Confidentiality of Substance Use Disorder Patient Records, 44568-44589 [2019-17817]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 84, Number 165 (Monday, August 26, 2019)]
[Proposed Rules]
[Pages 44568-44589]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-17817]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-AA32


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration 
(SAMHSA), U.S. Department of Health and Human Services (HHS).

ACTION: Notice of proposed rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: This notice of proposed rulemaking proposes changes to the 
Confidentiality of Substance Use Disorder Patient Records regulations. 
These proposals were prompted by the need to continue aligning the 
regulations with advances in the U.S. health care delivery system, 
while retaining important privacy protections for individuals seeking 
treatment for substance use disorders (SUDs). SAMHSA strives to 
facilitate information exchange for safe and effective substance use 
disorder care, while addressing the legitimate privacy concerns of 
patients seeking treatment for a substance use disorder. Within the 
constraints of the statute, these proposals are also an effort to make 
the regulations more understandable and less burdensome.

DATES: To be assured consideration, comments must be received at one of 
the addresses provided below, no later than 5 p.m. on October 25, 2019.

ADDRESSES: In commenting, please refer to file code SAMHSA 4162-20. 
Because of staff and resource limitations, we cannot accept comments by 
facsimile (FAX) transmission.
    You may submit comments in one of four ways (to avoid duplication, 
please submit your comments in only one of the ways listed):
    1. Electronically. Federal eRulemaking Portal. You may submit 
comments electronically to https://www.regulations.gov. Follow the 
``Submit a comment'' instructions.
    2. By regular mail. Written comments mailed by regular mail must be 
sent to the following address ONLY: The Substance Abuse and Mental 
Health Services Administration, Department of Health and Human 
Services, Attention: SAMHSA--Deepa Avula, 5600 Fishers Lane, Room 
17E41, Rockville, MD 20857.
    Please allow sufficient time for mailed comments to be received 
before the close of the comment period.
    3. By express or overnight mail. Written comments sent by express 
or overnight mail must be sent to the following address ONLY:
    The Substance Abuse and Mental Health Services Administration, 
Department of Health and Human Services, Attention: SAMHSA--Deepa 
Avula, 5600 Fishers Lane, Room 17E41, Rockville, MD 20857.
    4. By hand or courier. Written comments delivered by hand or 
courier must be delivered to the following address ONLY: The Substance 
Abuse and Mental Health Services Administration, Department of Health 
and Human Services, Attention: SAMHSA--Deepa Avula, 5600 Fishers Lane, 
Room 17E41, Rockville, MD 20857.
    For information on viewing public comments, see the beginning of 
the SUPPLEMENTARY INFORMATION section.

FOR FURTHER INFORMATION CONTACT: Ms. Deepa Avula, (240) 276-2542.

SUPPLEMENTARY INFORMATION: 
    Inspection of Public Comments: All comments received before the 
close of the comment period are available for viewing by the public, 
including any personally identifiable or confidential business 
information that is included in a comment. We post all comments 
received before the close of the comment period on the following 
website as soon as possible after they have been received: https://www.regulations.gov. Follow the search instructions on that website to 
view public comments.

Table of Contents

I. Background
II. Overview of the Proposed Regulations
III. Provisions of the Proposed Rule
    A. Definitions (Sec.  2.11)
    B. Applicability (Sec.  2.12)
    C. Consent Requirements (Sec.  2.31)
    D. Prohibition on Re-disclosure (Sec.  2.32)
    E. Disclosures Permitted with Written Consent (Sec.  2.33)
    F. Disclosures to Prevent Multiple Enrollments (Sec.  2.34)
    G. Disclosures to Prescription Drug Monitoring Programs (Sec.  
2.36)
    H. Medical Emergencies (Sec.  2.51)
    I. Research (Sec.  2.52)
    J. Audit and Evaluation (Sec.  2.53)
    K. Orders Authorizing the Use of Undercover Agents and 
Informants (Sec.  2.67)
IV. Collection of Information Requirements
V. Response to Comments
VI. Regulatory Impact Analysis
    A. Statement of Need
    B. Overall Impact
    C. Alternatives Considered
    D. Conclusion

Acronyms

ADAMHA Alcohol, Drug Abuse, and Mental Health Administration

[[Page 44569]]

CFR Code of Federal Regulations
DEA Drug Enforcement Agency
DOJ Department of Justice
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
FAX Facsimile
FDA Food and Drug Administration
FEMA Federal Emergency Management Agency
FR Federal Register
HHS Department of Health and Human Services
HIPAA Health Insurance Portability and Accountability Act of 1996
HIE Health Information Exchange
NPRM Notice of Proposed Rulemaking
ONC Office of the National Coordinator for Health Information 
Technology
OTP Opioid Treatment Program
OUD Opioid Use Disorder
PDMP Prescription Drug Monitoring Program
SAMHSA Substance Abuse and Mental Health Services Administration
SNPRM Supplemental Notice of Proposed Rulemaking
SUD Substance Use Disorder
U.S.C. United States Code

I. Background

    The Confidentiality of Substance Use Disorder Patient Records 
regulations (42 CFR part 2) implement section 543 of the Public Health 
Service Act, 42 United States Code (U.S.C.) 290dd-2, as amended by 
section 131 of the Alcohol, Drug Abuse and Mental Health Administration 
Reorganization Act (ADAMHA Reorganization Act), Public Law, 102-321 
(July 10, 1992). The regulations were originally issued to prevent 
access to patient records for the treatment of substance use disorder, 
in a time when there was not broader privacy and data security standard 
for health data Under the regulations, a ``substance use disorder'' is 
a defined term, which refers to a cluster of cognitive, behavioral, and 
physiological symptoms indicating that an individual continues using a 
substance despite significant substance-related problems such as 
impaired control, social impairment, risky use, and pharmacological 
tolerance and withdrawal. For the purposes of part 2, this definition 
does not include tobacco or caffeine use.
    The regulations were first promulgated as a final rule in 1975 (40 
FR 27802) and amended thereafter in 1987 (52 FR 21796) and 1995 (60 FR 
22296). On February 9, 2016, SAMHSA published a notice of proposed 
rulemaking (NPRM) (81 FR 6988) (the ``2016 proposed rule''), inviting 
comment on proposals to update the regulations, to reflect the 
development of integrated health care models and the growing use of 
electronic platforms to exchange patient information, as well as the 
breadth of laws and regulatory actions implemented since 1975, that 
more broadly protect patient data, as patients and as consumers. At the 
same time, consistent with the statute, we (note that throughout this 
proposed rule, ``we'' refers to SAMHSA) wished to preserve 
confidentiality protections it establishes for patient identifying 
information from covered programs because persons with substance use 
disorders may encounter significant discrimination or experience other 
negative consequences if their information is improperly disclosed.
    In response to public comments, on January 18, 2017, SAMHSA 
published a final rule (82 FR 6052) (the ``2017 final rule''), 
providing for greater flexibility in disclosing patient identifying 
information within the health care system, while continuing to protect 
the confidentiality of substance use disorder patient records. SAMHSA 
concurrently issued a supplemental notice of proposed rulemaking 
(SNPRM) (82 FR 5485) (the ``2017 proposed rule'') to solicit public 
comment on additional proposals. In response to public comments, SAMHSA 
subsequently published a final rule on January 3, 2018 (83 FR 239) (the 
``2018 final rule'') that provided greater clarity regarding payment, 
health care operations, and audit or evaluation-related disclosures, 
and provided language for an abbreviated prohibition on re-disclosure 
notice.
    In both the 2017 and 2018 final rules, SAMHSA signaled its intent 
to continue to monitor implementation of 42 CFR part 2, and to explore 
potential future rulemaking to better address the complexities of 
health information technology, patient privacy, and interoperability, 
within the constraints of the statute. The emergence of the opioid 
crisis, with its catastrophic impact on individuals, families, and 
caregivers, and corresponding clinical and safety challenges for 
providers, has highlighted the need for thoughtful updates to 42 CFR 
part 2. The laws and regulations governing the confidentiality of 
substance abuse records were originally written out of concern for the 
potential for misuse of those records against patients in treatment for 
a SUD, thereby undermining trust and leading individuals with substance 
use disorders not to seek treatment. As observed in the 1983 proposed 
rule, the purpose of 42 CFR part 2 is to ensure that patients receiving 
treatment for a substance use disorder in a part 2 program ``are not 
made more vulnerable to investigation or prosecution because of their 
association with a treatment program than they would be if they had not 
sought treatment'' (48 FR 38763).
    In recent years, the devastating consequences of the opioid crisis 
have resulted in an unprecedented spike in overdose deaths related to 
both prescription and illegal opioids including heroin and fentanyl,\1\ 
as well as correspondingly greater pressures on the SUD treatment 
system, and heightened demand for SUD treatment services. This proposed 
rule proposes changes to the regulation that SAMHSA believes would 
better align with the needs of individuals with SUD and of those who 
treat these patients in need, and help facilitate the provision of 
well-coordinated care, as while ensuring appropriate confidentiality 
protection for persons in treatment through part 2 programs.
---------------------------------------------------------------------------

    \1\ Recent statistics published by the Centers for Disease 
Control and Prevention reflect a spike in the rate of opioid-related 
overdose deaths in recent years. See https://www.cdc.gov/mmwr/volumes/67/wr/mm675152e1.htm?s_cid=mm675152e1_w.
---------------------------------------------------------------------------

II. Overview of the Proposed Regulations

    Balancing the concerns noted above, SAMHSA proposes several changes 
to the regulations at 42 CFR part 2 (part 2). First, we propose to 
amend language throughout the regulation to clarify several aspects of 
the applicability and disclosure requirements. Specifically, in Section 
III.B., Applicability, SAMHSA proposes to amend Sec.  2.12 to clearly 
state in the regulatory text that the recording of information about a 
SUD and its treatment by a non-part 2 entity does not, by itself, 
render a medical record subject to the restrictions of 42 CFR part 2, 
provided that the non-part 2 entity segregates any specific SUD records 
received from a part 2 program (either directly, or through another 
lawful holder). SAMHSA believes this proposed language would encourage 
part 2 programs and non-part 2 providers to deliver better and safer 
coordinated care, while also protecting the confidentiality of 
individuals seeking such care. SAMHSA explains this proposal more fully 
in Section III.B.
    In addition, SAMHSA proposes several changes to 42 CFR part 2, 
consistent with the proposed policy described above. Specifically, in 
Section III.A., Definitions, we propose to amend and clarify the 
definition of ``Records'' in Sec.  2.11, in a manner that aligns with 
the proposed revision to Sec.  2.12 described above. And in Section 
III.D., Prohibition on Re-disclosure, SAMHSA proposes to amend the 
standard written notice in Sec.  2.32, to clarify the disclosure and 
re-disclosure limits under 42 CFR part 2.

[[Page 44570]]

    Additionally, SAMHSA seeks to reduce barriers to care coordination 
for patients with SUD, in Section III.F., Disclosure to Prevent 
Multiple Enrollments, by proposing to amend Sec.  2.34 to allow non-
opioid treatment providers (e.g., non-part 2 providers who nevertheless 
manage care for patients with SUD from time to time) to access central 
registries. In Section III.G., Disclosure to Prescription Drug 
Monitoring Programs, SAMHSA proposes to add new Sec.  2.36 to permit 
opioid treatment programs (OTPs) to disclose dispensing and prescribing 
data, as required by applicable state law, to prescription drug 
monitoring programs (PDMPs), subject to patient consent. As noted 
above, patient safety is of paramount importance, and many drugs 
prescribed and dispensed by non-OTPs could have life-threatening and 
even deadly consequences if not properly coordinated with those 
prescribed and dispensed by OTPs. Therefore, SAMHSA believes it 
necessary for both OTPs and non-OTPs to report, and to access, 
prescription drug records in central registries and PDMPs, and to 
monitor dosing accordingly.
    SAMHSA also makes several proposals that specifically decrease 
burden for patients accessing care, without compromising patient 
confidentiality. First, in Section III.C., Consent Requirements, SAMHSA 
proposes to amend Sec.  2.31, to allow patients to consent to the 
disclosure of their information to a wide range of entities, without 
naming the specific individual receiving this information on behalf of 
a given entity; special instructions would apply with respect to 
consents for disclosure of information to information exchanges and 
research institutions. We believe this proposal would give patients the 
ability to apply for and access federal, state, and local resources and 
benefits more easily, (e.g., social security benefits; local sober 
living or halfway house programs). Second, in Section III.H., Medical 
Emergencies, SAMHSA proposes to amend to Sec.  2.51 to allow disclosure 
of patient information to another part 2 program or other SUD treatment 
provider during State or Federally declared natural and major 
disasters. SAMHSA believes this proposal would reduce the burden of 
disclosure requirements both for patients to receive, and for 
clinicians to provide, care that may not be otherwise feasible during 
natural and major disasters, ensuring that patients can continue to 
receive on-going and appropriate care.
    In Section III.E., Disclosures Permitted with Written Consent, 
SAMHSA proposes amendments to Sec.  2.33 to expressly allow disclosure 
to specified entities and individuals for 17 types of payment and 
health care operational activities. Although SAMHSA believes these 
activities were already permitted by the regulation, we have received 
feedback from stakeholders that there remains some confusion on these 
points. Therefore, we believe it necessary to more clearly state this 
regulatory permission in the regulatory text, to avoid any further 
confusion. SAMHSA also proposes amendments to Sec.  2.53 (Audit and 
Evaluation) together with clarifying guidance, under Section III.J. The 
amendments to Sec.  2.53 would help to resolve confusion about 
permitted types of disclosures to and from federal, state and local 
governmental agencies and to and from third-party payers, for the 
purpose of audit and evaluation, among other changes. They would also 
allow patient identifying information to be disclosed to federal, 
state, and local agencies, and the contractors, subcontractors, and 
legal representatives of such agencies in the course of conducting 
audits or evaluations mandated by statute or regulation, if those 
audits or evaluations cannot be carried out using de-identified 
information. Likewise, in section III.I., Research, SAMHSA proposes to 
allow research disclosures of part 2 patient data by a HIPAA covered 
entity to individuals and organizations who are neither HIPAA covered 
entities, nor subject to the Common Rule, for the purpose of conducting 
scientific research. SAMHSA believes this change will better align the 
requirements of part 2, the Common Rule, and the Privacy Rule around 
the conduct of research on human subjects, and will help to streamline 
duplicative requirements for research disclosures under part 2 and the 
Privacy Rule in some instances. SAMHSA is also proposing to amend 
section Sec.  2.52 (Research) to clarify that research disclosures may 
be made to members of the workforce of a HIPAA covered entity for 
purposes of employer-sponsored research, as well as to permit research 
disclosures to recipients who are covered by FDA regulations for the 
protection of human subjects in clinical investigations (at 21 CFR part 
50).
    In Section III.K., Orders Authorizing Use of Undercover Agents and 
Informants, SAMHSA proposes to revise our policies in Sec.  2.67 for 
the placement of undercover agents and informants within a part 2 
program, to provide more clarity regarding the permitted time period 
for placement pursuant to court order.
    Finally, SAMHSA provides the following guidance on how employees, 
volunteers and trainees of part 2 facilities should handle 
communications using personal devices and accounts, especially in 
relation to Sec.  2.19 concerning disposition of records by 
discontinued programs. In Sec.  2.11, the current regulation defines 
``Records'' to include information relating to a patient that could 
include email and texts. In Sec.  2.19, the regulation codifies the 
requirements for disposition of records from a discontinued part 2 
program. These requirements state that records which are electronic 
must be ``sanitized'' within one year of the discontinuation of the 
part 2 program. This sanitization must render the patient identifying 
information non-retrievable in accordance with Sec.  2.16 (security for 
records). Read together, current Sec. Sec.  2.11, 2.16, and 2.19 could 
be interpreted to mean that, if an individual working in a part 2 
program receives a text or email from a patient on his or her personal 
phone which he or she does not use in the regular course of their 
employment in the part 2 program, and this part 2 program is 
discontinued, the personal device may need to be sanitized. Depending 
on the policies and procedures of the part 2 program, this sanitization 
may render the device no longer useable to that individual. SAMHSA 
clarifies that this interpretation is not the intent of the 
regulations.
    Although SAMHSA does not encourage patient communication through 
personal email and cell phones, it recognizes that patients may make 
contact through the personal devices or accounts of an employee (or 
volunteer or trainee) of a part 2 program, even if the employee (or 
volunteer or trainee) does not use such device or account in the 
regular course of their employment in the part 2 program. In such 
instances, SAMHSA wishes neither to convey that these devices become 
part of the part 2 record, nor that, if the part 2 program is 
discontinued, these devices must be sanitized. Instead, SAMHSA 
clarifies that, in the case that patient contact is made through an 
employee's (or volunteer's or trainee's) personal email or cell phone 
account which he or she does not use in the regular course of business 
for that part 2 program, the employee should immediately delete this 
information from his or her personal account and only respond via an 
authorized channel provided by the part 2 program, unless responding 
directly from the employee's account is required in order to protect 
the best interest of the patient. If the email or

[[Page 44571]]

text contains patient identifying information, the employee should 
forward this information to such authorized channel and then delete the 
email or text from any personal account. These authorized channels are 
then subject to the normal standards of sanitization under Sec. Sec.  
2.16 and 2.19 and any other applicable federal and state laws. SAMHSA 
believes that this process will both protect the employee's personal 
property and the confidentiality of the patient's records if the 
patient makes such unauthorized contact.

III. Provisions of the Proposed Rule

A. Definitions (Sec.  2.11)

    In the current regulation, ``Records'' is defined to mean ``any 
information, whether recorded or not, created by, received, or acquired 
by a part 2 program relating to a patient.'' In the 2017 final rule, 
SAMHSA noted that some commenters expressed confusion regarding what is 
considered unrecorded information (82 FR 6068); it, therefore, added 
parenthetical examples in an effort to clarify. But with the exception 
of these parenthetical examples, the basic definition for ``records'' 
under part 2 has remained the same since the 1987 final rule.
    In a subsequent section of this proposed rule (III.B.) on 
``Applicability'' (at Sec.  2.12), SAMHSA discusses a proposed change 
to the restriction on disclosures under part 2, which would serve to 
clarify some record-keeping activities of non-part 2 providers that 
fall outside the scope of 42 CFR part 2. As explained in section 
III.B., the proposed change is needed to facilitate communication and 
coordination between part 2 programs and non-part 2 providers, and to 
ensure that appropriate communications are not hampered by fear among 
non-part 2 providers of inadvertently violating part 2, as a result of 
receiving and reading a protected SUD patient record and then providing 
care to the patient.
    SAMHSA proposes here to make a conforming amendment to the Sec.  
2.11 definition of ``records,'' by adding, at the end of the first 
sentence of the definition, the phrase, ``provided, however, that 
information conveyed orally by a part 2 program to a non-part 2 
provider for treatment purposes with the consent of the patient does 
not become a record subject to this part in the possession of the non-
part 2 provider merely because that information is reduced to writing 
by that non-part 2 provider. Records otherwise transmitted by a part 2 
program to a non-part 2 provider retain their characteristic as a 
``record'' subject to this part in the possession of the non-part 2 
provider, but may be segregated by that provider.''
    The effect of this proposed amendment would be to incorporate a 
very limited exception to the definition of ``records,'' such that a 
non-part 2 provider who orally receives a protected SUD record from a 
part 2 program may subsequently engage in an independent conversation 
with her patient, informed by her discussion with the part 2 provider, 
and record SUD information received from the part 2 program or the 
patient, without fear that her own records thereafter would become 
covered by part 2. As discussed below in the proposed revisions to the 
``Applicability'' section of part 2 (at Sec.  2.12), the intent of 
these proposed clarifications is to better facilitate coordination of 
care between non-part 2 providers and part 2 programs, and to resolve 
lingering confusion among non-part 2 providers about when and how they 
can capture SUD patient care information in their own records, without 
fear of those records being subject to the confidentiality requirements 
of part 2.

B. Applicability (Sec.  2.12)

    In the 1987 final rule, SAMHSA broadly established that the 
restrictions on disclosure under 42 CFR part 2 would apply to any 
alcohol and drug abuse information obtained by a federally assisted 
alcohol or drug abuse program. As explained in 1987, by limiting the 
applicability of 42 CFR part 2 to specialized programs--that is, to 
those programs that hold themselves out as providing and which actually 
provide alcohol or drug abuse diagnosis, treatment, and referral for 
treatment--the aim was to simplify the administration of the 
regulations, but without significantly affecting the incentive to seek 
treatment provided by the confidentiality protections. Limiting the 
applicability of 42 CFR part 2 to specialized programs was intended to 
lessen the adverse economic impact of the regulations on a substantial 
number of facilities which provide SUD care only as incident to the 
provision of general medical care. The exclusion of hospital emergency 
departments and general medical or surgical wards from coverage was not 
seen as a significant deterrent to patients seeking assistance for 
alcohol and drug abuse. SAMHSA's experience in the more than 30 years 
since 1987 has been consistent with this expectation.
    The 2017 final rule elaborated on this policy, by establishing that 
the disclosure restrictions on SUD patient records would extend to 
individuals or entities who receive such records either from a part 2 
program or from another lawful holder. See 42 CFR 2.12(d)(2)(i)(C). As 
explained in the 2017 final rule, a ``lawful holder'' of patient 
identifying information is an individual or entity who has received 
such information as the result of a part 2-compliant patient consent, 
or as a result of one of the exceptions to the consent requirements in 
the statute or implementing regulations (82 FR 6068). Thus, the effect 
of the 2017 rule was to expand the scope of application for part 2 
confidentiality, by ensuring that records initially created by a part 2 
program would remain protected under 42 CFR part 2 throughout a chain 
of subsequent re-disclosures, even into the hands of a downstream 
recipient not itself a part 2 program. The reason for the 2017 change 
was, once again, to avoid any deterrent effect on patients seeking 
specialized SUD care through part 2 treatment programs, by virtue of 
the patient records from those programs losing their part 2 
confidentiality protection following a disclosure downstream to other 
``lawful holder'' recipients of those records (81 FR 6997).
    Although that policy was established in the 2017 final rule, 
specifically in Sec.  2.12(d)(2)(i)(C), there remains some confusion 
within the provider community about what information collected by non-
part 2 entities is (or is not) covered by the part 2 restrictions on 
re-disclosure. When SAMHSA expanded the reach of the Applicability 
provision in 2017, the intent was not to change the policy established 
in the 1987 rulemaking, nor to make the records of non-part 2 entities 
(such as some primary care providers) directly subject to 42 CFR part 
2, simply because information about SUD status and treatment might be 
included in those records. Rather, the intent underlying the 2017 
provision was to clarify the applicability of 42 CFR part 2 in a 
targeted manner, so that records initially created under the protection 
of part 2 would continue to be protected following disclosure to 
downstream recipients. In doing so, SAMHSA sought to encourage 
individuals to enter into SUD treatment through part 2 programs, by 
strengthening the confidentiality protection for records that originate 
from those programs. Implicit in SAMHSA rulemaking since 1987 has been 
the pursuit of a balance of policy interests: On the one hand, 
consistent with the Congressionally stated purpose of the drug abuse 
confidentiality statute, to encourage entry into SUD treatment by 
ensuring that the records of treatment

[[Page 44572]]

through a part 2 program would not be publicly disclosed, and on the 
other hand, to reduce the adverse impact of part 2 burdens on general 
medical care providers and facilities and on patient care.
    In the wake of the nation's opioid epidemic and continuing trends 
related to alcohol use disorder and cannabis use disorder, it has 
become increasingly important for primary care providers and general 
medical facilities not covered by 42 CFR part 2 to be able to carry out 
treatment and health care operations that sometimes involve creating 
new records that mention SUD status and care. Such records and 
activities are not covered by 42 CFR part 2. However, coordination of 
care between part 2 programs and non-part 2 providers would involve the 
disclosure of SUD records and information by the former to the latter. 
Under the current 42 CFR part 2 regulation, such disclosures of records 
by a part 2 program to a non-part 2 provider do not render all 
subsequent records on SUD caretaking activity undertaken by the non-
part 2 provider subject to the part 2 regulation. For example, when a 
non-part 2 provider is directly treating her own patient, and creates a 
record based on her own patient contact that includes SUD information, 
then that record is not covered by part 2.
    Nevertheless, SAMHSA recognizes that there may be significant 
confusion or misunderstanding as to the applicability of part 2 rules 
to non-part 2 providers. This results in increased burden on non-part 2 
providers, and the potential for impaired coordination of care for 
patients, which could be life threatening, for example, if an affected 
patient has an opioid use disorder. Although the existing text of 42 
CFR 2.12 (d)(2)(i)(C) on Applicability does not compel these results, 
SAMHSA's experience in recent years has demonstrated the need for 
clearer regulatory language, to better delineate the records of non-
part 2 entities which are not covered by the 42 CFR part 2 rules.
    Based on the above considerations, SAMHSA proposes to add a new 
subsection (d)(2)(ii) to Sec.  2.12, to better clarify that a non-part 
2 treating provider's act of recording information about a SUD and its 
treatment would not make that record subject to 42 CFR part 2. SUD 
records received by that non-part 2 entity from a part 2 program are 
subject to part 2 restrictions on redisclosure of part 2 information by 
lawful holders, including redisclosures by non-part 2 providers. 
However, the records created by the non-part 2 provider in its direct 
patient encounter(s) would not be subject to part 2, unless the records 
received from the part 2 program are incorporated into such records. 
Segregation of any part 2 records previously received from a part 2 
program can be used to ensure that new records (e.g., a treatment note 
based on a direct clinical encounter with the patient) created by non-
part 2 providers during their own patient encounters would not become 
subject to the part 2 rules.
    SAMHSA believes that this addition would further clarify the 2017 
revisions, by affirming that the independent record-keeping activities 
of non-part 2-covered entities remain outside the coverage of 42 CFR 
part 2, despite such providers' (segregated) possession, as lawful 
holders, of part 2-covered records. The part 2 disclosure restrictions 
only apply to SUD patient records originating with part 2 providers. 
Such part 2 originating records are subject to the part 2 limitations 
on use and disclosure as they move through the hands of other ``lawful 
holders'' and part 2 programs. Even where part 2 does not apply to a 
patient record created by a non-part 2 provider following a direct 
patient encounter, that record will nevertheless be subject to the 
HIPAA Privacy Rule.
    One means by which non-part 2 treating providers could benefit from 
the above proposal would be through the segregated storage of part 2-
covered SUD records received from a part 2 program or other lawful 
holder. In the context of a paper record received from a part 2 
program, the proposed requirement could be met by the ``segregation'' 
or ``holding apart'' of these records; in the context of electronic 
records from a part 2 program, the proposed requirement could be met by 
logical ``segmentation'' of the record in the electronic health record 
(EHR) system in which it is held. As under the current rule, when a 
non-part 2 entity receives a protected SUD record from a part 2 program 
or other lawful holder, the received record is subject to the 
heightened confidentiality requirements under part 2. ``Segregating'' 
the received record, whether by segmenting it or otherwise labeling or 
holding it apart, would allow the recipient entity to identify and keep 
track of a record that requires heightened protection.
    Under both the proposal and the current text of part 2, the lawful 
holder recipient entity remains subject to part 2 re-disclosure 
restrictions with regard to the part 2 record, whether or not the 
recipient entity is able to segregate it. But ``segregating'' allows 
the recipient entity both to keep track of the part 2 records, and 
readily distinguish them from all the other patient records that the 
entity holds which are not subject to part 2 protection. As mentioned 
above, ``segregating'' the part 2 record may involve physically holding 
apart any part 2-covered records from the recipient's other records, 
which would be quite feasible in the case of a received paper record or 
an email attachment containing such data. Alternately, ``segregating'' 
can involve electronic solutions, such as segmenting an electronic SUD 
patient record received from a part 2 program by use of a Data 
Segmentation for Privacy (DS4P) compliant EHR platform, in which 
segmentation is carried out electronically based on the standards of 
DS4P architecture (discussed further below). Either of these methods 
for ``segregating'' part 2 covered records is a satisfactory way for 
the recipient entity to keep track of them, and to distinguish them 
from all the other patient records that the entity holds which are not 
subject to part 2 protection. We note that ``segregating'' a received 
part 2 record does not require the use of a separate server for holding 
the received part 2 records. We do not intend this rule to result in 
the creation of separate servers or health IT systems for part 2 
documents. Our policy is intended to be consistent with existing 
technical workflows for data aggregation, storage, and exchange.
    One concern that this proposal raises is the possibility that a 
non-part 2 provider might transcribe extensively from a part 2 record 
without having a clinical purpose for doing so. This, however, is not 
the intent of the proposal. Briefly, the intent is to allow a non-part 
2 provider to receive SUD information about a patient from a part 2 
program, and then to engage in a treatment discussion with that 
patient, informed by that information, and then be able to create her 
own treatment records including SUD content, without the latter 
becoming covered by part 2. This level of flexibility is needed in 
order to improve coordination of care efforts, and to save lives. It is 
not SAMHSA's intent to encourage a non-part 2 provider to abuse the 
rules, by transcribing extensively from a conversation with a part 2 
program or from a received part 2 record when creating her own records, 
without having a clinical purpose for doing so.
    In the 2017 final rule, SAMHSA responded to several public comments 
about data segmentation issues connected to 42 CFR part 2. We 
acknowledged then that although significant challenges exist for data 
segmentation of SUD records within

[[Page 44573]]

some current EHR systems, SAMHSA has led the development of use- case 
discussions related to the technical implementation of the Data 
Segmentation for Privacy (DS4P) standard and recently contributed to 
the development of the FHIR implementation guide for Consent2Share.\2\ 
We believe that DS4P and Consent2Share are important tools to advance 
the needs of part 2 providers and providers across the care continuum. 
SAMHSA recognizes and encourages the further development of DS4P 
standards, and the adoption by providers of EHR systems that meet those 
standards. The current proposal for revising Sec.  2.12 does not, 
however, impose on non-part 2 entities any new requirement for data 
segmentation as a practice, nor does it establish any new standards or 
requirements for EHR technology. SAMHSA considered including, in this 
proposed rule, the policy option of defining ``segmented'' and 
``segmentation'' under 42 CFR part 2, in order to offer greater clarity 
about what these terms mean under the rule. We decided not to do so, 
however, since a formal definition of segmentation might have 
unforeseen technical ramifications for EHR and HIE systems 
implementation in the future. In addition, SAMHSA believes this policy 
should be flexible, to allow providers with different operational 
standards and capabilities to implement the policy with regard to 
segregation or segmentation in the least burdensome way to their 
practices, while still maintaining confidentiality of patient records 
subject to part 2. Nevertheless, using health IT to support data 
segmentation for privacy and consent management is one path that a 
provider could use to support their effort to meet part 2 requirements 
including those described in this proposed rule.
---------------------------------------------------------------------------

    \2\ ``Consent2Share FHIR Profile Design.docx'' can be accessed 
at https://gforge.hl7.org/gf/project/cbcc/frs/.
---------------------------------------------------------------------------

    In addition to the proposed revision to 42 CFR 2.12(d) above, 
SAMHSA proposes conforming changes to the regulatory text of several 
other sections of 42 CFR 2.12, to provide further clarification of the 
applicability of part 2 restrictions on patient records.
    In Sec.  2.12(a), SAMHSA proposes to change the text to reflect 
that the restrictions on disclosure apply to ``any records,'' rather 
than to ``any information, whether recorded or not.'' We also propose a 
conforming change to Sec.  2.12(a)(ii), to indicate that the 
restrictions of this part apply to any records which ``contain drug 
abuse information obtained . . .'' or ``contain alcohol abuse 
information obtained . . .'' Taken together, these changes are 
congruent with the amendment to Sec.  2.12(d) and help to make it clear 
that part 2 applies to ``records'' (as defined under Sec.  2.11).
    In Sec.  2.12(e)(3), SAMHSA proposes to change the text to reflect 
that the restrictions on disclosure apply to the recipients ``of part 
2-covered records,'' rather than to the recipients ``of information.'' 
This proposed change is congruent with the proposed amendment to Sec.  
2.12(d) and would help to make explicit that downstream restrictions on 
re-disclosure by non-Part 2 entities are tied to protected records 
which originate from a part 2 program in the first instance. SAMHSA 
believes that this proposed conforming change is important, because it 
would further establish that the re-disclosure burden for non-part 2 
entities ties specifically to the protected records that they receive 
from a part 2 program, and not to any other records that the non-part 2 
entity creates by itself, regardless of whether the latter might 
include some SUD-related content.
    In Sec.  2.12(e)(4), SAMHSA likewise proposes a conforming change 
to the text, by adding language to reflect that a diagnosis prepared by 
a part 2 program for a patient who is neither treated by nor admitted 
to that program, nor referred for care elsewhere, is nevertheless 
covered by the regulations in this part. The proposed change to the 
regulatory text is for clarity, to ensure that this section could not 
be misread as applying directly to the activities of a non-part 2 
entity or provider.
    Similarly, and congruent with the above conforming changes, SAMHSA 
is also proposing to modify the definition of ``Records'' in Sec.  2.11 
as discussed in Section III.A. above and to modify and streamline the 
language in Sec.  2.32 as discussed in Section III.D. below. Readers 
are referred to those sections of the proposed rule for specifics on 
those proposals and the rationales for such proposed policies.

C. Consent Requirements (Sec.  2.31)

    In the 2017 final rule, SAMHSA made several changes to the consent 
requirements at Sec.  2.31, to facilitate the sharing of information 
within the health care context, while ensuring the patient is fully 
informed and the necessary confidentiality protections are in place. 
Among those changes, SAMHSA amended the written consent requirements 
regarding identification of the individuals and entities to whom 
disclosures of protected information may be made (82 FR 6077). 
Specifically, SAMHSA adopted a framework for disclosures to entities 
that made several distinctions between recipients that have a treating 
provider relationship with the patient, and recipients that do not. 
Under the current rules at Sec.  2.31(a)(4), if the recipient entity 
does not have a treating provider relationship with the patient whose 
information is being disclosed and is not a third-party payer, such as 
an entity that facilitates the exchange of health care information or 
research institutions, the written consent must include the name of the 
entity and one of the following: ``the name(s) of an individual 
participant(s); the name(s) of an entity participant(s) that has a 
treating provider relationship with the patient whose information is 
being disclosed; or a general designation of an individual or entity 
participant(s) or class of participants that must be limited to a 
participant(s) who has a treating provider relationship with the 
patient whose information is being disclosed.'' As stated in the 2017 
final rule, SAMHSA wants to ensure that patient identifying information 
is only disclosed to those individuals and entities on the health care 
team with a need to know this sensitive information (82 FR 6084). 
SAMHSA, accordingly, limited the ability to use a general designation 
in the `to whom' section of the consent requirements to those 
individuals or entities with a treating provider relationship to the 
patient at issue.
    Since the 2017 final rule was published, SAMHSA has learned that 
some patients with substance use disorders may want part 2 programs to 
disclose protected information to entities for reasons including 
eligibility determinations and seeking non-medical services or benefits 
from governmental and non-governmental entities (e.g., social security 
benefits, local sober living or halfway house programs). Because these 
entities lack a treating provider relationship with the patient, the 
current rules preclude them from being designated by name to receive 
the information, unless they are third-party payers, or the patient 
knows the identity of the specific individual who would receive the 
information on behalf of the benefit program or service provider. In 
addition, many of these entities may not be able to identify a specific 
employee to receive application information, and instead are likely to 
encourage patients to contact them or apply online, such that 
information is submitted to the organization rather than to a specific 
person. SAMHSA has heard that many patients have encountered 
frustration and delays in applying for and receiving services and

[[Page 44574]]

benefits from, and in authorizing part 2 providers to release their 
information to, entities providing such services and benefits, by 
virtue of the inability to designate these entities by organization 
name only on the written consent for disclosure of part 2 information. 
It is not SAMHSA's intent to limit patients' ability to consent to the 
disclosure of their own information. We wish, rather, to empower 
patients to consent to the release and use their health information in 
whatever way they choose, consistent with statutory and regulatory 
protections designed to ensure the integrity of the consent process.
    Therefore, SAMHSA proposes to amend the current regulations to 
clarify that patients may consent to disclosures of part 2 information 
to organizations without a treating provider relationship. We propose 
to amend Sec.  42 CFR 2.31(a)(4)(i), which currently requires a written 
consent to include the names of individual(s) to whom a disclosure is 
to be made. The amendment would insert the words ``or the name(s) of 
the entity(-ies)'' to that section, so that a written consent must 
include the name(s) of the individual(s) or entity(-ies) to whom or to 
which a disclosure is to be made. SAMHSA believes that this language 
aligns more closely with the wording of the regulation before the 
January 2017 final rule changes and would alleviate problems caused by 
the inability to designate by name an individual recipient at an 
entity. For example, if a patient wants a part 2 program to disclose 
impairment information to the Social Security Administration for a 
determination of benefits, such patient would only need to authorize 
this agency on the ``to whom'' section of the consent form, rather than 
identify a specific individual at the agency to receive such 
information.
    SAMHSA proposes to remove Sec.  2.31(a)(4)(ii) and (iii)(A), and 
redesignate current Sec.  2.31(a)(4)(iii)(B) as Sec.  2.31(a)(4)(ii). 
SAMHSA also proposes to amend the newly redesignated Sec.  
2.31(a)(4)(ii), so that it applies only to entities that facilitate the 
exchange of health information (e.g., health information exchanges 
(HIEs)) or research institutions. The proposed amendment would provide 
that, if the recipient entity is an entity that facilitates the 
exchange of health information or is a research institution, the 
consent must include the name of the entity and one of the following: 
(1) The name(s) of an individual or entity participant(s); or (2) a 
general designation of an individual or entity participant(s) or class 
of participants, limited to a participant(s) who has a treating 
provider relationship with the patient whose information is being 
disclosed. As stated in the January 2017 final rule (82 FR 6084), for 
entities that facilitate the exchange of health information or are 
research institutions, SAMHSA wants to ensure that patient identifying 
information is only disclosed to those individuals and entities on the 
health care team with a need to know this sensitive information. 
Therefore, in instances where information is disclosed to entities that 
facilitate the exchange of health information or research institutions, 
SAMHSA will continue to limit the ability to use a general designation 
(e.g., ``all my treating providers'') in the ``to whom'' section of the 
consent requirements to those individuals or entities with a treating 
provider relationship.

D. Prohibition on Re-Disclosure (Sec.  2.32)

    As discussed in Section III.B. above, in the 2017 final rule, 
SAMHSA clarified that the disclosure restrictions on SUD patient 
records would extend to individuals or entities who receive such 
records either from a part 2 program or from another lawful holder. We 
further emphasized this clarification in the notice requirements in 
Sec.  2.32. Under Sec.  2.32, each disclosure made with a patient's 
consent must contain a written statement notifying the recipient of the 
applicability of 42 CFR part 2 to any re-disclosure of the protected 
record. In the 2017 final rule, SAMHSA noted that the prohibition on 
re-disclosure provision only applies to information from the record 
that would identify, directly or indirectly, an individual as having 
been diagnosed, treated, or referred for treatment for a substance use 
disorder by a part 2-covered provider. The prohibition still allows 
other health-related information shared by the part 2 program to be re-
disclosed, if permissible under the applicable law (82 FR 6089).
    SAMHSA has heard from the provider community that this section of 
the regulation has prompted downstream, non-part 2 providers to 
manually redact portions of their disclosure data files that identify a 
patient as having or having had a substance use disorder. This activity 
is operationally burdensome and not the intent of the 2017 final rule. 
As noted in Section III.B. above, SAMHSA proposes to modify the 
regulations such that the recording of information about a SUD and its 
treatment by a non-part 2 entity is permitted and does not constitute 
records that have been redisclosed under part 2 (and, thus, subjected 
to part 2 protections), provided that any specific SUD records received 
from a part 2 program or other lawful holder are segregated or 
segmented. Therefore, a downstream entity would not need to redact SUD 
information in its records, provided that the original record received 
from the part 2 program or other lawful holder is segregated or 
segmented.
    To ensure that downstream entities are aware that they do not need 
to redact information in their files if they have means of identifying 
the part 2-covered data (e.g., by segregating or segmenting the files 
received from the part 2 program), as proposed above, SAMHSA proposes 
to modify and streamline the notice language in Sec.  2.32(a)(1), to 
remove the superfluous language that has contributed to confusion 
regarding the restrictions on re-disclosures. Specifically, we propose 
to remove ``information in'' and ``that identifies a patient as having 
or having had a substance use disorder either directly, by reference to 
publicly available information, or through verification of such 
identification by another person,'' from the current notice language 
established in the regulation. Additionally, SAMHSA has added language 
to specifically state that only the record is subject to the 
prohibition on re-disclosure in Sec.  2.32, unless further disclosure 
either is expressly permitted by written consent of the individual 
whose information is being disclosed in the record or is otherwise 
permitted by 42 CFR part 2.

E. Disclosures Permitted With Written Consent (Sec.  2.33)

    In the 2018 final rule (83 FR 241), SAMHSA clarified at Sec.  
2.33(b), the scope and requirements for permitted disclosures by a 
lawful holder to contractors, subcontractors, and legal 
representatives, for the purpose of payment and certain health care 
operations. In the 2017 proposed rule, SAMHSA proposed to include a 
list of 17 specific types of permitted payment and health care 
operations (82 FR 5487).
    Based on the numerous comments received requesting additions or 
clarifications to the list, as well as concerns that the changes 
occurring in the health care payment and delivery system could rapidly 
render any list of activities included in the regulatory text outdated, 
SAMHSA decided not to include the list of 17 activities in the 
regulation text in the 2018 final rule, and, instead, decided to 
include a list of the types of permitted activities in the preamble of 
the 2018 final rule. SAMHSA stated in the 2018 final rule that we 
included this list of activities in the preamble in order to make clear 
that it is an illustrative rather than

[[Page 44575]]

exhaustive list of the types of payment and health care operations 
activities that would be acceptable to SAMHSA (83 FR 241). By removing 
the list from the regulatory text, SAMHSA intended for other 
appropriate payment and health care operations activities to be 
permitted under Sec.  2.33 as the health care system continues to 
evolve.
    Since the 2018 final rule was published, SAMHSA has learned that 
including an illustrative list of permissible activities in the 
preamble rather than in the text of the regulation did not fully 
clarify the circumstances under which part 2 information could be 
further disclosed under Sec.  2.33. Specifically, stakeholders may 
believe that a particular activity is not permissible unless it is 
explicitly identified within the regulatory text. Therefore, to clear 
up any remaining confusion, SAMHSA proposes to amend Sec.  2.33(b) to 
expressly include the illustrative list of permissible activities that 
was contained in the preamble of the 2018 final rule (83 FR 243). It is 
important to note, as was noted in the preamble to the 2018 final rule, 
that this list is illustrative rather than exhaustive.
    Specifically, examples of permissible activities that SAMHSA 
considers to be payment and health care operations activities to be 
added under Sec.  2.33(b) include:
     Billing, claims management, collections activities, 
obtaining payment under a contract for reinsurance, claims filing and 
related health care data processing;
     Clinical professional support services (e.g., quality 
assessment and improvement initiatives; utilization review and 
management services);
     Patient safety activities;
     Activities pertaining to:
    [cir] The training of student trainees and health care 
professionals;
    [cir] The assessment of practitioner competencies;
    [cir] The assessment of provider and/or health plan performance; 
and/or
    [cir] Training of non-health care professionals;
     Accreditation, certification, licensing, or credentialing 
activities;
     Underwriting, enrollment, premium rating, and other 
activities related to the creation, renewal, or replacement of a 
contract of health insurance or health benefits, and/or ceding, 
securing, or placing a contract for reinsurance of risk relating to 
claims for health care;
     Third-party liability coverage;
     Activities related to addressing fraud, waste and/or 
abuse;
     Conducting or arranging for medical review, legal 
services, and/or auditing functions;
     Business planning and development, such as conducting cost 
management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
     Business management and/or general administrative 
activities, including management activities relating to implementation 
of and compliance with the requirements of this or other statutes or 
regulations;
     Customer services, including the provision of data 
analyses for policy holders, plan sponsors, or other customers;
     Resolution of internal grievances;
     The sale, transfer, merger, consolidation, or dissolution 
of an organization;
     Determinations of eligibility or coverage (e.g., 
coordination of benefit services or the determination of cost sharing 
amounts), and adjudication or subrogation of health benefit claims;
     Risk adjusting amounts due based on enrollee health status 
and demographic characteristics; and
     Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges.

To further clarify that the list is not exhaustive, SAMHSA also 
proposes to add ``other payment/health care operations activities not 
expressly prohibited'' in this provision to the end of the list. For 
example, SAMHSA previously added language to the regulatory text in 
Sec.  2.33(b) to clarify that disclosures to contractors, 
subcontractors and legal representatives are not permitted for 
activities related to a patient's diagnosis, treatment, or referral for 
treatment. SAMHSA again clarifies that Sec.  2.33(b) is not intended to 
cover care coordination or case management, and disclosures to 
contractors, subcontractors, and legal representatives to carry out 
such purposes are not permitted under this section. We note that this 
policy differs from the Health Insurance Portability and Accountability 
Act Privacy Rule, under which `health care operations' encompasses such 
activities as case management and care coordination. SAMHSA has 
previously emphasized the importance of maintaining patient choice in 
disclosing information to health care providers with whom they will 
have direct contact (83 FR 243). Although Sec.  2.33(b) does not cover 
disclosures for the purpose of care coordination or case management, 
such disclosures may nevertheless be made under other provisions of 
Sec. Sec.  2.31 and 2.33. Additionally, several of the proposals to 
revise other sections of part 2 in this rule-making will help to 
facilitate coordination of care, as under Sec.  2.12 (Applicability).

F. Disclosures To Prevent Multiple Enrollments (Sec.  2.34)

    In the 2017 final rule, SAMHSA modernized Sec.  2.34 by updating 
terminology and revising corresponding definitions. Section 2.34 
permits consensual disclosure of patient records to a withdrawal 
management or maintenance treatment program within 200 miles of a part 
2 program. After receiving comments, we retained the specificity of 
``200 miles'' to prevent multiple enrollments that could result in 
patients receiving multiple streams of SUD treatment medications, which 
in turn may increase the likelihood of an adverse event or of diversion 
(82 FR 6094).
    Central registries, defined in Sec.  2.11, do not exist in all 
states, and the defining parameters for the operation of the registries 
vary somewhat across states and across part 2 programs. However, in the 
context of the opioid epidemic, recent experience has demonstrated that 
it is important for all providers who work with SUD patients, including 
non-opioid treatment program (non-OTP) providers, to have access to the 
information in the central registries, for the purpose of helping 
prevent duplicative patient enrollment for opioid use disorder 
treatment. Access to central registry information is also needed by 
non-OTP providers to fully inform their decisions when considering 
appropriate prescription drugs, including opioids, for their patients.
    Methadone is a long-acting opioid used to treat opioid use 
disorders and for pain that, when used at levels higher than 
recommended for an individual patient, can lead to low blood pressure, 
decreased pulse, decreased respiration, seizures, coma, or even death. 
When used as a part of a supervised medication assisted treatment (MAT) 
program, methadone is a safe and effective treatment for SUD, including 
OUD. Methadone is a long acting opioid, subject to accumulation when 
its metabolism is inhibited. Its effects may be potentiated by certain 
other drugs with which it may have pharmacodynamic interactions, so the 
medication is specifically tailored to each individual patient and must 
be used exactly as prescribed. Exceeding the specific dosing can lead 
to dangerous side effects and potential overdose. Other medications, 
including

[[Page 44576]]

other SUD treatments, such as buprenorphine, as well as other 
medication including other opioids, benzodiazepines, HIV medications, 
certain antipsychotics and anti-depressants, also have the potential to 
interact dangerously with methadone.
    Buprenorphine products are also long-acting opioid formulations 
approved by the Food and Drug Administration (FDA) for treatment of 
opioid use disorder, subject to limitations, which can be dispensed at 
OTPs, and in outpatient settings. While buprenorphine is demonstrated 
to exhibit a ceiling effect on respiratory depression in persons with 
opioid tolerance, it has significant opioid effects in those without 
tolerance which can contribute to adverse events including opioid 
overdose. Both of these long acting opioids (methadone and 
buprenorphine) have potential drug interactions with other medications 
that could lead to adverse events, including drug toxicity and opioid 
overdose.
    These realities underscore the reason it is important for a 
prescriber to check central registries, when possible, to assure that 
it is appropriate to prescribe the contemplated opioid therapies for a 
particular individual. The ability to query a central registry 
regarding any duplicative enrollment in similar treatment can also be 
crucial to effective care, and to ensuring patient safety. Similarly, 
to avoid opioid-related adverse events, it is imperative that 
prescribing clinicians be aware of any opioid therapy that may be in 
current use by a patient prior to making further medication prescribing 
decisions.
    Under the current language of Sec.  2.34(a), a part 2 program may 
seek a written patient consent in order to disclose treatment records 
to a central registry. In turn, the recipient central registry may only 
disclose-patient contact information for the purpose of preventing 
multiple enrollments under Sec.  2.34(b). Currently, under Sec.  
2.34(c), the central registry may only disclose when asked by a 
``member program'' whether an identified patient is enrolled in another 
member program.
    SAMHSA proposes to expand the scope of Sec.  2.34 to make non-OTP 
providers with a treating provider relationship with the patient 
eligible to query a central registry to determine whether the specific 
patient is already receiving opioid treatment through a member program 
to prevent duplicative enrollments and prescriptions for excessive 
opioids, as well as to prevent any adverse effects that may occur as a 
result of drug interactions with other needed medications. 
Specifically, SAMHSA proposes to amend Sec.  2.34(b) to include the use 
of central registry information to coordinate care with a non-part 2 
program. In addition, we propose to add a new subsection (d) to 
specifically permit non-member treating providers to access the central 
registries. Previous subsection (d) will be re-designated as subsection 
(e).
    SAMHSA believes that disclosures by central registries to non-OTP 
treating providers will help to ensure patient safety, and to prevent 
duplicative treatment plans and medications or medication doses that 
could place a patient receiving SUD treatment at risk.
    For the reasons above, SAMHSA proposes to amend Sec.  2.34(b) and 
(d) to allow non-OTP providers that have a treating relationship to the 
patient to access the central registries to inquire about that patient.

G. Disclosure to Prescription Drug Monitoring Programs (Sec.  2.36)

    A prescription drug monitoring program (PDMP) is a statewide 
electronic database that collects, analyzes, and makes available 
prescription data on controlled substances prescribed by practitioners 
and non-hospital pharmacies.\3\ Forty-nine states, St. Louis County, 
Missouri \4\ and the District of Columbia have legislatively mandated 
the creation of PDMPs. Most states had developed their own PDMP prior 
to the current opioid crisis; however, few prescribers accessed 
them.\5\ As opioid use disorder rates, overdoses and deaths increased 
significantly since 1999, the majority of states began requiring health 
professionals to check the state's PDMP \6\ before prescribing 
controlled substances to patients. Currently, 41 states require 
physicians to use their state's PDMP to analyze prescription history 
prior to writing a prescription for opioids or other controlled 
substances.\7\ Studies have shown that states that have implemented 
such a requirement have seen declines in overall opioid prescribing, 
drug-related hospitalizations, and overdose deaths.\8\
---------------------------------------------------------------------------

    \3\ SAMHSA's Center for the Application of Prevention 
Technologies; Using Prescription Drug Monitoring Program Data to 
Support Prevention Planning. Available at: https://www.samhsa.gov/capt/sites/default/files/resources/pdmp-overview.pdf.
    \4\ Former Missouri Gov. Greitens ordered the creation of a 
statewide PDMP in July 2017, but state lawmakers have not yet 
authorized funding for the program. St. Louis County started its own 
PDMP in April 2017, which covers nearly 80 percent (28 counties and 
6 cities) of Missouri physicians and pharmacists.
    \5\ Brandeis University Prescription Drug Monitoring Program 
Training and Technical Assistance Center. Available at: https://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.
    \6\ Pew Charitable Trusts and National Alliance for State Model 
Drug Laws. Available at: https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2017/12/29/in-opioid-epidemic-states-intensify-prescription-drug-monitoring.
    \7\ Pew Charitable Trusts. When are Prescribers Required to Use 
Prescription Drug Monitoring Programs? January 24, 2018. Available 
at: https://www.pewtrusts.org/en/research-and-analysis/data-visualizations/2018/when-are-prescribers-required-to-use-prescription-drug-monitoring-programs.
    \8\ Brandeis University Prescription Drug Monitoring Program 
Training and Technical Assistance Center. Available at: https://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.
---------------------------------------------------------------------------

    Most PDMPs track prescription drug information on Schedule II-V 
controlled medications. Pharmacies must submit the prescription data 
required by their state's PDMP, depending on the state's statutory 
requirements. More robust PDMP programs have been associated with 
greater reductions in prescription opioid overdoses.\9\ As noted above, 
this data allows providers to ensure that a patient is not receiving 
multiple prescriptions and to enhance patient care and patient safety.
---------------------------------------------------------------------------

    \9\ Pew Charitable Trusts. When are Prescribers Required to Use 
Prescription Drug Monitoring Programs? January 24, 2018. Available 
at: Available at: https://www.pewtrusts.org/en/research-and-analysis/data-visualizations/2018/when-are-prescribers-requiredd-to-use-prescription-drug-monitoring-programs.
---------------------------------------------------------------------------

    Presently, OTPs are not required to report methadone or 
buprenorphine dispensing to their states' PDMP. In our 2011 guidance 
letter, SAMHSA encouraged OTP staff to access PDMPs, but stated that 
OTPs could not disclose patient identifying information to a PDMP 
unless an exception applies, consistent with the federal 
confidentiality requirements.\10\ SAMHSA no longer believes this policy 
is advisable in light of the current public health crisis arising from 
opioid use, misuse, and abuse. In the past 10 years, there has been a 
substantial increase in prescription drug misuse, admissions to 
substance use facilities, emergency department visits and opioid-
related deaths.\11\ The omission of OTP data from a PDMP can lead to 
potentially dangerous adverse events for patients who may receive 
duplicate or potentially contraindicated prescriptions as part of 
medical care outside of an OTP, thereby placing them at risk for 
adverse events, including

[[Page 44577]]

possible overdose or even fatal drug interactions.
---------------------------------------------------------------------------

    \10\ Clark HW. Dear Colleague letter. September 27, 2011. 
Available at: https://www.samhsa.gov/sites/default/files/programs_campaigns/medication_assisted/dear_colleague_letters/2011-colleague-letter-state-prescription-drug-monitoring-programs.pdf.
    \11\ SAMHSA. In Brief: Prescription Drug Monitoring Programs: A 
Guide For Healthcare Providers. Volume 10, Issue 1 (Winter 2017). 
Available at: https://store.samhsa.gov/system/files/sma16-4997.pdf.
---------------------------------------------------------------------------

    SAMHSA believes that permitting part 2 programs, including OTPs, 
and lawful holders to enroll in PDMPs and submit the dispensing data 
for controlled substances required by states currently for other 
prescribed, controlled substances would allow for greater patient 
safety, better patient treatment, and better care coordination among 
the patient's providers. Therefore, SAMHSA proposes to add a new 
section Sec.  2.36, permitting OTPs and other lawful holders to report 
the required data to their respective state PDMPs when dispensing 
medications. The proposed rule would require part 2 providers to obtain 
written consent from the patient whose identifying information will be 
disclosed prior to making such reports. This update is consistent with 
the proposal under Sec.  2.34(c) to allow non-OTPs to query central 
registries to prevent duplicate enrollment.
    SAMHSA acknowledges that this proposal may raise concerns about law 
enforcement access to PDMPs, particularly in those states in which 
PDMPs are operated by a law enforcement agency. However, individuals 
are not limited to OTPs when seeking OUD treatment. Prescriptions 
written for OUD opioid pharmacotherapy by non-OTP providers are already 
recorded in the state PDMP. By implication, PDMPs operated by law 
enforcement agencies are already receiving some patient data related to 
SUD treatment. Although the current proposal might expand that 
practice, it would not create it. And because the disclosure of SUD 
patient records by OTPs would be made contingent on written patient 
consent, any negative impact on patient confidentiality seems likely to 
be small. By contrast, the omission from PDMPs of dispensing and 
prescribing data from OTPs presents serious safety risks for SUD 
patients. While the reporting of patient data to a PDMP by an OTP would 
make it possible for law enforcement, prescribers, and pharmacies with 
access to a PDMP to determine that a specific patient had received 
services at a specific OTP, law enforcement would still require a court 
order meeting the requirements of 42 U.S.C. 290dd-2(c) to access the 
covered records of that patient or any other patient served at the OTP. 
SAMHSA believes that allowing for OTP reporting to PDMPs further 
enhances PDMPs as a tool to help prevent prescription drug misuse and 
opioid overdose, while providing more complete and accurate data. In 
turn, more robust PDMP data is imperative for prescribers and providers 
to make better and more accurate patient care decisions while 
increasing patient safety and assuring appropriate care.

H. Medical Emergencies (Sec.  2.51)

    Under Sec.  2.51, disclosures of substance use disorder treatment 
records without patient consent are permitted in a bona fide medical 
emergency. Although not a defined term under part 2, a ``bona fide 
medical emergency'' most often refers to the situation in which an 
individual requires urgent clinical care to treat an immediately life-
threatening condition (e.g., heart attack, stroke, overdose, etc.), and 
in which it is infeasible to seek the individual's consent to release 
of relevant, sensitive SUD records prior to administering potentially 
life-saving care. SAMHSA proposes to amend this section to address the 
impact of major \12\ and natural disasters, declared by state or 
federal authorities, on access to substance use treatment and services, 
in addition to the more common situation of an individual experiencing 
a ``bona fide medical emergency.''
---------------------------------------------------------------------------

    \12\ The Federal Emergency Management Agency (FEMA) notes that 
the President can declare a major disaster for any natural event, 
regardless of cause, that is determined to have caused damage of 
such severity that it is beyond the combined capabilities of state 
and local governments to respond. https://www.fema.gov/disaster-declaration-process.
---------------------------------------------------------------------------

    Disasters (e.g., hurricanes, wildfires) can present unique 
challenges for patients with substance use disorders, and for their 
treating providers. These events may disrupt the usual access to 
services and medications across a geographic region. As a result, 
patients may be required to seek treatment at facilities or with 
providers who do not have full access to their records.
    When access to, or operation of, substance use disorder treatment 
facilities and services are disrupted on a regional basis in the wake 
of a disaster like a hurricane or wildfire, many patients become unable 
to access care through their usual providers, while many providers may 
be unable to follow usual consent-based procedures in order to obtain 
and/or release records for large numbers of patients. Thus, the 
disclosure requirements of 42 CFR part 2 may be too burdensome in these 
instances. For example, in the case of a hurricane, normal policies and 
procedures for obtaining consent according to Sec. Sec.  2.31 and 2.32 
may not be operational. At the same time, the inability of SUD patients 
to access needed care through their usual providers (or other 
providers) that have access to part 2-protected records concerning 
their condition, may constitute or lead to medical emergencies. As a 
result of these factors, SAMHSA believes that it is necessary--and 
consistent with its statutory authority--to include natural and major 
disasters within the meaning of medical emergency for which there would 
be an exception to the requirement of consent for disclosure of part 2 
records. In this NPRM, such an exception is proposed.
    SAMHSA underscores that consent should still be obtained if at all 
feasible, but appropriate care should be the priority in these often-
devastating scenarios and an exception should be allowed. Thus, SAMHSA 
proposes to revise Sec.  2.51(a) to facilitate expedient access to care 
for patients with SUDs during natural and major disasters. 
Specifically, SAMHSA proposes to authorize, under Sec.  2.51(a), a part 
2 program to disclose patient identifying information to medical 
personnel, without patient consent, as needed in the event of a natural 
or major disaster to deliver effective ongoing substance use disorder 
services to patients in such disasters. Specifically, SAMHSA proposes 
that this medical emergency exception would apply only when a state or 
federal authority declares a state of emergency as a result of a 
disaster and the part 2 program is closed and unable to provide 
services or obtain the informed consent of the patient as a result of 
the disaster, and would immediately be rescinded once the part 2 
program resumes operations.

I. Research (Sec.  2.52)

    SAMHSA recognizes the need for researchers to use SUD-related data 
to advance scientific research, particularly in light of the national 
opioid epidemic. SAMHSA supports the conduct of scientific research on 
SUD care, and has worked to allow researchers appropriate access to 
healthcare data relating to SUD, while maintaining appropriate 
confidentiality protections for patients.
    Under 42 CFR 2.52, part 2 programs are permitted to disclose 
patient identifying information for research, without patient consent, 
under limited circumstances. In the 2017 Final Rule, SAMHSA made 
several changes to the research exception at Sec.  2.52, including 
permitting the disclosure of data by lawful holders (as well as by part 
2 programs) to qualified personnel for the purpose of conducting 
scientific research.
    Currently Sec.  2.52 allows the disclosure of patient identifying 
information for research purposes without patient consent, if the 
recipient of the patient identifying information is a HIPAA-covered 
entity or business associate, and has obtained and documented 
authorization from the patient, or a

[[Page 44578]]

waiver or alteration of authorization, consistent with the HIPAA 
Privacy Rule at 45 CFR 164.508 or 164.512(i) or the recipient is 
subject to the HHS regulations regarding the protection of human 
subjects under the Common Rule. (45 CFR part 46).
    Since the 2017 Final Rule, SAMHSA has become aware that limiting 
research disclosures under Sec.  2.52, to only HIPAA-covered entities 
or institutions subject to the Common Rule,\13\ may make it more 
difficult for some legitimate stakeholders to obtain data from SUD 
treatment records, for the purpose of conducting scientific research. 
For example, under the current provisions of Sec.  2.52, the disclosure 
by a lawful holder of SUD records for the purpose of research to a 
State agency without a part 2 patient consent may be barred, given that 
most State agencies are neither HIPAA-covered entities nor directly 
subject to the Common Rule. It is not SAMHSA's intention or policy to 
make it more burdensome for these sorts of stakeholders to carry out 
scientific research. SAMHSA would like to more closely align the 
requirements of 42 CFR 2.52 (disclosures for the purpose of research), 
with the currently analogous provisions on research under the HIPAA 
Privacy Rule (45 CFR 164.512(i)) and the Common Rule, in order to 
minimize any conflict or duplication in the requirements for consent to 
disclosure of records for the purpose of research. Therefore, SAMHSA is 
proposing to modify the text of Sec.  2.52(a), in order to allow 
research disclosures of part 2 data from a HIPAA covered entity or 
business associate to individuals and organizations who are neither 
HIPAA covered entities, nor subject to the Common Rule, provided that 
any such data will be disclosed in accordance with the HIPAA Privacy 
Rule at 45 CFR 164.512(i). This change will align the requirements of 
part 2 with the Privacy Rule around the conduct of research on human 
subjects. SAMHSA believes this change to Sec.  2.52(a) is needed, in 
order to allow an appropriate range of stakeholders to conduct 
scientific and public health research on SUD care and SUD populations.
---------------------------------------------------------------------------

    \13\ The Common Rule governs research conducted or supported 
(i.e., funded) by the 16 departments and agencies that issued the 
Common Rule.
---------------------------------------------------------------------------

    In addition, SAMHSA is proposing two additional changes to the text 
of Sec.  2.52(a). First, SAMHSA is proposing to add new Sec.  
2.52(a)(1)(iii), in order to clarify that research disclosures may be 
made to members of the workforce of a HIPAA covered entity for purposes 
of employer-sponsored research, where that covered entity requires all 
research activities carried out by its workforce to meet the 
requirements of either the Privacy Rule and/or Common Rule, as 
applicable. Second, SAMHSA is also proposing to add new Sec.  
2.52(a)(1)(iv), to permit research disclosures to recipients who are 
covered by FDA regulations for the protection of human subjects in 
clinical investigations (at 21 CFR part 50), subject to appropriate 
documentation of compliance with FDA regulatory requirements, and 
pursuant to authority under the Food, Drugs and Cosmetics Act. In both 
instances, these proposals would help to align the part 2 requirements 
for research disclosures of SUD data, with analogous requirements for 
the conduct of research on human subjects that may apply under other 
federal regulations in specific circumstances.

J. Audit and Evaluation (Sec.  2.53)

    Current regulations at Sec. Sec.  2.53(a), (b), and (c) describe 
the circumstances under which specified individuals and entities may 
access patient identifying information in the course of an audit or 
evaluation. Section 2.53(a) governs the disclosure of patient 
identifying information for audits and evaluations that do not involve 
the downloading, forwarding, copying, or removing of records from the 
premises of a part 2 program or other lawful holder. In these 
instances, information may be disclosed to individuals and entities who 
agree in writing to comply with the limitations on disclosure and use 
in Sec.  2.53(d) and who perform the audit or evaluation on behalf of 
one of the following: A federal, state, or local governmental agency 
that provides financial assistance to or is authorized to regulate a 
part 2 program or other lawful holder; an individual or entity which 
provides financial assistance to a part 2 program or other lawful 
holder; a third-party payer covering patients in a part 2 program; or a 
quality improvement organization (QIO) performing a utilization or 
quality control review. The regulations permit disclosure to 
contractors, subcontractors, or legal representatives performing audits 
and evaluations on behalf of certain individuals, entities, third-party 
payers, and QIOs described directly above. At Sec.  2.53(a)(2), the 
regulations also allow part 2 programs or other lawful holders to 
determine that other individuals and entities are qualified to conduct 
an audit or evaluation of the part 2 program or other lawful holder. In 
these instances, patient information may be disclosed during an on-
premises review of records, as long as the individuals and entities 
agree in writing to comply with the limitations on disclosure and use 
in Sec.  2.53(d).
    Section 2.53(b) of the regulation governs the copying, removing, 
downloading, or forwarding of patient records in connection with an 
audit or evaluation performed on behalf of government agencies, 
individuals, and entities described in 42 CFR 2.53(b)(2), which are 
identical to the agencies, individuals, and entities described in Sec.  
2.53(a)(1) above. In these audits, records containing patient 
identifying information may be copied or removed from the premises of a 
part 2 program or other lawful holder, or downloaded or forwarded to 
another electronic system or device from the part 2 program's or other 
lawful holder's electronic records, by an individual or entity who 
agrees to the records maintenance standards and disclosure limitations 
outlined in Sec.  2.53(b)(1)(i)-(iii).
    Additionally, patient identifying information may be disclosed to 
individuals and entities who conduct Medicare, Medicaid, or CHIP audits 
or evaluations as set forth in Sec.  2.53(c).
    SAMHSA understands there is confusion about Sec.  2.53 as it 
applies to several specific situations, and therefore proposes to make 
the following changes to the regulations to improve clarity about what 
is permissible under these sections. SAMHSA also proposes to update 
part 2 regulatory language related to quality improvement organizations 
(QIO) to align with current QIO regulations.
    First, some stakeholders have voiced frustration that part 2 
programs have been unwilling or unable to disclose patient records that 
may be needed by federal, state, and local agencies, to better serve 
and protect patients with SUD. For example, a state Medicaid Agency or 
state or local health department may need to know about specific types 
of challenges faced by patients receiving opioid therapy treatment, 
such as co-occurring medical or psychiatric conditions, or social and 
economic factors that impede treatment or recovery. An agency may need 
this kind of information to recommend or mandate improved medical care 
approaches; to target limited resources more effectively to care for 
patients; or to adjust specific Medicaid or other program policies or 
processes related to payment or coverage to facilitate adequate 
coverage and payment. Government agencies may also wish to know how 
many patients test positive for a new and harmful illicit drug, and how 
part 2 programs are actually treating those patients, as an input to 
agency decisions aimed at improving

[[Page 44579]]

quality of care. For example, agencies may wish to modify requirements 
for part 2 programs, educate or provide additional oversight of part 2 
providers, and/or update corresponding payment or coverage policies. 
Third-party payers covering patients in a part 2 program may have 
similar objectives for obtaining part 2 information.
    Current regulations allow part 2 programs to share information for 
the purposes described above in two ways, using either de-identified or 
identifiable information. Only SUD records containing patient 
identifying information are subject to part 2 protections, and 
therefore a part 2 program or other lawful holder may share non-
identifiable information with government agencies (federal, state and 
local) for many types of activities.
    SAMHSA encourages the use of de-identified or non-identifiable 
information whenever possible. However, it may be time consuming, labor 
intensive, or technologically difficult for part 2 programs to create, 
and for government agencies to obtain quickly, data that does not 
contain part 2 identifying information. It may be too cumbersome or 
cost prohibitive for part 2 programs to provide the kind of data 
necessary in a de-identified format. It also may be challenging for 
part 2 programs to provide information quickly in more urgent 
situations, without potentially diverting resources away from patient 
care.
    Patient identifying may also be used to help agencies and third-
party payers improve care in certain circumstances. Under current 
regulations at Sec.  2.53(a) and (b), federal, state, and local 
government agencies that have the authority to regulate or that provide 
financial assistance to part 2 programs, and third-party payers with 
covered patients in part 2 programs, may receive patient identifying 
information in the course of conducting audits or evaluations. 
Additionally, patient identifying information may be disclosed to 
individuals and entities to conduct Medicare, Medicaid, or CHIP audits 
or evaluations under Sec.  2.53(c). Thus, a Medicaid agency may 
evaluate the part 2 providers that participate in its Medicaid program; 
a state health department may audit the facilities it licenses pursuant 
to its regulatory authority; and a health plan may review part 2 
programs that serve its enrollees.
    The current regulations do not define audit and evaluation, nor do 
they direct the manner in which evaluations are carried out, as noted 
by Sec.  2.2(b)(2). Nevertheless, SAMHSA believes that the concept of 
audit or evaluation is not restricted to reviews that examine 
individual part 2 program performance. They may also include periodic 
reviews of part 2 programs to determine if there are any needed actions 
at an agency level to improve care and outcomes across the individual 
part 2 programs the agency regulates or supports financially. Likewise, 
audits or evaluations may include reviews to determine if there are 
needed actions at a health plan level to improve care and outcomes for 
covered patients in part 2 program. In other words, audits or 
evaluations may be conducted with a goal to identify additional steps 
agencies or third-party payers should be taking to support the part 2 
programs and their patients. This includes reviews that allow agencies 
or third-party payer entities to identify larger trends across part 2 
programs, in order to respond to emerging areas of need in ways that 
improve part 2 program performance and patient outcomes.
    SAMHSA proposes to clarify that under Sec.  2.53, government 
agencies and third-party payer entities would be permitted to obtain 
part 2 records without written patient consent to periodically conduct 
audits or evaluations for purposes such as identifying agency or health 
plan actions or policy changes aimed at improving care and outcomes for 
part 2 patients (e.g., provider education, recommending or requiring 
improved health care approaches); targeting limited resources more 
effectively to better care for patients; or adjusting specific Medicaid 
or other insurance components to facilitate adequate coverage and 
payment. These agencies and third-party payers are required to abide by 
the restrictions on disclosure and other relevant confidentiality 
requirements outlined in Sec.  2.53. Additionally, SAMHSA does not 
believe it is generally necessary to conduct these types of audits or 
evaluations on a routine or ongoing basis. Rather, we would generally 
expect that they would be performed periodically, unless they are 
required by applicable law or other compelling circumstances exist, 
such as unique cases in which an oversight agency determines there is a 
need for ongoing review. Information disclosed for the purpose of a 
program audit or evaluation may not be used to directly provide or 
support care coordination. As stated previously (83 FR 243), SAMHSA 
believes it is important to maintain patient choice in disclosing 
information to health care providers with whom patients have direct 
contact. Agencies or health plans could, for example, use information 
from the aggregated results of part 2 program evaluations to determine 
that a new benefit or payment category is needed in order to facilitate 
better care coordination.
    The preamble to the 2017 final rule noted that the authorizing 
statute for part 2 does not provide a general exception to the consent 
requirement for disclosure of SUD records, for the purpose of sharing 
records with public health officials (82 FR 6079). Furthermore, the 
preamble also noted that SAMHSA does not have the statutory authority 
to authorize routine disclosure of part 2 information for public health 
purposes (82 FR 6079). SAMHSA emphasizes that audits or evaluations 
using aggregated data for such purposes described above are distinct 
from a broader public health exception. Specifically, under current 
regulations, part 2 programs may share information with the agencies 
that have the authority to regulate or provide financial support to the 
part 2 program, in order to safeguard or improve the care and outcomes 
for current and future patients in those programs, or to ensure the 
integrity of the funding program and the appropriate use of financial 
support by the part 2 program. A broader public health exception would 
conceivably enable part 2 programs to share identifiable information 
with any public health agency, regardless of its relationship with the 
part 2 program, for many types of purposes (e.g., preventative efforts 
aimed at a wider population).
    To clarify allowable program evaluation activities using patient 
identifying information, SAMHSA proposes to redesignate current 
Sec. Sec.  2.53(c) and (d) as Sec. Sec.  2.53(e) and (f), respectively, 
and insert a new Sec.  2.53(c) titled: ``Activities Included.'' 
Proposed new paragraph Sec.  2.53(c)(1) would specify that audits or 
evaluations may include periodic activities to identify actions that an 
agency or third-party payer entity can make, such as changing its 
policies or procedures to improve patient care and outcomes across part 
2 programs; targeting limited resources more effectively; or 
determining the need for adjustments to payment policies for the care 
of patients with SUD. This change would clarify that disclosures of 
patient records by a part 2 program to an agency or third-party payer 
entity are permitted for these purposes without patient consent, 
pursuant to this section.
    Second, SAMHSA has received feedback that stakeholders are unclear 
about whether Sec.  2.53 allows federal, state, and local government 
agencies and third-party payers to have access to patient information 
for activities related

[[Page 44580]]

to reviews of appropriateness of medical care, medical necessity, and 
utilization of services. As described above, the current regulations 
allow information to be disclosed to certain federal, state, and local 
governmental agencies and third-party payers for audit or evaluation 
purposes, as long as they agree to specific restrictions outlined in 
the regulations to limit disclosure or use of the records and preserve 
patient confidentiality. While neither the statute nor the regulations 
define audit or evaluation, these terms should and do include audits or 
evaluations to review whether patients are receiving appropriate 
services in the appropriate setting. Assessing whether a part 2 program 
provides appropriate care is a necessary part of any comprehensive part 
2 program audit or evaluation. Government agencies may be charged with 
conducting such reviews for licensing or certification purposes or to 
ensure compliance with federal or state laws, as may private not-for-
profit entities granted authority under the applicable statutes or 
regulations to carry out such work in lieu of the agencies. Third-party 
payers also have a stake in the programmatic integrity, as well as the 
clinical quality, of the part 2 programs that serve the patients they 
cover. Therefore, SAMHSA proposes to insert a new Sec.  2.53 (c)(2) 
that clarifies audit and evaluations under this section may include, 
but are not limited to, reviews of appropriateness of medical care, 
medical necessity, and utilization of services. Stakeholders are also 
referred to Sec.  2.33, which allows disclosure of information for 
payment and/or health care operations activities with a patient's 
consent.
    Third, stakeholders have expressed confusion about whether part 2 
programs may disclose information for audit or evaluation purposes to 
the larger health care organizations in which they operate. For 
example, Medicare Condition of Participation regulations at 42 CFR 
482.21 require individual hospitals to conduct quality assessment and 
performance improvement (QAPI) programs that reflect the complexity of 
each hospital's organization and services, and which involve all 
hospital departments and services. QAPI programs are ongoing, hospital-
wide, data-driven efforts that focus on addressing high-risk, high-
volume or problem prone areas that affect health outcomes, patient 
safety, or quality of care.
    The part 2 regulations provide ample leeway for part 2 programs to 
share information within their larger health care organizations for 
these and other types of evaluations. Under Sec.  2.53(a)(2), part 2 
programs may determine that individuals or entities within their health 
care organizations are qualified to conduct audits and evaluations and 
may share information pursuant to such reviews. Additionally, Sec.  
2.12(c)(3) states that, ``The restrictions on disclosure in the 
regulations in this part do not apply to communications of information 
between or among personnel having a need for the information in 
connection with their duties that arise out of the provision of 
diagnosis, treatment, or referral for treatment of patients with 
substance use disorders if the communications are:
    (i) Within a part 2 program; or
    (ii) Between a part 2 program and an entity that has direct 
administrative control over the program.'' The phrase ``direct 
administrative control'' refers to the situation in which a substance 
use disorder unit is a component of a larger behavioral health program 
or of a general health program.''
    In order to eliminate any remaining misunderstanding, however, 
SAMHSA proposes to expand the regulatory language to explicitly clarify 
that this type of information sharing is permitted under the 
regulations. Specifically, we propose to add language to Sec.  
2.53(a)(2) to state that, ``Auditors may include any non-part 2 entity 
that has direct administrative control over the part 2 program or 
lawful holder.'' Additionally, SAMHSA proposes to include similar 
language in new subsection (b)(2)(iii). We believe that the proposed 
changes will help to clarify that in these situations, identifiable 
patient diagnosis or treatment information can be shared with personnel 
from an entity with direct administrative control over the part 2 
program, where those persons, in connection with their audit or 
evaluation duties, need to know the information.
    Fourth, while the regulations at Sec. Sec.  2.53(a)(1)(ii) and 
(b)(2)(ii) specifically delineate that information may be disclosed to 
quality improvement organizations performing utilization or quality 
control reviews, these provisions do not explicitly include other types 
of entities that are responsible for quality assurance. For example, 
the regulations for audit and evaluation do not describe entities, such 
as health care organization accrediting or certification bodies, that 
may need to review patient records to evaluate whether a part 2 program 
meets quality and safety standards. To ensure that stakeholders 
understand that disclosure to these types of organizations is 
permitted, SAMHSA proposes to insert a new Sec.  2.53(d) stating, 
``Quality Assurance Entities Included. Entities conducting audits or 
evaluations in accordance with Sec. Sec.  2.53(a) and (b) may include 
accreditation or similar types of organizations focused on quality 
assurance.''
    Additionally, SAMHSA understands that some federal, state, and 
local government agencies face challenges in meeting statutory or 
regulatory mandates that require them to conduct audits or evaluations 
involving part 2 information. For example, the Centers for Medicare & 
Medicaid Services conducts risk adjustment data validation in 
connection with the risk adjustment program it is required to operate 
in accordance with section 1343 of the Patient Protection and 
Affordable Care Act, 42 U.S.C. 18063 and implementing regulations. 
Under risk adjustment data validation, health insurance issuers are 
lawful holders of part 2 identifying information and may be required to 
provide it to CMS or its contractors. Therefore, SAMHSA is proposing to 
insert a new Sec.  2.53(g) to permit patient identifying information to 
be disclosed to federal, state, and local government agencies, as well 
as their contractors, subcontractors, and legal representatives of such 
agencies, in the course of conducting audits or evaluations mandated by 
statute or regulation, if those audits or evaluations cannot be carried 
out using de-identified information.
    In addition to these changes, SAMHSA proposes to update language 
related to quality improvement organizations. Specifically, at 
Sec. Sec.  2.53(a)(1)(ii) and (b)(2)(ii), it proposes to amend the 
language to align it with the current QIO regulations.

K. Orders Authorizing the Use of Undercover Agents and Informants 
(Sec.  2.67)

    Under the 1975 final rule, the placement of undercover agents or 
informants in a part 2 program was largely prohibited, other than as 
specifically authorized by a court order for the purpose of 
investigating a part 2 program, or its agents or employees, for 
allegations of serious criminal misconduct. At the time the 1975 final 
rule was promulgated, it was noted that, although the use of undercover 
agents and informants in treatment programs was ordinarily to be 
avoided, there occasionally arise circumstances where their use may be 
justified (42 FR 27809). More narrowly, it was noted that the 
authorizing statute, by itself, did not forbid the use of undercover 
agents or informants, and that the express statutory prohibition 
against direct disclosure of patient records is

[[Page 44581]]

nevertheless subject to the power of the courts to authorize such 
disclosures under 42 U.S.C. 290dd-2(b)(2)(C). Building on these 
statutory considerations, it was concluded that the power to regulate 
the placement of undercover agents and informants is limited, and that 
the importance of criminal investigation of part 2 programs offers a 
legitimate policy basis for allowing the placement of undercover agents 
or informants in such programs, given a showing of good cause in 
specific instances. As explained in the preamble to the 1975 final 
rule, experience has demonstrated that medical personnel, no matter how 
credentialed, can engage in the illicit sale of drugs on a large scale, 
and that the use of undercover agents and informants is normally the 
only effective means of securing evidence sufficient to support a 
successful prosecution in such instances. Based on over 40 years of 
experience since then, SAMHSA believes it is still the case that 
medical personnel sometimes engage in the illicit sale or transfer of 
drugs, and that a process for authorizing undercover agents is 
important to ensure the safety of patients in these part 2 programs.
    Under the 1975 final rule, a 60-day time limitation with regard to 
the placement of undercover agents and informants in a part 2 program 
was imposed, with the opportunity for an applicant to seek an extension 
of the court order, for a total of up to 180 days (42 FR 27821). In the 
1987 final rule, that period of placement for undercover agents and 
informants pursuant to a court order was extended to 6 months. This 
policy limitation was codified at Sec.  2.67(d)(2).
    Based on consultation with DOJ, the current policy is burdensome 
on, and overly restrictive of, some ongoing investigations of part 2 
programs. Specifically, DOJ has stated that a typical undercover 
operation can often last longer than 6 months, and that 12 months is a 
more realistic timeframe for such operations. Therefore, SAMHSA 
proposes to amend Sec.  2.67(d)(2), to extend the period for court-
ordered placement of an undercover agent or informant to 12 months, 
while authorizing courts to further extend a period of placement 
through a new court order.
    In addition, DOJ has stated that the current regulation text is 
ambiguous regarding when the 6-month, or, as proposed, 12-month period, 
should start and stop, in determining whether a court-order period of 
placement has elapsed. SAMHSA considered multiple policy options 
regarding the tolling of the time period for an undercover placement. 
We considered having the time period begin on the date of the issuance 
of the court order. Alternatively, SAMHSA also considered having the 
time period begin on the date of placement of the undercover agent. In 
consultations with DOJ, SAMHSA has found that there is often a lag of 
time between the court order and the placement of the agent, for many 
reasons. Therefore, starting the time period when the court order is 
issued could significantly curtail the length of time an agent can be 
undercover at a part 2 program. Furthermore, starting the time period 
based on date of placement of the agent would provide greater clarity 
and predictability to law enforcement about exactly how long an agent 
or informant is allowed to be in the field, since the agent is aware of 
the date his or her placement began, but may not be aware of the date 
of the court order. Thus, SAMHSA proposes to amend Sec.  2.67(d)(2), to 
clarify that the proposed 12-month time period starts when an 
undercover agent is placed, or an informant is identified, in the part 
2 program.

IV. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
required to provide a 60-day notice in the Federal Register and solicit 
public comment before a collection of information requirement can be 
approved by the Office of Management and Budget (OMB) for review and 
approval. Currently, the information collection is approved under OMB 
Control No. 0930-0092. The collection of information in this proposed 
rule has been submitted to OMB for review under section 3507(d) of the 
PRA, and any public comments on this collection of information should 
be directed to the Office of Information and Regulatory Affairs of OMB, 
Attention: Desk Officer for SAMHSA.
    In order to fairly evaluate whether changes to an information 
collection should be approved by OMB, section 3506(c)(2)(A) of the PRA 
requires that SAMHSA solicit comment on the following issues: (a) 
Whether the information collection is necessary and useful to carry out 
the proper functions of the agency; (b) The accuracy of the agency's 
estimate of the information collection burden; (c) The quality, 
utility, and clarity of the information to be collected; and (d) 
Recommendations to minimize the information collection burden on the 
affected public, including automated collection techniques.
    Under the PRA, the time, effort, and financial resources necessary 
to meet the information collection requirements referenced in this 
section are to be considered in rule making. SAMHSA explicitly seeks, 
and will consider, public comment on our assumptions as they relate to 
the PRA requirements summarized in this section.
    This proposed rule includes changes to information collection 
requirements, that is, reporting, recordkeeping or third-party 
disclosure requirements, as defined under the PRA (5 CFR part 1320). 
Some of the provisions involve changes from the information collections 
set out in the previous regulations. Below, SAMHSA briefly discusses 
each proposal and whether such proposal includes changes to information 
collection requirements.
    In section III.A. of this proposed rule, SAMHSA proposes to modify 
the existing definition of ``Records'' in Sec.  2.11 to conform with 
other proposed revisions in this proposed rule. See section III.A. for 
further information about this proposal. SAMHSA does not believe this 
proposal will result in any change in collection of information 
requirements since unrecorded information is, by its nature, not 
collected.
    In section III.B. of this proposed rule, SAMHSA proposes to amend 
Sec.  2.12 to clarify in that section that non-part 2 entities may 
record SUD treatment about a patient in its own records without 
triggering part 2 provided that such providers are able to 
differentiate their records from those received from a part 2 program 
and part 2 records received from lawful holders. See section III.B. for 
further information about this proposal. As stated in that section, 
SAMHSA proposes new regulatory text to clarify existing policies; thus, 
SAMHSA does not propose to change any collection of information 
requirements. Furthermore, we believe that the clarification represents 
standard practice in many, if not all, part 2 programs and among other 
lawful holders. That is, non-part 2 entities are already either 
segregating or segmenting any SUD records received from a part 2 
program or deciding not to do so, based on their standard operations. 
This proposal would merely clarify that if the non-part 2 entity does, 
in fact, segregate or segment these records, the recording of 
information about a SUD and its treatment by a non-part 2 entity does 
not by itself render a medical record subject to the restrictions of 42 
CFR part 2. Thus, SAMHSA does not believe this proposal would result in 
any changes in collection of information requirements.

[[Page 44582]]

    In section III.C. of this proposed rule, SAMHSA proposes to amend 
Sec.  2.31, to allow patients to consent to disclosure of their 
information to entities, without naming the specific individual 
receiving this information on behalf of a given entity. See section 
III.C. for further information about this proposal. This proposal may 
result in providers needing to update their standard consent forms to 
allow for certain disclosures to such entities; that additional burden 
is discussed in the Regulatory Impact Analysis, below. SAMHSA believes 
this proposal may result in part 2 program disclosing more information 
to certain entities. We discuss this additional burden, in total, with 
the additional collection of information requirements that may result 
from the proposals in sections III.I., and III.J, below.
    In section III.D. of this proposed rule, SAMHSA proposes to modify 
and streamline the language in Sec.  2.32(a)(1), to remove the 
superfluous language that has contributed to confusion regarding the 
restrictions on re-disclosure. See section III.D. for further 
information about this proposal. Since part 2 providers are already 
required, upon disclosure, to provide a written statement notifying the 
recipient of the applicability of 42 CFR part 2 to any re-disclosure of 
the protected record, consistent with the prior revisions to part 2, 
including the 2017 final rule (82 FR 6106), SAMHSA does not believe 
this proposed modification of the language would result in any changes 
in collection of information requirements.
    In section III.E. of this proposed rule, SAMHSA proposes to specify 
in regulatory text an illustrative list of 17 permitted activities 
under Sec.  2.33. SAMHSA is also proposing to add to Sec.  2.33 that 
other payment and/or health care operations activities not expressly 
prohibited under this provision are also allowed. See section III.E. 
for further information about this proposal. As noted in that section, 
SAMHSA has previously stated that these activities are permitted (83 FR 
241); this proposed language would only further clarify this previously 
finalized policy. Therefore, SAMHSA does not believe this proposal 
would result in any changes in collection of information requirements.
    In section III.F. of this proposed rule, SAMHSA proposes to expand 
the scope of Sec.  2.34(d) to make non-OTP providers with a treating 
provider relationship eligible to query a central registry with their 
patient's consent to determine whether a patient is already receiving 
treatment through a member program to prevent duplicative enrollments 
and prescriptions for methadone or buprenorphine, as well as to prevent 
any adverse effects with other prescribed medications. See section 
III.F. for further information about this proposal. Based on SAMHSA's 
research, the policies and procedures governing central registries vary 
widely by each state; in fact, many states do not have central 
registries in place. Because of this lack of information, it is not 
possible to estimate either the number of additional queries which 
central registries may receive as a result of this proposal or the time 
or effort required to answer these queries. Therefore, it is difficult 
to estimate any additional collection of information requirements which 
may result from this proposal. Instead, SAMHSA requests that central 
registries and providers that would query central registries provide 
comments on any additional information collection requirements this 
proposal would cause and any resulting burden.
    In section III.G. of this proposed rule, SAMHSA proposes to add a 
new Sec.  2.36 permitting part 2 programs to report any data for 
controlled substances dispensed or prescribed to patients to PDMPs, as 
required by the applicable state law. See section III.G. for further 
information about this proposal. SAMHSA anticipates that this proposal 
may result in additional burden for part 2 programs choosing to report 
to PDMPs in two ways. If a part 2 program chooses to report to a PDMP, 
the program will need to update its consent forms to request consent 
for disclosure to PDMPs. That burden is discussed in the Regulatory 
Impact Analysis, below. The second part of the proposal permits part 2 
programs to report any data for controlled substances dispensed to 
patients to PDMPs, as required by the applicable state law. To estimate 
the additional collection of information requirements associated with 
this proposal, SAMHSA used the average number of opiate treatment 
admissions from SAMHSA's 2014-2016 Treatment Episode Data Set (TEDS) as 
the estimate of the number of clients treated on an annual basis by 
part 2 programs (531,965). Although not all programs would need to 
report this information under state law or may choose to do so, SAMHSA 
has used this number to be conservative and comprehensive of any future 
burden if states require reporting in the future. TEDS ``comprises data 
that are routinely collected by States in monitoring their individual 
substance abuse treatment systems. In general, facilities reporting 
TEDS data are those that receive State alcohol and/or drug agency funds 
(including Federal Block Grant funds) for the provision of substance 
abuse treatment.'' \14\ Although TEDS does not represent all of the 
admissions to part 2 programs, as reporting varies by state, SAMHSA 
believes it represents the vast majority of admissions. Conservatively, 
we assumed that each of these clients would consent to the re-
disclosure of their information to PDMPs and would be dispensed 
medication required to be reported to a PDMP. SAMHSA assumes that part 
2 programs, based on other state and federal requirements, already are 
required to query PDMP databases; therefore, SAMHSA does not include 
registration and infrastructure costs in this estimate. For example, 
several states require medical directors of OTPs to query their 
respective state PDMPs at minimum intervals, including IN, MN, MI, ND, 
NC, RI, TN, VT, WA, and WV.\15\ Based on discussions with providers, 
SAMHSA also estimates that, in addition to an initial update to the 
PDMP database for existing patients, the PDMP database would typically 
need to be accessed and updated quarterly for each patient, on average. 
Likewise, based on discussion with providers, SAMHSA believes accessing 
and reporting to the database would take approximately 2 minutes per 
patient, resulting in a total annual burden of 8 minutes (4 database 
accesses/updates x 2 minutes per access/update) or 0.133 hours annually 
per patient. For the labor costs associated with this activity, SAMHSA 
used the average wage rate of $23.04 \16\ per hour for substance abuse 
and behavioral disorder counselors (multiplied by two to account for 
benefits and overhead costs) to estimate a total burden in year 1 for 
the initial update of the PDMP database of $817,098 (531,965 clients x 
2 minutes (0.033 hrs) per access/update x $46.08/hr) and an annual 
burden in each year of $3,268,391 (531,965 clients x 0.133 hours x 
$46.08/hr). Therefore, we estimate that this proposal will result in an 
additional cost of $4,085,489 ($817,098 + $3,268,391), as reflected in 
Table 1, below.
---------------------------------------------------------------------------

    \14\ https://wwwdasis.samhsa.gov/webt/information.htm.
    \15\ https://www.pdmpassist.org/pdf/Resources/Use%20of%20PDMP%20data%20by%20opioid%20treatment%20programs.pdf.
    \16\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, May 2018, Substance Abuse and 
Behavioral Disorder Counselors, Standard Occupations Classification 
code (21-1018) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------

    In section III.H. of this proposed rule, SAMHSA proposes an 
addition to Sec.  2.51 to allow disclosure of patient information 
during natural and major disasters. See section III.H. for further

[[Page 44583]]

information about this proposal. Because this proposal by its very 
nature does not require additional consent requirements or other 
paperwork, SAMHSA does not believe this proposal would result in any 
changes in collection of information requirements. Providers, under 
their own policies and procedures or other laws, may need to keep track 
of the disclosures made, which, could require additional paperwork. 
Such requirements, however, are not discussed in this rule, nor does 
SAMHSA have any way of estimating them, as policies and procedures may 
vary across providers.
    In section III.I., and section III.J. of this proposed rule, SAMHSA 
proposes to amend Sec.  2.52 and Sec.  2.53 to allow certain 
disclosures without patient consent. First, in section III.I. of this 
proposed rule, SAMHSA proposes to modify the text of Sec.  2.52(a) in 
order to allow research disclosures of part 2 data from a HIPAA covered 
entity or business associate to individuals and organizations who are 
neither HIPAA covered entities, nor subject to the Common Rule, 
provided that any such data will be disclosed in accordance with the 
HIPAA Privacy Rule. See section III.I. for further information about 
this proposal. Second, SAMHSA proposes to clarify allowed disclosures 
for audit and evaluation purposes under Sec.  2.53 for activities 
undertaken by a federal, state, or local governmental agency or third-
party payer to improve the delivery of care, to target limited 
resources more effectively and/or to determine the need for adjustments 
to payment policies for the care of patients with SUD. SAMHSA also 
proposes language to clarify that (1) audits and evaluations may 
include reviews of appropriateness of medical care, medical necessity, 
and utilization of services; (2) part 2 programs may disclose 
information, without consent, to non-part 2 entities that have direct 
administrative control over such part 2 programs; and (3) entities 
conducting audits or evaluations in accordance with Sec. Sec.  2.53(a) 
and (b) may include accreditation or similar types of organizations 
focused on quality assurance. Further, SAMHSA proposes to permit 
patient identifying information to be disclosed to government agencies 
in the course of conducting audits or evaluations mandated by statute 
or regulation, if those audits or evaluations cannot be carried out 
using de-identified information. Finally, SAMHSA is proposing to update 
language related to QIOs. See section III.J. for further information 
about these proposals. As stated in that section, SAMHSA believes that 
the regulations already permit audits and evaluations for reviews of 
appropriateness of medical care, medical necessity, and utilization of 
services. Likewise, SAMHSA also believes that the current regulations 
permit disclosure to a non-part 2 entity with direct administrative 
control over a part 2 program and to accreditation and similar 
organizations. Therefore, although SAMHSA proposes language to clarify 
any confusion that may exist, it believes that these activities are 
already permitted and that they would not, therefore, result in any new 
collection of information requirements or any other burden. It also 
believes updating the QIO language would not create new collection of 
information requirements or increase burden. As noted above, SAMHSA 
also proposes to allow patient identifying information to be disclosed 
to government agencies and third-party payers periodically to identify 
needed actions at the agency or payer level, and to contractors hired 
by health insurance issuers and government agencies in the course of 
conducting audits or evaluations mandated by statute or regulation, if 
those audits and evaluations cannot be carried out using de-identified 
information. In section III.C of this proposed rule, SAMHSA also 
proposes to allow disclosure to entities with patient consent. SAMHSA 
believes that the proposals in sections III.C., I, and J, may result in 
additional collection of information requirements, as part 2 programs 
may be asked to disclose information to agencies and entities as a 
result of these proposals. Although SAMHSA is not able to anticipate 
the increase in these disclosures, to estimate the potential cost, we 
first estimated the number of potentially impacted part 2 programs 
based on the anticipated number of requests for a disclosure in a 
calendar year. SAMHSA used the average number of substance abuse 
treatment admissions from SAMHSA's 2014-2016 TEDS (1,658,732) as the 
number of patients treated annually by part 2 programs. SAMHSA then 
estimated that part 2 programs would need to disclose average of 15 
percent of these records (248,810) as a result of these proposals. We 
then estimated that 10 percent or 24,881 (248,810 x 10%) of impacted 
part 2 programs would use paper records to comply with these requests 
for disclosure reports while the remaining 90% or 223,929 (248,810 x 
90%) would use a health IT system. For part 2 programs using paper 
records, SAMHSA expects that a staff member would need to gather and 
aggregate the information from paper records, and manually track 
disclosures; for those part 2 programs with a health IT system, we 
expect records and tracking information would be available within the 
system.
    SAMHSA assumed medical record technicians would be the staff with 
the primary responsibility for compiling the information for a list of 
disclosures from both paper records and health IT systems. The average 
hourly rate for medical record and health information technicians is 
$21.16.\17\ In order to account for benefits and overhead costs 
associated with staff time, we multiplied the hourly wage rate by two 
for a total average hourly wage rate of $42.32. Absent any existing 
information on the amount of time associated with producing a list of 
disclosures, SAMHSA assumed it would take a medical record technician 4 
hours, on average, to produce the information from paper records at a 
cost of $169.28 (4 hours x $42.32/hr) and 0.25 hours, on average, to 
produce information from a health IT system at a cost of $10.58 (0.25 
hours x $42.32/hr). Finally, SAMHSA assumes that agencies will request 
that these disclosures be made on secure, online databases, and would 
not require notification via email or first class mail, thus resulting 
in no additional cost to transmit this information. Based on these 
assumptions, SAMHSA estimates that this proposal would result in an 
additional cost of $6,581,025 {(24,881 requests x $169.28 per request) 
+ (223,929 requests x $10.58 per request){time} , as reflected in Table 
1, below.
---------------------------------------------------------------------------

    \17\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, May 2018, Medical Records and 
Health Information Technicians, Standard Occupations Classification 
code (29-2071) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------

    In section III.K. of this proposed rule, SAMHSA proposes to amend 
Sec.  2.67 to extend the period for court-ordered placement of an 
undercover agent or informant to 12 months, while authorizing courts to 
further extend a period of placement through a new court order. In that 
section, SAMHSA also proposes to explicitly state when the 12-month 
period begins to run. See section III.K. for further information about 
this proposal. The requirements of the Paperwork Reduction Act do not 
apply ``During the conduct of a Federal criminal investigation or 
prosecution, or during the disposition of a particular criminal 
matter'' (5 CFR 1320.4(a)(1)), or to information collections by the 
federal judiciary or state courts (5 CFR 1320.3(a)), except in the rare 
case that those information collections and

[[Page 44584]]

conducted or sponsored by an executive branch department (5 CFR 
1320.3(a)).
    Below, SAMHSA summarizes the estimated cost of the change in 
collection of information requirements discussed above.

                                                          Table 1--Annualized Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                          Annual  number
                                                of         Responses per       Total         Hours per     Total hourly     Hourly wage    Total hourly
                                            respondents     respondent       responses       response         burden           cost            cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   2.36.............................         531,965               5       2,659,825           0.033          88,661          $46.08      $4,085,489
Sec.  Sec.   2.31, 2.52, 2.53 (Paper              24,881               1          24,881               4          99,524           42.32       4,211,856
 Records)...............................
Sec.  Sec.   2.31, 2.52, 2.53 (Health IT         223,929               1         223,929            0.25          55,982           42.32       2,369,169
 Systems)...............................
                                         ---------------------------------------------------------------------------------------------------------------
    Total...............................         780,775  ..............       2,908,633  ..............         244,167  ..............      10,666,513
--------------------------------------------------------------------------------------------------------------------------------------------------------

V. Response to Comments

    Because of the large number of public comments SAMHSA anticipates 
receiving on this Federal Register document, it will not be able to 
acknowledge or respond to them individually. SAMHSA will consider all 
comments received by the date and time specified in the DATES section 
of this proposed rule. When SAMHSA proceeds with a subsequent document, 
it will respond to the comments in the preamble to that document.

VI. Regulatory Impact Analysis

A. Statement of Need

    This proposed rule is necessary to update the Confidentiality of 
Substance Use Disorder Patient Records regulations at 42 CFR part 2 to 
respond to the emergence of the opioid crisis, with its catastrophic 
impact on patients and corresponding clinical and safety challenges for 
providers. The goal of this proposed rule is to clarify existing 
requirements in 42 CFR part 2 and reduce barriers to information 
sharing to ensure appropriate care and patient safety.
    As noted in the tables below, SAMHSA believes that the proposed 
policies in this proposed rule, if finalized, would result in some 
near-term non-recurring and annual recurring financial burdens. We have 
weighed these potential burdens against the potential benefits, and 
believe, on balance, the potential benefits outweigh any potential 
costs. Specifically, the proposals in this rule are meant to allow 
providers to better understand the needs of their patients by 
clarifying the requirements under part 2 and to break down barriers to 
information sharing among part 2 programs and other providers. SAMHSA 
believes this information sharing would benefit patients because both 
part 2 programs and other providers would be able to more fully 
understand the patient's health history and avoid dangerous and even 
lethal adverse drug events. In addition, these proposals are also 
intended to protect and empower patients by giving them more control 
over their consent and control of their records, for example, by 
allowing them to consent to disclosure to entities, should they so 
choose. Furthermore, in drafting these proposals, SAMHSA was cognizant 
of privacy concerns and specifically drafted these proposals to protect 
the privacy of patients; for example, the proposal regarding OTP 
provider disclosure to PDMPs requires the consent of the patient. 
SAMHSA believes that increasing patient safety and the empowerment of 
patients would lead to better health outcomes, therefore balancing any 
burdens discussed below and any remaining privacy concerns. /

B. Overall Impact

    SAMHSA has examined the impacts of this rule as required by 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act (RFA) 
(September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social 
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism 
(August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)), 
and Executive Order 13771 (Reducing and Controlling Regulatory Costs). 
Executive Orders 12866 and 13563 direct agencies to assess all costs 
and benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). Section 3(f) of Executive 
Order 12866 defines a ``significant regulatory ``action'' as an action 
that is likely to result in a rule: (1) Having an annual effect on the 
economy of $100 million or more in any 1 year, or adversely and 
materially affecting a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or state, 
local or tribal governments or communities (also referred to as 
``economically significant''); (2) creating a serious inconsistency or 
otherwise interfering with an action taken or planned by another 
agency; (3) materially altering the budgetary impacts of entitlement 
grants, user fees, or loan programs or the rights and obligations of 
recipients thereof; or (4) raising novel legal or policy issues arising 
out of legal mandates, the President's priorities, or the principles 
set forth in the Executive Order. A regulatory impact analysis must be 
prepared for major rules with economically significant effects ($100 
million or more in any 1 year). This rule does not reach the economic 
threshold and thus, is not considered a major rule to which Executive 
Orders 12866 or 13771 apply.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses. For purposes of the RFA, small entities include 
small businesses (including independent contractors), nonprofit 
organizations, and small governmental jurisdictions. Individuals and 
states are not included in the definition of a small entity. The 
proposed rule would allow patients to consent to disclosure of their 
information to entities; permit part 2 programs to report data for 
controlled substances dispensed to patients to PDMPs with patient 
consent; and allow part 2 programs to comply with disclosure requests 
from federal, state, or local governmental agencies, third-party payers 
and researchers. These proposals will result in additional reporting 
burden as well as near-term non-recurring and annual recurring 
regulatory impacts to part 2 programs. As shown in Table 2 and as 
discussed in the Collection of Information Requirements (Section IV), 
we estimate

[[Page 44585]]

the average cost impact per substance abuse treatment admission for 
staff training, updates to consent forms, and disclosures to agencies 
will be $4.09 in year 1 ($6,782,493 / 1,658,732 patients) and $3.97 in 
years 2 through 10 ($6,581,025 / 1,658,732 patients). For opiate 
treatment patients, we also estimate the average cost impact for 
disclosure to PDMPs to be $7.68 per patient in year 1 ($4,085,489 / 
531,965 patients) and $6.14 in years 2 through 10 ($3,268,391 / 531,965 
patients). When this is added to the costs for staff training, updates 
to consent forms, and disclosures to agencies, the aggregate cost 
impact per opiate treatment admission is $11.77 in year 1 and $10.11 in 
years 2 through 10. While we are unable to determine how many part 2 
programs qualify as small businesses based on the minimum threshold for 
small business size of $38.5 million (https://www.sba.gov/federal-contracting/contracting-guide/size-standards), we believe that on a 
per-patient basis, this proposed rule will not significantly affect 
part 2 treatment programs of any size. SAMHSA has not prepared an 
analysis for the RFA because it has determined, and the Secretary 
certifies, that this rule, if finalized as proposed, would not have a 
significant economic impact on a substantial number of small entities.
    As further described in section IV., above, when estimating the 
total costs associated with changes to the 42 CFR part 2 regulations, 
SAMHSA estimated costs related to collection of information for the 
proposed changes to Sec. Sec.  2.31, 2.52, 2.53, and (new) 2.36. In 
addition, we estimate that there may be additional burden related to 
updating consent forms as a result of the proposals in Sec. Sec.  2.31 
and (new) 2.36. In section III.C. of this proposed rule, SAMHSA 
proposes to amend Sec.  2.31, to allow patients to consent to 
disclosure of their information to entities, without naming the 
specific individual receiving this information on behalf of a given 
entity. In section III.G. of this proposed rule, SAMHSA proposes to add 
a new Sec.  2.36, permitting part 2 programs to report to PDMPs; 
patients must consent to disclosure before this reporting can occur. 
See sections III.C. and III.G. for further information about these 
proposals. These proposals may result in providers needing to update 
their standard consent forms to allow for certain disclosures. As 
stated in the 2016 proposed rule (81 FR 7009 through 7010), based from 
a 2008 study from the Mayo Clinic Health Care Systems,\18\ the reported 
cost to update authorization forms was $0.10 per patient. Adjusted for 
inflation,\19\ costs associated with updating the patient consent forms 
in 2019 would be $0.12 per patient (2018 dollars). SAMHSA used the 
average number of substance abuse treatment admissions from SAMHSA's 
2014-2016 TEDS (1,658,732) as an estimate of the number of clients 
treated on an annual basis by part 2 programs. Therefore, the total 
cost burden associated with updating the consent forms to reflect the 
updated 42 CFR part 2 regulations is estimated to be a one-time cost of 
$199,048 (1,658,732 * $0.12), as reflected in Table 2, below. Further, 
the proposal to amend Sec.  2.31 is likely to result in a decrease in 
the number of consents to disclosures that patients must make, due to 
the ability to consent to entities without naming a specific 
individual. Because of a lack of data regarding the number of consents 
patients have made to multiple individuals within the same entity which 
would become duplicative as a result of the proposed amendment, we are 
unable to quantify the reduction in burden related to the expected 
reduction in the number of required consents.
---------------------------------------------------------------------------

    \18\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., 
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs 
and patient perceptions of privacy safeguards at Mayo Clinic. Joint 
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
    \19\ https://www.bls.gov/cpi/tables/supplemental-files/historical-cpi-u-201905.pdf.
---------------------------------------------------------------------------

    In prior proposed rules (e.g., 81 FR 7009), SAMHSA estimated one 
hour of training per staff to achieve proficiency in the 42 CFR part 2 
regulations. SAMHSA assumes that training associated with the new 
requirements discussed in this proposed rule can be accomplished within 
the existing one hour of training, therefore we are not proposing any 
additional costs for training counseling staff.
    With regard to training materials, SAMHSA will assume 
responsibility for updating and distributing training materials in year 
1 at no cost to part 2 programs. A 2017 study by the Association for 
Talent Development determined the average time to develop training 
materials for one hour of classroom instruction is 38 hours.\20\ 
Because we assume that SAMHSA will be updating rather than developing 
training materials, we estimate the time for training development to be 
one-half that of developing new materials, or 19 hours and would be 
performed by an instructor with experience in healthcare at the average 
wage rate of $63.71 per hour for a health specialty teacher \21\ and 
multiplied the average wage rate by 2 in order to account for benefits 
and overhead costs. Based on these assumptions, the updating of 
training materials is estimated to cost $2,421 (19 hours x $127.42/
hour). SAMHSA estimates that the updates to consent forms (Sec. Sec.  
2.31 and 2.36) would be one-time costs the first year the final rule 
would be in effect and would not carry forward into future years. Staff 
training costs other than those associated with updating training 
materials are assumed to be ongoing annual costs to part 2 programs, 
also beginning in the first year that the final rule is in effect. 
Costs associated with disclosing information to PDMPs (Sec.  2.36) and 
agencies (Sec.  2.53) are assumed to be ongoing annual costs to part 2 
programs.
---------------------------------------------------------------------------

    \20\ https://www.td.org/insights/how-long-does-it-take-to-develop-one-hour-of-training-updated-for-2017.
    \21\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, May 2018, Health Specialty 
Teachers, Postsecondary, Standard Occupations Classification code 
(25-1071) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------

    In section III.K. of this proposed rule, SAMHSA proposes to amend 
Sec.  2.67 to extend the period for court-ordered placement of an 
undercover agent or informant to 12 months, while authorizing courts to 
further extend a period of placement through a new court order. In that 
section, SAMHSA also proposes to explicitly state when the 12-month 
period begins to run. See section III.K. for further information about 
this proposal. Since the requirements for seeking this court order 
would be the same, and the proposal would merely be extending the time 
of the court order, SAMHSA does not believe this proposal will result 
in any additional regulatory burden.
    Based on the above, SAMHSA estimates in the first year that the 
final rule would be in effect, the costs associated with the proposed 
updates to 42 CFR part 2 would be $10,867,982 as shown in Table 2. In 
years 2 through 10, SAMHSA estimates that costs would be $9,849,415. 
Over the 10-year period of 2019-2028, the total undiscounted cost of 
the proposed changes would be $99,512,721 in 2018 dollars. As shown in 
Table 3, when future costs are discounted at 3 percent or 7 percent per 
year, the total costs become approximately $85.0 million or $70.1 
million, respectively. These costs are presented in the tables below.

[[Page 44586]]



                                 Table 2--Total Cost of 42 CFR Part 2 Revisions
----------------------------------------------------------------------------------------------------------------
                                   Disclosure to  Staff training    Updates to      Disclosures
              Year                     PDMPs           costs      consent  forms    to agencies     Total costs
----------------------------------------------------------------------------------------------------------------
2019............................      $4,085,489          $2,421        $199,048      $6,581,025     $10,867,982
2020............................       3,268,391               0               0       6,581,025       9,849,415
2021............................       3,268,391               0               0       6,581,025       9,849,415
2022............................       3,268,391               0               0       6,581,025       9,849,415
2023............................       3,268,391               0               0       6,581,025       9,849,415
2024............................       3,268,391               0               0       6,581,025       9,849,415
2025............................       3,268,391               0               0       6,581,025       9,849,415
2026............................       3,268,391               0               0       6,581,025       9,849,415
2027............................       3,268,391               0               0       6,581,025       9,849,415
2028............................       3,268,391               0               0       6,581,025       9,849,415
                                 -------------------------------------------------------------------------------
    Total.......................      33,501,007           2,421         199,048      65,810,245      99,512,721
----------------------------------------------------------------------------------------------------------------


                       Table 3--Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
----------------------------------------------------------------------------------------------------------------
                                                                                    Total cost      Total cost
                              Year                                  Total costs       with 3%         with 7%
                                                                                    discounting     discounting
----------------------------------------------------------------------------------------------------------------
2019............................................................     $10,867,982     $10,551,439     $10,156,992
2020............................................................       9,849,415       9,284,019       8,602,861
2021............................................................       9,849,415       9,013,610       8,040,057
2022............................................................       9,849,415       8,751,078       7,514,072
2023............................................................       9,849,415       8,496,192       7,022,497
2024............................................................       9,849,415       8,248,730       6,563,081
2025............................................................       9,849,415       8,008,476       6,133,721
2026............................................................       9,849,415       7,775,219       5,732,449
2027............................................................       9,849,415       7,548,757       5,357,429
2028............................................................       9,849,415       7,328,890       5,006,943
                                                                 -----------------------------------------------
    Total.......................................................      99,512,721      85,006,411      70,130,104
----------------------------------------------------------------------------------------------------------------

C. Alternatives Considered

    In drafting this proposed rule, SAMHSA considered potential policy 
alternatives and, when possible, proposed the least burdensome 
alternatives. For example, in section III.B. of this proposed rule, we 
considered specifically proposing the technological and operational 
requirements required for segmenting records but decided to allow 
providers more latitude to define their best practices, understanding 
that specific requirements could pose more burden, specifically to 
small and rural providers. In section III.C. of this proposed rule, 
SAMHSA also considered only allowing patients to allow disclosure to 
state, federal, and local government entities that provide benefits. 
Instead, however, it decided to propose to allow patients to more 
broadly specify disclosure to entities, so that patients can more 
widely control their information. On balance, SAMHSA believes that the 
proposals in this rule most appropriately balance the often-competing 
interests of burden, privacy, and patient safety.

D. Conclusion

    SAMHSA is proposing to amend 42 CFR part 2. With respect to our 
proposal to revise the regulations, SAMHSA does not believe that the 
proposal would have a significant impact. As discussed above, we are 
not preparing an analysis for the RFA because SAMHSA has determined, 
and the Secretary certifies, that this proposed rule would not have a 
significant economic impact on a substantial number of small entities. 
SAMHSA is not preparing an analysis for section 1102(b) of the RFA 
because it has determined, and the Secretary certifies, that this 
proposed rule would not have a significant impact on the operations of 
a substantial number of small rural hospitals. In addition, SAMHSA does 
not believe this rule imposes substantial direct effects on (1) states, 
including subdivisions thereof, (2) the relationship between the 
federal government and the states, or (3) the distribution of power and 
responsibilities among the various levels of government. Therefore, the 
requirements of Executive Order 13132 on federalism would not be 
applicable.
    SAMHSA invites public comments on this section and requests any 
additional data that would help it to determine more accurately the 
impact on individuals and entities of the proposed rule. In accordance 
with the provisions of Executive Order 12866, this proposed rule has 
been reviewed by the Office of Management and Budget.

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health, 
Health records, Privacy, Reporting and recordkeeping requirements.

VII. Regulation Text

    For the reasons set forth in the preamble, the Department of Health 
and Human Services proposes to amend 42 CFR part 2 to read as follows:

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

0
 1. The authority citation for part 2 continues to read as follows:

    Authority: Sec. 408 of Pub. L. 92-255, 86 Stat. 79, as amended 
by sec. 303(a), (b) of Pub L. 93-282, 83 Stat. 137, 138; sec. 
4(c)(5)(A) of Pub. L. 94-237, 90 Stat. 244; sec. 111(c)(3) of Pub. 
L. 94-581, 90 Stat. 2852; sec. 509 of Pub. L. 96-88, 93 Stat. 695; 
sec. 973(d) of Pub. L. 97-35, 95 Stat. 598; and transferred to sec. 
527 of the Public Health Service Act

[[Page 44587]]

by sec. 2(b)(16)(B) of Pub. L. 98-24, 97 Stat. 182 and as amended by 
sec. 106 of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290ee-3) and 
sec. 333 of Pub. L. 91-616, 84 Stat. 1853, as amended by sec. 122(a) 
of Pub. L. 93-282, 88 Stat. 131; and sec. 111(c)(4) of Pub. L. 94- 
581, 90 Stat. 2852 and transferred to sec. 523 of the Public Health 
Service Act by sec. 2(b)(13) of Pub. L. 98-24, 97 Stat. 181 and as 
amended by sec. 106 of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 
290dd-3), as amended by sec. 131 of Pub. L. 102-321, 106 Stat. 368, 
(42 U.S.C. 290dd-2).

0
2. Amend Sec.  2.11 by revising the definition of ``Records'' to read 
as follows:


Sec.  2.11  Definitions.

* * * * *
    Records means any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts), provided, however, that 
information conveyed orally by a part 2 program to a non-part 2 
provider for treatment purposes with the consent of the patient does 
not become a record subject to this Part in the possession of the non-
part 2 provider merely because that information is reduced to writing 
by that non-part 2 provider. Records otherwise transmitted by a part 2 
program to a non-part 2 provider retain their characteristic as records 
in the hands of the non-part 2 provider, but may be segregated by that 
provider. For the purpose of the regulations in this part, records 
include both paper and electronic records.
* * * * *
0
3. Amend Sec.  2.12 by:
0
a. Revising paragraphs (a)(1) introductory text and (a)(1)(ii);
0
b. Adding paragraph (d)(2)(ii); and
0
c. Revising paragraphs (e)(3) and (4) introductory text.
    The revisions and additions read as follows:


Sec.  2.12  Applicability.

    (a) * * *
    (1) Restrictions on disclosure. The restrictions on disclosure in 
the regulations in this part apply to any records which:
* * * * *
    (ii) Contain drug abuse information obtained by a federally 
assisted drug abuse program after March 20, 1972 (part 2 program), or 
contain alcohol abuse information obtained by a federally assisted 
alcohol abuse program after May 13, 1974 (part 2 program); or if 
obtained before the pertinent date, is maintained by a part 2 program 
after that date as part of an ongoing treatment episode which extends 
past that date; for the purpose of treating a substance use disorder, 
making a diagnosis for that treatment, or making a referral for that 
treatment.
* * * * *
    (d) * * *
    (2) * * *
    (ii) Notwithstanding paragraph (2)(i)(C) of this section, a non-
part 2 treating provider may record information about a substance use 
disorder (SUD) and its treatment that identifies a patient. This is 
permitted and does not constitute a record that has been re-disclosed 
under part 2, provided that any SUD records received from a part 2 
program or other lawful holder are segregated or segmented. The act of 
recording information about a SUD and its treatment does not by itself 
render a medical record which is created by a non-part 2 treating 
provider subject to the restrictions of this part 2.
* * * * *
    (e) * * *
    (3) Information to which restrictions are applicable. Whether a 
restriction applies to the use or disclosure of a record affects the 
type of records which may be disclosed. The restrictions on disclosure 
apply to any part 2-covered records which would identify a specified 
patient as having or having had a substance use disorder. The 
restriction on use of part 2 records to bring criminal charges against 
a patient for a crime applies to any records obtained by the part 2 
program for the purpose of diagnosis, treatment, or referral for 
treatment of patients with substance use disorders. (Restrictions on 
use and disclosure apply to recipients of part 2 records under 
paragraph (d) of this section.)
    (4) How type of diagnosis affects coverage. These regulations cover 
any record reflecting a diagnosis identifying a patient as having or 
having had a substance use disorder which is initially prepared by a 
part 2 provider in connection with the treatment or referral for 
treatment of a patient with a substance use disorder. A diagnosis 
prepared by a part 2 provider for the purpose of treatment or referral 
for treatment, but which is not so used, is covered by the regulations 
in this part. The following are not covered by the regulations in this 
part:
* * * * *
0
4. Amend Sec.  2.31 by revising paragraph (a)(4) to read as follows:


Sec.  2.31   Consent requirements.

    (a) * * *
    (4)(i) The name(s) of the individual(s) or the name(s) of the 
entity(-ies) to which a disclosure is to be made.
    (ii) Special instructions for entities that facilitate the exchange 
of health information and research institutions. Notwithstanding 
paragraph (a)(4)(i) of this section, if the recipient entity 
facilitates the exchange of health information or is a research 
institution, a written consent must include the name(s) of the entity(-
ies) and
    (A) The name(s) of individual or entity participant(s); or
    (B) A general designation of an individual or entity participant(s) 
or class of participants that must be limited to a participant(s) who 
has a treating provider relationship with the patient whose information 
is being disclosed. When using a general designation, a statement must 
be included on the consent form that the patient (or other individual 
authorized to sign in lieu of the patient), confirms their 
understanding that, upon their request and consistent with this part, 
they must be provided a list of entities to which their information has 
been disclosed pursuant to the general designation (see Sec.  2.13(d)).
* * * * *
0
5. Amend Sec.  2.32 by revising paragraph (a)(1) to read as follows:


Sec.  2.32   Prohibition on re-disclosure.

    (a) * * *
    (1) This information has been disclosed to you from records 
protected by federal confidentiality rules (42 CFR part 2). The federal 
rules prohibit you from making any further disclosure of this record 
unless further disclosure is expressly permitted by the written consent 
of the individual whose information is being disclosed in this record 
or, is otherwise permitted by 42 CFR part 2. A general authorization 
for the release of medical or other information is NOT sufficient for 
this purpose (see Sec.  2.31). The federal rules restrict any use of 
the information to investigate or prosecute with regard to a crime any 
patient with a substance use disorder, except as provided at Sec. Sec.  
2.12(c)(5) and 2.65; or
* * * * *
0
6. Amend Sec.  2.33 by revising paragraph (b) to read as follows:


Sec.  2.33   Disclosures permitted with written consent.

* * * * *
    (b) If a patient consents to a disclosure of their records under 
Sec.  2.31 for payment and/or health care operations activities, a 
lawful holder who receives such records under the terms of the written 
consent may further disclose those records as may be necessary for its 
contractors, subcontractors, or legal representatives to carry out 
payment

[[Page 44588]]

and/or health care operations on behalf of such lawful holder. 
Disclosures to contractors, subcontractors, and legal representatives 
to carry out other purposes such as substance use disorder patient 
diagnosis, treatment, or referral for treatment are not permitted under 
this section. In accordance with Sec.  2.13(a), disclosures under this 
section must be limited to that information which is necessary to carry 
out the stated purpose of the disclosure. Examples of permissible 
payment and/or health care operations activities under this section 
include:
    (1) Billing, claims management, collections activities, obtaining 
payment under a contract for reinsurance, claims filing, and/or related 
health care data processing;
    (2) Clinical professional support services (e.g., quality 
assessment and improvement initiatives; utilization review and 
management services);
    (3) Patient safety activities;
    (4) Activities pertaining to:
    (i) The training of student trainees and health care professionals;
    (ii) The assessment of practitioner competencies;
    (iii) The assessment of provider and/or health plan performance; 
and/or
    (iv) Training of non-health care professionals;
    (5) Accreditation, certification, licensing, or credentialing 
activities;
    (6) Underwriting, enrollment, premium rating, and other activities 
related to the creation, renewal, or replacement of a contract of 
health insurance or health benefits, and/or ceding, securing, or 
placing a contract for reinsurance of risk relating to claims for 
health care;
    (7) Third-party liability coverage;
    (8) Activities related to addressing fraud, waste and/or abuse;
    (9) Conducting or arranging for medical review, legal services, 
and/or auditing functions;
    (10) Business planning and development, such as conducting cost 
management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
    (11) Business management and general administrative activities, 
including management activities relating to implementation of and 
compliance with the requirements of this or other statutes or 
regulations;
    (12) Customer services, including the provision of data analyses 
for policy holders, plan sponsors, or other customers;
    (13) Resolution of internal grievances;
    (14) The sale, transfer, merger, consolidation, or dissolution of 
an organization;
    (15) Determinations of eligibility or coverage (e.g., coordination 
of benefit services or the determination of cost sharing amounts), and 
adjudication or subrogation of health benefit claims;
    (16) Risk adjusting amounts due based on enrollee health status and 
demographic characteristics;
    (17) Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges; and/or
    (18) Other payment/health care operations activities not expressly 
prohibited in this provision.
* * * * *
0
7. Amend Sec.  2.34 by:
0
a. Revising paragraph (b);
0
b. Redesignating paragraph (d) as paragraph (e); and
0
c. Adding a new paragraph (d).
    The revisions and addition read as follows:


Sec.  2.34   Disclosures to prevent multiple enrollments.

* * * * *
    (b) Use of information limited to prevention of multiple 
enrollments. A central registry and any withdrawal management or 
maintenance treatment program to which information is disclosed to 
prevent multiple enrollments may not re-disclose or use patient 
identifying information for any purpose other than the prevention of 
multiple enrollments or to ensure appropriate coordinated care with a 
treating provider that is not a part 2 program unless authorized by a 
court order under subpart E of this part.
* * * * *
    (d) Permitted disclosure by a central registry to a non-member 
treating provider, to prevent a multiple enrollment. When, for the 
purpose of preventing multiple program enrollments or duplicative 
prescriptions, or to inform prescriber decision making regarding 
prescribing of opioid medication(s) or other prescribed substances, a 
provider with a treating provider relationship that is not a member 
program asks a central registry if an identified patient is enrolled in 
a member program, the registry may disclose:
    (1) The name, address, and telephone number of the member 
program(s) in which the patient is enrolled;
    (2) Type and dosage of any medication for substance use disorder 
being administered or prescribed to the patient by the member 
program(s); and
    (3) Relevant dates of any such administration or prescription. The 
central registry and non-member program treating prescriber may 
communicate as necessary to verify that no error has been made and to 
prevent or eliminate any multiple enrollments or improper prescribing.
* * * * *
0
8. Add Sec.  2.36 to Subpart C to read as follows:


Sec.  2.36   Disclosures to prescription drug monitoring programs.

    Permitted disclosure by a part 2 program or other lawful holder to 
a prescription drug monitoring program. A part 2 program or other 
lawful holder is permitted to report any SUD medication prescribed or 
dispensed by the part 2 program to the applicable state prescription 
drug monitoring program if required by applicable state law. A part 2 
program or other lawful holder must obtain patient consent to a 
disclosure of records under Sec.  2.31 prior to reporting of such 
information.
0
9. Amend Sec.  2.51 by revising paragraph (a) to read as follows:


Sec.  2.51   Medical emergencies.

    (a) General rule. Under the procedures required by paragraph (c) of 
this section, patient identifying information may be disclosed o 
medical personnel to the extent necessary to:
    (1) Meet a bona fide medical emergency in which the patient's prior 
informed consent cannot be obtained; or
    (2) Meet a bona fide medical emergency in which a part 2 program is 
closed and unable to provide services or obtain the prior written 
consent of the patient, during a temporary state of emergency declared 
by a state and/or federal authority as the result of a natural or major 
disaster, until such time that the part 2 program resumes operations.
* * * * *
0
10. Amend Sec.  2.52 by revising paragraph (a) to read as follows:


Sec.  2.52  Research.

    (a) Notwithstanding other provisions of this part, including 
paragraph (b)(2) of this section, patient identifying information may 
be disclosed for the purposes of the recipient conducting scientific 
research if:
    (1) The individual designated as director or managing director, or 
individual otherwise vested with authority to act as chief executive 
officer or their designee, of a part 2 program or other lawful holder 
of part 2 data, makes a determination that the recipient of the patient 
identifying information is:

[[Page 44589]]

    (i) A HIPAA-covered entity or business associate that has obtained 
and documented authorization from the patient, or a waiver or 
alteration of authorization, consistent with the HIPAA Privacy Rule at 
45 CFR 164.508 or 164.512(i), as applicable;
    (ii) Subject to the HHS regulations regarding the protection of 
human subjects (45 CFR part 46), and provides documentation either that 
the researcher is in compliance with the requirements of the HHS 
regulations, including the requirements related to informed consent or 
a waiver of consent (45 CFR 46.111 and 46.116) or that the research 
qualifies for exemption under the HHS regulations (45 CFR 46.104) or 
any successor regulations;
    (iii) a member of the workforce of a HIPAA-covered entity that 
requires that all employer-sponsored research carried out by members of 
its workforce be conducted in accordance with the requirements of the 
HIPAA Privacy Rule (45 CFR parts 160 an 164 Subpart E) and/or the HHS 
regulations regarding the protection of human subjects, and has 
obtained and maintained the documentation referenced in paragraph 
(a)(1)(i) or (ii) of this section, respectively; or
    (iv) subject to the FDA regulations regarding the protection of 
human subjects (21 CFR parts 50 and 56) and provides documentation that 
the research is in compliance with the requirements of the FDA 
regulations, including the requirements related to informed consent or 
an exception to, or waiver of, consent (21 CFR part 50) and any 
successor regulations; or
    (v) any combination of a HIPAA covered entity or business 
associate, and/or subject to the HHS regulations regarding the 
protection of human subjects, and/or subject to the FDA regulations 
regarding the protection of human subjects, and has met the 
requirements of paragraph (a)(1)(i), (ii) (iii), and/or (iv) of this 
section, as applicable.
    (2) The part 2 program or other lawful holder of part 2 data is a 
HIPAA covered entity or business associate, and the disclosure is made 
in accordance with the HIPAA Privacy Rule requirements at 45 CFR 
164.512(i).
    (3) If neither paragraph (a)(1) or (a)(2) of this section apply to 
the receiving or disclosing party, this section does not apply.
* * * * *
0
11. Amend Sec.  2.53 by:
0
a. Revising paragraphs (a)(1)(ii), (a)(2), and (b)(2)(ii);;
0
b. Adding paragraph (b)(2)(iii);
0
c. Redesignating paragraphs (c) and (d) as paragraphs (e) and (f) 
respectively;
0
d. In newly redesignated paragraph (e)(1) introductory text, removing 
the reference ``paragraph (c)'' and adding in its place the reference 
``paragraph (e)'';
0
e. In newly redesignated paragraph (e)(1)(iii), removing the reference 
``paragraph (d)'' and adding in its place the reference ``paragraph 
(f)'';
0
f. In newly redesignated paragraph (e)(3)(ii)(F), removing the 
reference ``paragraph (c)(1)'' and adding in its place the reference 
``paragraph (e)(1)'';
0
g. In newly redesignated paragraphs (e)(4) and (5), removing the 
reference ``paragraph (c)(2)'' and adding in its place the reference 
``paragraph (e)(2)'';
0
h. In newly redesignated paragraph (e)(6), removing the reference 
``paragraph (c)'' and adding in its place the reference ``paragraph 
(e)'';
0
i. Adding new paragraphs (c), (d), and (g).
    The revisions and additions read as follows:


Sec.  2.53   Audit and evaluation.

    (a) * * *
    (1) * * *
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program or other lawful holder, which is a third-party 
payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such individual, entity, or 
quality improvement organization.
    (2) Is determined by the part 2 program or other lawful holder to 
be qualified to conduct an audit or evaluation of the part 2 program or 
other lawful holder. Auditors may include any non-part 2 entity that 
has direct administrative control over the part 2 program or lawful 
holder.
    (b) * * *
    (2) * * *
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program or other lawful holder, which is a third-party 
payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such individual, entity, or 
quality improvement organization.
    (iii) An entity with direct administrative control over the part 2 
program or lawful holder.
    (c) Activities Included. Audits and evaluations under this section 
may include, but are not limited to:
    (1) Activities periodically undertaken by a federal, state, or 
local governmental agency, or a third-party payer entity, in order to:
    (i) Identify actions the agency or third-party payer entity can 
make, such as changes to its policies or procedures, to improve care 
and outcomes across part 2 programs;
    (ii) Target limited resources more effectively; or
    (iii) Determine the need for adjustments to payment policies for 
the care of patients with SUD; and
    (2) Reviews of appropriateness of medical care, medical necessity, 
and utilization of services.
    (d) Quality Assurance Entities Included. Entities conducting audits 
or evaluations in accordance with paragraphs (a) and (b) of this 
section may include accreditation or similar types of organizations 
focused on quality assurance.
* * * * *
    (g) Audits and Evaluations Mandated by Statute or Regulation. 
Patient identifying information may be disclosed to federal, state, or 
local government agencies, and the contractors, subcontractors, and 
legal representatives of such agencies, in the course of conducting 
audits or evaluations mandated by statute or regulation, if those 
audits or evaluations cannot be carried out using de-identified 
information.
0
12. Amend Sec.  2.67 by revising paragraph (d)(2) to read as follows:


Sec.  2.67   Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.

* * * * *
    (d) * * *
    (2) Limit the total period of the placement to twelve months, 
starting on the date that the undercover agent or informant is placed 
on site within the program. The placement of an undercover agent or 
informant must end after 12 months, unless a new court order is issued 
to extend the period of placement;
* * * * *

    Dated: August 1, 2019.
Elinore F. McCance-Katz,
Assistant Secretary for Mental Health and Substance Use, Substance 
Abuse and Mental Health Services Administration.
    Approved: August 7, 2019.
Alex M. Azar II,
Secretary, Department of Health and Human Services.
[FR Doc. 2019-17817 Filed 8-22-19; 4:15 pm]
 BILLING CODE P