Confidentiality of Substance Use Disorder Patient Records, 5485-5490 [2017-00742]

Download as PDF Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Proposed Rules Dated: December 13, 2016. Anthony J. Ceraolo, Captain, U.S. Coast Guard,Captain of the Port San Francisco. [FR Doc. 2017–01050 Filed 1–17–17; 8:45 am] BILLING CODE 9110–04–P menu and selecting ‘‘Smoking’’ from the list of policy subjects. Michael Bean, Principal Deputy Assistant Secretary for Fish and Wildlife and Parks. [FR Doc. 2017–01060 Filed 1–17–17; 8:45 am] BILLING CODE 4312–52–P DEPARTMENT OF THE INTERIOR National Park Service DEPARTMENT OF HEALTH AND HUMAN SERVICES 36 CFR Parts 1 and 2 Office of the Secretary 42 CFR Part 2 [NPS–WASO–REGS–17326; GPO Deposit Account 4311H2] [SAMHSA–4162–20] RIN 0930–ZA07 RIN 1024–AE30 Withdrawal of the Proposed Rule To Revise General Provisions; Electronic Cigarettes AGENCY: ACTION: National Park Service; Interior. Proposed rule; withdrawal. The National Park Service withdraws the proposed rule that would revise the regulation that defines smoking to include the use of electronic cigarettes and other electronic nicotine delivery systems; and would allow a superintendent to close an area, building, structure, or facility to smoking when necessary to maintain public health and safety. The withdrawal is based upon a need to engage in additional interagency coordination and review of the proposal. SUMMARY: The January 6, 2017, proposed rule (82 FR 1647) is withdrawn as of January 18, 2017. DATES: The withdrawal of the proposed rule, and comments, are available at www.regulations.gov by searching for Regulation Identifier Number (RIN) 1024–AE30. ADDRESSES: Sara Newman, Director, Office of Public Health, by telephone 202–513–7225, or email sara_newman@nps.gov. FOR FURTHER INFORMATION CONTACT: This withdrawal does not affect Director’s Order #50D (Smoking Policy), originally issued in 2003 and then revised and reissued in 2009, and Policy Memorandum 15–03 (Use of Electronic Nicotine Delivery Systems), issued on September 10, 2015, which remain in effect and are available online on the NPS Office of Policy Web site at https:// www.nps.gov/applications/npspolicy/ index.cfm by clicking on the drop-down mstockstill on DSK3G9T082PROD with PROPOSALS SUPPLEMENTARY INFORMATION: VerDate Sep<11>2014 16:51 Jan 17, 2017 Jkt 241001 Confidentiality of Substance Use Disorder Patient Records Substance Abuse and Mental Health Services Administration, HHS. ACTION: Supplemental notice of proposed rulemaking. AGENCY: On Feb. 9, 2016, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a Notice of Proposed Rulemaking (NPRM) that proposed policy changes to update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2). SAMHSA explained in the NPRM that these changes were intended to better align the regulations with advances in the U.S. health care delivery system while retaining important privacy protections for individuals seeking treatment for substance use disorders. The last substantive update to these regulations was in 1987. SAMHSA is issuing this Supplemental Notice of Proposed Rulemaking (SNPRM) to propose additional clarifications to the part 2 regulations as amended by the concurrently issued final rule. As noted in the final rule, 42 CFR part 2 Confidentiality of Substance Use Disorder Patient Records, questions raised by commenters highlighted varying interpretations of the 1987 rule’s restrictions on lawful holders and their contractors and subcontractors’ use and disclosure of part 2-covered data for purposes of carrying out payment, health care operations, and other health care related activities. In consideration of this feedback and given the critical role that third-party payers, other lawful holders, and their contractors, subcontractors, and legal representatives play in the provision of health care services, SAMHSA is issuing this SNPRM to seek further comments on our proposals to address and help SUMMARY: PO 00000 Frm 00055 Fmt 4702 Sfmt 4702 5485 clarify these matters before establishing any appropriate restrictions on disclosures to contractors, subcontractors and legal representatives. DATES: To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on February 17, 2017. ADDRESSES: You may submit comments, identified by Regulatory Information Number (RIN) 0930–AA21, by any of the following methods: Electronically: Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the instructions for submitting comments. Regular, Express or Overnight Mail, or Hand Delivery or Courier: Written comments sent by hand delivery, or mailed by regular, express, or overnight mail must be sent to the following address ONLY: The Substance Abuse and Mental Health Services Administration, Department of Health and Human Services, Attn: Danielle Tarino, SAMHSA, 5600 Fishers Lane, Room 13E89A, Rockville, Maryland 20857. Please allow sufficient time for mailed comments to be received before the close of the comment period. Instructions: To avoid duplication, please submit only one copy of your comments by only one method. All submissions received must include the agency name and docket number or RIN for this rulemaking. All comments received will become a matter of public record and will be posted without change to https://www.regulations.gov, including any personal information provided. For detailed instructions on submitting comments and additional information on the rulemaking process and viewing public comments, see the ‘‘Request for Public Comments’’ heading of the SUPPLEMENTARY INFORMATION section of this document. Docket: For access to the docket to read background documents or comments received, go to https:// www.regulations.gov. FOR FURTHER INFORMATION CONTACT: Danielle Tarino, SAMHSA, 5600 Fishers Lane, Room 13E89A, Rockville, Maryland 20857, 240–276–2857, Email address: Danielle.Tarino@ samhsa.hhs.gov SUPPLEMENTARY INFORMATION: Background On February 9, 2016, SAMHSA published an NPRM in the Federal Register (81 FR 6987) proposing updates to regulations for the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2). These regulations implement title 42, section E:\FR\FM\18JAP1.SGM 18JAP1 mstockstill on DSK3G9T082PROD with PROPOSALS 5486 Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Proposed Rules 290dd–2 of the United States Code pertaining to Confidentiality of Records. SAMHSA explained in that NPRM, it proposed to update these regulations, last substantively amended in 1987, to reflect development of integrated health care models and growing use of electronic means for exchanging patient information. At the same time, SAMHSA wished to maintain protections for (part 2) patient identifying information, as persons with substance use disorders still may encounter significant discrimination if their information is improperly disclosed. Elsewhere in this issue of the Federal Register SAMHSA published a final rule. In response to public comments, the final rule provides for greater flexibility in disclosing (part 2) patient identifying information within the health care system while continuing to address the privacy concerns of patients seeking treatment for a substance use disorder. SAMHSA received 376 comments on the NPRM. SAMHSA received a number of comments to the NPRM that went beyond what SAMHSA was proposing. Some commenters to the NPRM urged SAMHSA to clarify the scope of permitted disclosures of (part 2) patient identifying information by third-party payers. Some commenters asked that the current and proposed Qualified Service Organization (QSO) (part 2) patient identifying information disclosure provisions be applied to disclosures by third-party payers and other lawful holders of (part 2) patient identifying information to support health care operations and payment. Some commenters suggested doing this through the expansion of the definition of QSO. For instance, one commenter suggested that the definition of qualified service organization include ‘‘lawful holders of [p]art 2 patient identifying information,’’ stating that ACOs often engage analytics companies to provide support in identifying those high-risk patients who would benefit from care management and other services. Another commenter suggested expanding provisions concerning audits and evaluations to permit CMS to disclose (part 2) patient identifying information to ACOs and bundled payment participating entities for program audit and evaluation purposes. Others noted that QSOs themselves, as well as state Medicaid programs often use software vendors and other contractors, subcontractors, and legal representatives to carry out administrative and claims processing functions. A commenter further urged that the tasks that could be carried out VerDate Sep<11>2014 16:51 Jan 17, 2017 Jkt 241001 under the QSO policies not only be broadened to include population health management activities but also ‘‘clinical professional support services (e.g., quality improvement initiatives, utilization review and management services); third-party liability and coordination of benefit support services; activities related to preventing fraud, waste and abuse; and other activities and functions typically performed by contractors for or on behalf of thirdparty payers.’’ In developing the final rule, SAMHSA responded directly to several of these public comments about the NPRM. For instance, the ‘‘To Whom’’ discussion in the preamble to the final rule provides that: ‘‘[f]or purposes of payment-related activities, to the extent that federal or state law authorizes or requires that the Medicaid or Medicare agency or program share data or enter into a contractual arrangement or other formal agreements to do so, written consent to disclose patient identifying information to the agencies or programs (as a thirdparty payer) under section 2.31(a)(4)(iii)(A) is considered to extend to the contractors, subcontractors, and legal representatives of the agencies or programs.’’ SAMHSA discussed in the final rule preamble that a ‘‘lawful holder’’ of (part 2) patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a prohibition on redisclosure notice) or as permitted under the part 2 statute, regulations, or guidance and, therefore, is bound by 42 CFR part 2. One commenter indicated that state Medicaid agencies hire contractors for a wide array of ‘‘administrative functions’’; and that those contractors and vendors accessed (part 2) patient identifying information to carry out these activities. Other comments noted the role of third-parties in Medicaid program claims processing. Another commenter suggested that, given the role of MCOs, state Medicaid agencies and other programs, whether a patient designated the ‘‘name of the state agency, the MCO or simply Medicaid, the rule should consider consent to apply to the State and its contracted delivery system.’’ Another commenter similarly urged that ‘‘In order to ensure that Medicaid programs can carry out its operational requirements, consent that names the Medicaid agency or the MCO should permit disclosure to the entity’s contractors, when necessary.’’ With respect to lawful holders, certain commenters requested changes to or highlighted the need for additional guidance regarding how third-party PO 00000 Frm 00056 Fmt 4702 Sfmt 4702 payers may use and disclose (part 2) patient identifying information (as defined in 42 CFR 2.11) as they carry out their payment and health care operations. One commenter asked for explicit confirmation that Medicaid plans were allowed to process claims through a contracted entity (e.g., Medicaid managed care organizations (MCOs)). Similarly, another commenter recommended that the rule clarify that a patient’s naming of the state agency, the MCO, or simply Medicaid were all adequate to consent to allowing the patient’s information to be released to whichever entity actually conducted the required functions on behalf of the third-party payer. One commenter suggested that such payers should be viewed as intermediaries for purposes of sharing substance use disorder information with treating providers. Other commenters noted that Medicaid agencies and MCOs both require access to (part 2) patient identifying information for the purposes of payment. Another commenter discussed the history of the part 2 rules and asserted that the governing statute, 42 U.S.C. 290dd–2, does not require treating third-party payers differently than other payers. The commenter further asserted that ‘‘[e]ssentially all third-party payers contract with third parties to obtain services and perform activities that involve specialized expertise, equipment or other resources that the payer does not maintain inhouse due to the associated administrative and other costs.’’ These comments, while not addressing specific changes proposed in the NPRM, have prompted SAMHSA to propose additional clarifications and modifications to the part 2 rules to clarify the scope of permissible disclosures. In an effort to address some of the commenters’ requests and recommendations for clarity SAMHSA is concurrently issuing this SNPRM with the final rule to elicit public comment on these additional proposals to further clarify and expound upon these pertinent comments. We seek comment on our proposals regarding the following concepts and provisions: The payment and health care operationsrelated disclosures that can be made to contractors, subcontractors, and legal representatives by lawful holders under the part 2 rule consent provisions; and the provisions governing disclosures for purposes of carrying out a Medicaid, Medicare or Children’s Health Insurance Program (CHIP) audit or evaluation. SAMHSA will take any such comments under consideration if it engages in further rulemaking in the future. E:\FR\FM\18JAP1.SGM 18JAP1 Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Proposed Rules SAMHSA will consider the public comments on this SNPRM, any relevant comments already received on these subjects in response to the February 9, 2016, NPRM and relevant comments made at the June 11, 2014 listening session on part 2 (see 79 FR 26929) before issuing a final rule. Proposed Provisions SAMHSA seeks comment on proposals in this SNPRM to retain the notice found in § 2.32 but consider whether an abbreviated notice would be appropriate and in which circumstances, further revise § 2.33 (Disclosures permitted with written consent) define and limit the circumstances in which certain disclosures for the purposes of payment and health care operations can be made; and similarly to further revise § 2.53 (Audit and Evaluation) to expressly address further disclosures by contractors, subcontractors, and legal representatives for purposes of carrying out a Medicaid, Medicare, or CHIP audit or evaluation. SAMHSA also seeks comment on its proposals regarding the establishment of appropriate restrictions and safeguards on lawful holders and their contractors, subcontractors, and legal representatives’ use and disclosure of (part 2) patient identifying information for the purposes discussed in this SNPRM. SAMHSA is not soliciting comments on any other issues relating to the final rule and will not consider comments at this time that address changes to part 2 other than those contemplated in this SNPRM. mstockstill on DSK3G9T082PROD with PROPOSALS Section 2.32 Prohibition on ReDisclosure SAMHSA does not propose to substantively modify the existing notice at 2.32, but seeks comment on whether it should add a shorter abbreviated statement in subsection (a) Notice to accompany re-disclosure to be used in certain circumstances (e.g., for particular types of disclosures or technical systems) where a shorter notice may be warranted. An abbreviated statement could read, for example, ‘‘Data is subject to 42 CFR part 2. Use/disclose in conformance with part 2.’’ Section 2.33 Disclosures Permitted With Written Consent SAMHSA understands that contractors, subcontractors, and legal representatives play an integral role in the management, delivery, and payment of health care services, but believes that limits should be placed on disclosures of (part 2) patient identifying information to such entities to carry out VerDate Sep<11>2014 16:51 Jan 17, 2017 Jkt 241001 these activities. As such, SAMHSA seeks public comment on its proposal to explicitly list and limit under § 2.33(b), specific types of activities for which any lawful holder of (part 2) patient identifying information would be allowed to further disclose the minimal information necessary for specific payment and health care operations activities described below. While lawful holders may disclose (part 2) patient identifying information to contractors, subcontractors, and legal representatives for these purposes, this proposal makes clear the scope and requirements for those permitted disclosures. To the extent that a written consent permits the use of part 2 patient identifying information for payment or healthcare operations, this provision at § 2.33(b) specifies that the further disclosures specified below can be made. SAMHSA notes that this list of activities related to payment and health care operation is similar to the HIPAA Privacy Rule’s definition of the terms ‘‘payment’’ and ‘‘health care operations,’’ although SAMHSA is not adopting those definitions in their entirety. The payment and health care operation activities listed in this section does not include activities that SAMHSA considers to be related to the patient’s diagnosis, treatment, or referral for treatment. SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom they will have direct contact. For these reasons, this provision will not cover care coordination or case management and the proposal provides that disclosures to contractors, subcontractors, and legal representatives to carry out other purposes are not permitted under this section. SAMHSA will consider certain payment or health care operationsrelated activities permissible for lawful holders to disclose to contractors, subcontractors, or legal representatives as long as the activities fit within the overall purpose of the written consent. See paragraphs (b)(1) through (17) of § 2.33 SAMHSA also solicits comment on whether the proposed listing of explicitly permitted activities is adequate and appropriate to ensure the health care industry’s ability to conduct necessary payment and the described health care operational functions, while still affording adequate privacy protections for the individuals who were diagnosed, treated, or referred for treatment. We note that contractors, subcontractors, and legal representatives that would receive data under this provision would become lawful holders PO 00000 Frm 00057 Fmt 4702 Sfmt 4702 5487 upon receipt of such data, and, as such, would themselves be subject to the part 2 requirements. Moreover, consent would still be required and disclosures must be made in accordance with section 2.13(a), Confidentiality restrictions and safeguards, which states that ‘‘[a]ny disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure.’’ Consequently, the stated purpose of a written consent limits the scope of the disclosures with respect to the (part 2) patient identifying information disclosed. In addition, lawful holders that disclose (part 2) patient identifying information to contractors, subcontractors, and legal representatives for payment and the described health care operations may only disclose (part 2) patient identifying information to contractors, subcontractors, and legal representatives that perform a function that is consistent with the stated purpose of the consent and only to perform that function. SAMHSA seeks comments on the proper mechanisms to convey the scope of the consent to lawful holders, contractors, subcontractors, and legal representatives, including those who are downstream recipients of (part 2) patient identifying information given current electronic data exchange technical designs. SAMHSA also believes that it is critical that contractors, subcontractors, and legal representatives understand their obligations with respect to (part 2) patient identifying information. Accordingly, SAMHSA proposes new regulatory text under § 2.33(c) requiring that lawful holders that engage contractors and subcontractors to carry out payment and the described health care operations that will entail using or disclosing (part 2) patient identifying information include specific contract and subcontract provisions requiring contractors and subcontractors to comply with the provisions of part 2. An appropriate comparable instrument will suffice in cases where there is otherwise no contract between the lawful holder and a legal representative who is retained voluntarily (as opposed to one who is required to represent the lawful holder by law, in which case the requirement for a contract or comparable instrument in 2.33(c) shall not apply). SAMHSA proposes to amend subsection (b) and add a new subsection (c) to the disclosure permitted with written consent provisions at § 2.33. SAMHSA seeks comment on the proposal to revise E:\FR\FM\18JAP1.SGM 18JAP1 5488 Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Proposed Rules disclosures permitted with written consent provision in § 2.33. Section 2.53 Audit and Evaluation SAMHSA recognized in the final rule the critical importance of audits and evaluations. Accordingly, SAMHSA made clear that disclosures of patient identifying information to ACO’s and similar CMS-regulated entities to carry out Medicare, Medicaid and Children’s Health Insurance Program (CHIP) audit and evaluation activities are permitted. However, public comments requested further specification regarding the permitted disclosures of (part 2) patient identifying information for audit and evaluation purposes. Public commenters noted that, as with other payment and health care operations, contractors, subcontractors, and legal representatives may be tasked with conducting audit and evaluation activities. Such entities may not be CMS-regulated, and may be conducted for private payers as well as Medicare and Medicaid programs. In addition, commenters noted that audits and evaluations may include quality improvement activities, as well as efforts related to reimbursement and financing. As such, SAMHSA proposes further amendment as set out in the regulatory text of section 2.53. mstockstill on DSK3G9T082PROD with PROPOSALS Request for Public Comments SAMHSA believes that the new proposals and clarifications discussed above will provide the desired solutions and understanding sought by commenters to the NPRM, while also offering patient protections appropriate to the current health care environment. In making these proposals, SAMHSA notes that such payment and the described health care operations and audit and evaluation functions will still be governed by other applicable laws and regulations, such as the HIPAA Privacy and Security Rules, in addition to 42 CFR part 2. SAMHSA notes that the fact that lawful holders and part 2 programs are permitted to disclose data in no way obviates the overarching purpose of part 2: to protect (part 2) patient identifying information for patients seeking diagnosis, treatment, or referral for treatment for substance use disorders. Lawful holders and part 2 programs have responsibility to exercise due diligence with respect to their contractors, subcontractors, or legal representatives to whom they disclose or with whom they exchange (part 2) patient identifying information. Should the changes in this SNPRM be adopted, SAMHSA anticipates issuing further guidance about these topics. VerDate Sep<11>2014 16:51 Jan 17, 2017 Jkt 241001 SAMHSA seeks specific comment on the implications of these proposed changes on the privacy and confidentiality of records concerning substance use disorder diagnosis, prognosis and treatment, and referral for treatment and overall goals of the part 2 rules, and the regulatory and financial impact, if any, of these proposals. SAMHSA also seeks comments on the following for its consideration in future rulemaking and guidance: (1) Additional purposes for which lawful holders should be able to disclose (part 2) patient identifying information, (2) Further subregulatory guidance that SAMHSA and other agencies could provide to help facilitate implementation of 42 CFR part 2 in the current healthcare environment. Regulatory Impact Analysis (RIA) In this SNPRM, SAMHSA proposes clarifications and revisions of the following: The disclosures permitted with written consent (§ 2.33), the payment and health care operations activities for which lawful holders may disclose (part 2) patient identifying information to their contractors, subcontractors, and legal representatives; and the audit and evaluation provision that permit certain disclosures for purposes of carrying out a Medicaid, Medicare or CHIP audit and evaluation (§ 2.53). SAMHSA has analyzed the costs of complying with the proposed regulations in this supplemental NPRM. SAMHSA does not believe these revisions, if ultimately adopted, will result in any additional costs to Part 2 programs. Based on public comments, SAMHSA anticipates that these modifications will enhance efficiency of such payment and health care operations as claims processing, business management, training and customer service. The proposal specifies that lawful holders who receive part 2 records under the terms of a patient’s written consent are permitted to further disclose those records to their contractors, subcontractors, and legal representatives to carry out payment and certain health care operations described in the SNPRM. When information is shared with contractors, subcontractors, and legal representatives, contract and subcontract provisions (or provisions in an appropriate comparable instrument in the case of certain legal representatives) must be included requiring these entities to comply with the provisions of part 2. Changes proposed to the audit and evaluation provisions will make clear that the PO 00000 Frm 00058 Fmt 4702 Sfmt 4702 individual or entity receiving (part 2) patient identifying information for audit and evaluation or quality improvement purposes is permitted to further disclose this information to contractor(s) or subcontractor(s) to complete these activities. Should these proposals ultimately be adopted, SAMHSA does not anticipate entities will incur any additional costs beyond those analyzed in the Final Rule. Nonetheless, SAMHSA seeks comments on costs and benefits of this change for part 2 programs and any burdens these proposed changes may impose on regulated entities. Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. PRA issues are discussed in the final rule. SAMHSA anticipates no substantive changes in PRA requirements should changes proposed in the SNPRM be adopted. SAMHSA seeks and will consider public comment on our assumptions as they relate to the PRA requirements. SAMHSA has examined the impact of this proposed rule under Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act of 1980 (Pub. L. 96–354, September 19, 1980), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4, March 22, 1995), and Executive Order 13132 on Federalism (August 4, 1999). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to and reaffirms the principles, structures, and definitions governing regulatory review as established in Executive Order 12866. SAMHSA expects that the changes proposed in this SNPRM, if adopted, will not have an annual effect on the economy of $100 million or more in at least 1 year. Therefore, this rule will not be an economically significant regulatory action as defined by Executive Order 12866. The Regulatory Flexibility Act (RFA) requires agencies that issue a regulation to analyze options for regulatory relief of small businesses if a rule has a E:\FR\FM\18JAP1.SGM 18JAP1 Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Proposed Rules significant impact on a substantial number of small entities. The RFA generally defines a ‘‘small entity’’ as (1) a proprietary firm meeting the size standards of the Small Business Administration; (2) a nonprofit organization that is not dominant in its field; or (3) a small government jurisdiction with a population of less than 50,000 (States and individuals are not included in the definition of ‘‘small entity’’). For similar rules, HHS considers a rule to have a significant economic impact on a substantial number of small entities if at least 5 percent of small entities experience an impact of more than 3 percent of revenue. SAMHSA anticipates that the proposals in this SNPRM, if adopted, will not have a significant economic impact on a substantial number of small entities. Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires that agencies prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing ‘‘any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.’’ The current threshold after adjustment for inflation is $146 million, using the most current (2015) implicit price deflator for the gross domestic product. The proposals in this SNPRM, if adopted, would not trigger the Unfunded Mandate Reform Act because it will not result in expenditures of this magnitude by states or other government entities. List of Subjects in 42 CFR Part 2 Alcohol abuse, Alcoholism, Drug abuse, Grant programs—health, Health records, Privacy, Reporting, and Recordkeeping requirements. For the reasons stated in the preamble, SAMHSA proposes to amend 42 CFR part 2 as follows: PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS 1. The authority citation for part 2 continues to read as follows: mstockstill on DSK3G9T082PROD with PROPOSALS ■ Authority: Sec. 408 of Pub. L. 92–255, 86 Stat. 79, as amended by sec. 303(a), (b) of Pub L. 93–282, 83 Stat. 137, 138; sec. 4(c)(5)(A) of Pub. L. 94–237, 90 Stat. 244; sec. 111(c)(3) of Pub. L. 94–581, 90 Stat. 2852; sec. 509 of Pub. L. 96–88, 93 Stat. 695; sec. 973(d) of Pub. L. 97–35, 95 Stat. 598; and transferred to sec. 527 of the Public Health Service Act by sec. 2(b)(16)(B) of Pub. L. 98–24, 97 Stat. 182 and as amended by sec. 106 of Pub. L. 99–401, 100 Stat. 907 (42 U.S.C. 290ee–3) VerDate Sep<11>2014 16:51 Jan 17, 2017 Jkt 241001 and sec. 333 of Pub. L. 91–616, 84 Stat. 1853, as amended by sec. 122(a) of Pub. L. 93–282, 88 Stat. 131; and sec. 111(c)(4) of Pub. L. 94– 581, 90 Stat. 2852 and transferred to sec. 523 of the Public Health Service Act by sec. 2(b)(13) of Pub. L. 98–24, 97 Stat. 181 and as amended by sec. 106 of Pub. L. 99–401, 100 Stat. 907 (42 U.S.C. 290dd–3), as amended by sec. 131 of Pub. L. 102–321, 106 Stat. 368, (42 U.S.C. 290dd–2). Subpart B—General Provisions ■ 2. Revise § 2.33 to read as follows: § 2.33 Disclosures permitted with written consent. (a) If a patient consents to a disclosure of their records under § 2.31, a program may disclose those records in accordance with that consent to any person or category of persons identified or general designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively. (b) If a patient consents to a disclosure of their records under § 2.31 for payment and/or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or the following health care operations on behalf of such lawful holder. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes are not permitted under this section. In accordance with § 2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure. (1) Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing; (2) Clinical professional support services (e.g., quality assessment and improvement; initiatives, utilization review and management services); (3) Patient safety activities; (4) Activities pertaining to: (i) The training of student trainees and health care professionals; (ii) The assessment of practitioner competencies; and (iii) The assessment of provider and/ or health plan performance; (iv) Training of non-health care professionals; (5) Accreditation, certification, licensing, or credentialing activities; (6) Underwriting, enrollment, premium rating, and other activities PO 00000 Frm 00059 Fmt 4702 Sfmt 4702 5489 related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care; (7) Third-party liability coverage; (8) Activities related to addressing fraud, waste and abuse; (9) Conducting or arranging for medical review, legal services, and auditing functions; (10) Business planning and development, such as conducting costmanagement and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies; (11) Business management and general administrative activities, including, but not limited to, management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations; (12) Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers; (13) Resolution of internal grievances; (14) The sale, transfer, merger, consolidation, or dissolution of an organization; (15) Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; (16) Risk adjusting amounts due based on enrollee health status and demographic characteristics; (17) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges. (c) Lawful holders who wish to disclose patient identifying information pursuant to subsection (b) of this section must enter into a written contract with the contractor (or appropriate comparable instrument in the case of a legal representative retained voluntarily by the lawful holder), which provides that the contractor and any subcontractor or legal representative are or will be fully bound by the provisions of part 2 upon receipt of the patient identifying data, and, as such that each disclosure shall be accompanied by the notice required under § 2.32. In making such disclosure, the lawful holder should specify permitted uses of patient identifying information consistent with the written consent, by the contractor and any subcontractors or legal E:\FR\FM\18JAP1.SGM 18JAP1 5490 Federal Register / Vol. 82, No. 11 / Wednesday, January 18, 2017 / Proposed Rules representatives to carry out the payment and health care operations activities listed in the preceding subparagraph, require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder should only disclose information to the contractor or subcontractor or legal representative that is necessary for the contractor or subcontractor to perform its duties under the contract. Also, the contract does not permit a contractor or subcontractor or legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated. ■ 3. Amend § 2.53 by: ■ a. Revising paragraph (a)(1)(i). ■ b. Revising paragraphs (b)(2)(i) and (ii). ■ c. Revising paragraph (c)(5). The revisions and addition read as follows: mstockstill on DSK3G9T082PROD with PROPOSALS § 2.53 Audit and evaluation. (a) * * * (1) * * * (i) Any Federal, State, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate the activities of the part 2 program or those of the lawful holder; * * * * * (b) * * * (2) * * * (i) Any federal, state, or local governmental agency which provides financial assistance to the program or is authorized by law to regulate the activities of the part 2 program or those of the lawful holder; or (ii) Any individual or entity which provides financial assistance to the part 2 program, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review, or such individual’s or entity’s or quality improvement organization’s contractors, subcontractors, or legal representatives. * * * * * (c) * * * (5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit VerDate Sep<11>2014 16:51 Jan 17, 2017 Jkt 241001 or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, the individual or entity may further disclose the patient identifying information that is received for such purposes to its contractor(s) or subcontractor(s) to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may disclose the information to that individual or entity (or, to such individual’s or entity’s contractors, subcontractors, or legal representatives, but only for the purposes of this section. * * * * * Dated: January 5, 2017. Kana Enomoto, Acting Deputy Assistant Secretary for Mental Health and Substance Use. Approved: Sylvia M. Burwell, Secretary. [FR Doc. 2017–00742 Filed 1–13–17; 11:15 am] BILLING CODE 4162–20–P DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 2, 4, 7, 11, 23, 36, 39, 42, and 52 [FAR Case 2015–033; Docket No. 2015– 0033; Sequence No. 1] RIN 9000–AN28 Federal Acquisition Regulation: Sustainable Acquisition Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Proposed rule. AGENCIES: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to implement Executive Order, Planning for Federal Sustainability in the Next Decade, and the biobased product acquisition provisions of the Agricultural Act of 2014 (also known as the 2014 Farm Bill). DATES: Interested parties should submit written comments to the Regulatory Secretariat Division at one of the addresses shown below on or before March 20, 2017 to be considered in the formation of the final rule. SUMMARY: PO 00000 Frm 00060 Fmt 4702 Sfmt 4702 Submit comments in response to FAR Case 2015–033 by any of the following methods: • Regulations.gov: https:// www.regulations.gov.Submit comments via the Federal eRulemaking portal by searching for ‘‘FAR Case 2015–033’’. Select the link ‘‘Comment Now’’ that corresponds with ‘‘FAR Case 2015– 033.’’ Follow the instructions provided on the screen. Please include your name, company name (if any), and ‘‘FAR Case 2015–033’’ on your attached document. • Mail: General Services Administration, Regulatory Secretariat, ATTN: Ms. Flowers, 1800 F Street NW., 2nd floor, Washington, DC 20405. Instructions: Please submit comments only and cite ‘‘FAR Case 2015–033’’ in all correspondence related to this case. All comments received will be posted without change to https:// www.regulations.gov, including any personal and/or business confidential information provided. To confirm receipt of your comment(s), please check www.regulations.gov, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail). FOR FURTHER INFORMATION CONTACT: Mr. Charles Gray, Procurement Analyst, at 703–795–6328 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202–501–4755. Please cite ‘‘FAR Case 2015–033.’’ SUPPLEMENTARY INFORMATION: ADDRESSES: I. Background DoD, GSA, and NASA are proposing to revise the FAR to implement policy that will improve agencies’ environmental performance and Federal sustainability. Federal agencies have been the leaders in reducing building and fleet energy use, using renewable energy, and buying more sustainable products and services as the United States works to build a clean energy economy. Building on the progress achieved to date, President Obama issued Executive Order (E.O.) 13693, Planning for Federal Sustainability in the Next Decade, on March 19, 2015, published in the Federal Register at 80 FR 15869, on March 25, 2015, to plan for and further expand agency progress in reducing greenhouse gas emissions over the next decade. The changes made in this proposed rule continue the improvements made by the Federal Government to lead by example in protecting the health of our environment by purchasing sustainable E:\FR\FM\18JAP1.SGM 18JAP1

Agencies

[Federal Register Volume 82, Number 11 (Wednesday, January 18, 2017)]
[Proposed Rules]
[Pages 5485-5490]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-00742]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-ZA07


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration, HHS.

ACTION: Supplemental notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: On Feb. 9, 2016, the Substance Abuse and Mental Health 
Services Administration (SAMHSA) published a Notice of Proposed 
Rulemaking (NPRM) that proposed policy changes to update and modernize 
the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR 
part 2). SAMHSA explained in the NPRM that these changes were intended 
to better align the regulations with advances in the U.S. health care 
delivery system while retaining important privacy protections for 
individuals seeking treatment for substance use disorders. The last 
substantive update to these regulations was in 1987. SAMHSA is issuing 
this Supplemental Notice of Proposed Rulemaking (SNPRM) to propose 
additional clarifications to the part 2 regulations as amended by the 
concurrently issued final rule. As noted in the final rule, 42 CFR part 
2 Confidentiality of Substance Use Disorder Patient Records, questions 
raised by commenters highlighted varying interpretations of the 1987 
rule's restrictions on lawful holders and their contractors and 
subcontractors' use and disclosure of part 2-covered data for purposes 
of carrying out payment, health care operations, and other health care 
related activities. In consideration of this feedback and given the 
critical role that third-party payers, other lawful holders, and their 
contractors, subcontractors, and legal representatives play in the 
provision of health care services, SAMHSA is issuing this SNPRM to seek 
further comments on our proposals to address and help clarify these 
matters before establishing any appropriate restrictions on disclosures 
to contractors, subcontractors and legal representatives.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on February 17, 
2017.

ADDRESSES: You may submit comments, identified by Regulatory 
Information Number (RIN) 0930-AA21, by any of the following methods:
    Electronically: Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the instructions for submitting 
comments.
    Regular, Express or Overnight Mail, or Hand Delivery or Courier: 
Written comments sent by hand delivery, or mailed by regular, express, 
or overnight mail must be sent to the following address ONLY: The 
Substance Abuse and Mental Health Services Administration, Department 
of Health and Human Services, Attn: Danielle Tarino, SAMHSA, 5600 
Fishers Lane, Room 13E89A, Rockville, Maryland 20857.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    Instructions: To avoid duplication, please submit only one copy of 
your comments by only one method. All submissions received must include 
the agency name and docket number or RIN for this rulemaking. All 
comments received will become a matter of public record and will be 
posted without change to https://www.regulations.gov, including any 
personal information provided. For detailed instructions on submitting 
comments and additional information on the rulemaking process and 
viewing public comments, see the ``Request for Public Comments'' 
heading of the SUPPLEMENTARY INFORMATION section of this document.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Danielle Tarino, SAMHSA, 5600 Fishers 
Lane, Room 13E89A, Rockville, Maryland 20857, 240-276-2857, Email 
address: Danielle.Tarino@samhsa.hhs.gov

SUPPLEMENTARY INFORMATION:

Background

    On February 9, 2016, SAMHSA published an NPRM in the Federal 
Register (81 FR 6987) proposing updates to regulations for the 
Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 
2). These regulations implement title 42, section

[[Page 5486]]

290dd-2 of the United States Code pertaining to Confidentiality of 
Records. SAMHSA explained in that NPRM, it proposed to update these 
regulations, last substantively amended in 1987, to reflect development 
of integrated health care models and growing use of electronic means 
for exchanging patient information. At the same time, SAMHSA wished to 
maintain protections for (part 2) patient identifying information, as 
persons with substance use disorders still may encounter significant 
discrimination if their information is improperly disclosed.
    Elsewhere in this issue of the Federal Register SAMHSA published a 
final rule. In response to public comments, the final rule provides for 
greater flexibility in disclosing (part 2) patient identifying 
information within the health care system while continuing to address 
the privacy concerns of patients seeking treatment for a substance use 
disorder. SAMHSA received 376 comments on the NPRM. SAMHSA received a 
number of comments to the NPRM that went beyond what SAMHSA was 
proposing. Some commenters to the NPRM urged SAMHSA to clarify the 
scope of permitted disclosures of (part 2) patient identifying 
information by third-party payers. Some commenters asked that the 
current and proposed Qualified Service Organization (QSO) (part 2) 
patient identifying information disclosure provisions be applied to 
disclosures by third-party payers and other lawful holders of (part 2) 
patient identifying information to support health care operations and 
payment. Some commenters suggested doing this through the expansion of 
the definition of QSO. For instance, one commenter suggested that the 
definition of qualified service organization include ``lawful holders 
of [p]art 2 patient identifying information,'' stating that ACOs often 
engage analytics companies to provide support in identifying those 
high-risk patients who would benefit from care management and other 
services. Another commenter suggested expanding provisions concerning 
audits and evaluations to permit CMS to disclose (part 2) patient 
identifying information to ACOs and bundled payment participating 
entities for program audit and evaluation purposes. Others noted that 
QSOs themselves, as well as state Medicaid programs often use software 
vendors and other contractors, subcontractors, and legal 
representatives to carry out administrative and claims processing 
functions. A commenter further urged that the tasks that could be 
carried out under the QSO policies not only be broadened to include 
population health management activities but also ``clinical 
professional support services (e.g., quality improvement initiatives, 
utilization review and management services); third-party liability and 
coordination of benefit support services; activities related to 
preventing fraud, waste and abuse; and other activities and functions 
typically performed by contractors for or on behalf of third-party 
payers.''
    In developing the final rule, SAMHSA responded directly to several 
of these public comments about the NPRM. For instance, the ``To Whom'' 
discussion in the preamble to the final rule provides that: ``[f]or 
purposes of payment-related activities, to the extent that federal or 
state law authorizes or requires that the Medicaid or Medicare agency 
or program share data or enter into a contractual arrangement or other 
formal agreements to do so, written consent to disclose patient 
identifying information to the agencies or programs (as a third-party 
payer) under section 2.31(a)(4)(iii)(A) is considered to extend to the 
contractors, subcontractors, and legal representatives of the agencies 
or programs.'' SAMHSA discussed in the final rule preamble that a 
``lawful holder'' of (part 2) patient identifying information is an 
individual or entity who has received such information as the result of 
a part 2-compliant patient consent (with a prohibition on re-disclosure 
notice) or as permitted under the part 2 statute, regulations, or 
guidance and, therefore, is bound by 42 CFR part 2.
    One commenter indicated that state Medicaid agencies hire 
contractors for a wide array of ``administrative functions''; and that 
those contractors and vendors accessed (part 2) patient identifying 
information to carry out these activities. Other comments noted the 
role of third-parties in Medicaid program claims processing. Another 
commenter suggested that, given the role of MCOs, state Medicaid 
agencies and other programs, whether a patient designated the ``name of 
the state agency, the MCO or simply Medicaid, the rule should consider 
consent to apply to the State and its contracted delivery system.'' 
Another commenter similarly urged that ``In order to ensure that 
Medicaid programs can carry out its operational requirements, consent 
that names the Medicaid agency or the MCO should permit disclosure to 
the entity's contractors, when necessary.''
    With respect to lawful holders, certain commenters requested 
changes to or highlighted the need for additional guidance regarding 
how third-party payers may use and disclose (part 2) patient 
identifying information (as defined in 42 CFR 2.11) as they carry out 
their payment and health care operations. One commenter asked for 
explicit confirmation that Medicaid plans were allowed to process 
claims through a contracted entity (e.g., Medicaid managed care 
organizations (MCOs)). Similarly, another commenter recommended that 
the rule clarify that a patient's naming of the state agency, the MCO, 
or simply Medicaid were all adequate to consent to allowing the 
patient's information to be released to whichever entity actually 
conducted the required functions on behalf of the third-party payer. 
One commenter suggested that such payers should be viewed as 
intermediaries for purposes of sharing substance use disorder 
information with treating providers. Other commenters noted that 
Medicaid agencies and MCOs both require access to (part 2) patient 
identifying information for the purposes of payment. Another commenter 
discussed the history of the part 2 rules and asserted that the 
governing statute, 42 U.S.C. 290dd-2, does not require treating third-
party payers differently than other payers. The commenter further 
asserted that ``[e]ssentially all third-party payers contract with 
third parties to obtain services and perform activities that involve 
specialized expertise, equipment or other resources that the payer does 
not maintain in-house due to the associated administrative and other 
costs.''
    These comments, while not addressing specific changes proposed in 
the NPRM, have prompted SAMHSA to propose additional clarifications and 
modifications to the part 2 rules to clarify the scope of permissible 
disclosures. In an effort to address some of the commenters' requests 
and recommendations for clarity SAMHSA is concurrently issuing this 
SNPRM with the final rule to elicit public comment on these additional 
proposals to further clarify and expound upon these pertinent comments. 
We seek comment on our proposals regarding the following concepts and 
provisions: The payment and health care operations-related disclosures 
that can be made to contractors, subcontractors, and legal 
representatives by lawful holders under the part 2 rule consent 
provisions; and the provisions governing disclosures for purposes of 
carrying out a Medicaid, Medicare or Children's Health Insurance 
Program (CHIP) audit or evaluation. SAMHSA will take any such comments 
under consideration if it engages in further rulemaking in the future.

[[Page 5487]]

    SAMHSA will consider the public comments on this SNPRM, any 
relevant comments already received on these subjects in response to the 
February 9, 2016, NPRM and relevant comments made at the June 11, 2014 
listening session on part 2 (see 79 FR 26929) before issuing a final 
rule.

Proposed Provisions

    SAMHSA seeks comment on proposals in this SNPRM to retain the 
notice found in Sec.  2.32 but consider whether an abbreviated notice 
would be appropriate and in which circumstances, further revise Sec.  
2.33 (Disclosures permitted with written consent) define and limit the 
circumstances in which certain disclosures for the purposes of payment 
and health care operations can be made; and similarly to further revise 
Sec.  2.53 (Audit and Evaluation) to expressly address further 
disclosures by contractors, subcontractors, and legal representatives 
for purposes of carrying out a Medicaid, Medicare, or CHIP audit or 
evaluation. SAMHSA also seeks comment on its proposals regarding the 
establishment of appropriate restrictions and safeguards on lawful 
holders and their contractors, subcontractors, and legal 
representatives' use and disclosure of (part 2) patient identifying 
information for the purposes discussed in this SNPRM. SAMHSA is not 
soliciting comments on any other issues relating to the final rule and 
will not consider comments at this time that address changes to part 2 
other than those contemplated in this SNPRM.

Section 2.32 Prohibition on Re-Disclosure

    SAMHSA does not propose to substantively modify the existing notice 
at 2.32, but seeks comment on whether it should add a shorter 
abbreviated statement in subsection (a) Notice to accompany re-
disclosure to be used in certain circumstances (e.g., for particular 
types of disclosures or technical systems) where a shorter notice may 
be warranted. An abbreviated statement could read, for example, ``Data 
is subject to 42 CFR part 2. Use/disclose in conformance with part 2.''

Section 2.33 Disclosures Permitted With Written Consent

    SAMHSA understands that contractors, subcontractors, and legal 
representatives play an integral role in the management, delivery, and 
payment of health care services, but believes that limits should be 
placed on disclosures of (part 2) patient identifying information to 
such entities to carry out these activities. As such, SAMHSA seeks 
public comment on its proposal to explicitly list and limit under Sec.  
2.33(b), specific types of activities for which any lawful holder of 
(part 2) patient identifying information would be allowed to further 
disclose the minimal information necessary for specific payment and 
health care operations activities described below. While lawful holders 
may disclose (part 2) patient identifying information to contractors, 
subcontractors, and legal representatives for these purposes, this 
proposal makes clear the scope and requirements for those permitted 
disclosures. To the extent that a written consent permits the use of 
part 2 patient identifying information for payment or healthcare 
operations, this provision at Sec.  2.33(b) specifies that the further 
disclosures specified below can be made. SAMHSA notes that this list of 
activities related to payment and health care operation is similar to 
the HIPAA Privacy Rule's definition of the terms ``payment'' and 
``health care operations,'' although SAMHSA is not adopting those 
definitions in their entirety. The payment and health care operation 
activities listed in this section does not include activities that 
SAMHSA considers to be related to the patient's diagnosis, treatment, 
or referral for treatment. SAMHSA believes it is important to maintain 
patient choice in disclosing information to health care providers with 
whom they will have direct contact. For these reasons, this provision 
will not cover care coordination or case management and the proposal 
provides that disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes are not permitted under 
this section. SAMHSA will consider certain payment or health care 
operations-related activities permissible for lawful holders to 
disclose to contractors, subcontractors, or legal representatives as 
long as the activities fit within the overall purpose of the written 
consent. See paragraphs (b)(1) through (17) of Sec.  2.33
    SAMHSA also solicits comment on whether the proposed listing of 
explicitly permitted activities is adequate and appropriate to ensure 
the health care industry's ability to conduct necessary payment and the 
described health care operational functions, while still affording 
adequate privacy protections for the individuals who were diagnosed, 
treated, or referred for treatment. We note that contractors, 
subcontractors, and legal representatives that would receive data under 
this provision would become lawful holders upon receipt of such data, 
and, as such, would themselves be subject to the part 2 requirements. 
Moreover, consent would still be required and disclosures must be made 
in accordance with section 2.13(a), Confidentiality restrictions and 
safeguards, which states that ``[a]ny disclosure made under these 
regulations must be limited to that information which is necessary to 
carry out the purpose of the disclosure.'' Consequently, the stated 
purpose of a written consent limits the scope of the disclosures with 
respect to the (part 2) patient identifying information disclosed. In 
addition, lawful holders that disclose (part 2) patient identifying 
information to contractors, subcontractors, and legal representatives 
for payment and the described health care operations may only disclose 
(part 2) patient identifying information to contractors, 
subcontractors, and legal representatives that perform a function that 
is consistent with the stated purpose of the consent and only to 
perform that function. SAMHSA seeks comments on the proper mechanisms 
to convey the scope of the consent to lawful holders, contractors, 
subcontractors, and legal representatives, including those who are 
downstream recipients of (part 2) patient identifying information given 
current electronic data exchange technical designs.
    SAMHSA also believes that it is critical that contractors, 
subcontractors, and legal representatives understand their obligations 
with respect to (part 2) patient identifying information. Accordingly, 
SAMHSA proposes new regulatory text under Sec.  2.33(c) requiring that 
lawful holders that engage contractors and subcontractors to carry out 
payment and the described health care operations that will entail using 
or disclosing (part 2) patient identifying information include specific 
contract and subcontract provisions requiring contractors and 
subcontractors to comply with the provisions of part 2. An appropriate 
comparable instrument will suffice in cases where there is otherwise no 
contract between the lawful holder and a legal representative who is 
retained voluntarily (as opposed to one who is required to represent 
the lawful holder by law, in which case the requirement for a contract 
or comparable instrument in 2.33(c) shall not apply). SAMHSA proposes 
to amend subsection (b) and add a new subsection (c) to the disclosure 
permitted with written consent provisions at Sec.  2.33. SAMHSA seeks 
comment on the proposal to revise

[[Page 5488]]

disclosures permitted with written consent provision in Sec.  2.33.

Section 2.53 Audit and Evaluation

    SAMHSA recognized in the final rule the critical importance of 
audits and evaluations. Accordingly, SAMHSA made clear that disclosures 
of patient identifying information to ACO's and similar CMS-regulated 
entities to carry out Medicare, Medicaid and Children's Health 
Insurance Program (CHIP) audit and evaluation activities are permitted.
    However, public comments requested further specification regarding 
the permitted disclosures of (part 2) patient identifying information 
for audit and evaluation purposes. Public commenters noted that, as 
with other payment and health care operations, contractors, 
subcontractors, and legal representatives may be tasked with conducting 
audit and evaluation activities. Such entities may not be CMS-
regulated, and may be conducted for private payers as well as Medicare 
and Medicaid programs. In addition, commenters noted that audits and 
evaluations may include quality improvement activities, as well as 
efforts related to reimbursement and financing. As such, SAMHSA 
proposes further amendment as set out in the regulatory text of section 
2.53.

Request for Public Comments

    SAMHSA believes that the new proposals and clarifications discussed 
above will provide the desired solutions and understanding sought by 
commenters to the NPRM, while also offering patient protections 
appropriate to the current health care environment.
    In making these proposals, SAMHSA notes that such payment and the 
described health care operations and audit and evaluation functions 
will still be governed by other applicable laws and regulations, such 
as the HIPAA Privacy and Security Rules, in addition to 42 CFR part 2.
    SAMHSA notes that the fact that lawful holders and part 2 programs 
are permitted to disclose data in no way obviates the overarching 
purpose of part 2: to protect (part 2) patient identifying information 
for patients seeking diagnosis, treatment, or referral for treatment 
for substance use disorders. Lawful holders and part 2 programs have 
responsibility to exercise due diligence with respect to their 
contractors, subcontractors, or legal representatives to whom they 
disclose or with whom they exchange (part 2) patient identifying 
information. Should the changes in this SNPRM be adopted, SAMHSA 
anticipates issuing further guidance about these topics.
    SAMHSA seeks specific comment on the implications of these proposed 
changes on the privacy and confidentiality of records concerning 
substance use disorder diagnosis, prognosis and treatment, and referral 
for treatment and overall goals of the part 2 rules, and the regulatory 
and financial impact, if any, of these proposals.
    SAMHSA also seeks comments on the following for its consideration 
in future rulemaking and guidance:
    (1) Additional purposes for which lawful holders should be able to 
disclose (part 2) patient identifying information,
    (2) Further subregulatory guidance that SAMHSA and other agencies 
could provide to help facilitate implementation of 42 CFR part 2 in the 
current healthcare environment.

Regulatory Impact Analysis (RIA)

    In this SNPRM, SAMHSA proposes clarifications and revisions of the 
following: The disclosures permitted with written consent (Sec.  2.33), 
the payment and health care operations activities for which lawful 
holders may disclose (part 2) patient identifying information to their 
contractors, subcontractors, and legal representatives; and the audit 
and evaluation provision that permit certain disclosures for purposes 
of carrying out a Medicaid, Medicare or CHIP audit and evaluation 
(Sec.  2.53).
    SAMHSA has analyzed the costs of complying with the proposed 
regulations in this supplemental NPRM. SAMHSA does not believe these 
revisions, if ultimately adopted, will result in any additional costs 
to Part 2 programs. Based on public comments, SAMHSA anticipates that 
these modifications will enhance efficiency of such payment and health 
care operations as claims processing, business management, training and 
customer service. The proposal specifies that lawful holders who 
receive part 2 records under the terms of a patient's written consent 
are permitted to further disclose those records to their contractors, 
subcontractors, and legal representatives to carry out payment and 
certain health care operations described in the SNPRM. When information 
is shared with contractors, subcontractors, and legal representatives, 
contract and subcontract provisions (or provisions in an appropriate 
comparable instrument in the case of certain legal representatives) 
must be included requiring these entities to comply with the provisions 
of part 2. Changes proposed to the audit and evaluation provisions will 
make clear that the individual or entity receiving (part 2) patient 
identifying information for audit and evaluation or quality improvement 
purposes is permitted to further disclose this information to 
contractor(s) or subcontractor(s) to complete these activities. Should 
these proposals ultimately be adopted, SAMHSA does not anticipate 
entities will incur any additional costs beyond those analyzed in the 
Final Rule. Nonetheless, SAMHSA seeks comments on costs and benefits of 
this change for part 2 programs and any burdens these proposed changes 
may impose on regulated entities.
    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 60-day notice in the Federal Register and solicit 
public comment before a collection of information requirement is 
submitted to the Office of Management and Budget (OMB) for review and 
approval. PRA issues are discussed in the final rule. SAMHSA 
anticipates no substantive changes in PRA requirements should changes 
proposed in the SNPRM be adopted. SAMHSA seeks and will consider public 
comment on our assumptions as they relate to the PRA requirements.
    SAMHSA has examined the impact of this proposed rule under 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act of 1980 (Pub. 
L. 96-354, September 19, 1980), the Unfunded Mandates Reform Act of 
1995 (Pub. L. 104-4, March 22, 1995), and Executive Order 13132 on 
Federalism (August 4, 1999).
    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health, and safety 
effects; distributive impacts; and equity). Executive Order 13563 is 
supplemental to and reaffirms the principles, structures, and 
definitions governing regulatory review as established in Executive 
Order 12866. SAMHSA expects that the changes proposed in this SNPRM, if 
adopted, will not have an annual effect on the economy of $100 million 
or more in at least 1 year. Therefore, this rule will not be an 
economically significant regulatory action as defined by Executive 
Order 12866.
    The Regulatory Flexibility Act (RFA) requires agencies that issue a 
regulation to analyze options for regulatory relief of small businesses 
if a rule has a

[[Page 5489]]

significant impact on a substantial number of small entities. The RFA 
generally defines a ``small entity'' as (1) a proprietary firm meeting 
the size standards of the Small Business Administration; (2) a 
nonprofit organization that is not dominant in its field; or (3) a 
small government jurisdiction with a population of less than 50,000 
(States and individuals are not included in the definition of ``small 
entity''). For similar rules, HHS considers a rule to have a 
significant economic impact on a substantial number of small entities 
if at least 5 percent of small entities experience an impact of more 
than 3 percent of revenue. SAMHSA anticipates that the proposals in 
this SNPRM, if adopted, will not have a significant economic impact on 
a substantial number of small entities.
    Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires 
that agencies prepare a written statement, which includes an assessment 
of anticipated costs and benefits, before proposing ``any rule that 
includes any Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100,000,000 or more (adjusted annually for 
inflation) in any one year.'' The current threshold after adjustment 
for inflation is $146 million, using the most current (2015) implicit 
price deflator for the gross domestic product. The proposals in this 
SNPRM, if adopted, would not trigger the Unfunded Mandate Reform Act 
because it will not result in expenditures of this magnitude by states 
or other government entities.

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health, 
Health records, Privacy, Reporting, and Recordkeeping requirements.
    For the reasons stated in the preamble, SAMHSA proposes to amend 42 
CFR part 2 as follows:

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

0
1. The authority citation for part 2 continues to read as follows:

    Authority: Sec. 408 of Pub. L. 92-255, 86 Stat. 79, as amended 
by sec. 303(a), (b) of Pub L. 93-282, 83 Stat. 137, 138; sec. 
4(c)(5)(A) of Pub. L. 94-237, 90 Stat. 244; sec. 111(c)(3) of Pub. 
L. 94-581, 90 Stat. 2852; sec. 509 of Pub. L. 96-88, 93 Stat. 695; 
sec. 973(d) of Pub. L. 97-35, 95 Stat. 598; and transferred to sec. 
527 of the Public Health Service Act by sec. 2(b)(16)(B) of Pub. L. 
98-24, 97 Stat. 182 and as amended by sec. 106 of Pub. L. 99-401, 
100 Stat. 907 (42 U.S.C. 290ee-3) and sec. 333 of Pub. L. 91-616, 84 
Stat. 1853, as amended by sec. 122(a) of Pub. L. 93-282, 88 Stat. 
131; and sec. 111(c)(4) of Pub. L. 94-581, 90 Stat. 2852 and 
transferred to sec. 523 of the Public Health Service Act by sec. 
2(b)(13) of Pub. L. 98-24, 97 Stat. 181 and as amended by sec. 106 
of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290dd-3), as amended by 
sec. 131 of Pub. L. 102-321, 106 Stat. 368, (42 U.S.C. 290dd-2).

Subpart B--General Provisions

0
2. Revise Sec.  2.33 to read as follows:


Sec.  2.33  Disclosures permitted with written consent.

    (a) If a patient consents to a disclosure of their records under 
Sec.  2.31, a program may disclose those records in accordance with 
that consent to any person or category of persons identified or general 
designated in the consent, except that disclosures to central 
registries and in connection with criminal justice referrals must meet 
the requirements of Sec. Sec.  2.34 and 2.35, respectively.
    (b) If a patient consents to a disclosure of their records under 
Sec.  2.31 for payment and/or health care operations activities, a 
lawful holder who receives such records under the terms of the written 
consent may further disclose those records as may be necessary for its 
contractors, subcontractors, or legal representatives to carry out 
payment and/or the following health care operations on behalf of such 
lawful holder. Disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes are not permitted under 
this section. In accordance with Sec.  2.13(a), disclosures under this 
section must be limited to that information which is necessary to carry 
out the stated purpose of the disclosure.
    (1) Billing, claims management, collections activities, obtaining 
payment under a contract for reinsurance, claims filing and related 
health care data processing;
    (2) Clinical professional support services (e.g., quality 
assessment and improvement; initiatives, utilization review and 
management services);
    (3) Patient safety activities;
    (4) Activities pertaining to:
    (i) The training of student trainees and health care professionals;
    (ii) The assessment of practitioner competencies; and
    (iii) The assessment of provider and/or health plan performance;
    (iv) Training of non-health care professionals;
    (5) Accreditation, certification, licensing, or credentialing 
activities;
    (6) Underwriting, enrollment, premium rating, and other activities 
related to the creation, renewal, or replacement of a contract of 
health insurance or health benefits, and ceding, securing, or placing a 
contract for reinsurance of risk relating to claims for health care;
    (7) Third-party liability coverage;
    (8) Activities related to addressing fraud, waste and abuse;
    (9) Conducting or arranging for medical review, legal services, and 
auditing functions;
    (10) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
    (11) Business management and general administrative activities, 
including, but not limited to, management activities relating to 
implementation of and compliance with the requirements of this or other 
statutes or regulations;
    (12) Customer services, including the provision of data analyses 
for policy holders, plan sponsors, or other customers;
    (13) Resolution of internal grievances;
    (14) The sale, transfer, merger, consolidation, or dissolution of 
an organization;
    (15) Determinations of eligibility or coverage (e.g. coordination 
of benefit services or the determination of cost sharing amounts), and 
adjudication or subrogation of health benefit claims;
    (16) Risk adjusting amounts due based on enrollee health status and 
demographic characteristics;
    (17) Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges.
    (c) Lawful holders who wish to disclose patient identifying 
information pursuant to subsection (b) of this section must enter into 
a written contract with the contractor (or appropriate comparable 
instrument in the case of a legal representative retained voluntarily 
by the lawful holder), which provides that the contractor and any 
subcontractor or legal representative are or will be fully bound by the 
provisions of part 2 upon receipt of the patient identifying data, and, 
as such that each disclosure shall be accompanied by the notice 
required under Sec.  2.32. In making such disclosure, the lawful holder 
should specify permitted uses of patient identifying information 
consistent with the written consent, by the contractor and any 
subcontractors or legal

[[Page 5490]]

representatives to carry out the payment and health care operations 
activities listed in the preceding subparagraph, require such 
recipients to implement appropriate safeguards to prevent unauthorized 
uses and disclosures and require such recipients to report any 
unauthorized uses, disclosures, or breaches of patient identifying 
information to the lawful holder. The lawful holder should only 
disclose information to the contractor or subcontractor or legal 
representative that is necessary for the contractor or subcontractor to 
perform its duties under the contract. Also, the contract does not 
permit a contractor or subcontractor or legal representative to re-
disclose information to a third party unless that third party is a 
contract agent of the contractor or subcontractor, helping them provide 
services described in the contract, and only as long as the agent only 
further discloses the information back to the contractor or lawful 
holder from which the information originated.
0
3. Amend Sec.  2.53 by:
0
a. Revising paragraph (a)(1)(i).
0
b. Revising paragraphs (b)(2)(i) and (ii).
0
c. Revising paragraph (c)(5).
    The revisions and addition read as follows:


Sec.  2.53  Audit and evaluation.

    (a) * * *
    (1) * * *
    (i) Any Federal, State, or local governmental agency which provides 
financial assistance to the program or is authorized by law to regulate 
the activities of the part 2 program or those of the lawful holder;
* * * * *
    (b) * * *
    (2) * * *
    (i) Any federal, state, or local governmental agency which provides 
financial assistance to the program or is authorized by law to regulate 
the activities of the part 2 program or those of the lawful holder; or
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program, which is a third-party payer covering patients 
in the part 2 program, or which is a quality improvement organization 
performing a utilization or quality control review, or such 
individual's or entity's or quality improvement organization's 
contractors, subcontractors, or legal representatives.
* * * * *
    (c) * * *
    (5) If a disclosure to an individual or entity is authorized under 
this section for a Medicare, Medicaid, or CHIP audit or evaluation, 
including a civil investigation or administrative remedy, as those 
terms are used in paragraph (c)(2) of this section, the individual or 
entity may further disclose the patient identifying information that is 
received for such purposes to its contractor(s) or subcontractor(s) to 
carry out the audit or evaluation, and a quality improvement 
organization which obtains such information under paragraph (a) or (b) 
of this section may disclose the information to that individual or 
entity (or, to such individual's or entity's contractors, 
subcontractors, or legal representatives, but only for the purposes of 
this section.
* * * * *

    Dated: January 5, 2017.
Kana Enomoto,
Acting Deputy Assistant Secretary for Mental Health and Substance Use.
    Approved:
Sylvia M. Burwell,
Secretary.
[FR Doc. 2017-00742 Filed 1-13-17; 11:15 am]
 BILLING CODE 4162-20-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.