Confidentiality of Substance Use Disorder Patient Records, 42986-43039 [2020-14675]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of the Secretary

[Federal Register Volume 85, Number 136 (Wednesday, July 15, 2020)]
[Rules and Regulations]
[Pages 42986-43039]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-14675]



[[Page 42985]]

Vol. 85

Wednesday,

No. 136

July 15, 2020

Part II





Department of Health and Human Services





-----------------------------------------------------------------------





42 CFR Part 2





Confidentiality of Substance Use Disorder Patient Records; Final Rule

Federal Register / Vol. 85, No. 136 / Wednesday, July 15, 2020 / 
Rules and Regulations

[[Page 42986]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

[SAMHSA-4162-20]
RIN 0930-AA32


Confidentiality of Substance Use Disorder Patient Records

AGENCY: Substance Abuse and Mental Health Services Administration 
(SAMHSA), U.S. Department of Health and Human Services (HHS).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule makes changes to the Department of Health and 
Human Services' (HHS) regulations governing the Confidentiality of 
Substance Use Disorder Patient Records. These changes were prompted by 
the need to continue aligning the regulations with advances in the U.S. 
health care delivery system, while retaining important privacy 
protections for individuals seeking treatment for substance use 
disorders (SUDs). SAMHSA strives to facilitate information exchange for 
safe and effective SUD care, while addressing the legitimate privacy 
concerns of patients seeking treatment for a SUD. Within the 
constraints of the authorizing statute, these changes are also an 
effort to make the regulations more understandable and less burdensome.

DATES: This final rule is effective August 14, 2020.

FOR FURTHER INFORMATION CONTACT: Ms. Deepa Avula, (240) 276-2542.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Summary of the Major Provisions
III. Overview of Public Comments
IV. Final Modifications to 42 CFR Part 2 and Discussion of Public 
Comments
    A. General Comments on the Proposed Rule
    1. General Feedback on the Proposed Rule
    a. General Support for the Proposed Rule
    b. General Opposition for the Proposed Rule
    c. General Request for Clarification and Guidance Related to 
Part 2
    2. General Comments on Realigning the Part 2 Rule to the HIPAA 
Privacy Rule
    B. Definitions (Sec.  2.11)
    C. Applicability (Sec.  2.12)
    D. Consent Requirements (Sec.  2.31)
    E. Prohibition on Re-Disclosure (Sec.  2.32)
    F. Disclosures Permitted With Written Consent (Sec.  2.33)
    G. Disclosures To Prevent Multiple Enrollments (Sec.  2.34)
    H. Disclosures to Prescription Drug Monitoring Programs (Sec.  
2.36)
    I. Medical Emergencies (Sec.  2.51)
    J. Research (Sec.  2.52)
    K. Audit and Evaluation (Sec.  2.53)
    L. Orders Authorizing the Use of Undercover Agents and 
Informants (Sec.  2.67)
V. Collection of Information Requirements
VI. Regulatory Impact Analysis
    A. Statement of Need
    B. Overall Impact
    C. Alternatives Considered
    D. Conclusion

Acronyms

ADAMHA Alcohol, Drug Abuse, and Mental Health Administration
CEHRT Certified Electronic Health Record Technology
CFR Code of Federal Regulations
DEA Drug Enforcement Agency
DOJ Department of Justice
DS4P Data Segmentation for Privacy
EHR Electronic Health Record
FAX Facsimile
FDA Food and Drug Administration
FEMA Federal Emergency Management Agency
FHIR Fast Healthcare Interoperability Resources
FR Federal Register
HHS Department of Health and Human Services
HIPAA Health Insurance Portability and Accountability Act of 1996
HIE Health Information Exchange
HIN Health Information Network
IHS Indian Health Service
MAT Medication-Assisted Treatment
NPRM Notice of Proposed Rulemaking
ONC Office of the National Coordinator for Health Information 
Technology
OTP Opioid Treatment Program
OUD Opioid Use Disorder
PDMP Prescription Drug Monitoring Program
QIO Quality Improvement Organization
TPO Treatment, Payment, and Health Care Operations
SAMHSA Substance Abuse and Mental Health Services Administration
SNPRM Supplemental Notice of Proposed Rulemaking
SUD Substance Use Disorder
U.S.C. United States Code

I. Background

    The Confidentiality of Substance Use Disorder Patient Records 
regulations (42 CFR part 2) implement section 543 of the Public Health 
Service Act, 42 U.S.C. 290dd-2. The regulations were originally issued 
to ensure the confidentiality of patient records for the treatment of 
substance use disorder, at a time when there was no broader privacy and 
data security standard for protecting health care data. Under the 
regulations, a ``substance use disorder'' is a defined term, which 
refers to a cluster of cognitive, behavioral, and physiological 
symptoms indicating that an individual continues using a substance, 
despite significant substance-related problems such as impaired 
control, social impairment, risky use, and pharmacological tolerance 
and withdrawal. For the purposes of part 2, this definition does not 
include tobacco or caffeine use.
    The regulations were first promulgated as a final rule in 1975 (40 
FR 27802) and amended thereafter in 1987 (52 FR 21796) and 1995 (60 FR 
22296). On February 9, 2016, SAMHSA published a notice of proposed 
rulemaking (NPRM) (81 FR 6988) (the ``2016 proposed rule''), inviting 
comment on proposals to update the regulations, to reflect the 
development of integrated health care models and the growing use of 
electronic platforms to exchange patient information, as well as the 
new laws and regulations implemented since 1975, that more broadly 
protect patient data. At the same time, consistent with the authorizing 
statute, we (note that throughout this final rule, ``we'' refers to 
SAMHSA) wished to preserve the confidentiality protections that part 2 
establishes for patient identifying information originating from 
covered programs, because persons with SUDs may encounter significant 
discrimination or experience other negative consequences if their 
information is improperly disclosed.
    In response to public comments, on January 18, 2017, SAMHSA 
published a final rule (82 FR 6052) (the ``2017 final rule''), 
providing for greater flexibility in disclosing patient identifying 
information within the health care system, while continuing to protect 
the confidentiality of SUD patient records. SAMHSA concurrently issued 
a supplemental notice of proposed rulemaking (SNPRM) (82 FR 5485) (the 
``2017 proposed rule'') to solicit public comment on additional 
proposals. In response to public comments, SAMHSA subsequently 
published a final rule on January 3, 2018 (83 FR 239) (the ``2018 final 
rule'') that provided greater clarity regarding payment, health care 
operations, and audit or evaluation-related disclosures, and provided 
language for an abbreviated prohibition on re-disclosure notice.
    In both the 2017 and 2018 final rules, SAMHSA signaled its intent 
to continue to monitor implementation of 42 CFR part 2, and to explore 
potential future rulemaking to better address the complexities of 
health information technology, patient privacy, and interoperability, 
within the constraints of the statute. The emergence of the opioid 
crisis, with its catastrophic impact on individuals, families, and 
caregivers, and corresponding clinical and safety challenges for 
providers, has highlighted the need for thoughtful

[[Page 42987]]

updates to 42 CFR part 2. The laws and regulations governing the 
confidentiality of substance abuse records were originally written out 
of concern for the potential for misuse of those records against 
patients in treatment for a SUD, thereby undermining trust and leading 
individuals with SUDs not to seek treatment. As observed in the 1983 
proposed rule, the purpose of 42 CFR part 2 is to ensure that patients 
receiving treatment for a SUD in a part 2 program ``are not made more 
vulnerable to investigation or prosecution because of their association 
with a treatment program than they would be if they had not sought 
treatment'' (48 FR 38763).
    In recent years, the devastating consequences of the opioid crisis 
have resulted in an unprecedented spike in overdose deaths related to 
both prescription and illegal opioids including heroin and fentanyl,\1\ 
as well as correspondingly greater pressures on the SUD treatment 
system, and heightened demand for SUD treatment services.\2\ On August 
26, 2019, SAMHSA published a Notice of Proposed Rulemaking (NPRM) (84 
FR 44568) that proposed changes to the part 2 regulations that SAMHSA 
believed would better align with the needs of individuals with SUD and 
of those who treat these patients in need, and help facilitate the 
provision of well-coordinated care, while ensuring appropriate 
confidentiality protection for persons in treatment through part 2 
programs.
---------------------------------------------------------------------------

    \1\ Mortality statistics published by the Centers for Disease 
Control and Prevention reflected a spike in the rate of opioid-
related overdose deaths during the period from 2013-2017. See 
https://www.cdc.gov/mmwr/volumes/67/wr/mm675152e1.htm?s_cid=mm675152e1_w. More recent data from the State 
Unintentional Drug Overdose Reporting System (SUDORS), showed that 
opioid-involved overdose deaths in 25 states slightly decreased from 
July-December 2017 to January-June 2018. However, even in that time 
period, increases in illicitly-manufactured fentanyl overdose deaths 
involving multiple drugs almost negated decreases in fentanyl analog 
deaths and prescription opioid-involved overdose deaths. See https://www.cdc.gov/mmwr/volumes/68/wr/mm6834a2.htm).
    \2\ With regard to heightened demand for, and pressures upon, 
SUD treatment services in the opioid epidemic, see for example, 
``HHS Acting Secretary Declares Public Health Emergency to Address 
National Opioid Crisis,'' Department of Health and Human Services, 
October 26, 2017 (at https://www.hhs.gov/about/news/2017/10/26/hhs-acting-secretary-declares-public-health-emergency-address-national-opioid-crisis.html); ``Today's Heroin Epidemic: More People at Risk, 
More Drugs Abused,'' Centers for Disease Control and Prevention, 
July 7, 2015 (at https://www.cdc.gov/vitalsigns/heroin/).
---------------------------------------------------------------------------

    SAMHSA requested public input of the proposed changes during a 60-
day public comment period.
    After consideration of the public comments received in response to 
the NPRM, SAMHSA is issuing this final rule substantially as proposed, 
with one caveat. On March 27, 2020, President Trump signed the 
Coronavirus Aid, Relief and Economic Security Act (``CARES Act'') into 
law (Pub. L. 116-136). The CARES Act was enacted to provide emergency 
assistance to individuals, families and businesses affected by the 
COVID-19 pandemic; to support the U.S. health care system; and to make 
emergency appropriations to the Executive Branch. Section 3221 of the 
CARES Act, Confidentiality and Disclosure of Records Relating to 
Substance Use Disorder, substantially amended several sections of the 
part 2 authorizing statute; specifically, sections 42 U.S.C. 290dd-
2(b), (c) and (f), which specify requirements for patient consent, 
restrict the use of records in legal proceedings, and set penalties for 
violations of the statute, respectively.\3\ The CARES Act provides far 
greater flexibility for patients and health care providers to share SUD 
records than presently allowed under 42 U.S.C. 290dd-2. Most notably, 
some sections in the new statute seek to align the part 2 
confidentiality standards more closely with the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA). The CARES Act 
requires HHS to update its regulations to implement these new statutory 
changes; therefore, HHS intends to publish a new NPRM and subsequently 
to issue a new final implementing rulemaking for the CARES Act in the 
future. Because both Congress and SAMHSA have sought to address many of 
the same barriers to information sharing by patients and among health 
care providers, we expect that the CARES Act implementing regulations 
will further modify several of the amendments adopted in this final 
rule.
---------------------------------------------------------------------------

    \3\ Section 3221 of the CARES Act also added several new 
provisions to the Part 2 authorizing statute, codified at 42 U.S.C. 
290dd-2(i), (j), and (k), regarding antidiscrimination, notification 
of breach and definitions, respectively.
---------------------------------------------------------------------------

    The statutory timeline in Sec.  3221 prevents the part 2-related 
provisions of the CARES Act from taking effect before March 27, 2021. 
In the interim, we believe that this final rule makes important changes 
that can help safeguard the health and outcomes of individuals with 
SUD, and specifically takes important first steps toward the greater 
flexibility for information sharing envisioned by Congress in its 
passage of Sec.  3221 of the CARES Act. Thus, several of the regulatory 
amendments in this final rule will serve as interim and transitional 
standards, until regulations conforming to the CARES Act legislation 
can be promulgated.

II. Summary of the Major Provisions

    Proposed modifications to 42 CFR part 2 were published as an NPRM 
on August 26, 2019 (84 FR 44568). After consideration of the public 
comments received in response to the NPRM, SAMHSA is issuing this final 
rule as follows:
    Definitions (Sec.  2.11) revises the definition of ``Records'' to 
create an exception so that information conveyed orally by a part 2 
program to a non-part 2 provider for treatment purposes with consent of 
the patient does not become a record subject to part 2 regulations 
merely because that part 2 information is reduced to writing by that 
non-part 2 provider.
    Applicability (Sec.  2.12) revises the regulatory text to state 
that the recording of information about an SUD and its treatment by a 
non-part 2 provider does not, by itself, render a medical record 
subject to the restrictions of 42 CFR part 2, provided that the non-
part 2 provider segregates any specific SUD records received from a 
part 2 program (either directly, or through another lawful holder).
    Consent requirements (Sec.  2.31) revises consent requirements to 
allow patients to consent to the disclosure of their information to a 
wide range of entities without naming a specific individual to receive 
this information on behalf of a given entity, and includes special 
instructions applicable to consents for disclosure of information to 
information exchanges and research institutions. The final rule 
provides additional guidance, with regard to consent for disclosures 
for the purpose of care coordination and case management.
    Prohibition on redisclosure (Sec.  2.32) revises the prohibition on 
redisclosure notices to clarify that non-part 2 providers do not need 
to redact information in a non-part 2 record regarding SUD and allows 
re-disclosure if expressly permitted by written consent of the patient 
or permitted under part 2 regulations.
    Disclosures permitted with written consent (Sec.  2.33) expressly 
allows disclosure to specified entities and individuals for 18 types of 
payment and health care operational activities, including the 17 
proposed activities and the addition of disclosures for the purpose of 
care coordination and case management.
    Disclosures to prevent multiple enrollments (Sec.  2.34) revises 
disclosure requirements to allow non-opioid

[[Page 42988]]

treatment providers with a treating provider relationship to access 
central registries.
    Disclosures to Prescription Drug Monitoring Programs (Sec.  2.36) 
creates new permissions to allow opioid treatment programs (OTPs) to 
disclose dispensing and prescribing data, as required by applicable 
state law, to prescription drug monitoring programs (PDMPs), subject to 
patient consent.
    Medical Emergencies (Sec.  2.51) authorizes disclosures of patient 
information to another part 2 program or other SUD treatment provider 
during State or Federally-declared natural and major disasters.
    Research (Sec.  2.52) permits research disclosures of part 2 
patient data by a HIPAA covered entity to individuals and organizations 
who are neither HIPAA covered entities, nor subject to the Common Rule, 
for the purpose of conducting scientific research. The revised Sec.  
2.52 better aligns the requirements of part 2, the Common Rule, and the 
Privacy Rule around the conduct of research on human subjects, and 
seeks to streamline duplicative requirements for research disclosures 
under part 2 and the Privacy Rule in some instances. This final rule 
also revises Sec.  2.52 to permit research disclosures to recipients 
who are covered by Food and Drug Administration (FDA) regulations for 
the protection of human subjects in clinical investigations (at 21 CFR 
parts 50 and 56).
    Audit and evaluation (Sec.  2.53) clarifies that federal, state and 
local governmental agencies and third-party payers may conduct audits 
and evaluations to identify needed actions at the agency or payer level 
to improve care; that audits and evaluations may include reviews of 
appropriateness of medical care, medical necessity, and utilization of 
services; and that auditors may include quality assurance organizations 
as well as entities with direct administrative control over a part 2 
program or lawful holder. Section 2.53 also updates language related to 
quality improvement organizations (QIOs), and allows for patient 
identifying information to be disclosed to federal, state, or local 
government agencies, and to their contractors, subcontractors, and 
legal representatives for audit and evaluations required by statute or 
regulation.
    Orders authorizing use of undercover agents and informants (Sec.  
2.67) amends the period for court-ordered placement of an undercover 
agent and informant within a part 2 program to 12 months and clarifies 
that the 12-month time period starts when an undercover agent or 
informant is placed in the part 2 program.

Use of Personal Devices and Accounts

    This final rule preamble also provides guidance on how employees, 
volunteers and trainees of part 2 facilities should handle 
communications using personal devices and accounts, especially in 
relation to Sec.  2.19 concerning disposition of records by 
discontinued programs. In Sec.  2.11, the current regulation defines 
``Records'' to include information relating to a patient that could 
include email and texts. In Sec.  2.19, the regulation codifies the 
requirements for disposition of records from a discontinued part 2 
program. These requirements state that records which are electronic 
must be ``sanitized'' within one year of the discontinuation of the 
part 2 program. This sanitization must render the patient identifying 
information non-retrievable in accordance with Sec.  2.16 (security for 
records). Read together, current Sec. Sec.  2.11, 2.16, and 2.19 could 
be interpreted to mean that, if an individual working in a part 2 
program receives a text or email from a patient on his or her personal 
phone which he or she does not use in the regular course of employment 
in the part 2 program, and this part 2 program is discontinued, then 
the personal device may need to be sanitized. Depending on the policies 
and procedures of the part 2 program, this sanitization may render the 
device no longer useable to that individual. SAMHSA clarifies that this 
interpretation is not the intent of the regulations.
    Although SAMHSA does not encourage patient communication through 
personal email and cell phones, we recognize that patients may make 
contact through the personal device or account of an employee (or 
volunteer or trainee) of a part 2 program, even if the employee (or 
volunteer or trainee) does not use such device or account in the 
regular course of their employment in the part 2 program. In such 
instances, SAMHSA wishes neither to convey that these devices become 
part of the part 2 record, nor that, if the part 2 program is 
discontinued, these devices must be sanitized. Instead, SAMHSA 
clarifies that, in the case that patient contact is made through an 
employee's (or volunteer's or trainee's) personal email or cell phone 
account which he or she does not use in the regular course of business 
for that part 2 program, the employee should immediately delete this 
information from his or her personal account and only respond via an 
authorized channel provided by the part 2 program, unless responding 
directly from the employee's account is required in order to protect 
the best interest of the patient.\4\ If the email or text contains 
patient identifying information, the employee should forward this 
information to such authorized channel and then delete the email or 
text from any personal account. These authorized channels are then 
subject to the normal standards of sanitization under Sec. Sec.  2.16 
and 2.19 and any other applicable federal and state laws. SAMHSA 
believes that this process will both protect the employee's personal 
property and the confidentiality of the patient's records if the 
patient makes such unauthorized contact.
---------------------------------------------------------------------------

    \4\ When the circumstances requiring a response from the 
employee's account due to the best interest of the patient have 
ended or otherwise permit, the messages should be forwarded to an 
authorized channel (if containing patient identifying information) 
and deleted.
---------------------------------------------------------------------------

    Following the proposed rule, SAMHSA received the following comments 
on its guidance concerning how employees, volunteers and trainees of 
part 2 facilities should handle communications using personal devices 
and accounts.
Public Comments
    Many commenters supported the clarification on sanitizing personal 
devices. A few commenters noted that while this change will require 
education and monitoring, the clarification is important and valuable 
for part 2 programs to properly handle patient communication. Some 
commenters also noted that this clarification reduces burden for 
providers in rural areas where communication on authorized channels may 
not always be available.
SAMHSA Response
    We appreciate comments in support of this clarification.
Public Comments
    Some commenters had additional questions regarding the use of 
personal devices. One commenter requested guidance pertaining to the 
sanitizing of any other devices synchronized (``synced'') to personal 
accounts. A few commenters requested clarification as to whether 
deleting content from a personal account contravenes any state record 
retention requirements. One commenter requested clarification that this 
guidance applies only to personal devices, not professional devices 
from which EHRs are accessed. One commenter requested that 
``incidental'' communication be defined more clearly. One commenter 
suggested that the rise of personal devices and changing nature of 
communication with patients may

[[Page 42989]]

warrant greater consideration from SAMHSA in future rulemaking.
SAMHSA Response
    We appreciate questions from commenters to further clarify the use 
of personal devices. Providers should ensure that any patient 
communication accessible from synced devices is deleted from each 
device. Additionally, if a patient communication is contained solely on 
a personal device, providers should ensure that the communication is 
forwarded to and stored within an authorized channel prior to deleting 
the communication from the personal device. Providers concerned about 
state record retention requirements may include a note that the 
information has been forwarded to and stored within an authorized 
channel and deleted in compliance with 42 CFR part 2; however, this 
rule does not preempt more restrictive state record retention 
requirements Given that the definition of what constitutes incidental 
communication varies for providers in different settings (e.g., rural), 
we decline to further define the phrase at this time. We appreciate the 
suggestion to further consider personal devices and will continue 
monitoring the issue.
    The other sections in 42 CFR part 2 that are not referenced above 
are not addressed in this final rule nor were they discussed in the 
NPRM because SAMHSA is maintaining their content substantively 
unchanged from the 2017 and 2018 final rules.

III. Overview of Public Comments Received

    SAMHSA received 684 public comment submissions on the proposed rule 
from medical and behavioral health care providers; combined medical/
behavioral health care providers; third-party payers; privacy/consumer 
advocates; medical health care provider associations; behavioral health 
care provider associations; accrediting organizations; researchers; 
individuals (with no stated affiliation); attorneys (with no stated 
affiliation); health information technology (HIT) vendors; and state/
local governments. The comments ranged from general support or 
opposition to the proposed provisions, to specific questions or 
comments regarding the proposed rules.
    Some comments were outside the scope of or inconsistent with 
SAMHSA's legal authority regarding the confidentiality of SUD patient 
records. Likewise, other comments did not pertain to specific proposals 
made by SAMHSA in the NPRM. In some instances, commenters raised policy 
or operational issues that are best addressed through sub-regulatory 
guidance that SAMHSA will consider issuing subsequent to this final 
rule. Consequently, SAMHSA did not address these comments in this final 
rule.

IV. Final Modifications to 42 CFR Part 2 and Discussion of Public 
Comments

    In this section of the final rule, SAMHSA explains the finalized 
revisions to the part 2 regulations and responds to public comments 
received. If a 42 CFR part 2 section is not addressed below, it is 
because SAMHSA did not propose changes to that part 2 provision and 
this final rule maintains the existing language in that section.

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule
a. General Support for the Proposed Rule
Public Comments
    Many commenters expressed general support for the proposed rule. 
Among them, many believed that providers will be better able to offer a 
fully integrated model of care as a result, thereby allowing SUD 
services to be accessed more seamlessly, while increasing access to 
critically-needed SUD treatment. Other commenters expressed general 
support for the proposed rule because they saw it as protecting patient 
privacy, while making electronic health information sharing less 
burdensome and more efficient. Another set of commenters articulated 
support for SAMHSA's efforts to balance privacy protections with 
advances in the health care delivery system. Some commenters who 
expressed broad support for the proposed rule also suggested that HHS 
should carry out a comprehensive assessment of how well all the HHS 
patient privacy rules are currently working. A few commenters who 
expressed support for the proposed rule also expressed concern that it 
might not be flexible enough to support the rapid pace of care 
coordination that is needed to improve SUD patient care.
SAMHSA Response
    SAMHSA appreciates the support for updating the part 2 regulations. 
This final rule is intended to modernize part 2 by continuing to align 
the regulations with advances in the U.S. health care delivery system. 
In general, SAMHSA aims to facilitate information exchange for safe and 
effective SUD care, while addressing the legitimate privacy concerns of 
patients seeking treatment for a SUD. But in recent years, the 
devastating consequences of the opioid crisis have resulted in an 
unprecedented spike in overdose deaths related to both prescription and 
illegal opioids, as well as correspondingly greater pressures on the 
SUD treatment system, and heightened demand for SUD treatment services. 
This final rule implements changes that SAMHSA believes will better 
align the needs of individuals with SUD and of the providers who treat 
them, thereby facilitating the coordination of care, while ensuring 
appropriate confidentiality protection for patients. SAMHSA will 
continue to monitor part 2 and its impact on both persons with SUD and 
providers, and will likewise continue to consider opportunities for 
further refinement of the rule in alignment with the provisions set 
forth in the CARES Act.
b. General Opposition to the Proposed Rule
Public Comments
    Many commenters opposed the proposed rule, either without stating a 
specific reason, or else expressing that the proposed rule would 
constitute an invasion of patient privacy generally, or of their own 
personal privacy in particular. Many commenters opposed the rule on the 
grounds that it would exacerbate the stigma of substance use disorder, 
increase the potential for law enforcement access to patient records, 
deter people from seeking SUD treatment, and/or result in harm to SUD 
patients in several other ways, as through discrimination by health 
insurers. A different group of commenters expressed a competing concern 
about continuing administrative, financial and clinical barriers to 
better SUD care, and more effective coordination of care, under the 
proposed rule. Several of these commenters said that they believed the 
barriers could continue to endanger the safety of patients.
SAMHSA Response
    SAMHSA wants to ensure that persons with SUD will have access to 
treatment services that include better coordination of care, and that 
deliver better quality of care and enhanced patient safety, while 
continuing to respect the legitimate privacy concerns of patients. The 
current final rule is consistent with this aim, and with the intent of 
the governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR 
part 2, which is to facilitate entry into SUD care by protecting the 
confidentiality of SUD patient records. SAMHSA believes that this final 
rule reflects an appropriate balancing of interests

[[Page 42990]]

toward achieving these ends. SAMHSA does not believe that this final 
rule will generally exacerbate stigma for persons with SUD, deter them 
from seeking treatment, or lead to other broadly negative downstream 
effects. SAMHSA will continue to consider opportunities for future 
refinements to the part 2 regulations, consistent with the provisions 
of the CARES Act.
c. General Request for Clarification and Guidance Related to Part 2
Public Comments
    Several commenters broadly requested that SAMHSA provide 
clarification and guidance, in connection with confusing language and 
complexity in the proposed rule. Many other commenters said that 
educational outreach and guidance should be targeted to providers, to 
ensure that they understand the terms of the proposed rule.
SAMHSA Response
    SAMHSA has provided further clarification through its responses to 
public comments in several sections of the final rule. SAMHSA 
recognizes the need for educational outreach both to persons with SUD 
and to providers in connection with the final rule, and is considering 
opportunities for further guidance and for carrying out related 
educational outreach. SAMHSA will continue to monitor the response to 
part 2 in the SUD treatment community, and will consider future 
refinements and further clarification to the part 2 rules as needed.
2. General Comments on Realigning the Part 2 Rule to the HIPAA Privacy 
Rule
Public Comments
    Many commenters offered broad feedback that the privacy rules of 42 
CFR part 2 are cumbersome and should be re-aligned with the HIPAA 
privacy rule. The commenters asserted that doing so could strengthen 
patient protections while allowing clinicians access to patient 
information needed to ensure patient safety and provide quality care. 
In a related vein, other commenters expressed support for legislation 
already introduced in Congress, aimed at more fully aligning the 
confidentiality standards of 42 CFR part 2 with the HIPAA privacy rule.
SAMHSA Response
    SAMHSA noted the many comments that requested that SAMHSA align 
part 2 provisions with HIPAA where possible. In some instances, SAMHSA 
has attempted to do so in this final rule, to the extent that such 
changes were permissible under 42 U.S.C. 290dd-2. At the same time, 
part 2 and its governing statute are separate and distinct from HIPAA 
and its implementing regulations. Because of its targeted population, 
part 2 does establish more stringent federal protections than most 
other health privacy laws, including HIPAA.
    Consistent with general comments about alignment of this regulation 
with HIPAA, SAMHSA has modified the definition of ``records'' (Sec.  
2.11) and the applicability section (Sec.  2.12) to facilitate the 
disclosure of records from part 2 programs to non-part 2 providers for 
treatment purposes, while allowing the non-part 2 providers to engage 
in their own clinical encounters and record-keeping without fear that 
those activities will be subject to part 2. In addition, SAMHSA has 
offered revised guidance concerning the part 2 consent requirements 
(Sec.  2.31), in order to more explicitly allow patients to consent to 
disclosure of their records for the purpose of care coordination. As 
discussed below, SAMHSA is also modifying the regulatory text in Sec.  
2.33(b), to include disclosures for the purpose of care coordination 
and case management to the list of permitted activities. All these 
revisions will have the effect of more closely aligning confidentiality 
standards under part 2 with the HIPAA privacy rule.
    As previously noted, on March 27, 2020, the President signed the 
CARES Act into law, and Sec.  3221 of the CARES Act makes a significant 
modification to the authorizing statute for part 2, with the aim of 
realigning the part 2 rules more strongly with the HIPAA privacy rule. 
HHS anticipates releasing a new proposed rule within the next 12 months 
to implement Sec.  3221 of the CARES Act. In the meantime, several of 
the regulatory amendments in this final rule will serve as transitional 
standards, until regulations fully conforming to the CARES Act 
legislation can be promulgated.

B. Definitions (Sec.  2.11)

    SAMHSA is finalizing this section as proposed.
    In the current regulation, ``Records'' is defined to mean ``any 
information, whether recorded or not, created by, received, or acquired 
by a part 2 program relating to a patient.'' In the 2017 final rule, 
SAMHSA noted that some commenters expressed confusion regarding what is 
considered unrecorded information (82 FR 6068); we, therefore, added 
parenthetical examples in an effort to clarify. But with the exception 
of these parenthetical examples, the basic definition for ``records'' 
under part 2 has remained the same since the 1987 final rule.
    In section III.B. of the proposed rule [84 FR 44571] on 
``Applicability'' (at Sec.  2.12), SAMHSA discussed a proposed change 
to the restriction on disclosures under part 2, which would serve to 
clarify some record-keeping activities of non-part 2 providers that 
fall outside the scope of 42 CFR part 2. As explained in section 
III.B., the change was needed to facilitate communication and 
coordination between part 2 programs and non-part 2 providers, and to 
ensure that appropriate communications were not hampered by fear among 
non-part 2 providers of inadvertently violating part 2, as a result of 
receiving and reading a protected SUD patient record and then providing 
care to the patient.
    SAMHSA proposed to make a conforming amendment to the Sec.  2.11 
definition of ``records,'' [84 FR 44571] by adding, at the end of the 
first sentence of the definition, the phrase, ``provided, however, that 
information conveyed orally by a part 2 program to a non-part 2 
provider for treatment purposes with the consent of the patient does 
not become a record subject to this part in the possession of the non-
part 2 provider merely because that information is reduced to writing 
by that non-part 2 provider. Records otherwise transmitted by a part 2 
program to a non-part 2 provider retain their characteristic as a 
``record'' subject to this part in the possession of the non-part 2 
provider, but may be segregated by that provider.''
    The effect of the proposed amendment was to incorporate a very 
limited exception to the definition of ``records,'' such that a non-
part 2 provider who orally receives information from a protected SUD 
record from a part 2 program may subsequently engage in an independent 
conversation with her patient, informed by her discussion with the part 
2 provider, and record SUD information received from the part 2 program 
or the patient, without fear that her own records thereafter would 
become covered by part 2. The intent of this change was to better 
facilitate coordination of care between non-part 2 providers and part 2 
programs, and to resolve lingering confusion among non-part 2 providers 
about when and how they can capture SUD patient care information in 
their own records, without fear of those records being subject to the 
confidentiality requirements of part 2.
    The comments we received on the proposed amendments to Sec.  2.11, 
and our responses, are provided below.

[[Page 42991]]

Public Comments
    Many commenters supported the proposed change to the definition of 
records, saying that it would provide clarification as to which records 
are subject to part 2 protections; enable providers to take account of 
the entirety of a patient's health needs when determining a treatment 
plan; improve care coordination, especially among those with multiple 
medical concerns; better integrate primary and behavioral care for SUD 
patients; enhance patient safety; and potentially incentivize 
clinicians to treat patients with SUD. One commenter said the proposed 
definition of a record may be the most beneficial proposal in the rule, 
and noted that SAMHSA retains in its proposals the necessary 
protections against redisclosure by downstream recipients of part 2 
records absent explicit patient consent. Another commenter expressed a 
desire to have more flexibility for care coordination across their 
delivery system for SUD patients, and observed that any changes to the 
definition of records requires balancing the need for increased 
protection for SUD treatment information with the need for access to 
care coordination.
SAMHSA Response
    We thank the commenters for their support and reflections.
Public Comments
    Several commenters supported the proposal but asked that SAMHSA 
expand the proposal beyond information conveyed orally to cover other 
forms of communications, including secure clinical messages (such as a 
secure web portal), which are common ways for providers to share 
information. One commenter said it would be confusing to allow orally 
communicated information to be covered under HIPAA while the same 
information conveyed via text would retain part 2 requirements. Other 
commenters said that imparting the oral requirement fails to appreciate 
workflow; that secure messaging is just as critical for patient safety; 
and that if information is received through electronic means, such as a 
Health Information Exchange, it should not become a record subject to 
part 2 if the non-part 2 provider includes it in his/her record.
    A few commenters recommended that SAMHSA remove the word ``orally'' 
altogether from the proposed definition of records, to enable non-part 
2 providers to document critical information received from a program 
regardless of the manner and mode in which it is provided. A few 
commenters suggested that non-part 2 providers should be allowed to 
document information such as medications if that information 
constitutes redisclosure with other providers for treatment purposes, 
without penalty hinging on whether the information is conveyed orally 
or by other means.
    Others encouraged SAMHSA to provide greater emphasis on the ways 
that health information can be shared, used, and disclosed for the 
benefit of individuals' treatment, payment processes, and health care 
operations, and to further align definitions in the future such that 
part 2 providers could share pertinent information with non-part 2 
providers.
SAMHSA Response
    Although the change to the definition of ``records'' under Sec.  
2.11 applies to information disclosed orally by a part 2 program to a 
non-part-2 provider, this change will not create a disconnect under 
part 2 with regard to how other forms of communication by a part 2 
program are treated. More specifically, the changes in Sec.  2.12 of 
the rule on ``Applicability'' establish that records containing SUD 
information about a patient created by a non-part 2 provider will not 
be covered by part 2, unless any SUD record previously received from a 
part 2 program is incorporated into such records. Under Sec.  2.12, 
segregation of the received record can be used by non-part 2 providers 
to ensure that their own created patient records can be distinguished 
from the received record, and thus will not become covered by part 2.
    Taken together, the effect of the revisions to Sec. Sec.  2.11 and 
2.12 is to cause both oral and non-oral communications made by a part 2 
program to a non-part 2 provider to be treated in the same way under 
the regulations. In each instance, the intent is to allow the part 2 
program to make a disclosure, with the patient's consent, to the 
recipient non-part 2 provider. In turn, the non-part 2 provider can 
then carry out her own encounter with the patient, and create her own 
patient record, which will not fall under the coverage of part 2. 
Again, segregation of any received SUD record may be used by a non-part 
2 provider to ensure that her own created records can be distinguished, 
and will therefore not become subject to part 2.
    SAMHSA recognizes the importance of secure messaging and other 
forms of electronic communication and record-keeping in SUD care. 
SAMHSA nevertheless believes that the current revisions to Sec. Sec.  
2.11 and 2.12 offer an appropriate fix for allowing a limited transfer 
of information between part 2 programs and non-part 2 providers, 
subject to patient consent, in order to facilitate better coordination 
of care. SAMHSA will continue to consider opportunities for further re-
alignment of part 2 requirements for the disclosure of SUD records for 
treatment, payment and health care operations in the future, to the 
extent permissible under the part 2 enabling statute, and in alignment 
with the provisions of Sec.  3221 of the CARES Act.
Public Comments
    One commenter requested that SAMHSA revise the definition of 
records to allow for oral communication between relevant entities 
without obtaining patient consent. The commenter said that requiring 
the consent of the patient in this instance is contrary to the stated 
intent of facilitating care coordination, and that SAMHSA should 
clarify that conversations between part 2 providers, non-part 2 
providers and other appropriate third parties, including managed care 
organizations, should not require patient consent if undertaken for the 
purpose of treatment, payment or health operations, including care 
coordination and case management. Another commenter recommended 
exempting information about medications and laboratory results from the 
definition of ``records,'' thereby making it possible for a part 2 
program to disclose such information without patient consent. That 
commenter asserted that such an exemption would help to enable a 
patient's [non-part 2] treatment providers to monitor for abuse, 
medication-seeking behavior, drug interactions, and possible diversion.
SAMHSA Response
    SAMHSA believes that the current revisions to Sec. Sec.  2.11 and 
2.12 offer an appropriate fix for allowing a limited transfer of 
information between part 2 programs and non-part 2 providers, subject 
to patient consent, in order to facilitate better coordination of care. 
Other forms of communication between lawful holders of part 2 records 
are also permitted under the part 2 regulations with patient consent, 
consistent with the enabling statute. The revisions to Sec. Sec.  2.11 
and 2.12 reflect a balance of interests between ensuring robust privacy 
protection for part 2 program treatment records, while also pursuing 
patient safety, reduction of adverse events, and better coordination of 
care for persons with SUD. As discussed below, SAMHSA is also modifying 
the

[[Page 42992]]

regulatory text in Sec.  2.33(b), to include disclosures for the 
purpose of care coordination and case management to the list of 
permitted activities. SAMHSA will continue to consider opportunities 
for further re-alignment of part 2 requirements for the disclosure of 
SUD records for treatment, payment and health care operations in the 
future, to the extent permissible under the part 2 enabling statute and 
in alignment with Sec.  3221 of the CARES Act.
Public Comments
    One commenter urged SAMHSA to further update the definitions of 
part 2 to make it clear that entities that are not directly delivering 
SUD treatment services, such as health plans and insurers, are 
explicitly not part 2 programs and are not non-part 2 providers. The 
commenter believes that making this concept more explicit would clarify 
confusion as to whether records created by health plans and insurers, 
independent of information disclosed to the health plan or insurer by a 
part 2 provider, are subject to part 2.
SAMHSA Response
    SAMHSA appreciates this comment. Although outside the scope of the 
current rulemaking, SAMHSA will consider further clarifications to the 
definition of ``part 2 program'' in the future.
Public Comments
    A few commenters expressed concern that the proposed revision to 
Sec.  2.11 may create an-over-reliance upon oral communication and 
transcription, which they believe is inherently less accurate than 
electronic sharing of records; may further fragment patient records; 
and may encourage providers to avoid using electronic health records, 
especially for certain SUD information. Another commenter stated that 
the proposed exception for oral communications will prove difficult for 
part 2 programs and treating providers. The commenter said that 
compliance, privacy, and legal advisors will be hesitant to permit part 
2 program staff to communicate with other health care providers orally 
due to concerns about misunderstandings or inaccurate transcriptions of 
oral communications, especially if there is no written record. Several 
commenters encouraged SAMHSA to recognize the need for accurate, 
complete, and efficient electronic exchange of information, such as 
through the new interoperable electronic health records that CMS and 
ONC seek to promote with their recent rulemaking, and move away from 
paper charts and manual faxing.
SAMHSA Response
    Although the change to the definition of ``records'' under Sec.  
2.11 applies to information communicated orally by a part 2 program to 
a non-part-2 provider, this change will not result in a disconnect 
under part 2 with regard to how other forms of disclosure by a part 2 
program are treated. Rather than creating a new reliance on oral 
communications over other methods of sharing records, SAMHSA believes 
that the change in Sec. Sec.  2.11 and 2.12 will have the opposite 
effect, by making it more clear how a non-part-2 provider can receive 
and segregate an electronic or paper record from a part 2 program, 
without incurring the risk that any subsequent patient records directly 
created by the recipient provider will then become covered by part 2. 
For example, in the context of receiving an electronic part 2 record, 
such as a summary of care document, shared between interoperable EHR 
systems that meet DS4P standards, ``segregation'' might be carried out 
by segmenting the received SUD record so as to preserve the recipient's 
ability not to disclose it based on the sensitivity of its content. 
SAMHSA has been collaborating with both ONC and CMS in connection with 
their rulemaking efforts on the interoperability of electronic 
healthcare records, to ensure that health IT policies consider the 
impacts for part 2 providers and vice versa.
Public Comments
    One commenter recommended that SAMHSA devote resources toward 
ensuring that patients understand the implications of the new policy. 
The commenter stated that when a patient consents to the release of a 
part 2 record to a non-part 2 provider, he or she must understand that 
they are not simply consenting to use of the information for a one-time 
conversation with the non-part 2 provider, but rather they are 
consenting to the information potentially becoming a part of his or her 
main medical record. The commenter believes that both the part 2 
provider and the non-part 2 provider should make this clear, or else it 
could have a significant chilling effect on patients seeking SUD 
treatment, as those patients may believe that their right to 
confidentiality has been removed.
SAMHSA Response
    SAMHSA appreciates this comment. We are considering opportunities 
for further guidance and patient and provider education, in connection 
with the new part 2 rule.
Public Comments
    Several commenters opposed the changes proposed in the revised 
Sec.  2.11. Some commenters explicitly opposed excluding from the 
definition of ``records'' any oral communication from a part 2 program 
that is received and later reduced to writing by a non-part 2 provider. 
These commenters said the ability to transmit SUD information orally 
would circumvent part 2, because the information would thereby lose its 
protection, and that patients who consent to sharing their records with 
a non-part 2 provider will not understand that information shared 
orally is not protected by part 2 in the recipient provider's records.
SAMHSA Response
    Although the change to the definition of ``records'' under Sec.  
2.11 does apply to information communicated orally by a part 2 program 
to a non-part-2 provider, this change will serve to clarify, rather 
than to modify, the application of part 2 to patient records created by 
downstream non-part 2 providers. Neither the enabling statute, nor 
older versions of the part 2 regulations going back to 1987, ever 
intended the outcome that an oral communication made by a part 2 
program to a non-part 2 provider, subject to patient consent, would 
make all subsequent clinical recordkeeping by the non-part 2 provider 
subject to the requirements of part 2.
    The revisions to Sec. Sec.  2.11 and 2.12 will help to clarify the 
longstanding balance of interests that part 2 requires, ensuring robust 
privacy protection for part 2 program treatment records, while also 
promoting patient safety, reduction of adverse events, and effective 
coordination of care for persons with SUD. Meanwhile, SAMHSA does 
acknowledge the importance of making sure that patients understand the 
contours of their part 2 privacy rights under the revised rule. Again, 
we are considering opportunities for further guidance and patient and 
provider education, in connection with the new part 2 rule, as well as 
in connection with other applicable laws, such as Jessie's Law, which 
was enacted as section 7051 of the Substance Use-Disorder Prevention 
that Promotes Opioid Recovery and Treatment for Patients and 
Communities Act (SUPPORT Act) (Pub. L. 115-271). Jessie's Law calls for 
best practice development and dissemination around the display of an 
opioid use disorder diagnosis in health care records.

[[Page 42993]]

Public Comments
    A few commenters said the proposed changes would allow sensitive 
information about a patient's substance use diagnosis or treatment that 
is included the general medical record to be shared much more broadly, 
putting the patient at greater risk of legal prosecution and 
discrimination. Commenters noted that while HIPAA may still protect the 
information, it permits much greater access to patient records by law 
enforcement, insurance companies, entities performing healthcare 
operations and courts. One commenter said that HIPAA is not 
sufficiently protective of health condition information that may be 
highly stigmatized or criminalized. Another said that patients must be 
able to access care for a SUD without fear of their highly sensitive 
information being transferred into HIPAA records that offer less 
protections. A few commenters said the changes will discourage people 
from seeking help or staying in treatment, including individuals living 
in areas that are already heavily policed. One commenter said that if 
any program or activity related to SUD knows that oral communications 
are no longer considered ``records'', then actions encompassing the 
identity, diagnosis, prognosis or treatment of any patient acquired in 
connection with the performance of that activity will be compromised, 
which runs counter to SAMHSA's claim of wanting to promote better 
quality of care for patients.
SAMHSA Response
    SAMHSA believes that the revisions to Sec. Sec.  2.11 and 2.12 
offer an appropriate transitional fix for allowing a limited transfer 
of information between part 2 programs and non-part 2 providers, 
subject to patient consent, in order to facilitate better coordination 
of care. The revised provisions continue to require patient consent, 
even with oral communications. SAMHSA does not believe that this rule 
will create the downstream effects of substantially increased 
discrimination and stigma, nor of substantially decreased patient 
willingness to enter treatment.
Public Comments
    A few commenters said the change to the definition of ``records'' 
under Sec.  2.11 would be confusing to patients and providers, 
including one commenter who found the distinction between receiving an 
oral disclosure versus a disclosure of paper or electronic records 
unclear. The commenter noted that all of the part 2 protections cease 
to apply once a patient begins sharing information through a patient 
portal with a non-part 2 provider, since part 2 only applies to part 2 
programs.
    Several commenters said the proposed change would cause confusion 
for patients and providers in non-part 2 settings, by requiring 
different privacy standards for information disclosed orally versus in 
writing, different layers of protection for the same information, and a 
process to reconcile written records and oral communications in the 
receiving provider's system. Another commenter questioned how EHRs will 
distinguish among information received verbally, information received 
electronically and scanned, and information received in writing and 
then rewritten into the chart, which would presumably still enjoy part 
2 protection.
SAMHSA Response
    As discussed above, although the change to the definition of 
``records'' under Sec.  2.11 applies to oral disclosures made by a part 
2 program to a non-part-2 provider, this change will not create a 
disconnect under part 2 with regard to how other forms of disclosure 
are treated. Notably, there is no requirement for a recipient, non-part 
2 provider to reconcile a received oral disclosure with her own written 
records. More broadly, the revised Sec. Sec.  2.11 and 2.12 create no 
new requirements for the use of EHRs, and no new risks for non-part 2 
providers who are already using EHRs in the care of patients with SUDs. 
Rather, Sec. Sec.  2.11 and 2.12 together make it clear that non-part 2 
providers can create their own patient records, including SUD 
information, without that activity becoming subject to part 2. Any 
records previously received from a part 2 program may be segregated, in 
order to distinguish them from the independent recordkeeping activity 
of the non-part-2 provider recipient based on her own clinical 
encounters. And these basic parameters apply equally, regardless of 
what technology the non-part 2 provider is using to keep his or her own 
records. SAMHSA does note that using an EHR that supports data tagging 
and segmentation for privacy and consent management is one path by 
which a non-part 2 provider could comply with the final rule, 
particularly with regard to a received electronic record.
    In order to address any confusion in the patient and provider 
communities, SAMHSA is considering opportunities for guidance and 
educational outreach, in connection with Sec. Sec.  2.11 and 2.12 
specifically, and the new part 2 rule more broadly.
Public Comments
    One commenter asked if a patient must give written consent to 
``verbal'' disclosure as well as to ``written or electronic'' 
disclosures, and if they could do so by checking distinct boxes.
SAMHSA Response
    In general, the part 2 requirements for patient consent to a 
disclosure of his SUD treatment record by a part 2 program or lawful 
holder apply regardless of the medium by which any such disclosure is 
made. Under revisions in this final rule, a patient still must provide 
written consent in order for a part 2 program to orally share his or 
her part 2 information with a non-part 2 provider, unless an exception 
provided for under this Part applies.
Public Comments
    One commenter asked for clarification on the difference between the 
terms, ``record,'' ``part 2 record,'' and ``part 2-covered record.'' 
The commenter said these terms are not defined. Likewise, another 
commenter said confusion remains about what constitutes a part 2 record 
and recommended that SAMHSA engage with stakeholders to inform future 
guidance that clarifies ambiguity.
SAMHSA Response
    SAMHSA appreciates these comments. Although the term ``records'' is 
defined under Sec.  2.11, the expressions ``part 2 record'' and ``part 
2-covered record'' are not defined in the regulation. Broadly speaking, 
``part 2 record'' and ``part-2 covered record'' both refer to an SUD 
patient record which is subject to the requirements of part 2, by 
virtue of originating from a part 2 program. In order to address any 
confusion in the patient and provider communities, SAMHSA is 
considering guidance and opportunities for educational outreach, in 
connection with Sec. Sec.  2.11 and 2.12 specifically and the new part 
2 rule more broadly.
Public Comments
    One commenter said it was not clear whether certain facilities, 
like health centers, would benefit from the changes in Sec. Sec.  2.11 
and 2.12.
SAMHSA Response
    SAMHSA appreciates this comment. SAMHSA will monitor the 
implementation of revised Sec. Sec.  2.11 and 2.12 in the field, and 
will consider further guidance on the impact of the revisions to 
Sec. Sec.  2.11 and 2.12, including with regard to disclosures by part 
2 programs made to non-part 2 health centers.

[[Page 42994]]

Public Comments
    One commenter appreciated the attempt to bring 42 CFR part 2 into 
alignment with other privacy rules but said there is still more work to 
be done to align with HIPAA and across agencies. The commenter said a 
paper-based workflow point of view is outdated and runs counter to 
burden-reduction efforts.
SAMHSA Response
    SAMHSA appreciates these comments. SAMHSA will consider further 
revisions to the part 2 regulations in the future, particularly to 
implement Sec.  3221 of the CARES Act. Several of the related CARES Act 
provisions will likely have the effect of more strongly aligning part 2 
confidentiality standards with the HIPAA privacy rule.
Public Comments
    A few commenters said that despite SAMHSA's statement that it does 
not intend to permit wholesale transcription of the patient's part 2 
records into the primary care record, the proposed change may lead to 
that outcome, especially given the availability of text-to-speech 
technology applications. One commenter said SAMHSA had provided no 
parameters on what is permissible beyond the term ``clinical purpose,'' 
which could result in inappropriate and broad sharing of extensive and 
potentially damaging information, exposing SUD patients to legal 
prosecution and discrimination. Another commenter said that if SAMHSA 
finalizes the proposed amendment to Sec.  2.11, it should include 
limits on the quantity of information to be transcribed, a clear 
prohibition on the use of text-to-speech technology for the purposes of 
this provision, and a requirement that the primary care practitioner 
counsel the patient on the privacy implications of consenting to such a 
disclosure, including the ways that HIPAA is less protective of patient 
privacy than part 2 or applicable state privacy laws.
    One commenter applauded SAMHSA's inclusion of language in the 
preamble addressing the possibility that a non-part 2 provider might 
transcribe extensively from a part 2 record without having a clinical 
purpose for doing so and the agency's explicit statement that this is 
not the intent of the proposal. The commenter urged SAMHSA to 
incorporate this concept into regulatory text so that non-part 2 
providers and other lawful holders are on notice that the intent behind 
SAMHSA's revised definition of ``records'' is to facilitate a treatment 
discussion between a non-part 2 provider and a patient and not a 
loophole to circumvent patient privacy and consent. The commenter urged 
that both Sec. Sec.  2.11 and 2.12 reference this principle, and asked 
that Sec.  2.11 specifically note that oral communications from part 2 
providers to payers or other third parties are not to be used as the 
basis of the creation of separate record streams for patients. The 
commenter also said that SAMHSA should make clear in regulations that 
its intent behind the revisions to Sec. Sec.  2.11 and 2.12 is to 
promote a clinical purpose, such as to allow a treatment note based on 
a direct clinical encounter with the patient. Short of this 
clarification, the commenter said SAMHSA should not revise the 
definition of records to exclude oral communications.
    Another commenter suggested that SAMHSA provide sub-regulatory 
guidance and narrative examples that illustrate acceptable practices 
regarding the extent of transcription and/or documentation permitted 
from this change.
SAMHSA Response
    As we explained above, the effect of the revision in Sec.  2.11 is 
to incorporate a very limited exception to the definition of 
``records,'' such that a non-part 2 provider who orally receives a 
protected SUD information from a part 2 program may subsequently engage 
in an independent conversation with her patient, informed by her 
discussion with the part 2 provider, and record SUD information 
received from the part 2 program or the patient, without fear that her 
own records for that patient thereafter would become covered by part 2. 
This provision will not immunize the misconduct of a non-part 2 
provider who engages in the wholesale transcription of a received SUD 
patient record, without her own direct patient encounter and without 
clinical purpose.
    SAMHSA will consider issuing future guidance on acceptable 
practices regarding the extent of transcription and/or documentation 
permitted under Sec. Sec.  2.11 and 2.12 if we find it is necessary.
Public Comments
    One commenter said the proposed revisions to the definition of 
``records'' and ``applicability'' are vague and do not provide any 
meaningful or clear guidance on what can be added to a medical record 
without triggering the requirements of 42 CFR part 2. Another commenter 
asked for clarification as to whether part 2 redisclosure limitations 
apply when a treating non-part 2 provider reviews the part 2 program 
record, transcribes information from that record which has been validly 
shared pursuant to patient consent, and then inserts it into his or her 
own treatment record. The commenter asked SAMHSA to confirm that doing 
so would avoid application of part 2 to the treating provider's record 
and to broaden the exception to permit portions, summaries, or other 
extractions from the record to be redisclosed without consent.
SAMHSA Response
    As discussed above, the preamble and revisions to Sec. Sec.  2.11 
and 2.12 speak with specificity to the circumstances in which a non-
part 2 provider can receive and hold a treatment record from a part 2 
program, while nevertheless being able to create her own patient 
records without fear that these will become covered by part 2. Taken 
together, the effect of the revisions to Sec. Sec.  2.11 and 2.12 is to 
allow a part 2 program to make a disclosure, with the patient's 
consent, to the recipient non-part 2 provider. In turn, the non-part 2 
provider can then carry out her own encounter with the patient, and 
create her own patient record, which will not fall under the coverage 
of part 2. Again, segregation of any received SUD record may be used by 
a non-part 2 provider to ensure that her own created records can be 
distinguished and will therefore not become subject to part 2.
    Consistent with the foregoing explanation, SAMHSA believes that the 
revised Sec. Sec.  2.11 and 2.12 strike the appropriate balance in 
describing how part 2 will apply in these situations.
Public Comments
    One commenter asked whether patient SUD treatment information 
obtained and then recorded by a part 2 program from a non-part 2 
provider could be exempt or outside the definition for a part 2 record.
SAMHSA Response
    No, that information would still receive part 2 protection. There 
is nothing in the final rule that modifies the basic definition of 
``records'' under Sec.  2.11, as this applies to a part 2 program. 
Section 2.11 states, in pertinent part, that ``Records means any 
information, whether recorded or not, created by, received, or acquired 
by a part 2 program relating to a patient.''

C. Applicability (Sec.  2.12)

    SAMHSA is finalizing this section as proposed.

[[Page 42995]]

    In the 1987 final rule, SAMHSA broadly established that the 
restrictions on disclosure under 42 CFR part 2 would apply to any 
alcohol and drug abuse information obtained by a federally assisted 
alcohol or drug abuse program. As explained in 1987, by limiting the 
applicability of 42 CFR part 2 to specialized programs--that is, to 
those programs that hold themselves out as providing and which actually 
provide alcohol or drug abuse diagnosis, treatment, and referral for 
treatment--the aim was to simplify the administration of the 
regulations, but without significantly affecting the incentive to seek 
treatment provided by the confidentiality protections. Limiting the 
applicability of 42 CFR part 2 to specialized programs was intended to 
lessen the adverse economic impact of the regulations on a substantial 
number of facilities which provide SUD care only as incident to the 
provision of general medical care. The exclusion of hospital emergency 
departments and general medical or surgical wards from coverage was not 
seen as a significant deterrent to patients seeking assistance for 
alcohol and drug abuse. SAMHSA's experience in the more than 30 years 
since 1987 has been consistent with this expectation.
    The 2017 final rule elaborated on this policy, by establishing that 
the disclosure restrictions on SUD patient records would extend to 
individuals or entities who receive such records either from a part 2 
program or from another lawful holder. See 42 CFR 2.12(d)(2)(i)(C). As 
explained in the 2017 final rule, a ``lawful holder'' of patient 
identifying information is an individual or entity who has received 
such information as the result of a part 2-compliant patient consent, 
or as a result of one of the exceptions to the consent requirements in 
the statute or implementing regulations (82 FR 6068). Thus, the effect 
of the 2017 rule was to expand the scope of application for part 2 
confidentiality, by ensuring that records initially created by a part 2 
program would remain protected under 42 CFR part 2 throughout a chain 
of subsequent re-disclosures, even into the hands of a downstream 
recipient not itself a part 2 program. The reason for the 2017 change 
was, once again, to avoid any deterrent effect on patients seeking 
specialized SUD care through part 2 treatment programs, by virtue of 
the patient records from those programs losing their part 2 
confidentiality protection following a disclosure downstream to other 
``lawful holder'' recipients of those records (81 FR 6997).
    Although that policy was established in the 2017 final rule, 
specifically in Sec.  2.12(d)(2)(i)(C), there remains some confusion 
within the provider community about what information collected by non-
part 2 entities is (or is not) covered by the part 2 restrictions on 
re-disclosure. When SAMHSA expanded the reach of the Applicability 
provision in 2017, the intent was not to change the policy established 
in the 1987 rulemaking, nor to make the records of non-part 2 entities 
(such as some primary care providers) directly subject to 42 CFR part 
2, simply because information about SUD status and treatment might be 
included in those records. Rather, the intent underlying the 2017 
provision was to clarify the applicability of 42 CFR part 2 in a 
targeted manner, so that records initially created under the protection 
of part 2 would continue to be protected following disclosure to 
downstream recipients. In doing so, SAMHSA sought to encourage 
individuals to enter into SUD treatment through part 2 programs, by 
strengthening the confidentiality protection for records that originate 
from those programs. Implicit in SAMHSA rulemaking since 1987 has been 
the pursuit of a balance of policy interests: On the one hand, 
consistent with the Congressionally stated purpose of the drug abuse 
confidentiality statute, to encourage entry into SUD treatment by 
ensuring that the records of treatment through a part 2 program would 
not be publicly disclosed, and on the other hand, to reduce the adverse 
impact of part 2 burdens on general medical care providers and 
facilities and on patient care.
    In the wake of the nation's opioid epidemic and continuing trends 
related to alcohol use disorder and cannabis use disorder, it has 
become increasingly important for primary care providers and general 
medical facilities not covered by 42 CFR part 2 to be able to carry out 
treatment and health care operations that sometimes involve creating 
new records that mention SUD status and care. Such records and 
activities are not covered by 42 CFR part 2. However, coordination of 
care between part 2 programs and non-part 2 providers would involve the 
disclosure of SUD records and information by the former to the latter. 
Under the current 42 CFR part 2 regulation, such disclosures of records 
by a part 2 program to a non-part 2 provider do not render all 
subsequent records on SUD caretaking activity undertaken by the non-
part 2 provider subject to the part 2 regulation. For example, when a 
non-part 2 provider is directly treating her own patient, and creates a 
record based on her own patient contact that includes SUD information, 
then that record is not covered by part 2.
    Nevertheless, SAMHSA recognizes that there may be significant 
confusion or misunderstanding as to the applicability of part 2 rules 
to non-part 2 providers. This results in increased burden on non-part 2 
providers, and the potential for impaired coordination of care for 
patients, which could be life threatening, for example, if an affected 
patient has an opioid use disorder. Although the existing text of 42 
CFR 2.12 (d)(2)(i)(C) on Applicability does not compel these results, 
SAMHSA's experience in recent years has demonstrated the need for 
clearer regulatory language, to better delineate the records of non-
part 2 entities which are not covered by the 42 CFR part 2 rules.
    Based on the above considerations, SAMHSA proposed to add a new 
Sec.  2.12(d)(2)(ii), to better clarify that a non-part 2 treating 
provider's act of recording information about a SUD and its treatment 
would not make that record subject to 42 CFR part 2. SUD records 
received by that non-part 2 entity from a part 2 program are subject to 
part 2 restrictions on redisclosure of part 2 information by lawful 
holders, including redisclosures by non-part 2 providers. However, the 
records created by the non-part 2 provider in its direct patient 
encounter(s) would not be subject to part 2, unless the records 
received from the part 2 program are incorporated into such records. 
Segregation or segmentation of any part 2 records previously received 
from a part 2 program can be used to ensure that new records (e.g., a 
treatment note based on a direct clinical encounter with the patient) 
created by non-part 2 providers during their own patient encounters 
would not become subject to the part 2 rules.
    SAMHSA believed that this addition will further clarify the 2017 
revisions, by affirming that the independent record-keeping activities 
of non-part 2-covered entities remain outside the coverage of 42 CFR 
part 2, despite such providers' (segregated) possession, as lawful 
holders, of part 2-covered records. The part 2 disclosure restrictions 
only apply to SUD patient records originating with part 2 providers. 
Such part 2 originating records are subject to the part 2 limitations 
on use and disclosure as they move through the hands of other ``lawful 
holders'' and part 2 programs. Even where part 2 does not apply to a 
patient record created by a non-part 2 provider following a direct 
patient encounter, that record will nevertheless be subject to the 
HIPAA Privacy Rule.

[[Page 42996]]

    One means by which non-part 2 treating providers could benefit from 
the above proposal would be through the segregated storage of part 2-
covered SUD records received from a part 2 program or other lawful 
holder. In the context of a paper record received from a part 2 
program, the proposed requirement could be met by the ``segregation'' 
or ``holding apart'' of these records; in the context of electronic 
records from a part 2 program, the proposed requirement could be met by 
logical ``segmentation'' of the record in the electronic health record 
(EHR) system in which it is held. As under the current rule, when a 
non-part 2 entity receives a protected SUD record from a part 2 program 
or other lawful holder, the received record is subject to the 
heightened confidentiality requirements under part 2. ``Segregating'' 
the received record, whether by segmenting it or otherwise labeling or 
holding it apart, would allow the recipient entity to identify and keep 
track of a record that requires heightened protection.
    Under both the proposed and the current text of part 2, the lawful 
holder recipient entity remains subject to part 2 re-disclosure 
restrictions with regard to the part 2 record, whether or not the 
recipient entity is able to segregate it. But ``segregating'' allows 
the recipient entity both to keep track of the part 2 records, and 
readily distinguish them from all the other patient records that the 
entity holds which are not subject to part 2 protection. As mentioned 
above, ``segregating'' the part 2 record may involve physically holding 
apart any part 2-covered records from the recipient's other records, 
which would be quite feasible in the case of a received paper record or 
an email attachment containing such data. Alternately, ``segregating'' 
can involve electronic solutions, such as segmenting an electronic SUD 
patient record received from a part 2 program by use of electronic 
privacy and security tags such as those in an EHR platform leveraging 
the HL7 Data Segmentation for Privacy (DS4P) standard, in which 
segmentation is carried out electronically based on the standards of 
DS4P architecture (discussed further below). Either of these methods 
for ``segregating'' part 2 covered records is a satisfactory way for 
the recipient entity to keep track of them, and to distinguish them 
from all the other patient records that the entity holds which are not 
subject to part 2 protection. We note that ``segregating'' a received 
part 2 record does not require the use of a separate server for holding 
the received part 2 records. We do not intend this rule to result in 
the creation of separate servers or health IT systems for part 2 
documents. Our policy is intended to be consistent with existing 
technical workflows for data aggregation, storage, and exchange.
    One concern that the proposed provision raises is the possibility 
that a non-part 2 provider might transcribe extensively from a part 2 
record without having a clinical purpose for doing so. This, however, 
is not the intent of the provision. Briefly, the intent is to allow a 
non-part 2 provider to receive SUD information about a patient from a 
part 2 program, and then to engage in a treatment discussion with that 
patient, informed by that information, and then be able to create her 
own treatment records including SUD content, without the latter 
becoming covered by part 2. This level of flexibility is needed in 
order to improve coordination of care efforts, and to save lives. It is 
not SAMHSA's intent to encourage a non-part 2 provider to abuse the 
rules, by transcribing extensively from a conversation with a part 2 
program or from a received part 2 record when creating her own records, 
without having a clinical purpose for doing so. Our intent is to 
expressly permit an avenue of communication, with patient consent, 
between a part 2 program and non-part 2 provider to facilitate better 
coordination of care, without automatically triggering application of 
the rule to the independent records of non-part 2 providers.
    In the 2017 final rule, SAMHSA responded to several public comments 
about data segmentation issues connected to 42 CFR part 2. We 
acknowledged then that although significant challenges exist for data 
segmentation of SUD records within some current EHR systems, SAMHSA has 
led the development of use-case discussions related to the technical 
implementation of the DS4P standard and recently contributed to the 
development of the Fast Healthcare Interoperability Resources (FHIR) 
implementation guide for Consent2Share.\5\ We believe that the existing 
health IT standards which enable data tagging and data segmentation and 
which support the SAMHSA Consent2Share tool are important to help 
advance the needs of part 2 providers and providers across the care 
continuum. SAMHSA recognizes and encourages the further development of 
DS4P standards, and the adoption by developers and vendors of EHR 
systems that meet those standards. The final revisions at Sec.  2.12 do 
not, however, impose on non-part 2 entities any new requirement for 
data segmentation as a practice, nor do they establish any new 
standards or requirements for EHR technology. SAMHSA considered 
including, in the proposed rule, the policy option of defining 
``segmented'' and ``segmentation'' under 42 CFR part 2, in order to 
offer greater clarity about what these terms mean under the rule. 
Segmentation involves technical capabilities and implementation for 
tagging and consent management, as well as technical specifications to 
accurately effect disclosure or non-disclosure of data based on 
federal, state, and local jurisdictions privacy restrictions and 
patient consent. This requires both technical specifications as well as 
supporting policies and governance for the treatment of sensitive data 
that is tagged. The latter is essential for effective segmentation, and 
segmentation is not achievable solely via adoption of a specific 
standard, nor is part 2 the only applicable use case for segmentation. 
For these reasons, we decided not to define segmentation for the 
purposes of this rulemaking, as such a definition might have unforeseen 
technical ramifications for EHR and HIE systems implementation in the 
future. In addition, SAMHSA believes this policy should be flexible, to 
allow providers with different operational standards and capabilities 
to implement the policy with regard to segregation or segmentation in 
the least burdensome way to their practices, while still maintaining 
confidentiality of patient records subject to part 2. Nevertheless, 
using health IT to support data tagging and data segmentation for 
privacy and consent management is one path that a provider could use to 
support their effort to meet part 2 requirements, including those 
described in the proposed rule.
---------------------------------------------------------------------------

    \5\ ``Consent2Share FHIR Profile Design.docx'' can be accessed 
at https://gforge.hl7.org/gf/project/cbcc/frs/.
---------------------------------------------------------------------------

    In addition to the proposed revision to 42 CFR 2.12(d) above, 
SAMHSA proposed conforming changes to the regulatory text of several 
other sections of 42 CFR 2.12, to provide further clarification of the 
applicability of part 2 restrictions on patient records.
    In Sec.  2.12(a), SAMHSA proposed to change the text to reflect 
that the restrictions on disclosure apply to ``any records,'' rather 
than to ``any information, whether recorded or not.'' We also proposed 
a conforming change to Sec.  2.12(a)(ii), to indicate that the 
restrictions of this part apply to any records which ``contain drug 
abuse information obtained . . .'' or ``contain

[[Page 42997]]

alcohol abuse information obtained . . . .'' Taken together, these 
changes are congruent with the amendment to Sec.  2.12(d) and help to 
make it clear that part 2 applies to ``records'' (as defined under 
Sec.  2.11).
    In Sec.  2.12(e)(3), SAMHSA proposed to change the text to reflect 
that the restrictions on disclosure apply to the recipients ``of part 
2-covered records,'' rather than to the recipients ``of information.'' 
This proposed change is congruent with the proposed amendment to Sec.  
2.12(d) and would help to make explicit that downstream restrictions on 
re-disclosure by non-Part 2 entities are tied to protected records 
which originate from a part 2 program in the first instance. SAMHSA 
believes that this proposed conforming change is important, because it 
would further establish that the re-disclosure burden for non-part 2 
entities as lawful holders ties specifically to the protected records 
that they receive from a part 2 program, and not to any other records 
that the non-part 2 entity creates by itself, regardless of whether the 
latter might include some SUD-related content.
    In Sec.  2.12(e)(4), SAMHSA likewise proposed a conforming change 
to the text, by adding language to reflect that a diagnosis prepared by 
a part 2 program for a patient who is neither treated by nor admitted 
to that program, nor referred for care elsewhere, is nevertheless 
covered by the regulations in this part. The change to the regulatory 
text is for clarity, to ensure that this section could not be misread 
as applying directly to the activities of a non-part 2 entity or 
provider.
    Similarly, and congruent with the above conforming changes, SAMHSA 
also proposed to modify the definition of ``Records'' in Sec.  2.11 as 
discussed in Section III.A. above and to modify and streamline the 
language in Sec.  2.32 as discussed in Section III.D. below. Readers 
are referred to those sections of the proposed rule for specifics on 
those proposals and the rationales for such proposed policies.
    The comments we received on the proposed amendments to Sec.  2.12, 
and our responses, are provided below.
Public Comments
    Many commenters supported our proposal to clarify that a non-part 2 
treating provider's act of recording information about a SUD and its 
treatment would not make that record subject to 42 CFR part 2, stating 
that, since the information disclosed to non-part 2 providers will 
still be governed and protected by HIPAA, the proposal strikes the 
appropriate balance between allowing for coordination of care and 
encouraging patients to seek treatment for a SUD by ensuring patient 
records remain confidential. Another commenter said SAMHSA's proposal 
to allow non-part 2 treating providers to record information about a 
SUD and its treatment during direct patient encounters without 
subjecting the information and the record to part 2 would reduce 
confusion and burden on providers. Several commenters also stated that 
the policy could help facilitate meaningful communication between part 
2 programs and non-part 2 providers. One commenter specifically noted 
that patients are often surprised when they find out that their records 
cannot be shared between providers, and this policy may alleviate that 
concern. Another commenter specifically noted that this proposal is 
necessary because the schema of DS4P and specifically the Consent to 
Share tool that SAMHSA proposed in the 2017 Final Rule does not work 
within a shared electronic health record, but this proposal could.
SAMHSA Response
    We thank the commenters for their support.
Public Comments
    One commenter, while supporting the proposal, asked for further 
clarification and guidance on the implementation of the proposed 
changes so that providers can assure compliance with the regulations.
SAMHSA Response
    SAMHSA thanks the commenter for this support. SAMHSA will consider 
issuing implementation guidance for providers in connection with this 
rule.
Public Comments
    Several commenters opposed our proposal to clarify that a non-part 
2 treating provider's act of recording information about a SUD and its 
treatment would not make that record subject to 42 CFR part 2, stating 
that confidentiality is imperative for building trust, establishing 
rapport, and creating a therapeutic environment in which individuals 
are able to explore their mental health needs and substance use 
history. Some commenters argued that this proposal would deter 
treatment, infringe the patient-provider relationship, increase stigma, 
and lead to criminalization. One commenter specifically noted that 
recent research suggests that healthcare providers perceive patients 
with documented substance use more negatively than patients with other 
documented health conditions, and widely sharing records could lead to 
negative impacts on care.
SAMHSA Response
    SAMHSA believes that the revisions to Sec. Sec.  2.11 and 2.12 
offer an appropriate transitional fix for allowing a limited transfer 
of information between part 2 programs and non-part 2 providers, 
subject to patient consent, in order to facilitate better coordination 
of care. The revised provisions continue to require patient consent for 
disclosure of a patient record by a part 2 program for the purpose of 
treatment, even in the case of oral disclosures. SAMHSA does not 
believe that these regulations will create downstream effects of 
substantially increased discrimination and stigma, or of substantially 
decreased patient willingness to enter into treatment.
Public Comments
    One commenter opposed the proposal because of the belief that it 
made a problematic and stigmatizing assumption that patients have not 
disclosed their treatment information to their providers. 
Alternatively, another commenter stated that the proposal would not fix 
the existing challenges for patient safety, because providers may not 
be aware of a patient's history of opioid use disorder when treating 
the patient for other conditions, even if those other conditions are 
related to the SUD.
SAMHSA Response
    SAMHSA believes that the revisions to Sec. Sec.  2.11 and 2.12 will 
help to improve the coordination of care between part 2 programs and 
non-part 2 providers, as well as by non-part 2 providers who receive an 
SUD patient record disclosed to them by a part 2 program. Rather than 
making a stigmatizing assumption that patients have not disclosed their 
SUD treatment information to their [non-part 2] providers, the 
revisions to Sec. Sec.  2.11 and 2.12 are intended to facilitate both 
patients and providers in carrying out exactly those disclosures. 
Although SAMHSA anticipates that these revisions will help to enhance 
quality of care efforts and to improve patient safety, it is unlikely 
that any single policy reform under part 2 will fully resolve the 
adverse events and safety problems associated with the opioid epidemic. 
SAMHSA will continue to consider a range of other policies and 
interventions to address the public health impact of the opioid 
epidemic in the future.

[[Page 42998]]

Public Comments
    Several commenters asked for clarification regarding the recording 
of part 2 information by a non-part 2 provider in a patient's record. 
One commenter stated that the proposal was too vague and did not 
provide any meaningful or clear guidance on what can be added to a 
medical record without triggering the requirements of 42 CFR part 2. 
Another commenter asked if the proposal would result in the entire 
record being enveloped in part 2. A few commenters asked us to clarify 
whether a non-part 2 provider's act of copying and pasting relevant 
information from a patient's part 2 program record into a non-part 2 
record would constitute the ``recording'' of SUD information and thus 
preclude the application of part 2 to the non-part 2 record. Commenters 
requested detailed guidance to ensure part 2 programs and treating 
providers are aware of the permissible means to transfer SUD 
information. One commenter specifically requested guidance on the 
nature and extent of data that can arise from treatment discussions 
informed by part 2 data or clinically relevant transcription and 
whether data segmentation/tagging of such a non-part 2 record is 
required. The commenter also urged more evaluation and real-world 
implementation testing with respect to the implementation, standards, 
and technology issues associated with both clarifications.
SAMHSA Response
    As discussed above, we believe both the preamble and revisions to 
Sec. Sec.  2.11 and 2.12 speak with specificity to the circumstances in 
which a non-part-2 provider can receive and hold a treatment record 
from a part 2 program, while nevertheless being able to create her own 
subsequent patient records without fear that these will become covered 
by part 2. Notably, there is nothing in the final rule that would cause 
an entire record to be ``enveloped in part 2,'' any more so than is the 
case now. Again, the effect of the revisions to Sec. Sec.  2.11 and 
2.12 is to allow the part 2 program to make a disclosure, with the 
patient's consent, to the recipient non-part 2 provider. In turn, the 
non-part 2 provider can then carry out her own encounter with the 
patient, and create her own patient record, which will not fall under 
the coverage of part 2. Segregation of any received SUD record may be 
used by a non-part 2 provider to ensure that her own created records 
can be distinguished, and will therefore not become subject to part 2.
    Taken together, SAMHSA believes that the revised Sec. Sec.  2.11 
and 2.12 strike the appropriate balance in describing how part 2 will 
apply in these situations. SAMHSA is considering future guidance to 
clarify the requirements of Sec. Sec.  2.11 and 2.12 for providers, and 
SAMHSA will continue to collaborate with other federal agencies in 
regard to technology implementation and standard-setting that touches 
on part 2 records.
Public Comments
    One commenter stated opposition to any limitations on how, when or 
how much SUD information the non-part 2 provider can document within 
its own record, even when that information is transcribed from a 
received record from a part 2 program. This commenter stated that the 
preamble implies that, in order for part 2 not to apply, the non-part 2 
provider needs to document the SUD information as part of a direct 
clinical patient encounter and upon reviewing it with the patient 
first, as opposed to directly copying from a record received from a 
part 2 program. The commenter stated that for appropriate care, non-
part 2 providers should be able to document SUD information for safe 
patient care without the information becoming subject to 42 CFR part 2, 
regardless of how a part 2 program originally provides the information, 
or whether information is independently discussed with the patient 
during a visit.
SAMHSA Response
    SAMHSA believes that the revisions to Sec. Sec.  2.11 and 2.12 
offer the appropriate fix for allowing a limited transfer of 
information between part 2 programs and non-part 2 providers, subject 
to patient consent, in order to facilitate better coordination of care. 
As discussed below, SAMHSA is also modifying the regulatory text in 
Sec.  2.33(b), to add disclosures for the purpose of care coordination 
and case management to the list of permitted activities. Other forms of 
communication between lawful holders of part 2 records are also 
permitted under the part 2 regulations with patient consent, consistent 
with the enabling statute. The revisions to Sec. Sec.  2.11 and 2.12 
reflect a balance of interests between ensuring robust privacy 
protection for part 2 program treatment records, while also pursuing 
patient safety, reduction of adverse events, and better coordination of 
care for persons with SUD. SAMHSA will continue to consider 
opportunities for further re-alignment of part 2 requirements for the 
disclosure of SUD records for treatment, payment and health care 
operations in the future, to the extent permissible under the part 2 
enabling statute and consistent with Sec.  3221 of the CARES Act.
Public Comments
    One commenter asked if the process of using the capabilities of 
certified electronic health record technology (CEHRT) to electronically 
``copy'' a medication item, a problem or a medication allergy from the 
received part 2 document as an external list to the internal list 
maintained by the non-part 2 provider's CEHRT is considered 
``transcription.'' This commenter asked that we include an example 
discussing a form of transcription that is permitted that does not 
violate the handling of a part 2 record received by a non-part 2 
provider.
    Likewise, another commenter specifically recommended that we revise 
the proposed regulations to allow health systems/providers using an 
integrated EHR to include the following in the patient's EHR without 
the patient's consent: Part 2 SUD in the integrated common problem 
list; Part 2 SUD treatment/post treatment medications on the integrated 
common medications list; medication allergies found during Part 2 SUD 
treatment/post treatment encounters on the integrated common medication 
allergy list; and an exception to obtaining a patient's consent to 
share this information for health systems/providers who use an 
integrated EHR.
SAMHSA Response
    Currently, a part 2 program may make a disclosure with the 
patient's consent to a non-part 2 provider. Taken together, the effect 
of the revisions to Sec. Sec.  2.11 and 2.12 is to clarify that the 
non-part 2 provider can then discuss that information in her own 
encounter with the patient, and create her own patient record that 
includes SUD information which will not be subject to part 2. The 
recipient non-part 2 provider is permitted but not required to 
segregate the received part 2 record (in whatever medium is relevant), 
as a way to ensure that her own subsequent record-keeping activity can 
be distinguished. These general principles continue to apply, 
regardless of whether the recipient non-part 2 provider is using a 
CEHRT [certified electronic health record technology ]or whether the 
recipient non-part 2 provider and the part 2 program exchange their 
communications through a common, integrated EHR platform.
    SAMHSA believes that revised Sec. Sec.  2.11 and 2.12 strike the 
right balance of interests between ensuring robust privacy protection 
for part 2 program

[[Page 42999]]

treatment records, while also promoting patient safety, reduction of 
adverse events, and better coordination of care for persons with SUD. 
SAMHSA will continue to consider future guidance and refinement to the 
part 2 rules, and will continue to work with ONC to support and 
implement health IT policies consistent with the part 2 rules.
Public Comments
    Many commenters asked for further clarification from SAMHSA in 
determining which records and providers are subject to part 2 
requirements. Commenters specifically asked for definitions as to what 
``holding oneself out as providing'' entails. Other commenters noted 
that, in the current healthcare environment and its emphasis on 
integrated care, providers are likely to apply the Part 2 requirements 
to more treatment settings and providers than required, creating excess 
compliance burden. Some commenters also noted that it is hard to 
imagine a scenario in which part 2 would prevent a specialist for any 
other chronic disease from supporting a treatment team without 
subjecting the entire team to unwieldy regulations. Commenters also 
stated that further clarification of the definition of a part 2 program 
could help patients choose which type of providers--and, consequently, 
confidentiality protections--they should seek.
    One commenter recommended that SAMHSA clarify that Medication-
Assisted Treatment (MAT) services and their associated workflows 
provided as part of a general medical facility do not meet the 
definition of a part 2 program, as long as the providers rendering the 
MAT services do not do so as their primary function within the 
facility. This commenter also recommended that SAMHSA clarify that any 
education or outreach (including posting notices, advertising and 
informing patients) about the availability of MAT services at a general 
medical facility, including Indian Health Service (IHS) and tribal 
facilities, would not change its status as a non-part 2 provider.
SAMHSA Response
    SAMHSA appreciates these comments. Although outside the scope of 
the current rulemaking, SAMHSA will consider issuing guidance in the 
future to further clarify when a general medical facility is subject to 
the part 2 regulations.
Public Comments
    A few commenters asked us to provide further guidance to clarify 
how health plans may similarly communicate with non-part 2 providers 
without subjecting their own records to part 2. Commenters asked if the 
proposed change applies to other lawful holders, specifically health 
plans.
SAMHSA Response
    The revisions in Sec.  2.12 establish that SUD treatment records 
created by a non-part 2 provider will not be covered by part 2, unless 
any SUD record previously received from a part 2 program is 
incorporated into such records. Under Sec.  2.12, segregation of the 
received record can be used by non-part 2 providers to ensure that 
their own created patient records can be distinguished from the 
received record, and thus will not become covered by part 2.
    The revisions in Sec.  2.12 do not address the direct disclosure 
made by a health plan to a non-part 2 provider. In general, the broader 
part 2 framework concerning disclosures made by health plans as 
``lawful holders'' continue to apply. SAMHSA will consider issuing 
future guidance to clarify the application of part 2 to disclosures of 
SUD records by health plans.
Public Comments
    One commenter suggested that rather than modifying Sec.  2.12 in 
order to facilitate disclosures by part 2 programs to non-part 2 
providers in support of care coordination, it would instead be more 
effective under Sec.  2.33 to add care coordination to the list of 
payment and operations activities for which a disclosure may be made 
with patient consent.
SAMHSA Response
    SAMHSA believes that the current revisions to Sec.  2.12 create an 
appropriate and limited pathway for part 2 programs to disclose SUD 
records to non-part 2 providers, and then to allow non-part 2 providers 
to create their own treatment records based on subsequent clinical 
encounters with their patients. However, as we explain below under 
Sec.  2.33, SAMHSA has decided to modify the regulatory text in Sec.  
2.33(b), by adding disclosures for the purpose of care coordination and 
case management to the list of permitted activities under that section.
Public Comments
    One commenter specifically recommended that SAMHSA clarify that 
systems that permit secure communication between patients, their 
permitted designates and non-part 2 caregivers may be used by part 2 
caregivers that are employed by the same healthcare organization, or 
that use the same implementation of the secure communications system. 
This commenter also asked us to exempt communications between part 2 
providers and non-part 2 healthcare providers that are actively engaged 
in the care of the same patient, but are not employed by the same 
healthcare organization. This commenter also asked that we specify that 
part 2 providers performing hospital consultation work may communicate 
with non-part 2 providers within the same organization without 
generating a part 2 covered record.
SAMHSA Response
    Communications between patients, part 2 programs, and non-part 2 
providers through patient portals and integrated EHR platforms can 
present an array of challenges and scenarios for patient consent under 
part 2. The current rulemaking does not attempt to address or resolve 
all such situations, nor does it change the status quo of how part 2 
applies in many such situations.
    SAMHSA will consider future guidance with regard to the application 
of part 2 to integrated EHR platforms, and particularly within 
integrated healthcare systems that include both part 2 programs and 
non-part 2 providers within the same system.
Public Comments
    One commenter noted that SAMHSA did not make any proposals related 
to ``Jessie's Law.'' The commenter explained that Jessie's Law requires 
HHS to develop best practices for prominently displaying information 
relating to a patient's history of substance use in his or her 
treatment records when the patient makes a request for such disclosure.
SAMHSA Response
    We will continue to work within HHS to ensure that we are complying 
with any applicable legal requirements stemming from Jessie's Law.
Public Comments
    Several commenters noted support for our description of segregating 
records, specifically appreciating that we did not impose any new 
requirement for data segmentation as a practice or establish new 
standards for EHR technology. Commenters stated that this segregation 
policy should be flexible to allow providers with different operational 
capabilities to implement the policy in the least burdensome way and to 
offer an opportunity for the health IT industry to continue to work 
with stakeholders in the development of standards to meet patient 
privacy

[[Page 43000]]

expectations. One commenter stated the proposal would not incur 
significant additional burden on vendors because segmenting part 2 data 
has become an industry norm with the implementation of the Data 
Segmentation for Privacy standard, as well as the recent FHIR 
implementation guide for Consent2Share.
SAMHSA Response
    We thank the commenters for their support.
Public Comments
    A few commenters expressed clinical concerns with segmenting 
records, stating that to do so erodes the reliability of those records 
to support the delivery of safe care and may discourage the use of EHRs 
for specific types of SUD information. One commenter noted that this 
concern is especially important because FDA medical device guidance 
requires visibility into how IT systems arrive at their 
recommendations, which may not be possible in a world of segmented 
data. One commenter cautioned us, for these reasons, to only use data 
segmentation and separation in a limited way.
SAMHSA Response
    The revisions in Sec.  2.12 do not impose any requirements for non-
part 2 providers to segment their electronic health records. Neither do 
the current revisions in Sec.  2.12 impose any standards for segmenting 
electronic health records more generally. We believe it is important 
that providers include clinically relevant information within their 
records, while still respecting confidentiality requirements.
    SAMHSA is sensitive to concerns about segmentation standards for 
EHRs. However, SAMHSA is not introducing new segmentation requirements 
or standards under this rule-making.
Public Comments
    Some commenters supported the policy of segregating records under 
Sec.  2.12, but said it is not a practical or best solution to promote 
the effective handling of SUD information to permit treatment and care 
coordination, noting that that the proposed changes still do not allow 
the exchange of information for these purposes without the written 
consent of the patient. These commenters argued that the policy would 
be burdensome and costly, and, because of the multitude of different 
operational standards and capabilities, part 2 programs will find 
themselves in an economically burdensome and legally questionable 
position as legal holders of information disclosed to them by patients 
seeking care. A few of these commenters also noted, however, that these 
burdens could not be overcome without statutory changes.
SAMHSA Response
    We appreciate these comments. The revised Sec.  2.12 does continue 
to require patient consent for the disclosure of a patient SUD record 
by a part 2 program to a non-part 2 provider. The revised Sec.  2.12 
reflects a balance of interests between ensuring robust privacy 
protection for part 2 program treatment records, while also promoting 
patient safety, reducing adverse events, and facilitating better 
coordination of care for persons with SUD.
    SAMHSA does not believe that the revised Sec.  2.12 will place part 
2 programs under any greater operational or legal burden than they 
currently face, with regard to making disclosures to non-part 2 
providers. Meanwhile, it would go considerably beyond the current 
rulemaking, and the current authorizing statute, to permit the 
disclosure of a patient record by a part 2 program to a non-part 2 
provider, without the consent of the patient, except as otherwise 
permitted under Part 2.
Public Comments
    A few commenters asked us to clarify the scenario in which one 
entity has Part 2 and non-Part 2 providers utilizing the same EHR that 
automatically populates diagnosis and prescription information. 
Commenters requested SAMHSA expand its proposal to clarify that if a 
general medical facility includes both Part 2 and non-Part 2 providers, 
then basic information that prepopulates, such as diagnosis and 
prescription information, is not subject to Part 2 requirements. 
Commenters further explained that some providers are unable to 
segregate records with any degree of confidence in their current 
workflows, and noted that many health systems either use separate EHRs 
or consider all providers in the system Part 2 providers due to burden 
and cost, which makes the referral of SUD and non-SUD patients and 
their health records more complicated. Other commenters similarly noted 
that they must treat all possible Part 2 information as if it were 
subject to the rule, and that requiring segmentation of part 2-
protected patient records to prevent unauthorized redisclosure may be 
strictly interpreted by the non-part 2 recipients, causing the 
information to be inaccessible for care coordination or other purposes 
beneficial for the patient.
SAMHSA Response
    Taken together, the effect of the revisions to Sec. Sec.  2.11 and 
2.12 is to allow the part 2 program to make a disclosure, with the 
patient's consent, to the recipient non-part 2 provider. In turn, the 
non-part 2 provider can then carry out her own encounter with the 
patient, and create her own patient record, which will not fall under 
the coverage of part 2. The recipient non-part 2 provider is permitted, 
but not required, to segregate the received part 2 record (in whatever 
medium is relevant), as a way to ensure that her own subsequent record-
keeping activity can be distinguished. These general principles 
continue to apply, regardless of whether the recipient non-part 2 
provider and the part 2 program exchange their communications through a 
shared, integrated EHR platform.
    SAMHSA believes that revised Sec. Sec.  2.11 and 2.12 strike the 
right balance of interests between ensuring robust privacy protection 
for part 2 program treatment records, while also promoting patient 
safety, reduction of adverse events, and better coordination of care 
for persons with SUD. SAMHSA will consider future guidance with regard 
to the application of part 2 to integrated EHR platforms, and 
particularly within integrated healthcare systems that include both 
part 2 programs and non-part 2 providers within the same system.
Public Comments
    One commenter specifically noted concerns for IHS or tribal 
facilities still using the full Resource and Patient Management System 
(RPMS) EHR system. This commenter stated that, while non-part 2 IHS or 
tribal facilities could segregate a paper record fairly easily, the 
RPMS system does not allow for the segregation of electronic records. 
For this reason, the commenter recommended that IHS and tribal 
facilities using RPMS be exempted as to compliance with part 2 until 
IHS modernizes its EHR system. This commenter also asked that SAMHSA 
conduct tribal consultation to negotiate with tribes on part 2 
compliance as to IHS and tribal facilities.
SAMHSA Response
    It is beyond the scope of the current rulemaking for SAMHSA to 
address specific operational challenges for IHS or tribal facilities 
associated with part 2. SAMHSA notes, however, that there is no new 
requirement under Sec.  2.12 for a non-part 2 provider to segregate any 
SUD records received from a part 2 program. There is also no 
requirement

[[Page 43001]]

under the revised Sec.  2.12 for record-keeping practice at IHS or 
tribal facilities to change. Segregating a received part 2 record under 
Sec.  2.12 is entirely at the option of the recipient provider.
    Regardless, SAMHSA will consider conducting future tribal 
consultations and outreach around the revised part 2 rule, as an input 
to future guidance on implementation and compliance.
Public Comments
    Several commenters stated what is meant by requiring the records to 
be ``segregated'' or ``segmented'' is unclear and unrealistic, and may 
mean creating an entirely separate EHR or resorting to paper medical 
records. One commenter suggested that SAMHSA should propose alternate 
solutions to segmentation by non-part 2 providers of records received 
from part 2 programs, which could ease provider burden. Commenters 
specifically noted concerns with technological barriers to segmenting 
non-Part 2 covered patient data, because current EHR technology does 
not allow for a provider to share just the non-Part 2 covered patient 
information with other providers, and asked SAMHSA to offer guidance. 
Commenters noted that, currently, there are no federal requirements for 
EHRs to include DS4P standards, and that, absent a requirement imposed 
on electronic medical record vendors to adopt DS4P and requirements for 
receiving providers to have a consent management system, this situation 
is unlikely to improve. Commenters also questioned whether it is 
feasible to require DS4P standards in all EHRs and urged SAMHSA to 
pursue additional testing of the DS4P standards and to work with 
developers and ONC on a solution. One commenter said that expecting 
programs to adopt compliant medical records could be expensive, 
disruptive to patient care, and problematic for many programs. As an 
alternative, this commenter suggested establishing minimum requirements 
for all EHRs through the appropriate EHR regulations.
SAMHSA Response
    There is no requirement under revised Sec.  2.12 for a non-part 2 
provider to segregate or segment an SUD treatment record received from 
a part 2 program. It is beyond the scope of the current rulemaking to 
address a wide range of technical concerns about support for 
segmentation under specific EHR technologies; or concerns about the 
development or refinement of future DS4P standards; or concerns about 
the cost or burden to providers of adopting EHR systems in the future. 
None of these concerns detracts from the central premise of Sec.  2.12, 
which is to establish that a patient record created by a non-part 2 
provider will not become subject to part 2, simply because SUD 
information may be included within that record.
    Nevertheless, SAMHSA remains broadly sensitive to concerns about 
segmentation, DS4P standards, and EHRs. SAMHSA will continue to 
collaborate with ONC and CMS on efforts that relate more directly to 
interoperability and standard-setting for EHRs.
Public Comments
    Although some commenters appreciated that SAMHSA did not 
prescriptively state a requirement for use of the electronic data 
segmentation approaches, they similarly noted that DS4P and FHIR 
standards are still unsettled topics. Commenters explained that, while 
policies have been adopted and are being further proposed to ``tag'' 
sensitive health information in various ways, no progress has been made 
to provide support to identification of ``what'' is sensitive in a way 
that is semantically interoperable or at a meaningful level of data 
granularity. To make data segmentation a reality that is not 
burdensome, these commenters stated that many stakeholders must decide 
how sensitive health information can be ``tagged.'' Even with this 
consensus, some commenters expressed concern that tags are not 
persistent through transfer because DS4P does not detail how recipient 
systems should handle tagged data, and the scenarios under which it is 
appropriate to use/disclose data tagged as sensitive.
    Commenters noted that these technical aspects will require a 
significant investment in time and resources to ensure the alignment of 
technical infrastructure and policy approaches for both EHRs and health 
information exchanges, requiring policy responses as well as the 
upgrade and maintenance of data dictionaries and technology components. 
Therefore, commenters urged SAMHSA to continue working with ONC on 
these issues. One commenter strongly urged SAMHSA to demonstrate 
commitment to greater interoperability and privacy protections by 
prioritizing data segmentation in development, testing, and 
policymaking, specifically noting the need for data segmentation to be 
made accessible and affordable to physicians.
SAMHSA Response
    SAMHSA acknowledges that many technical issues and standards with 
regard to data segmentation and tagging practices remain unresolved, 
and are continuing to evolve rapidly. SAMHSA will monitor the field and 
continue to work with ONC on these issues, and will likewise 
collaborate with ONC and CMS on efforts that relate more directly to 
interoperability and standard-setting for EHRs. Regardless, SAMHSA 
continues to believe that EHRs that support tagging and segmentation 
offer one approach for implementing part 2 compliant clinical 
workflows.
Public Comments
    A few commenters asked us to clarify if ``segregation'' or 
``holding apart'' applies to claims data, which may hold information 
about a patient's diagnosis and treatment. One commenter asked that we 
work with ONC to clarify how treatment of SUD data by non-Part 2 
providers will work under information blocking and TEFCA and 
administrative transaction policies.
SAMHSA Response
    Under Sec.  2.12, it is contemplated that a part 2 program may 
disclose a treatment record to a non-part 2 provider with the consent 
of the patient, in support of better coordination of care. In turn, the 
non-part 2 provider may then carry out her own clinical encounter with 
the patient, and create her own patient record that includes SUD 
information, without that record being subject to part 2. The non-part 
2 provider may segregate any record previously received from the part 2 
program as a way to distinguish this from her own clinical records. 
Note that all of the foregoing assumes an initial disclosure of a 
clinical record or information for treatment purposes, rather than a 
disclosure of claims data, by the part 2 program to the non-part 2 
provider. A disclosure involving a claim would typically involve a 
health plan as a recipient, which is beyond the scope of the current 
revision of Sec.  2.12 to address.
    SAMHSA will continue to collaborate within the department on any 
potential future guidance as may involve health IT.
Public Comments
    One commenter noted support of our proposal to clarify the language 
of Sec.  2.12 from the use of ``any information'' to ``any records,'' 
and agrees that it better illustrates the intent SAMHSA describes in 
the preamble.

[[Page 43002]]

SAMHSA Response
    We thank the commenter for its support.
Public Comments
    One commenter asked for clarification on whether there is a 
distinction (or conversely, an ambiguity) between what constitutes the 
legally recognized medical record, versus shared information that is 
structured and record-like. In other words, at what threshold of 
structure and formality of conveyance does ``information'' become 
``record?''
SAMHSA Response
    SAMHSA does not draw any distinction between ``records'' as defined 
under Sec.  2.11, versus ``shared information that is structured and 
record-like.'' Per the regulatory text of Sec.  2.11, a ``record'' is 
defined as ``any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient.''

D. Consent Requirements (Sec.  2.31)

    SAMHSA is finalizing this section as proposed, and adding further 
guidance concerning the application of Sec.  2.31 to disclosures for 
the coordination of care, as outlined below.
    In the 2017 final rule, SAMHSA made several changes to the consent 
requirements at Sec.  2.31, to facilitate the sharing of information 
within the health care context, while ensuring the patient is fully 
informed and the necessary confidentiality protections are in place. 
Among those changes, SAMHSA amended the written consent requirements 
regarding identification of the individuals and entities to whom 
disclosures of protected information may be made (82 FR 6077). 
Specifically, SAMHSA adopted a framework for disclosures to entities 
that made several distinctions between recipients that have a treating 
provider relationship with the patient and recipients that do not. 
Under the current rules at Sec.  2.31(a)(4), if the recipient entity 
does not have a treating provider relationship with the patient whose 
information is being disclosed and is not a third-party payer, such as 
an entity that facilitates the exchange of health care information or 
research institutions, the written consent must include the name of the 
entity and one of the following: The name(s) of an individual 
participant(s); the name(s) of an entity participant(s) that has a 
treating provider relationship with the patient whose information is 
being disclosed; or a general designation of an individual or entity 
participant(s) or class of participants that must be limited to a 
participant(s) who has a treating provider relationship with the 
patient whose information is being disclosed. As stated in the 2017 
final rule, SAMHSA wants to ensure that patient identifying information 
is only disclosed to those individuals and entities on the health care 
team with a need to know this sensitive information (82 FR 6084). 
SAMHSA, accordingly, limited the ability to use a general designation 
in the `to whom' section of the consent requirements to those 
individuals or entities with a treating provider relationship to the 
patient at issue.
    Since the 2017 final rule was published, SAMHSA has learned that 
some patients with SUDs would like part 2 programs to disclose their 
protected information to entities for reasons including eligibility 
determinations and seeking non-medical services or benefits from 
governmental and non-governmental entities (e.g., social security 
benefits, local sober living or halfway house programs). Because these 
entities lack a treating provider relationship with the patient, the 
current rules preclude them from being designated by name to receive 
the information, unless they are third-party payers, or the patient 
knows the identity of the specific individual who would receive the 
information on behalf of the benefit program or service provider. In 
addition, many of these entities may not be able to identify a specific 
employee to receive application information, and instead are likely to 
encourage patients to contact them or apply online, such that 
information is submitted to the organization rather than to a specific 
person. SAMHSA has heard that many patients have encountered 
frustration and delays in applying for and receiving services and 
benefits from, and in authorizing part 2 providers to release their 
information to, entities providing such services and benefits, by 
virtue of the inability to designate these entities by organization 
name only on the written consent for disclosure of part 2 information.
    We also understand that the requirement to include an individual's 
name could make it more burdensome for part 2 programs or lawful 
holders to facilitate a patient's specific consent to share their 
information with a contractor or subcontractor that performs care 
coordination or case management activities on behalf of the program or 
lawful holder. It is not SAMHSA's intent to limit patients' ability to 
consent to the disclosure of their own information or create barriers 
to care coordination. We wish, rather, to empower patients to consent 
to the release and use of their health information in whatever way they 
choose, consistent with statutory and regulatory protections designed 
to ensure the integrity of the consent process.
    Therefore, in this final rule, SAMHSA is amending the current 
regulations to clarify when patients may consent to disclosures of part 
2 information to organizations without a treating provider 
relationship. In particular, SAMHSA has amended Sec.  2.31(a)(4)(i), 
which previously required a written consent to include the names of 
individual(s) to whom a disclosure is to be made. The amended section 
inserts the words ``or the name(s) of the entity(-ies)'' to that 
section, so that a written consent must include the name(s) of the 
individual(s) or entity(-ies) to whom or to which a disclosure is to be 
made. SAMHSA believes that this language aligns more closely with the 
wording of the regulation before the January 2017 final rule changes, 
and would alleviate problems caused by the inability to designate by 
name an individual recipient at an entity. For example, if a patient 
wants a part 2 program to disclose impairment information to the Social 
Security Administration for a determination of benefits, such patient 
would only need to authorize this agency on the ``to whom'' section of 
the consent form, rather than identify a specific individual at the 
agency to receive such information. In addition, in response to the 
many comments requesting that SAMHSA provide more flexibility 
throughout the rule to facilitate care coordination and case 
management, the change at Sec.  42 CFR 2.31(a)(4)(i) will also make it 
easier for patients to consent to the disclosure of their information 
for the purposes of care coordination and case management, including to 
contracted organizations of lawful holders, by naming such 
organizations on the consent form.
    SAMHSA has removed old Sec.  2.31(a)(4)(ii) and (iii)(A), and 
redesignated old Sec.  2.31(a)(4)(iii)(B) as Sec.  2.31(a)(4)(ii) in 
the final rule. SAMHSA has also amended the newly redesignated Sec.  
2.31(a)(4)(ii), so that it applies only to entities that facilitate the 
exchange of health information (e.g., health information exchanges 
(HIEs)) or research institutions. The section establishes that, if the 
recipient entity is an entity that facilitates the exchange of health 
information or is a research institution, the consent must include the 
name of the entity and one of the following: (1) The name(s) of an 
individual or entity participant(s); or (2) a general designation of an 
individual or entity participant(s) or class of participants, limited 
to a participant(s)

[[Page 43003]]

who has a treating provider relationship with the patient whose 
information is being disclosed. We have also made conforming amendments 
to Sec. Sec.  2.12(d)(2)(a) and 2.13(d). The revised language of 
2.31(a)(4) does continue to permit patient consent to disclosures to 
third-party payers based on naming the recipient entity, without 
specifying an individual recipient at that entity.
    The comments we received on this proposal and our responses are 
provided below.
Public Comments
    Many commenters supported our proposal to allow patients to consent 
to disclosure to entities without a treating provider relationship 
without naming the specific individual receiving the information. These 
commenters stated that this proposal would break down barriers for 
patients and remove delays in seeking and receiving often life-saving 
services or benefits from entities, allowing integrated information 
exchange between all necessary services, including collaborative non-
treatment services related to substance use. Commenters believed that 
this proposal would empower patients to determine whether it is in 
their interest to share their own protected SUD information with health 
and social service entities, putting ``patients over paperwork.'' 
Commenters also noted that this proposed change would align with the 
modern innovations of complex, fluid teams that meet individual patient 
needs and ``whole person'' care models, many of which may address 
underlying social determinants that can affect a patient's health 
status. Commenters also noted the proposal would significantly enhance 
efforts at interoperability and getting information where and when it 
is needed at the point of care. Finally, commenters applauded this 
change because is more closely aligns with HIPAA standards.
SAMHSA Response
    We thank the commenters for their support.
Public Comments
    Several commenters opposed this proposal, fearing that information 
would be given to interconnected health care systems, unknown future 
entities, and vendors with one general consent and signature. One 
commenter asked that the consent continue to include the specific 
information to be shared, with whom specifically, and the time 
constraints of the release of information. A few commenters stated that 
the proposal raised trust, privacy, and confidentiality concerns and 
would deter treatment. One commenter asked that this consent be an 
``option'' rather than ``preferred.''
SAMHSA Response
    As noted above, SAMHSA has learned that some patients with SUDs may 
want part 2 programs to disclose protected information to entities for 
reasons including eligibility determinations and seeking nonmedical 
services or benefits from governmental and non-governmental entities 
(e.g., social security benefits, local sober living or halfway house 
programs). However, the old rule precluded patients from designating an 
entity's name by itself on the consent form, unless the entity was a 
third-party payer. To alleviate frustration and delays in applying for 
and receiving services and benefits, SAMHSA amended the regulations to 
clarify that patients may consent to disclosures of part 2 information 
to organizations without a treating provider relationship. We note that 
Sec.  2.31(a)(5) requires the consent form to include the purpose of 
the disclosure, which must be limited to that information which is 
necessary to carry out the stated purpose. Under Sec.  2.31(a)(7), the 
consent form must include the date, event, or condition upon which the 
consent will expire if not revoked before. This date, event, or 
condition must ensure that the consent will last no longer than 
reasonably necessary to serve the purpose for which it is provided. We 
believe that these safeguards will alleviate any concerns that the 
consent may be too broad, while appropriately allowing the patient to 
choose to whom their records are disclosed.
Public Comments
    Many commenters asked us to further expand the proposal to allow 
broader consent. A few commenters recommended that we make additional 
revisions which would permit generalized consents, authorizing both 
disclosures and re-disclosures of Part 2 records for treatment, 
payment, and health care operations (TPO) purposes among HIPAA 
``covered entities,'' Part 2 programs, and HIPAA ``business 
associates'' to receive their full medical records, noting this global 
consent would result in better care coordination and avoid delays. 
Another commenter recommended adding regulatory language to specify 
that patients may consent to permit both their Part 2 facility and 
health information exchange networks of their choosing to disclose 
their health information to past, present, and future treating 
providers. Another commenter requested that we allow consent for 
information to be disclosed to categories or types of organizations. 
Similarly, a few commenters requested that we clarify that 
organizations like accountable care organizations and health homes can 
be considered to have a ``treating provider relationship'' with a 
patient. Likewise, a few commenters asked us to clarify whether the 
proposed changes apply to entities that receive information from Part 2 
providers for non-treatment purposes such as health plans, business 
associates, healthcare clearinghouses, and third-party payers. These 
commenters claimed that there is little to no legal distinction between 
broadening the To Whom requirement for non-treatment and treatment 
purposes under Part 2, and that broadening in this way could help to 
streamline Part 2 and HIPAA.
SAMHSA Response
    As noted above, under Sec.  2.31, patients control to whom and for 
what purposes they consent to disclosure of information. Under this 
proposal, SAMHSA is amending the regulations to clarify that patients 
may consent to disclosures of part 2 information to organizations 
without a treating provider relationship. We believe that this policy 
appropriately balances patients' empowerment with confidentiality 
concerns.
    However, the change we are making will make it easier for patients 
to consent to share their records for the purposes of care coordination 
and case management. Patients may consent to share their information 
with a contractor or subcontractor that performs care coordination or 
case management on behalf of a part 2 program or lawful holder, if the 
consent form specifies the contracted organization name in the ``to 
whom'' section, describes the specific types of activities to be 
undertaken in the ``purpose'' section; and meets all other required 
elements outlined in Sec.  2.31. Similarly, a patient may consent to 
share their records for the purpose of care coordination with his or 
her treating provider organization or health insurer, if the provider 
organization or health plan is named in the ``to whom'' section and the 
specific types of care coordination or case management activities are 
described in the purpose section of the consent form.
    SAMHSA will consider making further revisions to the consent 
requirements under Sec.  2.31 in the future, particularly as needed to 
implement Sec.  3221 of the CARES Act.

[[Page 43004]]

Public Comments
    One commenter requested clarification regarding the proposed 
changes to Sec.  2.31 (a)(4)(ii)(B), specifically asking about a 
scenario in which a part 2 program includes a statement on a consent 
form to share part 2 information with a PDMP, and must, upon request, 
provide the patient with a list of entities to which their information 
has been disclosed pursuant to the general designation in Sec.  
2.13(d). The commenter inquired about the level of specificity that is 
required for the ``list of entities.'' This commenter noted that a 
state may only have the ability to disclose that a patient's 
information was accessed by another state's PDMP, but may not have 
access to the records for individual end-users in that state's PDMP.
SAMHSA Response
    Under Sec.  2.36, disclosures to PDMPs will be accomplished by 
direct consent and not using a general designation to which the List of 
Disclosures requirement in Sec.  2.13(d) applies. As a result, a 
patient would not be able to request a list of entities under Sec.  
2.13(d) to which the PDMP made disclosures.
Public Comments
    One commenter argued that there should be an option for a ``general 
designation'' that encompasses all providers within an organization, 
not just those who already have a treatment relationship with the 
patient. This commenter asked that we add the following language to the 
regulation: ``A general designation of an individual or entity 
participant(s) or class of participants that must be limited to a 
participant(s) who has a treating provider relationship with the 
patient whose information is being disclosed or who has in place a 
written contract or comparable legal instrument with the individual or 
entity that requires the participant(s) to be fully bound by the 
provisions of Part 2 upon receipt of patient identifying information.''
SAMHSA Response
    As stated in the January 2017 final rule (82 FR 6084), for entities 
that facilitate the exchange of health information or are research 
institutions, SAMHSA wants to ensure that patient identifying 
information is only disclosed to those individuals and entities on the 
health care team with a need to know this sensitive information. 
Therefore, in instances where information is disclosed to entities that 
facilitate the exchange of health information or research institutions, 
SAMHSA will continue to limit the ability to use a general designation 
(e.g., ``all my treating providers'') in the ``to whom'' section of the 
consent requirements to those individuals or entities with a treating 
provider relationship.
Public Comments
    A few commenters supported our proposal, but asked us to provide 
additional examples and definitions of ``entity'' in the final rule. 
Commenters noted that this clarification would help providers comply 
with the provision. One commenter asked that we clarify the 
applicability of Sec.  2.31(a)(4)(i) to third-party administrators and/
or representatives that operate on behalf of a governmental and/or 
nongovernmental entity. The commenter also asked us to clarify under 
the proposed rule the applicability of Sec.  2.31(a)(4)(i) in instances 
in which the requirements of Sec.  2.15(a)(1) have been met and a 
patient's guardian or personal representative authorized under state 
law may act on behalf of the patient. A few commenters asked us to 
carefully define ``entity'' to specify an individual or entity that has 
a direct treating provider or clinical relationship with the patient.
SAMHSA Response
    SAMHSA is amending Sec.  2.31 to enable patients to broadly consent 
to disclose their records to any entity of their choosing, without 
naming an individual recipient within such entity. A patient may choose 
to disclose their records to an entity with which they do not have a 
treating provider relationship, except in situations where a general 
designation is used to disclose information to entities that facilitate 
the exchange of health information or to research institutions. In that 
case, a general designation of an individual or entity participant(s) 
or class of participants must be limited to a participant(s) with a 
treating provider relationship with the patient whose information is 
being disclosed. Given our desire to ensure patients may consent to any 
entity or its representatives as they so choose, SAMHSA does not 
believe that further defining the term ``entity'' is necessary. Section 
2.15(a) states that in the case where a patient has been adjudicated as 
lacking the capacity, for any reason other than insufficient age, to 
manage their own affairs, any consent that is required under the 
regulations in this part may be given by the guardian or other 
individual authorized under state law to act in the patient's behalf.
Public Comments
    A few commenters asked us to include anti-discrimination 
protections in the regulations that forbid the use of any information 
disclosed for the purposes of limiting access to health, life, or 
disability insurance coverage; limiting access to protections under the 
ADA; limiting access to health care; criminal or civil investigation or 
prosecution; sharing information with the patient's employer; sharing 
information with child welfare agencies or family courts; or limiting 
or denying the patient's rights or benefits in any way.
SAMHSA Response
    As we have previously indicated, promulgating rules that address 
discriminatory action is outside the scope of SAMHSA's current legal 
authority (see 83 FR 248). However, we refer the commenter to Sec.  
2.13(a), which states that patient records subject to the Part 2 
regulations may be disclosed or used only as permitted by the 
regulations and may not otherwise be disclosed or used in any civil, 
criminal, administrative, or legislative proceedings conducted by any 
federal, state, or local authority. Further, Sec. Sec.  2.64 and 2.65 
describe required procedures and criteria for orders authorizing 
disclosures for criminal investigations of patients and for non-
criminal purposes (such as a civil action), which provide safeguards 
for patients. Finally, we note that Sec.  3221(g) of the CARES Act does 
include antidiscrimination language, and we anticipate implementing 
that provision in future rulemaking.
Public Comments
    One commenter requested clarification as to how the proposal would 
apply to a medical entity such as a clinic. The commenter asked if all 
providers dealing with the patient in a clinic would have access to the 
disclosed information. The commenter stated that it is their 
understanding that some treatment records can be marked as confidential 
in certain electronic health records, but that medications and 
diagnoses typically are not.
SAMHSA Response
    Although SAMHSA has amended the current regulations to clarify that 
a patient may consent to the disclosure of part 2 information to an 
entity without naming a specific individual as the recipient, current 
rules already allow consent to an entity with a treating provider 
relationship, and this consent flows to entity staff with a need to 
access the Part 2-covered information.

[[Page 43005]]

We note that Sec.  2.31(a)(5) of the regulations continues to require 
the consent form to include the purpose of the disclosure. The 
disclosure of patient identifying information must be limited to that 
information which is necessary to carry out the stated purpose. Thus, a 
clinic receiving the disclosed information may only share the patient's 
information in order to meet the purpose of the disclosure as described 
on the consent form.
Public Comments
    One commenter recommended that a tribally operated or American 
Indian part 2 program be authorized to share a patient's SUD treatment 
information with IHS, tribal, or urban Indian health primary care 
providers for treatment purposes without patient consent, stating that 
this change is needed to facilitate care within the Indian health 
system.
SAMHSA Response
    We appreciate the comment and concern for ensuring patients within 
the Indian Health Service receive effective care. SAMHSA does not have 
the authority to exempt patients within the IHS from the part 2 consent 
requirements. However, we note that the changes we are finalizing in 
this final rule to promote care coordination between part 2 programs 
and primary care doctors would similarly apply to IHS providers and 
patients.
Public Comments
    One commenter asked us to develop template consent forms that meet 
the requirements of the final rules for ease and convenience of 
patients and providers.
SAMHSA Response
    We thank the commenter for the suggestion and will consider issuing 
guidance related to the consent form requirements in the future.
Public Comments
    A few commenters asked that we allow for an ``opt-out'' consent 
process similar to that under HIPAA, in which patient information would 
be permitted to be used and disclosed for treatment, payment, and 
health care operations unless the patient opts-out.
SAMHSA Response
    The authorizing statute for the part 2 rules expressly requires 
written consent for most uses and disclosures of SUD patient records. 
We believe that this policy appropriately balances patients' 
empowerment with confidentiality concerns. We further note, however, 
that Sec.  3221 of the CARES Act contemplates modifying the parameters 
for consent to the disclosure of a patient record for the purpose of 
treatment, payment and health care operations. We anticipate making 
further revisions to part 2 in the future, in order to implement the 
relevant provisions of the CARES Act.
Public Comments
    One commenter encouraged us to expand the list of safe harbors for 
those acting in good faith who are trying to help an individual obtain 
housing, health care, or other necessary services. The commenter also 
asked us to align with the HHS Office for Civil Rights (OCR) on future 
regulations and guidance specifically discussing these scenarios and 
the ability to share health information for critical individual needs.
SAMHSA Response
    We thank the commenter for the suggestions and will consider them 
in the future.
Public Comment
    One commenter requested clarification on how patient 
confidentiality will be assured under this proposal.
SAMHSA Response
    As noted above, records are only disclosed at the patient's request 
and after consent under this section; therefore, the patient remains in 
control of his/her records and with whom and for what purposes these 
records are shared. Records disclosed under this section will retain 
their status as protected part 2 records in the hands of downstream 
recipients. We refer the commenter to Sec.  2.32, which describes the 
notice that must be provided to recipients of part 2 records disclosed 
under Sec.  2.31. The notice prohibits redisclosure of the records 
unless expressly permitted by the written consent of the individual 
whose information is being disclosed or, otherwise permitted by 42 CFR 
part 2.
Public Comments
    One commenter stated that the rule change needed to be clarified 
across the regulation to ensure that individuals do not need to be 
listed to consent to an entity.
SAMHSA Response
    SAMHSA believes that clarifying this change in the regulatory text 
of Sec.  2.31 is sufficient to ensure that individuals do not need to 
be listed when a patient consents to sharing his or her records with an 
entity.
Public Comments
    One commenter, although supporting our proposal, noted the 
importance of the safeguards inherent in the general designation that 
allow the individual to request a list of entities to which their 
information has been disclosed.
SAMHSA Response
    We appreciate feedback regarding the importance of safeguards that 
allow an individual to request a list of entities to which their 
information has been disclosed under the general designation option.
Public Comments
    A few commenters requested that we allow individuals to consent to 
disclosure to entities without listing an individual as the recipient, 
in instances where information is disclosed to entities that facilitate 
the exchange of health information or research institutions. These 
commenters stated that patients are not aware of the information 
sharing happening at the provider level by Health Information Networks 
(HINs) and HIEs, most of which is done to coordinate care and benefit a 
patient's care. Without this change, commenters said that Part 2 
information sharing that is happening at the HIN and HIE level could be 
halted, and burden to providers may increase. Commenters also argued 
that this change is also not legally different than adopting the same 
position with respect to treatment purposes and this change would align 
with the CMS and ONC interoperability goals.
SAMHSA Response
    Newly finalized language in Sec.  2.31(a)(4)(ii) continues to allow 
patients to use a general designation in consenting to disclose their 
records to organizations that facilitate the exchange of health 
information. Specifically, if a recipient entity facilitates the 
exchange of health information or is a research institution, a written 
consent must include the name(s) of the entity and either the name of 
the individual or entity participants, or a general designation of an 
individual or entity participant(s) or class of participants that must 
be limited to a participant(s) who has a treating provider relationship 
with the patient whose information is being disclosed (e.g., ``my 
treating providers'').
Public Comments
    One commenter noted that SAMHSA did not provide a definition in the

[[Page 43006]]

proposed rule on what constitutes an HIE, and asked us to define what 
types of organizations qualify as HIEs.
SAMHSA Response
    On May 1, 2020, ONC published its final rule on interoperability 
under the 21st Century Cures Act (85 FR 25642). As a part of the final 
interoperability rule, ONC did provide a definition for what 
constitutes an HIE (to be codified at 45 CFR 171.102). SAMHSA is hereby 
incorporating that definition by reference, for the purpose of this 
rule.
Public Comments
    One commenter noted the tension between the functionality of an HIE 
and protecting patient privacy. This commenter encouraged us to 
carefully explore the relationship between part 2 data and HIEs in 
future guidance, in order to identify solutions that can allow for 
rapid data transfer while protecting patient privacy.
SAMHSA Response
    We thank the commenter for this suggestion and will consider 
issuing additional guidance related to HIEs in the future. SAMHSA will 
also consider other educational activities, such as trainings and 
webinars, should SAMHSA determine the need during implementation of the 
final rule.
Public Comments
    One commenter noted that the exclusion of HIEs is overbroad, 
stating that if SAMHSA wants to ensure that organizations that access a 
patient's information under a general designation only do so for 
purposes of caring for the patient, it could adopt a provision that 
simply says an HIE can only use a general designation on its consent 
form if it has policies to ensure that participants obtain information 
under the general designation only for limited purposes, such as 
treatment, payment, or health care operations as defined under HIPAA.
SAMHSA Response
    At this time, we do not believe this exclusion to be overbroad. As 
stated above, newly finalized language in Sec.  2.31(a)(4)(ii) 
continues to allow patients to use a general designation in consenting 
to disclose their records to organizations that facilitate the exchange 
of health information. Specifically, if a recipient entity facilitates 
the exchange of health information or is a research institution, a 
written consent must include the name(s) of the entity and either the 
name of the individual or entity participants, or a general designation 
of an individual or entity participant(s) or class of participants that 
must be limited to a participant(s) who has a treating provider 
relationship with the patient whose information is being disclosed 
(e.g., ``my treating providers''). We will, however, consider this 
suggestion in the future if we find the current language to be limiting 
to patients.

E. Prohibition on Re-Disclosure (Sec.  2.32)

    SAMHSA is finalizing this section as proposed.
    In the 2017 final rule, SAMHSA clarified that the disclosure 
restrictions on SUD patient records would extend to individuals or 
entities who receive such records either from a part 2 program or from 
another lawful holder. We further emphasized this clarification in the 
notice requirements in Sec.  2.32 in the 2017 final rule. Under Sec.  
2.32, each disclosure made with a patient's consent must contain a 
written statement notifying the recipient of the applicability of 42 
CFR part 2 to any re-disclosure of the protected record. In the 2017 
final rule, SAMHSA noted that the prohibition on redisclosure provision 
only applied to information from the record that would identify, 
directly or indirectly, an individual as having been diagnosed, 
treated, or referred for treatment for a SUD by a part 2-covered 
provider. The prohibition still allowed other health-related 
information shared by the part 2 program to be re-disclosed, if 
permissible under the applicable law (82 FR 6089).
    SAMHSA has since heard from the provider community that this 
section of the regulation prompted downstream, non-part 2 providers to 
manually redact portions of their disclosure data files that identify a 
patient as having or having had a SUD. This activity is operationally 
burdensome and not the intent of the 2017 final rule. As noted in 
Section IV.C. above, SAMHSA has proposed to modify Sec.  2.12 to 
clarify that the recording of information about an SUD and its 
treatment by a non-part 2 provider is permitted and not subject to part 
2, and that the non-part 2 provider may segregate or segment any 
patient record previously received from a part 2 program to ensure that 
she can distinguish them from her own patient records created following 
clinical encounters. Therefore, a downstream non-part 2 provider would 
not need to redact SUD information in its own records in an effort to 
comply with part 2, provided that any outside patient record previously 
received from a part 2 program or other lawful holder is segregated or 
segmented.
    To ensure that downstream non-part 2 providers are aware that they 
do not need to redact information in their files if they have means of 
identifying the part 2-covered data (e.g., by segregating or segmenting 
the files received from the part 2 program), SAMHSA proposed to modify 
and streamline the notice language in Sec.  2.32(a)(1) to remove the 
superfluous language that has contributed to confusion regarding the 
restrictions on re-disclosures (84 FR 44574). Specifically, we proposed 
to remove ``information in'' and ``that identifies a patient as having 
or having had a SUD either directly, by reference to publicly available 
information, or through verification of such identification by another 
person,'' from the current notice language established in the 
regulation. Additionally, SAMHSA added language to specifically state 
that only the part 2 record is subject to the prohibition on re-
disclosure in Sec.  2.32, unless further disclosure either is expressly 
permitted by written consent of the individual whose information is 
being disclosed in the record or is otherwise permitted by 42 CFR part 
2 (84 FR 44574).
    The comments we received on the proposed amendments to Sec.  2.32 
and our responses are provided below.
Public Comments
    Several commenters supported our proposal to streamline the 
redisclosure language in Sec.  2.32, stating that the change would 
reduce counterproductive provider burden, decrease confusion, and would 
also support enhanced, whole-person care coordination for the benefit 
of the patient. One commenter specifically noted that because of the 
way the provision was previously worded, providers would redact 
critical patient information for fear of violating Part 2, leading to 
gaps in care. One commenter, while supporting the proposal, noted that 
the need to revise this language may be limited, because of the ability 
to use an alternative short form of the notice which was implemented in 
the 2018 final rule. Some commenters, while supporting the proposal, 
requested additional clarification on how patient confidentiality will 
be assured.
SAMHSA Response
    We thank the commenters for their support. As noted above, part 2 
records will continue to be protected by part 2: The changes in Sec.  
2.32 of the final rule merely provide clarity so that non-part 2 
providers will better understand that they do not need to redact 
patient information from their own clinical records that are not 
protected by part 2.

[[Page 43007]]

Thus, we believe that patient confidentiality will still be 
appropriately maintained under this proposal.
Public Comments
    Some commenters opposed our proposal to streamline the redisclosure 
language in Sec.  2.32, noting confidentiality concerns and potential 
negative impacts to clinical decision-making. One commenter 
specifically stated that patients would be reluctant to sign a consent 
for disclosure of their records for legitimate reasons, knowing that 
once the medical records are sent out, they can be disseminated without 
the patient's consent.
SAMHSA Response
    SAMHSA does not believe that the final rule on Sec.  2.32 changes 
the basic consent requirements in the regulations. Instead, as stated 
above, the change in Sec.  2.32 simply streamlines the required 
``Notice'' language, to ensure that non-part 2 providers are not 
burdensomely seeking to redact large amounts of text from a patient's 
general medical record that is not protected under Part 2. In addition, 
SAMHSA does not anticipate any adverse impact from the final rule on 
Sec.  2.32 on clinical decision making. In fact, the more information 
received by a downstream clinician in a record that is not redacted, 
the better informed that clinician will be, thereby facilitating better 
informed patient-clinician decisions.
Public Comments
    A few commenters specifically stated that they did not support this 
proposal because of the corresponding changes being proposed to Sec.  
2.11. These commenters asserted that information conveyed from a part 2 
program to a non-part 2 provider for treatment purposes with the 
consent of the patient would no longer be protected by the Part 2 rules 
and only subject to HIPAA, which has fewer protections and could lead 
to medical care discrimination and increased legal prosecution.
SAMHSA Response
    As stated above, under this rule, any record disclosed by a part 2 
program to a non-part 2 provider will still be subject to part 2, and 
the recipient's own clinical record might also become subject to part 2 
if the received record is wholly incorporated into the non-part 2 
provider's own patient record. Thus, Sec.  2.33 would continue to apply 
to records in these instances.
Public Comments
    A few commenters, although supporting the intent of the proposal, 
noted difficulties in operationalizing the provision with EHRs. These 
commenters recommended that future regulations clarify the re-
disclosure requirements, and recognize the existing challenges within 
both paper and electronic environments. The commenters encouraged 
SAMHSA to provide better examples and guidance for successfully 
implementing the redisclosure requirements. One commenter specifically 
asked SAMHSA to engage in pilot testing and evaluation of relevant 
standards and technologies and suggested establishing a temporary safe 
harbor for enforcement while the technical issues are studied. This 
commenter also asked that, given the difficulty of distinguishing part 
2 records from general medical information, SAMHSA consider lesser 
penalties for ``good faith'' errors in contrast to malicious or other 
intentionally wrongful disclosures.
SAMHSA Response
    In the 2018 final rule, SAMHSA explicitly adopted an abbreviated 
notice that is 80 characters long to fit in standard free-text space 
within health care electronic systems (83 FR 240). SAMHSA has not 
proposed any change to this abbreviated notice language in Sec.  2.32; 
thus, stakeholders may continue using this language in their EHR 
systems. As we previously noted in the 2018 final rule, SAMHSA 
acknowledges that there may be technical issues connected to compliance 
with Sec.  2.32 which will require future guidance to resolve. 
Nevertheless, SAMHSA believes that the current final rule on Sec.  2.32 
involves an appropriate balance of interests at present. SAMHSA will 
continue to work with stakeholders, as needed, to provide guidance in 
the future.
Public Comments
    One commenter stated that the proposal will need to be enforced to 
be effective, citing examples of third parties re-disclosing records, 
even though all the pages are stamped with the non-re disclosure 
statement.
SAMHSA Response
    We also believe enforcing part 2 is important to protect 
confidentiality of patients. We will continue to pursue enforcement of 
this and other provisions under part 2.
Public Comments
    A few commenters asked us to take the proposal further, by 
completely eliminating the redisclosure prohibition, stating that the 
statute does not require it. Commenters noted that downstream 
redisclosures would fall under HIPAA protections, which are robust in 
nature and familiar to those entities and individuals who would be 
engaging in the redisclosures.
SAMHSA Response
    As stated in the 2017 final rule, while the statute may not be 
explicit with regard to all provisions in 42 CFR part 2, the statute 
directs the Secretary to provide for such safeguards and procedures as, 
in the judgment of the Secretary, are necessary or proper to effectuate 
the purposes of this statute, to prevent circumvention or evasion 
thereof, or to facilitate compliance therewith (82 FR 6089). At this 
time, SAMHSA believes that Sec.  2.32 is still necessary, on balance, 
to appropriately protect the confidentiality of patients.
    We do anticipate making further revisions to part 2 in the future, 
in order to implement the relevant provisions of the CARES Act, and we 
will review the status of Sec.  2.32 in any future rulemaking.
Public Comments
    One commenter recommended that SAMHSA add notice language to Sec.  
2.32, to reinforce that the non-part 2 provider/entity has received the 
part 2-protected SUD information for the permissible purpose of 
improving service delivery for the patient, and that although 
unauthorized redisclosure of part 2-protected information is 
prohibited, this information should be used as intended for the 
permissible purpose.
SAMHSA Response
    The final rule at Sec.  2.32 does not specify particular purposes 
for which part 2 protected records must be used, once the patient 
consents to such use. We believe it is best to empower patients to 
specify the terms for a limited disclosure, rather than adding 
compulsory requirements for the use of disclosed records, which might 
be confusing and could cause providers to limit the disclosure of 
important information intended to be conveyed by the patient.

F. Disclosures Permitted With Written Consent (Sec.  2.33)

    In response to comments received on the proposed rule and the CARES 
Act provision incorporating into 42 U.S.C. 290dd-2 the HIPAA Privacy 
Rule definition of health care operations, which includes care 
coordination and case management activities, SAMHSA is

[[Page 43008]]

modifying this section of the rule from what was proposed, to add care 
coordination and case management as an example of an activity for which 
a lawful holder may make a further disclosure to its contractors, 
subcontractors and/or legal representatives, in support of health care 
payment or operations. In order to avoid confusion about the extent of 
Sec.  2.33(b), SAMHSA has also deleted from the regulatory text the 
statement that ``Disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes such as substance use 
disorder patient diagnosis, treatment, or referral for treatment are 
not permitted under this section.''
    While we did not specifically propose to include care coordination 
and case management in the list of activities under Sec.  2.33(b), the 
NPRM addressed the issue of how to facilitate these types of services, 
and we received public comments on this point. More recently, Congress 
passed the CARES Act, which expressly permits disclosure of Part 2 
information for these very purposes. To the extent that there may be a 
concern that we did not formally and specifically solicit public 
comment on listing care coordination and case management in Sec.  
2.33(b), we believe that further notice and comment on this matter is 
unnecessary. The Department's statements in the NPRM elicited comments 
on this issue, and the subsequent passage of the CARES Act would 
otherwise effectuate Sec.  2.33(b) of this final rule starting March 
27, 2021. Additionally, permitting disclosures under Sec.  2.33(b) for 
case management and care coordination services in this final rule will 
have the effect of granting providers, part 2 programs and lawful 
holders more time in which to establish processes for carrying out 
these essential services in accordance with the requirements of this 
final rule and the CARES Act provisions. Therefore, the Department 
finds good cause to forego notice and comment on whether care 
coordination and case management activities should be included in the 
illustrative list of permissible payment and health care operations 
activities under 2.33(b). 5 U.S.C. 553(b)(B)(an agency is exempt from 
the notice and comment requirements of the Administrative Procedure Act 
if the agency ``for good cause finds . . . notice and public procedure 
thereon are impracticable, unnecessary, or contrary to the public 
interest'').
    In the 2018 final rule (83 FR 241), SAMHSA clarified at Sec.  
2.33(b), the scope and requirements for permitted disclosures by a 
lawful holder to contractors, subcontractors, and legal 
representatives, for the purpose of payment and certain health care 
operations. In the 2017 proposed rule, SAMHSA proposed to include in 
the regulatory text a list of 17 specific types of permitted categories 
of payment and health care operations (82 FR 5487).
    Based on the numerous comments received requesting additions or 
clarifications to the list, as well as concerns that the changes 
occurring in the health care payment and delivery system could rapidly 
render any list of activities included in the regulatory text outdated, 
SAMHSA decided not to include the list of 17 activities in the 
regulation text in the 2018 final rule, and, instead, decided to 
include a list of the types of permitted activities in the preamble of 
the 2018 final rule. SAMHSA stated in the 2018 final rule that we 
included this list of activities in the preamble in order to make clear 
that it is an illustrative rather than exhaustive list of the types of 
payment and health care operations activities that would be acceptable 
to SAMHSA (83 FR 241). By removing the list from the regulatory text, 
SAMHSA intended for other appropriate payment and health care 
operations activities to be permitted under Sec.  2.33 as the health 
care system continues to evolve.
    Since the 2018 final rule was published, SAMHSA has learned that 
including an illustrative list of permissible activities in the 
preamble rather than in the text of the regulation did not fully 
clarify the circumstances under which part 2 information could be 
further disclosed under Sec.  2.33. Specifically, stakeholders may have 
believed that a particular activity was not permissible unless 
explicitly identified within the regulatory text. Therefore, to clear 
up any remaining confusion, SAMHSA proposed to amend Sec.  2.33(b) to 
expressly include the illustrative list of permissible activities that 
was contained in the preamble of the 2018 final rule (83 FR 243). It is 
important to note, as was noted in the preamble to the 2018 final rule, 
that this list is illustrative rather than exhaustive.
    Specifically, SAMHSA proposed to add the following examples of 
permissible activities that SAMHSA considers to be payment and health 
care operations activities to Sec.  2.33(b):
     Billing, claims management, collections activities, 
obtaining payment under a contract for reinsurance, claims filing and 
related health care data processing;
     Clinical professional support services (e.g., quality 
assessment and improvement initiatives; utilization review and 
management services);
     Patient safety activities;
     Activities pertaining to:
    [cir] The training of student trainees and health care 
professionals;
    [cir] The assessment of practitioner competencies;
    [cir] The assessment of provider and/or health plan performance; 
and/or
    [cir] Training of non-health care professionals;
     Accreditation, certification, licensing, or credentialing 
activities;
     Underwriting, enrollment, premium rating, and other 
activities related to the creation, renewal, or replacement of a 
contract of health insurance or health benefits, and/or ceding, 
securing, or placing a contract for reinsurance of risk relating to 
claims for health care;
     Third-party liability coverage;
     Activities related to addressing fraud, waste and/or 
abuse; Conducting or arranging for medical review, legal services, and/
or auditing functions;
     Business planning and development, such as conducting cost 
management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
     Business management and/or general administrative 
activities, including management activities relating to implementation 
of and compliance with the requirements of this or other statutes or 
regulations;
     Customer services, including the provision of data 
analyses for policy holders, plan sponsors, or other customers;
     Resolution of internal grievances;
     The sale, transfer, merger, consolidation, or dissolution 
of an organization;
     Determinations of eligibility or coverage (e.g., 
coordination of benefit services or the determination of cost sharing 
amounts), and adjudication or subrogation of health benefit claims;
     Risk adjusting amounts due based on enrollee health status 
and demographic characteristics; and
     Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges.
    To further clarify that the list is not exhaustive, SAMHSA also 
proposed to add ``other payment/health care operations activities not 
expressly prohibited'' in this provision to the end of the list. SAMHSA 
also again clarified in the preamble to the proposed rule (84 FR 44575) 
that Sec.  2.33(b) was not intended to cover disclosures to 
contractors, subcontractors, and legal

[[Page 43009]]

representatives for the purposes of care coordination or case 
management, and disclosures to carry out such purposes were not 
permitted under this section. We noted that this policy differs from 
the HIPAA Privacy Rule, under which `health care operations' 
encompasses such activities as case management and care coordination. 
SAMHSA previously emphasized the importance of maintaining patient 
choice in disclosing information to health care providers with whom 
they will have direct contact (83 FR 243). We stated in the proposed 
rule that although Sec.  2.33(b) does not cover disclosures for the 
purpose of care coordination or case management, such disclosures may 
nevertheless be made under other provisions of Sec. Sec.  2.31 and 
2.33. Additionally, we noted that several of the proposals to revise 
other sections of part 2 in this rulemaking would help to facilitate 
coordination of care, as under Sec.  2.12 (Applicability). However, as 
discussed above, due to recent CARES Act amendments as well as public 
comments, SAMHSA has decided to include care coordination and case 
management in the illustrative list of examples of payment and health 
care operations activities for which disclosures may be made under 
Sec.  2.33(b).
    At this time, we note that this rule provides transitional 
regulations until such time as implementing regulations for Sec.  3221 
of the CARES Act come into effect. In future rulemaking, we will 
consider further revisions to Sec.  2.33, as needed to implement 
relevant provisions under the CARES Act.
    The comments we received on the proposed amendments to Sec.  2.33 
and our responses are provided below.
Public Comments
    Several commenters expressed support for the proposed changes, 
saying that moving the list to the regulatory text reduces confusion; 
appropriately acknowledges the modern health care landscape and the 
role of third-party entities in facilitating access to SUD treatment 
services; and provides a helpful guide as to what information may be 
shared and for what purposes. One commenter said that SAMHSA is trying 
to do what it can to enable appropriate disclosures for the sake of 
part 2 program operations and coordination of care and still reasonably 
protect the privacy of the part 2 patient. Another appreciated the 
addition of the 18th item, ``other payment/health care operations 
activities not expressly prohibited,'' to clarify that the list is not 
exhaustive. One commenter supported the changes but said that adding 
these fairly numerous exceptions will add greater complexity to a 
regulation with which providers and payers already struggle. Other 
commenters supported the change but requested that SAMHSA include care 
coordination and case management in the list of permitted activities, 
as discussed further below.
SAMHSA Response
    We thank the commenters for their support and insights about the 
change. We address in a subsequent answer below public comments 
requesting the addition of care coordination and case management to the 
list of permitted activities in Sec.  2.33(b).
Public Comments
    One commenter supported the changes to Sec.  2.33 but requested 
additional clarification on how patient confidentiality will be 
assured.
SAMHSA Response
    We refer the commenter to Sec.  2.33(c), which outlines contract 
provisions for disclosures made under Sec.  2.33(b), ensuring that that 
contractors, subcontractors or voluntary legal representatives who 
receive information pursuant to this section are fully bound by the 
part 2 regulations, among other requirements. We also refer the 
commenter to Sec.  2.13(a), which states that any disclosures made 
under the regulations must be limited to that information that is 
necessary to carry out the purposes of the disclosure. As we have 
previously stated, to comply with Sec.  2.13, lawful holders should 
ensure that the purpose section of the consent form is consistent with 
the role of or services provided by the contractor or subcontractor 
(e.g. ``payment and health care operations'') (83 FR 244).
Public Comments
    One commenter requested additional clarification that a qualified 
service organization (QSO) under Sec.  2.11 can provide the same health 
care operation services that will now be codified in Sec.  2.33 for 
contractors of non-part 2 programs.
SAMHSA Response
    A QSO is an individual or entity who provides services to a part 2 
program consistent with a qualified service organization agreement 
(QSOA). Examples of services provided by QSOs include data processing, 
bill collecting, dosage preparation, laboratory analyses, or legal, 
accounting, population health management, medical staffing, or other 
professional services, or services to prevent or treat child abuse or 
neglect, including training on nutrition and child care and individual 
and group therapy. We believe many of these activities would overlap 
with those articulated in Sec.  2.33(b) related to information 
disclosures to a lawful holder's contractors, subcontractors and legal 
representatives for the purposes of payment and/or health care 
operations.
Public Comments
    One commenter recommended that SAMHSA clarify the term 
``information which is necessary to carry out the stated purpose'' in 
regard to activities related to training of student trainees and 
healthcare professionals; business planning and development; 
management; and customer services. Alternatively, the commenter 
suggested that the regulations could require that these individuals use 
the part 2 information in a manner that is compliant with the HIPAA 
privacy regulations.
SAMHSA Response
    Under Sec.  2.33(b), disclosures to a lawful holder's contractors, 
subcontractors and legal representatives for payment and health care 
operations must be limited to that information which is necessary to 
carry out the stated purpose of the disclosure. This provision helps to 
ensure that information is not shared more broadly than the purposes 
for which the patient consents. Thus, disclosures for any of the 
activities under Sec.  2.33(b) must be limited to that minimal amount 
of information that is truly necessary to carry out the purpose of the 
specific health care and payment operations activity intended. 
Likewise, under Sec.  2.13(a), information disclosed under the part 2 
regulations must be limited to that information which is necessary to 
carry out the purpose of the disclosure. To comply with Sec.  2.13, we 
have previously stated that part 2 programs and lawful holders 
disclosing information under Sec.  2.33(b) should ensure that the 
purpose section of the consent form is consistent with the role of or 
services provided by the contractor or subcontractor (e.g. ``payment 
and health care operations'') (83 FR 244).
    At this time, we note that this rule provides transitional 
regulations until such time as implementing regulations for Sec.  3221 
of the CARES Act come into effect. In future rulemaking, we will 
consider making further revisions to Sec.  2.33, consistent with the 
CARES Act.
Public Comments
    A few commenters requested additional clarity on the types of 
activities that are permitted. Commenters suggested expanding the list 
and providing examples of

[[Page 43010]]

permitted activities, as well as describing expectations for activities 
that are not on the list. One commenter suggested that, rather than 
listing the 17 activities, the language ``unless explicitly 
prohibited'' would provide more clarity. A few commenters said SAMHSA 
should be clearer that the list is not all-inclusive.
    One commenter asked that several items on the list of permitted 
activities be clarified to include specific activities. The commenter 
asked that the second item on the list, clinical professional support 
services (e.g., quality assessment and improvement initiatives, 
utilization review and management services), be further clarified to 
include the calculation of quality measures and creation of appropriate 
benchmarks; that the third item on the list, patient safety activities, 
be further clarified to include determination of drug-drug interaction 
and notification of a prescriber and pharmacy provider if a medication 
is being prescribed that would be contraindicated for an individual 
receiving MAT; that the fourth item on the list, activities pertaining 
to training, practitioner assessment and practitioner plan performance, 
and training of non-health care professionals, be clarified to permit 
health plans and their contractors to make site visits and review 
records of a part 2 program provider as part of the accreditation 
process and reaccreditation process; and that the 13th item on the 
list, business planning and development, including the development or 
improvement of methods of payment or coverage policies, include 
activities related to the development and implementation of delivery 
system and payment reform. One commenter asked SAMHSA to clarify that 
this section would allow part 2 claims information to be utilized to 
evaluate whether an individual is an appropriate candidate for a 
prescriber or pharmacy restriction program.
SAMHSA Response
    SAMHSA is finalizing in regulatory text under Sec.  2.33(b) an 
illustrative and lengthy set of categories of activities for which 
lawful holders would be allowed to further disclose the minimal 
information necessary to contractors, subcontractors, or legal 
representatives for payment and health care operations. SAMHSA expects 
that this list will provide needed direction and guidance to 
stakeholders about the reasons for which information may be disclosed 
under this section, and its broad language should also provide 
flexibility for stakeholders to carry out necessary activities within 
each category to provide part 2 patients with quality care. SAMHSA 
believes the categories are largely self-explanatory, and we decline to 
list examples of all the potential activities that fit within each 
category, given the variation in and the evolving nature of the health 
care delivery system. SAMHSA does expect that additional payment and 
health care operations activities beyond those explicitly named would 
be permitted under Sec.  2.33, and thus we are finalizing our proposal 
to add a final item to the list, indicating that other payment and 
health care operations activities not expressly prohibited are also 
allowed. The final item is intended to help ensure that stakeholders 
understand the list is not exclusive.
Public Comments
    A commenter asked if activities described in Sec.  2.33(b)(1)-(3) 
are only permissible with written patient consent, and if any of these 
activities fall under Sec.  2.12(c)(3). The commenter believed a part 2 
program needs consent before it shares information for operational 
activities such as supervision, training, quality assurance, peer 
review, etc. with an entity having direct administrative control over 
it.
SAMHSA Response
    The activities listed in Sec.  2.33(b) require a patient's consent 
to disclose his or her information for payment and health care 
operations. However, the part 2 regulations provide leeway for part 2 
programs to share information within their larger health care 
organizations. Section 2.12(c)(3) states that, ``The restrictions on 
disclosure in the regulations in this part do not apply to 
communications of information between or among personnel having a need 
for the information in connection with their duties that arise out of 
the provision of diagnosis, treatment, or referral for treatment of 
patients with SUDs if the communications are: (i) Within a part 2 
program; or (ii) Between a part 2 program and an entity that has direct 
administrative control over the program.'' The phrase ``direct 
administrative control'' refers to the situation in which a substance 
use disorder unit is a component of a larger behavioral health program 
or of a general health program.'' Additionally, under Sec.  2.53(a)(2), 
part 2 programs may determine that individuals or entities within their 
health care organizations are qualified to conduct audits and 
evaluations and may share information pursuant to such reviews. 
Further, information may be shared for audit and evaluation purposes 
under new Sec.  2.53(a)(1)(iii) and (b)(2)(iii) with entities that have 
direct administrative control over part 2 programs.
Public Comments
    Several commenters opposed the change, stating that it has the 
potential for strong negative impacts to patients who may not fully 
understand to what they are consenting; would greatly expand the number 
of redisclosures without consent, including to entities that are not 
involved in direct patient care; and make it more difficult to respond 
to emerging practices that threaten patient privacy. One commenter said 
that aside from treatment purposes and a business associate-styled 
exception (with protections) for EMR and HIE vendors, disclosures 
should generally require written consent of the patient. Another said 
that the proposed change would permit disclosure without consent so 
broadly as to undercut the idea of protections and make the rules 
unenforceable as injured parties would not be able to identify who 
violated the rules. One commenter said it may be more appropriate for 
the agency to provide the illustrative list of activities that fall 
under ``payment and health care operations'' as regulatory guidance 
instead of including it in the regulation itself, as publishing the 
list as guidance may enable providers to feel more comfortable 
participating in activities not explicitly listed, but important to 
providing coordinated patient care.
SAMHSA Response
    SAMHSA recognizes that lawful holders of part 2 information have 
legitimate needs to disclose that information to contractors, 
subcontractors and legal representatives, which play an integral role 
in the management, delivery and payment of health care services. The 
list of permitted activities was initially finalized as guidance in the 
2018 final rule preamble. SAMHSA has learned that including an 
illustrative list of permissible activities in the preamble rather than 
in the text of the regulation did not fully clarify the circumstances 
under which part 2 information could be further disclosed under Sec.  
2.33. Specifically, stakeholders may believe that a particular activity 
is not permissible unless it is explicitly identified within the 
regulatory text. SAMHSA is now codifying the list in the regulatory 
text for added clarity. SAMHSA believes it has struck the correct 
balance between protecting patient confidentiality and ensuring that 
lawful holders involved in providing and paying for SUD treatment can 
reasonably function in today's complex

[[Page 43011]]

health care delivery framework. While Sec.  2.33(b) allows for 
disclosures to contractors, subcontractors and legal representatives 
for health care payment and operational activities, SAMHSA has also 
placed limits on disclosures of part 2 information to such entities for 
such purposes. Specifically, Sec.  2.33(c) outlines contract provisions 
for disclosures made under Sec.  2.33(b) ensuring that that 
contractors, subcontractors or voluntary legal representatives are 
fully bound by part 2, among other requirements.
Public Comments
    A few commenters said that the activities included in the term 
``health care operations'' are so wide-ranging that they could be 
interpreted as permitting activities that could harm SUD patients by 
potentially allowing protected SUD information to be disclosed to 
employers. Commenters recommended the inclusion of anti-discrimination 
protection language in this section.
SAMHSA Response
    As we have previously indicated, promulgating rules that address 
discriminatory action is outside the scope of SAMHSA's legal authority 
(83 FR 248). However, we refer the commenter to Sec.  2.13(a), which 
states that patient records subject to the part 2 regulations may be 
disclosed or used only as permitted by the regulations and may not 
otherwise be disclosed or used in any civil, criminal, administrative, 
or legislative proceedings conducted by any federal, state, or local 
authority. Further, Sec. Sec.  2.64 and 2.65 describe required 
procedures and criteria for orders authorizing disclosures for criminal 
investigations of patients and for non-criminal purposes (such as a 
civil action).
Public Comments
    One commenter said that although this section does not cover care 
coordination or case management, other clarifications in the proposed 
rule address those questions sufficiently.
SAMHSA Response
    We appreciate this comment, but we also refer to our response below 
with regard to the addition of care coordination and case management to 
the list of permitted activities under Sec.  2.33(b).
Public Comments
    Many commenters objected to the exclusion of care coordination and 
case management under Sec.  2.33(b) and asked SAMHSA to align its 
policy with the HIPAA privacy rule by including these activities in the 
definition of health care operations, or to otherwise allow care 
coordination and case management to be included in the list of 
permitted activities. A few commenters specifically noted that SAMHSA 
has the authority under 42 U.S.C. 290dd-2 to enact this change. One 
commenter suggested these activities be reclassified as health coaching 
or other legitimate health plan operational activities in order to 
ensure the appropriate coordination of care, while another urged SAMHSA 
to adopt a specific care coordination exception to the consent 
requirement.
    Commenters gave many reasons for objecting to the exclusion of care 
coordination and case management from the list of permitted activities. 
Some commenters said the current policy is harmful to individuals with 
SUDs because it increases the risk of negative drug interactions, 
medical errors, overdose, or death; creates delays in care or in the 
receipt of MAT; and maintains and reinforces the stigma of SUD. Other 
commenters stated that disallowing care coordination and case 
management from the list of permitted activities is inconsistent with 
best practices and incompatible with the way health care is delivered 
today, hindering the ability to provide comprehensive, integrated, 
coordinated care that decreases emergency room and inpatient services. 
Commenters emphasized that optimal, safe care requires access to a 
patient's entire treatment history and current medications. Some 
commenters said that the current policy prevents insurers, Medicaid 
agencies, administrators, peer support organizations, and providers 
from making a more meaningful personal care impact and creates more 
difficulty in helping patients obtain better health outcomes.
    A few commenters said the current rule causes confusion and 
administrative burden for providers as well as health plans that have 
difficulty obtaining written consent from enrollees, patients who must 
sign multiple consent forms, and other parties involved with the 
provision of health care. A few commenters also emphasized that the 
current policy is misaligned with HIPAA and that allowing for care 
coordination and case management under Sec.  2.33(b) would ease 
administrative burden for entities subject to both part 2 and HIPAA. 
Another commenter said it would avoid the ``slippery slope'' of 
possibly expanding the proposed part 2 applicability changes to other 
non-part 2 lawful holders and for purposes beyond TPO. A few commenters 
also said that established definitions of ``care coordination'' and 
``case management'' do not refer to treatment, diagnosis and referral, 
but instead refer to more operational, or management-based activities.
    Several commenters emphasized potential benefits of including care 
coordination and case management in the list of permitted activities, 
such as increasing access to integrated, whole-person care; improving 
treatment adherence and outcomes; enabling managed care organizations 
to more easily provide valuable supports to their beneficiaries with 
SUD; avoiding duplicative prescriptions; facilitating communication 
with appropriate community-based organizations; alleviating complex 
consent requirements; and lowering overall health care costs. Another 
commenter said that recovery should be coordinated to address self-care 
practices, family, housing, employment, transportation, education, 
clinical treatment for mental disorders and SUDs, services and 
supports, primary healthcare, dental care, complementary and 
alternative services, faith, spirituality, creativity, social networks, 
and community participation.
    One commenter said that SAMHSA has offered no legal or policy basis 
for this unique definition and handling of care coordination and case 
management for SUDs. A few commenters felt that part 2 limits or 
prohibits sharing of SUD records for critical care coordination 
activities while allowing it for less essential payment and health care 
operations. One commenter emphasized that SUD treatment providers must 
be treated equally--or with parity--to other health care providers. 
Others observed that changing the current policy would be consistent 
with the proposal's goals of improving appropriate information flow and 
integrated care and is philosophically aligned with CMS' and HHS' 
broader efforts to create a more integrated and efficient care delivery 
system.
SAMHSA Response
    SAMHSA understands and acknowledges the commenters' concerns. 
SAMHSA recognizes that care coordination activities have numerous 
benefits described by the commenters, including the ability to protect 
patient safety, improve quality of care, and lower costs. SAMHSA also 
recognizes, consistent with commenter feedback, that many activities 
involving care coordination and case management are operational in 
nature, and distinguishable from the direct

[[Page 43012]]

disclosure of a treatment record from one provider (e.g., a part 2 
program) to another (e.g., a non-part 2 primary care physician) for the 
purpose of treatment and diagnosis.
    Because of the public comments that SAMHSA received on this issue 
in the proposed rule and the CARES Act amendments incorporating into 42 
U.S.C. 290dd-2 provisions permitting disclosure of part 2 information 
for care coordination and case management activities, SAMHSA has 
decided to add care coordination and case management to the list of 
examples of permissible activities under the heading of payment and 
health care operations in Sec.  2.33(b) in the regulatory text of the 
final rule. Under the final provision, a lawful holder who receives an 
SUD record subject to a patient's written consent may further disclose 
that record to its contractors, subcontractors, and/or legal 
representatives, for the purpose of carrying out care coordination or 
case management services in support of health care payment or 
operations. In order to avoid confusion about the extent of Sec.  
2.33(b), SAMHSA has also deleted from the regulatory text the statement 
that ``Disclosures to contractors, subcontractors, and legal 
representatives to carry out other purposes such as substance use 
disorder patient diagnosis, treatment, or referral for treatment are 
not permitted under this section.'' The revised, final rule language of 
Sec.  2.33(b), taken on its face, applies to a patient's consent to a 
disclosure of his records for the purpose of payment and/or health care 
operations.
    With regard to the revised, final rule language of Sec.  2.33(b), 
we also note that the passage of the CARES Act by Congress will result 
in a major change to the authorizing statute, and will provide far 
greater flexibility for patients and health care providers to share SUD 
records than currently allowed under 42 U.S.C. 290dd-2. The revised, 
final rule language of Sec.  2.33(b) represents an interim and 
transitional step towards more flexibility in consented-to disclosures 
for purposes of care coordination and case management, consistent with 
the realignment to the HIPAA privacy rule that is required by several 
provisions under the CARES Act. Again, HHS intends to publish a new 
NPRM and subsequently to issue final implementing regulations for the 
CARES Act in the future.
    In the interim, note also that several other sections of this final 
rule, particularly at Sec.  2.11 and Sec.  2.12, separately will help 
to facilitate instances in which a care coordination activity is 
intermediated by a disclosure directly from a part 2 program to a non-
part 2 provider for the purpose of treatment.
Public Comments
    A few commenters said it is unclear whether care coordinators can 
be considered to have a treating provider relationship with the patient 
for purposes of the general designation option, and/or that they should 
be recognized as having a treating provider relationship for the 
purposes of part 2. One commenter said that this ambiguity is 
particularly challenging for accountable care organizations (ACOs), as 
patients may be passively attributed to the ACO and may not recognize 
the ACO's role in coordinating his or her care. The commenter requested 
that SAMHSA clarify under what circumstances an ACO can use disclosed 
part 2 information when the patient often is unaware that he/she is 
participating in the ACO due to passive attribution.
SAMHSA Response
    As SAMHSA has previously indicated, individuals and entities that 
meet the definition of having a treating provider relationship with the 
patient are considered treating providers. The determination is fact-
specific. (82 FR 6082). SAMHSA declines to explicitly broaden the term 
``treating provider relationship'' to include all persons and entities 
that engage in any form of care coordination activity in this final 
rule. However, SAMHSA also has noted previously (82 FR 6085) that the 
definition of ``treating provider relationship'' is sufficiently broad 
to cover the necessary components of a patient's care team. SAMHSA may 
provide further sub-regulatory guidance in the future with regard to 
ACOs, if further clarification is needed.
Public Comments
    A few commenters suggested that SAMHSA allow part 2 records to be 
disclosed for the purposes of care coordination with specific written 
patient consent that is clear and understandable. A few commenters said 
that SAMHSA could permit the use of a one-time, generalized consent 
that would allow for the disclosures and redisclosures for treatment, 
payment, and health care operations purposes to HIPAA-covered entities 
and part 2 programs. Similarly, a commenter emphasized that allowing 
general consent to share SUD information with caregivers for ``other 
treatment'' purposes, including placement and care coordination, would 
reduce the significant administrative burden associated with generating 
a specific consent prior to each instance that this information is 
shared with caregivers. Another commenter recommended that SAMHSA 
revise 42 CFR 2.33(b) to allow lawful holders that receive part 2 
records pursuant to a patient's consent to disclose such information to 
their contractors, subcontractors, and legal representative for ``all 
purposes authorized by the patient.'' One commenter urged SAMHSA to 
adhere to the American Academy of Family Physicians' (AAFP's) policy on 
Patient/Physician Confidentiality regarding the privacy of medical 
information, and specifically that third-party payer and self-insured 
employer policies and contracts should explicitly describe the patient 
information that may be released, the purpose of the information 
release, the party who will receive the information, and the time 
period limit for release.
SAMHSA Response
    As explained above, SAMHSA has made a change to the regulatory text 
of Sec.  2.33(b), to add care coordination and case management to the 
list of examples of permissible disclosures under the heading of 
payment and operations. Under the final provision, a lawful holder who 
receives an SUD record subject to a patient's written consent may 
further disclose that record to its contractors, subcontractors, and/or 
legal representatives, for the purpose of carrying out care 
coordination or case management services in support of health care 
payment or operations. SAMHSA believes that this revision to Sec.  
2.33(b) will strike the appropriate balance in facilitating disclosures 
with patient consent, for the purpose of operational care coordination 
and case management activities. SAMHSA believes that it is beyond the 
scope of the current rule-making to address AAFP's policy, with regard 
to instituting new requirements for third-party payer and self-insured 
employer policies and contracts, and thereby describing and limiting 
any corresponding release of information from patient records.
Public Comments
    One commenter expressed concern that SAMHSA has also continued to 
exclude diagnosis, treatment, and referral to treatment from the 
proposed rule's definition of health care operations, and urged SAMHSA 
to further revise the rule to include these critical activities in its 
definition of health care operations.

[[Page 43013]]

SAMHSA Response
    SAMHSA is making a change to Sec.  2.33(b) in the final rule 
addressing these issues, as described above.
Public Comments
    A few commenters advocated that 42 CFR part 2 be brought into full 
alignment with HIPAA, saying it would streamline consents; reduce 
barriers to data sharing, care coordination and treatment; and maintain 
appropriate privacy protections. Commenters emphasized that full 
alignment with HIPAA would better reflect current health care 
operations as well as legal and social healthcare policy. One commenter 
said that the HIPAA privacy framework includes protections for 
healthcare records, conversations with providers about care decisions 
or treatment, and personal information, such as billing information. 
Another commenter noted that providers have years of experience with 
the HIPAA framework, have processes in place to ensure that coverage 
and treatment information is protected, and face the risk of 
enforcement penalties under HIPAA. A few commenters urged SAMHSA to 
allow part 2 records to be shared without re-disclosure restrictions as 
long as any re-disclosures are for similar treatment, payment and 
health care operations purposes, or alternatively that SAMHSA include 
the sharing of medical records from part 2 providers with HIPAA-covered 
providers, health plans and care coordination entities without patient 
consent, including the exchange of that information through Health 
Information Exchanges. Another commenter recommended that if such 
streamlining cannot be accomplished, SAMHSA provide further guidance to 
industry regarding ways in which important patient care objectives can 
still be achieved despite the restrictions.
SAMHSA Response
    Due to its targeted population, part 2 provides more stringent 
federal protections than most other health privacy rules, including 
HIPAA. In light of the part 2 authorizing statute and its intent, 
SAMHSA is unable to create the alignment suggested by the commenters. 
However, in this final rule, SAMHSA does make numerous revisions to the 
part 2 regulations that will improve information sharing among a 
patient's treating providers, which should enhance the ability to 
coordinate care and better serve patients receiving treatment from part 
2 programs. In this regard, we also note that the current rule provides 
a transitional standard until such time as implementing regulations for 
Sec.  3221 of the CARES Act come into effect. In future rulemaking, we 
will consider making additional revisions to Sec.  2.33, as needed to 
implement relevant provisions under the CARES Act.
Public Comments
    One commenter suggested clarifying that a patient does not need to 
complete the ``purpose'' section of a 42 CFR part 2-compliant consent 
form for it to be a valid authorization. The commenter said that 
denying a patient-directed release of information because the patient 
has failed to complete this section is not appropriate or consistent 
with SAMHSA's commitment to ``patient choice in disclosing 
information.''
SAMHSA Response
    We disagree with the commenter. Section 2.31(a)(5) requires the 
consent to include the purpose of the disclosure. Section 2.31(b) 
states that a disclosure may not be made on the basis of a consent 
which on its face substantially fails to conform to any of the 
requirements set forth in Sec.  2.31(a).
Public Comments
    Several commenters offered ideas for topics that future regulations 
or guidance could address, including phone screenings; new care models; 
the use of digitized voice consent; and a templated, plain language 
part 2 record consent form that could be used to better standardize 
disclosures, provided in an electronic format that would allow 
populated data to be easily integrated into information management 
systems.
SAMHSA Response
    We thank the commenters for their suggestions and will consider 
these ideas for future guidance.

G. Disclosures To Prevent Multiple Enrollments (Sec.  2.34)

    SAMHSA is finalizing this section as proposed.
    In the 2017 final rule, SAMHSA modernized Sec.  2.34 by updating 
terminology and revising corresponding definitions. Section 2.34 
permits, with consent, disclosure of patient records to a withdrawal 
management or maintenance treatment program within 200 miles of a part 
2 program. After considering comments, we retained the specificity of 
``200 miles'' to prevent multiple enrollments that could result in 
patients receiving multiple streams of SUD treatment medications, which 
in turn may increase the likelihood of an adverse event or of diversion 
(82 FR 6094).
    Central registries, defined in Sec.  2.11, do not exist in all 
states, and the defining parameters for the operation of the registries 
vary somewhat across states and across part 2 programs. However, in the 
context of the opioid epidemic, recent experience has demonstrated that 
it is important for all providers who work with SUD patients, including 
non-opioid treatment program (non-OTP) providers, to have access to the 
information in the central registries, for the purpose of helping 
prevent duplicative patient enrollment for opioid use disorder 
treatment. Access to central registry information is also needed by 
non-OTP providers to fully inform their decisions when considering 
appropriate prescription drugs, including opioids, for their patients.
    Methadone is a long-acting opioid used to treat opioid use 
disorders and for pain that, when used at levels higher than 
recommended for an individual patient, can lead to low blood pressure, 
decreased pulse, decreased respiration, seizures, coma, or even death. 
When used as a part of a supervised MAT program, methadone is a safe 
and effective treatment for SUD, including opioid use disorder (OUD). 
Methadone is a long-acting opioid, subject to accumulation when its 
metabolism is inhibited. Its effects may be potentiated by certain 
other drugs with which it may have pharmacodynamic interactions, so the 
medication is specifically tailored to each individual patient and must 
be used exactly as prescribed. Exceeding the specific dosing can lead 
to dangerous side effects and potential overdose. Other medications, 
including other SUD treatments, such as buprenorphine, as well as other 
medication including other opioids, benzodiazepines, HIV medications, 
certain antipsychotics and anti-depressants, also have the potential to 
interact dangerously with methadone.
    Buprenorphine products are also long-acting opioid formulations 
approved by FDA for treatment of opioid use disorder, subject to 
limitations, which can be dispensed at OTPs, and in outpatient 
settings. While buprenorphine is demonstrated to exhibit a ceiling 
effect on respiratory depression in persons with opioid tolerance, it 
has significant opioid effects in those without tolerance which can 
contribute to adverse events including opioid overdose. Both of these 
long acting opioids (methadone and buprenorphine) have potential drug 
interactions with other medications that could lead to adverse events, 
including drug toxicity and opioid overdose.
    These realities underscore the reason it is important for a 
prescriber to check

[[Page 43014]]

central registries, when possible, to assure that it is appropriate to 
prescribe the contemplated opioid therapies for a particular 
individual. The ability to query a central registry regarding any 
duplicative enrollment in similar treatment can also be crucial to 
effective care, and to ensuring patient safety. Similarly, to avoid 
opioid-related adverse events, it is imperative that prescribing 
clinicians be aware of any opioid therapy that may be in current use by 
a patient prior to making further medication prescribing decisions.
    Under the current language of Sec.  2.34(a), a part 2 program may 
seek a written patient consent in order to disclose treatment records 
to a central registry. In turn, the recipient central registry may only 
disclose patient contact information for the purpose of preventing 
multiple enrollments under Sec.  2.34(b). Currently, under Sec.  
2.34(c), the central registry may only disclose when asked by a 
``member program'' whether an identified patient is enrolled in another 
member program.
    SAMHSA proposed to expand the scope of Sec.  2.34 to make non-OTP 
providers with a treating provider relationship with the patient 
eligible to query a central registry to determine whether the specific 
patient is already receiving opioid treatment through a member program 
to prevent duplicative enrollments and prescriptions for excessive 
opioids, as well as to prevent any adverse effects that may occur as a 
result of drug interactions with other needed medications. 
Specifically, SAMHSA proposed to amend Sec.  2.34(b) to include the use 
of central registry information to coordinate care with a non-part 2 
program. In addition, we proposed to add a new subsection (d) to 
specifically permit non-member treating providers to access the central 
registries. Previous subsection (d) would be re-designated as 
subsection (e).
    SAMHSA believes that disclosures by central registries to non-OTP 
treating providers will help to ensure patient safety, and to prevent 
duplicative treatment plans and medications or medication doses that 
could place a patient receiving SUD treatment at risk.
    The comments we received on the proposed amendments to Sec.  2.34 
and our responses are provided below.
Public Comments
    Many commenters believed the proposed changes will prevent 
duplicative prescriptions, avoid adverse drug events, ensure patient 
safety, foster care coordination, and improve care quality.
SAMHSA Response
    SAMHSA appreciates the comments and agrees that the finalized 
changes will give all providers with a treating relationship important 
information for treating patients with SUD, thereby increasing 
coordination and quality of care and improving patient safety.
Public Comments
    A few commenters expressed concern that the proposed changes, if 
finalized, would reduce patient privacy and increase stigma and harm. 
Some commenters drew a distinction between changes proposed in Sec.  
2.36 and changes proposed in this section, noting that sharing 
information from central registries would infringe upon patient privacy 
protections in a way that contravenes 42 CFR part 2. One commenter 
expressed concern that the proposed changes are unnecessary and that 
medication information can be gathered through drug screens.
SAMHSA Response
    SAMHSA is committed to improving the lives of people living with 
SUD, and individuals with SUD face real stigma. We believe that 
allowing medical professionals with a treating provider relationship 
access to central registries will improve the quality and safety of 
care for these individuals. We also believe that increasing care 
coordination and information access within an individual's care team 
will reduce stigma by giving providers accurate and comprehensive 
information about a patient's medical needs. We appreciate commenters' 
concerns regarding patient privacy and remain dedicated to protecting 
information for individuals with SUD. SAMHSA believes that privacy 
cannot come at the cost of patient care and safety, and the proposed 
changes seek to balance the critical importance of patient 
confidentiality with the vital information required for medical 
professionals to provide the highest quality care to individuals with 
SUD. We also note that central registries already exist as defined in 
Sec.  2.11 and the proposed changes in this rule would not create new 
registries. SAMHSA acknowledges that some information can be obtained 
from patient drug screens. However, accurate dosing and frequency of 
medications cannot be obtained from drug screens and these types of 
screens do not offer a reliable substitute for the proposed changes.
Public Comments
    A few commenters in Sec. Sec.  2.34 and 2.36 expressed concern 
about the concept of central registries, and noted that they were 
opposed to requiring patients with SUD to be listed on a registry.
    Several commenters requested clarification on the process to obtain 
consent for the proposed changes. Other commenters requested 
clarification on how the proposed changes would or would not compel 
corresponding changes in state law to permit access to central 
registries.
    A few commenters requested clarification on the privacy protections 
afforded to information obtained by non-OTP providers from central 
registries if the information in the non-OTP record is not segmented. 
Some of these commenters also asked if the access to central registries 
was limited to physicians or open to other health care professionals 
with a treating provider relationship such as physician assistants or 
nurse practitioners.
SAMHSA Response
    As noted earlier, SAMHSA understands the concerns of these 
commenters and would like to clarify that central registries as defined 
under Sec.  2.11 already exist within OTPs and are used solely for the 
purpose of maintaining health care information. The proposals within 
this section would not create new requirements that compel patients 
with SUD to register on any lists.
    SAMHSA anticipates that OTPs may update existing consent forms to 
include new language regarding information shared with non-OTP treating 
providers, or create new consent forms for this purpose. It is SAMHSA's 
understanding that while many state laws do not inherently prevent 
access to central registries, some states may consider legal updates to 
ensure that non-OTP providers are not expressly prohibited from such 
access.
    We appreciate commenter questions regarding the privacy protections 
afforded to information shared with non-OTP providers. Central registry 
information consists primarily of basic patient contact information and 
medication and dosage information limited to any treatment an 
individual is receiving from that OTP. Any information recorded by a 
non-OTP provider in her own practice's patient record originating from 
a central registry query would be similarly limited. We anticipate that 
a non-OTP provider would discuss a patient's SUD treatment history at a 
specific OTP prior to querying that OTP's central registry. Therefore, 
any information obtained from the central registry query will 
supplement information provided by the patient in that encounter with 
the non-OTP provider. While SAMHSA

[[Page 43015]]

does not limit central registry queries to physicians, any non-OTP 
providers including physicians and non-physician (i.e. nurse 
practitioners, physician assistants) must demonstrate a treating 
provider relationship in accordance with relevant state law prior to 
querying a central registry.
Public Comments
    A few commenters noted that while they are supportive of the 
proposed changes to permit non-OTP providers access to central 
registries, they would prefer the language in Sec.  2.34 to require 
central registries to report to non-OTP treating providers. A few 
commenters expressed a preference for requiring such reporting without 
patient consent to ensure information accuracy, noting that permitting 
such reporting does not go far enough to protect patient safety. One 
commenter suggested that Part 2 programs be required to undertake such 
reporting in addition to central registries.
SAMHSA Response
    We appreciate these comments and understand concerns that these 
proposed changes offer maximum impact for patient safety and 
information accuracy. Central registries vary widely. Some states may 
operate robust central registries while others may have more limited 
capabilities or may not operate a central registry at all. Given this 
variation, it is infeasible to require central registries or part 2 
programs to report to external non-part 2 providers. Furthermore, 
SAMHSA has no authority under 42 U.S.C. 290dd-2 to impose such a 
requirement and declines to do so at this time.
Public Comments
    One commenter recommended that SAMHSA utilize existing health 
information exchanges or networks to coordinate queries to central 
registries.
    A few commenters recommended that SAMHSA establish minimum 
standards for central registries and require OTP participation in a 
central registry. These commenters noted that while the proposed 
changes will improve care coordination and patient safety, the lack of 
standardization and wide variation across central registries creates 
challenges for all providers treating patients with SUD. Some of these 
commenters stated that they were not aware of any central registries in 
their area even though they were aware of OTPs providing SUD services 
and requested that SAMHSA reconsider the role of central registries.
SAMHSA Response
    We will consider these suggestions and continue to assess 
opportunities to improve the operational efficiency and efficacy of 
central registries.

H. Disclosures to Prescription Drug Monitoring Programs (Sec.  2.36)

    SAMHSA is finalizing this section as proposed.
    A prescription drug monitoring program (PDMP) is a statewide 
electronic database that collects, analyzes, and makes available 
prescription data on controlled substances prescribed by practitioners 
and non-hospital pharmacies.\6\ Forty-nine states, St. Louis County, 
Missouri \7\ and the District of Columbia have legislatively mandated 
the creation of PDMPs. Most states had developed their own PDMP prior 
to the current opioid crisis; however, few prescribers accessed 
them.\8\ As opioid use disorder rates, overdoses and deaths increased 
significantly since 1999, the majority of states began requiring health 
professionals to check the state's PDMP \9\ before prescribing 
controlled substances to patients. Currently, 41 states require 
physicians to use their state's PDMP to analyze prescription history 
prior to writing a prescription for opioids or other controlled 
substances.\10\ Studies have shown that states that have implemented 
such a requirement have seen declines in overall opioid prescribing, 
drug-related hospitalizations, and overdose deaths.\11\
---------------------------------------------------------------------------

    \6\ SAMHSA's Center for the Application of Prevention 
Technologies; Using Prescription Drug Monitoring Program Data to 
Support Prevention Planning. Available at: https://www.samhsa.gov/capt/sites/default/files/resources/pdmp-overview.pdf.
    \7\ Former Missouri Gov. Greitens ordered the creation of a 
statewide PDMP in July 2017, but state lawmakers have not yet 
authorized funding for the program. St. Louis County started its own 
PDMP in April 2017, which covers nearly 80 percent (28 counties and 
6 cities) of Missouri physicians and pharmacists.
    \8\ Brandeis University Prescription Drug Monitoring Program 
Training and Technical Assistance Center. Available at: https://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.
    \9\ Pew Charitable Trusts and National Alliance for State Model 
Drug Laws. Available at: https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2017/12/29/in-opioid-epidemic-states-intensify-prescription-drug-monitoring.
    \10\ Pew Charitable Trusts. When are Prescribers Required to Use 
Prescription Drug Monitoring Programs? January 24, 2018. Available 
at: https://www.pewtrusts.org/en/research-and-analysis/datavisualizations/2018/when-are-prescribers-required-to-use-prescription-drug-monitoring-programs.
    \11\ Brandeis University Prescription Drug Monitoring Program 
Training and Technical Assistance Center. Available at: https://www.pdmpassist.org/pdf/Resources/Briefing_on_mandates_3rd_revision_A.pdf.
---------------------------------------------------------------------------

    Most PDMPs track prescription drug information on Schedule II-V 
controlled medications. Pharmacies must submit the prescription data 
required by their state's PDMP, depending on the state's statutory 
requirements. More robust PDMP programs have been associated with 
greater reductions in prescription opioid overdoses.\12\ As noted 
above, this data allows providers to ensure that a patient is not 
receiving multiple prescriptions and to enhance patient care and 
patient safety.
---------------------------------------------------------------------------

    \12\ Pew Charitable Trusts. When are Prescribers Required to Use 
Prescription Drug Monitoring Programs? January 24, 2018. Available 
at: Available at: https://www.pewtrusts.org/en/research-and-analysis/datavisualizations/2018/when-are-prescribers-requiredd-to-use-prescription-drug-monitoring-programs.
---------------------------------------------------------------------------

    Presently, OTPs are not required to report methadone or 
buprenorphine dispensing to their states' PDMP. In our 2011 guidance 
letter, SAMHSA encouraged OTP staff to access PDMPs, but stated that 
OTPs could not disclose patient identifying information to a PDMP 
unless an exception applies, consistent with the federal 
confidentiality requirements.\13\ SAMHSA no longer believes this policy 
is advisable in light of the current public health crisis arising from 
opioid use, misuse, and abuse. In the past 10 years, there has been a 
substantial increase in prescription drug misuse, admissions to 
substance use facilities, emergency department visits and opioid-
related deaths.\14\ The omission of OTP data from a PDMP can lead to 
potentially dangerous adverse events for patients who may receive 
duplicate or potentially contraindicated prescriptions as part of 
medical care outside of an OTP, thereby placing them at risk for 
adverse events, including possible overdose or even fatal drug 
interactions.
---------------------------------------------------------------------------

    \13\ Clark HW. Dear Colleague letter. September 27, 2011. 
Available at: https://www.samhsa.gov/sites/default/files/programs_campaigns/medication_assisted/dear_colleague_letters/2011-colleague-letter-state-prescription-drug-monitoring-programs.pdf.
    \14\ SAMHSA. In Brief: Prescription Drug Monitoring Programs: A 
Guide For Healthcare Providers. Volume 10, Issue 1 (Winter 2017). 
Available at: https://store.samhsa.gov/system/files/sma16-4997.pdf.
---------------------------------------------------------------------------

    SAMHSA believes that permitting part 2 programs, including OTPs, 
and lawful holders to enroll in PDMPs and submit the dispensing data 
for controlled substances required by states currently for other 
prescribed, controlled substances would allow for greater patient 
safety, better patient treatment, and better care coordination among 
the patient's providers. Therefore, SAMHSA proposed to add a new 
section Sec.  2.36, permitting part 2

[[Page 43016]]

programs, OTPs and other lawful holders to report the required data to 
their respective state PDMPs when dispensing medications with written 
consent from the patient whose identifying information will be 
disclosed prior to making such reports. This update is consistent with 
the proposal under Sec.  2.34(c) to allow non-OTPs to query central 
registries to prevent duplicate enrollment.
    SAMHSA acknowledges that the proposed provision may raise concerns 
about law enforcement access to PDMPs, particularly in those states in 
which PDMPs are operated by a law enforcement agency. However, 
individuals are not limited to OTPs when seeking OUD treatment. 
Prescriptions written for OUD opioid pharmacotherapy by non-OTP 
providers are already recorded in the state PDMP. By implication, PDMPs 
operated by law enforcement agencies are already receiving some patient 
data related to SUD treatment. Although the current proposal might 
expand that practice, it would not create it. And because the 
disclosure of SUD patient records by OTPs would be made contingent on 
written patient consent, any negative impact on patient confidentiality 
seems likely to be small. By contrast, the omission from PDMPs of 
dispensing and prescribing data from OTPs presents serious safety risks 
for SUD patients. While the reporting of patient data to a PDMP by an 
OTP would make it possible for law enforcement, prescribers, and 
pharmacies with access to a PDMP to determine that a specific patient 
had received services at a specific OTP, law enforcement would still 
require a court order meeting the requirements of Sec.  2.65 to access 
the covered records of that patient or any other patient served at the 
OTP. SAMHSA believes that allowing for OTP reporting to PDMPs further 
enhances PDMPs as a tool to help prevent prescription drug misuse and 
opioid overdose, while providing more complete and accurate data. In 
turn, more robust PDMP data is imperative for prescribers and providers 
to make better and more accurate patient care decisions while 
increasing patient safety and assuring appropriate care.
    We note that, under Sec.  3221(k) of the CARES Act, it is the sense 
of Congress that any person treating a patient through a program or 
activity with respect to which 42 CFR part 2 protections apply is 
encouraged to access the applicable PDMP when clinically appropriate. 
In future rulemaking, we will consider the possibility of making 
revisions to Sec.  2.36, as needed to implement relevant provisions 
under the CARES Act. The comments we received on the proposed new 
provision of Sec.  2.36 and our responses are provided below.
Public Comments
    Many commenters supported the proposed changes, noting that PDMPs 
are an important tool for improving care coordination and safety for 
patients with SUD and that completeness of information is critical for 
all providers treating patients with SUD. Several commenters believed 
that this proposal will reduce deaths from adverse drug interactions. A 
few other commenters noted that many physicians and health care 
professionals are not aware that PDMPs do not currently contain 
comprehensive information on patient medications and they believed that 
this proposal is essential for improving patient care and safety, 
particularly for individuals receiving MAT.
SAMHSA Response
    We appreciate the supportive comments and agree that the proposal 
will improve the quality and safety of care for individuals with SUD.
Public Comments
    Many commenters opposed the proposed changes and expressed concerns 
about the potential breach of privacy patients may face and noted 
specific concerns regarding stigma, discrimination, and decreased 
likelihood of seeking treatment as a result of the proposed changes.
SAMHSA Response
    As stated previously, SAMHSA is committed to improving the lives of 
people living with SUD, and individuals with SUD face real stigma. We 
believe that increasing care coordination and information access within 
an individual's care team will reduce stigma by giving providers 
accurate and comprehensive information about a patient's medical needs.
Public Comments
    One commenter expressed concern about PDMP data being utilized for 
pre-employment physical examinations and Department of Transportation 
medical examinations and requested clarification on the appropriateness 
of PDMP data for occupational health purposes.
    One commenter questioned the language in the proposed changes that 
includes medications prescribed and dispensed, noting that providers 
report only dispensed medications and not prescribed medications.
    Several commenters requested SAMHSA to provide further 
clarification to states to legally permit OTPs to enroll in PDMPs in 
instances where doing so may currently contravene state PDMP laws or 
where state PDMP laws do not currently support OTP reporting.
    Some of these commenters noted that state PDMP capabilities vary 
and some systems have more robust information than others. These 
commenters encouraged SAMHSA to work with states to facilitate PDMPs 
that can accommodate the proposed changes.
    A couple commenters requested clarification on the patient consent 
process given the changing nature of PDMP capabilities. One commenter 
expressed concern that a patient's willingness to consent may change if 
the components or capabilities of a PDMP also change, and this should 
be taken into consideration in the proposed changes.
    One commenter requested clarification for states as they work to 
modernize PDMPs, and expressed concern about unfunded costs to states 
to operationalize PDMPs for the type of reporting in the proposed 
changes.
    A few commenters requested clarification on whether consent to 
disclose to PDMPs would be a separate consent or if it could be added 
to existing patient consent documentation. Some of these commenters 
also requested clarification on the level of specificity required if a 
patient requests a list of entities per Sec.  2.31. A couple of 
commenters requested clarification as to whether additional consent is 
required regarding redisclosure and the sharing of part 2 information 
to each PDMP registered end user. One commenter requested clarification 
on the decision to support OTP disclosures to PDMPs but not for the 
purposes of care coordination or case management under Sec.  2.33.
SAMHSA Response
    SAMHSA acknowledges concerns about the use of PDMP data for 
occupational health decisions. It is not the intention of SAMHSA to 
permit the use of SUD information in pre-employment occupational health 
examinations, although SAMHSA does not have the statutory authority to 
control how states choose to utilize the data captured within their 
PDMPs. We note, however, that pursuant to Sec.  2.13(a), patient 
records subject to the part 2 regulations may be disclosed or used only 
as permitted by the regulations and may not otherwise be disclosed or 
used in any civil, criminal, administrative, or legislative

[[Page 43017]]

proceedings conducted by any federal, state, or local authority. While 
many state PDMPs require information solely upon dispensing, some state 
PDMP laws require prescribers to enter information at the point of 
prescribing and our language reflects the variation in these laws.
    SAMHSA appreciates comments regarding PDMP capabilities and 
variations across states. Because PDMPs are operated by each state, it 
will be up to each state to update PDMP laws in a way that permits OTPs 
to enroll in PDMPs and maintain systems that accommodate the needs of 
registered users.
    We understand commenter concern regarding the consent process. 
PDMPs are updated to provide maximum usability and information 
accuracy. Inherent in a patient's consent is the understanding that a 
PDMP database is continuously updated with current prescribing and 
dispensing information. Part 2 programs may consider periodic updates 
to their consent forms to reflect any substantial changes to their 
state PDMP.
    SAMHSA appreciates the costs to states as they modernize and update 
PDMPs. While the proposed changes may require some state PDMPs to adapt 
or adopt new capabilities, we note that the goal of PDMPs is to provide 
accurate, timely information on prescribing and dispensing. The 
evolving nature of medical and pharmaceutical care requires routine 
maintenance and updates and we do not believe these proposed changes 
exceed those obligations. SAMHSA anticipates that OTPs may update 
existing consent forms to include new language regarding information 
shared with non-OTP treating providers, or create new consent forms for 
this purpose. We do not expect the proposed changes to require 
additional consent for redisclosure to each registered PDMP end-user.
    Changes proposed under Sec.  2.36 require that the patient 
specifically consent to the disclosure to a PDMP. This is distinct from 
disclosures for care coordination under Sec.  2.33, which require only 
that the patient generally consent to the part 2 program making a 
disclosure for payment and/or health care operations activities.
Public Comments
    Several commenters requested that patient consent not be required 
because of the potential adverse effects on safety if an individual 
declines treatment due to the PDMP consent requirement and/or provides 
incomplete or inaccurate information as a result of the consent 
requirement. A few commenters requested that OTPs be required to report 
to PDMPs to provide the most complete information and to fill in gaps 
that may be created by varied PDMP usability and/or inconsistent 
standards and availability of central registry data.
SAMHSA Response
    As stated previously, we appreciate these comments and understand 
concerns that these proposed changes offer maximum impact for patient 
safety and information accuracy. State operation of PDMPs and part 2 
program operation of central registries vary widely. Furthermore, 
SAMHSA has no authority under 42 U.S.C. 290dd-2 to impose such a 
requirement and declines to do so at this time.
Public Comments
    One commenter recommended leveraging the use of statewide HIEs and 
HINs to coordinate queries to central registries and PDMPs.
    A few commenters recommended a national prescription drug 
monitoring database as an alternative to state-level PDMPs and central 
registries.
    A few commenters noted that common industry standards for PDMPs 
would be valuable given their utility in fighting the opioid crisis. 
One of these commenters also noted that e-prescribing provides a 
valuable alternative to tracking opioid prescriptions. This commenter 
expressed concerns about the lack of interoperability between EHRs and 
PDMPs and noted that this could create barriers for clinicians 
attempting to use PDMPs in real-time during patient encounters.
    One commenter recommended educating non-OTP providers as the 
proposed changes may bring individuals with SUD into contact with 
clinicians who are unfamiliar with OTP protocols, terms, benefits, and 
limitations.
    One commenter recommended moving proposed changes related to PDMPs 
to Sec.  2.31(a)(4)(B) to say, ``such as an entity that facilitates the 
exchange of health information, prescription drug monitoring program, 
or a research institution.''
    A few commenters recommended notifying PDMP users that information 
related to medications dispensed from OTPs may still be incomplete as a 
result of patient consent requirements.
SAMHSA Response
    SAMHSA appreciates suggestions from commenters to better facilitate 
the integration of PDMP reporting among OTPs. PDMPs are overseen by 
states, and SAMHSA does not govern their operation. We agree that OTPs 
may find benefit in educating providers about PDMPs and expect that the 
registration process will inform registered OTP users about the 
specific regulations governing the use and capabilities of the PDMP 
within their state. We also believe that non-OTP providers may benefit 
from education on SUD to become familiar with the unique needs of the 
patients they treat who may be living with SUD.
Public Comments
    Many commenters expressed specific concerns regarding law 
enforcement access to PDMPs and shared fears of increased criminal 
prosecution or adverse legal action for patients with SUD. One 
commenter requested clarification on how a request for information 
regarding a specific patient traceable by the law enforcement agency 
with oversight of the PDMP to an OTP provider would be outside the 
definition of ``disclose'' in Sec.  2.11.
    A couple of commenters noted that specific guidance from SAMHSA 
reiterating that law enforcement may not seek individual patient 
records without a court order may be reassuring for patients. Other 
commenters noted that even though 42 CFR part 2 requires a court order 
from law enforcement to obtain individual patient records, many state 
PDMPs do not currently require a court order which could open a 
backdoor for law enforcement access without immediate changes to state 
PDMP law. Several commenters noted that while law enforcement may be 
required to obtain a court order before seeking additional records, 
sensitive inferences can be made from prescription records alone.
    One commenter suggested that states with law enforcement agency 
oversight of the PDMP should move the operations to a different agency 
authority. A couple of other commenters suggested the addition of anti-
discrimination language within Sec.  2.36 that would provide more 
explicit protections against insurance, health care, and legal 
discrimination.
    One commenter expressed concern about state laws that penalize 
pregnant or parenting women with SUD and noted that OTP reporting to 
PDMPs would create a significant disincentive for those women to seek 
necessary treatment.
SAMHSA Response
    SAMHSA understands concerns from commenters regarding law 
enforcement interaction with PDMPs. As stated previously, PDMPs are 
overseen by states and SAMHSA does not govern

[[Page 43018]]

their operation. While we appreciate concerns about the challenges 
faced by individuals with SUD, especially with regard to interactions 
with law enforcement, we believe that allowing for OTP reporting to 
PDMPs further enhances PDMPs as a tool to help prevent prescription 
drug misuse and opioid overdose, while providing more complete and 
accurate data. This robust data is critical for providers and 
prescribers to make accurate and safe decisions for patient care. As 
stated in our response to similar comments on anti-discrimination 
language in response to the 2018 Final Rule, promulgating rules that 
address discriminatory action is outside the scope of SAMHSA's current 
legal authority (83 FR 248). With this being said, note that we 
anticipate revisiting Sec.  2.36 in future rulemaking to implement the 
CARES Act, and we will continue to consider the concerns about PDMPs 
and law enforcement in that context.

I. Medical Emergencies (Sec.  2.51)

    SAMHSA is finalizing this section as proposed.
    Under Sec.  2.51, disclosures of SUD treatment records without 
patient consent are permitted in a bona fide medical emergency. 
Although not a defined term under part 2, a ``bona fide medical 
emergency'' most often refers to the situation in which an individual 
requires urgent clinical care to treat an immediately life-threatening 
condition (including, but not limited to, heart attack, stroke, 
overdose), and in which it is infeasible to seek the individual's 
consent to release of relevant, sensitive SUD records prior to 
administering potentially life-saving care. SAMHSA proposed to amend 
this section to address the impact of major \15\ and natural disasters, 
declared by state or federal authorities, on access to substance use 
treatment and services, in addition to the more common situation of an 
individual experiencing a ``bona fide medical emergency.''
---------------------------------------------------------------------------

    \15\ The Federal Emergency Management Agency (FEMA) notes that 
the President can declare a major disaster for any natural event, 
regardless of cause, that is determined to have caused damage of 
such severity that it is beyond the combined capabilities of state 
and local governments to respond. https://www.fema.gov/disaster-declaration-process.
---------------------------------------------------------------------------

    Disasters (e.g., hurricanes, wildfires) can present unique 
challenges for patients with SUDs, and for their treating providers. 
These events may disrupt the usual access to services and medications 
across a geographic region. As a result, patients may be required to 
seek treatment at facilities or with providers who do not have full 
access to their records.
    When access to, or operation of, substance use disorder treatment 
facilities and services are disrupted on a regional basis in the wake 
of a disaster like a hurricane or wildfire, many patients become unable 
to access care through their usual providers, while many providers may 
be unable to follow usual consent-based procedures in order to obtain 
and/or release records for large numbers of patients. Thus, the 
disclosure requirements of 42 CFR part 2 may be too burdensome in these 
instances. For example, in the case of a hurricane, normal policies and 
procedures for obtaining consent according to Sec. Sec.  2.31 and 2.32 
may not be operational. At the same time, the inability of SUD patients 
to access needed care through their usual providers (or other 
providers) that have access to part 2-protected records concerning 
their condition, may constitute or lead to medical emergencies. As a 
result of these factors, SAMHSA stated in the 2019 proposed rule that 
we believe that it is necessary--and consistent with our statutory 
authority--to include natural and major disasters within the meaning of 
medical emergency for which there would be an exception to the 
requirement of consent for disclosure of part 2 records. In this final 
rule, such an exception is finalized.
    SAMHSA underscores that consent should still be obtained if at all 
feasible, but appropriate care should be the priority in these often-
devastating scenarios and an exception should be allowed. Thus, SAMHSA 
proposed to revise Sec.  2.51(a) to facilitate expedient access to care 
for patients with SUDs during natural and major disasters. 
Specifically, SAMHSA proposed to authorize, under Sec.  2.51(a), a part 
2 program to disclose patient identifying information to medical 
personnel, without patient consent, as needed in the event of a natural 
or major disaster to deliver effective ongoing SUD services to patients 
in such disasters. Specifically, SAMHSA proposed that this medical 
emergency exception would apply only when a state or federal authority 
declares a state of emergency as a result of a disaster and the part 2 
program is closed and unable to provide services or obtain the informed 
consent of the patient as a result of the disaster, and would 
immediately be rescinded once the part 2 program resumes operations.
    The comments we received on the proposed amendments to Sec.  2.51 
and our responses are provided below.
Public Comments
    Many commenters supported the proposal to amend Sec.  2.51 to 
include natural and major disasters within the meaning of medical 
emergency for which there would be an exception to the requirement of 
consent for disclosure of part 2 records.
SAMHSA Response
    We thank commenters for their support.
Public Comments
    One commenter requested clarification whether a disaster would 
qualify as a medical emergency for every impacted patient. The 
commenter requested further clarification whether the closed part 2 
program would need to determine if it is a medical emergency for each 
patient.
SAMHSA Response
    If a patient's part 2 program has closed and is unable to provide 
services or obtain the written consent of the patient due to a state of 
emergency caused by a natural or major disaster, then that part 2 
program may disclose part 2 patient records to other medical personnel 
to deliver effective ongoing SUD services. We note that consent should 
still be obtained if at all feasible. However, if the situation we 
describe above occurs, and the part 2 program is unable to obtain 
consent or to provide services, the part 2 program may consider the 
event a medical emergency and is permitted to disclose the part 2 
records without patient consent. The exception would be rescinded when 
the part 2 program resumes operations.
Public Comments
    One commenter recommended that SAMHSA develop further guidance on 
how patients and other medical personnel may be notified that the 
program is closed and unable to provide services or obtain consent. The 
commenter recommended that the guidance also include examples of how 
part 2 records may be disclosed to medical personnel in the event the 
program is closed. One commenter recommended that SAMHSA work with the 
HHS Office for Civil Rights to coordinate communication and outreach 
efforts regarding the proposals to Sec.  2.51 to ensure that medical 
personnel and health information professionals are aware of the 
changes. One commenter also recommended that SAMHSA work with the HHS 
Assistant Secretary for Preparedness and Response (ASPR) and other 
federal and state agencies to communicate a clear ``start'' and ``end'' 
for these situations.

[[Page 43019]]

SAMHSA Response
    We appreciate the commenters' suggestions. We will consider 
potential future options, including issuing further guidance and 
outreach as well as partnering with other HHS agencies, to ensure that 
medical personnel and other professionals are aware of the changes to 
Sec.  2.51.
Public Comments
    One commenter requested clarification on whether medical personnel 
includes peer recovery support personnel, recognizing that peer 
recovery support is a part of SUD treatment.
SAMHSA Response
    Under the authorizing statute at 42 U.S.C. 290dd-2(b)(2)(A), part 2 
records may be disclosed to medical personnel to the extent necessary 
to meet a bona fide medical emergency. As stated in the 2017 Final 
Rule, it is up to the health care provider or facility treating the 
emergency to determine the existence of a medical emergency and which 
personnel are needed to address the medical emergency. The name of the 
medical personnel to whom the disclosure was made, their affiliation 
with any health care facility, the name of the individual making the 
disclosure, the date and time of the disclosure, and the nature of the 
medical emergency must be documented in the patient's records by the 
part 2 program disclosing the information.
Public Comments
    A few commenters requested that SAMHSA expand the definition of 
emergency for when disclosures to another part 2 program or SUD 
treatment provider is permitted. A few commenters noted that the 
proposal does not consider localized, serious events that could create 
similar barriers as a declared state or federal emergency. One 
commenter recommended allowing a discretionary determination that the 
Part 2 program is unable to provide services to the person or obtain 
consent due to a disaster. A few commenters recommended that providers 
who have a treating relationship should have the discretion to 
determine what constitutes an emergency. One commenter recommended that 
SAMHSA include ``man-made'' disasters, such as cyber-attacks when 
information systems and networks could be impacted. One commenter 
recommended that SAMHSA ensure the proposed changes during a natural 
disaster is aligned with HIPAA.
SAMHSA Response
    We thank commenters for their suggestions. With regard to the 
request that a medical emergency be determined by the treating 
provider, SAMHSA clarifies that any health care provider who is 
treating the patient for a medical emergency can make that 
determination.
Public Comments
    One commenter recommended expanding the proposal to include waivers 
from the part 2 requirements, safe-harbor from penalties and 
enforcement for entities who follow these processes in good faith and 
public health emergencies.
SAMHSA Response
    We appreciate the commenter's suggestion. Under the proposed 
changes to Sec.  2.51, an exception is allowed when normal policies and 
procedures for obtaining consent according to Sec. Sec.  2.31 and 2.32 
may not be operational due to a natural or major disaster. If the part 
2 program is unable to obtain consent or provide services because the 
program is closed, then the part 2 program may disclose the records. We 
decline to explicitly name a safe-harbor provision, because the 
regulatory text describes the exception to the consent requirements. 
Immediately following disclosure, the part 2 program shall document, in 
writing, the disclosure in the patient's records, including the name of 
the medical personnel to whom the disclosure was made, their 
affiliation with any health care facility, the name of the individual 
making the disclosure, the date and time of the disclosure, and the 
nature of the medical emergency.
Public Comments
    One commenter stated that waiting for a bona fide emergency to 
allow providers to share information may be too late for the patient's 
care and that treating providers should be able to share information 
for safe care. One commenter noted that if a part 2 program is closed, 
then they may not be able to disclose information.
SAMHSA Response
    Providers may share treatment information with other providers with 
patient consent at any time. However, we do not have the authority to 
permit information to be disclosed without patient consent prior to the 
medical emergency under the authorizing statute at 42 U.S.C. 290dd-
2(b)(2)(A). Therefore, providers may not share information without 
patient consent prior to the declaration of a state of emergency and 
prior to a part 2 program closing due to the disaster unless the 
program meets another exception in this part.

J. Research (Sec.  2.52)

    In response to comments received, SAMHSA is finalizing this section 
as proposed except for the proposed change allowing research 
disclosures to members of the workforce of a HIPAA covered entity.
    SAMHSA recognizes the need for researchers to use SUD-related data 
to advance scientific research, particularly in light of the national 
opioid epidemic. SAMHSA supports the conduct of scientific research on 
SUD care, and has worked to allow researchers appropriate access to 
healthcare data relating to SUD, while maintaining appropriate 
confidentiality protections for patients.
    Under 42 CFR 2.52, part 2 programs are permitted to disclose 
patient identifying information for research, without patient consent, 
under limited circumstances. In the 2017 Final Rule, SAMHSA made 
several changes to the research exception at Sec.  2.52, including 
permitting the disclosure of data by lawful holders (as well as by part 
2 programs) to qualified personnel for the purpose of conducting 
scientific research.
    As stated in the 2019 proposed rule (84 FR 44577), Sec.  2.52 
allows the disclosure of patient identifying information for research 
purposes without patient consent, if the recipient of the patient 
identifying information is a HIPAA-covered entity or business 
associate, and has obtained and documented authorization from the 
patient, or a waiver or alteration of authorization, consistent with 
the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i) or the recipient 
is subject to the HHS regulations regarding the protection of human 
subjects under the Common Rule. (45 CFR part 46).
    Since the 2017 Final Rule, SAMHSA has become aware that limiting 
research disclosures under Sec.  2.52, to only HIPAA-covered entities 
or institutions subject to the Common Rule,\16\ may make it more 
difficult for some legitimate stakeholders to obtain data from SUD 
treatment records, for the purpose of conducting scientific research. 
For example, under the provisions of Sec.  2.52, the disclosure by a 
lawful holder of SUD records for the purpose of research to a state 
agency without a part 2 patient consent may be barred, given that most 
state agencies are neither HIPAA-covered entities nor directly subject 
to the Common Rule. It

[[Page 43020]]

is not SAMHSA's intention or policy to make it more burdensome for 
these sorts of stakeholders to carry out scientific research. SAMHSA 
would like to more closely align the requirements of 42 CFR 2.52 
(disclosures for the purpose of research), with the currently analogous 
provisions on research under the HIPAA Privacy Rule (45 CFR 164.512(i)) 
and the Common Rule, in order to minimize any conflict or duplication 
in the requirements for consent to disclosure of records for the 
purpose of research. Therefore, SAMHSA proposed to modify the text of 
Sec.  2.52(a), in order to allow research disclosures of part 2 data 
from a HIPAA covered entity or business associate to individuals and 
organizations who are neither HIPAA covered entities, nor subject to 
the Common Rule, provided that any such data will be disclosed in 
accordance with the HIPAA Privacy Rule at 45 CFR 164.512(i). This 
change will align the requirements of part 2 with the Privacy Rule 
around the conduct of research on human subjects. SAMHSA stated in the 
proposed rule that we believe this change to Sec.  2.52(a) is needed, 
in order to allow an appropriate range of stakeholders to conduct 
scientific and public health research on SUD care and SUD populations.
---------------------------------------------------------------------------

    \16\ The Common Rule governs research conducted or supported 
(i.e., funded) by the 16 departments and agencies that issued the 
Common Rule.
---------------------------------------------------------------------------

    In addition, SAMHSA proposed two additional changes to the text of 
Sec.  2.52(a). First, SAMHSA proposed to add new Sec.  2.52(a)(1)(iii), 
in order to clarify that research disclosures may be made to members of 
the workforce of a HIPAA-covered entity for purposes of employer-
sponsored research, where that covered entity requires all research 
activities carried out by its workforce to meet the requirements of 
either the Privacy Rule and/or Common Rule, as applicable. Second, 
SAMHSA proposed to add new Sec.  2.52(a)(1)(iv), to permit research 
disclosures to recipients who are covered by FDA regulations for the 
protection of human subjects in clinical investigations (at 21 CFR 
parts 50 and 56), subject to appropriate documentation of compliance 
with FDA regulatory requirements, and pursuant to authority under the 
Federal Food, Drug, and Cosmetic Act. In both instances, these 
proposals would help to align the part 2 requirements for research 
disclosures of SUD data, with analogous requirements for the conduct of 
research on human subjects that may apply under other federal 
regulations in specific circumstances.
    The comments we received on the proposed amendments to Sec.  2.52 
and our responses are provided below.
Public Comments
    Many commenters supported the proposal to broaden part 2 
disclosures for research purposes to include entities not covered by 
HIPAA or the Common Rule so long as the part 2 data is disclosed in 
accordance with the HIPAA Privacy Rule at 45 CFR 164.512(i).
SAMHSA Response
    We thank commenters for their support.
Public Comments
    Several commenters opposed the proposal. A few commenters felt that 
patient consent should be obtained before disclosing part 2 information 
for research purposes to entities not covered by HIPAA or the Common 
Rule. A few commenters felt that the proposed change will result in 
additional legal prosecution and discrimination. One commenter noted 
that it may make it difficult to identify a breach. One commenter 
recommended that SAMHSA clarify what level of protections non-HIPAA 
covered entities will be held to when part 2 data is disclosed for 
research purposes. The commenter suggested that sharing sensitive data 
with non-HIPAA covered entities should require IRB approval and if this 
is not possible then only the minimal amount of identifiable 
information as possible.
SAMHSA Response
    We are seeking a balance between protecting the confidentiality of 
SUD patient records and ensuring that researchers can conduct critical 
research on SUD care and SUD populations. The proposed change to Sec.  
2.52 would align the requirements of part 2 around the conduct of 
research on human subjects with the HIPAA Privacy Rule, the Common Rule 
and other analogous requirements for the conduct of research on human 
subjects that may apply under other federal regulations. Specifically, 
part 2 data may be disclosed from a HIPAA-covered entity or business 
associate to individuals and organizations who are neither HIPAA-
covered entities, nor subject to the Common Rule, provided that any 
such data will be disclosed in accordance with the HIPAA Privacy Rule 
at 45 CFR 164.512(i). The HIPAA Privacy Rule at 45 CFR 164.512(i) 
defines the requirements entities must fulfill to use protected health 
information for research. This includes requirements that the research 
must be conducted under review of an Institutional Review Board (IRB) 
or a privacy board with members of varying backgrounds and appropriate 
professional competency. For the IRB or privacy board to approve a 
waiver of individual authorization, researchers must show that the use 
or disclosure of PHI involves no more than a minimal risk to the 
privacy of individuals and include an adequate plan to protect the 
identifiers from improper use and disclosure, an adequate plan to 
destroy the identifiers at the earliest opportunity, and consistent and 
adequate written assurances that the protected health information will 
not be reused or disclosed to any other person or entity. We further 
note that the research provision (Sec.  2.52(b)) already includes a 
requirement that the researcher receiving the part 2 data is fully 
bound by 42 CFR part 2. We are interested in affording patients 
protected by 42 CFR part 2 the same opportunity to benefit from 
research, including research conducted by non-covered entities, while 
continuing to safeguard their privacy.
Public Comments
    One commenter recommended that SAMHSA develop FAQs or guidance to 
ensure that entities that are not HIPAA-covered entities under HIPAA 
but who are making disclosures in accordance with the HIPAA Privacy 
Rule understand their obligations and responsibilities.
SAMHSA Response
    We thank the commenter for their suggestion. We note that at the 
time of the publication of the proposed rule, we published a Fact 
Sheet, providing a general overview of the proposed rule, available 
here: https://www.hhs.gov/about/news/2019/08/22/hhs-42-cfr-part-2-proposed-rule-fact-sheet.html. We will consider updating subregulatory 
guidance, as applicable, to include any revisions made in the Final 
Rule. We will also consider issuing additional subregulatory guidance, 
as necessary.
Public Comments
    One commenter recommended that SAMHSA clarify how the part 2 EHR 
system should identify characteristics to whom data is sent to 
including entities that receive data for research purposes. The 
commenter recommended referencing standards that support conveying 
these characteristics.
SAMHSA Response
    We appreciate the commenter's recommendations. We will evaluate the 
commenter's suggestions and will consider options to provide technical 
guidance, including working with ONC and other stakeholders.

[[Page 43021]]

Public Comments
    One commenter noted that the provisions which facilitate the 
release of data for research purposes do not necessarily permit 
disclosure for public health analysis and may not satisfy the 
requirements of the research exemption. A few commenters recommended 
including a provision that would explicitly allow the release of data 
to a state or state data repository if the state agency is authorized 
by state law to collect such information for the purpose of public 
health research.
SAMHSA Response
    Under our revisions, a part 2 program or other lawful holder of 
part 2 data is authorized to disclose part 2 data for research 
purposes, including to state agencies, provided that the disclosure is 
made in accordance with the HIPAA Privacy Rule requirements at 45 CFR 
164.512(i). Broadening the research exception further is beyond the 
scope of the current rulemaking activities. Note, however, that the 
CARES Act specifically permits disclosures of de-identified data to a 
public health authority whether or not a patient gives written consent. 
HHS anticipates future rulemaking to implement Sec.  3221 of the CARES 
Act.
Public Comments
    One commenter recommended that SAMHSA require that data released 
should be de-identified and that SAMHSA should define a rigorous 
process for de-identification.
SAMHSA Response
    We encourage the use of de-identified or non-identifiable 
information whenever possible. However, it may be time consuming, labor 
intensive, or technologically difficult for part 2 programs to create 
data that does not contain part 2 identifying information. It may be 
too cumbersome or cost prohibitive for part 2 programs to provide the 
kind of data necessary in a de-identified format. The proposed changes 
will require that data is disclosed in accordance with the HIPAA 
Privacy Rule at 45 CFR 164.512(i), such that researchers from covered 
entities and non-covered entities, must show that ``the research could 
not practicably be conducted without access to and use of the protected 
health information.'' Compliance with HIPAA and the Common Rule (e.g., 
IRB and/or privacy board review), as required under existing 
regulations and the proposed changes to Sec.  2.52, provide sufficient 
assurances of patient confidentiality, including that the researcher 
has a plan to protect and destroy identifiers and to not re-disclose 
the information in an unauthorized manner.
Public Comments
    One commenter recommended that SAMHSA modify the proposal to 
address the rare situation when the holder of the part 2 data is not 
subject to HIPAA.
SAMHSA Response
    We appreciate the commenter's suggestion. The revised research 
exception will permit disclosures of part 2 data for research purposes 
if the part 2 program or other lawful holder of part 2 data is a HIPAA-
covered entity or business associate and the disclosure is made in 
accordance with the HIPAA Privacy Rule. Because we are expanding the 
authority of research disclosures beyond HIPAA-covered entities or 
entities covered by the Common Rule, we believe it is necessary to 
ensure that those disclosing the data are familiar with the HIPAA 
Privacy Rule and the requirements included in the regulations. We agree 
with the commenter that it will likely be a rare situation when the 
holder of the part 2 data is not subject to HIPAA and we do not 
anticipate that it will hinder most research efforts. However, we will 
consider it for any potential future rulemaking.
Public Comments
    One commenter recommended that SAMHSA more closely align with HIPAA 
and suggested removing language that directs an ``individual designated 
as director or managing director, or individual otherwise vested with 
authority to act as chief executive officer or their designee'' to make 
a determination regarding the permissibility of research disclosures.
SAMHSA Response
    We thank the commenter for the suggestion. Revising the language in 
this section is beyond the scope of the current rulemaking activities; 
however, we will evaluate the commenter's suggestion and consider 
potential options including future rulemaking.
Public Comments
    One commenter noted that the proposed change exceeds the language 
or the purpose of the enabling statute.
SAMHSA Response
    Under 42 U.S.C. 290dd-2(b)(2)(B), the content of an SUD treatment 
record may be disclosed without patient consent to qualified personnel 
for the purpose of conducting scientific research provided that such 
personnel does not identify, directly or indirectly, any individual 
patient in any report of such research; thus, we believe that this 
change does not violate the language of the enabling statute.
Public Comments
    Several commenters opposed the proposal to permit research 
disclosures to members of the workforce of a HIPAA-covered entity for 
purposes of employer-sponsored research. The commenters noted that the 
proposal may lead to employment discrimination for those with SUD if 
data is released for purposes of employer-sponsored research. One 
commenter noted that it is unclear what ``employer-sponsored'' research 
would include.
SAMHSA Response
    We proposed to allow part 2 data to be disclosed for research 
purposes to a member of the workforce of a HIPAA-covered entity. The 
proposal would clarify that the lawful holder of part 2 data may 
disclose the data to a member of the workforce of a HIPAA-covered 
entity provided that the research is being conducted at the direction 
or on behalf of that individual's employer. The proposed revisions 
would only permit this disclosure when the employer requires that all 
research conducted at the direction or on behalf of the employer is 
conducted in accordance with the HIPAA Privacy Rule or the Common Rule. 
During the review of comments, we noted that a few commenters 
misinterpreted ``employer-sponsored research'' to include research 
conducted by employers on or about their employees. It was not our 
intent to permit employers to conduct SUD research on their employees. 
Given the concerns and the confusion regarding the proposed changes, we 
are not finalizing this policy at this time. To reflect this in this 
final rule, the regulation text proposed at Sec.  2.52(a)(1)(iii) is 
not being finalized and the regulation text proposed at Sec. Sec.  
2.52(a)(1)(iv) and (v) are being redesignated as Sec. Sec.  
2.52(a)(1)(iii) and (iv), respectively.
Public Comments
    A few commenters supported the proposal to permit disclosures to 
members of the workforce of a HIPAA-covered entity for purposes of 
employer-sponsored research, where that covered entity requires all 
research activities carried out by its workforce to meet the 
requirements of either the Privacy Rule and/or Common Rule, as 
applicable.

[[Page 43022]]

SAMHSA Response
    We thank commenters for their support. While we are not finalizing 
the policy at this time, research disclosures of part 2 data may still 
be made following the requirements at Sec.  2.52(a).
Public Comments
    A few commenters supported the proposal to permit research 
disclosures to recipients who are covered by FDA regulations for the 
protection of human subjects in clinical investigations.
SAMHSA Response
    We thank commenters for their support.
Public Comments
    A few commenters opposed the proposal to permit research 
disclosures to recipients who are covered by FDA regulations. One 
commenter stated that a patient's informed consent should be sought 
when disclosing information for research.
SAMHSA Response
    The proposed changes will help align research disclosure 
requirements among other federal regulations. Allowing research 
disclosures to recipients who are covered by FDA regulations for the 
protection of human subjects will help facilitate critical research on 
SUD treatment and care. We believe it is necessary to strike a balance 
of promoting research while maintaining confidentiality for patient 
records. Like the HIPAA Privacy Rule, the FDA regulatory requirements 
generally require informed consent, except in limited circumstances as 
explained in 21 CFR part 50. The proposed changes require that the 
research is in compliance with the requirements of the FDA regulations, 
including review by an IRB when applicable.

K. Audit and Evaluation (Sec.  2.53)

    In response to comments received, SAMHSA, in Sec.  2.53(c)(1), is 
removing the expectation that certain audits and evaluations conducted 
by government agencies and third-party payers would only be conducted 
periodically, and is making changes to the language in (c)(1)(i)-(iii) 
to clarify SAMHSA's intent that revisions are intended to help enhance 
patient care and coverage. SAMHSA is also making several non-
substantive changes to the proposed regulatory text of Sec.  2.53, such 
as updating cross references to other sections of the rule and re-
wording and moving the placement of language related to audits 
conducted by entities that have direct administrative control over a 
part 2 program.
    SAMHSA is finalizing the proposal to permit disclosure of patient 
identifying information to federal, state, or local government 
agencies, and to their contractors, subcontractors, and legal 
representatives for audit and evaluations required by statute or 
regulation.
    Regulations at Sec. Sec.  2.53(a), (b), and (c) describe the 
circumstances under which specified individuals and entities may access 
patient identifying information in the course of an audit or 
evaluation. Section 2.53(a) governs the disclosure of patient 
identifying information for audits and evaluations that do not involve 
the downloading, forwarding, copying, or removing of records from the 
premises of a part 2 program or other lawful holder. In these 
instances, information may be disclosed to individuals and entities who 
agree in writing to comply with the limitations on disclosure and use 
in Sec.  2.53(d) and who perform the audit or evaluation on behalf of 
one of the following: A federal, state, or local governmental agency 
that provides financial assistance to or is authorized to regulate a 
part 2 program or other lawful holder; an individual or entity which 
provides financial assistance to a part 2 program or other lawful 
holder; a third-party payer covering patients in a part 2 program; or a 
quality improvement organization (QIO) performing certain types of 
reviews. The regulations permit disclosure to contractors, 
subcontractors, or legal representatives performing audits and 
evaluations on behalf of certain individuals, entities, third-party 
payers, and QIOs described directly above. At Sec.  2.53(a)(2), the 
regulations also allow part 2 programs or other lawful holders to 
determine that other individuals and entities are qualified to conduct 
an audit or evaluation of the part 2 program or other lawful holder. In 
these instances, patient information may be disclosed during an on-
premises review of records, as long as the individuals and entities 
agree in writing to comply with the limitations on disclosure and use 
in Sec.  2.53(d).
    Section 2.53(b) of the regulation governs the copying, removing, 
downloading, or forwarding of patient records in connection with an 
audit or evaluation performed on behalf of government agencies, 
individuals, and entities described in 42 CFR 2.53(b)(2), which are 
identical to the agencies, individuals, and entities described in Sec.  
2.53(a)(1) above. In these audits, records containing patient 
identifying information may be copied or removed from the premises of a 
part 2 program or other lawful holder, or downloaded or forwarded to 
another electronic system or device from the part 2 program's or other 
lawful holder's electronic records, by an individual or entity who 
agrees to the records maintenance standards and disclosure limitations 
outlined in Sec.  2.53(b)(1)(i) through (iii).
    Additionally, patient identifying information may be disclosed to 
individuals and entities who conduct Medicare, Medicaid, or CHIP audits 
or evaluations as set forth in Sec.  2.53(c).
    SAMHSA understands there is confusion about Sec.  2.53 as it 
applies to several specific situations, and therefore proposed to make 
the following changes to the regulations to improve clarity about what 
is permissible under these sections. SAMHSA also proposed to update 
part 2 regulatory language related to quality improvement organizations 
(QIO) to align with 42 CFR 476.1. Specifically, we proposed to replace 
references to ``utilization or quality control review'' with the term 
``QIO review,'' which is defined in 42 CFR 476.1 as a review performed 
in fulfillment of a contract with CMS, either by the QIO or its 
subcontractors.
    First, some stakeholders have voiced frustration that part 2 
programs have been unwilling or unable to disclose patient records that 
may be needed by federal, state, and local agencies, to better serve 
and protect patients with SUD. For example, a state Medicaid Agency or 
state or local health department may need to know about specific types 
of challenges faced by patients receiving opioid therapy treatment, 
such as co-occurring medical or psychiatric conditions, or social and 
economic factors that impede treatment or recovery. An agency may need 
this kind of information to recommend or mandate improved medical care 
approaches; to target limited resources more effectively to care for 
patients; or to adjust specific Medicaid or other program policies or 
processes related to payment or coverage to facilitate adequate 
coverage and payment. Government agencies may also wish to know how 
many patients test positive for a new and harmful illicit drug, and how 
part 2 programs are actually treating those patients, as an input to 
agency decisions aimed at improving quality of care. For example, 
agencies may wish to modify requirements for part 2 programs, educate 
or provide additional oversight of part 2 providers, and/or update 
corresponding payment or coverage policies. Third-party payers covering 
patients in a part 2 program may have similar objectives for obtaining 
part 2 information.

[[Page 43023]]

    Current regulations allow part 2 programs to share information for 
the purposes described above in two ways, using either de-identified or 
identifiable information. Only SUD records containing patient 
identifying information are subject to part 2 protections, and 
therefore a part 2 program or other lawful holder may share non-
identifiable information with government agencies (federal, state and 
local) for many types of activities.
    SAMHSA encourages the use of de-identified or non-identifiable 
information whenever possible. However, it may be time consuming, labor 
intensive, or technologically difficult for part 2 programs to create, 
and for government agencies to obtain quickly, data that does not 
contain part 2 identifying information. It may be too cumbersome or 
cost prohibitive for part 2 programs to provide the kind of data 
necessary in a de-identified format. It also may be challenging for 
part 2 programs to provide information quickly in more urgent 
situations, without potentially diverting resources away from patient 
care.
    Patient identifying information may also be used to help agencies 
and third-party payers improve care in certain circumstances. Under 
current regulations at Sec.  2.53(a) and (b), federal, state, and local 
government agencies that have the authority to regulate or that provide 
financial assistance to part 2 programs, and third-party payers with 
covered patients in part 2 programs, may receive patient identifying 
information in the course of conducting audits or evaluations. 
Additionally, patient identifying information may be disclosed to 
individuals and entities to conduct Medicare, Medicaid, or CHIP audits 
or evaluations under Sec.  2.53(c). Thus, a Medicaid agency may 
evaluate the part 2 providers that participate in its Medicaid program; 
a state health department may audit the facilities it licenses pursuant 
to its regulatory authority; and a health plan may review part 2 
programs that serve its enrollees.
    The current regulations do not define audit and evaluation, nor do 
they direct the manner in which evaluations are carried out, as noted 
by Sec.  2.2(b)(2). Nevertheless, we stated in the proposed rule that 
we believe that the concept of audit or evaluation is not restricted to 
reviews that examine individual part 2 program performance. We 
specifically said they may also include periodic reviews of part 2 
programs to determine if there are any needed actions at an agency 
level to improve care and outcomes across the individual part 2 
programs the agency regulates or supports financially. Likewise, we 
noted that audits or evaluations may include reviews to determine if 
there are needed actions at a health plan level to improve care and 
outcomes for covered patients in part 2 programs. In other words, 
audits or evaluations may be conducted with a goal to identify 
additional steps agencies or third-party payers should be taking to 
support the part 2 programs and their patients. This includes reviews 
that allow agencies or third-party payer entities to identify larger 
trends across part 2 programs, in order to respond to emerging areas of 
need in ways that improve part 2 program performance and patient 
outcomes.
    SAMHSA proposed to clarify that under Sec.  2.53, government 
agencies and third-party payer entities would be permitted to obtain 
part 2 records without written patient consent to periodically conduct 
audits or evaluations for purposes such as identifying agency or health 
plan actions or policy changes aimed at improving care and outcomes for 
part 2 patients (e.g., provider education, recommending or requiring 
improved health care approaches); targeting limited resources more 
effectively to better care for patients; or adjusting specific Medicaid 
or other insurance components to facilitate adequate coverage and 
payment. These agencies and third-party payers are required to abide by 
the restrictions on disclosure and other relevant confidentiality 
requirements outlined in Sec.  2.53. Additionally, SAMHSA stated in the 
proposed rule that it did not believe it was generally necessary to 
conduct these types of audits or evaluations on a routine or ongoing 
basis. Rather, we stated that we would generally expect that they would 
be performed periodically, unless they are required by applicable law 
or other compelling circumstances exist, such as unique cases in which 
an oversight agency determines there is a need for ongoing review. We 
also stated that information disclosed for the purpose of a program 
audit or evaluation may not be used to directly provide or support care 
coordination. As stated previously (83 FR 243), SAMHSA believes it is 
important to maintain patient choice in disclosing information to 
health care providers with whom patients have direct contact. Agencies 
or health plans could, for example, use information from the aggregated 
results of part 2 program evaluations to determine that a new benefit 
or payment category is needed in order to facilitate better care 
coordination.
    The preamble to the 2017 final rule noted that the authorizing 
statute for part 2 does not provide a general exception to the consent 
requirement for disclosure of SUD records for the purpose of sharing 
records with public health officials (82 FR 6079). Furthermore, the 
preamble also noted that SAMHSA does not have the statutory authority 
to authorize routine disclosure of part 2 information for public health 
purposes (82 FR 6079). In the 2019 proposed rule, SAMHSA emphasized 
that audits or evaluations using aggregated data for such purposes 
described above are distinct from a broader public health exception. 
Specifically, under current regulations, part 2 programs may share 
information with the agencies that have the authority to regulate or 
provide financial support to the part 2 program, in order to safeguard 
or improve the care and outcomes for current and future patients in 
those programs, or to ensure the integrity of the funding program and 
the appropriate use of financial support by the part 2 program. A 
broader public health exception would conceivably enable part 2 
programs to share identifiable information with any public health 
agency, regardless of its relationship with the part 2 program, for 
many types of purposes (e.g., preventative efforts aimed at a wider 
population).
    To clarify allowable program evaluation activities using patient 
identifying information, SAMHSA proposed several changes to Sec.  2.53. 
First, SAMHSA proposed to redesignate current Sec.  2.53(c) and (d) as 
Sec.  2.53(e) and (f), respectively, and insert a new Sec.  2.53(c) 
titled: ``Activities Included.'' Proposed new paragraph Sec.  
2.53(c)(1) specified that audits or evaluations may include periodic 
activities to identify actions that an agency or third-party payer 
entity can make, such as changing its policies or procedures to improve 
patient care and outcomes across part 2 programs; targeting limited 
resources more effectively; or determining the need for adjustments to 
payment policies for the care of patients with SUD. This change was 
intended to clarify that disclosures of patient records by a part 2 
program to an agency or third-party payer entity are permitted for 
these purposes without patient consent, pursuant to this section.
    Second, SAMHSA noted in the proposed rule (84 FR 44579) that it has 
received feedback that stakeholders are unclear about whether Sec.  
2.53 allows federal, state, and local government agencies and third-
party payers to have access to patient information for activities 
related to reviews of appropriateness of medical care, medical 
necessity, and utilization of services. As described above, the

[[Page 43024]]

current regulations allow information to be disclosed to certain 
federal, state, and local governmental agencies and third-party payers 
for audit or evaluation purposes, as long as they agree to specific 
restrictions outlined in the regulations to limit disclosure or use of 
the records and preserve patient confidentiality. While neither the 
statute nor the regulations define audit or evaluation, we stated that 
these terms should and do include audits or evaluations to review 
whether patients are receiving appropriate services in the appropriate 
setting. Assessing whether a part 2 program provides appropriate care 
is a necessary part of any comprehensive part 2 program audit or 
evaluation. Government agencies may be charged with conducting such 
reviews for licensing or certification purposes or to ensure compliance 
with federal or state laws, as may private not-for-profit entities 
granted authority under the applicable statutes or regulations to carry 
out such work in lieu of the agencies. Third-party payers also have a 
stake in the programmatic integrity, as well as the clinical quality, 
of the part 2 programs that serve the patients they cover. Therefore, 
SAMHSA proposed to insert a new Sec.  2.53(c)(2) that clarifies audit 
and evaluations under this section may include, but are not limited to, 
reviews of appropriateness of medical care, medical necessity, and 
utilization of services. Stakeholders were also referred to Sec.  2.33, 
which allows disclosure of information for payment and/or health care 
operations activities with a patient's consent.
    Third, we explained that stakeholders have expressed confusion 
about whether part 2 programs may disclose information for audit or 
evaluation purposes to the larger health care organizations in which 
they operate. For example, Medicare Conditions of Participation 
regulations at 42 CFR 482.21 require individual hospitals to conduct 
quality assessment and performance improvement (QAPI) programs that 
reflect the complexity of each hospital's organization and services, 
and which involve all hospital departments and services. QAPI programs 
are ongoing, hospital-wide, data-driven efforts that focus on 
addressing high-risk, high-volume or problem prone areas that affect 
health outcomes, patient safety, or quality of care.
    As we noted in the proposed rule (84 FR 44580), the part 2 
regulations provide ample leeway for part 2 programs to share 
information within their larger health care organizations for these and 
other types of evaluations. Under Sec.  2.53(a)(2), part 2 programs may 
determine that individuals or entities within their health care 
organizations are qualified to conduct audits and evaluations and may 
share information pursuant to such reviews. Additionally, Sec.  
2.12(c)(3) states that, ``The restrictions on disclosure in the 
regulations in this part do not apply to communications of information 
between or among personnel having a need for the information in 
connection with their duties that arise out of the provision of 
diagnosis, treatment, or referral for treatment of patients with 
substance use disorders if the communications are:
    (i) Within a part 2 program; or
    (ii) Between a part 2 program and an entity that has direct 
administrative control over the program.'' The phrase ``direct 
administrative control'' refers to the situation in which a substance 
use disorder unit is a component of a larger behavioral health program 
or of a general health program.
    In order to eliminate any remaining misunderstanding, however, 
SAMHSA proposed to expand the regulatory language to explicitly clarify 
that this type of information sharing is permitted under the 
regulations. Specifically, we proposed to add language to Sec.  
2.53(a)(2) to state that, ``Auditors may include any non-part 2 entity 
that has direct administrative control over the part 2 program or 
lawful holder.'' Additionally. SAMHSA proposed to include similar 
language in new subsection (b)(2)(iii). We stated that we believed that 
the proposed changes will help to clarify that in these situations, 
identifiable patient diagnosis or treatment information can be shared 
with personnel from an entity with direct administrative control over 
the part 2 program, where those persons, in connection with their audit 
or evaluation duties, need to know the information.
    Fourth, while the regulations at Sec.  2.53(a)(1)(ii) and 
(b)(2)(ii) specifically delineate that information may be disclosed to 
quality improvement organizations, these provisions do not explicitly 
include other types of entities that are responsible for quality 
assurance. For example, the regulations for audit and evaluation do not 
describe entities, such as health care organization accrediting or 
certification bodies, that may need to review patient records to 
evaluate whether a part 2 program meets quality and safety standards. 
To ensure that stakeholders understand that disclosure to these types 
of organizations is permitted, SAMHSA proposed to insert a new Sec.  
2.53(d) stating, ``Quality Assurance Entities Included. Entities 
conducting audits or evaluations in accordance with Sec.  2.53(a) and 
(b) may include accreditation or similar types of organizations focused 
on quality assurance.''
    Additionally, at the time the NPRM was published, SAMHSA understood 
that some federal, state, and local government agencies face challenges 
in meeting statutory or regulatory mandates that require them to 
conduct audits or evaluations involving part 2 information. For 
example, the Centers for Medicare & Medicaid Services conducts risk 
adjustment and data validation in connection with the risk adjustment 
program it is required to operate in accordance with section 1343 of 
the Patient Protection and Affordable Care Act, 42 U.S.C. 18063 and 
implementing regulations. Under risk adjustment data validation, health 
insurance issuers are lawful holders of part 2 identifying information 
and may be required to provide it to CMS or its contractors. Therefore, 
SAMHSA proposed to insert a new Sec.  2.53(g) to permit patient 
identifying information to be disclosed to federal, state, and local 
government agencies, as well as their contractors, subcontractors, and 
legal representatives of such agencies, in the course of conducting 
audits or evaluations mandated by statute or regulation, if those 
audits or evaluations cannot be carried out using de-identified 
information.
    In addition to these changes, SAMHSA proposed to update language 
related to quality improvement organizations. At Sec.  2.53(a)(1)(ii) 
and (b)(2)(ii), it proposed to amend the language to align it with 42 
CFR 476.1. Specifically, SAMHSA proposed to replace references to 
``utilization or quality control review'' with the term ``QIO review.''
    The comments we received on the proposed amendments to Sec.  2.53 
and our responses are provided below.
Public Comments About the Proposals for Audit and Evaluation in General
Public Comments
    Several commenters expressed support for the audit and evaluation 
proposals in general, saying clarification of these provisions can help 
decrease confusion and administrative burden, particularly among 
prescribing practitioners and auditors who conduct inspection and 
evaluation activities. One commenter stated that the proposed changes 
would enable better evaluation of the entire SUD treatment system of 
care. Another emphasized that focused oversight will help measure the 
efficacy of new SUD-related health care benefits offered by government 
and commercial

[[Page 43025]]

programs, reinforcing public trust in such programs while ensuring that 
adequate funds are available for at-risk populations.
SAMHSA Response
    We thank the commenters for their support.
Public Comments
    Several commenters were critical of the changes. A few commenters 
expressed concern about expanded data sharing under the proposals, 
including with non-government and/or non-treatment actors, that could 
ultimately negate the current rule's privacy and consent protections.
SAMHSA Response
    In this rule, SAMHSA is primarily clarifying activities that are 
already permissible under Sec.  2.53. Except for new Sec.  2.53(g), we 
do not interpret the changes as conferring new authority for expanded 
data sharing and do not believe the changes will undermine the rule's 
privacy and consent protections.
Public Comments
    A few commenters expressed concern that activities under the 
proposed Sec.  2.53(c)(1)(ii) and/or Sec.  2.53(c)(2) could be used as 
a means to deny care and/or services to patients with a SUD, and one 
commenter recommended that SAMHSA provide additional examples of 
program activities to ensure that such activities are performed in 
accordance with the regulation. Another commenter said the proposed 
rule will effectively remove the treating provider from the process.
SAMHSA Response
    The goal of our clarifications in Sec.  2.53(c)(1)(ii) and (c)(2) 
is to ensure that appropriate individuals, agencies and entities may 
use audits and evaluations to identify opportunities to improve 
services to patients in part 2 programs, as well as to conduct 
customary oversight activities that have the ability to safeguard 
patients and ensure they receive the right care. Without these 
clarifications, government agencies and third-party payers may be 
reluctant to undertake certain activities that are important to the 
care and safety of patients receiving services in part 2 programs. 
However, as referenced below, SAMHSA is modifying the language at Sec.  
2.53(c)(1)(ii) to clarify that the intent of the changes is to enhance 
care for patients.
Public Comments
    A few commenters raised the issue of providing safeguards to 
prevent release of individually identifiable information, especially 
when patient information is used by third parties. One commenter 
emphasized the importance of ensuring that legitimate contractors use 
de-identified data whenever possible and follow the part 2 protections.
SAMHSA Response
    Section 2.53 includes numerous safeguards to protect patient 
identifying information. For example, patient identifying information 
disclosed under Sec.  2.53(a) and (b) may be disclosed only back to the 
part 2 program or other lawful holder from which it was obtained, and 
may be used only to carry out an audit or evaluation purpose, or to 
investigate or prosecute criminal or other activities if authorized by 
a court order. Under Sec.  2.53(b), individuals, agencies, and entities 
conducting offsite reviews must maintain and destroy the patient 
identifying information in a manner consistent with the policies and 
procedures established under Sec.  2.16. Additionally, Sec.  2.13 
requires that any disclosures made under the part 2 regulations must be 
limited to that information which is necessary to carry out the purpose 
of the disclosure.
Public Comments
    A few commenters raised the question of how eligible individuals 
and organizations may access unredacted part 2 information for audits 
and evaluations under the provisions of the proposed rule, and one 
stated that the rule does not address the problem of providers who are 
unwilling to disclose part 2 information to lawful holders subject to 
state or federal audits, which creates consequences for organizations 
such as Medicare Advantage Plans. One commenter said there was no 
process to verify whether identifiable information is needed, 
emphasizing that patients' private information would be vulnerable to a 
mere assertion that identifiable information must be revealed. The 
commenter believes that due process is removed for patients and that 
the system is ripe for abuse. A commenter suggested that HHS could 
provide data-use agreements or a memorandum of understanding, or revise 
the regulation to require a part 2 program or lawful holder to provide 
part 2 information as necessary to another provider or lawful holder in 
order to respond to an audit. One commenter suggested that 
clarification on the specific types of third parties with the specific 
methods and procedures for obtaining consent would be beneficial.
SAMHSA Response
    In this final rule, SAMHSA is clarifying permissible activities 
under Sec.  2.53 to help clear up confusion about the sharing of 
patient identifying information for the purposes of audit and 
evaluation. SAMHSA does not have the statutory authority to require 
patient records to be disclosed to auditors or evaluators. Further, we 
decline to issue specific direction regarding the processes through 
which patient identifying information is disclosed by part 2 programs 
or lawful holders to auditors and evaluators, as we believe the facts 
surrounding individual requests for information may vary, and those 
discussions are better left to stakeholders with first-hand knowledge 
of each situation. Additionally, SAMHSA believes such questions are out 
of the scope of this final rule, as they were not addressed in the 
proposed rule. We will take the suggestion for the creation of data use 
agreements and/or memorandums of understanding under advisement for 
future guidance or rulemaking.
Public Comments
    A commenter said the correct application of the term ``evaluation'' 
is particularly unclear and subject to different interpretations.
SAMHSA Response
    As stated in the proposed rule (84 FR 165), the current regulations 
do not define audit and evaluation, nor do they direct the manner in 
which evaluations are carried out, as noted by Sec.  2.2(b)(2). 
Nevertheless, SAMHSA believes that the concept of audit or evaluation 
would at least include reviews that examine individual part 2 program 
clinical and/or financial performance as well as reviews of part 2 
programs to determine if there are any needed actions at an agency or 
payer level to improve care and outcomes across individual part 2 
programs.
Public Comments
    One commenter said that Section 704 of the Comprehensive Addiction 
and Recovery Act (CARA) of 2016 included provisions permitting Part D 
sponsors to establish drug management programs (DMPs) for beneficiaries 
at-risk for misuse or abuse of frequently abused drugs and believes 
that part 2 information will be required to be disclosed. The commenter 
suggested that SAMHSA include drug management and utilization review 
programs as program evaluation disclosures that do not require consent 
for disclosure of part 2 information. Alternatively, the commenter

[[Page 43026]]

recommended that the regulations be amended to provide that public 
program beneficiaries are deemed to have consented to part 2 
disclosures when the public program requires such disclosures.
SAMHSA Response
    SAMHSA believes it is important to identify patients at risk for 
misuse or abuse of frequently abused drugs, and that sharing 
information for the purposes of drug utilization review would already 
be allowed under Sec. Sec.  2.31 and 2.33 when a patient consents to 
sharing their information for payment and health care operations. In 
this final rule, we are also adopting new language at Sec.  2.53(c)(2) 
to clarify that audits and evaluations of part 2 programs may include 
reviews of appropriateness of medical care, medical necessity, and 
utilization of services. We agree that part 2 programs would be 
permitted to share information with Part D sponsors seeking to identify 
at-risk patients who may be candidates for drug utilization programs 
under this section as well.
Comments on SAMHSA's Proposals To Clarify Permitted Activities of 
Government Agencies and Third-Party Payers (Sec.  2.53 (c)(1))
Public Comments
    Several commenters expressed support for the proposed changes to 
clarify the permitted activities of government agencies and third-party 
payers, stating that they reduce confusion and ambiguity and will help 
in providing efficient and effective care. A few commenters appreciated 
the recognition in the proposed rule that state agencies have audit and 
evaluation responsibilities that necessitate the receipt of part 2-
protected data. One commenter underscored that states have an urgent 
need to utilize every available analytic tool to address the opioid 
crisis facing our nation.
SAMHSA Response
    We thank the commenters for their support.
Public Comments
    Several commenters opposed the changes, expressing concerns about 
expanded sharing of highly sensitive information without patient 
consent and with few or no parameters, and stating that the audit and 
evaluation exception already provides a fairly comprehensive mechanism 
for entities to share information without the consent of the patient. A 
few believed the changes would permit greater disclosures of patient 
records without consent to entities not involved in direct patient 
care. One commenter said that the proposed rule does not describe how 
granular level information would be shared between agencies or with 
third-party payer entities in ways that would not disclose patient 
identities in any manner and still be useful. One commenter expressed 
concern that virtually every use will be deemed compelling. A few 
commenters said that the proposed language exceeds the part 2 statute 
and that there is no value in maintaining the existing rule without 
enforcement of it. A few commenters also expressed concern that the 
proposed changes would allow patient identifying information to be used 
to reduce care, dictate care, remove the treating provider from the 
care process, limit access, or make decisions about patient care solely 
on what can be found in the files through such reviews. Another 
commenter said that patient records can be inaccurate and are rarely a 
full reflection of who the person is or the myriad of factors that go 
into the care process. One commenter said that the proposal opens 
patients up for discrimination.
SAMHSA Response
    As noted in the proposed rule, SAMHSA has heard from stakeholders 
that there is confusion about what types of activities are permissible 
under Sec.  2.53. The goal of our clarifications in Sec.  2.53(c)(1) is 
to ensure that the appropriate individuals, agencies and entities 
understand that they may use audits and evaluations to identify 
opportunities to improve services to patients in part 2 programs, 
including making changes to payment policies that could increase access 
to effective services and targeting resources more effectively. SAMHSA 
believes the changes in this section represent clarifications of 
permissible activities under current regulations. However, in response 
to concerns expressed above, we are amending the language of this 
section to help clarify that our intent is to help government agencies 
and third-party payers as they seek to enhance the care and treatment 
of patients with SUD. We also note that the regulations include 
numerous safeguards to help ensure the proper handling of patient 
identifying information disclosed for audit and evaluation purposes. 
For example, newly redesignated Sec.  2.53(f) requires that patient 
identifying information disclosed under this section may be disclosed 
only back to the part 2 program or other lawful holder from which it 
was obtained, and may be used only to carry out an audit or evaluation 
purpose, or to investigate or prosecute criminal or other activities, 
as authorized by a court order. Under Sec.  2.53(b), individuals, 
agencies, and entities conducting offsite reviews must maintain and 
destroy the patient identifying information in a manner consistent with 
the policies and procedures established under Sec.  2.16. Additionally, 
Sec.  2.13 requires that any disclosures made under the part 2 
regulations must be limited to that information which is necessary to 
carry out the purpose of the disclosure.
Public Comments
    One commenter noted that the phrase ``across part 2 programs'' 
could be interpreted to mean that evaluations must study only the part 
2 programs themselves, and recommended changing this language to ``to 
improve care and outcomes for patients with SUDs that are treated by 
part 2 programs.''
SAMHSA Response
    We thank the commenter for this suggestion, and agree that ``across 
part 2 programs'' may be interpreted too narrowly. Therefore, in this 
final rule, SAMHSA has changed the wording in Sec.  2.53(c)(1)(i) to 
incorporate the commenter's suggested language.
Public Comments
    One commenter said the ongoing nature of some Medicaid and Medicaid 
managed care organization quality control activities may be precluded 
based on language in the proposed rule stating that these types of 
audit and evaluation activities should only be periodic in nature. The 
commenter recommend that SAMHSA remove the ``periodic'' restriction for 
entities with direct administrative control and third-party payers, 
allowing them to continue to be provided with the flexibility to make 
determinations regarding the appropriate frequency of audit and 
evaluation activities. Another commenter asked for clarification about 
allowing ``periodic'' but not ``routine'' or ``ongoing'' reviews, 
stating that meaningful audits or evaluations that could be 
appropriately considered ``periodic'' could also be described as 
``routine'' or ``ongoing.''
SAMHSA Response
    SAMHSA appreciates the insight provided by the commenters. In the 
proposed rule, SAMHSA sought to clarify that under Sec.  2.53, 
government agencies and third-party payer entities would be permitted 
to obtain part 2 records without written patient consent to 
periodically conduct audits or evaluations for purposes such as 
identifying agency or health plan actions or policy changes aimed at

[[Page 43027]]

improving care and outcomes for part 2 patients; targeting limited 
resources more effectively to better care for patients; or adjusting 
specific Medicaid or other insurance components to facilitate adequate 
coverage and payment. SAMHSA emphasized in the proposed rule that it 
did not believe it was generally necessary to conduct these types of 
audits or evaluations on a routine or ongoing basis. It was not 
SAMHSA's intention to interrupt or otherwise alter established audit 
and evaluation programs that already adhere to a specific schedule. 
Based on the comments received, we do not believe the regulations 
should indicate the frequency with which the permissible activities 
outlined in Sec.  2.53(c)(1) should occur. We believe determinations 
about how often information is disclosed for audits and evaluations of 
this nature are best left to stakeholders with first-hand knowledge of 
each specific situation. Therefore, the final regulation text at Sec.  
2.53(c)(1) will not include the word ``periodically.''
Public Comments
    One commenter appreciated that SAMHSA believes that the concept of 
audit or evaluation includes evaluations to identify additional steps 
and policy changes aimed at improving care and outcomes for part 2 
patients, but also supported a broader public health exception to 
enable part 2 programs to share identifiable information with a public 
health agency for these purposes. The commenter recommended that Sec.  
2.53 be amended to define audit and evaluation as activities to include 
those conducted by a public health agency authorized by law to conduct 
public health research and implement programs aimed at improving care 
and outcomes for part 2 patients.
SAMHSA Response
    We thank the commenter for their support and underscore that 
although the part 2 authorizing statute does not include a broad public 
health exception to the consent requirements, government agencies that 
have the authority to regulate, or that financially support part 2 
programs, may conduct audits and evaluations of those programs in an 
effort to ensure that current and future patients receive the best care 
possible.
Public Comments
    One commenter encouraged SAMHSA to include a requirement that any 
third party acting on behalf of an agency or organization for audits or 
investigations be required to produce a copy of its contract with the 
agency or entity on whose behalf the investigative activities are being 
conducted, in order to ensure that the third party is legitimate and 
has the authority to conduct the audit or investigation. The commenter 
noted that it would be helpful for the entity being audited or 
investigated to have written assurance that the part 2-covered 
information can be disclosed and used for these purposes.
SAMHSA Response
    We thank the commenter for this suggestion and will consider it for 
future rulemaking. We underscore the importance for part 2 programs to 
have processes in place to ensure information is shared appropriately 
with any contractors, subcontractors or legal representatives 
conducting audits and evaluations on behalf of the designated 
individuals, agencies, and entities outlined in Sec.  2.53. SAMHSA 
encourages part 2 programs and third parties to consider using copies 
of these types of contracts as one way to help verify a third-party's 
legitimacy.
    In response to comments discussed above, we are finalizing this 
section with changes. We are removing the word ``periodically'' from 
Sec.  2.53(c)(1) and amending the language of Sec.  2.53(c)(1)(ii) and 
(iii) to help clarify that our intent is to help government agencies 
and third-party payers as they seek to enhance the care and treatment 
of patients with SUD. Additionally, we are amending the wording in 
Sec.  2.53(c)(1)(i) to replace the phrase ``across part 2 programs'' 
with the phrase ``to improve care and outcomes for patients with SUDs 
who are treated by part 2 programs.''
Public Comments on SAMHSA's Proposal To Clarify Activities Related to 
Appropriateness of Care, Medical Necessity, and Utilization of Services 
(Sec.  2.53(c)(2))
Public Comments
    A few commenters supported the proposal, stating that it will 
support quality improvement and cost containment efforts on the part of 
third-party payers and resolve ambiguity, and describing it as an 
essential component that should be retained in final regulations. One 
commenter stated their understanding that the NPRM is aimed at 
clarifying which activities fall within the terms ``audit and 
evaluation'' and does not necessarily expand or increase the activities 
already allowed.
SAMHSA Response
    We thank the commenters for their support.
Public Comments
    Several commenters opposed or expressed concerns about the proposed 
change. A few commenters said it could jeopardize individual patient 
insurance coverage, benefits, and access to care; give third-party 
payers a more defined or interfering role in treatment decisions; and 
subject patients to criminalization or stigma. One commenter noted they 
saw no enforcement measures in place to protect patients. Another 
commenter suggested that the permitted activities could arguably be 
accomplished through health care operations activities already 
permitted under Sec.  2.33(b), following patient consent. Other 
commenters said the proposal exceeded the part 2 authorizing statute 
and raised concerns about the security of the information, believing 
that somehow the information would become available to fraudulent 
individuals marketing the latest SUD miracle cure to patients and 
families. One commenter said that care coordination should be added to 
the list of permitted audit and evaluation activities which would 
involve communication for similar, if not even more beneficial, 
purposes.
SAMHSA Response
    In this rule, SAMHSA is primarily clarifying activities that are 
already permissible under Sec.  2.53. As stated in the proposed rule, 
SAMHSA believes the definition of audit and evaluation should and does 
include reviews to assess whether patients are receiving appropriate 
services in the appropriate setting. Assessing whether a part 2 program 
provides appropriate care is a necessary part of any comprehensive part 
2 program audit or evaluation. With regard to security concerns, Sec.  
2.53 includes numerous safeguards to protect patient identifying 
information disclosed under Sec.  2.53(c)(2). Section 2.53(b), for 
example, requires auditors and evaluators conducting reviews using 
information that has been copied, removed, downloaded or forwarded, to 
maintain and destroy the patient identifying information in a manner 
consistent with the policies and procedures established under Sec.  
2.16. Under newly designated Sec.  2.53(f), patient identifying 
information disclosed under this section may be disclosed only back to 
the part 2 program or other lawful holder from which it was obtained, 
and may be used only to carry out an audit or evaluation purpose, or to 
investigate or prosecute criminal or other activities if authorized by 
a court order. Additionally, Sec.  2.13 requires that any disclosures 
made

[[Page 43028]]

under the part 2 regulations must be limited to that information which 
is necessary to carry out the purpose of the disclosure. We note that 
care coordination is addressed in other parts of this rule.
    For the reasons stated above, we are finalizing these changes as 
proposed.
Public Comments on SAMHSA's Proposal Related to Entities With Direct 
Administrative Control of Part 2 Programs (Sec.  2.53(a)(iii) and 
(b)(iii))
Public Comments
    A few commenters supported the proposed change. One commenter 
described the change as a welcomed clarification.
SAMHSA Responses
    We thank the commenters for their support. SAMHSA is finalizing 
this proposal with minor changes. Specifically, SAMHSA is altering the 
placement and wording of the new language at Sec.  2.53(a) to better 
align it with new language at Sec.  2.53(b).
Public Comments on SAMHSA's Proposal Related to Entities That Provide 
Quality Assurance (Sec.  2.53(d))
Public Comments
    One commenter appreciated the clarification of accrediting 
organizations (AOs) as entities conducting audits and evaluations under 
part 2, stating that it is critical for AOs to review part 2 records to 
ensure that OTPs are meeting certain quality and safety standards in 
the delivery of care to SUD patients.
SAMHSA Responses
    We thank the commenter for their support. We are finalizing this 
change as proposed.
Public Comments on SAMHSA's Proposal Related to Audits and Evaluations 
Mandated by Statute or Regulation (Sec.  2.53(g))
Public Comments
    A few commenters appreciated and supported these clarifications and 
encouraged SAMHSA to finalize them. One commenter suggested that the 
rules should be revised to apply this exception not just for audits and 
evaluations required by law, but for any mandated reporting or 
disclosure required by law.
SAMHSA Response
    We thank the commenter for their support. While the part 2 
authorizing statute includes an exception to the consent requirement 
for the purposes of conducting management and financial audits and 
program evaluations, it does not include such an exception for any type 
of mandated reporting or disclosure.
Public Comments
    One commenter said the proposed rule change exceeds the authority 
in 42 U.S.C. 290dd-2 and should be removed. Another commenter expressed 
concern that the section would act as a catch-all for government 
agencies and their contractors, subcontractors, and legal 
representatives to have access to any information that they determine 
necessary if the state statute mandates the disclosure. The commenter 
believed this would give the government access to any information that 
it deems necessary, including managed care companies working as 
government contractors delivering care to state members. The commenter 
described the proposal as inconsistent with other portions of the 
regulations, without providing any specific details, and suggested that 
SAMHSA should further review the potential implications of this 
section.
SAMHSA Response
    The audit and evaluation exception codified at 42 U.S.C. 290dd-2(B) 
permits disclosure for a wide range of audit and evaluation activities. 
We believe that the proposal to permit audit and evaluation by 
government agencies that are mandated by law is consistent with the 
authorizing statute and current Sec.  2.53(a) and (b). Furthermore, 
redesignated Sec.  2.53(f) reiterates that patient identifying 
information may only be used to carry out the purpose of the audit and 
evaluation. Moreover, Sec.  2.13(a) prohibits the disclosure or use of 
patient identifying information in any civil, criminal, administrative, 
or legislative proceedings conducted by any federal, state, or local 
authority. Therefore, we are finalizing Sec.  2.53(g) as proposed.
Public Comments on SAMHSA's Proposal Related To Updating QIO Language
Public Comments
    One commenter supported SAMHSA's proposed rule change to align part 
2 with current QIO regulations.
SAMHSA Response
    We thank the commenter for their support, and we are finalizing our 
amendments to Sec.  2.53 relating to QIOs as proposed.

L. Orders Authorizing the Use of Undercover Agents and Informants 
(Sec.  2.67)

    SAMHSA is finalizing this section as proposed.
    Under the 1975 final rule, the placement of undercover agents or 
informants in a part 2 program was largely prohibited, other than as 
specifically authorized by a court order for the purpose of 
investigating a part 2 program, or its agents or employees, for 
allegations of serious criminal misconduct. At the time the 1975 final 
rule was promulgated, it was noted that, although the use of undercover 
agents and informants in treatment programs was ordinarily to be 
avoided, there occasionally arise circumstances where their use may be 
justified (42 FR 27809). More narrowly, it was noted that the 
authorizing statute, by itself, did not forbid the use of undercover 
agents or informants, and that the express statutory prohibition 
against direct disclosure of patient records is nevertheless subject to 
the power of the courts to authorize such disclosures under 42 U.S.C. 
290dd-2(b)(2)(C). Building on these statutory considerations, it was 
concluded that the power to regulate the placement of undercover agents 
and informants is limited, and that the importance of criminal 
investigation of part 2 programs offers a legitimate policy basis for 
allowing the placement of undercover agents or informants in such 
programs, given a showing of good cause in specific instances. As 
explained in the preamble to the 1975 final rule, experience has 
demonstrated that medical personnel, no matter how credentialed, can 
engage in the illicit sale of drugs on a large scale, and that the use 
of undercover agents and informants is normally the only effective 
means of securing evidence sufficient to support a successful 
prosecution in such instances. Based on over 40 years of experience 
since then, SAMHSA believes it is still the case that medical personnel 
sometimes engage in the illicit sale or transfer of drugs, and that a 
process for authorizing undercover agents is important to ensure the 
safety of patients in these part 2 programs.
    Under the 1975 final rule, a 60-day time limitation with regard to 
the placement of undercover agents and informants in a part 2 program 
was imposed, with the opportunity for an applicant to seek an extension 
of the court order, for a total of up to 180 days (42 FR 27821). In the 
1987 final rule, that period of placement for undercover agents and 
informants pursuant to a

[[Page 43029]]

court order was extended to 6 months. This policy limitation was 
codified at Sec.  2.67(d)(2).
    Based on consultation with DOJ, the current policy is burdensome 
on, and overly restrictive of, some ongoing investigations of part 2 
programs. Specifically, DOJ has stated that a typical undercover 
operation can often last longer than 6 months, and that 12 months is a 
more realistic timeframe for such operations. Therefore, SAMHSA 
proposed to amend Sec.  2.67(d)(2), to extend the period for court-
ordered placement of an undercover agent or informant to 12 months, 
while authorizing courts to further extend a period of placement 
through a new court order (84 FR 55481).
    In addition, DOJ has stated that the current regulation text is 
ambiguous regarding when the current 6-month, or, as finalized, 12-
month period, should start and stop, in determining whether a court-
order period of placement has elapsed. SAMHSA considered multiple 
policy options regarding the tolling of the time period for an 
undercover placement. We considered having the time period begin on the 
date of the issuance of the court order. Alternatively, SAMHSA also 
considered having the time period begin on the date of placement of the 
undercover agent or informant. In consultations with DOJ, SAMHSA has 
found that there is often a lag of time between the court order and the 
placement of the agent or informant, for many reasons. Therefore, 
starting the time period when the court order is issued could 
significantly curtail the length of time an agent or informant can be 
undercover at a part 2 program. Furthermore, starting the time period 
based on date of placement of the agent or informant would provide 
greater clarity and predictability to law enforcement about exactly how 
long an agent or informant is allowed to be in the field, since the 
agent or informant is aware of the date his or her placement began, but 
may not be aware of the date of the court order. Thus, SAMHSA proposed 
to amend Sec.  2.67(d)(2), to clarify that the proposed 12-month time 
period starts when an undercover agent or informant is placed in the 
part 2 program (84 FR 55481).
    The comments we received on the proposed amendments to Sec.  2.67 
and our responses are provided below.
Public Comments
    Some commenters opposed the presence of undercover officers and 
informants in part 2 programs for any length of time, citing privacy 
concerns, treatment deterrence, ethical violations, and a violation of 
constitutional rights. Some commenters specifically stated this 
proposal would perpetuate stigma. One commenter noted that officers 
should not be allowed in part 2 programs without proper behavioral 
health training.
SAMHSA Response
    The authorizing statute (42 U.S.C. 290dd-2) and the regulations 
promulgated thereunder (42 CFR part 2) contain various safeguards to 
ensure that court orders authorizing the use of undercover agents and 
informants are not misused. For example, there must be an application 
citing certain good cause criteria, a court order noting the good 
cause, and notice provided to the director of the program. Furthermore, 
no information obtained by an undercover agent or informant placed in a 
part 2 program under the court order may be used to investigate or 
prosecute any patient in connection with a criminal matter (42 CFR 
2.67(d)). Thus, we believe the regulations strike the appropriate 
balance between protecting patients from criminal activities by 
employees of part 2 programs and safeguarding the confidentiality and 
rights of these same patients.
Public Comments
    A few commenters noted that this proposal is particularly 
concerning given the simultaneous proposal by SAMHSA (at 84 FR 44568) 
to remove ``allegedly committed by the patient'' from Sec.  2.63 of the 
regulations. These commenters argued that, coupled together, the 
changes would allow the regulations to become a tool of prosecution and 
not recovery.
SAMHSA Response
    As noted above, the authorizing statute (42 U.S.C. 290dd-2) and the 
regulations promulgated thereunder (42 CFR part 2) contain various 
safeguards against misuse of these provisions. Further, Sec.  2.13(a) 
of the regulations specifically provide that ``[t]he patient records 
subject to the regulations in this part may be disclosed or used only 
as permitted by the regulations in this part and may not otherwise be 
disclosed or used in any civil, criminal, administrative, or 
legislative proceedings conducted by any federal, state, or local 
authority. Any disclosure made under the regulations in this part must 
be limited to that information which is necessary to carry out the 
purpose of the disclosure.'' Thus, we believe that these changes will 
serve to protect patients from crimes committed in part 2 programs 
while still safeguarding their confidentiality.
Public Comments
    Many commenters disagreed with extending the length of placement of 
a court-order for an undercover agent or informant from 6 to 12 months, 
stating that this proposal does not purport to improve care 
coordination or patient safety. These commenters believe that this 
proposal may be interpreted by patients and providers as evidence that 
they are not safe in SUD treatment and may further deter treatment, 
stating that, given the current nationwide opioid crisis, it is 
important that SAMHSA strike an appropriate balance and promote greater 
access to comprehensive and coordinated SUD treatment. Commenters also 
requested additional details or examples regarding why 12 months is 
necessary for placement, arguing that there is no evidence that the 
current policy is encumbering ongoing investigations of part 2 programs 
or that allowing undercover agents in part 2 programs would address the 
causes of the opioid crisis. Some commenters noted that this proposal 
is particularly harmful to individuals living in areas that are already 
heavily policed.
SAMHSA Response
    We disagree that this proposal does not improve patient safety. As 
noted above, the intent of the regulations is to protect patients, and 
the regulations at Sec.  2.13(a) provide safeguards to ensure that 
``[t]he patient records subject to the regulations in this part may be 
disclosed or used only as permitted by the regulations in this part and 
may not otherwise be disclosed or used in any civil, criminal, 
administrative, or legislative proceedings conducted by any federal, 
state, or local authority.'' In some situations, in order to build a 
case of wrong-doing in a part 2 program or by an employee in such a 
program, evidence must be collected for more than 6 months. We believe 
that 12 months appropriately strikes a balance between ensuring the 
necessary time for informants and safeguarding the confidentiality of 
patients.

V. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 (PRA), agencies are 
generally required to provide a 30-day notice in the Federal Register 
and solicit public comment before a collection of information 
requirement can be approved by the Office of Management and Budget 
(OMB) for review and approval. Currently, the information collection is 
approved under OMB Control No. 0930-0092. In order to

[[Page 43030]]

fairly evaluate whether changes to an information collection should be 
approved by OMB, section 3506(c)(2)(A) of the PRA requires that SAMHSA 
solicit comment on the following issues: (a) Whether the information 
collection is necessary and useful to carry out the proper functions of 
the agency; (b) The accuracy of the agency's estimate of the 
information collection burden; (c) The quality, utility, and clarity of 
the information to be collected; and (d) recommendations to minimize 
the information collection burden on the affected public, including 
automated collection techniques. We solicited public comment in the 
proposed rule on each of the required issues under section 
3506(c)(2)(A) of the PRA for the following information collection 
requirements (84 FR 44581 through 44584).
    Under the PRA, the time, effort, and financial resources necessary 
to meet the information collection requirements referenced in this 
section are to be considered in rule making. SAMHSA explicitly sought, 
and considered, public comment on our assumptions as they relate to the 
PRA requirements summarized in this section.
    This final rule includes changes to information collection 
requirements, that is, reporting, recordkeeping or third-party 
disclosure requirements, as defined under the PRA (5 CFR part 1320). 
Some of the provisions involve changes from the information collections 
set out in the previous regulations. Below, SAMHSA briefly discusses 
each finalized proposal and whether each includes changes to 
information collection requirements.
    In section IV.B. of this final rule, SAMHSA is finalizing its 
proposal to modify the existing definition of ``Records'' in Sec.  2.11 
to conform with other finalized revisions in this final rule. See 
section IV.B. for further information about this finalized proposal. 
SAMHSA does not believe this finalized proposal will result in any 
change in collection of information requirements since unrecorded 
information is, by its nature, not collected.
    In section IV.C. of this final rule, SAMHSA is finalizing 
amendments to Sec.  2.12 to clarify in that section that non-part 2 
entities may record SUD treatment about a patient in its own records 
without triggering part 2 provided that such providers are able to 
differentiate their records from those received from a part 2 program 
and part 2 records received from lawful holders. See section IV.C. for 
further information about this finalized proposal. As stated in that 
section, SAMHSA is finalizing new regulatory text to clarify existing 
policies; thus, SAMHSA is not finalizing any changes to any collection 
of information requirements. Furthermore, we believe that the 
clarification represents standard practice in many, if not all, part 2 
programs and among other lawful holders. That is, non-part 2 entities 
are already either segregating or segmenting any SUD records received 
from a part 2 program or deciding not to do so, based on their standard 
operations. This finalized proposal will merely clarify that if the 
non-part 2 entity does, in fact, segregate or segment these records, 
the recording of information about a SUD and its treatment by a non-
part 2 entity does not by itself render a medical record subject to the 
restrictions of 42 CFR part 2. Thus, SAMHSA does not believe this 
finalized proposal results in any changes in collection of information 
requirements.
    In section IV.D. of this final rule, SAMHSA is finalizing 
amendments to Sec.  2.31, to allow patients to consent to disclosure of 
their information to entities, without naming the specific individual 
receiving this information on behalf of a given entity. See section 
IV.D. for further information about this finalized proposal. This 
finalized proposal may result in providers needing to update their 
standard consent forms to allow for certain disclosures to such 
entities; that additional burden is discussed in the Regulatory Impact 
Analysis, below. SAMHSA believes this finalized proposal may result in 
part 2 program disclosing more information to certain entities. We 
discuss this additional burden, in total, with the additional 
collection of information requirements that may result from the 
finalized proposals in sections IV.J., and IV.K, below. This amendment 
is also anticipated to decrease burden on patients by removing barriers 
to sharing their own information in order to receive benefits, 
services, or treatment, but we do not have the data to quantify this 
reduction.
    In section IV.E. of this final rule, SAMHSA is finalizing 
modifications to the language in Sec.  2.32(a)(1), to remove the 
superfluous language that has contributed to confusion regarding the 
restrictions on re-disclosure. See section IV.E. for further 
information about this finalized proposal. Since part 2 providers are 
already required, upon disclosure, to provide a written statement 
notifying the recipient of the applicability of 42 CFR part 2 to any 
re-disclosure of the protected record, consistent with the prior 
revisions to part 2, including the 2017 final rule (82 FR 6106), SAMHSA 
does not believe this finalized modification of the language results in 
any changes in collection of information requirements.
    In section IV.F. of this final rule, SAMHSA is finalizing with 
modification its proposal to specify in regulatory text an illustrative 
list of 17 permitted activities for the purpose of disclosures under 
Sec.  2.33. SAMHSA is modifying the list of permitted activities to add 
to Sec.  2.33 that disclosures for care coordination and case 
management, and disclosures for other payment and/or health care 
operations activities not expressly prohibited under this provision, 
are also permitted. See section IV.F. for further information about 
this finalized proposal. As noted in that section, SAMHSA has 
previously stated that most of these activities are permitted (83 FR 
241); this language will only further clarify the previously finalized 
policy. Moreover with regard to the addition of care coordination and 
case management activities to Sec.  2.33, SAMHSA does not believe that 
this finalized modification of the language will result in providers 
seeking additional consents to disclosure in the future, nor in any 
additional burden for providers with regard to documenting consents. 
Therefore, SAMHSA does not believe this finalized proposal results in 
any changes in collection of information requirements.
    In section IV.G. of this final rule, SAMHSA is finalizing 
provisions to expand the scope of Sec.  2.34(d) to make non-OTP 
providers with a treating provider relationship eligible to query a 
central registry with their patient's consent to determine whether a 
patient is already receiving treatment through a member program to 
prevent duplicative enrollments and prescriptions for methadone or 
buprenorphine, as well as to prevent any adverse effects with other 
prescribed medications. See section IV.G. for further information about 
this finalized proposal. Based on SAMHSA's research, the policies and 
procedures governing central registries vary widely by each state; in 
fact, many states do not have central registries in place. Because of 
this lack of information, it is not possible to estimate either the 
number of additional queries which central registries may receive as a 
result of this finalized proposal or the time or effort required to 
answer these queries. Therefore, it is difficult to estimate any 
additional collection of information requirements which may result from 
this finalized proposal. Instead, SAMHSA requested that central 
registries and providers that would query central registries provide 
comments on any additional

[[Page 43031]]

information collection requirements this finalized proposal would cause 
and any resulting burden. SAMHSA did not receive any comments that 
would improve estimates of this burden. However, this provision removes 
barriers and expands eligibility, without requiring non-OTP providers 
to query the central registry.
    In section IV.H. of this final rule, SAMHSA is finalizing its 
proposal to add a new Sec.  2.36 permitting part 2 programs to report 
any data for controlled substances dispensed or prescribed to patients 
to PDMPs, as required by the applicable state law. See section III.G. 
for further information about this finalized proposal. SAMHSA 
anticipates that this finalized proposal may result in additional 
burden for part 2 programs choosing to report to PDMPs in two ways. If 
a part 2 program chooses to report to a PDMP, the program will need to 
update its consent forms to request consent for disclosure to PDMPs. 
That burden is discussed in the Regulatory Impact Analysis, below. The 
second part of the finalized proposal permits part 2 programs to report 
any data for controlled substances dispensed to patients to PDMPs, as 
required by the applicable state law. To estimate the additional 
collection of information requirements associated with this finalized 
proposal, SAMHSA used the average number of opiate treatment admissions 
from SAMHSA's 2014-2016 Treatment Episode Data Set (TEDS) as the 
estimate of the number of clients treated on an annual basis by part 2 
programs (531,965). Although not all programs would need to report this 
information under state law or may choose to do so, SAMHSA has used 
this number to be conservative and comprehensive of any future burden 
if states require reporting in the future. TEDS ``comprises data that 
are routinely collected by States in monitoring their individual 
substance abuse treatment systems. In general, facilities reporting 
TEDS data are those that receive State alcohol and/or drug agency funds 
(including Federal Block Grant funds) for the provision of substance 
abuse treatment.'' \17\ Although TEDS does not represent all of the 
admissions to part 2 programs, as reporting varies by state, SAMHSA 
believes it represents the vast majority of admissions. Conservatively, 
we assumed that each of these clients would consent to the re-
disclosure of their information to PDMPs and would be dispensed 
medication required to be reported to a PDMP. SAMHSA assumes that part 
2 programs, based on other state and federal requirements, already are 
required to query PDMP databases; therefore, SAMHSA does not include 
registration and infrastructure costs in this estimate. For example, 
several states require medical directors of OTPs to query their 
respective state PDMPs at minimum intervals, including IN, MN, MI, ND, 
NC, RI, TN, VT, WA, and WV.\18\ Based on discussions with providers, 
SAMHSA also estimates that, in addition to an initial update to the 
PDMP database for existing patients, the PDMP database would typically 
need to be accessed and updated quarterly for each patient, on average. 
Likewise, based on discussion with providers, SAMHSA believes accessing 
and reporting to the database would take approximately 2 minutes per 
patient, resulting in a total annual burden of 8 minutes (4 database 
accesses/updates x 2 minutes per access/update) or 0.133 hours annually 
per patient. For the labor costs associated with this activity, SAMHSA 
used the average wage rate of $24.01 \19\ per hour for substance abuse, 
behavioral disorder, and mental health counselors (multiplied by two to 
account for benefits and overhead costs) to estimate a total burden in 
year 1 for the initial update of the PDMP database of $851,498 (531,965 
clients x 2 minutes (0.033 hours) per access/update x $48.02/hour) and 
an annual burden in each year of $3,405,992 (531,965 clients x 0.133 
hours x $48.02/hour). Therefore, we estimate that this finalized 
proposal will result in an additional cost of $4,085,489 ($851,498 + 
$3,405,992), as reflected in Table 1, below.
---------------------------------------------------------------------------

    \17\ https://wwwdasis.samhsa.gov/webt/information.htm.
    \18\ https://www.pdmpassist.org/pdf/Resources/Use%20of%20PDMP%20data%20by%20opioid%20treatment%20programs.pdf.
    \19\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, May 2019, Substance Abuse, 
Behavioral Disorder, and Mental Health Counselors, Standard 
Occupations Classification code (21-1018) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------

    In section IV.I. of this final rule, SAMHSA is finalizing an 
addition to Sec.  2.51 to allow disclosure of patient information 
during natural and major disasters. See section IV.I. for further 
information about this finalized proposal. Because this finalized 
proposal by its very nature does not require additional consent 
requirements or other paperwork, SAMHSA does not believe it will result 
in any changes in collection of information requirements. Providers, 
under their own policies and procedures or other laws, may need to keep 
track of the disclosures made, which, could require additional 
paperwork. Such requirements, however, are not discussed in this rule, 
nor does SAMHSA have any way of estimating them, as policies and 
procedures may vary across providers.
    In section IV.J., and section IV.K. of this final rule, SAMHSA is 
finalizing changes with modifications to amend Sec. Sec.  2.52 and 2.53 
to allow or clarify the ability to make certain disclosures without 
patient consent. First, in section IV.J. of this final rule, SAMHSA is 
finalizing to modify the text of Sec.  2.52(a) in order to allow 
research disclosures of part 2 data from a HIPAA-covered entity or 
business associate to individuals and organizations who are neither 
HIPA-covered entities, nor subject to the Common Rule, provided that 
any such data will be disclosed in accordance with the HIPAA Privacy 
Rule. See section IV.J. for further information about this finalized 
proposal. Second, SAMHSA is clarifying allowed disclosures for audit 
and evaluation purposes under Sec.  2.53 for activities undertaken by a 
federal, state, or local governmental agency or third-party payer to 
identify needed actions to improve the delivery of care, to manage 
resources effectively to care for patients, and/or to determine the 
need for adjustments to payment policies to enhance care or coverage 
for patients with SUD. SAMHSA is also finalizing language to clarify 
that (1) audits and evaluations may include reviews of appropriateness 
of medical care, medical necessity, and utilization of services; (2) 
part 2 programs may disclose information, without consent, to non-part 
2 entities that have direct administrative control over such part 2 
programs; and (3) entities conducting audits or evaluations in 
accordance with Sec.  2.53(a) and (b) may include accreditation or 
similar types of organizations focused on quality assurance. Further, 
SAMHSA is finalizing the proposal under Sec.  2.53(g) to permit patient 
identifying information to be disclosed to government agencies in the 
course of conducting audits or evaluations mandated by statute or 
regulation, if those audits or evaluations cannot be carried out using 
de-identified information. Finally, SAMHSA is finalizing updates to 
language related to QIOs. See section IV.K. for further information 
about these finalized proposals. As stated in that section, SAMHSA 
believes that the regulations already permit audits and evaluations for 
reviews of appropriateness of medical care, medical necessity, and 
utilization of services. Likewise, SAMHSA also believes that the 
current regulations permit disclosure to a non-part 2 entity with 
direct administrative control over a part 2 program and to 
accreditation

[[Page 43032]]

and similar organizations. Therefore, although SAMHSA is finalizing 
language to clarify any confusion that may exist, it believes that 
these activities are already permitted and that they will not, 
therefore, result in any new collection of information requirements or 
any other burden. It also believes updating the QIO language will not 
create new collection of information requirements or increase burden. 
As noted above, SAMHSA is also finalizing a provision to clarify that 
patient identifying information may be disclosed to government agencies 
and third-party payers to identify needed actions at the agency or 
payer level, although we are removing the expectation that these 
reviews would take place periodically due to ambiguity about that term 
and to avoid interfering with currently-established audit schedules. We 
are not revising our burden estimates as a result of this modification 
because the frequency of these reviews is unaffected by the change. 
Additionally, SAMHSA is adopting a new provision to allow patient 
identifying information to be shared with government agencies in the 
course of conducting audits or evaluations mandated by statute or 
regulation, if those audits and evaluations cannot be carried out using 
de-identified information. In section IV.D of this final rule, SAMHSA 
is also finalizing a proposal to allow disclosure to entities with 
patient consent. SAMHSA believes that the finalized proposals in 
sections IV.D., J, and K, may result in additional collection of 
information requirements, as part 2 programs may be asked to disclose 
information to agencies and entities as a result. Although SAMHSA is 
not able to anticipate the increase in these disclosures, to estimate 
the potential cost, we first estimated the number of potentially 
impacted part 2 programs based on the anticipated number of requests 
for a disclosure in a calendar year. SAMHSA used the average number of 
substance abuse treatment admissions from SAMHSA's 2014-2016 TEDS 
(1,658,732) as the number of patients treated annually by part 2 
programs. SAMHSA then estimated that part 2 programs would need to 
disclose an average of 15 percent of these records (248,810) as a 
result of these finalized proposals. We then estimated that 10 percent 
or 24,881 (248,810 x 10%) of impacted records would be held by part 2 
programs who would use paper records to comply with these requests for 
disclosure reports while the remaining 90% or 223,929 (248,810 x 90%) 
would use a health IT system. For part 2 programs using paper records, 
SAMHSA expects that a staff member would need to gather and aggregate 
the information from paper records, and manually track disclosures; for 
those part 2 programs with a health IT system, we expect records and 
tracking information would be available within the system.
    SAMHSA assumed medical record technicians would be the staff with 
the primary responsibility for compiling the information for a list of 
disclosures from both paper records and health IT systems. The average 
hourly rate for medical record and health information technicians is 
$22.40.\20\ In order to account for benefits and overhead costs 
associated with staff time, we multiplied the hourly wage rate by two 
for a total average hourly wage rate of $44.80. Absent any existing 
information on the amount of time associated with producing a list of 
disclosures, SAMHSA assumed it would take a medical record technician 4 
hours, on average, to produce the information from paper records at a 
cost of $179.20 (4 hours x $44.80/hour) and 0.25 hours, on average, to 
produce information from a health IT system at a cost of $11.20 (0.25 
hours x $44.80/hour). Finally, SAMHSA assumes that agencies will 
request that these disclosures be made on secure, online databases, and 
would not require notification via email or first class mail, thus 
resulting in no additional cost to transmit this information. Based on 
these assumptions, SAMHSA estimates that this finalized proposal will 
result in an additional cost of $6,966,680 {(24,881 requests x $179.20 
per request) + (223,929 requests x $11.20 per request){time} , as 
reflected in Table 1, below.
---------------------------------------------------------------------------

    \20\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, May 2019, Medical Dosimetrists, 
Medical Records Specialists, and Health Technologists and 
Technicians, All Other, Standard Occupations Classification code 
(29-2098) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------

    In section IV.L. of this final rule, SAMHSA is finalizing 
amendments to Sec.  2.67 to extend the period for court-ordered 
placement of an undercover agent or informant to 12 months, while 
authorizing courts to further extend a period of placement through a 
new court order. In that section, SAMHSA is also finalizing changes to 
explicitly state when the 12- month period begins to run. See section 
IV.L. for further information about this finalized proposal. The 
requirements of the Paperwork Reduction Act do not apply ``During the 
conduct of a Federal criminal investigation or prosecution, or during 
the disposition of a particular criminal matter'' (5 CFR 1320.4(a)(1)), 
or to information collections by the federal judiciary or state courts 
(5 CFR 1320.3(a)).\21\
---------------------------------------------------------------------------

    \21\ Except, for this latter case, in the rare circumstance that 
those information collections are conducted or sponsored by an 
executive branch department (5 CFR 1320.3(a)).
---------------------------------------------------------------------------

    Below, SAMHSA summarizes the estimated cost of the change in 
collection of information requirements discussed above. Along with 
publication of this rule, SAMHSA will submit the information collection 
revisions associated with this rule to the Office of Management and 
Budget for approval. After receiving a final action, SAMHSA swill 
publish a notice in the Federal Register to inform the public.

                                                          Table 1: Annualized Burden Estimates
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                          Annual  number
                                                of         Responses per       Total         Hours per     Total hourly     Hourly wage    Total hourly
                                            respondents     respondent       responses       response         burden           cost            cost
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   2.36.............................         531,965               5       2,659,825           0.033          88,661          $48.02      $4,257,491
Sec.  Sec.   2.31, 2.52, 2.53 (Paper              24,881               1          24,881               4          99,524           44.80       4,458,675
 Records)...............................
Sec.  Sec.   2.31, 2.52, 2.53 (Health IT         223,929               1         223,929            0.25          55,982           44.80       2,508,005
 Systems)...............................
                                         ---------------------------------------------------------------------------------------------------------------
    Total...............................         780,775  ..............       2,908,633  ..............         244,167  ..............      11,224,171
--------------------------------------------------------------------------------------------------------------------------------------------------------


[[Page 43033]]

VI. Regulatory Impact Analysis

A. Statement of Need

    This final rule is necessary to update the Confidentiality of 
Substance Use Disorder Patient Records regulations at 42 CFR part 2 to 
respond to the emergence of the opioid crisis, with its catastrophic 
impact on patients and corresponding clinical and safety challenges for 
providers. The goal of this final rule is to clarify existing 
requirements in 42 CFR part 2 and reduce barriers to information 
sharing to ensure appropriate care and patient safety.
    As noted in the tables below, SAMHSA believes that the finalized 
policies in this final rule will result in some near-term non-recurring 
and annual recurring financial burdens. We have weighed these potential 
burdens against the potential benefits, and believe, on balance, the 
potential benefits outweigh any potential costs. Specifically, the 
finalized proposals in this rule are meant to allow providers to better 
understand the needs of their patients by clarifying the requirements 
under part 2 and to break down barriers to information sharing among 
part 2 programs and other providers. SAMHSA believes this information 
sharing would benefit patients because both part 2 programs and other 
providers would be able to more fully understand the patient's health 
history and avoid dangerous and even lethal adverse drug events. In 
addition, these finalized proposals are also intended to protect and 
empower patients by giving them more control over their consent and 
control of their records, for example, by allowing them to consent to 
disclosure to entities, should they so choose. Furthermore, in drafting 
these finalized proposals, SAMHSA was cognizant of privacy concerns and 
specifically drafted these finalized proposals to protect the privacy 
of patients; for example, the finalized proposal regarding OTP provider 
disclosure to PDMPs requires the consent of the patient. SAMHSA 
believes that increasing patient safety and the empowerment of patients 
will lead to better health outcomes, therefore balancing any burdens 
discussed below and any remaining privacy concerns.

B. Overall Impact

    SAMHSA has examined the impacts of this final rule as required by 
Executive Order 12866 on Regulatory Planning and Review (September 30, 
1993), Executive Order 13563 on Improving Regulation and Regulatory 
Review (January 18, 2011), the Regulatory Flexibility Act (RFA) 
(September 19, 1980, Pub. L. 96-354), section 1102(b) of the Social 
Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 
(March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism 
(August 4, 1999), the Congressional Review Act (5 U.S.C. 804(2)), and 
Executive Order 13771 (Reducing and Controlling Regulatory Costs). 
Executive Orders 12866 and 13563 direct agencies to assess all costs 
and benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). Section 3(f) of Executive 
Order 12866 defines a ``significant regulatory action'' as an action 
that is likely to result in a rule: (1) Having an annual effect on the 
economy of $100 million or more in any 1 year, or adversely and 
materially affecting a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or state, 
local or tribal governments or communities (also referred to as 
``economically significant''); (2) creating a serious inconsistency or 
otherwise interfering with an action taken or planned by another 
agency; (3) materially altering the budgetary impacts of entitlement 
grants, user fees, or loan programs or the rights and obligations of 
recipients thereof; or (4) raising novel legal or policy issues arising 
out of legal mandates, the President's priorities, or the principles 
set forth in the Executive Order. We have a conducted a regulatory 
impact analysis for this rule, which we present here.
    As discussed in the regulatory impact analysis, we believe this 
final rule meets the necessary is a de-regulatory action because it 
eliminates some of the burdens of, and barriers to, SUD treatment 
record-keeping previously imposed by 42 CFR part 2. The goal of this 
final rule is to improve the coordination of care for persons with SUD 
by reducing administrative burdens related to maintenance of 
disclosures and patient records for downstream, non-part 2 providers. 
By facilitating care coordination in this way, we anticipate primary 
care and general medical providers will be more able and more willing 
to coordinate care for their patients with SUD, and by extension, that 
quality of care and safety outcomes in the context of the opioids 
epidemic will improve. This final rule also seeks to facilitate 
appropriate maintenance of SUD patient records and communications, as 
by clarifying that the rule for disclosing SUD treatment records in a 
``medical emergency'' can also apply in natural and major disaster 
situations. Here again, the goal is de-regulatory, and will reduce the 
administrative burden for providers in disclosing SUD treatment records 
in appropriate situations, while also improving care coordination, 
access to care, and safety during medical emergencies. While we are 
unable to quantify the benefits related to access and quality of care 
as well as improved safety and health outcomes for patients with SUD, 
we believe them to be substantial and to outweigh any additional 
regulatory burden or economic impacts that may result from the policies 
finalized in this rule.
    The RFA requires agencies to analyze options for regulatory relief 
of small businesses. For purposes of the RFA, small entities include 
small businesses (including independent contractors), nonprofit 
organizations, and small governmental jurisdictions. Individuals and 
states are not included in the definition of a small entity. The final 
rule will allow patients to consent to disclosure of their information 
to entities; permit part 2 programs to report data for controlled 
substances dispensed to patients to PDMPs with patient consent; and 
allow part 2 programs to comply with disclosure requests from federal, 
state, or local governmental agencies, third-party payers and 
researchers. These finalized proposals will result in additional 
reporting burden as well as near-term non-recurring and annual 
recurring regulatory impacts to part 2 programs. As shown in Table 2 
and as discussed in the Collection of Information Requirements (Section 
V), we estimate the average cost impact per substance abuse treatment 
admission for staff training, updates to consent forms, and disclosures 
to agencies will be $4.32 in year 1 ($7,168,135 / 1,658,732 patients) 
and $4.20 in years 2 through 10 ($6,966,680 / 1,658,732 patients). For 
opiate treatment patients, we also estimate the average cost impact for 
disclosure to PDMPs to be $8.00 per patient in year 1 ($4,257,491 / 
531,965 patients) and $6.40 in years 2 through 10 ($3,405,992 / 531,965 
patients). When this is added to the costs for staff training, updates 
to consent forms, and disclosures to agencies, the aggregate cost 
impact per opiate treatment admission is $12.32 in year 1 and $10.60 in 
years 2 through 10. While we are unable to determine how many part 2 
programs qualify as small businesses based on the minimum threshold for 
small business size of $38.5 million

[[Page 43034]]

(https://www.sba.gov/federal-contracting/contracting-guide/size-standards), we believe that on a per-patient basis, this final rule 
will not significantly affect part 2 treatment programs of any size. 
SAMHSA has not prepared an analysis for the RFA because it has 
determined, and the Secretary certifies, that this final rule does not 
have a significant economic impact on a substantial number of small 
entities.
    As further described in section V., above, when estimating the 
total costs associated with changes to the 42 CFR part 2 regulations, 
SAMHSA estimated costs related to collection of information for the 
finalized changes to Sec. Sec.  2.31, 2.52, 2.53, and (new) 2.36. In 
addition, we estimate that there may be additional burden related to 
updating consent forms as a result of the finalized proposals in 
Sec. Sec.  2.31 and (new) 2.36. In section IV.D. of this final rule, 
SAMHSA is finalizing its proposal to amend Sec.  2.31 to allow patients 
to consent to disclosure of their information to entities, without 
naming the specific individual receiving this information on behalf of 
a given entity. In section IV.H. of this final rule, SAMHSA is 
finalizing its proposal to add a new Sec.  2.36, permitting part 2 
programs to report to PDMPs; patients must consent to disclosure before 
this reporting can occur. See sections IV.D. and IV.H. for further 
information about these finalized proposals. These finalized proposals 
may result in providers needing to update their standard consent forms 
to allow for certain disclosures. As stated in the 2016 proposed rule 
(81 FR 7009 through 7010), based from a 2008 study from the Mayo Clinic 
Health Care Systems,\22\ the reported cost to update authorization 
forms was $0.10 per patient. Adjusted for inflation,\23\ costs 
associated with updating the patient consent forms in 2019 would be 
$0.12 per patient (2018 dollars). SAMHSA used the average number of 
substance abuse treatment admissions from SAMHSA's 2014-2016 TEDS 
(1,658,732) as an estimate of the number of clients treated on an 
annual basis by part 2 programs. Therefore, the total cost burden 
associated with updating the consent forms to reflect the updated 42 
CFR part 2 regulations is estimated to be a one-time cost of $199,048 
(1,658,732 * $0.12), as reflected in Table 2, below. Further, the 
finalized proposal to amend Sec.  2.31 is likely to result in a 
decrease in the number of consents to disclosures that patients must 
make, due to the ability to consent to entities without naming a 
specific individual. Because of a lack of data regarding the number of 
consents patients have made to multiple individuals within the same 
entity which would become duplicative as a result of the finalized 
amendment, we are unable to quantify the reduction in burden related to 
the expected reduction in the number of required consents.
---------------------------------------------------------------------------

    \22\ Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., 
Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs 
and patient perceptions of privacy safeguards at Mayo Clinic. Joint 
Commission Journal on Quality and Patient Safety, 34(1), 27-35.
    \23\ https://www.bls.gov/cpi/tables/supplemental-files/historical-cpi-u-201905.pdf.
---------------------------------------------------------------------------

    In prior proposed rules (e.g., 81 FR 7009), SAMHSA estimated one 
hour of training per staff to achieve proficiency in the 42 CFR part 2 
regulations. SAMHSA assumes that training associated with the new 
requirements discussed in this final rule can be accomplished within 
the existing one hour of training; therefore, we are not finalizing any 
additional costs for training counseling staff.
    With regard to training materials, SAMHSA will assume 
responsibility for updating and distributing training materials in year 
1 at no cost to part 2 programs. A 2017 study by the Association for 
Talent Development determined the average time to develop training 
materials for one hour of classroom instruction is 38 hours.\24\ 
Because we assume that SAMHSA will be updating rather than developing 
training materials, we estimate the time for training development to be 
one-half that of developing new materials, or 19 hours and would be 
performed by an instructor with experience in healthcare at the average 
wage rate of $63.34 per hour for a health specialty teacher \25\ and 
multiplied the average wage rate by 2 in order to account for benefits 
and overhead costs. Based on these assumptions, the updating of 
training materials is estimated to cost $2,407 (19 hours x $126.68/
hour). SAMHSA estimates that the updates to consent forms (Sec. Sec.  
2.31 and 2.36) will be one-time costs the first year the final rule 
will be in effect and will not carry forward into future years. Staff 
training costs other than those associated with updating training 
materials are assumed to be ongoing annual costs to part 2 programs, 
also beginning in the first year that the final rule is in effect. 
Costs associated with disclosing information to PDMPs (Sec.  2.36) and 
agencies (Sec.  2.53) are assumed to be ongoing annual costs to part 2 
programs.
---------------------------------------------------------------------------

    \24\ https://www.td.org/insights/how-long-does-it-take-to-develop-one-hour-of-training-updated-for-2017.
    \25\ Bureau of Labor Statistics, U.S. Department of Labor, 
Occupational Employment Statistics, May 2019, Health Specialty 
Teachers, Postsecondary, Standard Occupations Classification code 
(25-1071) [www.bls.gov/oes/current/oes_nat.htm].
---------------------------------------------------------------------------

Public Comments
    A few commenters expressed their belief that SAMHSA has 
underestimated the associated training time required for staff to 
achieve proficiency with the proposed policies. However, these 
commenters did not suggest a specific alternative estimate.
SAMHSA Response
    We believe that the finalized policies do not substantively add 
requirements for counseling staff, but are instead modifications, 
revisions, and clarifications to existing requirements. Therefore, we 
believe the previously approved estimate of one hour is still 
appropriate and are not making any updates as a result of the comments 
received.
    In section III.L. of this final rule, SAMHSA is finalizing 
amendments to Sec.  2.67 to extend the period for court-ordered 
placement of an undercover agent or informant to 12 months, while 
authorizing courts to further extend a period of placement through a 
new court order. In that section, SAMHSA is also finalizing changes to 
explicitly state when the 12- month period begins to run. See section 
III.L. for further information about this finalized proposal. Since the 
requirements for seeking this court order will be the same, and the 
finalized proposal will merely be extending the time of the court 
order, SAMHSA does not believe this finalized proposal results in any 
additional regulatory burden.
    Based on the above, SAMHSA estimates in the first year that the 
final rule will be in effect, the costs associated with the finalized 
updates to 42 CFR part 2 will be $11,425,625 as shown in Table 2. In 
years 2 through 10, SAMHSA estimates that costs will be $10,372,672. 
Over the 10-year period of 2020-2029, the total undiscounted cost of 
the finalized changes will be $104,779,677 in 2018 dollars. As shown in 
Table 3, when future costs are discounted at 3 percent or 7 percent per 
year, the total costs become approximately $89.5 million or $73.8 
million, respectively. These costs are presented in the tables below.

[[Page 43035]]



                                                     Table 2--Total Cost of 42 CFR Part 2 Revisions
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                     Disclosure to  Staff training    Updates to    Disclosures to
                               Year                                      PDMPs           costs       consent forms     agencies          Total costs
--------------------------------------------------------------------------------------------------------------------------------------------------------
2020..............................................................      $4,257,491          $2,407        $199,048      $6,966,680           $11,425,625
2021..............................................................       3,405,992               0               0       6,966,680            10,372,672
2022..............................................................       3,405,992               0               0       6,966,680            10,372,672
2023..............................................................       3,405,992               0               0       6,966,680            10,372,672
2024..............................................................       3,405,992               0               0       6,966,680            10,372,672
2025..............................................................       3,405,992               0               0       6,966,680            10,372,672
2026..............................................................       3,405,992               0               0       6,966,680            10,372,672
2027..............................................................       3,405,992               0               0       6,966,680            10,372,672
2028..............................................................       3,405,992               0               0       6,966,680            10,372,672
2029..............................................................       3,405,992               0               0       6,966,680            10,372,672
                                                                   -------------------------------------------------------------------------------------
    Total.........................................................      34,911,423           2,407         199,048      69,666,800           104,779,677
--------------------------------------------------------------------------------------------------------------------------------------------------------


                       Table 3--Total Cost of 42 CFR Part 2 Revisions--Annual Discounting
----------------------------------------------------------------------------------------------------------------
                                                                                    Total cost      Total cost
                              Year                                  Total costs       with 3%         with 7%
                                                                                    discounting     discounting
----------------------------------------------------------------------------------------------------------------
2020............................................................     $11,425,625     $11,092,840     $10,678,154
2021............................................................      10,372,672       9,777,239       9,059,894
2022............................................................      10,372,672       9,492,465       8,467,190
2023............................................................      10,372,672       9,215,985       7,913,262
2024............................................................      10,372,672       8,947,558       7,395,572
2025............................................................      10,372,672       8,686,950       6,911,750
2026............................................................      10,372,672       8,433,932       6,459,579
2027............................................................      10,372,672       8,188,283       6,036,990
2028............................................................      10,372,672       7,949,790       5,642,047
2029............................................................      10,372,672       7,718,242       5,272,941
                                                                 -----------------------------------------------
    Total.......................................................     104,779,677      89,503,284      73,837,379
----------------------------------------------------------------------------------------------------------------

    We estimated the total annual cost of this rule to be $10,372,672, 
ignoring initial transition costs (such as training in the first year). 
In the Paperwork Reduction Act section, we also estimated that the 
number of clients treated annually by a Part 2 program to be 1,658,732. 
Thus, the cost and benefits would break even if the average benefit 
were $6.25 per year per client (even if the benefit accrued to 
providers or others, rather than directly the client). Based on public 
comments received from affected providers, organizations and entities 
that this rule will be burden reducing, a deregulatory description 
seems reasonable. In addition, we note that the estimated costs of this 
rule come after the first year from disclosure to PDMPs and new 
disclosures to agencies. However, this rule removes regulatory barriers 
to those disclosures. It does not require those disclosures.
    Because disclosure to PDMPs is permitted, but not required, by this 
rule, we assume that such disclosures will only be made when providers 
(and/or states) have decided that the benefits of that disclosure 
outweigh the costs. Similarly, this final rule permits new disclosures 
to agencies, including for audit or research purposes, but does not 
itself require them. As described above, the rule contains other 
deregulatory provisions that we have not quantified, such as treatment 
records from non-Part 2 providers not being covered by Part 2, 
clarifying sanitation procedures, reducing restrictions on disclosure 
to organizations with patient consent, and reducing burden/barriers in 
emergency situations and for research. Thus, this rule is an Executive 
Order 13771 deregulatory action.

C. Alternatives Considered

    In drafting this final rule, SAMHSA considered potential policy 
alternatives and, when possible, finalized the least burdensome 
alternatives. For example, in section IV.C. of this final rule, we 
considered finalizing, specifically, the technological and operational 
requirements required for segmenting records but decided to allow 
providers more latitude to define their best practices, understanding 
that specific requirements could pose more burden, specifically to 
small and rural providers. In section IV.D. of this final rule, SAMHSA 
also considered only allowing patients to allow disclosure to state, 
federal, and local government entities that provide benefits. Instead, 
however, it decided to finalize to allow patients to more broadly 
specify disclosure to entities, so that patients can more widely 
control their information. On balance, SAMHSA believes that the 
finalized proposals in this rule most appropriately balance the often-
competing interests of burden, privacy, and patient safety.

D. Conclusion

    SAMHSA finalized amendments to 42 CFR part 2. With respect to our 
finalized proposals to revise the regulations, SAMHSA does not believe 
that the finalized proposals will have a significant impact. As 
discussed above, we are not preparing an analysis for the RFA because 
SAMHSA has determined, and the Secretary certifies, that this final 
rule will not have a significant economic impact on a substantial 
number of small entities. SAMHSA is not preparing an analysis for 
section 1102(b) of the RFA because it has determined, and the Secretary 
certifies, that this final rule will not have a significant impact on 
the operations of a substantial number of small rural hospitals. In 
addition, SAMHSA does not believe this final rule imposes substantial 
direct effects on (1) states,

[[Page 43036]]

including subdivisions thereof, (2) the relationship between the 
federal government and the states, or (3) the distribution of power and 
responsibilities among the various levels of government. Therefore, the 
requirements of Executive Order 13132 on federalism would not be 
applicable.
    SAMHSA invited public comments on this section and requests any 
additional data that would help it to determine more accurately the 
impact on individuals and entities of the proposed rule. Below are the 
comments we received as well as our responses.
Public Comments
    A few commenters expressed their belief that significant 
Information Technology barriers involving storing, segmenting, and 
disclosing/exchanging part 2 information exist which may create 
disincentives to provide SUD-related services or delays in sharing a 
patient's SUD record. One commenter recommended that SAMHSA issue a 
Request for Information to solicit input regarding the specific Health 
Information Technology (HIT) barriers involved and take steps to 
address those barriers accordingly. Another commenter stated that while 
the proposed policies would greatly expand options for our existing 
service delivery model by allowing clinics to store SUD records in 
their Electronic Health Record (EHR), the additional capital expense 
related to purchasing and deploying an upgraded EHR would be 
prohibitive.
SAMHSA Response
    We understand the commenters' concerns and acknowledge that 
Information Technology challenges and expenses related to the policies 
being finalized in this rule may exist for certain clinics that provide 
SUD-related services. However, we believe the specific challenges are 
not applicable to all SUD providers and are highly unique to those who 
may experience them to the point where estimating the related expenses 
would require an assessment of each provider's specific HIT 
implementation. With specific regard to the cost of upgrading EHR 
systems, we do not believe the finalized policies would require such an 
investment and leave the decision to do so to the discretion of each 
clinic. We thank the commenter for their recommendation that a Request 
for Information soliciting input on specific HIT barriers be issued, 
and we will take it under consideration in consultation with ONC.
Public Comments
    One commenter expressed its concern regarding additional costs to 
states to operationalize the segregation of data for PDMPs which may 
require technological assistance from vendors.
SAMHSA Response
    We understand the commenter's concerns and acknowledge that 
additional costs to states to operationalize the segregation of data 
for PDMPs may exist for certain states. However, we believe the 
specific costs may vary substantially and are highly unique to each 
state to the point where estimating the costs would require an 
assessment of each state and/or PDMP. We are therefore unable to 
provide an estimate of the costs states may experience related to this 
finalized policy.
Public Comments
    A few commenters stated their concern that because jurisdictions 
have not consistently developed or adopted context-specific value sets 
or machine-readable consent and disclosure rules to allow for automated 
sensitivity tagging, the updated DS4P standards will result in 
increased documentation burden and difficult workflows due to the 
requirement to have to manually tag data as sensitive.
SAMHSA Response
    SAMHSA shares the commenters' concerns regarding documentation 
burden and workflow, however the revised part 2 rule does not involve 
any update to DS4P standards, and does not impose any requirement for 
providers to use compliant EHR systems. The revised part 2 rule also 
does not require non-part 2 providers to segregate any records received 
from a part 2 program. For these reasons, there is no increased burden 
to providers under this rule associated with DS4P standards. Any future 
update to DS4P standards, and any hypothetical burden therefrom, is 
outside the scope of the current rulemaking. If this issue is addressed 
through future rulemaking, we may revisit these concerns at that time.
    In accordance with the provisions of Executive Order 12866, this 
final rule has been reviewed by the Office of Management and Budget. 
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the 
Office of Information and Regulatory Affairs designated this rule as 
not a major rule, as defined by 5 U.S.C. 804(2).

List of Subjects in 42 CFR Part 2

    Alcohol abuse, Alcoholism, Drug abuse, Grant programs--health, 
Health records, Privacy, Reporting and recordkeeping requirements.

    For the reasons set forth in the preamble, the Department of Health 
and Human Services amends 42 CFR part 2 as follows:

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

0
1. The authority citation for part 2 continues to read as follows:

    Authority: 42 U.S.C. 290dd-2.


0
2. Amend Sec.  2.11 by revising the definition of ``Records'' to read 
as follows:


Sec.  2.11  Definitions.

* * * * *
    Records means any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts), provided, however, that 
information conveyed orally by a part 2 program to a non-part 2 
provider for treatment purposes with the consent of the patient does 
not become a record subject to this Part in the possession of the non-
part 2 provider merely because that information is reduced to writing 
by that non-part 2 provider. Records otherwise transmitted by a part 2 
program to a non-part 2 provider retain their characteristic as records 
in the hands of the non-part 2 provider, but may be segregated by that 
provider. For the purpose of the regulations in this part, records 
include both paper and electronic records.
* * * * *

0
3. Amend Sec.  2.12 by--
0
a. Revising paragraphs (a)(1) introductory text and (a)(1)(ii);
0
b. In paragraph (d)(2)(i)(A) by removing the reference ``Sec.  
2.31(a)(4)(iii)(A)'' and adding in its place the reference ``Sec.  
2.31(a)(4)(i)'';
0
c. Adding paragraph (d)(2)(ii); and
0
d. Revising paragraph (e)(3) and paragraph (e)(4) introductory text.
    The revisions and additions read as follows:


Sec.  2.12  Applicability.

    (a) * * *
    (1) Restrictions on disclosure. The restrictions on disclosure in 
the regulations in this part apply to any records which:
* * * * *
    (ii) Contain drug abuse information obtained by a federally 
assisted drug abuse program after March 20, 1972

[[Page 43037]]

(part 2 program), or contain alcohol abuse information obtained by a 
federally assisted alcohol abuse program after May 13, 1974 (part 2 
program); or if obtained before the pertinent date, is maintained by a 
part 2 program after that date as part of an ongoing treatment episode 
which extends past that date; for the purpose of treating a substance 
use disorder, making a diagnosis for that treatment, or making a 
referral for that treatment.
* * * * *
    (d) * * *
    (2) * * *
    (ii) Notwithstanding paragraph (d)(2)(i)(C) of this section, a non-
part 2 treating provider may record information about a substance use 
disorder (SUD) and its treatment that identifies a patient. This is 
permitted and does not constitute a record that has been re-disclosed 
under part 2, provided that any SUD records received from a part 2 
program or other lawful holder are segregated or segmented. The act of 
recording information about a SUD and its treatment does not by itself 
render a medical record which is created by a non-part 2 treating 
provider subject to the restrictions of this part 2.
* * * * *
    (e) * * *
    (3) Information to which restrictions are applicable. Whether a 
restriction applies to the use or disclosure of a record affects the 
type of records which may be disclosed. The restrictions on disclosure 
apply to any part 2-covered records which would identify a specified 
patient as having or having had a substance use disorder. The 
restriction on use of part 2 records to bring criminal charges against 
a patient for a crime applies to any records obtained by the part 2 
program for the purpose of diagnosis, treatment, or referral for 
treatment of patients with substance use disorders. (Restrictions on 
use and disclosure apply to recipients of part 2 records under 
paragraph (d) of this section.)
    (4) How type of diagnosis affects coverage. These regulations cover 
any record reflecting a diagnosis identifying a patient as having or 
having had a substance use disorder which is initially prepared by a 
part 2 provider in connection with the treatment or referral for 
treatment of a patient with a substance use disorder. A diagnosis 
prepared by a part 2 provider for the purpose of treatment or referral 
for treatment, but which is not so used, is covered by the regulations 
in this part. The following are not covered by the regulations in this 
part:
* * * * *

0
4. Amend Sec.  2.13 by revising paragraphs (d) introductory text, 
(d)(2) introductory text, and (d)(3) to read as follows:


Sec.  2.13  Confidentiality restrictions and safeguards

* * * * *
    (d) List of disclosures. Upon request, patients who have consented 
to disclose their patient identifying information using a general 
designation pursuant to Sec.  2.31(a)(4)(ii)(B) must be provided a list 
of entities to which their information has been disclosed pursuant to 
the general designation.
* * * * *
    (2) Under this paragraph (d), the entity named on the consent form 
that discloses information pursuant to a patient's general designation 
(the entity that serves as an intermediary, as described in Sec.  
2.31(a)(4)(ii)(B)) must:
* * * * *
    (3) The part 2 program is not responsible for compliance with this 
paragraph (d); the entity that serves as an intermediary, as described 
in Sec.  2.31(a)(4)(ii)(B), is responsible for compliance with the 
requirement.

0
5. Amend Sec.  2.31 by revising paragraph (a)(4) to read as follows:


Sec.  2.31  Consent requirements.

    (a) * * *
    (4)(i) General requirement for designating recipients. The name(s) 
of the individual(s) or the name(s) of the entity(-ies) to which a 
disclosure is to be made.
    (ii) Special instructions for entities that facilitate the exchange 
of health information and research institutions. Notwithstanding 
paragraph (a)(4)(i) of this section, if the recipient entity 
facilitates the exchange of health information or is a research 
institution, a written consent must include the name(s) of the entity(-
ies) and
    (A) The name(s) of individual or entity participant(s); or
    (B) A general designation of an individual or entity participant(s) 
or class of participants that must be limited to a participant(s) who 
has a treating provider relationship with the patient whose information 
is being disclosed. When using a general designation, a statement must 
be included on the consent form that the patient (or other individual 
authorized to sign in lieu of the patient), confirms their 
understanding that, upon their request and consistent with this part, 
they must be provided a list of entities to which their information has 
been disclosed pursuant to the general designation (see Sec.  2.13(d)).
* * * * *

0
6. Amend Sec.  2.32 by revising paragraph (a)(1) to read as follows:


Sec.  2.32  Prohibition on re-disclosure.

    (a) * * *
    (1) This record which has been disclosed to you is protected by 
federal confidentiality rules (42 CFR part 2). The federal rules 
prohibit you from making any further disclosure of this record unless 
further disclosure is expressly permitted by the written consent of the 
individual whose information is being disclosed in this record or, is 
otherwise permitted by 42 CFR part 2. A general authorization for the 
release of medical or other information is NOT sufficient for this 
purpose (see Sec.  2.31). The federal rules restrict any use of the 
information to investigate or prosecute with regard to a crime any 
patient with a substance use disorder, except as provided at Sec. Sec.  
2.12(c)(5) and 2.65; or
* * * * *

0
7. Amend Sec.  2.33 by revising paragraph (b) to read as follows:


Sec.  2.33  Disclosures permitted with written consent.

* * * * *
    (b) If a patient consents to a disclosure of their records under 
Sec.  2.31 for payment or health care operations activities, a lawful 
holder who receives such records under the terms of the written consent 
may further disclose those records as may be necessary for its 
contractors, subcontractors, or legal representatives to carry out 
payment and/or health care operations on behalf of such lawful holder. 
In accordance with Sec.  2.13(a), disclosures under this section must 
be limited to that information which is necessary to carry out the 
stated purpose of the disclosure. Examples of permissible payment or 
health care operations activities under this section include:
    (1) Billing, claims management, collections activities, obtaining 
payment under a contract for reinsurance, claims filing, and/or related 
health care data processing;
    (2) Clinical professional support services (e.g., quality 
assessment and improvement initiatives; utilization review and 
management services);
    (3) Patient safety activities;
    (4) Activities pertaining to:
    (i) The training of student trainees and health care professionals;
    (ii) The assessment of practitioner competencies;
    (iii) The assessment of provider or health plan performance; and/or
    (iv) Training of non-health care professionals;

[[Page 43038]]

    (5) Accreditation, certification, licensing, or credentialing 
activities;
    (6) Underwriting, enrollment, premium rating, and other activities 
related to the creation, renewal, or replacement of a contract of 
health insurance or health benefits, and/or ceding, securing, or 
placing a contract for reinsurance of risk relating to claims for 
health care;
    (7) Third-party liability coverage;
    (8) Activities related to addressing fraud, waste and/or abuse;
    (9) Conducting or arranging for medical review, legal services, 
and/or auditing functions;
    (10) Business planning and development, such as conducting cost 
management and planning-related analyses related to managing and 
operating, including formulary development and administration, 
development or improvement of methods of payment or coverage policies;
    (11) Business management and general administrative activities, 
including management activities relating to implementation of and 
compliance with the requirements of this or other statutes or 
regulations;
    (12) Customer services, including the provision of data analyses 
for policy holders, plan sponsors, or other customers;
    (13) Resolution of internal grievances;
    (14) The sale, transfer, merger, consolidation, or dissolution of 
an organization;
    (15) Determinations of eligibility or coverage (e.g., coordination 
of benefit services or the determination of cost sharing amounts), and 
adjudication or subrogation of health benefit claims;
    (16) Risk adjusting amounts due based on enrollee health status and 
demographic characteristics;
    (17) Review of health care services with respect to medical 
necessity, coverage under a health plan, appropriateness of care, or 
justification of charges;
    (18) Care coordination and/or case management services in support 
of payment or health care operations; and/or
    (19) Other payment/health care operations activities not expressly 
prohibited in this provision.
* * * * *

0
8. Amend Sec.  2.34 by--
0
a. Revising paragraph (b);
0
b. Redesignating paragraph (d) as paragraph (e); and
0
c. Adding a new paragraph (d).
    The revision and addition read as follows:


Sec.  2.34  Disclosures to prevent multiple enrollments.

* * * * *
    (b) Use of information limited to prevention of multiple 
enrollments. A central registry and any withdrawal management or 
maintenance treatment program to which information is disclosed to 
prevent multiple enrollments may not re-disclose or use patient 
identifying information for any purpose other than the prevention of 
multiple enrollments or to ensure appropriate coordinated care with a 
treating provider that is not a part 2 program unless authorized by a 
court order under subpart E of this part.
* * * * *
    (d) Permitted disclosure by a central registry to a non-member 
treating provider, to prevent a multiple enrollment. When, for the 
purpose of preventing multiple program enrollments or duplicative 
prescriptions, or to inform prescriber decision making regarding 
prescribing of opioid medication(s) or other prescribed substances, a 
provider with a treating provider relationship that is not a member 
program asks a central registry if an identified patient is enrolled in 
a member program, the registry may disclose:
    (1) The name, address, and telephone number of the member 
program(s) in which the patient is enrolled;
    (2) Type and dosage of any medication for substance use disorder 
being administered or prescribed to the patient by the member 
program(s); and
    (3) Relevant dates of any such administration or prescription. The 
central registry and non-member program treating prescriber may 
communicate as necessary to verify that no error has been made and to 
prevent or eliminate any multiple enrollments or improper prescribing.
* * * * *

0
9. Add Sec.  2.36 to subpart C to read as follows:


Sec.  2.36  Disclosures to prescription drug monitoring programs.

    A part 2 program or other lawful holder is permitted to report any 
SUD medication prescribed or dispensed by the part 2 program to the 
applicable state prescription drug monitoring program if required by 
applicable state law. A part 2 program or other lawful holder must 
obtain patient consent to a disclosure of records to a prescription 
drug monitoring program under Sec.  2.31 prior to reporting of such 
information.

0
10. Amend Sec.  2.51 by revising paragraph (a) to read as follows:


Sec.  2.51  Medical emergencies.

    (a) General rule. Under the procedures required by paragraph (c) of 
this section, patient identifying information may be disclosed to 
medical personnel to the extent necessary to:
    (1) Meet a bona fide medical emergency in which the patient's prior 
written consent cannot be obtained; or
    (2) Meet a bona fide medical emergency in which a part 2 program is 
closed and unable to provide services or obtain the prior written 
consent of the patient, during a temporary state of emergency declared 
by a state or federal authority as the result of a natural or major 
disaster, until such time that the part 2 program resumes operations.
* * * * *

0
11. Amend Sec.  2.52 by revising paragraph (a) to read as follows:


Sec.  2.52  Research.

    (a) Notwithstanding other provisions of this part, including 
paragraph (b)(2) of this section, patient identifying information may 
be disclosed for the purposes of the recipient conducting scientific 
research if:
    (1) The individual designated as director or managing director, or 
individual otherwise vested with authority to act as chief executive 
officer or their designee, of a part 2 program or other lawful holder 
of part 2 data, makes a determination that the recipient of the patient 
identifying information is:
    (i) A HIPAA-covered entity or business associate that has obtained 
and documented authorization from the patient, or a waiver or 
alteration of authorization, consistent with the HIPAA Privacy Rule at 
45 CFR 164.508 or 164.512(i), as applicable;
    (ii) Subject to the HHS regulations regarding the protection of 
human subjects (45 CFR part 46), and provides documentation either that 
the researcher is in compliance with the requirements of 45 CFR part 
46, including the requirements related to informed consent or a waiver 
of consent (45 CFR 46.111 and 46.116) or that the research qualifies 
for exemption under the HHS regulations (45 CFR 46.104) or any 
successor regulations;
    (iii) Subject to the FDA regulations regarding the protection of 
human subjects (21 CFR parts 50 and 56) and provides documentation that 
the research is in compliance with the requirements of the FDA 
regulations, including the requirements related to informed consent or 
an exception to, or waiver of, consent (21 CFR part 50) and any 
successor regulations; or
    (iv) Any combination of a HIPAA covered entity or business 
associate,

[[Page 43039]]

and/or subject to the HHS regulations regarding the protection of human 
subjects, and/or subject to the FDA regulations regarding the 
protection of human subjects; and has met the requirements of paragraph 
(a)(1)(i), (ii) (iii), and/or (iv) of this section, as applicable.
    (2) The part 2 program or other lawful holder of part 2 data is a 
HIPAA covered entity or business associate, and the disclosure is made 
in accordance with the HIPAA Privacy Rule requirements at 45 CFR 
164.512(i).
    (3) If neither paragraph (a)(1) or (2) of this section apply to the 
receiving or disclosing party, this section does not apply.
* * * * *

0
12. Amend Sec.  2.53:
0
a. In paragraph (a) introductory text by removing the reference to 
``paragraph (d)'' and adding in its place ``paragraph (f)'';
0
b. By revising paragraph (a)(1)(ii);
0
c. By adding paragraphs (a)(1)(iii);
0
d. In paragraph (b)(1)(iii) by removing the reference to ``paragraph 
(d)'' and adding in its place ``paragraph (f)'';
0
e. By revising paragraph (b)(2)(ii);
0
f. By adding paragraph (b)(2)(iii)
0
g. By redesignating paragraphs (c) and (d) as paragraphs (e) and (f), 
respectively;
0
h. By adding new paragraphs (c) and (d);
0
i. In newly redesignated paragraph (e)(1) introductory text, by 
removing the reference ``paragraph (c)'' and adding in its place the 
reference ``paragraph (e)'';
0
j. In newly redesignated paragraph (e)(1)(iii), by removing the 
reference ``paragraph (d)'' and adding in its place the reference 
``paragraph (f)'';
0
k. In newly redesignated paragraph (e)(3)(ii)(F), by removing the 
reference ``paragraph (c)(1)'' and adding in its place the reference 
``paragraph (e)(1)'';
0
l. In newly redesignated paragraphs (e)(4) and (5), by removing the 
reference ``paragraph (c)(2)'' and adding in its place the reference 
``paragraph (e)(2)'';
0
m. In newly redesignated paragraph (e)(6), by removing the reference 
``paragraph (c)'' and adding in its place the reference ``paragraph 
(e)'';
0
n. In newly designated paragraph (f), by removing the reference 
``paragraph (c)'' and adding in its place ``paragraph (e)'';
0
o. Adding paragraph (g).
    The revisions and additions read as follows:


Sec.  2.53  Audit and evaluation.

    (a) * * *
    (1) * * *
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program or other lawful holder, which is a third-party 
payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such individual, entity, or 
quality improvement organization.
    (iii) An entity with direct administrative control over the part 2 
program or lawful holder.
    (b) * * *
    (1) * * *
    (2) * * *
    (ii) Any individual or entity which provides financial assistance 
to the part 2 program or other lawful holder, which is a third-party 
payer covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such individual, entity, or 
quality improvement organization.
    (iii) An entity with direct administrative control over the part 2 
program or lawful holder.
    (c) Activities included. Audits and evaluations under this section 
may include, but are not limited to:
    (1) Activities undertaken by a federal, state, or local 
governmental agency, or a third-party payer entity, in order to:
    (i) Identify actions the agency or third-party payer entity can 
make, such as changes to its policies or procedures, to improve care 
and outcomes for patients with SUDs who are treated by part 2 programs;
    (ii) Ensure that resources are managed effectively to care for 
patients; or
    (iii) Determine the need for adjustments to payment policies to 
enhance care or coverage for patients with SUD.
    (2) Reviews of appropriateness of medical care, medical necessity, 
and utilization of services.
    (d) Quality assurance entities included. Entities conducting audits 
or evaluations in accordance with paragraphs (a) and (b) of this 
section may include accreditation or similar types of organizations 
focused on quality assurance.
* * * * *
    (g) Audits and evaluations mandated by statute or regulation. 
Patient identifying information may be disclosed to federal, state, or 
local government agencies, and the contractors, subcontractors, and 
legal representatives of such agencies, in the course of conducting 
audits or evaluations mandated by statute or regulation, if those 
audits or evaluations cannot be carried out using deidentified 
information.

0
13. Amend Sec.  2.67 by revising paragraph (d)(2) to read as follows:


Sec.  2.67  Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.

* * * * *
    (d) * * *
    (2) Limit the total period of the placement to twelve months, 
starting on the date that the undercover agent or informant is placed 
on site within the program. The placement of an undercover agent or 
informant must end after 12 months, unless a new court order is issued 
to extend the period of placement;
* * * * *

    Dated: June 22, 2020.
Elinore F. McCance-Katz,
Assistant Secretary for Mental Health and Substance Use, Substance 
Abuse and Mental Health Services Administration.
    Approved: July 1, 2020.
Alex M. Azar II,
Secretary, Department of Health and Human Services.
[FR Doc. 2020-14675 Filed 7-13-20; 11:15 am]
BILLING CODE 4162-20-P