
a social security, or driver's license number) that could be used to
identify a patient with reasonable accuracy from sources external to
the part 2 program.
Person means an individual, partnership, corporation, federal,
state or local government agency, or any other legal entity, (also
referred to as ``individual or entity'').
Program means:
(1) An individual or entity (other than a general medical facility)
who holds itself out as providing, and provides, substance use disorder
diagnosis, treatment, or referral for treatment; or
(2) An identified unit within a general medical facility that holds
itself out as providing, and provides, substance use disorder
diagnosis, treatment, or referral for treatment; or
(3) Medical personnel or other staff in a general medical facility
whose primary function is the provision of substance use disorder
diagnosis, treatment, or referral for treatment and who are identified
as such providers.
Qualified service organization means an individual or entity who:
(1) Provides services to a part 2 program, such as data processing,
bill collecting, dosage preparation, laboratory analyses, or legal,
accounting, population health management, medical staffing, or other
professional services, or services to prevent or treat child
[[Page 6117]]
abuse or neglect, including training on nutrition and child care and
individual and group therapy, and
(2) Has entered into a written agreement with a part 2 program
under which that individual or entity:
(i) Acknowledges that in receiving, storing, processing, or
otherwise dealing with any patient records from the part 2 program, it
is fully bound by the regulations in this part; and
(ii) If necessary, will resist in judicial proceedings any efforts
to obtain access to patient identifying information related to
substance use disorder diagnosis, treatment, or referral for treatment
except as permitted by the regulations in this part.
Records means any information, whether recorded or not, created by,
received, or acquired by a part 2 program relating to a patient (e.g.,
diagnosis, treatment and referral for treatment information, billing
information, emails, voice mails, and texts). For the purpose of the
regulations in this part, records include both paper and electronic
records.
Substance use disorder means a cluster of cognitive, behavioral,
and physiological symptoms indicating that the individual continues
using the substance despite significant substance-related problems such
as impaired control, social impairment, risky use, and pharmacological
tolerance and withdrawal. For the purposes of the regulations in this
part, this definition does not include tobacco or caffeine use.
Third-party payer means an individual or entity who pays and/or
agrees to pay for diagnosis or treatment furnished to a patient on the
basis of a contractual relationship with the patient or a member of the
patient's family or on the basis of the patient's eligibility for
federal, state, or local governmental benefits.
Treating provider relationship means that, regardless of whether
there has been an actual in-person encounter:
(1) A patient is, agrees to, or is legally required to be
diagnosed, evaluated, and/or treated, or agrees to accept consultation,
for any condition by an individual or entity, and;
(2) The individual or entity undertakes or agrees to undertake
diagnosis, evaluation, and/or treatment of the patient, or consultation
with the patient, for any condition.
Treatment means the care of a patient suffering from a substance
use disorder, a condition which is identified as having been caused by
the substance use disorder, or both, in order to reduce or eliminate
the adverse effects upon the patient.
Undercover agent means any federal, state, or local law enforcement
agency or official who enrolls in or becomes an employee of a part 2
program for the purpose of investigating a suspected violation of law
or who pursues that purpose after enrolling or becoming employed for
other purposes.
Withdrawal management means the use of pharmacotherapies to treat
or attenuate the problematic signs and symptoms arising when heavy and/
or prolonged substance use is reduced or discontinued.
Sec. 2.12 Applicability.
(a) General--(1) Restrictions on disclosure. The restrictions on
disclosure in the regulations in this part apply to any information,
whether or not recorded, which:
(i) Would identify a patient as having or having had a substance
use disorder either directly, by reference to publicly available
information, or through verification of such identification by another
person; and
(ii) Is drug abuse information obtained by a federally assisted
drug abuse program after March 20, 1972 (part 2 program), or is alcohol
abuse information obtained by a federally assisted alcohol abuse
program after May 13, 1974 (part 2 program); or if obtained before the
pertinent date, is maintained by a part 2 program after that date as
part of an ongoing treatment episode which extends past that date; for
the purpose of treating a substance use disorder, making a diagnosis
for that treatment, or making a referral for that treatment.
(2) Restriction on use. The restriction on use of information to
initiate or substantiate any criminal charges against a patient or to
conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c))
applies to any information, whether or not recorded, which is drug
abuse information obtained by a federally assisted drug abuse program
after March 20, 1972 (part 2 program), or is alcohol abuse information
obtained by a federally assisted alcohol abuse program after May 13,
1974 (part 2 program); or if obtained before the pertinent date, is
maintained by a part 2 program after that date as part of an ongoing
treatment episode which extends past that date; for the purpose of
treating a substance use disorder, making a diagnosis for the
treatment, or making a referral for the treatment.
(b) Federal assistance. A program is considered to be federally
assisted if:
(1) It is conducted in whole or in part, whether directly or by
contract or otherwise by any department or agency of the United States
(but see paragraphs (c)(1) and (2) of this section relating to the
Department of Veterans Affairs and the Armed Forces);
(2) It is being carried out under a license, certification,
registration, or other authorization granted by any department or
agency of the United States including but not limited to:
(i) Participating provider in the Medicare program;
(ii) Authorization to conduct maintenance treatment or withdrawal
management; or
(iii) Registration to dispense a substance under the Controlled
Substances Act to the extent the controlled substance is used in the
treatment of substance use disorders;
(3) It is supported by funds provided by any department or agency
of the United States by being:
(i) A recipient of federal financial assistance in any form,
including financial assistance which does not directly pay for the
substance use disorder diagnosis, treatment, or referral for treatment;
or
(ii) Conducted by a state or local government unit which, through
general or special revenue sharing or other forms of assistance,
receives federal funds which could be (but are not necessarily) spent
for the substance use disorder program; or
(4) It is assisted by the Internal Revenue Service of the
Department of the Treasury through the allowance of income tax
deductions for contributions to the program or through the granting of
tax exempt status to the program.
(c) Exceptions-- (1) Department of Veterans Affairs. These
regulations do not apply to information on substance use disorder
patients maintained in connection with the Department of Veterans
Affairs' provision of hospital care, nursing home care, domiciliary
care, and medical services under Title 38, U.S.C. Those records are
governed by 38 U.S.C. 7332 and regulations issued under that authority
by the Secretary of Veterans Affairs.
(2) Armed Forces. The regulations in this part apply to any
information described in paragraph (a) of this section which was
obtained by any component of the Armed Forces during a period when the
patient was subject to the Uniform Code of Military Justice except:
(i) Any interchange of that information within the Armed Forces;
and
(ii) Any interchange of that information between the Armed Forces
and those components of the Department of Veterans Affairs furnishing
health care to veterans.
[[Page 6118]]
(3) Communication within a part 2 program or between a part 2
program and an entity having direct administrative control over that
part 2 program. The restrictions on disclosure in the regulations in
this part do not apply to communications of information between or
among personnel having a need for the information in connection with
their duties that arise out of the provision of diagnosis, treatment,
or referral for treatment of patients with substance use disorders if
the communications are:
(i) Within a part 2 program; or
(ii) Between a part 2 program and an entity that has direct
administrative control over the program.
(4) Qualified service organizations. The restrictions on disclosure
in the regulations in this part do not apply to communications between
a part 2 program and a qualified service organization of information
needed by the qualified service organization to provide services to the
program.
(5) Crimes on part 2 program premises or against part 2 program
personnel. The restrictions on disclosure and use in the regulations in
this part do not apply to communications from part 2 program personnel
to law enforcement agencies or officials which:
(i) Are directly related to a patient's commission of a crime on
the premises of the part 2 program or against part 2 program personnel
or to a threat to commit such a crime; and
(ii) Are limited to the circumstances of the incident, including
the patient status of the individual committing or threatening to
commit the crime, that individual's name and address, and that
individual's last known whereabouts.
(6) Reports of suspected child abuse and neglect. The restrictions
on disclosure and use in the regulations in this part do not apply to
the reporting under state law of incidents of suspected child abuse and
neglect to the appropriate state or local authorities. However, the
restrictions continue to apply to the original substance use disorder
patient records maintained by the part 2 program including their
disclosure and use for civil or criminal proceedings which may arise
out of the report of suspected child abuse and neglect.
(d) Applicability to recipients of information-- (1) Restriction on
use of information. The restriction on the use of any information
subject to the regulations in this part to initiate or substantiate any
criminal charges against a patient or to conduct any criminal
investigation of a patient applies to any person who obtains that
information from a part 2 program, regardless of the status of the
person obtaining the information or whether the information was
obtained in accordance with the regulations in this part. This
restriction on use bars, among other things, the introduction of that
information as evidence in a criminal proceeding and any other use of
the information to investigate or prosecute a patient with respect to a
suspected crime. Information obtained by undercover agents or
informants (see Sec. [thinsp]2.17) or through patient access (see
Sec. [thinsp]2.23) is subject to the restriction on use.
(2) Restrictions on disclosures--(i) Third-party payers,
administrative entities, and others. The restrictions on disclosure in
the regulations in this part apply to:
(A) Third-party payers with regard to records disclosed to them by
part 2 programs or under Sec. 2.31(a)(4)(iii)(A);
(B) Entities having direct administrative control over part 2
programs with regard to information that is subject to the regulations
in this part communicated to them by the part 2 program under paragraph
(c)(3) of this section; and
(C) Individuals or entities who receive patient records directly
from a part 2 program or other lawful holder of patient identifying
information and who are notified of the prohibition on re-disclosure in
accordance with Sec. 2.32.
(ii) [Reserved]
(e) Explanation of applicability--(1) Coverage. These regulations
cover any information (including information on referral and intake)
about patients receiving diagnosis, treatment, or referral for
treatment for a substance use disorder created by a part 2 program.
Coverage includes, but is not limited to, those treatment or
rehabilitation programs, employee assistance programs, programs within
general hospitals, school-based programs, and private practitioners who
hold themselves out as providing, and provide substance use disorder
diagnosis, treatment, or referral for treatment. However, the
regulations in this part would not apply, for example, to emergency
room personnel who refer a patient to the intensive care unit for an
apparent overdose, unless the primary function of such personnel is the
provision of substance use disorder diagnosis, treatment, or referral
for treatment and they are identified as providing such services or the
emergency room has promoted itself to the community as a provider of
such services.
(2) Federal assistance to program required. If a patient's
substance use disorder diagnosis, treatment, or referral for treatment
is not provided by a part 2 program, that patient's record is not
covered by the regulations in this part. Thus, it is possible for an
individual patient to benefit from federal support and not be covered
by the confidentiality regulations because the program in which the
patient is enrolled is not federally assisted as defined in paragraph
(b) of this section. For example, if a federal court placed an
individual in a private for-profit program and made a payment to the
program on behalf of that individual, that patient's record would not
be covered by the regulations in this part unless the program itself
received federal assistance as defined by paragraph (b) of this
section.
(3) Information to which restrictions are applicable. Whether a
restriction applies to use or disclosure affects the type of
information which may be disclosed. The restrictions on disclosure
apply to any information which would identify a patient as having or
having had a substance use disorder. The restriction on use of
information to bring criminal charges against a patient for a crime
applies to any information obtained by the part 2 program for the
purpose of diagnosis, treatment, or referral for treatment of patients
with substance use disorders. (Note that restrictions on use and
disclosure apply to recipients of information under paragraph (d) of
this section.)
(4) How type of diagnosis affects coverage. These regulations cover
any record of a diagnosis identifying a patient as having or having had
a substance use disorder which is initially prepared by a part 2
provider in connection with the treatment or referral for treatment of
a patient with a substance use disorder. A diagnosis prepared for the
purpose of treatment or referral for treatment but which is not so used
is covered by the regulations in this part. The following are not
covered by the regulations in this part:
(i) Diagnosis which is made solely for the purpose of providing
evidence for use by law enforcement agencies or officials; or
(ii) A diagnosis of drug overdose or alcohol intoxication which
clearly shows that the individual involved does not have a substance
use disorder (e.g., involuntary ingestion of alcohol or drugs or
reaction to a prescribed dosage of one or more drugs).
Sec. 2.13 Confidentiality restrictions and safeguards.
(a) General. The patient records subject to the regulations in this
part may be disclosed or used only as permitted by the regulations in
this part
[[Page 6119]]
and may not otherwise be disclosed or used in any civil, criminal,
administrative, or legislative proceedings conducted by any federal,
state, or local authority. Any disclosure made under the regulations in
this part must be limited to that information which is necessary to
carry out the purpose of the disclosure.
(b) Unconditional compliance required. The restrictions on
disclosure and use in the regulations in this part apply whether or not
the part 2 program or other lawful holder of the patient identifying
information believes that the person seeking the information already
has it, has other means of obtaining it, is a law enforcement agency or
official or other government official, has obtained a subpoena, or
asserts any other justification for a disclosure or use which is not
permitted by the regulations in this part.
(c) Acknowledging the presence of patients: Responding to requests.
(1) The presence of an identified patient in a health care facility or
component of a health care facility which is publicly identified as a
place where only substance use disorder diagnosis, treatment, or
referral for treatment is provided may be acknowledged only if the
patient's written consent is obtained in accordance with subpart C of
this part or if an authorizing court order is entered in accordance
with subpart E of this part. The regulations permit acknowledgement of
the presence of an identified patient in a health care facility or part
of a health care facility if the health care facility is not publicly
identified as only a substance use disorder diagnosis, treatment, or
referral for treatment facility, and if the acknowledgement does not
reveal that the patient has a substance use disorder.
(2) Any answer to a request for a disclosure of patient records
which is not permissible under the regulations in this part must be
made in a way that will not affirmatively reveal that an identified
individual has been, or is being, diagnosed or treated for a substance
use disorder. An inquiring party may be provided a copy of the
regulations in this part and advised that they restrict the disclosure
of substance use disorder patient records, but may not be told
affirmatively that the regulations restrict the disclosure of the
records of an identified patient.
(d) List of disclosures. Upon request, patients who have consented
to disclose their patient identifying information using a general
designation pursuant to Sec. 2.31(a)(4)(iii)(B)(3) must be provided a
list of entities to which their information has been disclosed pursuant
to the general designation.
(1) Under this paragraph (d), patient requests:
(i) Must be made in writing; and
(ii) Are limited to disclosures made within the past two years;
(2) Under this paragraph (d), the entity named on the consent form
that discloses information pursuant to a patient's general designation
(the entity that serves as an intermediary, as described in Sec.
2.31(a)(4)(iii)(B)) must:
(i) Respond in 30 or fewer days of receipt of the written request;
and
(ii) Provide, for each disclosure, the name(s) of the entity(-ies)
to which the disclosure was made, the date of the disclosure, and a
brief description of the patient identifying information disclosed.
(3) The part 2 program is not responsible for compliance with this
paragraph (d); the entity that serves as an intermediary, as described
in Sec. 2.31(a)(4)(iii)(B), is responsible for compliance with the
list of disclosures requirement.
Sec. 2.14 Minor patients.
(a) State law not requiring parental consent to treatment. If a
minor patient acting alone has the legal capacity under the applicable
state law to apply for and obtain substance use disorder treatment, any
written consent for disclosure authorized under subpart C of this part
may be given only by the minor patient. This restriction includes, but
is not limited to, any disclosure of patient identifying information to
the parent or guardian of a minor patient for the purpose of obtaining
financial reimbursement. These regulations do not prohibit a part 2
program from refusing to provide treatment until the minor patient
consents to the disclosure necessary to obtain reimbursement, but
refusal to provide treatment may be prohibited under a state or local
law requiring the program to furnish the service irrespective of
ability to pay.
(b) State law requiring parental consent to treatment. (1) Where
state law requires consent of a parent, guardian, or other individual
for a minor to obtain treatment for a substance use disorder, any
written consent for disclosure authorized under subpart C of this part
must be given by both the minor and their parent, guardian, or other
individual authorized under state law to act in the minor's behalf.
(2) Where state law requires parental consent to treatment, the
fact of a minor's application for treatment may be communicated to the
minor's parent, guardian, or other individual authorized under state
law to act in the minor's behalf only if:
(i) The minor has given written consent to the disclosure in
accordance with subpart C of this part; or
(ii) The minor lacks the capacity to make a rational choice
regarding such consent as judged by the part 2 program director under
paragraph (c) of this section.
(c) Minor applicant for services lacks capacity for rational
choice. Facts relevant to reducing a substantial threat to the life or
physical well-being of the minor applicant or any other individual may
be disclosed to the parent, guardian, or other individual authorized
under state law to act in the minor's behalf if the part 2 program
director judges that:
(1) A minor applicant for services lacks capacity because of
extreme youthor mental or physical condition to make a rational
decision on whether to consent to a disclosure under subpart C of this
part to their parent, guardian, or other individual authorized under
state law to act in the minor's behalf; and
(2) The minor applicant's situation poses a substantial threat to
the life or physical well-being of the minor applicant or any other
individual which may be reduced by communicating relevant facts to the
minor's parent, guardian, or other individual authorized under state
law to act in the minor's behalf.
Sec. 2.15 Incompetent and deceased patients.
(a) Incompetent patients other than minors--(1) Adjudication of
incompetence. In the case of a patient who has been adjudicated as
lacking the capacity, for any reason other than insufficient age, to
their own affairs, any consent which is required under the regulations
in this part may be given by the guardian or other individual
authorized under state law to act in the patient's behalf.
(2) No adjudication of incompetency. In the case of a patient,
other than a minor or one who has been adjudicated incompetent, that
for any period suffers from a medical condition that prevents knowing
or effective action on their own behalf, the part 2 program director
may exercise the right of the patient to consent to a disclosure under
subpart C of this part for the sole purpose of obtaining payment for
services from a third-party payer.
(b) Deceased patients--(1) Vital statistics. These regulations do
not restrict the disclosure of patient identifying information relating
to the cause of death of a patient under laws requiring the collection
of death or other vital statistics or permitting inquiry into the cause
of death.
[[Page 6120]]
(2) Consent by personal representative. Any other disclosure of
information identifying a deceased patient as having a substance use
disorder is subject to the regulations in this part. If a written
consent to the disclosure is required, that consent may be given by an
executor, administrator, or other personal representative appointed
under applicable state law. If there is no such applicable state law
appointment, the consent may be given by the patient's spouse or, if
none, by any responsible member of the patient's family.
Sec. 2.16 Security for records.
(a) The part 2 program or other lawful holder of patient
identifying information must have in place formal policies and
procedures to reasonably protect against unauthorized uses and
disclosures of patient identifying information and to protect against
reasonably anticipated threats or hazards to the security of patient
identifying information. These formal policies and procedures must
address:
(1) Paper records, including:
(i) Transferring and removing such records;
(ii) Destroying such records, including sanitizing the hard copy
media associated with the paper printouts, to render the patient
identifying information non-retrievable;
(iii) Maintaining such records in a secure room, locked file
cabinet, safe, or other similar container, or storage facility when not
in use;
(iv) Using and accessing workstations, secure rooms, locked file
cabinets, safes, or other similar containers, and storage facilities
that use or store such information; and
(v) Rendering patient identifying information non-identifiable in a
manner that creates a very low risk of re-identification (e.g.,
removing direct identifiers).
(2) Electronic records, including:
(i) Creating, receiving, maintaining, and transmitting such
records;
(ii) Destroying such records, including sanitizing the electronic
media on which such records are stored, to render the patient
identifying information non-retrievable;
(iii) Using and accessing electronic records or other electronic
media containing patient identifying information; and
(iv) Rendering the patient identifying information non-identifiable
in a manner that creates a very low risk of re-identification (e.g.,
removing direct identifiers).
(b) [Reserved]
Sec. 2.17 Undercover agents and informants.
(a) Restrictions on placement. Except as specifically authorized by
a court order granted under Sec. 2.67, no part 2 program may knowingly
employ, or enroll as a patient, any undercover agent or informant.
(b) Restriction on use of information. No information obtained by
an undercover agent or informant, whether or not that undercover agent
or informant is placed in a part 2 program pursuant to an authorizing
court order, may be used to criminally investigate or prosecute any
patient.
Sec. 2.18 Restrictions on the use of identification cards.
No person may require any patient to carry in their immediate
possession while away from the part 2 program premises any card or
other object which would identify the patient as having a substance use
disorder. This section does not prohibit a person from requiring
patients to use or carry cards or other identification objects on the
premises of a part 2 program.
Sec. 2.19 Disposition of records by discontinued programs.
(a) General. If a part 2 program discontinues operations or is
taken over or acquired by another program, it must remove patient
identifying information from its records or destroy its records,
including sanitizing any associated hard copy or electronic media, to
render the patient identifying information non-retrievable in a manner
consistent with the policies and procedures established under Sec.
2.16, unless:
(1) The patient who is the subject of the records gives written
consent (meeting the requirements of Sec. 2.31) to a transfer of the
records to the acquiring program or to any other program designated in
the consent (the manner of obtaining this consent must minimize the
likelihood of a disclosure of patient identifying information to a
third party); or
(2) There is a legal requirement that the records be kept for a
period specified by law which does not expire until after the
discontinuation or acquisition of the part 2 program.
(b) Special procedure where retention period required by law. If
paragraph (a)(2) of this section applies:
(1) Records, which are paper, must be:
(i) Sealed in envelopes or other containers labeled as follows:
``Records of [insert name of program] required to be maintained under
[insert citation to statute, regulation, court order or other legal
authority requiring that records be kept] until a date not later than
[insert appropriate date]'';
(A) All hard copy media from which the paper records were produced,
such as printer and facsimile ribbons, drums, etc., must be sanitized
to render the data non-retrievable; and
(B) [Reserved]
(ii) Held under the restrictions of the regulations in this part by
a responsible person who must, as soon as practicable after the end of
the required retention period specified on the label, destroy the
records and sanitize any associated hard copy media to render the
patient identifying information non-retrievable in a manner consistent
with the discontinued program's or acquiring program's policies and
procedures established under Sec. 2.16.
(2) Records, which are electronic, must be:
(i) Transferred to a portable electronic device with implemented
encryption to encrypt the data at rest so that there is a low
probability of assigning meaning without the use of a confidential
process or key and implemented access controls for the confidential
process or key; or
(ii) Transferred, along with a backup copy, to separate electronic
media, so that both the records and the backup copy have implemented
encryption to encrypt the data at rest so that there is a low
probability of assigning meaning without the use of a confidential
process or key and implemented access controls for the confidential
process or key; and
(iii) Within one year of the discontinuation or acquisition of the
program, all electronic media on which the patient records or patient
identifying information resided prior to being transferred to the
device specified in (i) above or the original and backup electronic
media specified in (ii) above, including email and other electronic
communications, must be sanitized to render the patient identifying
information non-retrievable in a manner consistent with the
discontinued program's or acquiring program's policies and procedures
established under Sec. 2.16; and
(iv) The portable electronic device or the original and backup
electronic media must be:
(A) Sealed in a container along with any equipment needed to read
or access the information, and labeled as follows: ``Records of [insert
name of program] required to be maintained under [insert citation to
statute, regulation, court order or other legal authority requiring
that records be kept] until a date not later than [insert appropriate
date];'' and
(B) Held under the restrictions of the regulations in this part by
a responsible person who must store the container in a manner that will
protect the
[[Page 6121]]
information (e.g., climate controlled environment); and
(v) The responsible person must be included on the access control
list and be provided a means for decrypting the data. The responsible
person must store the decryption tools on a device or at a location
separate from the data they are used to encrypt or decrypt; and
(vi) As soon as practicable after the end of the required retention
period specified on the label, the portable electronic device or the
original and backup electronic media must be sanitized to render the
patient identifying information non-retrievable consistent with the
policies established under Sec. 2.16.
Sec. 2.20 Relationship to state laws.
The statute authorizing the regulations in this part (42 U.S.C.
290dd-2) does not preempt the field of law which they cover to the
exclusion of all state laws in that field. If a disclosure permitted
under the regulations in this part is prohibited under state law,
neither the regulations in this part nor the authorizing statute may be
construed to authorize any violation of that state law. However, no
state law may either authorize or compel any disclosure prohibited by
the regulations in this part.
Sec. 2.21 Relationship to federal statutes protecting research
subjects against compulsory disclosure of their identity.
(a) Research privilege description. There may be concurrent
coverage of patient identifying information by the regulations in this
part and by administrative action taken under section 502(c) of the
Controlled Substances Act (21 U.S.C. 872(c) and the implementing
regulations at 21 CFR part 1316); or section 301(d) of the Public
Health Service Act (42 U.S.C. 241(d) and the implementing regulations
at 42 CFR part 2a). These research privilege statutes confer on the
Secretary of Health and Human Services and on the Attorney General,
respectively, the power to authorize researchers conducting certain
types of research to withhold from all persons not connected with the
research the names and other identifying information concerning
individuals who are the subjects of the research.
(b) Effect of concurrent coverage. These regulations restrict the
disclosure and use of information about patients, while administrative
action taken under the research privilege statutes and implementing
regulations protects a person engaged in applicable research from being
compelled to disclose any identifying characteristics of the
individuals who are the subjects of that research. The issuance under
subpart E of this part of a court order authorizing a disclosure of
information about a patient does not affect an exercise of authority
under these research privilege statutes.
Sec. 2.22 Notice to patients of federal confidentiality requirements.
(a) Notice required. At the time of admission to a part 2 program
or, in the case that a patient does not have capacity upon admission to
understand his or her medical status, as soon thereafter as the patient
attains such capacity, each part 2 program shall:
(1) Communicate to the patient that federal law and regulations
protect the confidentiality of substance use disorder patient records;
and
(2) Give to the patient a summary in writing of the federal law and
regulations.
(b) Required elements of written summary. The written summary of
the federal law and regulations must include:
(1) A general description of the limited circumstances under which
a part 2 program may acknowledge that an individual is present or
disclose outside the part 2 program information identifying a patient
as having or having had a substance use disorder;
(2) A statement that violation of the federal law and regulations
by a part 2 program is a crime and that suspected violations may be
reported to appropriate authorities consistent with Sec. 2.4, along
with contact information;
(3) A statement that information related to a patient's commission
of a crime on the premises of the part 2 program or against personnel
of the part 2 program is not protected;
(4) A statement that reports of suspected child abuse and neglect
made under state law to appropriate state or local authorities are not
protected; and
(5) A citation to the federal law and regulations.
(c) Program options. The part 2 program must devise a notice to
comply with the requirement to provide the patient with a summary in
writing of the federal law and regulations. In this written summary,
the part 2 program also may include information concerning state law
and any of the part 2 program's policies that are not inconsistent with
state and federal law on the subject of confidentiality of substance
use disorder patient records.
Sec. 2.23 Patient access and restrictions on use.
(a) Patient access not prohibited. These regulations do not
prohibit a part 2 program from giving a patient access to their own
records, including the opportunity to inspect and copy any records that
the part 2 program maintains about the patient. The part 2 program is
not required to obtain a patient's written consent or other
authorization under the regulations in this part in order to provide
such access to the patient.
(b) Restriction on use of information. Information obtained by
patient access to his or her patient record is subject to the
restriction on use of this information to initiate or substantiate any
criminal charges against the patient or to conduct any criminal
investigation of the patient as provided for under Sec. 2.12(d)(1).
Subpart C--Disclosures With Patient Consent
Sec. 2.31 Consent requirements.
(a) Required elements for written consent. A written consent to a
disclosure under the regulations in this part may be paper or
electronic and must include:
(1) The name of the patient.
(2) The specific name(s) or general designation(s) of the part 2
program(s), entity(ies), or individual(s) permitted to make the
disclosure.
(3) How much and what kind of information is to be disclosed,
including an explicit description of the substance use disorder
information that may be disclosed.
(4)(i) The name(s) of the individual(s) to whom a disclosure is to
be made; or
(ii) Entities with a treating provider relationship with the
patient. If the recipient entity has a treating provider relationship
with the patient whose information is being disclosed, such as a
hospital, a health care clinic, or a private practice, the name of that
entity; or
(iii) Entities without a treating provider relationship with the
patient.
(A) If the recipient entity does not have a treating provider
relationship with the patient whose information is being disclosed and
is a third-party payer, the name of the entity; or
(B) If the recipient entity does not have a treating provider
relationship with the patient whose information is being disclosed and
is not covered by paragraph (a)(4)(iii)(A) of this section, such as an
entity that facilitates the exchange of health information or a
research institution, the name(s) of the entity(-ies); and
(1) The name(s) of an individual participant(s); or
(2) The name(s) of an entity participant(s) that has a treating
provider relationship with the patient whose information is being
disclosed; or
[[Page 6122]]
(3) A general designation of an individual or entity participant(s)
or class of participants that must be limited to a participant(s) who
has a treating provider relationship with the patient whose information
is being disclosed.
(i) When using a general designation, a statement must be included
on the consent form that the patient (or other individual authorized to
sign in lieu of the patient), confirms their understanding that, upon
their request and consistent with this part, they must be provided a
list of entities to which their information has been disclosed pursuant
to the general designation (see Sec. 2.13(d)).
(ii) [Reserved]
(5) The purpose of the disclosure. In accordance with Sec.
2.13(a), the disclosure must be limited to that information which is
necessary to carry out the stated purpose.
(6) A statement that the consent is subject to revocation at any
time except to the extent that the part 2 program or other lawful
holder of patient identifying information that is permitted to make the
disclosure has already acted in reliance on it. Acting in reliance
includes the provision of treatment services in reliance on a valid
consent to disclose information to a third-party payer
(7) The date, event, or condition upon which the consent will
expire if not revoked before. This date, event, or condition must
ensure that the consent will last no longer than reasonably necessary
to serve the purpose for which it is provided.
(8) The signature of the patient and, when required for a patient
who is a minor, the signature of an individual authorized to give
consent under Sec. 2.14; or, when required for a patient who is
incompetent or deceased, the signature of an individual authorized to
sign under Sec. 2.15. Electronic signatures are permitted to the
extent that they are not prohibited by any applicable law.
(9) The date on which the consent is signed.
(b) Expired, deficient, or false consent. A disclosure may not be
made on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to conform to any of the
requirements set forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through reasonable diligence could be known, by
the individual or entity holding the records to be materially false.
Sec. 2.32 Prohibition on re-disclosure.
(a) Notice to accompany disclosure. Each disclosure made with the
patient's written consent must be accompanied by the following written
statement: This information has been disclosed to you from records
protected by federal confidentiality rules (42 CFR part 2). The federal
rules prohibit you from making any further disclosure of information in
this record that identifies a patient as having or having had a
substance use disorder either directly, by reference to publicly
available information, or through verification of such identification
by another person unless further disclosure is expressly permitted by
the written consent of the individual whose information is being
disclosed or as otherwise permitted by 42 CFR part 2. A general
authorization for the release of medical or other information is NOT
sufficient for this purpose (see Sec. 2.31). The federal rules
restrict any use of the information to investigate or prosecute with
regard to a crime any patient with a substance use disorder, except as
provided at Sec. Sec. 2.12(c)(5) and 2.65.
(b) [Reserved]
Sec. 2.33 Disclosures permitted with written consent.
If a patient consents to a disclosure of their records under Sec.
2.31, a program may disclose those records in accordance with that
consent to any person identified in the consent, except that
disclosures to central registries and in connection with criminal
justice referrals must meet the requirements of Sec. Sec. 2.34 and
2.35, respectively.
Sec. 2.34 Disclosures to prevent multiple enrollments.
(a) Restrictions on disclosure. A part 2 program, as defined in
Sec. 2.11, may disclose patient records to a central registry or to
any withdrawal management or maintenance treatment program not more
than 200 miles away for the purpose of preventing the multiple
enrollment of a patient only if:
(1) The disclosure is made when:
(i) The patient is accepted for treatment;
(ii) The type or dosage of the drug is changed; or
(iii) The treatment is interrupted, resumed or terminated.
(2) The disclosure is limited to:
(i) Patient identifying information;
(ii) Type and dosage of the drug; and
(iii) Relevant dates.
(3) The disclosure is made with the patient's written consent
meeting the requirements of Sec. 2.31, except that:
(i) The consent must list the name and address of each central
registry and each known withdrawal management or maintenance treatment
program to which a disclosure will be made; and
(ii) The consent may authorize a disclosure to any withdrawal
management or maintenance treatment program established within 200
miles of the program, but does not need to individually name all
programs.
(b) Use of information limited to prevention of multiple
enrollments. A central registry and any withdrawal management or
maintenance treatment program to which information is disclosed to
prevent multiple enrollments may not re-disclose or use patient
identifying information for any purpose other than the prevention of
multiple enrollments unless authorized by a court order under subpart E
of this part.
(c) Permitted disclosure by a central registry to prevent a
multiple enrollment. When a member program asks a central registry if
an identified patient is enrolled in another member program and the
registry determines that the patient is so enrolled, the registry may
disclose:
(1) The name, address, and telephone number of the member
program(s) in which the patient is already enrolled to the inquiring
member program; and
(2) The name, address, and telephone number of the inquiring member
program to the member program(s) in which the patient is already
enrolled. The member programs may communicate as necessary to verify
that no error has been made and to prevent or eliminate any multiple
enrollments.
(d) Permitted disclosure by a withdrawal management or maintenance
treatment program to prevent a multiple enrollment. A withdrawal
management or maintenance treatment program which has received a
disclosure under this section and has determined that the patient is
already enrolled may communicate as necessary with the program making
the disclosure to verify that no error has been made and to prevent or
eliminate any multiple enrollments.
Sec. 2.35 Disclosures to elements of the criminal justice system
which have referred patients.
(a) A part 2 program may disclose information about a patient to
those individuals within the criminal justice system who have made
participation in the part 2 program a condition of the disposition of
any criminal proceedings against the patient or of the patient's parole
or other release from custody if:
(1) The disclosure is made only to those individuals within the
criminal justice system who have a need for the information in
connection with their duty to monitor the patient's progress
[[Page 6123]]
(e.g., a prosecuting attorney who is withholding charges against the
patient, a court granting pretrial or post-trial release, probation or
parole officers responsible for supervision of the patient); and
(2) The patient has signed a written consent meeting the
requirements of Sec. 2.31 (except paragraph (a)(8) which is
inconsistent with the revocation provisions of paragraph (c) of this
section) and the requirements of paragraphs (b) and (c) of this
section.
(b) Duration of consent. The written consent must state the period
during which it remains in effect. This period must be reasonable,
taking into account:
(1) The anticipated length of the treatment;
(2) The type of criminal proceeding involved, the need for the
information in connection with the final disposition of that
proceeding, and when the final disposition will occur; and
(3) Such other factors as the part 2 program, the patient, and the
individual(s) within the criminal justice system who will receive the
disclosure consider pertinent.
(c) Revocation of consent. The written consent must state that it
is revocable upon the passage of a specified amount of time or the
occurrence of a specified, ascertainable event. The time or occurrence
upon which consent becomes revocable may be no later than the final
disposition of the conditional release or other action in connection
with which consent was given.
(d) Restrictions on re-disclosure and use. An individual within the
criminal justice system who receives patient information under this
section may re-disclose and use it only to carry out that individual's
official duties with regard to the patient's conditional release or
other action in connection with which the consent was given.
Subpart D--Disclosures Without Patient Consent
Sec. 2.51 Medical emergencies.
(a) General rule. Under the procedures required by paragraph (c) of
this section, patient identifying information may be disclosed to
medical personnel to the extent necessary to meet a bona fide medical
emergency in which the patient's prior informed consent cannot be
obtained.
(b) Special rule. Patient identifying information may be disclosed
to medical personnel of the Food and Drug Administration (FDA) who
assert a reason to believe that the health of any individual may be
threatened by an error in the manufacture, labeling, or sale of a
product under FDA jurisdiction, and that the information will be used
for the exclusive purpose of notifying patients or their physicians of
potential dangers.
(c) Procedures. Immediately following disclosure, the part 2
program shall document, in writing, the disclosure in the patient's
records, including:
(1) The name of the medical personnel to whom disclosure was made
and their affiliation with any health care facility;
(2) The name of the individual making the disclosure;
(3) The date and time of the disclosure; and
(4) The nature of the emergency (or error, if the report was to
FDA).
Sec. 2.52 Research.
(a) Notwithstanding other provisions of this part, including
paragraph (b)(2) of this section, patient identifying information may
be disclosed by the part 2 program or other lawful holder of part 2
data, for the purpose of conducting scientific research if the
individual designated as director or managing director, or individual
otherwise vested with authority to act as chief executive officer or
their designee makes a determination that the recipient of the patient
identifying information:
(1) If a HIPAA-covered entity or business associate, has obtained
and documented authorization from the patient, or a waiver or
alteration of authorization, consistent with the HIPAA Privacy Rule at
45 CFR 164.508 or 164.512(i), as applicable; or
(2) If subject to the HHS regulations regarding the protection of
human subjects (45 CFR part 46), either provides documentation that the
researcher is in compliance with the requirements of the HHS
regulations, including the requirements related to informed consent or
a waiver of consent (45 CFR 46.111 and 46.116) or that the research
qualifies for exemption under the HHS regulations (45 CFR 46.101(b) and
any successor regulations; or
(3) If both a HIPAA covered entity or business associate and
subject to the HHS regulations regarding the protection of human
subjects, has met the requirements of paragraphs (a)(1) and (2) of this
section; and
(4) If neither a HIPAA covered entity or business associate or
subject to the HHS regulations regarding the protection of human
subjects, this section does not apply.
(b) Any individual or entity conducting scientific research using
patient identifying information obtained under paragraph (a) of this
section:
(1) Is fully bound by the regulations in this part and, if
necessary, will resist in judicial proceedings any efforts to obtain
access to patient records except as permitted by the regulations in
this part.
(2) Must not re-disclose patient identifying information except
back to the individual or entity from whom that patient identifying
information was obtained or as permitted under paragraph (c) of this
section.
(3) May include part 2 data in research reports only in aggregate
form in which patient identifying information has been rendered non-
identifiable such that the information cannot be re-identified and
serve as an unauthorized means to identify a patient, directly or
indirectly, as having or having had a substance use disorder.
(4) Must maintain and destroy patient identifying information in
accordance with the security policies and procedures established under
Sec. 2.16.
(5) Must retain records in compliance with applicable federal,
state, and local record retention laws.
(c) Data linkages--(1) Researchers. Any individual or entity
conducting scientific research using patient identifying information
obtained under paragraph (a) of this section that requests linkages to
data sets from a data repository(-ies) holding patient identifying
information must:
(i) Have the request reviewed and approved by an Institutional
Review Board (IRB) registered with the Department of Health and Human
Services, Office for Human Research Protections in accordance with 45
CFR part 46 to ensure that patient privacy is considered and the need
for identifiable data is justified. Upon request, the researcher may be
required to provide evidence of the IRB approval of the research
project that contains the data linkage component.
(ii) Ensure that patient identifying information obtained under
paragraph (a) of this section is not provided to law enforcement
agencies or officials.
(2) Data repositories. For purposes of this section, a data
repository is fully bound by the provisions of part 2 upon receipt of
the patient identifying data and must:
(i) After providing the researcher with the linked data, destroy or
delete the linked data from its records, including sanitizing any
associated hard copy or electronic media, to render the patient
identifying information non-retrievable in a manner consistent with the
policies and procedures established under Sec. 2.16 Security for
records.
(ii) Ensure that patient identifying information obtained under
paragraph (a) of this section is not provided to law enforcement
agencies or officials.
[[Page 6124]]
(2) Except as provided in paragraph (c) of this section, a
researcher may not redisclose patient identifying information for data
linkages purposes.
Sec. 2.53 Audit and evaluation.
(a) Records not copied or removed. If patient records are not
downloaded, copied or removed from the part 2 program premises or
forwarded electronically to another electronic system or device,
patient identifying information, as defined in Sec. 2.11, may be
disclosed in the course of a review of records on the part 2 program
premises to any individual or entity who agrees in writing to comply
with the limitations on re-disclosure and use in paragraph (d) of this
section and who:
(1) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local government agency which provides
financial assistance to the part 2 program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who provides financial assistance to
the part 2 program, which is a third-party payer covering patients in
the part 2 program, or which is a quality improvement organization
performing a utilization or quality control review; or
(2) Is determined by the part 2 program to be qualified to conduct
an audit or evaluation of the part 2 program.
(b) Copying, removing, downloading, or forwarding patient records.
Records containing patient identifying information, as defined in Sec.
2.11, may be copied or removed from a part 2 program premises or
downloaded or forwarded to another electronic system or device from the
part 2 program's electronic records by any individual or entity who:
(1) Agrees in writing to:
(i) Maintain and destroy the patient identifying information in a
manner consistent with the policies and procedures established under
Sec. 2.16;
(ii) Retain records in compliance with applicable federal, state,
and local record retention laws; and
(iii) Comply with the limitations on disclosure and use in
paragraph (d) of this section; and
(2) Performs the audit or evaluation on behalf of:
(i) Any federal, state, or local government agency which provides
financial assistance to the part 2 program or is authorized by law to
regulate its activities; or
(ii) Any individual or entity who provides financial assistance to
the part 2 program, which is a third-party payer covering patients in
the part 2 program, or which is a quality improvement organization
performing a utilization or quality control review.
(c) Medicare, Medicaid, Children's Health Insurance Program (CHIP),
or related audit or evaluation. (1) Patient identifying information, as
defined in Sec. 2.11, may be disclosed under paragraph (c) of this
section to any individual or entity for the purpose of conducting a
Medicare, Medicaid, or CHIP audit or evaluation, including an audit or
evaluation necessary to meet the requirements for a Centers for
Medicare & Medicaid Services (CMS)-regulated accountable care
organization (CMS-regulated ACO) or similar CMS-regulated organization
(including a CMS-regulated Qualified Entity (QE)), if the individual or
entity agrees in writing to comply with the following:
(i) Maintain and destroy the patient identifying information in a
manner consistent with the policies and procedures established under
Sec. 2.16;
(ii) Retain records in compliance with applicable federal, state,
and local record retention laws; and
(iii) Comply with the limitations on disclosure and use in
paragraph (d) of this section.
(2) A Medicare, Medicaid, or CHIP audit or evaluation under this
section includes a civil or administrative investigation of a part 2
program by any federal, state, or local government agency with
oversight responsibilities for Medicare, Medicaid, or CHIP and includes
administrative enforcement, against the part 2 program by the
government agency, of any remedy authorized by law to be imposed as a
result of the findings of the investigation.
(3) An audit or evaluation necessary to meet the requirements for a
CMS-regulated ACO or similar CMS-regulated organization (including a
CMS-regulated QE) must be conducted in accordance with the following:
(i) A CMS-regulated ACO or similar CMS-regulated organization
(including a CMS-regulated QE) must:
(A) Have in place administrative and/or clinical systems; and
(B) Have in place a leadership and management structure, including
a governing body and chief executive officer with responsibility for
oversight of the organization's management and for ensuring compliance
with and adherence to the terms and conditions of the Participation
Agreement or similar documentation with CMS; and
(ii) A CMS-regulated ACO or similar CMS-regulated organization
(including a CMS-regulated QE) must have a signed Participation
Agreement or similar documentation with CMS, which provides that the
CMS-regulated ACO or similar CMS-regulated organization (including a
CMS-regulated QE):
(A) Is subject to periodic evaluations by CMS or its agents, or is
required by CMS to evaluate participants in the CMS-regulated ACO or
similar CMS-regulated organization (including a CMS-regulated QE)
relative to CMS-defined or approved quality and/or cost measures;
(B) Must designate an executive who has the authority to legally
bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and
this part and the terms and conditions of the Participation Agreement
in order to receive patient identifying information from CMS or its
agents;
(C) Agrees to comply with all applicable provisions of 42 U.S.C.
290dd-2 and this part;
(D) Must ensure that any audit or evaluation involving patient
identifying information occurs in a confidential and controlled setting
approved by the designated executive;
(E) Must ensure that any communications or reports or other
documents resulting from an audit or evaluation under this section do
not allow for the direct or indirect identification (e.g., through the
use of codes) of a patient as having or having had a substance use
disorder; and
(F) Must establish policies and procedures to protect the
confidentiality of the patient identifying information consistent with
this part, the terms and conditions of the Participation Agreement, and
the requirements set forth in paragraph (c)(1) of this section.
(4) Program, as defined in Sec. 2.11, includes an employee of, or
provider of medical services under the program when the employee or
provider is the subject of a civil investigation or administrative
remedy, as those terms are used in paragraph (c)(2) of this section.
(5) If a disclosure to an individual or entity is authorized under
this section for a Medicare, Medicaid, or CHIP audit or evaluation,
including a civil investigation or administrative remedy, as those
terms are used in paragraph (c)(2) of this section, then a quality
improvement organization which obtains the information under paragraph
(a) or (b) of this section may disclose the information to that
individual or entity but only for the purpose of conducting a Medicare,
Medicaid, or CHIP audit or evaluation.
(6) The provisions of this paragraph do not authorize the part 2
program, the federal, state, or local government agency, or any other
individual or entity to disclose or use patient identifying
[[Page 6125]]
information obtained during the audit or evaluation for any purposes
other than those necessary to complete the audit or evaluation as
specified in paragraph (c) of this section.
(d) Limitations on disclosure and use. Except as provided in
paragraph (c) of this section, patient identifying information
disclosed under this section may be disclosed only back to the program
from which it was obtained and used only to carry out an audit or
evaluation purpose or to investigate or prosecute criminal or other
activities, as authorized by a court order entered under Sec. 2.66.
Subpart E--Court Orders Authorizing Disclosure and Use
Sec. 2.61 Legal effect of order.
(a) Effect. An order of a court of competent jurisdiction entered
under this subpart is a unique kind of court order. Its only purpose is
to authorize a disclosure or use of patient information which would
otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in
this part. Such an order does not compel disclosure. A subpoena or a
similar legal mandate must be issued in order to compel disclosure.
This mandate may be entered at the same time as and accompany an
authorizing court order entered under the regulations in this part.
(b) Examples. (1) A person holding records subject to the
regulations in this part receives a subpoena for those records. The
person may not disclose the records in response to the subpoena unless
a court of competent jurisdiction enters an authorizing order under the
regulations in this part.
(2) An authorizing court order is entered under the regulations in
this part, but the person holding the records does not want to make the
disclosure. If there is no subpoena or other compulsory process or a
subpoena for the records has expired or been quashed, that person may
refuse to make the disclosure. Upon the entry of a valid subpoena or
other compulsory process the person holding the records must disclose,
unless there is a valid legal defense to the process other than the
confidentiality restrictions of the regulations in this part.
Sec. 2.62 Order not applicable to records disclosed without consent
to researchers, auditors and evaluators.
A court order under the regulations in this part may not authorize
qualified personnel, who have received patient identifying information
without consent for the purpose of conducting research, audit or
evaluation, to disclose that information or use it to conduct any
criminal investigation or prosecution of a patient. However, a court
order under Sec. 2.66 may authorize disclosure and use of records to
investigate or prosecute qualified personnel holding the records.
Sec. 2.63 Confidential communications.
(a) A court order under the regulations in this part may authorize
disclosure of confidential communications made by a patient to a part 2
program in the course of diagnosis, treatment, or referral for
treatment only if:
(1) The disclosure is necessary to protect against an existing
threat to life or of serious bodily injury, including circumstances
which constitute suspected child abuse and neglect and verbal threats
against third parties;
(2) The disclosure is necessary in connection with investigation or
prosecution of an extremely serious crime allegedly committed by the
patient, such as one which directly threatens loss of life or serious
bodily injury, including homicide, rape, kidnapping, armed robbery,
assault with a deadly weapon, or child abuse and neglect; or
(3) The disclosure is in connection with litigation or an
administrative proceeding in which the patient offers testimony or
other evidence pertaining to the content of the confidential
communications.
(b) [Reserved]
Sec. 2.64 Procedures and criteria for orders authorizing disclosures
for noncriminal purposes.
(a) Application. An order authorizing the disclosure of patient
records for purposes other than criminal investigation or prosecution
may be applied for by any person having a legally recognized interest
in the disclosure which is sought. The application may be filed
separately or as part of a pending civil action in which the applicant
asserts that the patient records are needed to provide evidence. An
application must use a fictitious name, such as John Doe, to refer to
any patient and may not contain or otherwise disclose any patient
identifying information unless the patient is the applicant or has
given written consent (meeting the requirements of the regulations in
this part) to disclosure or the court has ordered the record of the
proceeding sealed from public scrutiny.
(b) Notice. The patient and the person holding the records from
whom disclosure is sought must be provided:
(1) Adequate notice in a manner which does not disclose patient
identifying information to other persons; and
(2) An opportunity to file a written response to the application,
or to appear in person, for the limited purpose of providing evidence
on the statutory and regulatory criteria for the issuance of the court
order as described in Sec. 2.64(d).
(c) Review of evidence: Conduct of hearing. Any oral argument,
review of evidence, or hearing on the application must be held in the
judge's chambers or in some manner which ensures that patient
identifying information is not disclosed to anyone other than a party
to the proceeding, the patient, or the person holding the record,
unless the patient requests an open hearing in a manner which meets the
written consent requirements of the regulations in this part. The
proceeding may include an examination by the judge of the patient
records referred to in the application.
(d) Criteria for entry of order. An order under this section may be
entered only if the court determines that good cause exists. To make
this determination the court must find that:
(1) Other ways of obtaining the information are not available or
would not be effective; and
(2) The public interest and need for the disclosure outweigh the
potential injury to the patient, the physician-patient relationship and
the treatment services.
(e) Content of order. An order authorizing a disclosure must:
(1) Limit disclosure to those parts of the patient's record which
are essential to fulfill the objective of the order;
(2) Limit disclosure to those persons whose need for information is
the basis for the order; and
(3) Include such other measures as are necessary to limit
disclosure for the protection of the patient, the physician-patient
relationship and the treatment services; for example, sealing from
public scrutiny the record of any proceeding for which disclosure of a
patient's record has been ordered.
Sec. 2.65 Procedures and criteria for orders authorizing disclosure
and use of records to criminally investigate or prosecute patients.
(a) Application. An order authorizing the disclosure or use of
patient records to investigate or prosecute a patient in connection
with a criminal proceeding may be applied for by the person holding the
records or by any law enforcement or prosecutorial officials who are
responsible for conducting investigative or prosecutorial activities
with respect to the enforcement of criminal laws. The application may
be
[[Page 6126]]
filed separately, as part of an application for a subpoena or other
compulsory process, or in a pending criminal action. An application
must use a fictitious name such as John Doe, to refer to any patient
and may not contain or otherwise disclose patient identifying
information unless the court has ordered the record of the proceeding
sealed from public scrutiny.
(b) Notice and hearing. Unless an order under Sec. 2.66 is sought
in addition to an order under this section, the person holding the
records must be provided:
(1) Adequate notice (in a manner which will not disclose patient
identifying information to other persons) of an application by a law
enforcement agency or official;
(2) An opportunity to appear and be heard for the limited purpose
of providing evidence on the statutory and regulatory criteria for the
issuance of the court order as described in Sec. 2.65(d); and
(3) An opportunity to be represented by counsel independent of
counsel for an applicant who is a law enforcement agency or official.
(c) Review of evidence: Conduct of hearings. Any oral argument,
review of evidence, or hearing on the application shall be held in the
judge's chambers or in some other manner which ensures that patient
identifying information is not disclosed to anyone other than a party
to the proceedings, the patient, or the person holding the records. The
proceeding may include an examination by the judge of the patient
records referred to in the application.
(d) Criteria. A court may authorize the disclosure and use of
patient records for the purpose of conducting a criminal investigation
or prosecution of a patient only if the court finds that all of the
following criteria are met:
(1) The crime involved is extremely serious, such as one which
causes or directly threatens loss of life or serious bodily injury
including homicide, rape, kidnapping, armed robbery, assault with a
deadly weapon, and child abuse and neglect.
(2) There is a reasonable likelihood that the records will disclose
information of substantial value in the investigation or prosecution.
(3) Other ways of obtaining the information are not available or
would not be effective.
(4) The potential injury to the patient, to the physician-patient
relationship and to the ability of the part 2 program to provide
services to other patients is outweighed by the public interest and the
need for the disclosure.
(5) If the applicant is a law enforcement agency or official, that:
(i) The person holding the records has been afforded the
opportunity to be represented by independent counsel; and
(ii) Any person holding the records which is an entity within
federal, state, or local government has in fact been represented by
counsel independent of the applicant.
(e) Content of order. Any order authorizing a disclosure or use of
patient records under this section must:
(1) Limit disclosure and use to those parts of the patient's record
which are essential to fulfill the objective of the order;
(2) Limit disclosure to those law enforcement and prosecutorial
officials who are responsible for, or are conducting, the investigation
or prosecution, and limit their use of the records to investigation and
prosecution of the extremely serious crime or suspected crime specified
in the application; and
(3) Include such other measures as are necessary to limit
disclosure and use to the fulfillment of only that public interest and
need found by the court.
Sec. 2.66 Procedures and criteria for orders authorizing disclosure
and use of records to investigate or prosecute a part 2 program or the
person holding the records.
(a) Application. (1) An order authorizing the disclosure or use of
patient records to investigate or prosecute a part 2 program or the
person holding the records (or employees or agents of that part 2
program or person holding the records) in connection with a criminal or
administrative matter may be applied for by any administrative,
regulatory, supervisory, investigative, law enforcement, or
prosecutorial agency having jurisdiction over the program's or person's
activities.
(2) The application may be filed separately or as part of a pending
civil or criminal action against a part 2 program or the person holding
the records (or agents or employees of the part 2 program or person
holding the records) in which the applicant asserts that the patient
records are needed to provide material evidence. The application must
use a fictitious name, such as John Doe, to refer to any patient and
may not contain or otherwise disclose any patient identifying
information unless the court has ordered the record of the proceeding
sealed from public scrutiny or the patient has provided written consent
(meeting the requirements of Sec. 2.31) to that disclosure.
(b) Notice not required. An application under this section may, in
the discretion of the court, be granted without notice. Although no
express notice is required to the part 2 program, to the person holding
the records, or to any patient whose records are to be disclosed, upon
implementation of an order so granted any of the above persons must be
afforded an opportunity to seek revocation or amendment of that order,
limited to the presentation of evidence on the statutory and regulatory
criteria for the issuance of the court order in accordance with Sec.
2.66(c).
(c) Requirements for order. An order under this section must be
entered in accordance with, and comply with the requirements of,
paragraphs (d) and (e) of Sec. 2.64.
(d) Limitations on disclosure and use of patient identifying
information. (1) An order entered under this section must require the
deletion of patient identifying information from any documents made
available to the public.
(2) No information obtained under this section may be used to
conduct any investigation or prosecution of a patient in connection
with a criminal matter, or be used as the basis for an application for
an order under Sec. 2.65.
Sec. 2.67 Orders authorizing the use of undercover agents and
informants to investigate employees or agents of a part 2 program in
connection with a criminal matter.
(a) Application. A court order authorizing the placement of an
undercover agent or informant in a part 2 program as an employee or
patient may be applied for by any law enforcement or prosecutorial
agency which has reason to believe that employees or agents of the part
2 program are engaged in criminal misconduct.
(b) Notice. The part 2 program director must be given adequate
notice of the application and an opportunity to appear and be heard
(for the limited purpose of providing evidence on the statutory and
regulatory criteria for the issuance of the court order in accordance
with Sec. 2.67(c)), unless the application asserts that:
(1) The part 2 program director is involved in the suspected
criminal activities to be investigated by the undercover agent or
informant; or
(2) The part 2 program director will intentionally or
unintentionally disclose the proposed placement of an undercover agent
or informant to the employees or agents of the program who are
suspected of criminal activities.
(c) Criteria. An order under this section may be entered only if
the court determines that good cause exists. To
[[Page 6127]]
make this determination the court must find all of the following:
(1) There is reason to believe that an employee or agent of the
part 2 program is engaged in criminal activity;
(2) Other ways of obtaining evidence of the suspected criminal
activity are not available or would not be effective; and
(3) The public interest and need for the placement of an undercover
agent or informant in the part 2 program outweigh the potential injury
to patients of the part 2 program, physician-patient relationships and
the treatment services.
(d) Content of order. An order authorizing the placement of an
undercover agent or informant in a part 2 program must:
(1) Specifically authorize the placement of an undercover agent or
an informant;
(2) Limit the total period of the placement to six months;
(3) Prohibit the undercover agent or informant from disclosing any
patient identifying information obtained from the placement except as
necessary to investigate or prosecute employees or agents of the part 2
program in connection with the suspected criminal activity; and
(4) Include any other measures which are appropriate to limit any
potential disruption of the part 2 program by the placement and any
potential for a real or apparent breach of patient confidentiality; for
example, sealing from public scrutiny the record of any proceeding for
which disclosure of a patient's record has been ordered.
(e) Limitation on use of information. No information obtained by an
undercover agent or informant placed in a part 2 program under this
section may be used to investigate or prosecute any patient in
connection with a criminal matter or as the basis for an application
for an order under Sec. 2.65.
Dated: December 20, 2016.
Kana Enomoto,
Acting Deputy Assistant Secretary for Mental Health and Substance Use.
Sylvia M. Burwell,
Secretary.
[FR Doc. 2017-00719 Filed 1-13-17; 11:15 am]
BILLING CODE 4162-20-P
