Confidentiality of Substance Use Disorder (SUD) Patient Records, 74216-74287 [2022-25784]

Federal Register / Vol. 87, No. 231 / Friday, December 2, 2022 / Proposed Rules

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

45 CFR Part 164

RIN 0945–AA16

Confidentiality of Substance Use Disorder (SUD) Patient Records

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, Department of Health and Human Services; Substance Abuse and Mental Health Services Administration (SAMHSA), Department of Health and Human Services.

ACTION: Notice of proposed rulemaking.

SUMMARY: The Department of Health and Human Services (HHS or ‘‘the Department’’) is issuing this notice of proposed rulemaking (NPRM) to solicit public comment on its proposal to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

DATES: Comments due on or before January 31, 2023.

ADDRESSES: Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.

• Federal eRulemaking Portal: You may submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS–OCR–0945–AA16. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).
• Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: SUD Patient Records, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Inspection of Public Comments: All comments received by the accepted methods and due date specified above may be posted without change to content to https://www.regulations.gov, which may include personal information provided about the commenter, and such posting may occur after the closing of the comment period. However, the Department may redact certain content from comments before posting, including threatening language, hate speech, profanity, graphic images, or individually identifiable information about a third-party individual other than the commenter. Because of the large number of public comments normally received on Federal Register documents, OCR is not able to provide individual acknowledgments of receipt. Please allow sufficient time for mailed comments to be received timely in the event of delivery or security delays. Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted. In addition, comments that are labeled as confidential business information or whose disclosure to the public is restricted by statute will not be accepted.

Docket: For complete access to background documents or posted comments, go to https://www.regulations.gov and search for Docket ID number HHS–OCR–0945–AA16.

FOR FURTHER INFORMATION CONTACT: Lester Coffer at (800) 368–1019 or (800) 537–7697 (TDD).

SUPPLEMENTARY INFORMATION: The discussion below includes an Executive Summary and overview describing the need for the proposed rules, a description of the statutory and regulatory background of the proposed rules, a section-by-section description of the proposed modifications, and the impact statement and other required regulatory analyses. The Department solicits public comment on all aspects of the proposed rules. Persons interested in commenting on the provisions of the proposed rules can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the proposed rule being discussed.

Table of Contents

I. Executive Summary
   A. Overview
   B. Effective and Compliance Dates
   C. Summary of Major Proposals
II. Background and Need for Proposed Rule
   A. Statutory and Regulatory Background
   B. Earlier Efforts To Align Part 2 With the HIPAA Rules
   C. Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act
III. Section-by-Section Description of Proposed Amendments to 42 CFR Part 2
   A. § 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records
   B. § 2.2—Purpose and Effect
   C. § 2.3—Civil and Criminal Penalties for Violations (Proposed Heading)
   D. § 2.4—Complaints of Violations (Proposed Heading)
   E. § 2.11—Definitions
   F. § 2.12—Applicability
   G. § 2.13—Confidentiality Restrictions and Safeguards
   H. § 2.14—Minor Patients
   I. § 2.15—Patients Who Lack Capacity and Deceased Patients (Proposed Heading)
   J. § 2.16—Security for Records and Notification of Breaches (Proposed Heading)
   K. § 2.17—Undercover Agents and Informants
   L. § 2.19—Disposition of Records by Discontinued Programs
   M. § 2.20—Relationship to State Laws
   N. § 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity
   O. § 2.22—Notice to Patients of Federal Confidentiality Requirements; and 45 CFR 164.520—Notice of Privacy Practices for Protected Health Information
   P. § 2.23—Patient Access and Restrictions on Use and Disclosure (Proposed Heading)
   Q. § 2.24—Requirements for Intermediaries (Redesignated and Proposed Heading)
   R. § 2.25—Accounting of Disclosures (Proposed Heading)
   S. § 2.26—Right To Request Privacy Protection for Records (Proposed Heading)
   T. Subpart C—Uses and Disclosures With Patient Consent (Proposed Heading)
   U. § 2.31—Consent Requirements
   V. § 2.32—Notice To Accompany Disclosure (Proposed Heading)
   W. § 2.33—Uses and Disclosures Permitted With Written Consent (Proposed Heading)
   X. § 2.34—Uses and Disclosures To Prevent Multiple Enrollments (Proposed Heading)
   Y. § 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients
   Z. Subpart D—Uses and Disclosures Without Patient Consent (Proposed Heading)
   AA. § 2.51—Medical Emergencies
   BB. § 2.52—Scientific Research (Proposed Heading)
   CC. § 2.53—Management Audits, Financial Audits, and Program Evaluation (Proposed Heading)
   DD. § 2.54—Disclosures for Public Health (Proposed Heading)
   EE. Subpart E—Court Orders Authorizing Use and Disclosure (Proposed Heading)
   FF. § 2.61—Legal Effect of Order
   GG. § 2.62—Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors and Evaluators
   HH. § 2.63—Confidential Communications
   II. § 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes (Proposed Heading)
   JJ. § 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients (Proposed Heading)
   KK. § 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or Person Holding the Records (Proposed Heading)
   LL. § 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter
   MM. § 2.68—Report to the Secretary (Proposed Heading)
IV. Request for Comments
V. Public Participation
VI. Regulatory Impact Analysis
   A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review
      1. Summary of the Proposed Rule
      2. Need for the Proposed Rule
      3. Cost-Benefit Analysis
      4. Consideration of Regulatory Alternatives
      5. Request for Comments on Costs and Benefits
   B. Regulatory Flexibility Act
   C. Unfunded Mandates Reform Act
   D. Executive Order 13132—Federalism
   E. Assessment of Federal Regulation and Policies on Families
   F. Paperwork Reduction Act of 1995
      1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2
      2. Explanation of Estimated Capital Expenses for 42 CFR Part 2
      3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520

Executive Summary

Overview

In this Notice of Proposed Rulemaking (NPRM), the Department proposes to modify certain provisions of part 2 of title 42 of the Code of Federal Regulations (42 CFR part 2 or ‘‘Part 2’’) 1 to implement statutory amendments to section 290dd–2 of title 42 United States Code (42 U.S.C. 290dd–2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.2 Part 2 currently imposes different requirements for substance use disorder (SUD) treatment records protected by Part 2 (‘‘Part 2 records’’) 3 than the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 4 Privacy, Security, Breach Notification, and Enforcement Rules (‘‘HIPAA Rules’’) 5 apply to protected health information (PHI).6 The statutory and regulatory schemes apply to different types of entities and create dual obligations and compliance challenges for HIPAA covered entities 7 and business associates 8 that maintain PHI and Part 2 records, and thus are subject to both sets of rules.9 Treatment providers have also expressed concerns that they lack access to complete information when treating patients.10

Section 290dd–2, as amended by section 3221 of the CARES Act, aligns certain Part 2 requirements more closely to requirements of the HIPAA Rules to improve the ability of entities that are subject to Part 2 to use and disclose Part 2 records and makes other changes to Part 2, as described in this preamble.

1 For readability, the Department refers to specific sections of 42 CFR part 2 using a shortened citation with the ‘‘§ ’’ symbol except where necessary to distinguish title 42 citations from other CFR titles, such as title 45 CFR, and in footnotes where the full reference is used.
2 Public Law 116–136, 134 Stat. 281 (March 27, 2020).
3 See 42 U.S.C. 290dd–2(a). ‘‘Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e), be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b)’’.
4 See the Administrative Simplification provisions of title II, subtitle F, of HIPAA (Public Law 104–191), 110 Stat. 1936 (August 21, 1996) which added a new part C to title XI of the Social Security Act (secs.1171–1179 of the Social Security Act, 42 U.S.C. 1320d–1320d–8), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, 123 Stat. 226 (February 17, 2009).
5 See the Privacy Rule, 45 CFR parts 160 and 164, subparts A and E; the Security Rule 45 CFR parts 160 and 164, subparts A and C; the Breach Notification Rule, 45 CFR part 164, subpart D; and the Enforcement Rule, 45 CFR part 160, subparts C, D, and E. Breach notification requirements were added by the HITECH Act.
6 PHI is individually identifiable health information maintained or transmitted by or on behalf of a HIPAA covered entity. See 45 CFR 160.103 (definitions of ‘‘Individually identifiable health information’’ and ‘‘Protected health information’’).
7 Covered entities are health care providers who transmit health information electronically in connection with any transaction for which the Department has adopted an electronic transaction standard, health plans, and health care clearinghouses. See 45 CFR 160.103 (definition of ‘‘Covered entity’’).
8 A business associate is a person, other than a workforce member, that performs certain functions or activities for or on behalf of a covered entity, or that provides certain services to a covered entity involving the disclosure of PHI to the person. See 45 CFR 160.103 (definition of ‘‘Business associate’’).
9 See ‘‘Part 2 Proposed Rule Brings Clarity and Reduces Regulatory Burdens for Substance Use Disorder Providers, but Challenges Remain’’ (September 2019), https://www.mintz.com/insightscenter/viewpoints/2146/2019-09-part-2-proposedrule-brings-clarity-and-reduces-regulatory; ‘‘HIPAA: A Trap for the Unwary’’ (May 2014), https://www.dykema.com/resources-alerts-HIPAA-A-Trapfor-the-Unwary_5-2014.html; and correspondence from Partnership to Amend 42 CFR part 2 (March 2019), https://www.pcpcc.org/sites/default/files/news_files/Response%20from%20Partnership%20to%20Amend%2042%20CFR%20Part%202.pdf.
10 See Published Comments—Request for Public Comment on the Confidentiality of Alcohol and Drug Abuse Patient Records, 79 FR 26929 (May 2014) Document 26, (June 23, 2014) at page 20, https://www.samhsa.gov/sites/default/files/about_us/who_we_are/comments-100-120.pdf; ‘‘Privacy Laws are Hurting the Care of Patients with Addiction’’ (July 2018), https://www.statnews.com/2018/07/13/privacy-laws-patients-addiction/.

Paragraphs (b), (c), and (f) of section 290dd–2, as amended by section 3221 of the CARES Act, contain modified or new requirements for patient consent and redisclosure of Part 2 records; 11 new rights to obtain an accounting of disclosures made with consent 12 and to request restrictions on disclosures; 13 greater restrictions against the use and disclosure of records in civil, criminal, administrative, and legislative proceedings against patients; 14 and new civil money penalties (CMPs) for violations of Part 2.15 Paragraphs (i), (j), and (k) of section 290dd–2, as amended by section 3221 of the CARES Act, add new requirements to prohibit discrimination,16 impose breach notification obligations,17 and incorporate definitions from the HIPAA Rules into Part 2.18 Finally, section 3221(i) of the CARES Act requires the Department to update its Notice of Privacy Practices (NPP) requirements in the HIPAA Privacy Rule (‘‘Privacy Rule’’) at 45 CFR 164.520 to address uses and disclosures of Part 2 records and individual rights with respect to those records.19 This NPRM contains proposals to implement the CARES Act provisions relating to health information privacy; the Department intends to develop a separate rulemaking to implement the CARES Act antidiscrimination prohibitions.

In addition to changes mandated by the CARES Act, the Department proposes to address concerns about potential unintended consequences for government agencies of the change in enforcement authority and penalties for violations of Part 2. Specifically, the Department proposes to create a limitation on liability for agencies and persons acting on their behalf, that investigate and prosecute Part 2 programs (to be defined as ‘‘investigative agencies’’) and unknowingly receive records subject to Part 2 before applying for the requisite court order, provided they first exercise reasonable diligence by attempting to determine if the targeted provider is a Part 2 program. The proposal would permit investigative agencies to seek a court order after obtaining records in such situations. An additional proposal would require agencies using this safe harbor to report annually to the Secretary.

11 42 U.S.C. 290dd–2(b)(1).
12 42 U.S.C. 290dd–2(b)(1)(B).
13 42 U.S.C. 290dd–2(b)(1)(D). Additionally, section 3221 of the CARES Act further emphasizes the patient’s right to request restrictions on disclosures in both the Rules of Construction and the Sense of Congress. See CARES Act secs. 3221(j)(1) and (k)(2), respectively.
14 42 U.S.C. 290dd–2(c).
15 42 U.S.C. 290dd–2(f).
16 CARES Act sec. 3221(g) added paragraph (i) to 42 U.S.C. 290dd–2 to insert an express prohibition against discrimination on the basis of information received pursuant to a disclosure of records. See 42 U.S.C. 290dd–2(i).
17 42 U.S.C. 290dd–2(j).
18 42 U.S.C. 290dd–2(k).
19 CARES Act sec. 3221(i)(2).

Effective and Compliance Dates

The proposed effective date of a final rule would be 60 days after publication and the compliance date would be 22 months after the effective date. Entities subject to a final rule would have until the compliance date to establish and implement policies and practices to achieve compliance.
Part 2 does not contain a standard compliance period for changes to the regulations; however, the HIPAA Rules generally require covered entities and business associates to comply with new or modified standards or implementation specifications no later than 180 days from the effective date of any such standards or implementation specifications, except as otherwise provided (e.g., in a specific rulemaking).20 While the proposed rule would make only minor modifications to the Privacy Rule, the Department proposes to provide the same, substantial compliance period for both the proposed modifications to 45 CFR 164.520 and the more extensive Part 2 modifications. Accordingly, the Department would begin enforcement of the new and revised standards, in both regulations, 24 months after publication of a final rule. This compliance period would allow Part 2 programs to revise existing policies and practices, complete other implementation requirements, and train their workforce members on the changes, as well as minimize administrative burdens on entities subject to the Privacy Rule.

The Department requests comment on whether the 22-month compliance period is an appropriate length of time for entities subject to a final rule to come into compliance and any benefits or unintended adverse consequences for entities or individuals of a shorter or longer compliance period.

Additionally, for the proposed accounting of disclosures requirements, the Department proposes to toll the compliance date for Part 2 programs until the effective date of a final rule on the HIPAA accounting of disclosures standard, 45 CFR 164.528. This would ensure that Part 2 programs do not incur new compliance obligations before covered entities and business associates under the Privacy Rule are obligated to comply.

20 See 45 CFR 160.105.

Summary of Major Proposals

The Department proposes the following changes to 42 CFR part 2 that revise, delete, replace, or add sections to implement statutory requirements enacted pursuant to section 3221 of the CARES Act. The Department also proposes to amend 42 CFR part 2 to reflect applicable standards in the HIPAA Rules, reflect language used in the HIPAA Rules, align regulatory text with statutory spelling,21 and improve clarity or readability. Additionally, the Department proposes to modify the NPP requirements in 45 CFR 164.520 consistent with section 3221(i) of the CARES Act. This section summarizes major proposals in this NPRM. Additional proposed revisions are not listed here because they are not considered major.22 All proposed changes are discussed in detail in section III of this NPRM:

21 42 U.S.C. 290dd–2(b)(1)(B) provides in part that ‘‘[a]ny information so disclosed may be redisclosed in accordance with the HIPAA regulations.’’ To align with the statute’s spelling of the term ‘‘redisclosed’’ and for drafting consistency, the Department proposes to modify the term ‘‘redisclosed’’ (and related root words) to remove the hyphen, where appropriate, throughout this document. See, e.g., proposed §§ 2.12(d)(2)(i)(C); 2.12(d)(2)(ii); 2.32(a)(1); 2.33(c); 2.34(b); 2.35(d); 2.52(b)(2); 2.53(a).
22 Generally, the proposals not listed make wording changes, not substantive changes. These proposals are reviewable in the regulatory text and include proposals to modify § 2.17, Undercover agents and informants; § 2.20, Relationship to state laws; § 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity; and § 2.34, Uses and Disclosures to prevent multiple enrollments (proposed heading).

1. § 2.1—Statutory authority for confidentiality of substance use disorder patient records.
Revise § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd–2(g), especially with respect to court orders authorizing the disclosure of records.

2. § 2.2—Purpose and effect.
Amend paragraph (b) of § 2.2 to reflect that § 2.3(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the Privacy Rule at 45 CFR 164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to prohibit any limits on a patient’s right to request restrictions on use of records for treatment, payment, or health care operations (TPO) or a covered entity’s choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.

3. § 2.3—Civil and criminal penalties for violations (proposed heading).
Amend the heading and replace title 18 U.S.C. enforcement with references to the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the CMP tiers established by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal penalties),23 as implemented in the Enforcement Rule.24 Create a limitation on civil or criminal liability under Part 2 for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation or prosecution of a Part 2 program or person holding the record, provided that certain conditions are met.25

4. § 2.4—Complaints of violations (proposed heading).
Amend the heading and insert requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a requirement to establish a process for the Part 2 program to receive complaints, a prohibition against taking adverse action against patients who file complaints, and a prohibition against requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.

5. § 2.11—Definitions.
Add new terms and definitions to align with the following statutory and regulatory HIPAA terms: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use. Create new defined terms Intermediary, Investigative agency, and Unsecured record, and modify the definitions of Informant, Part 2 program director, Patient, Program, Records, Third-party payer, Treating provider relationship, and Qualified service organization.

6. § 2.12—Applicability.
Replace ‘‘Armed Forces’’ with ‘‘Uniformed Services’’ in paragraph (c)(2) of § 2.12. Incorporate four statutory examples of restrictions on the use or disclosure of Part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Add language to qualify the term third-party payer with the phrase ‘‘as defined in this part.’’ Revise paragraph (e)(4)(i) to clarify when a diagnosis is not covered by Part 2.

23 See Public Law 111–5, 123 Stat. 226 (February 17, 2009). Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) amended sections 1176 and 1177 of the Social Security Act (codified at 42 U.S.C. 1320d–5) to add civil and criminal penalty tiers for violations of the HIPAA Administrative Simplification provisions.
24 See 45 CFR part 160.
25 Although this provision is not expressly required by the CARES Act, it falls within the Department’s general rulemaking authority in 42 U.S.C. 290dd–2(g), and is needed to address the logical consequences of the changes required by sec. 3221.

7. § 2.13—Confidentiality restrictions and safeguards.
Redesignate § 2.13(d) requiring a list of disclosures as new § 2.24 and modify the text for clarity. Amend the heading to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a Part 2 program.

8. § 2.14—Minor patients.
Change the verb ‘‘judges’’ to ‘‘determines’’ to describe a program director’s evaluation and decision that a minor lacks decision making capacity.

9. § 2.15—Patients who lack capacity and deceased patients (proposed heading).
Replace outdated language, clarify that paragraph (a) of this section refers to an adjudication by a court of a patient’s lack of capacity to make health care decisions while paragraph (b) refers to a patient’s lack of capacity to make health care decisions without court adjudication, and add health plans to the list of entities to which a program may disclose records without consent.

10. § 2.16—Security for records and notification of breaches (proposed heading).
Apply the HITECH Act breach notification provisions 26 that are currently implemented in the Breach Notification Rule to breaches of records by Part 2 programs and retitle the provision to include breach notification to implement CARES Act provisions. Modify the provision to refer to the Privacy Rule de-identification standard at 45 CFR 164.514.

11. § 2.19—Disposition of records by discontinued programs.
Add an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Modernize the language to refer to ‘‘non-electronic’’ records and include ‘‘paper’’ records as an example of non-electronic records.

26 Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term ‘‘Breach’’. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification provisions, discussed in detail below.

12. § 2.22—Notice to patients of federal confidentiality requirements.
Modify the Part 2 confidentiality notice requirements (hereinafter, ‘‘Patient Notice’’) to align with the NPP and address protections required by 42 U.S.C. 290dd–2, as amended by section 3221 of the CARES Act, for entities that create or maintain Part 2 records.

13. § 2.23—Patient access and restrictions on use and disclosure (proposed heading).
Add the term ‘‘disclosure’’ to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation.

14. § 2.24—Requirements for intermediaries (redesignated and proposed heading).
Retitle the redesignated section (to be moved from § 2.13(d)) as ‘‘Requirements for intermediaries’’ to clarify the responsibilities of recipients of records received under a consent with a general designation, such as health information exchanges, research institutions, accountable care organizations, and care management organizations.

15. § 2.25—Accounting of disclosures (proposed heading).
Add this section to implement 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act right to an accounting of certain disclosures of records for up to three years prior to the date the accounting is requested and add a right to an accounting of disclosures of records that mirrors the standard in the Privacy Rule at 45 CFR 164.528.

16. § 2.26—Right to request privacy protection for records (proposed heading).
Add this section to implement 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 164.522, namely: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient.

17. Subpart C—Uses and Disclosures With Patient Consent (proposed heading).
Change the heading of subpart C to ‘‘Uses and Disclosures With Patient Consent’’ to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd–2(b), as amended by section 3221(b) of the CARES Act.

18. § 2.31—Consent requirements.
Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated in a consent to use and disclose Part 2 records for TPO.

19. § 2.32—Notice to accompany disclosure (proposed heading).
Change the heading of this section and align the content requirements for the required notice that accompanies a disclosure of records (hereinafter ‘‘notice to accompany disclosure’’) with the requirements of 42 U.S.C. 290dd–2(b), as amended by section 3221(b) of the CARES Act.

20. § 2.33—Uses and disclosures permitted with written consent (proposed heading).
To align this provision with the statutory authority in 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act, replace the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO with a single consent given once for all such future uses and disclosures, until such time as the patient revokes the consent in writing. Create redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent: (1) Permit a Part 2 program, covered entity, or business associate that receives Part 2 records pursuant to a written consent for TPO purposes to redisclose the records in any manner permitted by the Privacy Rule, except for certain proceedings against the patient; 27 and (2) Permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.

27 See 42 U.S.C. 290dd–2(b)(1)(B) and (2)(c).

21. § 2.35—Disclosures to elements of the criminal justice system which have referred patients.
For clarity, replace ‘‘individuals’’ with ‘‘persons’’ and clarify that permitted redisclosures of information are from Part 2 records.

22. Subpart D—Uses and Disclosures Without Patient Consent (proposed heading).
Change the heading of subpart D to ‘‘Uses and Disclosures Without Patient Consent’’ to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd–2 as amended by the CARES Act.

23. § 2.51—Medical emergencies.
For clarity in § 2.51(c)(2), replace the term ‘‘individual’’ with the term ‘‘person.’’

24. § 2.52—Scientific research (proposed heading).
Revise the heading of § 2.52 to reflect statutory language. To further align Part 2 with the Privacy Rule, replace the requirements to render Part 2 data in research reports non-identifiable with the Privacy Rule’s de-identification standard in 45 CFR 164.514.

25. § 2.53—Management audits, financial audits, and program evaluation (proposed heading).
Revise the heading of § 2.53 to reflect statutory language. To support implementation of 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act, add a provision to acknowledge the permission for use and disclosure of records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a Part 2 program, covered entity, or business associate.

26. § 2.54—Disclosures for public health (proposed heading).
Add a new § 2.54 to implement 42 U.S.C. 290dd–2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.

27. Subpart E—Court Orders Authorizing Use and Disclosure (proposed heading).
Change the heading of subpart E to reflect changes made to the provisions of this subpart related to the uses and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd–2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act.

28. § 2.61—Legal effect of order.
Add the term ‘‘use’’ to clarify that the legal effect of a court order would include authorizing the use and disclosure of records, consistent with 42 U.S.C. 290dd–2(b) and (c), as amended by section 3221(e) of the CARES Act.

29. § 2.62—Order not applicable to records disclosed without consent to researchers, auditors, and evaluators.
For clarity, replace the term ‘‘qualified personnel’’ with a reference to the criteria that define such persons. VerDate Sep<11>2014 19:56 Dec 01, 2022 Jkt 259001 30. § 2.63—Confidential communications. Revise paragraph (c) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd–2(c), as amended by section 3221(c) of the CARES Act. 31. § 2.64—Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes (proposed heading). Expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply 28 to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order. Add the term ‘‘uses’’ to the heading and in this section to align it with current statutory authority. 32. § 2.65—Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading). Expand the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply 29 to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a Part 2 record in criminal proceedings against patients, absent consent or a court order. 33. § 2.66—Procedures and criteria for orders authorizing use and disclosure to investigate or prosecute a part 2 program or the person holding the records (proposed heading). 
Create requirements for investigative agencies to follow in the event they discover in good faith that they received Part 2 records during an investigation or prosecution of a Part 2 program or the person holding the records before seeking a court order as required under § 2.66. 34. § 2.67—Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter. Add new criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b). 28 See 42 CFR part 2, subpart E. 29 Id. PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 35. § 2.68—Report to the Secretary (proposed heading). Create new requirements for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of Part 2 records or placement of an undercover agent or informant as provided in § 2.66 and § 2.67. 36. 45 CFR 164.520—Notice of privacy practices for protected health information. Revise 45 CFR 164.520 to implement updates to the NPP to address Part 2 confidentiality requirements, as required by section 3221(i)(2) of the CARES Act. Background and Need for Proposed Rule There are approximately 16,066 publicly funded SUD treatment facilities 30 and 1.8 million HIPAA covered entities and business associates, with an unknown percentage of entities subject to both HIPAA and Part 2. Part 2 records often also meet the definition of PHI when maintained by HIPAA covered entities (or their business associates on the covered entities’ behalf). 
To ensure compliance with both sets of regulatory requirements, dually regulated entities subject to both Part 2 and the HIPAA Rules (i.e., covered entities that also are Part 2 programs) must track and segregate the records that are subject to Part 2 from the records that are subject only to the HIPAA Rules and obtain specific written consent for most uses and disclosures of Part 2 records (including uses and disclosures for non-emergency treatment purposes). The Department has been urged by many stakeholders to change Part 2 to eliminate the need for data segmentation.31

The preamble to the 2000 Final Privacy Rule explained how entities subject to the Privacy Rule and Part 2 could comply with both rules because in most cases the rules do not conflict. The Privacy Rule permits, but does not require, some disclosures that are not permitted by Part 2. Complying with Part 2’s prohibitions on such disclosures would not be a violation of the Privacy Rule. And in instances where Part 2 permits disclosures that would otherwise be restricted by the Privacy Rule, an entity that is subject to both sets of regulations would be able to comply with the Privacy Rule’s restrictions without violating Part 2.32 Although the Department intended to facilitate compliance by entities subject to both regulatory schemes, significant differences in the statutorily permitted uses and disclosures of Part 2 records and PHI contributed to ongoing operational compliance challenges. For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule’s limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the redisclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other ‘‘lawful holder’’ of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.33 34 Regarding Part 2 records, a treating provider that is not a Part 2 program could record information about the treatment of an individual’s SUD in its non-Part 2 records, even if it gleaned the information from a Part 2 record, and the information in the non-Part 2 records would not be subject to Part 2; however, any Part 2 records received from a Part 2 program or other lawful holder would need to be segregated or segmented.35

Previously, the need to segment Part 2 records from other health records created data ‘‘silos’’ that hampered the integration of SUD treatment records into covered entities’ electronic record systems and billing processes. Some lawmakers have argued that these silos perpetuated negative stereotypes about persons with SUD and inhibited coordination of care 36 37 during the opioid epidemic.38 In 2019, the National Association of Attorneys General (NAAG) urged Congress to update the 40-year-old Part 2 regulation that was created in a time of ‘‘intense stigma’’ surrounding SUD treatment because it now serves to ‘‘perpetuate that stigma, as the principle underlying these rules is that [SUD] treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases.’’ 39 In that same year ‘‘nearly 50,000 people in the United States died from opioid-involved overdoses.’’ 40 During a congressional hearing, ‘‘The Opioid Crisis: The Role of Technology and Data in Preventing and Treating Addiction,’’ Senator Patty Murray (D–WA) observed that, ‘‘[t]echnology and data offer important opportunities to address the opioid crisis, to prevent addi[c]tion, and avoid the tragedy so many families are facing.’’ 41

To address these concerns, Congress enacted the CARES Act, which requires the Department to promulgate regulations modifying the confidentiality requirements for Part 2 records.42 This rulemaking proposes modifications to 42 CFR part 2 and the Privacy Rule that are necessary to implement the statutory amendments made to 42 U.S.C. 290dd–2, and additional modifications to Part 2 to better align certain provisions of Part 2 to the Privacy Rule and address concerns about potential liability for government agencies in the course of investigating and prosecuting Part 2 programs under the new penalties and enforcement scheme.

30 See Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N–SSATS): 2020. Data on Substance Abuse Treatment Facilities. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
31 For example, the Ohio Behavioral Health Providers Network (Network) in an August 21, 2020, letter to SAMHSA, and the Partnership to Amend Part 2 in a similar January 8, 2021, letter to the U.S. Department of Health and Human Services (HHS), both urge that there should be no requirement for data segmentation or segregation after written consent is obtained and Part 2 records are transmitted to a health information exchange or care management entity that is a business associate of a covered entity covered by the new CARES Act consent language. In the letter, the Network states that such requirements are difficult to implement in federally qualified health centers and other integrated settings in which SUD treatment may be provided. See also public comments expressed and summarized in 85 FR 42986, https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records; and see https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2uleLtrtoNomineeBecerra_01082021.pdf.
32 See 65 FR 82482 (December 28, 2000).
33 See 42 CFR 2.12(d)(2)(i)(C).
34 See 42 CFR 2.11, definitions of ‘‘Patient identifying information’’ and ‘‘Disclose’’.
35 See 42 CFR 2.12(d)(2)(ii).
36 See, e.g., remarks of U.S. Representative Earl Blumenauer: ‘‘If substance use disorder treatment is not included in your entire medical records, then they are not complete. It makes care coordination more difficult and can lead to devastating outcomes. This bill works to remove the stigma that comes with substance use disorders and ensures necessary information is available for safe, efficient, and transparent treatment for all patients.’’ See also remarks of U.S. Representative Markwayne Mullin: ‘‘It’s time that we stop stigmatizing those struggling with opioid abuse and give physicians the tools they need to help their patients. Mental health and physical health have been treated in a silo for too long. Our bill breaks down those barriers so the doctor can treat the whole patient. I’m proud to introduce this bill with my colleagues so that we can provide 21st century care to those who need it the most’’, https://blumenauer.house.gov/mediacenter/press-releases/blumenauer-and-mullinintroduce-bipartisan-legislation-address-opioid.
37 But see 85 FR 42986 (July 15, 2020), in which the Department finalized a rule permitting the disclosure of Part 2 records for care coordination by certain ‘‘lawful holders’’ that receive a record for payment or health care operation activities directly from a Part 2 program or other lawful holder.
38 In 2017, the Department declared a public health emergency related to the opioid crisis. See Public Health Emergency (October 26, 2017), https://www.hhs.gov/sites/default/files/opioid%20PHE%20Declaration-no-sig.pdf. https://www.phe.gov/emergency/news/healthactions/phe/Pages/opioids.aspx.
39 NAAG Requests Removal of Federal Barriers to Treat Opioid Use Disorder (August 5, 2019), at https://www.naag.org/policy-letter/naag-requestsremoval-of-federal-barriers-to-treat-opioid-usedisorder/.
40 Opioid Overdose Crisis, National Institutes of Health National Institute on Drug Abuse (March 11, 2021), https://www.drugabuse.gov/drug-topics/opioids/opioid-overdose-crisis. See also CDC/NCHS, National Vital Statistics System, Mortality. CDC WONDER, Atlanta, GA: US Department of Health and Human Services, CDC; 2019, https://wonder.cdc.gov.
41 Hearing of the Committee on Health, Education, Labor, and Pensions United States Senate, ‘‘The Role of Technology and Data in Preventing and Treating Addiction.’’ (February 27, 2018), https://www.govinfo.gov/content/pkg/CHRG115shrg28855/pdf/CHRG-115shrg28855.pdf.
42 See sec. 3221(i) of the CARES Act.

A. Statutory and Regulatory Background

Congress enacted the first federal confidentiality protections for SUD records in section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.43 The statute authorized ‘‘persons engaged in research on, or treatment with respect to, alcohol abuse and alcoholism to protect the privacy of individuals who [were] the subject of such research or treatment’’ from persons not connected with the conduct of the research or treatment by withholding identifying information. Section 408 of the Drug Abuse Office and Treatment Act of 1972 44 applied confidentiality requirements to records relating to drug abuse prevention authorized or assisted under any provision of the Act. Section 408 permitted disclosure, with a patient’s written consent, for diagnosis or treatment by medical personnel and to government personnel for obtaining patient benefits to which the patient is entitled. The 1972 Act also established exceptions to the consent requirement to permit disclosures for bona fide medical emergencies; to qualified personnel for conducting certain activities, such as scientific research or financial audit or program evaluation, as long as the patient is not identified in any reports; and as authorized by court order granted after application showing good cause.45

The Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974 46 expanded the types of records protected by confidentiality restrictions to include records relating to alcoholism, alcohol abuse, and drug abuse prevention, maintained in connection with any program or activity conducted, regulated, or directly or indirectly federally assisted by any United States agency. The 1974 Act also permitted the disclosure of records based on prior written patient consent only to the extent such disclosures were allowed under Federal regulations. Additionally, the 1974 Act excluded the interchange of records within the Armed Forces or components of the U.S. Department of Veterans Affairs (VA), then known as the Veterans’ Administration, from the confidentiality restrictions.47

In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act) 48 added section 543, Confidentiality of Records, to the Public Health Service Act (PHSA) (codified at 42 U.S.C. 290dd–2) (‘‘Part 2 statute’’), which narrowed the grounds upon which a court could grant an order permitting disclosure of such records from ‘‘good cause’’ (i.e., based on weighing the public interest in the need for disclosure against the injury to the patient, physician-patient relationship and treatment services) 49 to ‘‘the need to avert a substantial risk of death or serious bodily harm.’’ 50 Congress also established criminal penalties for Part 2 violations under title 18 of the United States Code, Crimes and Criminal Procedure.51 Finally, section 543 granted broad authority to the Secretary to prescribe regulations to carry out the purposes of section 543 and provide for safeguards and procedures, including criteria for the issuance and scope of court orders to authorize disclosure of SUD records, ‘‘as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.’’ 52

In 1975, the Department promulgated the first federal regulations implementing statutory SUD confidentiality provisions at 42 CFR part 2.53 In 1987, the Department published a final rule making substantive changes to the scope of Part 2 to clarify the regulations and ease the burden of compliance by Part 2 programs within the parameters of the existing statutory restrictions.54 After the 1992 enactment of the ADAMHA Reorganization Act (Pub. L. 102–321), the Department later clarified the definition of ‘‘program’’ in a 1995 final rule to narrow the scope of Part 2 regulations pertaining to medical facilities to cover only those entities or units within a general medical facility that hold themselves out as providing diagnosis, treatment, or referral for treatment, or specialized personnel (who are identified as providing such services as a primary function) and which directly or indirectly receive federal assistance.55

43 See sec. 333, Public Law 91–616, 84 Stat. 1853 (December 31, 1970) (codified at 42 U.S.C. 2688h).
44 See sec. 408, Public Law 92–255, 86 Stat. 65 (March 21, 1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the use of a covered record for use or initiation or substantiation of criminal charges against a patient or investigation of a patient. Section 408 provided for a fine in the amount of $500 for a first offense violation, and not more than $5,000 for each subsequent offense.
45 Id.
46 See sec. 101, title I, Public Law 93–282, 88 Stat. 126 (May 14, 1974), providing that: ‘‘This title [enacting this section and sections 4542, 4553, 4576, and 4577 of this title, amending sections 242a, 4571, 4572, 4573, 4581, and 4582 of this title, and enacting provisions set out as notes under sections 4581 and 4582 of this title] may be cited as the ‘Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974’’.
47 See sec. 408, title I, Public Law 92–255, 86 Stat. 79 (March 21, 1972) (originally codified at 21 U.S.C. 1175). See 21 U.S.C. 1175 note for complete statutory history.
48 See sec. 131, Public Law 102–321, 106 Stat. 323 (July 10, 1992) (codified at 42 U.S.C. 201 note).
49 See sec. 333, Public Law 91–616, 84 Stat. 1853 (December 31, 1970).
50 See sec. 131, Public Law 102–321, 106 Stat. 323 (July 10, 1992) (codified at 42 U.S.C. 201 note).
51 Id., adding sec. 543(b)(2)(C) to the PHSA.
52 Id., adding sec. 543(g) to the PHSA.
53 See 40 FR 27802 (July 1, 1975).
54 See 52 FR 21796 (June 9, 1987). See also Notice of Decision to Develop Regulations, 45 FR 53 (January 2, 1980) and 48 FR 38758 (August 25, 1983).
55 See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (August 18, 1994) and 59 FR 45063 (August 31, 1994). The ambiguity of the definition of ‘‘program’’ was identified in United States v. Eide, 875 F. 2d 1429 (9th Cir. 1989) where the court held that the general emergency room is a ‘‘program’’ as defined by the regulations.

HIPAA and the HITECH Act

In 1996, Congress enacted HIPAA,56 which included Administrative Simplification provisions requiring the establishment of national standards 57 to protect the privacy and security of individuals’ health information and establishing civil money and criminal penalties for violations of the requirements, among other provisions.58 The Administrative Simplification provisions and implementing regulations apply to covered entities, which are health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.59 Certain provisions of the HIPAA Rules also apply directly to business associates of covered entities.60

The Privacy Rule, including provisions implemented as a result of the HITECH Act,61 regulates the use and disclosure of PHI by covered entities and business associates, requires covered entities to have safeguards in place to protect the privacy of PHI, and requires covered entities to obtain the written authorization of an individual to use and disclose the individual’s PHI unless otherwise permitted by the Privacy Rule.62 The Privacy Rule includes several use and disclosure permissions that are relevant to this NPRM, including the permissions for covered entities to use and disclose PHI without written authorization from an individual for TPO; 63 to public health authorities for public health purposes; 64 and for research in the form of a limited data set 65 or pursuant to a waiver of authorization by a Privacy Board or Institutional Review Board.66 The Privacy Rule also establishes the rights of individuals with respect to their PHI, including the rights to: receive adequate notice of a covered entity’s privacy practices; to request restrictions of certain uses and disclosures; to access (i.e., to inspect and obtain a copy of) their PHI; to request an amendment of their PHI; and to receive an accounting of certain disclosures of their PHI.67 Finally, the Privacy Rule specifies standards for de-identification of PHI such that, when applied, the information is no longer individually identifiable health information and subject to the HIPAA Rules.68

The Security Rule, codified at 45 CFR parts 160 and 164, subparts A and C, requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Specifically, covered entities and business associates must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; 69 protect against reasonably anticipated threats or hazards to the security or integrity of the information 70 and reasonably anticipated impermissible uses or disclosures; 71 and ensure compliance by their workforce.72

The Breach Notification Rule, codified at 45 CFR parts 160 and 164, subparts A and D, implements HITECH Act requirements 73 for covered entities to provide notification to affected individuals, the Secretary, and in some cases the media, following a breach of unsecured PHI. The Breach Notification Rule also requires a covered entity’s business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach.

56 See Public Law 104–191, 110 Stat. 1936 (August 21, 1996).
57 Cited at fn. 3. See also sec. 264 of HIPAA (codified at 42 U.S.C. 1320d–2 note).
58 See 42 U.S.C. 1320d–1–1320d–9. With respect to privacy standards, Congress directed the Department to ‘‘address at least the following: (1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required.’’ 42 U.S.C. 1320d–2 note.
59 See 42 U.S.C. 1320d–1 (applying Administrative Simplification provisions to covered entities).
60 See ‘‘Office for Civil Rights Fact Sheet on Direct Liability of Business Associates under HIPAA’’ (May 2019) for a comprehensive list of requirements in the HIPAA Rules that apply directly to business associates (available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/businessassociates/factsheet/).
61 The HITECH Act extended the applicability of certain Privacy Rule requirements and all of the Security Rule requirements to the business associates of covered entities; required HIPAA covered entities and business associates to provide for notification of breaches of unsecured PHI (implemented by the Breach Notification Rule); established new limitations on the use and disclosure of PHI for marketing and fundraising purposes; prohibited the sale of PHI; required consideration of whether a limited data set can serve as the minimum necessary amount of information for uses and disclosures of PHI; and expanded individuals’ rights to access electronic copies of their PHI in an EHR, to receive an accounting of disclosures of their PHI with respect to ePHI, and to request restrictions on certain disclosures of PHI to health plans. In addition, subtitle D strengthened and expanded HIPAA’s enforcement provisions. See subtitle D of title XIII of the HITECH Act, entitled ‘‘Privacy’’, for all provisions (codified in title 42 of U.S.C.).
62 See 45 CFR 164.502(a).
63 See 45 CFR 164.506.
64 See 45 CFR 164.512(b).
65 See 45 CFR 164.514(e)(1–4).
66 See 45 CFR 164.512(i).
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of ‘‘unsecured’’ PHI, subject to three exceptions: 74 (1) the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority; (2) the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement (OHCA) in which the covered entity participates; and (3) the covered entity or business associate making the disclosure has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

67 See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
68 See 45 CFR 164.514(a–c).
69 See 45 CFR 164.306(a)(1).
70 See 45 CFR 164.306(a)(2).
71 See 45 CFR 164.306(a)(3).
72 See 45 CFR 164.306(a)(4).
73 See sec. 13402 of the HITECH Act (codified at 42 U.S.C. 17932).
74 See 45 CFR 164.402 para. (1).
The Breach Notification Rule provides that a covered entity may rebut the presumption that such impermissible use or disclosure constituted a breach by demonstrating that there is a low probability that PHI has been compromised based on a risk assessment of at least four required factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.75

The Enforcement Rule, codified at 45 CFR part 160, subparts C, D, and E, includes standards and procedures relating to investigations into complaints about noncompliance with the HIPAA Rules, compliance reviews, the imposition of civil money penalties (CMPs), and procedures for hearings. The Enforcement Rule states generally that the Secretary will impose a CMP upon a covered entity or business associate if the Secretary determines that the covered entity or business associate violated a HIPAA Administrative Simplification provision.76 However, the Enforcement Rule also provides for informal resolution of potential noncompliance,77 which occurs through voluntary compliance by the regulated entity, corrective action, or a resolution agreement with the payment of a settlement amount to OCR.

The Department promulgated or modified key provisions of the HIPAA Rules as part of the 2013 Omnibus Final Rule, in which the Department implemented applicable provisions of the HITECH Act, among other modifications. For example, the Department strengthened privacy and security protections for PHI, finalized breach notification requirements, and enhanced enforcement by increasing potential CMPs for violations, including establishing tiers of penalties based on entities’ level of culpability.78 The Secretary of HHS delegated authority to OCR to make decisions regarding the implementation and interpretation of the Privacy, Security, Breach Notification, and Enforcement Rules.79 80

75 Ibid. para. (2).
76 Criminal penalties may be imposed by the Department of Justice for certain violations under 42 U.S.C. 1320d–6.
77 See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.
78 See 78 FR 5566 (January 25, 2013).

Earlier Efforts To Align Part 2 With the HIPAA Rules

Prior to amendment by the CARES Act, section 290dd–2 provided that records could be disclosed only with the patient’s specific written consent for each disclosure, with limited exceptions.81 The exceptions related to records maintained by VA or the Armed Forces and, for example, disclosures for continuity of care in emergency situations or between personnel who have a need for the information in connection with their duties that arise out of the provision of the diagnosis, treatment, or referral for treatment of patients with SUD.82 The exceptions did not include, for example, a disclosure of Part 2 records by a Part 2 program to a third-party medical provider to treat a condition other than SUD absent an emergency situation. Therefore, the current Part 2 implementing regulations require specific patient consent for most uses and disclosures of Part 2 records, including for non-emergency treatment purposes.
In contrast, the Privacy Rule permits covered entities to use and disclose an individual’s PHI for TPO without the individual’s valid HIPAA authorization.83 The Department has modified and clarified Part 2 several times to align certain provisions more closely with the Privacy Rule,84 address changes in health information technology, and provide greater flexibility for disclosures of patient identifying information within the health care system, while continuing to protect the confidentiality of Part 2 records.85 For example, the Department clarified in a 2017 final rule that the definition of ‘‘patient identifying information’’ in Part 2 includes the individual identifiers listed in the Privacy Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not already listed in the Part 2 definition.86

In 2018, the Department issued a final rule clarifying the circumstances under which lawful holders and their legal representatives, contractors, and subcontractors could use and disclose Part 2 records related to payment and health care operations in § 2.33(b) and for audit or evaluation-related purposes. The Department clarified that previously listed types of payment and health care operations uses and disclosures under the lawful holder permission in § 2.33(b) were illustrative, and not necessarily definitive so as to be included in regulatory text.87 The Department also acknowledged the similarity of the list of activities to those included in the Privacy Rule definition of ‘‘health care operations’’ but declined to fully incorporate that definition into Part 2.88 The Department specifically excluded care coordination and case management from the list of payment and health care operations activities permitted without patient consent under Part 2 based on a determination that these activities are akin to treatment. The Department also codified in regulatory text language for an abbreviated notice to accompany disclosure of Part 2 records.89 Although the rule retained the requirement that a patient must consent before a lawful holder may redisclose Part 2 records for treatment,90 the Department explained that the purpose of the Part 2 regulations is to ensure that a patient is not made more vulnerable by reason of the availability of a treatment record than an individual with a SUD who chooses not to seek treatment.

79 See Office for Civil Rights; Statement of Delegation of Authority, 65 FR 82381 (December 28, 2000); Office for Civil Rights; Delegation of Authority, 74 FR 38630 (August 4, 2009); Statement of Organization, Functions and Delegations of Authority, 81 FR 95622 (December 28, 2016).
80 See 65 FR 82381 (December 28, 2000).
81 The limited exceptions are codified in current regulation at 42 CFR 2.12(c), 42 CFR part 2 subpart D, and 42 CFR 2.33(b).
82 See 42 CFR 2.12(c)(3). These disclosures are limited to communications within a Part 2 program or between a Part 2 program and an entity having direct administrative control over the Part 2 program.
83 See 45 CFR 164.501.
84 See 85 FR 42986 and 83 FR 239 (January 3, 2018).
85 82 FR 6052 (January 18, 2017). See also 81 FR 6988 (February 9, 2016).
The Department simultaneously recognized the legitimate needs of lawful holders to obtain payment and conduct health care operations as long as the core protections of Part 2 are maintained.91 In a final rule published July 15, 2020,92 the Department retained the requirement that programs obtain prior written consent before disclosing Part 2 records in the first instance (outside of recognized exceptions). At the same time the Department reversed its previous exclusion of care coordination and case management from the list of payment and health care operations in § 2.33(b) for which a lawful holder may make further disclosures to its contractors, subcontractors, and legal representatives.93 The Department based this change on comments received on the proposed rule in 2019 and on section 3221(d)(4) of the CARES Act, which incorporated the Privacy Rule definition of health care operations, including care coordination and case management activities, into paragraph (k)(4) of 42 U.S.C. 290dd–2.94 The July 2020 final rule also modified the consent requirements in § 2.31 by establishing special requirements for written consent 95 when the recipient of Part 2 records is a health information exchange (HIE) (as defined in 45 CFR 171.102 96). In this NPRM, the Department now proposes a definition for the term ‘‘intermediary’’ 97 to further facilitate the exchange of Part 2 records in new models of care, including those involving an HIE, a research institution providing treatment, an accountable care organization, or a care management organization.

86 See 82 FR 6052, 6064.
87 See 83 FR 239, 241–242.
88 Id. at 242.
89 83 FR 239 (January 3, 2018). See also 82 FR 5485 (January 18, 2017).
90 Id. at 242.
91 Id.
92 85 FR 42986. See also 84 FR 44568.
The Department again modified Part 2 on December 14, 2020,98 by amending the confidential communications section of § 2.63(a)(2), which enumerated a basis for a court order authorizing the use of a record when ‘‘the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient.’’ The December 2020 final rule removed the phrase ‘‘allegedly committed by the patient,’’ explaining that the phrase was included in previous rulemaking by error, and clarifying that a court has the authority to permit disclosure of confidential communications when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime that was allegedly committed by either a patient or an individual other than the patient.

93 See 42 CFR 2.33(b).
94 See 85 FR 42986, 43008–009. Sec. 3221(k)(4) expressed the Sense of Congress that the Department should exclude clause (v) of paragraph 6 of 45 CFR 164.501 (relating to creating deidentified health information or a limited data set, and fundraising for the benefit of the covered entity) from the definition of ‘‘health care operations’’ in applying the definition to these records.
95 See 85 FR 42986, 43006.
96 See 85 FR 42986, 43006. See also 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 FR 25642 (May 1, 2020).
97 See proposed 42 CFR 2.11, Definitions: Intermediary means a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participants for the treatment of the patient—e.g., a health information exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization.
98 85 FR 80626 (December 14, 2020).
Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act

On March 27, 2020, Congress enacted the CARES Act 99 to provide emergency assistance to individuals, families, and businesses affected by the COVID–19 pandemic. Section 3221 of the CARES Act, Confidentiality and Disclosure of Records Relating to Substance Use Disorder, substantially amended 42 U.S.C. 290dd–2 to more closely align federal privacy standards applicable to Part 2 records with HIPAA and HITECH Act privacy use and disclosure standards, breach notification standards, and enforcement authorities that apply to PHI, among other modifications. The requirements in sections 42 U.S.C. 290dd–2(b), (c), and (f), as amended by section 3221 of the CARES Act, with respect to patient consent and redisclosures of SUD records, now align more closely with Privacy Rule provisions permitting uses and disclosures for TPO and establish certain patient rights with respect to their Part 2 records consistent with provisions of the HITECH Act; restrict the use and disclosure of Part 2 records in legal proceedings; and set civil and criminal penalties for violations, respectively. Section 3221 also amended 42 U.S.C. 290dd–2(j) and (k) by adding HITECH Act breach notification requirements and new terms and definitions consistent with the HIPAA Rules and the HITECH Act, respectively. Finally, section 3221 requires the Department to modify the NPP 100 requirements at 45 CFR 164.520 so that covered entities and Part 2 programs provide notice to individuals regarding privacy practices related to Part 2 records, including patients’ rights and uses and disclosures that are permitted or required without authorization.

Paragraph (b) of section 3221, Disclosures to Covered Entities Consistent with HIPAA, adds a new paragraph (1), Consent, to section 543 of the PHSA 101 and expands the ability of covered entities, business associates, and Part 2 programs to use and disclose Part 2 records for TPO.
The text of section 3221(b) adding paragraph (1)(B) to 42 U.S.C. 290dd–2 states that once prior written consent of the patient has been obtained, those contents may be used or disclosed by a covered entity, business associate, or a program subject to this section for the purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations. Any disclosed information may then be redisclosed in accordance with the HIPAA regulations. To the extent that 42 U.S.C. 290dd–2(b)(1) now provides for a general written consent covering all future uses and disclosures for TPO ‘‘as permitted by the HIPAA regulations,’’ and expressly permits the redisclosure of Part 2 records received for TPO ‘‘in accordance with the HIPAA regulations,’’ the Department believes that this means that the entity receiving the records based on such general consent, and then redisclosing the records, must be a covered entity, business associate, or Part 2 program. The Department’s proposals throughout this NPRM are premised on its reading of section 3221(b) as applying to redisclosures of Part 2 records by covered entities, business associates, and Part 2 programs, including those covered entities that are Part 2 programs.

99 Public Law 116–136, 134 Stat. 281 (March 27, 2020). Significant components of section 3221 are codified at 42 U.S.C. 290dd–2 as further detailed in this NPRM.
100 Section 3221(i) requires the Secretary to update 45 CFR 164.520, the Privacy Rule requirements with respect to the NPP.
101 Paragraph (1) is codified at 42 U.S.C. 290dd–2(b).

In addition to the provisions of section 3221 described above, paragraph (g) of section 3221, Antidiscrimination, adds a new provision (i)(1) to 42 U.S.C.
290dd–2 to prohibit discrimination against an individual based on their Part 2 records in: (A) admission, access to, or treatment for health care; (B) hiring, firing, or terms of employment, or receipt of worker’s compensation; (C) the sale, rental, or continued rental of housing; (D) access to Federal, State, or local courts; or (E) access to or maintenance of social services and benefits provided or funded by Federal, State, or local governments.102 Further, the new paragraph (i)(2) prohibits discrimination by any recipient of Federal funds against individuals based on their Part 2 records.103 As a recent legal analysis noted, ‘‘The decision to protect individuals whose disclosed patient records reveal or appear to reveal current illegal use of drugs is also consistent with Section 3221’s specific purpose to remove well-founded fear of discrimination as a barrier to treatment.’’ 104 Patients with SUD who are currently using illegal drugs are not protected from discrimination on the basis of their illegal drug use under existing law of the Rehabilitation Act of 1973,105 Americans with Disabilities Act (ADA),106 the Affordable Care Act,107 and the Fair Housing Act.108 The CARES Act nondiscrimination provision, in conjunction with the newly applicable HITECH Act penalty tiers, will serve to protect the treatment records of all patients with SUD, whether or not they are currently using illicit drugs. The Department intends to implement the CARES Act antidiscrimination provisions in a separate rulemaking.

102 See sec. 3221(g) of the CARES Act.
103 Id.
104 See Dineen, Kelly K., & Pendo, Elizabeth, ‘‘Substance Use Disorder Discrimination and the CARES Act: Using Disability Law to Inform Part 2 Rulemaking’’ (February 2, 2021) (available at https://arizonastatelawjournal.org/wp-content/uploads/2021/02/02-Dineen-_-Pendo.pdf) and Johnson, Kimberly, ‘‘COVID–19: Isolating the Problems in Privacy Protection for Individuals with Substance Use Disorder’’ (May 1, 2021) (available at https://ssrn.com/abstract=3837955). See also remarks of U.S. Representative Michael C. Burgess: ‘‘Current [P]art 2 law does not protect individuals from discrimination based on their treatment records and, to this date, there have been no criminal actions undertaken to enforce [P]art 2.’’ (available at https://www.congress.gov/congressional-record/2018/06/20/house-section/article/H5325-1).
105 See sec. 504, Public Law 93–112, 86 Stat. 355 (September 26, 1973) (codified at 29 U.S.C. 701, 705).
106 See Public Law 101–336, 104 Stat. 327 (July 26, 1990) (codified at 42 U.S.C. 12101, 12210).
107 See sec. 1557, Public Law 111–148, 124 Stat. 119 (March 23, 2010) (codified at 42 U.S.C. 18001, 18116).
108 See sec. 3601–19, Public Law 90–284, 82 Stat. 81 (April 11, 1968) (codified at 42 U.S.C. 3601, 3602).

Section-by-Section Description of Proposed Amendments to 42 CFR Part 2

Below, the Department describes the proposals in this NPRM to amend 42 CFR part 2 and 45 CFR 164.520 to implement changes made to 42 U.S.C. 290dd–2, as amended by section 3221 of the CARES Act. Some of the Department’s proposals are not expressly required by the CARES Act, but are proposed to align the language of this part with that in the Privacy Rule and to clarify already-existing Part 2 permissions or restrictions. The Department believes these additional proposals fall within the Department’s scope of regulatory authority and are necessary to facilitate implementation of the CARES Act. For example, consistently throughout this NPRM, the Department proposes to re-order the terms ‘‘disclosure and use’’ to ‘‘use and disclosure’’ 109 to better align the
language of Part 2 with the Privacy Rule which generally regulates the ‘‘use and disclosure’’ of PHI.110 The Department does not believe these proposed changes are substantive, but requests comment on this assumption.

In another example, the Department proposes to add the term ‘‘use’’ to where only the term ‘‘disclose’’ exists in regulatory text, or in some cases to add the term ‘‘disclose’’ to an existing ‘‘use’’ because it more accurately describes the scope of the activity that is the subject of the regulatory provision or could be within the scope of the activity. These changes are aligned with changes made to 42 U.S.C. 290dd–2 paragraph (b)(1)(A) by section 3221(b) of the CARES Act (providing that Part 2 records may be used or disclosed in accordance with prior written consent); to 42 U.S.C. 290dd–2(b)(1)(B) and (b)(1)(C) by section 3221(b) of the CARES Act (providing that the contents of Part 2 records may be used or disclosed by covered entities, business associates, or programs in accordance with the HIPAA Rules for TPO purposes); and to paragraph 42 U.S.C. 290dd–2(c) by section 3221(e) of the CARES Act (prohibiting disclosure and use of Part 2 records in proceedings against the patient). The Department describes these proposed additions of terms in each section of this NPRM where applicable.111 The Department requests comment on its proposals to reorder the terms ‘‘use’’ and ‘‘disclosure’’ as described, and to add the term ‘‘use’’ to clarify these regulations as described above.

109 See e.g., proposed regulatory text at §§ 2.2(a)(2), (a)(3), and (b)(1), Purpose and effect; 2.12(c)(5) and (c)(6), Applicability; 2.13(a) and (b), Confidentiality restrictions and safeguards; 2.21(b), Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity; 2.34(b), Disclosures to prevent multiple enrollments; 2.35(d), Disclosures to elements of the criminal justice system which have referred patients; 2.53(a), (b)(1)(iii), (e)(1)(iii), (e)(6), (f), Management audits, financial audits, and program evaluation (proposed heading); subpart E, Court Orders Authorizing Use and Disclosure (proposed heading); 2.61(a), Legal effect of order; 2.62, Order not applicable to records disclosed without consent to researchers, auditors and evaluators; 2.65 heading, 2.65(a) and (d), 2.65(e), (e)(1), and (e)(3), Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading); 2.66 heading, 2.66(a)(1) and 2.66(d), Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records (proposed heading).
110 Consistently, the Department refers to ‘‘uses and disclosures’’ or ‘‘use and disclosure’’ in the Privacy Rule. See, e.g., 45 CFR 164.502 Uses and disclosures of protected health information: General rules.
111 See, e.g., proposed §§ 2.12(a)(1), (c)(3) and (c)(4), (d)(2), and (e)(3), Applicability; 2.13(a), Confidentiality restrictions and safeguards; 2.14(a) and (b), Minor patients; 2.15(a)(2), (b)(1) and (b)(2), Patients who lack capacity and deceased patients; 2.20, Relationship to state laws; 2.23 Patient access and restrictions on use and disclosure (proposed heading) and 2.33(b); Subpart C—Uses and Disclosures With Patient Consent (proposed heading); 2.31(a), (a)(1) and (2), (a)(4)(ii)(B), (a)(10), and (a)(10)(i) and (ii), Consent requirements; 2.33 Uses and disclosures permitted with written consent (proposed heading), and paragraphs 2.33(a), (b), (b)(1), and (b)(2); Subpart D—Uses and Disclosures Without Patient Consent (proposed heading); 2.53(e)(5), Management audits, financial audits, and program evaluation; 2.61(a) and (b)(1) and (b)(2), Legal Effect of order; 2.64 heading, Procedures and criteria for orders authorizing uses and disclosures for non-criminal purposes (proposed heading), and paragraphs (a) and (e); 2.65(a) Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading); 2.67(d)(3), Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

In addition, the Department proposes changes to subpart E, Court Orders Authorizing Use and Disclosure, relying on both the Secretary’s broad rulemaking authority under section 543 of the PHSA and on the authority granted in section 3221 of the CARES Act. The Department proposes to heighten protections against use or disclosure of records in proceedings against patients by aligning the regulatory language regarding the scope of proceedings to which subpart E applies with the amended statute to expressly include administrative and legislative proceedings 112 and to expressly include testimony that relays information contained in records.113 Additionally, the Department is adopting the HIPAA phrasing of ‘‘use and disclosure’’ in most instances where only one of those terms is used in the current regulation, including throughout subpart E.

The Department also proposes additional changes to facilitate compliance by investigative agencies when they seek records for investigations and prosecutions of Part 2 programs pursuant to applicable authorities. In particular, the Department proposes to limit liability for violations when an investigative agency unknowingly receives Part 2 records in the course of investigating a Part 2 program or person holding Part 2 records, provided the agency takes certain actions, and to require annual reporting to the Secretary by investigative agencies about the use of the proposed safe harbor. The Department is proposing these changes because the Department believes the proposals are a necessary consequence of the new enforcement penalties for violations of Part 2 114 pursuant to 42 U.S.C. 290dd–2(f) as amended by section 3221(f) and the expanded scope of proceedings where a court order is required 115 pursuant to 42 U.S.C. 290dd–2(c) as amended by section 3221(e). In particular, the Department understands that investigative agencies could potentially become subject to the new penalties for violations in the event that they are unaware that a provider under investigation is subject to Part 2 and as a result they fail to follow the requirements of subpart E before obtaining the provider’s records. The Department requests comment on these additional proposed changes.

112 See proposed §§ 2.63, 2.64, 2.65.
113 See proposed §§ 2.64, 2.65, 2.66.
114 See proposed § 2.3.

The Department further requests comment on all proposals described in the following paragraphs of this NPRM, including those expressly implementing CARES Act amendments to section 290dd–2, those the Department describes as necessary to further align this part with the Privacy Rule, and those proposals described as necessary to clarify the full scope of activities that it is regulating in this part. The Department also requests comment on all aspects of the Regulatory Impact Analysis, including the assumptions and estimates about the costs and benefits of the proposed changes, and the alternatives the Department considered when developing the proposals in this NPRM. The Department proposes the following amendments to this part: A.
§ 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records

The Department proposes to revise § 2.1 to more closely align this section with the statutory text of 42 U.S.C. 290dd–2(g) and add references to subsection 290dd–2(b)(2)(C) related to the issuance of court orders authorizing disclosures of Part 2 records.

115 E.g., Expressly including legislative and administrative proceedings and testimony relaying information contained in records, as discussed above.

§ 2.2—Purpose and Effect

Section 2.2 of 42 CFR part 2 establishes the purpose and effect of regulations imposed in this part upon the use and disclosure of Part 2 records. The Department proposes to add language to paragraph (b) of § 2.2 to conform that paragraph to changes proposed to § 2.3(b) that would compel disclosures to the Secretary that are necessary for enforcement of this rule. The new language is adapted from a similar provision of the Privacy Rule at 45 CFR 164.502(a)(2)(ii). The Department also proposes to replace the phrase ‘‘disclosure and use’’ by re-ordering the phrase to ‘‘use or disclosure’’ at §§ 2.2(a), (a)(4), and 2.2(b)(1), to align the language with that used in the Privacy Rule.

The Department proposes several changes in § 2.2 that would facilitate implementation of the CARES Act in general. For example, in §§ 2.2(a)(2), (a)(3), and (b)(1), the Department proposes to add the phrase ‘‘uses and’’ in front of the existing term ‘‘disclose’’ or ‘‘disclosures.’’ The Department proposes these additions in §§ 2.2(a)(2) and (3), which list subparts C and D of this part, to conform to changes the Department proposes to the heading titles of subparts C and D. In those heading titles, the Department proposes to refer to ‘‘Uses and Disclosures with Patient Consent’’ and ‘‘Uses and Disclosures without Patient Consent’’ respectively.
In § 2.2(b)(1), Effect, the Department proposes to refer to ‘‘use and disclosure’’ instead of only ‘‘disclosure’’ to better describe how the regulations in this part, as modified by the CARES Act, prohibit the ‘‘use and disclosure’’ of Part 2 records. The Department proposes to modify the end of § 2.2(b)(1) to provide that the regulations generally do not require the use or disclosure of Part 2 records under any circumstance except when disclosure is required by the Secretary to investigate or determine a person’s compliance with this part pursuant to § 2.3(b), now proposed for modification to reflect newly required civil and criminal penalties for violations of this part.

Finally, the Department proposes to add a new paragraph (b)(3) to § 2.2 to incorporate the rules of construction in section 3221(j)(1) and (2) of the CARES Act. Accordingly, the proposed paragraphs would provide that nothing in this part shall be construed to limit a patient’s right to request restrictions on use of records for TPO or a covered entity’s choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.

In addition to the above-described proposed amendments to § 2.2, the Department proposes minor wording changes to improve readability or conform the use of terms to newly proposed definitions. These proposals are reflected in proposed regulatory text and may be reflected throughout this NPRM and include:
• Inserting a parenthetical reference to ‘‘records’’ to reflect how the Department proposes to refer to SUD records; and
• Striking the word ‘‘patient’’ from in front of the term ‘‘record’’.

The Department requests comments on all proposed changes to this section.

§ 2.3—Civil and Criminal Penalties for Violations (Proposed Heading)

Section 2.3 of 42 CFR part 2 currently requires that any person who violates any provision of the Part 2 regulations be criminally fined in accordance with title 18 U.S.C. As amended by section 3221(f) of the CARES Act, 42 U.S.C. 290dd–2(f) applies the provisions of §§ 1176 and 1177 of the Social Security Act to a Part 2 program for a violation of 42 CFR part 2 in the same manner as they apply to a covered entity for a violation of part C of title XI of the Social Security Act. Therefore, the Department proposes to replace title 18 criminal enforcement with civil and criminal penalties under §§ 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6), respectively, as implemented in the Enforcement Rule.

Specifically, the Department proposes to rename § 2.3 as Civil and criminal penalties for violations and reorganize § 2.3 into section paragraphs 2.3(a), (b), and (c). Proposed § 2.3(a) would incorporate the penalty provisions of 42 U.S.C. 290dd–2(f), which apply the civil and criminal penalties of §§ 1176 and 1177 of the Social Security Act, respectively, to violations of Part 2.

After consultation with the Department of Justice, the Department proposes in § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies when, in the course of investigating or prosecuting a Part 2 program or other person holding Part 2 records, they may unknowingly receive Part 2 records without first obtaining the requisite court order, provided that specified conditions are met. Such a safe harbor, as proposed, would be limited to only instances where records are obtained for the purposes of investigating a program or person holding the record, not a patient.
Investigative agencies are required to follow Part 2 requirements for obtaining, using, and disclosing Part 2 records as part of an investigation or prosecution; such requirements include seeking a court order, filing protective orders, maintaining security for records, and ensuring that records obtained in program investigations are not used in legal actions against patients who are the subjects of the records. Investigative agencies’ potential liability for violating Part 2 has increased due to the expanded application of HIPAA/HITECH Act penalties for violations, codified at 42 U.S.C. 1320d–5 (CMPs) and 1320d–6 (criminal penalties), to violations of Part 2. In addition, the need for investigation and prosecution of bad actors has increased in accordance with the intensity and duration of the opioid overdose epidemic.116 The Department solicits comments on the need for investigation of Part 2 programs and holders of Part 2 records and a related safe harbor for law enforcement due to proposed changes in enforcement of Part 2 requirements.

To address concerns about potential liability for Part 2 violations arising from investigators who, in good faith, unknowingly receive Part 2 records, the Department proposes at § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive Part 2 records without first obtaining the required court order while investigating or prosecuting a Part 2 program or other person holding Part 2 records (or their employees or agents). The limitation on liability would be available for uses or disclosures inconsistent with Part 2 when the person acted with reasonable diligence to determine in advance whether Part 2 applied to the records or program.
Paragraph (b)(1) would also clarify what constitutes ‘‘reasonable diligence’’ in determining whether Part 2 applies to a record or program before an investigative agency makes an investigative demand or places an undercover agent with the program or person holding the records. Reasonable diligence would require acting within a reasonable period of time, but no more than 60 days prior to, the request for records or placement of an undercover agent or informant. Reasonable diligence would include taking the following actions to determine whether a health care practice or provider (where it is reasonable to believe that the practice or provider provides SUD diagnostic, treatment, or referral for treatment services) provides such services by: (1) checking a prescription drug monitoring program in the state where the provider is located, if available and accessible to the agency under state law; or (2) checking the website or physical location of the provider.

In addition, § 2.3(b) would require an investigative agency to meet any other applicable requirements within Part 2 for any use or disclosure of the records that occurred, or will occur, after the investigative agency knew, or by exercising reasonable diligence would have known, that it received Part 2 records. The Department has added applicable requirements in § 2.66 and § 2.67, discussed below, and requests comment on the impact of the proposed safe harbor on patient privacy and access to SUD treatment.

116 See Opioid Enforcement Effort, Department of Justice, Consumer Protection Branch, https://www.justice.gov/civil/consumer-protection-branch/opioid and Understanding the Epidemic, Centers for Disease Prevention and Control, https://www.cdc.gov/drugoverdose/epidemic/.
The proposed safe harbor could promote public safety by permitting government agencies to investigate or prosecute Part 2 programs and persons holding Part 2 records for suspected criminal activity, in good faith without risk of HIPAA/HITECH Act penalties. The current rule contains no mechanism for an investigative agency to correct an error if it unknowingly obtains Part 2 records and as a result fails to obtain the required court order in advance. By proposing a pathway for investigative agencies to seek the required court order after the fact (a pathway that is only available for agencies that have first exercised reasonable diligence to determine in advance whether Part 2 applies), the proposal creates an incentive for investigative agencies to take steps that should reduce the need for ‘‘after the fact’’ court orders. Thus, investigative agencies that follow the proposed reasonable diligence steps and yet unknowingly receive Part 2 records and then seek a court order would be less likely to be denied on the basis of a procedural shortcoming and would not risk incurring HIPAA/HITECH Act penalties. Investigative agencies that do not use reasonable diligence as proposed at § 2.3(b)(1) would be precluded from seeking a court order to use or disclose Part 2 records that they later discover in their possession. The Department acknowledges that proposed § 2.3(b) may be viewed as a reduction in privacy protection, but believes that the exclusive application to investigations and prosecution of programs and holders of records affords an overall benefit without harming patient confidentiality when the proposed additional protections in §§ 2.66 and 2.67 are applied.117 The Department has limited the proposed safe harbor to investigative agencies that unknowingly obtain Part 2 records and relies on the CMP tiers to allow appropriate flexibility when a Part 2 program has unknowingly violated Part 2. 
However, the Department solicits comments on situations for which a safe harbor should be considered for SUD providers that unknowingly hold Part 2 records and unknowingly disclose them in violation of Part 2. As mentioned above, the Department also solicits comments on the impact of this proposed safe harbor to patient privacy and access to SUD treatment.

117 For example, using ‘‘John Doe’’ in the application for a court order and keeping records that contain patient identifying information under seal.

The Department does not intend to modify the applicability of § 2.12 or § 2.53 for investigative agencies, but to make the proposed safe harbor available in those situations where a court order would otherwise be required for a government agency to use or disclose records under these regulations. Thus, under § 2.12(c) an agency with direct administrative control over a Part 2 program still would not be subject to the Part 2 limits on communications between the program and the agency for purposes of diagnosis, treatment, or referral of patients, although the agency is also an investigative agency due to its supervisory role. Similarly, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for Part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and Children’s Health Insurance Program (CHIP).
Proposed § 2.3(c) would specify that the Enforcement Rule 118 shall apply to violations of Part 2 in the same manner as they apply to covered entities and business associates for violations of part C of title XI of the Social Security Act and its implementing regulations with respect to PHI.119 The Department requests comment on the likely benefits and costs of these proposed changes.

118 See 45 CFR part 160, subparts C (Compliance and Investigations), D (Imposition of Civil Money Penalties), and E (Procedures for Hearings). See also sec. 13410 of the HITECH Act (codified at 42 U.S.C. 17929).
119 This proposal would implement the required statutory framework establishing that civil and criminal penalties apply to violations of this part, as the Secretary exercises only civil enforcement authority. The Department of Justice has authority to impose criminal penalties where applicable. See 68 FR 18895, 18896 (April 17, 2003).

§ 2.4—Complaints of Violations (Proposed Heading)

Paragraphs (a) and (b) of this section currently provide that reports of violations of the Part 2 regulations may be directed to the U.S. Attorney for the judicial district in which the violation occurs and reports of any violation by an opioid treatment program may be directed to the U.S. Attorney and also to the Substance Abuse and Mental Health Services Administration (SAMHSA). Section 290dd–2(f), as amended by section 3221(f) of the CARES Act, grants civil enforcement authority to the Department, which currently exercises its HIPAA enforcement authority under 1176 of the Social Security Act in accordance with the Enforcement Rule. To implement the change from U.S.
Attorney enforcement, the Department proposes to re-title the heading to this section, replacing ‘‘Reports of violations’’ with ‘‘Complaints of violations,’’ and to replace the existing provisions about directing reports of Part 2 violations to the U.S. Attorney’s Office and to SAMHSA with provisions about filing complaints of potential violations with a Part 2 program or the Secretary. The Department notes that SAMHSA continues to regulate opioid treatment programs (OTPs) and may receive reports of alleged violations by OTPs of federal opioid treatment standards, including privacy and confidentiality requirements. Specifically, the Department proposes to add § 2.4(a) to require a Part 2 program to have a process to receive complaints concerning the program’s compliance with the Part 2 regulations. Proposed § 2.4(b) would provide that a program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise of any right established, or for participation in any process provided for, in Part 2, including the filing of a complaint. The Department also proposes to add § 2.4(c) to prohibit a program from requiring patients to waive their right to file a complaint as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to Part 2. The proposed changes to § 2.4 would align Part 2 with Privacy Rule provisions concerning complaints. Section 2.4(a) is consistent with the administrative requirements in 45 CFR 164.530(d), Standard: Complaints to the covered entity. Proposed § 2.4(b) would align with the Privacy Rule provision at 45 CFR 164.530(g), Standard: Refraining from intimidating or retaliatory acts. The proposed § 2.4(c) would be consistent with the Privacy Rule provision at 45 CFR 164.530(h), Standard: Waiver of rights. 
Thus, Part 2 programs that are also covered entities already have these administrative requirements in place, but programs that are not covered entities would need to adopt new policies and procedures. The Department requests comment on these proposed changes, including any concerns about potential unintended negative consequences on programs or patients of aligning § 2.4 with the cited provisions of the Privacy Rule.
§ 2.11—Definitions
Section 2.11 includes definitions for key regulatory terms in 42 CFR part 2. The Department proposes to add thirteen defined regulatory terms and modify the definitions of ten existing terms. The proposed new or modified definitions would be: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Informant, Intermediary, Investigative agency, Part 2 program director, Patient, Payment, Person, Program, Public health authority, Qualified service organization, Records, Third-party payer, Treating provider relationship, Treatment, Unsecured protected health information, Unsecured record, and Use. Most of these terms and definitions would be added or modified by referencing existing HIPAA regulatory terms in 45 CFR parts 160 and 164, either in accordance with the adoption of such definitions by section 3221(d) of the CARES Act, which added paragraph (k) (containing definitions) to 42 U.S.C. 290dd–2, or as a logical outgrowth of CARES Act amendments. Several other definitions would be modified for clarity and consistency, as described below. The Department requests comment on all proposals to add new or modify existing definitions to this part.
Breach. The proposed definition of Breach would adopt the Breach Notification Rule definition by reference to 45 CFR 164.402, but as applied to Part 2 records rather than to PHI. The Department proposes this definition to implement paragraph (k) of 42 U.S.C.
290dd–2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations. Because the CARES Act requires Part 2 programs to comply with HITECH Act breach notification requirements, a Part 2 regulatory definition of breach is necessary to implement and enforce these requirements.
Business associate. The Department proposes to adopt the same meaning of this term as is used in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Covered entity. The Department proposes to adopt the same meaning of this term as is used in the HIPAA Rule. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Health care operations. The proposal would incorporate the HIPAA Privacy Rule definition for health care operations.120
HIPAA. Although not required by the CARES Act, the Department proposes to add a definition of HIPAA that encompasses the statutory and regulatory provisions pertaining to the privacy, security, breach notification, and enforcement standards with respect to PHI. This definition would exclude other components of the HIPAA statute, such as insurance portability, and other HIPAA regulatory standards, such as the standard electronic transactions regulation, which are not relevant to this proposed rule. The Department proposes this definition to make clear the specific components of the relevant statutes that would be incorporated into this part.
HIPAA regulations.
The current rule does not define HIPAA regulations. The proposed definition is based on the statutory definition added by the CARES Act and has the same meaning as ‘‘HIPAA Rules,’’ which refers to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, when used in this document, OCR rulemaking, and OCR’s guidance and other materials. For purposes of this rulemaking, the term does not include Standard Unique Identifiers, Standard Electronic Transactions, and Code Sets, 42 CFR part 162—Administrative Requirements.
Informant. Within the definition of ‘‘informant,’’ the Department proposes to replace the term ‘‘individual’’ with the term ‘‘person’’ as is used in the HIPAA Rules and discussed below.
Intermediary. The current rule uses the term intermediary in § 2.13(d)(2) 121 without providing a definition. To improve understanding of the requirements for intermediaries, and to distinguish those requirements from the proposed accounting of disclosure requirements, the Department proposes to establish a definition of intermediary. Examples of an intermediary include, but are not limited to, a health information exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization. In contrast, a research institution that is not providing treatment or a health app that is providing individual patients with access to their records would not be considered an intermediary. Member participants of an intermediary refers to health care provider practices or health-related organizations. It does not include individual health plan subscribers or workforce members who share access to the same electronic health record system.
120 See 45 CFR 164.501 (definition of ‘‘Health care operations’’).
121 Section 2.13(d)(2) refers to the description of an intermediary in § 2.31(a)(4)(ii)(B).
In the current rule, if a patient provides a written consent that is specific to treatment, the general designation of a recipient entity who is an intermediary may be used and the patient would have a right to obtain a list of recipients to whom the intermediary has disclosed their record. Under section 3221 of the CARES Act, a patient consent may contain a general designation of recipients for treatment, payment, and health care operations. Without regulatory clarification this could result in the recipients exchanging health information through an HIE/HIN or other means without triggering the intermediary requirements. To avoid this unintended consequence, the Department proposes additional changes to § 2.31(a)(4) to ensure that intermediaries continue to be named whenever they are used to exchange Part 2 records. Under this proposal, an intermediary would be a person who has received records, under a general designation in a written patient consent, for the purpose of disclosing the records to one or more of its member participants who has a treating provider relationship with the patient. The term intermediary is based on the function of the person—receiving records and disclosing them to other providers as a key element of its role—rather than on a title or category of an organization or business. For example, an electronic health record vendor that enables entities at two different health systems to share records likely would be an intermediary. That same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient’s records. Where an intermediary is also a business associate under the HIPAA Rules, it would be subject to the requirements of both an intermediary and a business associate. The requirements for intermediaries would remain unchanged but would be redesignated from § 2.13(d), Lists of disclosures, to new § 2.24, Requirements for intermediaries.
These proposed modifications are discussed separately below.
Investigative agency. The Department proposes to create a new definition for ‘‘investigative agency’’ to describe those government agencies with responsibilities for investigating and prosecuting Part 2 programs and persons holding Part 2 records, such that they would be required to comply with subpart E when seeking to use or disclose records against a Part 2 program or lawful holder. In conjunction with proposed changes to subpart E pertaining to use and disclosure of records by law enforcement, the Department proposes to define an investigative agency as ‘‘A state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.’’ By creating a definition of investigative agency, the Department does not intend to change the applicability of § 2.53 or subpart E, but only to establish a limitation on liability for such agencies in certain circumstances when a court order is otherwise required by these regulations.
Part 2 program director. Within the definition of ‘‘part 2 program director,’’ the Department proposes to replace the first instance of the term ‘‘individual’’ with the term ‘‘natural person’’ and the other instances of the term ‘‘individual’’ with the term ‘‘person’’ as used in the HIPAA Rules and discussed below.
Patient. The Department proposes to add language to the existing definition to clarify that when the HIPAA regulations apply to Part 2 records, a patient is an individual as that term is defined in the HIPAA regulations.
Payment. The Department proposes to adopt the same definition for this term as in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C.
290dd–2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Person. The term ‘‘person’’ is currently defined as ‘‘an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as ‘‘individual or entity’’).’’ Thus, the current Part 2 regulation uses the term ‘‘individual’’ in reference to someone who is not the patient and therefore not the subject of the Part 2 record. In contrast, the HIPAA Rules at 45 CFR 160.103 define the term ‘‘individual’’ to refer to the subject of PHI, and ‘‘person’’ to refer to ‘‘a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.’’ To further the alignment of Part 2 and the HIPAA Rules and provide clarity for programs and entities that must comply with both sets of requirements, the Department proposes to replace the Part 2 definition of ‘‘person’’ with the HIPAA definition in 45 CFR 160.103. As an extension of this clarification, the Department also proposes to replace the term ‘‘individual’’ with ‘‘patient’’ when the regulation refers to someone who is the subject of Part 2 records, to use the term ‘‘person’’ when it refers to someone who is not the subject of the records at issue, and to modify the definition of ‘‘patient’’ in Part 2 to include an ‘‘individual’’ as that term is used in the HIPAA Rules. The Department believes that this combination of modifications would promote the understanding of both Part 2 and the HIPAA Rules and requests comment on whether this or other approaches would provide more clarity.
Program.
Within the definition of ‘‘program,’’ the Department proposes to replace the term ‘‘individual or entity’’ with the term ‘‘person’’ as is used in the HIPAA Rules and discussed above.
Public health authority. The Department proposes to adopt the same meaning for this term as in the Privacy Rule. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Qualified service organization. The Department proposes to modify the definition of Qualified service organization (QSO) by adding HIPAA business associates to the regulatory text to clarify that they are QSOs in circumstances when Part 2 records also meet the definition of PHI (i.e., when a Part 2 program is also a covered entity). The Department believes this proposal would facilitate the implementation of the CARES Act with respect to disclosures to QSOs. The HIPAA Rules generally permit disclosures from a covered entity to a person who meets the definition of a business associate (i.e., a person who works on behalf of or provides services to the covered entity) 122 without individual authorization, when based on a business associate agreement that incorporates certain protections.123 Similarly, the use and disclosure restrictions of this part do not apply to the communications between a Part 2 program and QSO when the information is needed by the QSO to provide services to the Part 2 program. This definition is proposed in conjunction with a proposal to modify § 2.12, Applicability, to clarify that QSOs also use Part 2 records received from programs to work ‘‘on behalf of’’ the program.
122 See 45 CFR 160.103 (definition of ‘‘Business associate’’).
123 See, e.g., 45 CFR 164.504(e).
The Department also proposes a wording change to replace the phrase ‘‘individual or entity’’ with the term ‘‘person’’ as now proposed to comport with the HIPAA meaning of the term. Records. The definition of records specifies the scope of information that Part 2 protects. The Department proposes to remove the last sentence of the definition as unnecessary.124 In the five decades since the promulgation of the Part 2 regulation, health information technology has become widely adopted and it is evident that records include both paper and electronic formats. The Department does not intend to change the meaning or understanding of records with this proposed modification, but only to streamline the description. The Department offers clarification here about how the definition of Part 2 records operates in relation to the HIPAA definitions of PHI, designated record set, and psychotherapy notes. These issues are most pertinent with respect to the right individuals have to access their records under the HIPAA Rules, as explained below (Part 2 does not contain a parallel patient right of access to records). Generally, the HIPAA Privacy Rule gives individuals the right to access all of their PHI in a designated record set.125 A designated record set is a group of records maintained by or for a covered entity that are a provider’s medical and billing records, a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems, and any other records used, in whole or in part, by or for the covered entity to make decisions about individuals.126 A covered entity’s Part 2 records usually fall into these categories, and thus are part of the designated record set. This is true when a Part 2 program is a covered entity, as well as when a covered entity receives Part 2 records but is not a Part 2 program. In the latter situation, the Part 2 records become PHI when they are received by or for the covered entity, and part of a designated record set. 
As such, they are subject to the Privacy Rule’s right of access requirements.
124 The last sentence reads ‘‘For the purpose of the regulations in this part, records include both paper and electronic records.’’ 42 CFR 2.11 (definition of ‘‘Record’’).
125 See 45 CFR 164.524.
126 See 45 CFR 164.501 (definition of ‘‘Designated record set’’).
However, the Privacy Rule right of access excludes psychotherapy notes.127 If SUD treatment is provided by a mental health professional that is a Part 2 program and a covered entity, and the provider creates notes of counseling sessions that are kept separate from the individual’s medical record, those notes would be psychotherapy notes as well as Part 2 records. In this case, the individual would not have a Privacy Rule right of access to those records, but a provider may voluntarily provide access upon request by the individual patient. Additionally, psychotherapy notes created by a Part 2 program that is a covered entity could only be disclosed with a separate written authorization or consent. The Department is considering whether to create a new definition similar to psychotherapy notes that is specific to the notes of SUD counseling sessions by a Part 2 program professional. Such notes would be Part 2 records, but could not be disclosed based on a general consent for TPO. They could only be disclosed with a separate written consent that is not combined with a consent to disclose any other type of health information. The Department solicits comments on the benefits and burdens of creating such additional privacy protection for SUD counseling notes that are maintained primarily for use by the originator of the notes, similar to psychotherapy notes as defined in the Privacy Rule.
Under consideration is a definition such as this: SUD counseling notes means notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient’s record. SUD counseling notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
127 See 45 CFR 164.524(a)(1)(i); see also 45 CFR 164.501 (definition of ‘‘Psychotherapy notes’’).
As with psychotherapy notes under the Privacy Rule, the separate consent requirement, if adopted, would not apply to SUD counseling notes in the following situations:
1. Use by the originator of the SUD counseling notes for treatment;
2. Use or disclosure by the program for its own training programs in which students, trainees, or practitioners in SUD treatment learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;
3. For the program to defend itself in a legal action or other proceeding brought by the patient;
4. Required for the reporting of child abuse or neglect;
5. Required by law;
6. Required for oversight of the originator of the SUD counseling notes;
7. To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law; or
8. When necessary to lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
Third-party payer. The term third-party payer refers to an entity with a contractual obligation to pay for a patient’s Part 2 services and includes some health plans, which by definition are covered entities. The current regulation, at § 2.12, limits disclosures by third-party payers to a shorter list of purposes than the Privacy Rule allows for health plans. The Department proposes to exclude covered entities from the definition of third-party payer to facilitate implementation of 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221(b) of the CARES Act, which enacted a permission for certain recipients of Part 2 records to redisclose them according to the HIPAA standards. The result of this proposed change would be that the current Part 2 disclosure restrictions continue to apply to a narrower set of entities, such as grant-funded programs. The Department believes that this approach would carry out the intent of the CARES Act, while preserving the privacy protections that apply to payers that are not covered entities. The Department also proposes a wording change to replace the phrase ‘‘individual or entity’’ with the term ‘‘person’’ as now proposed to comport with the HIPAA meaning of the term. The Department welcomes comments on the number and type of third-party payers that would not be considered health plans.
Treating provider relationship. The Department proposes to modify the Part 2 definition of ‘‘treating provider relationship’’ by replacing the phrase ‘‘individual or entity’’ with ‘‘person,’’ in accordance with the proposed changes to the definition of ‘‘person’’ described above.
Treatment.
The Department proposes to modify the Part 2 definition of ‘‘treatment’’ by adopting the Privacy Rule definition by reference. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations. By replacing the existing language, the Department does not intend to change the scope of activities that constitute treatment. Thus, it remains true, as provided in the prior definition, that treatment includes the care of a patient suffering from an SUD, a condition which is identified as having been caused by the SUD, or both, in order to reduce or eliminate the adverse effects upon the patient.
Unsecured protected health information. The Department proposes to adopt the same meaning of this term as used in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning as the term in the purposes of the HIPAA regulations.
Unsecured record. To align with the definition of ‘‘unsecured protected health information’’ at 45 CFR 164.402, the Department proposes to apply a similar concept to records, as defined in this part. Thus, an unsecured record would be one that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111–5, 13402(h)(2).128 The Department believes this proposal is necessary to implement the newly required breach notification standards for Part 2 records and requests comment on this approach.
Use. The Department proposes to add a definition for this term that is consistent with that in the HIPAA Rules at 45 CFR 160.103, and as the term is applied to the conduct of proceedings specified in statute at 42 U.S.C. 290dd–2(c).
The Department believes this proposal is necessary to more fully align this part with the HIPAA Rules use of the language ‘‘use and disclosure’’, as well as make clear, where applicable, that many of the activities regulated by this part involve not only disclosures but internal uses of Part 2 records by programs or recipients of Part 2 records. The Department also proposes this definition to make clear that in this part, the term ‘‘use’’ has a secondary meaning in accordance with the statutory requirements at 42 U.S.C. 290dd–2(c) for ‘‘use’’ of records in proceedings. The Department discusses in greater detail the addition of the term ‘‘use’’ to specific provisions throughout this NPRM, and in particular, in connection to § 2.12 below.
128 See the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.
§ 2.12—Applicability
Section 2.12 includes five provisions outlining the scope of the rule’s requirements. Paragraph (a) of § 2.12 describes which records are protected and describes the restrictions on use and disclosure of Part 2 records; paragraph (b) outlines what constitutes federal assistance for purposes of the regulation’s applicability; paragraph (c) specifies exceptions for certain disclosures; paragraph (d) provides restrictions that apply to: (1) any recipient of Part 2 records, and (2) third-party payers and administrators; and paragraph (e) details the types of records and diagnoses to which the restrictions in this regulation apply.
The Department proposes to amend the Part 2 regulation in paragraph (c)(2) of § 2.12, which excludes from Part 2 requirements certain interchanges of information within the Armed Forces and between the Armed Forces and the Department of Veterans Affairs, by replacing ‘‘Armed Forces’’ with ‘‘Uniformed Services.’’ This change would align the regulatory text with the statutory language at 42 U.S.C. 290dd–2(e). The change also would create consistency with the Department’s proposal to expand the Privacy Rule permission for covered entities, at 45 CFR 164.512(k), to use or disclose the PHI of Armed Services personnel when deemed necessary by certain military command authorities to all Uniformed Services, which would then include the U.S. Public Health Service (USPHS) and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.129 As the Department noted in that NPRM to modify the Privacy Rule, the USPHS and NOAA Commissioned Corps share responsibility with the Armed Services for certain critical missions, support military readiness and maintain medical fitness for deployment in response to urgent and emergency public health crises, and maintain fitness for deployment onto U.S. Coast Guard manned aircraft and shipboard missions. Because this Part 2 proposal with respect to the Uniformed Services is consistent with the underlying statute, the Department does not believe the modification will change how SUD treatment records are treated for USPHS and NOAA Commissioned Corps personnel, but requests comment on this assumption.
129 See proposed 45 CFR 164.512(k) at 85 FR 6446, 6487.
The Department also proposes to add the term ‘‘use’’ to paragraphs (a)(1), (c)(3), (c)(4), and (d)(2) of this section, and the term ‘‘disclosure’’ to paragraphs (a)(2) and (d)(1), to make clear that as amended by CARES Act section 3221(b), these provisions include both uses and disclosures that are restricted by Part 2. The Department also proposes to add ‘‘use’’ to the second sentence of paragraph (e)(3). Historically, the Part 2 regulation associated ‘‘use’’ with the initiation of legal proceedings against a patient and associated ‘‘disclosure’’ with sharing records to an external entity. In contrast, the Privacy Rule applies the term ‘‘use’’ to refer to internal use of health information within an entity, such as access by staff members. With this understanding, a Part 2 record could be both used and disclosed for purposes related to the provision of health care, but also for the purposes such as the initiation of a legal proceeding. To align Part 2 with the Privacy Rule, the Department proposes to adopt the ‘‘use and disclosure’’ terminology throughout the regulation when both actions could apply. The Department requests comment on this approach.
The Department also proposes in paragraph (d)(1) of § 2.12 to expand the restrictions on the use of records as evidence in criminal proceedings against the patient by incorporating the four prohibited actions specified in 42 U.S.C. 290dd–2(c), as amended by the CARES Act, and expanding the regulatory prohibition to cover civil, administrative, or legislative proceedings in addition to criminal proceedings.130 Absent patient consent or a court order, the proposed prohibitions are: (1) the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or State court, (2) reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency, (3) the use of such record or testimony by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and (4) the use of such record or testimony in any application for a warrant.
130 Administrative agencies may issue subpoenas pursuant to their authority to investigate matters and several statutes authorize the use of administrative subpoenas in criminal investigations. For example, these may be cases involving health care fraud, child abuse, Secret Service protection, controlled substance cases, inspector general investigations, and tracking unregistered sex offenders. See Administrative Subpoenas in Criminal Investigations: A Brief Legal Analysis, EveryCRSReport.com, University of North Texas Libraries Government Documents Department, (December 19, 2012), https://www.everycrsreport.com/reports/RL33321.html. Legislative investigations may also be conducted in furtherance of the functions of Congress or state legislative bodies. See ‘‘What, Exactly, Does Congress Have the Authority To Investigate?’’ Molo Lamken, LLP 2018, https://www.mololamken.com/knowledge-What-Exactly-Does-Congress-Have-the-Authority-To-Investigate#:~:text=While%20Congress%20can%20investigate%20conduct,otherwise%20initiate%20a%20criminal%20prosecution.
The proposed narrowing of the definition of third-party payer in § 2.11 would exclude covered entity health plans from the limits on redisclosure of Part 2 records in paragraph (d)(2) of § 2.12. To clarify the modified scope of this paragraph, the Department proposes to insert qualifying language in § 2.12(d)(2) to refer to third-party payers, ‘‘as defined in this part.’’ This approach implements the CARES Act changes in a manner that preserves the existing redisclosure limitations for any third-party payers that are not covered entities. The Department seeks comment and data on the number and types of third-party payers, as defined in the proposed rule, to which the redisclosure limitations would continue to apply. The Department especially seeks comment on how this provision would apply to grant-funded programs.
The Department proposes to conform paragraph (e)(3) of § 2.12 to 42 U.S.C. 290dd–2(c), as amended by section 3221(e) of the CARES Act, by expanding the restrictions on the use of Part 2 records in criminal proceedings against the patient to expressly include disclosures of Part 2 records 131 and to add civil and administrative proceedings as additional types of forums where use and disclosure of Part 2 records is prohibited, absent written patient consent or a court order. Additionally, the Department proposes to clarify the language in subparagraph (e)(4)(i) of § 2.12, which excludes from Part 2 those diagnoses of SUD that are created solely to be used as evidence in a legal proceeding. The proposed change would narrow the exclusion to diagnoses of SUD made ‘‘on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction’’ to be used as evidence ‘‘in legal proceedings.’’ The Department believes the proposed clarification would tighten the nexus between a law enforcement or judicial request for the diagnosis and the use or disclosure of the SUD diagnosis based on that request, and requests comment on this approach.
131 The Department proposes to add ‘‘disclosures’’ to secs. 2.17(b) and 2.67(d)(3) for the same reason.
The Department proposes to substitute the term ‘‘person’’ for the term ‘‘entity’’ and the phrase ‘‘individuals and entities’’ in § 2.12(d)(2)(i)(B) and (C), respectively.
As discussed above in relation to § 2.11, Definitions, the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the Privacy Rule at 45 CFR 160.103.
§ 2.13—Confidentiality Restrictions and Safeguards
The current provisions of this section apply confidentiality restrictions and safeguards to how Part 2 records may be ‘‘disclosed and used’’ in this part, and specifically provide that Part 2 records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings. The current provisions also provide that unconditional compliance with the part is required by programs and lawful holders and restrict the ability of programs to acknowledge the presence of patients at certain facilities.
To more accurately describe how the regulations of this part apply to the activities of programs after the amendment of 42 U.S.C. 290dd–2 by section 3221 of the CARES Act, and to align the language throughout this section with language in the Privacy Rule, the Department proposes to modify paragraphs (a) and (b) of this section by replacing the phrase ‘‘disclosed or used’’ with ‘‘used or disclosed’’, and in paragraph (a), adding the term ‘‘use’’ in front of the term ‘‘disclosure.’’ The Department proposes to add the term ‘‘use’’ in paragraph (a) of this section because sections 3221(b) and (e) of the CARES Act amend key provisions of 42 U.S.C. 290dd–2 so that confidentiality restrictions and safeguards apply to both uses and disclosures.
Paragraph (d) of § 2.13, List of disclosures, includes a requirement for intermediaries to provide patients with a list of entities to which an intermediary, such as a health information exchange (HIE), has disclosed the patient’s identifying information pursuant to a general designation. The Department proposes to remove § 2.13(d) and redesignate the content as § 2.24, change the heading to Requirements for Intermediaries, and in § 2.11 create a regulatory definition of the term ‘‘intermediary,’’ as discussed above. The Department’s proposal to redesignate § 2.13(d) as § 2.24 would move the section toward the end of Subpart B—General Provisions, to be grouped with the newly proposed §§ 2.25 and 2.26 about patient rights and disclosure. The Department’s proposed change to the heading is intended to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a part 2 program.
In addition to these proposed structural changes, the Department also proposes wording changes to paragraphs (a) through (c) of § 2.13 to clarify who is subject to the restrictions and safeguards with respect to Part 2 records.
The Department solicits comment on the extent to which Part 2 programs look to the HIPAA Security Rule as a guide for safeguarding Part 2 electronic records. The Department also requests comment on whether it should modify Part 2 to apply the same or similar safeguards requirements to electronic Part 2 records as the Security Rule applies to ePHI or whether other safeguards should be applied to electronic Part 2 records.
§ 2.14—Minor Patients
Current § 2.14 establishes the consent requirements for the disclosure of records of minor patients. To align the description of these requirements with 42 U.S.C. 290dd–2(b), as amended by section 3221(b) of the CARES Act, and to align the language of this provision with the Privacy Rule, the Department proposes to add the term ‘‘use’’ in paragraphs (a) and (b) to clarify that requirements related to consent given by minor patients would apply to both uses and disclosures of records. For example, as amended by section 3221(b) of the CARES Act, 42 U.S.C.
290dd–2(b)(1)(A) and (B) require a program or covered entity to obtain the appropriate consent, as determined by this section, to use or disclose the Part 2 records of the minor, and to use or disclose the same records for TPO purposes in accordance with the Privacy Rule.
Subsection (c) of this section addresses when a minor’s application for treatment may be disclosed to the minor’s parents. The Department proposes to change the verb ‘‘judges’’ to ‘‘determines’’ to describe a program director’s evaluation and decision that a minor lacks decision making capacity that could trigger a disclosure to the patient’s parents. This change is intended to distinguish between the evaluation by a program director about patient decision making capacity and an adjudication of incompetence made by a court, which is addressed in § 2.15. The Department also proposes a technical edit to § 2.14(c)(1) to correct a typographical error from ‘‘youthor’’ to ‘‘youth or.’’
The Department also proposes to substitute the term ‘‘person’’ for the term ‘‘individual’’ in § 2.14(b)(1), (b)(2), (c), (c)(1), and (c)(2), respectively. As discussed above in relation to § 2.11, Definitions, the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the Privacy Rule at 45 CFR 160.103.
§ 2.15—Patients Who Lack Capacity and Deceased Patients (Proposed Heading)
Section 2.15 of 42 CFR part 2 addresses who may consent to a disclosure of records when a patient lacks capacity to make health care decisions or is deceased. The Department proposes to replace the outdated term ‘‘incompetent’’ and refer instead to patients who lack capacity to make health care decisions. This modification is not intended as a substantive change, but would replace a term that may be considered derogatory. The rule clearly distinguishes between situations involving an adjudication and those without adjudication.
Consistent with 42 U.S.C. 290dd–2, as amended by section 3221(b) of the CARES Act, the Department proposes to clarify, by referring to the ‘‘use’’ of records in addition to disclosures of records in paragraphs (a)(2) and (b), that confidentiality requirements related to the records of patients who lack the capacity to make health care decisions and deceased patients apply to both uses and disclosures. The Department also proposes to substitute the term ‘‘person’’ for the term ‘‘individual’’ as discussed above in relation to § 2.11, Definitions. The Department further proposes to clarify that paragraph (a) of this section refers to lack of capacity to make health care decisions as adjudicated by a court while paragraph (b) refers to lack of capacity to make health care decisions that is not adjudicated, and to add health plans to the list of entities to which a program may disclose records without consent to obtain payment during a period when the patient has an unadjudicated inability to make decisions. Finally, the Department proposes in paragraphs (b)(1) and (b)(2) of this section to clearly identify that the restriction on the ability to use or disclose patient identifying information applies to the Part 2 program.
§ 2.16—Security for Records and Notification of Breaches (Proposed Heading)
Section 2.16, Security for records, currently includes a set of requirements for securing records. Specifically, § 2.16(a) requires a Part 2 program or other lawful holder of patient identifying information to maintain formal policies and procedures to protect against unauthorized uses and disclosures of such information, and to protect the security of this information.
Sections 2.16(a)(1)–(2) set forth minimum requirements for what these policies and procedures must address with respect to paper and electronic records, respectively, including, for example, transfers of records, maintaining records in a secure location, and appropriate destruction of records. Section 2.16(a)(1)(v) requires part 2 programs to implement formal policies and procedures to address removing patient identifying information to render it non-identifiable in a manner that creates a low risk of reidentification.
The Department proposes to change the requirements in § 2.16(a) to more closely align them with the Privacy Rule de-identification standard. Specifically, the Department proposes to modify § 2.16(a)(1)(v) (for paper records) and § 2.16(a)(2)(iv) (for electronic records), as follows: ‘‘Rendering patient identifying information de-identified in accordance with the requirements of the Privacy Rule at 45 CFR 164.514(b), such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.’’
The Department requests comment on the extent to which Part 2 programs render patient identifying information de-identified under § 2.16(a)(1)(v) and § 2.16(a)(2)(iv) in a manner that differs from the Privacy Rule de-identification standard, such that conforming the Part 2 requirements to the Privacy Rule standard would create unintended adverse consequences for Part 2 programs or patients. In addition, the Department requests comment on examples of situations in which Part 2 programs or covered entities render Part 2 information not readily identifiable but the information is not de-identified in accordance with the Privacy Rule.
The Department’s proposals would increase the alignment of regulatory requirements for Part 2 with the Privacy Rule 132 and Breach Notification Rule.133 The same public policy objectives of the Breach Notification Rule as applied to covered entities would be furthered by establishing analogous requirements for Part 2 programs, namely: (1) greater accountability for Part 2 programs through requirements to maintain written policies and procedures to address breaches and document actions taken in response to a breach; (2) enhanced oversight and public awareness through notification of the Secretary, affected patients, and in some cases the media; (3) greater protection of patients through obligations to mitigate harm to affected patients resulting from a breach; and (4) improved measures to prevent future breaches as Part 2 programs timely resolve the causes of a breach of records.
132 45 CFR part 164 subparts A and E.
133 45 CFR part 164 subpart D.
The Department proposes to modify the heading of § 2.16 to add ‘‘and notification of breaches’’ and add a new paragraph § 2.16(b) to require Part 2 programs to establish and implement policies and procedures for notification of breaches of unsecured part 2 records, consistent with the requirements of 45 CFR parts 160 and 164, subpart D, as mandated by section 3221(h) of the CARES Act. In the event of a breach, Part 2 programs would be required to notify the Secretary, affected patients, and in some cases the media, consistent with the Breach Notification Rule.
Section 2.16 applies security requirements for Part 2 records to both Part 2 programs and ‘‘lawful holders.’’ The term ‘‘lawful holder’’ is enshrined in several Part 2 regulatory provisions 134 but not defined in regulation.
Generally, the term refers to ‘‘an individual or entity who has received such information as the result of a part 2-compliant consent (with a prohibition on redisclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.’’ 135 However, the Department believes that the requirements of this section do not currently apply uniformly across all persons who receive Part 2 records pursuant to consent and therefore qualify as ‘‘lawful holders’’, such that a failure to have ‘‘formal policies and procedures’’ or to ‘‘protect’’ against threats would result in the imposition of civil or criminal penalties.
134 See, e.g., 42 CFR 2.31, 2.33, 2.52, and 2.53.
135 See 82 FR 6052, 6068. See also 81 FR 6988, 6997.
The Department does not propose to expand the existing scope of persons who are liable for noncompliance with requirements that are applicable only to Part 2 programs and lawful holders. Instead, due to the variety of persons that could receive Part 2 records based on a valid written Part 2 consent, the Department would determine the extent of the duty and ability of a particular person to ‘‘reasonably protect against unauthorized uses’’ and against ‘‘reasonably anticipated threats or hazards’’ based on the facts and circumstances.
The Department requests comment on its assumptions, and examples of persons who are lawful holders under the existing regulation, but who may not be appropriately held liable for compliance with the administrative requirements for protecting Part 2 records they have received (e.g., policies and procedures to protect against unauthorized use or disclosure) or providing breach notification, such as a patient’s family members.
The Department also requests comment on whether it would be helpful to create a regulatory definition of ‘‘lawful holder’’ and what persons such definition should encompass.136 The Department further requests public comment regarding the estimated burden of notification, potential regulatory flexibilities for Part 2 programs to minimize burdens during their initial implementation of the policies and procedures required by the breach notification proposal, and the characteristics of programs to which any suggested flexibilities should apply. In addition, the Department welcomes comments from Part 2 programs that are not covered entities on whether they look to the Security Rule generally for guidance on protecting electronic Part 2 records or otherwise voluntarily attempt to follow the requirements of the Security Rule. For any programs that may do so, the Department requests comment on what their experience has been, including any implementation costs.
136 For example, in the Consideration of Regulatory Alternatives section of this NPRM, the Department describes the entities it considered expressly including in a definition that would be codified in regulatory text, including covered entities, business associates, qualified service organizations, and others.
§ 2.17—Undercover Agents and Informants
The current provision prohibits, absent court order, a Part 2 program from knowingly employing or enrolling a patient as an undercover agent and restricts the use of information obtained by an undercover agency in any criminal investigation against any patient. To fully implement 42 U.S.C. 290dd–2(c)(3), as amended by section 3221(e) of the CARES Act, the Department proposes to add ‘‘or disclosed’’ behind ‘‘used’’ in this section so that the use and disclosure of Part 2 records is prohibited by this section pursuant to the statutory authority.
§ 2.19—Disposition of Records by Discontinued Programs
Current § 2.19 requires a Part 2 program to remove patient identifying information or destroy the records when a program discontinues services or is acquired by another program, unless patient consent is obtained or another law requires retention of the records. The Department proposes to create a third exception to this general requirement to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. § 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. For example, in the event the Department needs to take over operations of such a program on short notice, the program records would remain intact, permitting the Department to ensure continuation of services. Without this provision, program records would be destroyed if patient consent is unavailable at the time services are transferred to the Department, which could occur without sufficient opportunity to seek consent from all current or former patients.
The Department also proposes wording changes to improve readability and modernize the regulation, such as by referring to ‘‘non-electronic’’ records instead of ‘‘paper’’ records, and structural changes to the numbering of paragraphs.
§ 2.20—Relationship to State Laws
Current § 2.20 establishes the relationship of state laws to Part 2 and provides that Part 2 does not preempt the field of law which it covers to the exclusion of all applicable state laws, but that no state law may either authorize or compel a disclosure prohibited by Part 2. The Department proposes to add the term ‘‘use’’ to § 2.20 to clarify that this section applies to both uses and disclosures under Part 2 and state law. The Department believes this proposal is consistent with 42 U.S.C. 290dd–2, as amended by section 3221(b) of the CARES Act, which imposes requirements related to the use and disclosure of Part 2 records.
Records subject to regulation by Part 2 frequently are also subject to regulation by various state laws. For example, similar to Part 2, state laws impose restrictions to varying degree on uses and disclosures of records related to SUD 137 (and often other issues commonly considered sensitive, such as reproductive health, HIV, or serious mental illness).138 The Department assumes that, to the extent state laws address SUD records, Part 2 programs generally are able to comply with Part 2 and state law. The Department requests comment on this assumption and examples of any circumstances in which a state law compels a use or disclosure that is prohibited by Part 2, such that Part 2 preempts such state law.
§ 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity
The current language of § 2.21 recognizes the potential for concurrent coverage of certain federal laws that regulate patient identifying information. The Department proposes to reorder ‘‘disclosure and use’’ to read ‘‘use and disclosure’’ to better align the wording of this section with language used in the Privacy Rule.
§ 2.22—Notice to Patients of Federal Confidentiality Requirements; and 45 CFR 164.520—Notice of Privacy Practices for Protected Health Information
Section 3221(i) of the CARES Act directs the Secretary to modify or ‘‘update’’ the HIPAA NPP requirements at 45 CFR 164.520 139 to specify new requirements for covered entities and Part 2 programs with respect to Part 2 records that are PHI (i.e., records of SUD treatment by a Part 2 program that are transmitted or maintained by or for covered entities). The CARES Act notice requirements would therefore apply to entities that are subject to both Part 2 and HIPAA, which include covered entities that are Part 2 programs as well as covered entities that receive Part 2 records from a Part 2 program.
137 See e.g., Mich. Comp. Laws §§ 333.6111 (expressly excluding SUD records from an emergency medical service as restricted); and NJ Rev. Stat. § 26:2B–20 (2013) (requiring records to be confidential except by proper judicial order whether connected to pending judicial proceedings or otherwise).
138 See e.g., MO Rev. Stat. § 191.731 (requiring SUD records of certain pregnant women remain confidential).
139 Section 3221(i) requires the Department to consult with legal, clinical, privacy and civil rights experts. The Department has completed this consultation as part of its internal review process with the identified experts.
The Privacy Rule, at 45 CFR 164.520, establishes an individual right to receive an NPP, written in plain language, providing adequate notice of a covered entity’s privacy practices and obligations with respect to individuals’ PHI.
Health care clearinghouses, correctional institutions that are covered entities, and certain group health plans 140 are excepted from the requirement, but other covered health plans and covered health care providers that maintain a direct treatment relationship 141 with an individual must provide the individual with adequate notice about how the covered entity may use and disclose the individual’s PHI, as well as the individual’s rights and the covered entity’s obligations with respect to the individual’s PHI.
To implement section 3221(i)(2) of the CARES Act, the Department proposes to modify both the Patient Notice requirements at § 2.22 and the NPP requirements at 45 CFR 164.520 to provide notice requirements for all Part 2 records. While the CARES Act only expressly requires the modification of the NPP requirements at 45 CFR 164.520, the Department proposes to also modify the Part 2 Patient Notice at § 2.22 to align more closely with the NPP requirements. The proposal to modify § 2.22 would ensure that patients of Part 2 programs that are not covered by HIPAA are afforded as much notice and transparency as is provided to individuals in the NPP. Accordingly, the Department proposes to modify § 2.22 pursuant to the Secretary’s authority under 42 U.S.C. 290dd–2(g) to prescribe regulations to carry out the purposes of that section.
The Department also believes there is a statutory mandate to modify the NPP requirements for some HIPAA covered entities that are not Part 2 programs, namely, those covered entities that receive and maintain Part 2 records, and thus are obligated to comply with certain Part 2 requirements with respect to such records. Covered entities that receive and maintain Part 2 records would need to add a provision to their NPP that references the restrictions on use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual.
The current NPP requirements would continue to apply, without change, to covered entities that do not receive or maintain Part 2 records. The proposed changes to § 2.22, notice of federal confidentiality requirements, for Part 2 programs that are not covered entities, followed by proposed changes to 45 CFR 164.520 for covered entities that are dually subject to HIPAA and Part 2, and for other covered entities that receive and maintain Part 2 records, are described below.
140 See 45 CFR 164.520(a)(2) and (a)(3).
141 See 45 CFR 164.501 (definitions of ‘‘Direct treatment relationship’’ and ‘‘Indirect treatment relationship’’).
Consistent with the requirements of section 3221(i)(2) of the CARES Act, the Department proposes to revise the Patient Notice at § 2.22 of this part, and to update NPP requirements using plain language that is easily understandable and parallel to changes proposed in the NPRM modifying the Privacy Rule published on January 21, 2021.142 The Department specifically requests comment from legal, clinical, privacy, and civil rights experts on whether the below proposals achieve this goal.
1. Modifying the § 2.22 Patient Notice
Because the HIPAA Rules and Part 2 cover different, but often overlapping, sets of regulated entities, and because the NPP currently offers more robust notice requirements than the Patient Notice, the Department proposes to modify § 2.22 to provide the same information to individuals under the Privacy Rule as to patients of Part 2 programs. The Department’s proposed modifications to the Patient Notice would also restructure it to substantially mirror the structure of the NPP.
As discussed below, instead of the Patient Notice containing elements described as a ‘‘summary’’ of the federal law that applies to protect Part 2 records, the Patient Notice would address the same key elements of the HIPAA NPP such as a required Header, Uses and Disclosures, Individual Rights, and Duties of Part 2 Programs. As further discussed below, the Department proposes to add to the Patient Notice key features of the NPP, such as explaining to patients that they may file a complaint when they believe their privacy rights have been violated, and that they have the right to revoke their consent for Part 2 programs to disclose records in certain circumstances. The Department believes this approach would best implement the intent of Congress to apply NPP protections to these records and requests comment on this approach, including any burdens associated with this approach.
142 See Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446.
Part 2 programs should be mindful that federal civil rights laws require certain entities, including recipients of federal financial assistance and public entities, to take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary.143 In addition, recipients of federal financial assistance must take reasonable steps to ensure meaningful access to their programs and activities for individuals with limited English proficiency, including through language assistance services when necessary.144
Section 2.22, Notice to patients of federal confidentiality requirements, requires a Part 2 program, at the time of admitting a patient to the program,145 to give written notice of and summarize the federal law and regulations that protect the confidentiality of SUD records. Section 2.22(b) requires that the notice include five elements: (1) a general description of the limited circumstances in which a Part 2 program may share information that would identify the patient as having or having had a SUD; (2) a statement informing the patient that violation of the federal law and regulations is a crime and contact information for the appropriate authorities; (3) a statement that information related to a patient’s commission of a crime on the premises is not protected as confidential; (4) a statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and (5) a citation to the federal law and regulations. Finally, § 2.22 gives the option to a Part 2 program to include information about applicable state law and its own local policies.
Although § 2.22 does not expressly apply to covered entities and PHI, any covered entity that uses or discloses Part 2 SUD records would be subject to the notice requirements of § 2.22 in addition to the NPP requirements in 45 CFR 164.520.
Conversely, Part 2 programs that are not covered entities and not subject to HIPAA would only be obligated to comply with § 2.22.
143 See 45 CFR 92.102 (Section 1557 of the Affordable Care Act); 45 CFR 84.4(b), 84.52(a), (c), (d) (Section 504 of the Rehabilitation Act of 1973); 28 CFR 35.160(a)–(b) (Title II of the Americans with Disabilities Act).
144 See 45 CFR 92.101 (Section 1557 of the Affordable Care Act); 45 CFR 80.3(b) (Title VI of the Civil Rights Act of 1964).
145 In the event a patient lacks capacity at the time of admission, 42 CFR 2.22(a) alternatively requires that such notice be given as soon as the patient attains capacity.
The Department proposes to modify § 2.22 by incorporating most of the notice requirements in the HIPAA NPP at 45 CFR 164.520, and then excluding those that are non-applicable or pose special privacy risks, and separately addressing certain provisions that have special requirements or differences between application to covered entities and part 2 programs as specified in 42 U.S.C. 290dd–2, as amended by the CARES Act. The Department proposes the following with respect to the Patient Notice at § 2.22.
Header. The Department proposes to require Part 2 programs to include a header in the Patient Notice. The header would be nearly identical to the header required in the NPP (and as proposed for amendment above) at 45 CFR 164.520(b)(1)(i) 146 except where necessary to distinguish components of the notice not applicable to 42 CFR part 2. For example, the Patient Notice that would be provided pursuant to this part would not include notice that patients could exercise the right to get copies of records at limited costs or in some cases, free of charge, nor would it provide notice that patients could inspect or get copies of records under HIPAA.
Uses and Disclosures.
The Department proposes to require a Part 2 program to include in the Patient Notice descriptions of uses and disclosures that are permitted for TPO, permitted without written consent, or will only be made with written consent. Consistent with the current set of NPP requirements for covered entities, the Department proposes to add a requirement that a covered entity that creates or maintains Part 2 records include sufficient detail in its Patient Notice to place the patient on notice of the uses and disclosures that are permitted or required.
Although the Department believes section 3221(k)(4) of the CARES Act—stating that certain de-identification and fundraising activities should be excluded from the definition of health care operations—has no legal effect as a Sense of Congress, the Department believes it prudent to propose new § 2.22(b)(1)(iii). This proposal would require that a program provide notice to patients that the program must obtain written consent before it may use or disclose records for fundraising on behalf of the program. This new notice requirement is consistent with a newly proposed consent requirement at § 2.31(a)(5) in which a program must obtain a patient’s permission for such uses and disclosures.
146 The Department proposed to modify the NPP header in a separate Privacy Rule NPRM, as described at 86 FR 6446, 6485. The proposed regulatory text herein reflects the changes proposed in the earlier NPRM, as well as new proposed changes.
Before proposing the approach above, the Department first considered whether to propose a consent requirement for both de-identification and fundraising and whether to structure it as an opt-in or an opt-out. The Department believes that an opt-in requirement would afford patients a greater amount of control over their records and best fulfill patients’ expectations about how their Part 2 information would be protected.
However, the Department believes that requiring patient consent for de-identification activities would be inconsistent with the new permission to disclose de-identified information for public health purposes as provided in section 3221(c) of the CARES Act. Such a requirement also would create a barrier to de-identification that may negatively affect patient privacy by increasing permissible but unnecessary uses and disclosures of identifiable Part 2 records in circumstances when de-identified records would serve the intended purpose. As noted above, the Department believes uses and disclosures for fundraising warrant this added privacy protection, consistent with congressional intent as expressed in the Sense of Congress.
Individual Rights. The Department proposes to require that a Part 2 program include in the Patient Notice statements of patients’ rights with respect to Part 2 records. The structure would mirror the statements of rights required in the NPP for covered entities and PHI but, based on amended 42 U.S.C. 290dd–2, would include:
• Right to request restrictions of disclosures made with prior consent for purposes of TPO, as provided in 42 U.S.C. 290dd–2(b)(1)(C) and when a Part 2 program must agree to a request.
• Right to request and obtain restrictions of disclosures of Part 2 records to the patient’s health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to restrictions of disclosures of PHI.
• Right to an accounting of disclosures of electronic Part 2 records for the past 3 years, as provided in 42 U.S.C. 290dd–2(b)(1)(B) and right to an accounting of disclosures of Part 2 records that mirrors the right in the Privacy Rule at 45 CFR 164.528.
• Right to obtain an electronic or non-electronic copy of the notice from the program upon request.
• Right to discuss the notice with a designated contact person identified by the program pursuant to paragraph 45 CFR 164.520(b)(1)(vii).
Part 2 program’s duties. The Department proposes to incorporate into the Patient Notice statements describing the duties of Part 2 programs with respect to Part 2 records that parallel the statements of duties of covered entities required in the NPP with respect to PHI. Although this change is not required by 42 U.S.C. 290dd–2, the statement of duties would put patients on notice of the obligations of Part 2 programs to maintain the privacy and security of Part 2 records, abide by the terms of the Patient Notice, and inform patients that it may change the terms of a Patient Notice. The Patient Notice also would include a statement of the new duty under 42 U.S.C. 290dd–2(j) to notify affected patients following a breach of Part 2 records.
Complaints. The Department proposes to require that a Part 2 program inform patients, in the Patient Notice, that the patients may complain to the Part 2 program and Secretary when they believe their privacy rights have been violated, as well as a brief description of how the patient may file the complaint and a statement that the patient will not be retaliated against for filing a complaint. These statements would support the implementation of the CARES Act enforcement provisions, which apply the civil enforcement provisions of section 1176 of the Social Security Act to violations of 42 U.S.C. 290dd–2.147
Contact and Effective Date. The Department proposes to require that the Patient Notice provide the name or title, telephone number, and email address of a person a patient may contact for further information about the Part 2 Notice, and information about the date the Patient Notice takes effect. These provisions would parallel requirements for the NPP.
Optional Elements.
The Department proposes to incorporate into the Patient Notice the optional elements of an NPP, which a Part 2 program could include in its Patient Notice. This provision permits a program that elects to place more limits on its uses or disclosures than required by Part 2 to describe its more limited uses or disclosures in its notice, provided that the program may not include in its notice a limitation affecting its ability to make a use or disclosure that is required by law or permitted to be made for emergency treatment.
Revisions to the Patient Notice. The Department proposes to require that a Part 2 program must promptly revise and distribute its Patient Notice when there has been a material change and provide that, except when required by law, such material change may not be implemented prior to the effective date of the Patient Notice. These provisions would parallel requirements for the NPP.
147 See 42 U.S.C. 290dd–2(f) and 42 U.S.C. 1320d–5.
Implementation Specifications. The Department proposes to require that a Part 2 program provide the Patient Notice to anyone who requests it and provide it to a patient not later than the date of the first service delivery, including where first service is delivered electronically, after the compliance date for the Patient Notice. This provision also would require that the Patient Notice be provided as soon as reasonably practicable after emergency treatment. Finally, if the Part 2 program has a physical delivery site, the Patient Notice would have to be posted in a clear and prominent location at the delivery site where a patient would be able to read the notice in a manner that does not identify the patient as receiving SUD treatment, and the Patient Notice would need to be included on a program’s website, if it has one.
These provisions would parallel the requirements for provision of the NPP by covered health care providers.148 The Department requests comment on each Patient Notice proposal, including information on how incorporating NPP elements into the Patient Notice requirements would increase or alleviate burdens for Part 2 programs.
148 See 45 CFR 164.520(c)(2)(i)(A), (c)(2)(i)(B), (c)(2)(iii)(B). See also proposed amendments to this section in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446.
2. Modifying 45 CFR 164.520
Applying the NPP requirements to certain entities. Section 3221(i)(2) of the CARES Act requires the Department to update the NPP to provide notice of privacy practices with respect to Part 2 records being created or maintained by ‘‘covered entities and entities creating or maintaining the records described in subsection (a)’’ (referring to section 543(a) of the PHSA, 42 U.S.C. 290dd–2(a), specifying and defining Part 2 records). The Department proposes all of the following changes to 45 CFR 164.520 to update it in accordance with the CARES Act and to ensure adequate notice is given to patients who are the subject of these records. The Department proposes to modify 45 CFR 164.520(a) by adding a new paragraph (2) to expressly apply the NPP provisions to covered entities using and disclosing Part 2 records. The proposed change would further align the Patient Notice requirements for Part 2 records with NPP requirements with respect to PHI.
The Department also proposes to remove paragraph (3) of 45 CFR 164.520(a), Exception for inmates. The Department no longer believes it is appropriate to withhold notice from an incarcerated individual with respect to their health information privacy rights and a covered entity’s practices.
When the Department finalized the exception, it stated ‘‘[n]o person, including a current or former inmate, has the right to notice of such a covered entity’s privacy practices’’ seeming to distinguish correctional facilities that are covered entities from other covered entities. The Department is unable to discern a safety or security risk associated with providing inmates notice concerning the covered entity correctional institute’s privacy practices for PHI. This proposal would ensure that regulated entities provide an NPP to inmates consistent with what is provided to other individuals and retains the limitation on the right of access due to security concerns.
Content of Notice requirements apply to all covered entities, including those that are also subject to Part 2. The Department proposes to amend the required Header at 45 CFR 164.520(b)(1) to specifically reference covered entities maintaining or receiving Part 2 records. In addition, the proposed regulatory text at 45 CFR 164.520(b)(1)(i) reflects the changes to 45 CFR 164.520 previously proposed in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, published in 2021.149 Further, in 45 CFR 164.520(b)(1)(i) and in § 2.22, the Department proposes to change the word ‘‘Medical’’ to ‘‘Health’’ to refer to the type of information covered by the NPP. This change is not intended to modify substantive requirements, but instead is proposed to more accurately reflect and clarify that the information covered by the notice is not limited to the information a covered entity places in an individual’s medical record.
Description of Uses and Disclosures.
Section 3221(i)(2)(B) of the CARES Act requires the updated NPP for Part 2 records to include descriptions for every purpose for which the covered entity is permitted or required to use or disclose PHI without the patient’s written authorization, ‘‘as required by subsection (b)(2) of such section 164.520.’’ However, 45 CFR 164.520(b)(2) sets out optional elements for the NPP and does not address uses or disclosures that are permitted or required without the individual’s authorization. Therefore, the Department believes that the drafters of the CARES Act provision intended to refer instead to 45 CFR 164.520(b)(1)(ii), which requires that the NPP include descriptions of Uses and Disclosures, including a description of each use or disclosure that is permitted or required without the individual’s written authorization.150 The Department proposes to add to the description in 45 CFR 164.520(b)(1)(ii)(C) and (D) the language ‘‘such as 42 CFR part 2’’ to ensure that covered entities understand their specific obligation to address restrictions placed on the use and disclosure of Part 2 records.
149 See 86 FR 6446.
Section 164.520(b)(1)(iii) includes requirements for Separate statements for certain uses or disclosures. In the introductory paragraph of this subsection, the Department proposes to add ‘‘or (B)’’ to include sub-paragraph (B) in the list of descriptions that require a separate statement to describe TPO uses and disclosures under 45 CFR 164.520(b)(1)(ii)(A) or those made without authorization under 45 CFR 164.520(b)(1)(ii)(B).
The Department also proposes to add new sub-paragraph (D) providing notice that Part 2 records or testimony relaying the content of such records shall not be used or disclosed in certain proceedings against the individual without written consent or court order, and new sub-paragraph (E) providing notice that if a covered entity that is a Part 2 program intends to engage in activities addressed in the Sense of Congress in section 3221(k)(4) of the CARES Act,151 the program must first obtain the patient’s express written consent. This provision would support the implementation of 42 U.S.C. 290dd–2(c).
150 See 45 CFR 164.520(b)(ii)(A)–(D).
151 Section 3221(k)(4) expresses the Sense of Congress that creating de-identified health information, a limited data set, and fundraising for the benefit of a covered entity should be excluded from the definition of health care operations as applied to the use and disclosure of Part 2 records.
Statement of Rights. Section 3221(i)(2)(A) of the CARES Act requires the NPP for Part 2 records to include a statement of the patient’s rights with respect to PHI and how the individual may exercise such rights as required by 45 CFR 164.520(b)(1)(iv). The statement must address the rights of patients who self-pay (i.e., cash or other payment not billed to a third-party payer or health plan). Current 45 CFR 164.520(b)(1)(iv) requires a covered entity to include in its NPP a statement of an individual’s rights with respect to PHI. To implement the CARES Act requirements related to a Statement of Rights, the Department proposes to revise 45 CFR 164.520(b)(1)(iv)(C), to require a covered entity, when providing notice about the right of access, to include notice about the right to inspect and obtain a copy of PHI, the right to do so at limited cost or free of charge, and the right to direct a covered health care provider to transmit an electronic copy of PHI in an electronic health record to a third party. The Department also proposes to add a new § 164.520(b)(1)(iv)(G) to require a covered entity to provide notice of the right to discuss the NPP with a designated contact person identified by the covered entity. These changes are made to reflect the changes to the NPP provisions proposed by the Department in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.152
Covered entity’s duties. The Department proposes, at 45 CFR 164.520(b)(1)(v)(A), to remove the second reference to ‘‘protected health information’’ to expand the requirement that a covered entity provide individuals with notice of the covered entity’s legal duties and privacy practices to information beyond that of PHI (i.e., to Part 2 records). The Department proposes to modify 45 CFR 164.520(b)(1)(v)(C), a provision that addresses a covered entity’s right to change the terms of its NPP, to simplify the text, remove the reference to the administrative requirements of the Privacy Rule (i.e., so that it also applies to Part 2), and insert a limitation that any new terms must not be material or contrary to law.
Other proposed updates to the NPP. The Department proposes other changes to conform the NPP requirements at 45 CFR 164.520 to changes required by the CARES Act. For example, the Department proposes to modify 45 CFR 164.520(b)(1)(iii) to address the Sense of Congress expressed at 42 U.S.C. 290dd–2(k)(4).
Although the Sense of Congress does not give legal effect to the exclusion of fundraising and the creation of de-identified health information and limited data sets as permissible disclosures under ‘‘health care operations’’, the Department believes that fundraising is far enough outside an individual’s reasonable expectation of how their Part 2 records will be used or disclosed that entities should obtain written consent. This means that the NPP provision at 45 CFR 164.520(b)(1)(iii) would still give notice to individuals that a covered entity may use or disclose the individual’s PHI for fundraising with an option to opt out of such communications. However, in the case of a covered entity that is also a Part 2 program, it would also provide notice that a covered entity may use or disclose the individual’s Part 2 records for fundraising on behalf of the covered entity only with the written consent of the individual.
152 See 86 FR 6446.
The Department also proposes to incorporate changes proposed to the NPP requirements in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.153 These proposals include adding a requirement, at 45 CFR 164.520(b)(1)(vii), that a covered entity’s NPP include the email address for a designated person who would be available to answer questions about the covered entity’s privacy practices; adding a permission for a covered entity to provide information, in its NPP, concerning the right to direct copies of PHI to third parties when the PHI is not in an EHR and the ability to request the transmission using an authorization; and removing the existing requirement for a covered entity to obtain a written acknowledgement of receipt of the NPP. Finally, the Department proposes a new paragraph at 45 CFR 164.520(d)(4) to prohibit construing the permissions for OHCAs to disclose PHI between participants as negating obligations related to Part 2 records.
The Department is mindful of the compliance burden imposed on all entities due to NPP requirements. The Department carefully considered how to accomplish the CARES Act mandate to update the NPP and believes that the proposed changes to 45 CFR 164.520 implement the statutory requirement to inform individuals in a manner that places the least burden on regulated entities. The Department requests comment on this assumption.
153 Id.
§ 2.23—Patient Access and Restrictions on Use and Disclosure (Proposed Heading)
The Department proposes to add the term ‘‘disclosure’’ to the heading of this section and throughout paragraphs (a) and (b) to clarify that a patient is not required to provide written consent or authorization in order to access their own Part 2 records. The Department proposes additional wording changes to this section to improve readability and to replace the word ‘‘information’’ with ‘‘records,’’ which more accurately describes the scope of the information to which the regulation applies.
§ 2.24—Requirements for Intermediaries (Redesignated and Proposed Heading)
Under § 2.13(d), a patient has a right to request a list of disclosures made by an intermediary; the intermediary must provide the patient with information regarding disclosures made within the past two years. As described above in §§ 2.11 Definitions and 2.13 Confidentiality restrictions and safeguards, the Department proposes to remove paragraph (d) of § 2.13 and redesignate it as § 2.24; change the subheading from Lists of disclosures to a heading titled Requirements for intermediaries; and in § 2.11 create a regulatory definition of the term ‘‘intermediary’’.
The Department proposes modifications to clarify the newly designated § 2.24 without intending to change the obligations of intermediaries, other than the time period covered by the list of disclosures. Specifically, the Department proposes to replace the description of intermediaries with a new regulatory definition and to move the statement of responsibility for complying with the applicable requirements from the end of the provision to the beginning. The intent is to clarify what types of entities would be considered intermediaries—e.g., HIEs, research institutions, accountable care organizations, and care management organizations—and their responsibilities for providing patients with a list of disclosures made to member or participant treating providers. An intermediary may be a business associate when a Part 2 program is also a covered entity under HIPAA; in such situations, the intermediary would be subject to requirements of intermediaries as well as those for business associates. The Department proposes to extend the period covered by a list of disclosures from two years to three years to align with the new right to an accounting of disclosures as proposed in § 2.25(b) for disclosures made for purposes of treatment, payment, and health care operations, discussed below. The Department also proposes modifications to the redesignated section to improve clarity and understanding without intending any substantive change.
§ 2.25—Accounting of Disclosures (Proposed Heading)
Except for disclosures made by intermediaries, the existing Part 2 regulation does not include a right for patients to obtain an accounting of disclosures of Part 2 records.154 Section 290dd–2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES Act, applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c), Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record, to Part 2 disclosures for TPO with prior written consent. Therefore, the Department proposes to add a new § 2.25, Accounting of disclosures, to establish the patient’s right to receive, upon request, an accounting of disclosures of Part 2 records made with written consent for up to three years prior to the date the accounting is requested. This proposal would apply to the individual right to an accounting of disclosures in the HITECH Act.155 The first paragraph of the section, (a), would generally require an accounting of disclosures made with patient consent, and the second paragraph, (b), would limit the requirement with respect to disclosures made with consent for TPO purposes, which would only be required for TPO disclosures made from an electronic health record system. In both instances, the proposed changes would be contingent on the promulgation of HITECH Act modifications to the accounting of disclosures standard in the Privacy Rule at 42 CFR 164.528.156 The Department believes this approach is consistent with section 3221(b) of the CARES Act, 42 U.S.C. 290dd–2(b)(1)(B), as amended. The Department notes that the CARES Act applied the HITECH Act timelines and structure for accounting of disclosures to ‘‘all disclosures’’ and not just those disclosures of PHI contained in an EHR. From a policy perspective the Department believes it is appropriate to apply the regulatory framework to all accountings. Because the Department has not yet finalized the HITECH Act accounting of disclosures modifications within the Privacy Rule, the Department does not intend to apply requirements similar to 45 CFR 164.528 before finalizing the Privacy Rule provision.
154 42 CFR 2.13(d) (specifying List of Disclosures requirement applicable to intermediaries).
155 OCR published an NPRM to implement this HITECH Act provision in 2011 but did not finalize it because of concerns raised by public comments. OCR announced its intention to withdraw the 2011 NPRM and requested public input on new questions to help OCR implement the HITECH Act requirement as part of the 2018 HIPAA Rules RFI. See 83 FR 64302, 64307 (December 14, 2018). A final HIPAA rule on the accounting of disclosures that would apply to TPO disclosures by covered entities has not been issued.
156 See also sec. 13405(c) of the HITECH Act (codified at 42 U.S.C. 17935(c)). Since the HITECH Act requirement for accounting of disclosures was enacted in 2009, the Department published a Request for Information (RFI) at 75 FR 23214 (May 3, 2010) and an NPRM at 76 FR 31426 (May 31, 2011). Based in part on public comment on the RFI, the Department proposed to provide individuals with an ‘‘access report’’ as a means of fulfilling the requirement. Based on feedback to the NPRM in which commenters overwhelmingly opposed the report as ‘‘unworkable,’’ the Department, in a follow up RFI published at 83 FR 64302 (December 14, 2018), explained its intent to withdraw the proposal of the 2011 NPRM. The Department received additional public comment about implementing sec. 13405(c) and has recently published, in the Spring 2021 Regulatory Unified Agenda, an intent to publish a second RFI seeking further comment on this HITECH Act section, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202104&RIN=0945-AA04.
The Department seeks comment on this approach to aligning the accounting of disclosures requirements of the Privacy Rule and Part 2 by incorporating a general requirement for an accounting of disclosures and a limited requirement with respect to TPO disclosures, and by tolling the effective date of the accounting of disclosures proposals in this rule until the effective date of the modified Privacy Rule accounting provision.
Additionally, the Department requests data from Part 2 programs that are also covered entities or business associates on the number and type of requests for an accounting of disclosures of PHI received annually and to what extent such covered entities are providing an accounting of disclosures for TPO disclosures through an electronic health record based on the HITECH Act statutory requirement, even absent regulations. For Part 2 programs that are covered entities, the Department requests comments concerning the staff time and other costs involved in responding to an individual’s request for an accounting of disclosures of PHI.
§ 2.26—Right to Request Privacy Protection for Records (Proposed Heading)
The existing Part 2 regulation does not expressly provide a patient the right to request restrictions on disclosures of Part 2 records. Section 3221(b) of the CARES Act amended the PHSA to apply section 13405(a) of the HITECH Act, Restricted restrictions on certain disclosures of health information, to all disclosures of Part 2 records for TPO purposes with prior written consent. Therefore, the Department proposes to codify in § 2.26 patient rights to: (1) request restrictions on disclosures of Part 2 records for TPO purposes, and (2) obtain restrictions on disclosures to health plans for services paid in full. The proposed provision would align with the individual right in the HITECH Act,157 as implemented in the Privacy Rule at 45 CFR 164.522. As with the Privacy Rule right to request restrictions, a covered entity that denies a request for restrictions still would be subject to any applicable state or other law that imposes greater restrictions on disclosures than Part 2 requires.
157 See 42 U.S.C. 17935(a).
In addition to applying the HITECH Act requirements to Part 2, the CARES Act emphasized the importance of the right to request restrictions in three provisions, including: (1) A rule of construction that the CARES Act should not be construed to limit a patient’s right under the Privacy Rule to request restrictions on the use or disclosure of Part 2 records for TPO; 158 (2) A Sense of Congress that patients have the right to request a restriction on the use or disclosure of a Part 2 record for TPO; 159 and (3) A Sense of Congress that encourages covered entities to make every reasonable effort to the extent feasible to comply with a patient’s request for a restriction regarding TPO uses or disclosures of Part 2 records.160
The Department requests comments and data on the extent to which covered entities currently receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how covered entities document such requests, and the procedures and mechanisms used by covered entities to ensure compliance with patient requests to which they have agreed or that they are otherwise required to comply with by law.
Subpart C—Uses and Disclosures With Patient Consent (Proposed Heading)
The Department proposes to modify the heading of Subpart C from ‘‘Disclosures with Patient Consent’’ to ‘‘Uses and Disclosures with Patient Consent’’ to make the heading consistent with the changes the Department proposes to this subpart.
§ 2.31—Consent Requirements
The Part 2 consent provision in current § 2.31 specifies in paragraph (a) the required elements of a valid written patient consent for the disclosure of Part 2 records, and in paragraph (b) what constitutes a deficient consent upon which a disclosure of Part 2 records is not permitted.
To further align Part 2 with the Privacy Rule and implement the requirements of section 3221(b) of the CARES Act, the Department proposes numerous changes to the consent requirements in paragraph (a). Specifically, the Department proposes to change requirements concerning:
• Identity of the discloser
• Description of the information to be disclosed
• Designation of the recipient
• Purpose of the disclosure
• Right to revoke consent
• Expiration of consent
158 CARES Act, sec. 3221(j)(1). The Department believes the effect of this Rule of Construction is that 45 CFR 164.522 of the Privacy Rule continues to apply without change to covered entities with respect to Part 2 records.
159 CARES Act, sec. 3221(k)(2).
160 CARES Act, sec. 3221(k)(3).
In addition, the Department proposes new required statements as part of a consent for use and disclosure for TPO and a new required statement about the consequences to the patient of a failure to sign a consent. The Department also proposes to add the phrase ‘‘use or’’ in § 2.31(a), and ‘‘used or’’ in § 2.31(a)(4)(ii)(B), to clarify that the elements of a written consent would address both use and disclosure of records. The Department believes these proposals are consistent with section 3221(b) of the CARES Act, which addresses permissions and restrictions for both uses and disclosures of records for TPO by programs and covered entities. The Department also proposes a wording change to replace the phrase ‘‘individual or entity’’ and the term ‘‘individual’’ with the term ‘‘person’’ as now proposed to comport with the meaning of the term in the HIPAA Rules. The Department does not believe that as amended, 42 U.S.C. 290dd–2 diminishes the ability of a patient to only grant consent for disclosure of specific types of information contained in the Part 2 record or for specific TPO purposes.
Additionally, the proposed change to the designation of a recipient would continue to permit patients to, for example, name a government agency to receive records when applying for public benefits and not require the name of a specific employee within the agency. The Department notes the permission enacted in 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221(b) of the CARES Act, allows that the contents of Part 2 records ‘‘may,’’ and are not required, to be used or disclosed in accordance with the Privacy Rule for TPO (after prior written consent is obtained). The Department believes therefore, that the revised statute still permits the disclosing entity to employ more granular consent provisions. Further, the rules of construction in section 3221(j)(1) of the CARES Act support the continued ability of covered entities to obtain consent by stating that nothing in the Act shall be construed to limit ‘‘a covered entity’s choice, as described in section 164.506 of title 45, Code of Federal Regulations, or any successor regulation, to obtain the consent of the individual to use or disclose a record referred to in such section 543(a) to carry out treatment, payment, or health care operation.’’ The Department also notes that its proposal to modify § 2.31(a)(3) would still require the consent form to include a description of the information to be used or disclosed that identifies the information ‘‘in a specific and meaningful fashion.’’ 161 This language mirrors that in the Privacy Rule standard for written authorization requiring that a valid authorization pursuant to 45 CFR 164.508 contain ‘‘at least . . .
[a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.’’ 162 The Department believes that its treatment of consent requirements here remains consistent with that of SAMHSA’s prior expressed guidance.163 The Department requests comment on this assumption.
161 See proposed 42 CFR 2.31(a)(3).
162 See 45 CFR 164.508(c) for the complete set of implementation specifications that apply to written authorization under the Privacy Rule.
163 See e.g., 82 FR 6052, 6087.
Several of the proposed changes to the language of the required consent elements are not intended to create substantive changes, but merely to align with the wording of similar requirements in the Privacy Rule. This includes, for example, the identity of the discloser, the description of the information to be disclosed, the right to revoke consent, and the expiration of consent. To fully accomplish the aims of the right to revoke consent, the Department expects that Part 2 programs would need to ensure that any ongoing or automatic disclosure mechanisms are halted upon receipt of a request for revocation. The CARES Act redisclosure permission for a covered entity, business associate, and Part 2 program recipients of Part 2 records limits the ability to ‘‘pull back’’ Part 2 information from those entities once it is disclosed. Thus, once a Part 2 program discloses a record for TPO purposes to a Part 2 program, covered entity, or business associate with prior written consent, a revocation would only be effective to prevent additional disclosures to those entities. It would not prevent a recipient Part 2 program, covered entity, or business associate from using the record for TPO, or redisclosing the record as permitted by the Privacy Rule.
Another set of proposals in this section addresses general designations of the recipient of Part 2 records for TPO, which may be an intermediary or a Part 2 program, covered entity or business associate. To accommodate TPO written consents, the recipient may be a class of persons, rather than only an identified person. In addition, for a single consent for all future uses and disclosures for TPO, the recipient may be described as ‘‘my treating providers, health plans, third-party payers, and people helping to operate this program’’ or a similar statement. The proposed changes to the requirements for general designation of an intermediary would clarify and simplify the subheading and remove the required statement of the patient’s right to a list of disclosures made by the intermediary for the prior two years. These changes are proposed in conjunction with the proposal to add a regulatory definition of intermediary that includes as examples the types of entities listed in § 2.31 and described in previous Part 2 rulemaking preamble discussions.164
Additionally, the Department proposes to add consent requirements that are similar to the Privacy Rule authorization elements at 45 CFR 164.508, with modifications to address the Part 2 requirement to obtain prior written consent for TPO uses and disclosures. Specifically, the Department proposes to require Part 2 programs to inform patients in the written consent of the potential for their Part 2 records that are disclosed to a Part 2 program, covered entity, or business associate pursuant to the patient’s written consent for treatment, payment, and health care operations to be further used or disclosed by the recipient to the extent permitted by the Privacy Rule and no longer protected by this regulation.
However, the Department does not propose to require, similar to the Privacy Rule at 45 CFR 164.522, that a written consent inform patients of the ability, under certain circumstances, to condition treatment on signing a consent for the use or disclosure of Part 2 records, because Part 2 does not prohibit the conditioning of treatment. For example, a Part 2 program may condition the provision of treatment on the patient’s consent to disclose information as needed, for example, to make referrals to other providers, obtain payment from a health plan (unless the patient has paid in full), or conduct quality review of services provided. The Department is aware of public uncertainty about when a patient consent is considered ‘‘written’’ under § 2.31. In previous guidance, SAMHSA clarified that an electronic signed consent form is allowable.165 The Department reaffirms the previous guidance concerning signatures and further clarifies that, where the Department has issued regulations adopting electronic standards to be used for patient consent management,166 and Part 2 programs have implemented such standards, the information conveyed using those standards would constitute a ‘‘written’’ patient consent where the individual provides all of the information required for a valid patient consent under § 2.31.

164 See 82 FR 6052, 6056–6057, 6081, 6090.
165 See Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE). Q15. Does Part 2 require the use of original signed consents? https://www.samhsa.gov/sites/default/files/faqsapplying-confidentiality-regulations-to-hie.pdf.
166 See Cures Act Final Rule, 85 FR 25746 (discussing ONC’s adoption of requirements and standards for authentication and authorization). See also CMS’ Interoperability and Patient Access Rule, 85 FR 25510, 25545 (stating that ‘‘HHS is collectively working to explore standards and technical supports for data segmentation for privacy and consent management and point commenters to the ONC 21st Century Cures Act final rule for additional discussion on this. We also note that using the appropriate FHIR profiles, such as those being finalized by HHS in the ONC 21st Century Cures Act final rule . . . for API technical standards, including the SMART IG (using the OAuth 2.0 standard) and OpenID Connect as finalized at 45 CFR 170.215, can be leveraged to support this.’’).

Regarding revocation of consent, the proposed changes reflect the text of the CARES Act with respect to TPO consent and also parallel the language of 45 CFR 164.508(c)(2)(i) for the core elements of a HIPAA authorization, which requires a statement about ‘‘[t]he individual’s right to revoke the authorization in writing.’’ The intent in this section is to align the Part 2 consent requirements with the HIPAA authorization core elements to the extent feasible by establishing written revocation as a patient right. However, a Part 2 program still may accept an oral revocation of consent. Consistent with HIPAA, if an entity receives a revocation orally, the entity ‘‘knows’’ that the consent has been revoked and can no longer treat the consent as valid under Part 2 and must consider it deficient under § 2.31(b)(3).167 For oral revocations, the Department recommends that the program obtaining the revocation document it in the patient’s record. The Department’s proposal to replace an ‘‘expiration date, event, or condition’’ with an ‘‘expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure’’ is not intended to create substantive change, but only to align with the HIPAA authorization required elements. The Department believes that a ‘‘condition’’ may be considered an event that relates to the individual patient. Further, the Department believes the modified language would continue to serve an aim of both the HIPAA and Part 2 expiration elements, which is to ensure that the consent or authorization will last no longer than necessary to accomplish the purpose of the use(s) or disclosure(s).

167 See 65 FR 82462, 82515 (December 28, 2000).

The Department requests comments on its proposals that would implement changes to § 2.31. Specifically, the Department requests comment on whether there are other changes that it should make to further align § 2.31 with the Privacy Rule using its general regulatory authority in § 3221(i)(1) of the CARES Act to ‘‘make such revisions to regulations as may be necessary for implementing and enforcing the amendments.’’ In particular, the Department seeks comment from the public, including routine requestors of Part 2 records, on whether and to what extent the Department should require Part 2 programs to inform requestors when a preexisting consent exists for disclosure and the scope of such consent for disclosure. This input would be helpful as the Department considers how to facilitate covered entities’ abilities to use the new permissions for TPO disclosures and related redisclosures under the Privacy Rule and Part 2.
The Department also seeks comments on the extent to which Part 2 programs accept or rely on oral revocations of consent, and if so, whether and how this is documented or tracked.

§ 2.32—Notice To Accompany Disclosure (Proposed Heading)

The Department proposes to change the heading of this section from ‘‘Prohibition on re-disclosure’’ to ‘‘Notice to accompany disclosure’’ because § 2.32 is wholly a notice requirement, while other provisions (§ 2.12(d)) prohibit recipients of Part 2 records from redisclosing the records without obtaining a separate written patient consent. To ensure that recipients of Part 2 records comply with the prohibition at § 2.12(d), § 2.32(a) requires that Part 2 programs attach a notice whenever Part 2 records are disclosed with patient consent, notifying the recipient of the prohibition on redisclosure and of the prohibition on use of the records in civil, criminal, administrative, and legislative proceedings against the patient. The Department proposes to modify paragraph (a)(1) of § 2.32 to reflect the expanded prohibition on use and disclosure of Part 2 records in certain proceedings against the patient, which includes testimony that relays information in a Part 2 record and the use or disclosure of such records or testimony in civil, criminal, administrative, and legislative proceedings, absent consent or a court order. The Department intends for ‘‘proceedings’’ to be understood broadly, to encompass investigations as in the existing regulation. Thus, investigative agencies should understand the continuing expectation that the requirement to seek a court order applies at the early stages of a proceeding where Part 2 records are sought to be used and disclosed.
In addition, the proposal would list exceptions to the general rule prohibiting further use or disclosure of the Part 2 records by recipients of such records, which would include an exception for covered entities, business associates, and Part 2 programs who receive Part 2 records for TPO based on a patient’s consent and now may redisclose the records as permitted by the Privacy Rule. This exception also would apply to entities that received Part 2 records from a covered entity or business associate under the Privacy Rule disclosure permissions, although the legal proceedings prohibition would still apply to covered entities and business associates that receive these Part 2 records. These changes are necessary to conform § 2.32 with 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221(b) of the CARES Act concerning redisclosure permissions for covered entity, business associate, and Part 2 program recipients of Part 2 records. The Department also proposes a change to the simplified alternative language in paragraph (a)(2) of § 2.32. The Department would add the term ‘‘use’’ to make clear that authorized uses and disclosures are prohibited by this part. The Department notes that a Part 2 program or other person holding Part 2 records could still choose whether to adopt the more detailed revised notice or to use the simple notice. The Department requests comment on the proposed approach to the notice to accompany disclosure, including whether the alternative simplified notice in paragraph (a)(2) is sufficient to inform recipients of Part 2 records and whether the revised notice in paragraph (a)(1) should include different elements.
§ 2.33—Uses and Disclosures Permitted With Written Consent (Proposed Heading)

Section 2.33 of 42 CFR part 2 currently permits Part 2 programs to disclose Part 2 records in accordance with written patient consent in paragraph (a); and permits lawful holders, upon receipt of the records based on consent for payment or health care operations purposes, to redisclose such records to contractors and subcontractors for certain activities, such as those provided as examples in paragraph (b). To implement sections 3221(b) and (k)(4) of the CARES Act, the Department proposes to amend the heading of this section to refer to ‘‘Uses and disclosures permitted with written consent’’ instead of solely ‘‘disclosures.’’ The Department further proposes to add ‘‘use’’ to refer to ‘‘use or disclosure’’ instead of only ‘‘disclosure’’ in paragraphs (a) and (b) and (b)(2), as modified. The Department believes these changes would align this section with proposed §§ 2.31 and 2.32 as discussed above. The Department further believes these proposals are consistent with the congressional intent expressed in 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act, which aligns Part 2 with the Privacy Rule for purposes of TPO uses and disclosures. The Department also proposes to revise paragraph (b) by removing the list of permitted payment and health care operations uses and disclosures, adding language to paragraphs (b) and (b)(1), redesignating paragraph (2) as paragraph (3), and adding a new paragraph (b)(2).168 Specifically, the Department proposes to create two categories of redisclosure permissions.
The first category would apply to Part 2 programs, covered entities, and business associates that have received a Part 2 record with consent for TPO and would permit the recipient to redisclose the records for uses and disclosures as permitted by the Privacy Rule, subject to the limitations of proposed subpart E of Part 2 pertaining to legal proceedings. The second category would apply to lawful holders that are not business associates, covered entities, or Part 2 programs and have received Part 2 records with written consent for payment and health care operations purposes. This category would permit the recipient to redisclose the records for uses and disclosures to its contractors, subcontractors, and legal representatives to carry out the intended purpose, also subject to the limitations of proposed subpart E of part 2 pertaining to legal proceedings. A lawful holder under this provision would not be permitted to redisclose Part 2 records it receives for treatment purposes before obtaining an additional written consent from the patient. The Department has not proposed to define the terms ‘‘contractors, subcontractors, and legal representatives’’ because it does not intend to change the accepted understanding of these business relationships between the recipient of Part 2 records under a written patient consent and the entities that it uses to carry out its business activities. The Department requests comment on whether it would be helpful to define these terms and, if so, what definitions would appropriately retain the existing accepted understanding of the business relationships.

168 Section 3221(b) of the CARES Act is codified at 42 U.S.C. 290dd–2(b)(1)(C).
The proposed changes would implement section 3221 of the CARES Act by permitting covered entities and business associates to use and redisclose Part 2 records in accordance with the standards that apply to PHI in the Privacy Rule and permitting Part 2 programs to use, disclose, and redisclose Part 2 records for TPO purposes when the records are obtained under a written consent given once for all future TPO uses and disclosures. The expanded ability to use and disclose Part 2 records would facilitate greater integration of SUD treatment information with other PHI. The Department believes this change would improve communication and care coordination between providers and with other elements of the health care system, such as the ability of payers to share SUD treatment claims information with alternative payment model providers for population health management, and enhance the ability to comprehensively diagnose and treat the whole patient. It would also facilitate the exchange of Part 2 records between Part 2 programs and reduce burdens on such exchanges by allowing a written consent to be given once for all future TPO uses and disclosures. The Department supports the sharing of Part 2 records among health care entities and patients for continuity of care purposes and has proposed to align the Part 2 consent requirements and disclosure permissions with the Privacy Rule to the extent possible for such purposes within the legal authority granted by Congress. Only redisclosures for legal proceedings by covered entities or business associates would be subject to the more stringent Part 2 restrictions, as discussed below in relation to §§ 2.64 and 2.65. Finally, the Department proposes to exclude covered entities and business associates from the requirements of paragraph (c) because they are already subject to the Privacy Rule requirements for business associate agreements. 
The Department welcomes comments concerning the extent to which the proposed changes to § 2.33 would result in reduction of patient trust that their Part 2 records will be kept confidential and thus affect the ability to provide treatment to patients with SUD. The Department requests comment on how Part 2 programs and recipients of Part 2 records would identify records for which a patient has given consent for TPO uses and disclosures generally as compared to consent for one purpose or a consent limited to certain segments of Part 2 information. In addition, the Department seeks comment on the ways to increase coordination not only amongst Part 2 programs or recipients of Part 2 records and providers of other healthcare services but also with the health IT developer and HIE communities to protect privacy for Part 2 records within EHRs. Finally, the Department requests comment on how the proposed revisions to § 2.33 might affect the future data segregation practices of Part 2 programs and recipients of Part 2 records.

§ 2.34—Uses and Disclosures To Prevent Multiple Enrollments (Proposed Heading)

Section 2.34 permits a Part 2 program to disclose patient records to certain central registries to prevent multiple enrollments of a patient to withdrawal management or maintenance treatment programs when conditions are met. The Department proposes to replace the phrase ‘‘re-disclose or use’’ with ‘‘use or redisclose’’ at § 2.34(b), as it relates to preventing a registry from using or redisclosing Part 2 records, to align the language of this provision with the Privacy Rule as discussed above. The Department also proposes a minor wording change to refer to ‘‘use of information in records’’ instead of just ‘‘use of information’’ to make clear that this provision relates to Part 2 records.

§ 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients

Section 2.35 of 42 CFR part 2 outlines conditions for disclosures back to persons within the criminal justice system who have referred patients to a Part 2 program for SUD diagnosis or treatment as a condition of the patients’ confinement or parole. The Department proposes to clarify that the permitted disclosures would be of information from the Part 2 record and to replace the term ‘‘individual’’ within the criminal justice system with ‘‘persons.’’ As discussed above, the term ‘‘individual’’ is defined in the HIPAA Rules to refer to natural persons who are the subject of PHI,169 while the analogous term in Part 2 for the subjects of Part 2 records is ‘‘patient.’’ To avoid potential misunderstanding due to different terminology, the Department proposes to use ‘‘persons’’ when referring to someone other than the individual patient. In conjunction with this proposed change in usage, the Department proposes to replace the Part 2 definition of ‘‘person’’ with the HIPAA regulatory definition at 45 CFR 160.103. This definition includes both natural persons and legal entities. The Department also proposes to add the phrase ‘‘from a record’’ after the term ‘‘information’’ to make clear that this section regulates ‘‘records’’, and replaces ‘‘disclosure and use’’ with ‘‘use and disclosure’’ in several places to parallel the Privacy Rule. The Department welcomes comment on its approach to identifying ‘‘persons’’ within the criminal justice system who have referred patients to a Part 2 program, including whether the alternative term ‘‘personnel’’ would more accurately cover the circumstances under which referrals under § 2.35 are made.

169 See 45 CFR 160.103 (definition of ‘‘Individual’’).

Subpart D—Uses and Disclosures Without Patient Consent (Proposed Heading)

The Department proposes to modify the heading of subpart D by adding the term ‘‘uses’’ so it reads ‘‘Uses and Disclosures Without Patient Consent’’ to clarify that some of the regulated activities in this subpart—including research in § 2.52(b) (e.g., conducting scientific research using patient identifying information), preparing research reports in § 2.52(b)(3), and Audit and evaluation (now proposed as ‘‘Management audits, financial audits, and program evaluation’’)—include internal uses of Part 2 records by regulated entities.

§ 2.51—Medical Emergencies

Section 2.51 of 42 CFR part 2 permits Part 2 programs to disclose patient identifying information to medical personnel in certain circumstances. In § 2.51(c)(2), the Department proposes to replace the term ‘‘individual’’ with the term ‘‘person’’ as discussed above in § 2.11, Definitions.

§ 2.52—Scientific Research (Proposed Heading)

Section 2.52 of 42 CFR part 2 permits Part 2 programs to disclose patient identifying information for research, without patient consent, under limited circumstances. The Department proposes to update the title of this section for consistency with the statute and to add the term ‘‘use’’ to § 2.52(a). In § 2.52(b)(3), any individual or entity conducting scientific research using patient identifying information may include part 2 data in research reports only in non-identifiable aggregate form. The Department proposes to change the standard in § 2.52(b)(3) to more closely align with the Privacy Rule deidentification standard. Specifically, for § 2.52(b)(3), the Department proposes changes to the text to read: ‘‘. . .
patient identifying information has been deidentified in accordance with the requirements of the Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.’’ The Department requests comment on any benefits, costs, and potential unintended adverse consequences that may result from this proposed change. The Department also proposes to replace several instances of the phrase ‘‘individual or entity’’ with the term ‘‘person’’, which would encompass both individuals and entities, and to replace the term ‘‘individual’’ with the term ‘‘person.’’

§ 2.53—Management Audits, Financial Audits, and Program Evaluation (Proposed Heading)

The Department proposes to change the heading of § 2.53 to specifically refer to management audits, financial audits, and program evaluation to more clearly describe the disclosures permitted without consent under 42 U.S.C. 290dd–2(b)(2)(B). The Department also proposes to replace several instances of the phrase ‘‘individual or entity’’ with the term ‘‘person’’, which would encompass both individuals and entities. Section 2.53 of 42 CFR part 2 permits a Part 2 program or lawful holder to disclose patient identifying information to any individual or entity in the course of certain Federal, State, or local audit and program evaluation activities. Section 2.53 also permits a Part 2 program to disclose patient identifying information to Federal, State, or local government agencies and their contractors, subcontractors, and legal representatives when mandated by law, if the audit or evaluation cannot be carried out using de-identified information. There is significant overlap between activities described as ‘‘audit and evaluation’’ in § 2.53 and health care operations as defined in the Privacy Rule at 45 CFR 164.501. For example, the following audit and evaluation activities under Part 2 align with the health care operations defined in the Privacy Rule, as cited below:

• § 2.53(c)(1) (government agency or third-party payer activities to identify actions, such as changes to its policies or procedures, to improve care and outcomes for patients with SUDs who are treated by part 2 programs; ensure that resources are managed effectively to care for patients; or determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD); 170
• § 2.53(c)(2) (reviews of appropriateness of medical care, medical necessity, and utilization of services).171
• § 2.53(d) (accreditation).172

In addition, activities by individuals and entities conducting Medicare, Medicaid, and CHIP audits or evaluations described at § 2.53(e) parallel those defined as health oversight activities in the Privacy Rule at 45 CFR 164.512(d)(1). Part 2 programs and lawful holders making disclosures to these individuals and entities must agree to comply with all applicable provisions of 42 U.S.C. 290dd–2, ensure that the activities involving patient identifying information occur in a confidential and controlled setting, ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had an SUD; and must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part.
Patient identifying information disclosed pursuant to § 2.53(e) may be further redisclosed to contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, but are restricted to only that which is necessary to complete the audit or evaluation as specified in paragraph (e).173 Section 3221(b) of the CARES Act amended the PHSA to permit Part 2 programs, covered entities, and business associates to use or disclose the contents of Part 2 records for TPO after obtaining the written consent of a patient.174 Covered entities, business associates, and Part 2 programs are further permitted to redisclose the same information in accordance with the Privacy Rule. As the Department has noted throughout this NPRM, these new disclosure pathways are permissive, not required. To implement the new TPO permission that includes the ability of such entities to use or disclose Part 2 records for health care operations with a general consent, the Department proposes to modify the audit and evaluation provisions at § 2.53 by adding the term ‘‘use’’ where the current language of § 2.53 refers only to disclosure and by adding paragraph (h), Disclosures for health care operations. This new provision would clarify that Part 2 programs, covered entities, and business associates are permitted to disclose Part 2 records pursuant to a consent for all future TPO uses and disclosures when a requesting entity is seeking records for activities described in paragraphs (c) or (d) of § 2.53. Such activities are health care operations, but do not include treatment and payment.

170 See, e.g., 45 CFR 164.501 (definition of ‘‘Health care operations’’, paragraph 5).
171 See, e.g., 45 CFR 164.501 (definition of ‘‘Health care operations’’, paragraph 1).
172 See, e.g., 45 CFR 164.501 (definition of ‘‘Health care operations’’, paragraph 2).
173 See 42 CFR 2.53(e)(6).
174 Codified at 42 U.S.C. 290dd–2(b)(1)(B).
To the extent that a requesting entity is itself a Part 2 program, covered entity, or business associate that has received Part 2 records pursuant to a consent that includes disclosures for health care operations, it would then be permitted to redisclose the records for other purposes as permitted by the Privacy Rule. Thus, if an auditing entity is a Part 2 program, covered entity, or business associate that has obtained consent and is not performing health oversight, it would not be subject to all the requirements of § 2.53 (e.g., the requirement to only disclose the records back to the program that provided them). Requesting entities that are not Part 2 programs, covered entities, or business associates would not have this flexibility but would still use existing permissions in § 2.53 to obtain access to records for audit and evaluation purposes, and they would remain subject to the redisclosure limitations therein. The CARES Act does not expressly address § 2.53; however, there is overlap between the audit and evaluation activities contemplated in § 2.53 and some activities defined as health care operations and health oversight activities in the Privacy Rule. The Department has consistently subjected its health oversight uses and disclosures to the requirements of § 2.53, and it does not believe that Congress intended differently when it amended section 290dd–2(b)(1)(B) of 42 U.S.C. As under the existing regulation, a person performing applicable audit and evaluation activities may rely instead on patient consent for health care operations as a means of obtaining the needed records. The Department believes that in many instances this would not be feasible because it would require tracking and segregating records with consent from those without consent, and would reduce the overall number of records available for auditing and evaluation.
However, the Department requests comment on whether the new redisclosure permission for Part 2 programs, covered entities, and business associates may create incentives for such recipients to rely on patient consent more frequently when performing audit and evaluation of records made available by Part 2 programs. Proposed paragraph (h) would leave intact existing disclosure permissions and requirements for audit and evaluation activities without consent, including health care oversight activities, such as described in paragraph (e). At the same time, the proposal would provide a new mechanism for programs and covered entities to obtain patient consents for all future TPO uses and disclosures (including redisclosures), which in some instances may include audit and evaluation activities. The Department proposes this approach because it believes there is no basis to fully align the Part 2 audit and evaluation provisions with the Privacy Rule, given that the CARES Act consent provisions specifically incorporated only uses and disclosures for TPO purposes, not for health oversight activities. The Department requests comment on this interpretation and any anticipated benefits or costs of treating some audit and evaluation activities under Part 2 differently than others based on whether the activities would constitute health care operations or health oversight activities.

§ 2.54—Disclosures for Public Health (Proposed Heading)

The existing Part 2 regulations do not permit the disclosure of Part 2 records for public health purposes. The CARES Act, section 3221(c), added paragraph (b)(2)(D) to 42 U.S.C. 290dd–2 to permit Part 2 programs to disclose de-identified health information to public health authorities. Therefore, the Department proposes to add § 2.54 to permit Part 2 programs to disclose Part 2 records without patient consent to public health authorities provided that the information is de-identified in accordance with the standards in 45 CFR 164.514(b).
This change is proposed in conjunction with the Department’s proposed definitions for public health authority as described above. Further, the proposed change should not be construed as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a). Thus, once Part 2 records are de-identified for disclosure to public health authorities, Part 2 no longer applies to the deidentified records. The Department requests comment on any benefits or costs that may result from this proposed change.

Subpart E—Court Orders Authorizing Use and Disclosure (Proposed Heading)

The Department proposes to modify the heading of subpart E to reflect changes made to the provisions of this subpart related to the use and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd–2(b) and (2)(c), as amended by section 3221(b) and (e) of the CARES Act.

§ 2.61—Legal Effect of Order

Current § 2.61 includes the requirement that beyond a court order, a subpoena must be issued to a Part 2 program in order to compel disclosure of Part 2 records. In addition to nonsubstantive wording edits reflected in the proposed regulatory text, the Department proposes to add the word ‘‘use’’ to paragraphs (a), (b)(1) and (b)(2) to clarify that the legal effect of a court order with respect to Part 2 records would include authorizing the use of Part 2 records, in addition to the disclosure of Part 2 records. The Department believes this approach is consistent with the CARES Act amendments to 42 U.S.C. 290dd–2.
§ 2.62—Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors and Evaluators

Currently, § 2.62 provides that a court order may not authorize qualified personnel who have received patient identifying information without consent for research, audit, or evaluation, to disclose the information or use it to conduct a criminal investigation of the patient. In addition to wording changes to improve readability, and reordering the phrase ‘‘disclosure and use’’ to ‘‘use and disclosure’’ for the same reasons described in other sections, the Department proposes to replace the term ‘‘qualified personnel’’ with a description of who falls within the term. The term ‘‘Qualified personnel’’ has a precise meaning but does not have a regulatory definition within 42 CFR part 2 and is used only once within the regulation. For greater clarity, the Department proposes to refer instead to ‘‘persons who meet the criteria specified in § 2.52(a)(1)(i)–(iii) of this part,’’ and later in the paragraph to ‘‘such persons.’’

§ 2.63—Confidential Communications

Section 2.63(a) of 42 CFR part 2 currently provides that a court order may authorize disclosure of confidential communications made by a patient to a Part 2 program during diagnosis, treatment, or referral only if necessary: (1) to protect against a threat of serious bodily injury; (2) to prosecute the patient for a serious crime; or (3) in connection with litigation or an administrative proceeding in which the patient introduces their own Part 2 records. Paragraph (c) of 42 U.S.C. 290dd–2, as amended by section 3221(e) of the CARES Act, provides that Part 2 records may be disclosed in noncriminal legal proceedings only with patient consent or a court order, and added civil litigation and administrative proceedings to the list of proceedings for which Part 2 records cannot be used or disclosed by a government authority against a patient, absent a court order.
To implement the changes to 42 U.S.C. 290dd–2, the Department proposes to specify in § 2.63(a)(3) that civil, as well as criminal, administrative, and legislative proceedings are circumstances under which a court may authorize disclosures of confidential communications made by a patient to a Part 2 program in Part 2 records when the patient opens the door by introducing their records or testimony that relays information in their records as evidence.

§ 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes (Proposed Heading)

Section 2.64 of 42 CFR part 2 governs court orders authorizing the disclosure of patient records for noncriminal investigations or prosecutions. Paragraph (a) of this section provides that any person with a legally recognized interest may apply for a court order authorizing the disclosure of patient records in noncriminal proceedings, and such person may file the application separately or as part of a pending civil action in which they assert the evidentiary need for the records. A court order under this section (or any section within subpart E) would be limited to the circumstances specified in § 2.63, discussed above. Section 3221(e) of the CARES Act expanded privacy protections by prohibiting the use of Part 2 records for these purposes, or disclosure or use of testimony relaying the contents of a patient’s records. To implement this change, the Department proposes to modify the heading, paragraph (a), and paragraph (e) to include use, not only disclosure, of Part 2 records, and the use or disclosure of testimony relaying the information in such records. The Department further proposes to modify § 2.64(a) by adding administrative, or legislative proceedings to the types of noncriminal proceedings for which a use or disclosure of Part 2 records must be authorized by a court order, absent patient consent or the application of § 2.53(e).
Section 290dd–2(c) of 42 U.S.C., as amended, requires a court order, even when the disclosure or use is sought in an administrative, or legislative proceeding. Thus, when disclosure or use of Part 2 records or testimony relaying information in a record is sought in a non-judicial proceeding, the application would be filed separately in court. Paragraph (e) of § 2.64 sets forth limitations for court orders authorizing the disclosure of patient records in noncriminal proceedings, limiting such disclosures to the portions of the patient’s record that are essential to fulfill the purpose of the order. The Department proposes to add the word ‘‘only’’ to clarify the extent of the limitation. The disclosure must also be limited to those persons whose need for the information is the basis for the order and must include necessary measures to limit the use or disclosure. The Department also proposes to modify subparagraphs (e)(1) through (e)(3) to include the use of patient records and the use or disclosure of testimony relaying the information in patient records. The Department proposes these modifications to align with 42 U.S.C. 290dd–2(c)(1) through (c)(3), as amended by section 3221(e) of the CARES Act (expanding privacy protection by prohibiting the use or disclosure of patient records or testimony relaying the contents of a patient’s records).

§ 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients (Proposed Heading)

Section 2.65 of 42 CFR part 2 establishes procedures and criteria for court orders authorizing the use and disclosure of patient records in criminal investigations or prosecutions of the patient.
Under § 2.65(a), the custodian of the patient’s records, or a law enforcement or prosecutorial official responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws, may apply for a court order authorizing the disclosure of Part 2 records to criminally investigate or prosecute a patient of a Part 2 program. The Department proposes the change, as discussed above, to refer to ‘‘use and disclosure’’ throughout this section instead of ‘‘disclosure and use.’’ Parallel to the proposed changes to § 2.64, discussed above, the Department proposes to modify § 2.65(a) to include the use and disclosure of testimony relaying the information in patient records because the current provision is limited to disclosure of records and does not address the CARES Act expanded privacy protection which also prohibits the use or disclosure of testimony relaying the contents of a patient’s records. The Department further proposes to modify § 2.65(a) to add administrative, and legislative criminal proceedings to the criminal proceedings for which the use or disclosure of Part 2 patient records may be authorized by a court order, consistent with the CARES Act. In addition to criminal prosecutions brought as part of the judicial process, criminal investigations may be carried out by executive agencies and legislative bodies and the CARES Act has widened the confidentiality protections for patients in all of these forums where there may be a risk of exposure and liability. Subparagraph (d) of § 2.65 sets forth criteria for the issuance of a court order authorizing the disclosure and use of patient records to conduct a criminal investigation or prosecution of a patient.
Specifically, § 2.65(d)(2) requires a reasonable likelihood that the records would disclose information of substantial value in the investigation or prosecution. The Department proposes to modify §§ 2.65(d) and (d)(2) in a manner similar to proposed § 2.65(a), discussed above, to include the use or disclosure of testimony relaying the information in Part 2 records. Under the proposed modification, the criteria in § 2.65(d) would apply to court orders authorizing not only the use and disclosure of Part 2 records, but also the use and disclosure of testimony relaying the information in those records, consistent with 42 U.S.C. 290dd–2(c), as amended section 3221(c) of the CARES Act. Subparagraph (e) of § 2.65 sets forth requirements for the content of a court order authorizing the use or disclosure of patient records for the criminal investigation or prosecution of the patient. Specifically, § 2.65(e)(1) requires that such order must limit the use or disclosure to those parts of the patient’s record as are essential to fulfill the objective of the order. Section 2.65(e)(2) requires that the order limit the disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of the extremely serious crime or suspected crime specified in the application. The existing rule, at § 2.63(1) and (2), specifies that the type of crime for which an order could be granted would be one ‘‘which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect.’’ 175 Thus, the use of an illegal substance does not in itself constitute an extremely serious crime.
The Department proposes to modify §§ 2.65(e) and (e)(1) through (e)(2) in a manner similar to §§ 2.65(a) and 2.65(d) and (d)(2), discussed above, to include the use and disclosure of testimony relaying the information in patient records. The proposed modification would apply the same limitations on a court order authorizing the use or disclosure of a patient’s records to court orders authorizing not only the use or disclosure of testimony relaying the information in those records. The proposed modification to § 2.65(e)(1) would limit uses and disclosures to those parts of a patient’s records or testimony relaying the information in those records which are essential to fulfill the objective of the order. Likewise, the proposed modification to § 2.65(e)(2) would limit disclosures to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records or testimony to investigation and prosecution of the extremely serious or suspected crime specified in the application and as limited by § 2.63. The above-noted proposed modifications to §§ 2.65(d) and (d)(2), 2.65(e), and 2.65(e)(1) and (e)(2), each would add the use and disclosure of testimony relaying the information in patient records to the protections already afforded Part 2 records under the regulations.

175 42 CFR 2.65.

§ 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or Person Holding the Records (Proposed Heading)

Section 2.66 specifies the persons who may apply for an order authorizing the disclosure of patient records for the purpose of investigating or prosecuting a Part 2 program in connection with legal proceedings, how such persons may file the application, and provides that, at the court’s discretion, such orders may be granted without notice to the Part 2 program or patient.
The Department proposes a new paragraph (a)(3) that details procedures for investigative agencies to follow in the event they unknowingly obtain Part 2 records during an investigation or prosecution of a Part 2 program or person holding Part 2 records. Specifically, the Department would require an investigative agency (other than one proceeding under § 2.53(e)) that discovers in good faith that it has obtained Part 2 records to secure the records according to § 2.16 and cease using or disclosing them until it obtains a court order authorizing the use and disclosure of the records and any records later obtained, within a reasonable period of time, but not more than 120 days after discovering it received the records. If the agency does not seek a court order, it must return the records to the Part 2 program or person holding the records if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days from discovery; or, if the agency does not seek a court order or return the records, it must destroy the records in a manner that renders the patient identifying information nonretrievable, within a reasonable period of time, but not more than 120 days from discovery. Finally, if the agency’s application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the Part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice of rejection from the court. The Department proposes in paragraph (b) to provide an option for substitute notice by publication when it is impracticable under the circumstances to provide individual notification of the opportunity to seek revocation or amendment of a court order issued under § 2.66. 
Additionally, the Department proposes to reorganize paragraph (c) by expressly incorporating the provisions from § 2.64(d) that would require an applicant to show a court the good cause requirement and criteria, and adding the proposed § 2.3(b) requirements as elements of good cause for investigative agencies that apply for a court order under proposed § 2.66(a)(3)(ii). The Department proposes to replace the phrase ‘‘disclosure and use’’ with ‘‘use and disclosure’’ to align the language of this section with the Privacy Rule in paragraphs (a) through (d). The Department also proposes minor wording changes to improve readability, viewable in proposed regulatory text.

§ 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

Current § 2.67 authorizes the placement of an undercover agent in a Part 2 program as an employee or patient by law enforcement or prosecutorial agency pursuant to court order when the law enforcement organization has reason to believe the employees of the Part 2 program are engaged in criminal misconduct. The Department proposes to clarify that the good cause criteria for a court order in paragraph (c)(2) includes circumstances when obtaining the evidence another way would ‘‘yield incomplete evidence.’’ The Department also proposes to create a new paragraph (c)(4) addressing investigative agencies’ belated applications for a court order authorizing placement of an undercover informant or agent to investigate a Part 2 program or its employees. The provision would require the investigative agency to satisfy the conditions at proposed § 2.3(b) before applying for a court order for Part 2 records after discovering that it unknowingly had received such records.
Finally, the Department proposes to replace the phrase ‘‘law enforcement or prosecutorial’’ with ‘‘investigative’’ in paragraph (a) and to add the words ‘‘using or’’ in front of ‘‘disclosing’’ in paragraph (d)(3) of this section and ‘‘and disclosure’’ after the term ‘‘use’’ in paragraph (e) of this section to implement 42 U.S.C. 290dd–2(c), as amended by section 3221(e) of the CARES Act, which prohibits the use or disclosure of Part 2 records in these circumstances.

§ 2.68—Report to the Secretary (Proposed Heading)

The Department proposes to create a new § 2.68 to require investigative agencies to file an annual report with the Secretary of the applications filed for court orders after use or disclosure of records in an investigation or prosecution of a program or holder of records under § 2.66(a)(3)(ii) and after placement of an undercover agent or informant under § 2.67(c)(4). The report would also include the number of instances in which such applications were denied due to findings by the court of violations of this part during the calendar year, and the number of instances in which the investigative agency returned or destroyed Part 2 records following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii), (iv), or (v), respectively during the calendar year. The Department proposes that such reports would be due within 60 days following the end of the calendar year.

Request for Comments

The Department requests public comment on all aspects of the proposed amendments to the regulations at 42 CFR part 2, Confidentiality of Substance Use Disorder Patient Records (Part 2), and 45 CFR 164.520, Notice of Privacy Practices for Protected Health Information, and on the specific questions below. The Department welcomes public comment on any benefits or drawbacks of the proposed amendments set forth above in this proposed rule.

1. § 2.2 Purpose and Effect.
The Department requests comment on whether the Department’s proposals adding the terms ‘‘use’’ or ‘‘uses’’ to existing regulatory text that currently only state ‘‘disclose’’ or ‘‘disclosure,’’ would substantively expand the scope of the applicable requirements and prohibitions in a manner not intended. The Department seeks input and specific examples of where the proposed insertion of new terms could result in any unintended adverse consequences for regulated entities.

2. § 2.3 Civil and Criminal Penalties for Violations. The Department requests comment on its proposals at § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive Part 2 records while investigating a program or other person holding Part 2 records without first obtaining the requisite court order, and on the proposed conditions to qualify for the limitation. Specifically, the Department requests comment on the potential impact on patient privacy and access to SUD treatment if investigative agencies can utilize a safe harbor when they unknowingly are in receipt of Part 2 records after first checking whether the program actually provides SUD services. Additionally, the Department requests comment on whether the listed activities should be the only ways an investigative agency may establish reasonable diligence. If there should be additional ways, what should they be and should they be included in regulatory text as an exclusive list?

3. § 2.11 Definitions.

Business associate. The Department solicits comment on the proposal to adopt the definition of ‘‘business associate’’ that is used in the HIPAA Privacy Rule.

Health care operations.
The Department requests comment on the proposed definition of ‘‘health care operations’’, including the proposed approach in the consent requirements to offer an opt-in for fundraising, but not for de-identification and creating a designated record set.

Intermediary. The Department requests comment on the proposed definition of intermediary and whether, in light of the new permission to disclose records for TPO based on a single prior consent, the requirements for an intermediary should be retained or removed.

Investigative agency. The Department requests comment on the proposed definition of ‘‘investigative agency’’ and any concerns about including local agencies in the term, such as lack of uniform procedures, inconsistency across a state, or examples of local investigative agencies involvement in investigating Part 2 programs. The Department also requests comment on whether to interpret state (or local, if it is added) to include Tribal agencies or whether to expressly include Tribal agencies within the regulatory definition. The existing Part 2 regulation does not reference the term ‘‘Tribal.’’

Lawful holder. Additionally, the Department requests comment on whether a definition of ‘‘lawful holder’’ is needed to properly enforce § 2.16 as discussed above and in the regulatory alternatives considered. The Department also requests comment on whether, with respect to § 2.33, there are types of recipients of Part 2 records by way of a consent that should be excluded from a definition of ‘‘lawful holder’’.

Personal representative. With respect to persons who are authorized to make health care decisions on behalf of a minor, a patient who lacks capacity to make their own decisions, or a patient who is deceased, the Department requests comment on any benefits or drawbacks of adopting the Privacy Rule term ‘‘personal representative,’’ and the description of the term in 45 CFR 164.502(g)(2), as a defined term within this part.
If adopted, this term would replace the phrase ‘‘guardian or other persons authorized under state law to act on the patient’s behalf’’ and ‘‘executor, administrator, or other personal representative appointed under applicable state law.’’

Records. With respect to the consideration of newly defining SUD counseling notes that would be part of a record, the Department requests comment on the benefits and burdens of adopting such a definition, similar to the psychotherapy notes provision under HIPAA. Additionally, the Department requests comment on the scope of SUD personnel who could potentially create SUD counseling notes and utilize the additional patient privacy protections they afford and whether a regulatory definition for SUD professional should be created.

Use. With respect to the proposed definition of ‘‘use’’, the Department requests comment on whether to retain the specific reference to the use of records in certain proceedings against the patient, addressed at §§ 2.61–2.67, or whether it would be clearer to adopt only the definition of the term ‘‘use’’ from the HIPAA Rules at 45 CFR 160.103.

4. § 2.16 Security for records and notification of breaches. The Department requests public comment regarding the estimated burden for Part 2 programs that are not covered entities to comply with the proposed breach notification requirements. The Department also requests comment regarding the application of the Privacy Rule de-identification standard to rendering Part 2 records nonidentifiable, as provided in the proposed modifications to § 2.16(a)(1)(v) and (a)(2)(iv), including any unintended adverse consequences that may result from these proposed changes.
The Department requests comment regarding whether the Security Rule or similar requirements should apply to Part 2 programs that maintain electronic records but are not covered entities in the same manner as the Security Rule applies to covered entities and business associates. The Department requests comment on whether breach notification requirements that apply to business associates pursuant to the Privacy Rule should apply to QSOs as they are similarly situated. In addition, the Department requests comments from Part 2 programs that are not covered entities on whether they look to the HIPAA Security Rule generally for guidance on protecting electronic Part 2 records or otherwise voluntarily attempt to follow the requirements of the Security Rule. For any programs that may do so, the Department requests comment on what their experience has been, including any implementation costs. Finally, the Department requests comment on whether the requirements of this section that apply to a lawful holder should in any way depend on the level of sophistication of a lawful holder who is in receipt of Part 2 records by written consent, or should depend on whether the lawful holder is acting in some official or professional capacity connected to or related to the Part 2 records.

5. § 2.22 Notice to patients of Federal confidentiality requirements and 45 CFR 164.520 Notice of privacy practices for protected health information. The Department requests comment on ways to make the proposed notices more easily understandable, including examples of possible approaches, such as requiring the document to be at a particular reading grade level, maximum number of pages, or other suggestions. The Department specifically requests comment from legal, clinical, privacy, and civil rights experts on this matter.

6. § 2.24 Requirements for intermediaries.
The Department solicits comment on the proposed reorganization and clarification of requirements for entities that facilitate health information exchange and whether there is a continued need for these requirements in light of the accounting of disclosures proposed in § 2.25. Specifically, the Department solicits comment on how Part 2 programs have been implementing the existing requirements for intermediaries in § 2.13(d) and § 2.31(a)(4)(ii) and examples of how those requirements have affected the ability of Part 2 programs to utilize HIEs.

7. § 2.25 Accounting of disclosures. The Department requests comment on the proposals to add a requirement for an accounting of disclosures for non-TPO disclosures and an accounting of disclosures through an electronic health record for TPO. The Department welcomes data from Part 2 programs that are also covered entities on the number and type of requests for an accounting of disclosures of PHI received annually, whether and how frequently they receive requests for an accounting of disclosures for TPO, and to what extent such covered entities are choosing to provide individuals with an accounting of TPO disclosures made through an electronic health record based on the HITECH Act statutory requirement, even absent an implementing regulation. The Department also welcomes comment on the provider burden and costs to respond to a request for an accounting for both TPO disclosures and non-TPO disclosures.

8. § 2.26 Right to request privacy protection for records. The Department requests comment and data on the extent to which covered entities and Part 2 programs receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how entities and programs track such requests, and the procedures and mechanisms used to comply with patient requests to which they have agreed or that they are otherwise required to comply with by law.

9.
§ 2.31 Consent requirements. The Department requests comments on its proposals that would implement changes to § 2.31. Specifically, the Department requests comment on whether there are other changes that it should make to further align § 2.31 with the Privacy Rule using its general regulatory authority in section 3221(i)(1) of the CARES Act ‘‘to make such revisions to regulations as may be necessary for implementing and enforcements the amendments.’’ For example, the Department requests comment on the extent to which Part 2 programs segment out SUD treatment records considered ‘‘SUD counseling notes.’’ The Department requests comment on whether to propose special protection for SUD counseling notes to add a layer of regulatory protection that equates to the protection granted to psychotherapy notes in the Privacy Rule by requiring a separate written consent for their disclosure.176 The Department also solicits comment on the proposed changes to the consent requirements for entities that facilitate health information exchanges (i.e., intermediaries), particularly how they would affect the implementation of proposed changes to consent for TPO. The Department requests comment on whether, and to what extent, Part 2 programs currently act on an oral revocation of consent, and if so, whether and how this is documented or tracked.

10. § 2.32 Notice to accompany disclosure. The Department welcomes comment from Part 2 programs that are covered entities, and recipients of Part 2 records that are covered entities or business associates, on whether and how the proposed changes to the redisclosure permissions in § 2.32 are likely to reduce data segregation and positively affect the ability to provide treatment to patients with SUD and perform other beneficial activities.
Specifically, the Department seeks comment on whether the proposed changes alone would be sufficient to implement section 3221 of the CARES Act, or whether different or additional modifications to Part 2 would be more effective to promote integration of Part 2 records with PHI, reduce stigma for patients with SUD, and improve access to SUD treatment while maintaining the confidentiality of Part 2 records as required by 42 U.S.C. 290dd–2.

176 See e.g., 45 CFR 164.508(a)(2) requiring a covered entity to obtain written authorization prior to using or disclosing psychotherapy notes, subject to certain exceptions, and prohibiting the combining of an authorization to disclose psychotherapy notes with an authorization to disclose other types of PHI.

11. § 2.33 Uses and disclosures permitted with written consent. The Department requests comment on whether or how recipients of Part 2 records are informed that the records have been disclosed based on patient consent and the scope of the consent that is provided. Specifically, the Department welcomes data on how Part 2 programs and recipients of Part 2 records communicate information about the purpose of a disclosure or set of disclosures and the extent of the information communicated about the purpose or the scope of the disclosure permission, authorization, or mandate. Should the Department consider requiring Part 2 programs to provide a copy of the written patient consent when disclosing records? Should the Department consider requiring Part 2 programs, covered entities, and business associates to retain a copy of the written patient consent for a minimum period of time so that they can provide documentation of the consent to future recipients, or to the Secretary for purposes of investigating compliance with Part 2? Are programs already doing this?
To what extent would such requirements be useful to recipients of Part 2 records or impose a burden on programs? Additionally, should the Department require programs to inform an HIE when a patient revokes consent for TPO so that additional uses and disclosures by the HIE would not be imputed to the programs that have disclosed Part 2 records to the HIE? The Department also welcomes comments on the potential unintended negative effects on confidentiality and privacy from the combined application of the proposed disclosure permissions for TPO with consent under § 2.33, and the removal of § 2.53 protections for audit and evaluation activities that fall within the definition of health care operations, and suggested regulatory approaches.

12. § 2.52 Scientific research. The Department requests public comment on whether any Part 2 programs conduct research using their own Part 2 records. The Department also requests public comment regarding the application of the HIPAA de-identification standard to Part 2 records disclosed for research, as provided in the proposed modifications to § 2.52(a)(3), including any unintended adverse consequences that may result from this proposed change.

13. § 2.53 Management audits, financial audits, and program evaluation. The Department requests comment on its proposal to acknowledge within this section the applicable permission for use and disclosure of records for health care operations purposes based on written consent of the patient for all future uses and disclosures for TPO and the permission for the third party conducting such audit or evaluation activities to redisclose the records as permitted by the HIPAA Privacy Rule if the third-party recipient is a Part 2 program, covered entity, or business associate that is not acting as a health oversight agency.

14. Section 2.54 Disclosures for public health.
The Department requests comment on its proposal to permit disclosures only of de-identified records for public health purposes without patient consent.

15. Subpart E. The Department seeks comment on the set of proposals in §§ 2.3, 2.66, 2.67, and 2.68 to create a limitation on civil and criminal liability for investigative agencies that in good faith discover they have received Part 2 records before obtaining the required court order in the course of investigating or prosecuting a program, and the related requirement for agencies that make use of these provisions to submit a report to the Secretary.

Public Participation

The Department seeks comment on all issues raised by the proposed regulation, including any unintended adverse consequences. Because of the large number of public comments normally received on Federal Register documents, the Department is not able to acknowledge or respond to them individually. In developing the final rule, the Department will consider all comments that are received by the date and time specified in the DATES section of the Preamble. Because mailed comments may be subject to security delays due to security procedures, please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Any attachments submitted with electronic comments on www.regulations.gov should be in Microsoft Word or Portable Document Format (PDF). Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.
Regulatory Impact Analysis

The Department has examined the impact of the proposed rule as required by Executive Order 12866 on Regulatory Planning and Review, 58 FR 51735 (October 4, 1993); Executive Order 13563 on Improving Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); Executive Order 13132 on Federalism, 64 FR 43255 (August 10, 1999); Executive Order 13175 on Consultation and Coordination with Indian Tribal Governments, 65 FR 67249 (November 9, 2000); the Congressional Review Act, Public Law 104–121, sec. 251, 110 Stat. 847 (March 29, 1996); the Unfunded Mandates Reform Act of 1995, Public Law 104–4, 109 Stat. 48 (March 22, 1995); the Regulatory Flexibility Act, Public Law 96–354, 94 Stat. 1164 (September 19, 1980); Executive Order 13272 on Proper Consideration of Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the Assessment of Federal Regulations and Policies on Families, Public Law 105–277, sec. 654, 112 Stat. 2681 (October 21, 1998); and the Paperwork Reduction Act of 1995, Public Law 104–13, 109 Stat. 163 (May 22, 1995).

A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to, and reaffirms the principles, structures, and definitions governing regulatory review as established in, Executive Order 12866. This proposed rule is partially regulatory and partially deregulatory. The Department estimates that the effects of the proposed requirements for Part 2 programs would result in new costs of $19,364,667 within 12 months of implementing the final rule.
The Department estimates these first-year costs would be partially offset by $12,755,378 of first year cost savings, attributable to reductions in the need for Part 2 programs to obtain written patient consent for disclosures for treatment, payment, or health care operations (TPO) ($9.8 million); reductions in the need for covered entities, business associates, and Part 2 programs to obtain written patient consent for redisclosures ($2.5 million); and reductions in capital expenses for printing consent forms ($0.5 million). This is followed by net savings of $10,240,622 annually in years two through five, resulting from a continuation of first-year cost saving of $12.8 million per year, minus the estimated annual costs of $2.5 million primarily attributable to compliance with breach notification requirements. This results in overall net cost savings of $34,353,198 over 5 years for changes to 42 CFR part 2. In addition, the Department estimates that changes to 45 CFR 164.520 would result in new nonrecurring costs for covered entities that receive or maintain Part 2 records in the amount of $44,935,225. Combined, the proposed regulatory changes to Part 2 and the Privacy Rule would result in estimated total costs of $64,299,891 in the first year (approximately $19 million from Part 2 programs and $45 million from 45 CFR 164.520), followed by $2,514,756 of recurring annual costs in years two through five (from Part 2 programs), for a total of $74,358,914. This would be offset by an estimated annual savings of $12,755,378 for a total of $63,776,888 over five years. The combined result would be a net cost of $51,544,514 in the first year following the rule’s effective date, followed by annual net savings of $10,240,622, resulting in 5-year net cost of $10,582,027 for HIPAA covered entities and Part 2 programs.
The Department estimates that the private sector would bear approximately 60 percent of the costs, with state and federal health plans bearing the remaining 40 percent of the costs. All of the cost savings experienced from the first year through subsequent years would benefit Part 2 programs and covered entities. As a result of the economic impact, the Office of Management and Budget (OMB) has determined that this proposed rule is not an economically significant regulatory action within the meaning of section (3)(f)(1) of E.O. 12866; however, it is a significant regulatory action because it presents novel legal and policy issues. Accordingly, OMB has reviewed this proposed rule. The Department presents a detailed analysis below. Summary of the Proposed Rule This Notice of Proposed Rulemaking (NPRM) proposes to modify 42 CFR part 2 (‘‘Part 2’’) and 45 CFR 164.520 to implement changes required by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to further align Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules, and for clarity and consistency. Major proposals are summarized below: (1) § 2.1—Statutory authority for confidentiality of substance use disorder patient records. Revise § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd–2(g), especially with respect to court orders authorizing the disclosure of records. (2) § 2.2—Purpose and effect. Amend paragraph (b) of § 2.2 to reflect that § 2.3(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the Privacy Rule at 45 CFR 164.502(a)(2)(ii).
Add a new paragraph (b)(3) to this section to prohibit any limits on a patient’s right to request restrictions on use of records for treatment, payment, or health care operations (TPO) or a covered entity’s choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule. (3) § 2.3—Civil and criminal penalties for violations (proposed heading). Amend the heading and replace title 18 U.S.C. enforcement with references to the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the CMP tiers established by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and 1177 (criminal penalties),177 as implemented in the Enforcement Rule.178 Create a limitation on civil or criminal liability for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation of a program or other person holding Part 2 records by taking certain steps to determine whether a provider is subject to Part 2. (4) § 2.4—Complaints of violations. (proposed heading) Amend the heading and insert requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a requirement to establish a process for the Part 2 program to receive complaints, a prohibition against taking adverse action against patients who file complaints, and a prohibition against requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services. (5) § 2.11—Definitions. Add new terms and definitions to align with the following statutory and regulatory HIPAA terms: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use. 
Create new definitions for the terms Intermediary, Investigative agency, and Unsecured record, and modify the definitions of Informant, Part 2 program director, Patient, Program, Records, Third-party payer, Treating provider relationship, and Qualified service organization.
177 See Public Law 111–5, 123 Stat. 226 (February 17, 2009). Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) amended sections 1176 and 1177 of the Social Security Act (codified at 42 U.S.C. 1320d–5) to add civil and criminal penalty tiers for violations of the HIPAA Administrative Simplification provisions.
178 See 45 CFR part 160.
(6) § 2.12—Applicability. Replace ‘‘Armed Forces’’ with ‘‘Uniformed Services’’ in paragraph (c)(2) of § 2.12. Incorporate four statutory examples of restrictions on the use or disclosure of Part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Add language to qualify the term third-party payer with the phrase ‘‘as defined in this part.’’ Revise paragraph (e)(4)(i) to clarify when a diagnosis is not covered by Part 2. (7) § 2.13—Confidentiality restrictions and safeguards. Redesignate § 2.13(d) requiring a list of disclosures as new § 2.24 and modify the text for clarity. Amend the heading to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a Part 2 program. (8) § 2.14—Minor patients. Change the verb ‘‘judges’’ to ‘‘determines’’ to describe a program director’s evaluation and decision that a minor lacks decision making capacity. (9) § 2.15—Patients who lack capacity and deceased patients. (proposed heading) Revise to replace outdated language and refer instead to a lack of capacity to make health care decisions and add health plans to the list of entities to which a program may disclose records without consent.
(10) § 2.16—Security for records and notification of breaches. (proposed heading) Apply the HITECH Act breach notification provisions 179 that are currently implemented in the Breach Notification Rule to breaches of records by Part 2 programs and retitle the provision to include breach notification to implement CARES Act provisions. Modify the provision to refer to the Privacy Rule de-identification standard at 45 CFR 164.514.
179 Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term ‘‘Breach’’. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification provisions, discussed in detail below.
(11) § 2.19—Disposition of records by discontinued programs. Add an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs under the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Modernize the language to refer to ‘‘non-electronic’’ records and include ‘‘paper’’ records as an example of non-electronic records. (12) § 2.22—Notice to patients of federal confidentiality requirements. Modify the Part 2 confidentiality notice requirements (hereinafter, ‘‘Patient Notice’’) to align with the Notice of Privacy Practices (NPP) and address protections required by 42 U.S.C. 290dd–2, as amended by section 3221 of the CARES Act, for entities that create or maintain Part 2 records. (13) § 2.23—Patient access and restrictions on use and disclosure.
(proposed heading) Add the term ‘‘disclosure’’ to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation. (14) § 2.24—Requirements for intermediaries (redesignated and proposed heading). Retitle the redesignated section (to be moved from § 2.13(d)) as ‘‘Requirements for intermediaries’’ to clarify the responsibilities of recipients of records received under a consent with a general designation, such as health information exchanges, research institutions, accountable care organizations, and care management organizations. (15) § 2.25—Accounting of disclosures (proposed heading). Add this section to implement 42 U.S.C. 290dd–2(b)(1)(D), as amended by section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act right to an accounting of certain disclosures of records for up to three years prior to the date the accounting is requested and add a right to an accounting of disclosures of records that mirrors the standard in the Privacy Rule at 45 CFR 164.528. (16) § 2.26—Right to request privacy protection for records (proposed heading). Add this section to implement 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 164.522, namely: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient. (17) Subpart C—Uses and Disclosures With Patient Consent. (proposed heading) Change the heading of subpart C to ‘‘Uses and Disclosures With Patient Consent’’ to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C.
290dd–2(b), as amended by section 3221(b) of the CARES Act. (18) § 2.31—Consent requirements. Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated in a consent to use and disclose Part 2 records for TPO. (19) § 2.32—Notice to accompany disclosure (proposed heading). Change the heading of this section and align the content requirements for the required notice that accompanies a disclosure of records (hereinafter ‘‘notice to accompany disclosure’’) with the requirements of 42 U.S.C. 290dd–2(b), as amended by section 3221(b) of the CARES Act. (20) § 2.33—Uses and disclosures permitted with written consent (proposed heading). To align this provision with the statutory authority in 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act, replace the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO based on a single consent given once for all such future uses and disclosures, until such time as the patient revokes the consent in writing. Create redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent: (1) Permit a Part 2 program, covered entity, or business associate that receives Part 2 records pursuant to a written consent for TPO purposes to redisclose the records in any manner permitted by the Privacy Rule, except for certain legal proceedings against the patient; 180 and (2) Permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.
180 See 42 U.S.C. 290dd–2(b)(1)(B) and (2)(c).
(21) § 2.35—Disclosures to elements of the criminal justice system which have referred patients. For clarity, replace ‘‘individuals’’ with ‘‘persons’’ and clarify that permitted redisclosures of information are from Part 2 records. (22) Subpart D—Uses and Disclosures Without Patient Consent (proposed heading). Change the heading of subpart D to ‘‘Uses and Disclosures Without Patient Consent’’ to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd–2 as amended by the CARES Act. (23) § 2.51—Medical emergencies. For clarity in § 2.51(c)(2), replace the term ‘‘individual’’ with the term ‘‘person.’’ (24) § 2.52—Scientific research (proposed heading). Revise the heading of § 2.52 to reflect statutory language. To further align Part 2 with the Privacy Rule, replace the requirements to render Part 2 data in research reports non-identifiable with the Privacy Rule’s de-identification standard in 45 CFR 164.514. (25) § 2.53—Management audits, financial audits, and program evaluation (proposed heading). Revise the heading of § 2.53 to reflect statutory language. To support implementation of 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act, add a provision to acknowledge the permission for use and disclosure of records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a Part 2 program, covered entity, or business associate. (26) § 2.54—Disclosures for public health (proposed heading). Add a new § 2.54 to implement 42 U.S.C. 290dd–2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.
(27) Subpart E—Court Orders Authorizing Use and Disclosure (proposed heading). Change the heading of subpart E to reflect changes made to the provisions of this subpart related to the uses and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd–2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act. (28) § 2.61—Legal effect of order. Add the term ‘‘use’’ to clarify that the legal effect of a court order would include authorizing the use and disclosure of records, consistent with 42 U.S.C. 290dd–2(b) and (c), as amended by section 3221(e) of the CARES Act. (29) § 2.62—Order not applicable to records disclosed without consent to researchers, auditors, and evaluators. For clarity, replace the term ‘‘qualified personnel’’ with a reference to the criteria that define such persons. (30) § 2.63—Confidential communications. Revise paragraph (c) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd–2(c), as amended by section 3221(c) of the CARES Act. (31) § 2.64—Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes (proposed heading). Expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply 181 to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order. Add the term ‘‘uses’’ to the heading and in this section to align it with current statutory authority. (32) § 2.65—Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading).
Expand the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply 182 to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a Part 2 record in criminal legal proceedings against patients, absent consent or a court order. (33) § 2.66—Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a Part 2 program or the person holding the records. (proposed heading) Create requirements for investigative agencies to follow in the event they discover in good faith that they received Part 2 records before seeking a court order as required under § 2.66. (34) § 2.67—Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter. Add new criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b). (35) § 2.68—Report to the Secretary (proposed heading). Create new requirements for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of Part 2 records or placement of an undercover agent or informant as provided in § 2.66 and § 2.67. (36) 45 CFR 164.520—Notice of privacy practices for protected health information. Revise 45 CFR 164.520 to implement updates to the NPP to address Part 2 confidentiality requirements, as required by section 3221(i)(2) of the CARES Act. The proposed changes to Part 2 and 45 CFR 164.520 would create some estimated costs, and numerous and substantial estimated cost savings and anticipated benefits that the Department is unable to quantify but are described in depth below. 
These include improving the integration of SUD treatment with that of other health care by facilitating the integration of SUD treatment records with other medical records, reductions in paperwork for providers, and regulatory certainty. The Department estimates that the first-year costs for Part 2 programs will total approximately $19 million. These first-year costs are attributable to Part 2 programs training workforce members on the revised requirements ($12.4 million); capital expenses ($0.8 million); compliance with breach notification requirements ($1.5 million); updating Patient Notices and NPPs ($2.4 million); updating consent forms ($1.5 million); updating the notice to accompany disclosures ($0.6 million). It also includes nominal costs for responding to requests for privacy protection, providing accounting of disclosures, and $25,795 for investigative agencies to file reports to the Secretary. For years 2 through 5, the estimated annual costs of $2.5 million are primarily attributable to compliance with breach notification requirements and related capital expenses. Additionally, the Department estimates nonrecurring costs of $45 million for covered entities that receive or maintain Part 2 records due to updating the HIPAA NPP under 45 CFR 164.520. The Department estimates annual cost savings of $12.8 million per year, over 5 years, attributable to reductions in the need for Part 2 programs to obtain written patient consent for disclosures for TPO ($9.8 million), reductions in the need for covered entities and business associates to obtain written patient consent for redisclosures ($2.5 million), and reductions in capital expenses for printing consent forms ($0.5 million).183 The Department estimates net costs for Part 2 programs totaling approximately $6.6 million in the first year followed by net savings of approximately $10 million annually in years 2 through 5, resulting in overall net cost savings of approximately $34 million over 5 years. 
TABLE 1a—PART 2 ESTIMATED 5-YEAR COSTS AND COST-SAVINGS, UNDISCOUNTED, IN MILLIONS

Total Part 2 costs and cost-savings | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total
Costs: Total, Costs | $19 | $3 | $3 | $3 | $3 | $29
Cost-Savings: Total, Cost-savings | 13 | 13 | 13 | 13 | 13 | 64
Net (negative = savings) | 7 | (10) | (10) | (10) | (10) | (34)

181 See 42 CFR part 2, subpart E.
182 Id.
183 Totals in this Regulatory Impact Analysis may not add up due to showing rounded numbers in the tables.

TABLE 1b—ESTIMATED PART 2 AND HIPAA 5-YEAR COSTS AND COST-SAVINGS, UNDISCOUNTED, IN MILLIONS

Total regulatory costs and cost-savings | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total
Costs: Total, Costs | $64 | $3 | $3 | $3 | $3 | $74
Cost-Savings: Total, Cost-savings | 13 | 13 | 13 | 13 | 13 | 64
Net (negative = savings) | 52 | (10) | (10) | (10) | (10) | 11

2. Need for the Proposed Rule

On March 27, 2020, Congress enacted the CARES Act as Public Law 116–136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd–2, the statute that establishes requirements regarding the confidentiality and disclosure of certain records relating to SUD, and section 3221(i) of the CARES Act requires the Secretary to promulgate regulations implementing those amendments.184 With this NPRM, the Department proposes changes to Part 2 and 45 CFR 164.522 to implement section 3221 of the CARES Act, increase clarity, and decrease compliance burdens for regulated entities. The Department believes the proposed changes would reduce data segmentation within entities subject to the regulatory requirements promulgated under both HIPAA and Part 2. Significant differences in the permitted uses and disclosures of Part 2 records and protected health information (PHI) as defined under the Privacy Rule contribute to ongoing operational compliance challenges. For example, currently, entities subject to Part 2 must obtain specific written consent for most uses and disclosures of Part 2 records, including for TPO, while the Privacy Rule permits many uses and disclosures of PHI without authorization. Therefore, to comply with both sets of regulations, HIPAA covered entities subject to Part 2 must track and segregate Part 2 records from other health records (e.g., records that are protected under the HIPAA Rules but not Part 2).185 In addition, once PHI is disclosed to an entity not covered by HIPAA it is no longer protected by the HIPAA Rules. In contrast, Part 2 strictly limits redisclosures of Part 2 records by individuals or entities that receive a record directly from a Part 2 program or other ‘‘lawful holder’’ of patient identifying information, absent written patient consent.186 187 Therefore, any Part 2 records received from a Part 2 program or other lawful holder must be segregated or segmented from non-Part 2 records.188 The need to segment Part 2 records from other health records created data ‘‘silos’’ that hamper the integration of SUD treatment records into entities’ electronic record systems and billing processes, which in turn may impact the ability to integrate treatment for behavioral health conditions and other health conditions.189 Many stakeholders have urged the Department to take action to eliminate the need for such data segmentation,190 and the Department believes its proposals will reduce, but not completely eliminate, the need for data segmentation or tracking.

184 Section 3221(i) of the CARES Act requires implementation on or after the date that is 12 months after the enactment of the CARES Act, i.e., March 27, 2021.
185 For example, a clinic that provides general medical services, and has a unit specializing in SUD treatment that is a Part 2 program, would need to segregate its SUD records from other medical records, even for the same patient, to ensure that the SUD records are used and disclosed only as permitted by Part 2.
186 See 42 CFR 2.12(d)(2)(i)(C).
187 ‘‘Patient identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information. The term does not include a number assigned to a patient by a part 2 program, for internal use only by the part 2 program, if that number does not consist of or contain numbers (such as a social security, or driver’s license number) that could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.’’ 42 CFR 2.11. See also definition of ‘‘Disclose’’: ‘‘[T]o communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.’’ 42 CFR 2.11.
188 See 42 CFR 2.12(d)(2)(ii).
189 McCarty, D., Rieckmann, T., Baker, R.L., & McConnell, K.J. (2017). ‘‘The Perceived Impact of 42 CFR part 2 on Coordination and Integration of Care: A Qualitative Analysis.’’ Psychiatric Services (Washington, DC), 68(3), 245–249, https://doi.org/10.1176/appi.ps.201600138.
190 For example, the Ohio Behavioral Health Providers Network (Network) in an August 21, 2020 letter to SAMHSA, and the Partnership to Amend Part 2 in a similar January 8, 2021 letter to the U.S. Department of Health and Human Services (HHS), both urge that there should be no requirement for data segmentation or segregation after written consent is obtained and Part 2 records are transmitted to a health information exchange or care management entity that is a business associate of a covered entity covered by the new CARES Act consent language. In the letter, the Network states that such requirements are difficult to implement in federally qualified health centers and other integrated settings in which SUD treatment may be provided. See also public comments expressed and summarized in 85 FR 42986, https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records; and see https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.

3. Cost-Benefit Analysis Overview and Methodology

In comparison to the estimated number of HIPAA covered entities (774,331 191) the estimated number of Part 2 programs is very small (16,066 192) or just 2 percent of the number of covered entities. Because the number of Part 2 programs is so small, the Department includes the entire estimated number of Part 2 programs when estimating the projected costs and cost savings of the proposals in this NPRM, even though a percentage of Part 2 programs are already complying with HIPAA requirements because they are subject to both Part 2 and HIPAA. The Department requests comment on this approach and data on the number or proportion of Part 2 programs that are also HIPAA covered entities. This regulatory impact analysis (RIA) relies on the same data source used by SAMHSA for the estimated number of Part 2 programs in SAMHSA’s 2020 Information Collection Request (ICR) (‘‘Part 2 ICR’’) 193 and uses an updated statistic from that source. The NPRM also adopts the estimated number of covered entities used in the OCR’s 2021 ICR for the Privacy Rule NPRM (‘‘2021 HIPAA ICR’’), as well as its cost assumptions for many requirements of the HIPAA Rules, including breach notification activities.

191 See Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446, 6498 (January 21, 2021).
192 See Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N–SSATS): 2020. Data on Substance Abuse Treatment Facilities. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
193 85 FR 42986 (July 15, 2020).
When applying HIPAA cost assumptions to Part 2 programs, the Department multiplies the figures by 2 percent (.02), representing the number of Part 2 programs in proportion to the total number of covered entities. In some instances, the estimates historically used by OCR and SAMHSA for similar regulatory requirements were developed based on different methodologies, resulting in significantly different fiscal projections for some required activities. This RIA adopts OCR’s approach for those projected costs and cost savings. In addition to the quantitative analyses of the effects of the proposed regulatory modifications, the Department analyzes some benefits and burdens qualitatively; relatedly, there is uncertainty inherent in predicting the actions that a diverse scope of regulated entities might take in response to this proposed rule. The Department requests comment on the estimates, assumptions, and analyses contained herein—and any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA. For reasons explained more fully below, the proposed changes to the consent requirements for Part 2 programs and redisclosure permissions for covered entities and business associates would result in economic cost savings of approximately $63,776,888 over 5 years based on the proposed changes. The resulting net costs over 5 years are due to first year expenses including costs for some health plans to mail an updated NPP which would be finalized as part of a comprehensive HIPAA Privacy Rule.

TABLE 2—ACCOUNTING TABLE

Accounting table of estimated benefits and costs of all proposed changes, in millions | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total *
Costs: Undiscounted | $64 | $3 | $3 | $3 | $3 | $74
Costs: 3% Discount | 50 | 2 | 2 | 2 | 2 | 58
Costs: 7% Discount | 37 | 1 | 1 | 1 | 1 | 42
Cost Savings: Undiscounted | 13 | 13 | 13 | 13 | 13 | 64
Cost Savings: 3% Discount | 10 | 10 | 9 | 9 | 9 | 47
Cost Savings: 7% Discount | 7 | 7 | 6 | 6 | 6 | 33
NET (undiscounted) | | | | | | Costs $11

Non-quantified benefits and costs are described below.
* Totals may not add up due to rounding.

Baseline Assumptions

In developing its estimates of the potential costs and cost savings of the proposed regulation the Department relied substantially on recent prior estimates for modifications to this regulation 194 and the Privacy Rule 195 and associated ICRs. Specifically, the Part 2 ICR data previously approved under OMB control #0930–0092 informs the Department’s estimates with respect to proposed modifications to Part 2 provisions.196 However, for proposed Part 2 provisions that are based on provisions of the HIPAA Rules, and for proposed changes to 45 CFR 164.520, the Department relies on OCR’s HIPAA regulatory ICRs previously approved under OMB control #0945–0003 and updated consistent with OCR’s 2021 Privacy Rule NPRM.197 Because the Department lacks data to determine the percentage of Part 2 programs that are also subject to the HIPAA Rules, the Department assumes for purposes of this analysis that the proposed changes to Part 2 would affect all Part 2 programs equally—including those programs that are also HIPAA covered entities, and thus already are subject to requirements under the HIPAA Rules (e.g., breach notification) that the Department proposes to incorporate into Part 2.

194 See 83 FR 239 (January 3, 2018) and 85 FR 42986 (July 15, 2020).
195 86 FR 6446 (January 21, 2021).
196 85 FR 42986 (July 15, 2020).
197 84 FR 51604 (September 30, 2019). See also 86 FR 6446 (January 21, 2021).
Thus, this RIA likely overestimates the overall compliance burden on Part 2 programs posed by the proposals in this NPRM. In contrast, this RIA likely underestimates the cost savings of the NPRM. The estimated cost savings are primarily attributed to the reduction in the number of written patient consents that would be needed to use or disclose records for TPO and to redisclose them for other purposes permitted by the Privacy Rule. Because the Department lacks data to estimate the annual numbers of written patient consents and disclosures to covered entities, this RIA adopts an assumption that only three consents per patient are currently obtained per year (one each for treatment, payment, and health care operations) and only one half of such consents result in a disclosure of records to a HIPAA covered entity or business associate, for which consent would be no longer required to use or redisclose the record under the NPRM’s proposals. The Department requests comments on its assumptions and data to refine its estimates.

Part 2 Programs, Covered Entities, and Patient Population

The Department relies on the same source as the approved Part 2 ICR [198] as the basis for its estimates of the total number of Part 2 programs and total annual Part 2 patient admissions. Part 2 programs are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The Part 2 ICR’s estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N–SSATS), and the average number of annual total responses is based on the results of the average number of SUD treatment admissions from SAMHSA’s 2019 Treatment Episode Data Set (TEDS) as the number of patients treated annually by Part 2 programs, both approved under OMB Control No. 0930–0335.[199] In the 2020 data from N–SSATS, the number of Part 2 respondents was 16,066.[200] The TEDS data for SUD treatment admissions has been updated, so the Department relies on the 2019 statistic, as shown in the table below.

[198] 85 FR 42986 (July 15, 2020).
[199] 84 FR 787 (January 31, 2019).
[200] See Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N–SSATS): 2020. Data on Substance Abuse Treatment Facilities. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.

TABLE 3—PART 2 PROGRAMS, COVERED ENTITIES, AND PATIENTS

| Estimated number of part 2 programs | Total annual part 2 program admissions [201] | Estimated number of covered entities [202] | Total annual new patients [203] |
|---|---|---|---|
| 16,066 | 1,864,367 | 774,331 | 613,000,000 |

[201] Substance Abuse and Mental Health Services Administration, Center for Behavioral Health Statistics and Quality. Treatment Episode Data Set (TEDS): 2019. Admissions to and Discharges From Publicly Funded Substance Use Treatment. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35314/2019_TEDS_Proof.pdf.
[202] 86 FR 6446 (January 21, 2021).
[203] Id.

For purposes of calculating estimated costs and benefits the Department relies on mean hourly wage rates for occupations involved in providing treatment and operating health care facilities, as noted in the table below.

TABLE 4—OCCUPATIONAL PAY RATES

Occupational pay rates [a]

| Occupation code and title | Hourly wage rate × 2 [b] |
|---|---|
| 00–0000 All Occupations | $56.02 |
| 43–3021 Billing and Posting Clerks | 41.10 |
| 29–0000 Healthcare Practitioners and Technical Occupations | 87.60 |
| 29–9098 Health Information Technologists, Medical Registrars, Surgical Assistants, and Healthcare Practitioners and Technical Workers, All Other | 59.06 |
| 15–1212 Information Security Analysts | 108.92 |
| 23–1011 Lawyer | 142.34 |
| 13–1111 Management Analysts | 96.66 |
| 11–9111 Medical and Health Services Manager | 115.22 |
| 29–2098 Medical Records Specialist | 46.46 |
| 43–0000 Office and Administrative Support Occupations | 41.76 |
| 11–2030 Public Relations and Fundraising Managers | 127.70 |
| 21–1018 Substance Abuse, Behavioral Disorder, and Mental Health Counselors | 51.44 |
| 13–1151 Training and Development Specialist | 65.02 |
| 43–4171 Receptionist and Information Clerk | 31.64 |
| 15–1257 Web Developer and Digital Interface Designer | 91.80 |

[a] Bureau of Labor Statistics, U.S. Department of Labor, “Occupational Employment and Wages” May 2021, https://www.bls.gov/oes/current/oes_stru.htm.
[b] To incorporate employee benefits, these figures represent a doubling of the BLS mean hourly wage.

Qualitative Analysis of Non-Quantified Benefits and Burdens

The Department’s analysis focuses on primary areas of proposed changes that are likely to have an impact on regulated entities or patients. These are proposals to establish or modify requirements with respect to: enforcement and penalties, notification of breaches, consent for uses and disclosures, Patient Notice and the NPP, notice accompanying disclosure, requests for privacy protection, accounting of disclosures, audit and evaluation, disclosures for public health, and use and disclosure of records by investigative agencies.

In addition to these proposals, the Department believes the modifications to Part 2 that are proposed for clarification, readability, or consistency with HIPAA terminology, would have the unquantified benefits of providing clarity and regulatory certainty. The provisions that fall into this category and for which anticipated benefits are not discussed in-depth, are: §§ 2.1–2.2, 2.4 Statutory authority and enforcement; § 2.11 Definitions; § 2.12 Applicability; § 2.13 Confidentiality restrictions and safeguards; § 2.14 Minor patients; § 2.15 Patients who lack capacity and deceased patients; § 2.17 Undercover agents and informants; § 2.19 Disposition of records by discontinued programs; § 2.20 Relationship to state laws; § 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity; § 2.23 Patient access and restrictions on use and disclosure; § 2.24 Requirements for intermediaries; § 2.34 Uses and Disclosures to prevent multiple enrollments; § 2.35 Disclosures to elements of the criminal justice system which have referred patients; § 2.52 Scientific research; §§ 2.61–2.65 Court Orders Authorizing Use and Disclosure.

The Department provides its analysis of non-quantified benefits and burdens for the primary areas of proposed regulatory change below, followed by estimates and analysis of quantified benefits and costs in section (e).

§ 2.3—Civil and criminal penalties for violations (proposed heading).

The Department proposes to create limitations on civil and criminal liability for investigative agencies in the event they unknowingly receive Part 2 records in the course of investigating or prosecuting a Part 2 program or other person holding Part 2 records prior to obtaining the required court order under subpart E. This safe harbor would promote public safety by permitting agencies to investigate Part 2 programs and persons holding Part 2 records in good faith without risk of HIPAA/HITECH Act penalties. The liability limitations would be available only to agencies that could demonstrate reasonable diligence in attempting to determine whether a provider was subject to Part 2 before making a legal demand for records or placement of an undercover agent or informant. The proposed changes would benefit SUD providers, Part 2 programs, investigative agencies, and the courts, by encouraging agencies to seek information about a provider’s Part 2 status in advance and potentially reducing the number of instances where applications for good cause court orders are denied. Incentivizing investigative agencies to check whether Part 2 applies in advance of investigating a provider would benefit the court system, programs, public safety, patients, and agencies by enhancing efficiencies within the legal system, promoting the rule of law, and ensuring the Part 2 protections for records are utilized when applicable. The limitations on liability for investigative agencies may result in more disclosures of patient records to such agencies by facilitating investigations and prosecutions of Part 2 programs and lawful holders.
The Department believes that limiting the application of proposed § 2.3(b) to investigations and prosecutions of programs and holders of records, requiring non-identifying information in the application for the requisite court orders,[204] and keeping patient identifying information under seal [205] will provide strong and continuing protections for patient privacy while promoting public safety.

[204] See § 2.66 (requiring use of “John Doe”).
[205] See §§ 2.66 and 2.67.

§ 2.16 Security for records and notification of breaches (proposed heading).

The Department proposes to add notification of breaches to § 2.16 so that the requirements of 45 CFR 164.400 et seq., would apply to breaches of Part 2 records programs in the same manner as those requirements apply to breaches of PHI. Notification of breaches is a cornerstone element of good information practices because it permits affected individuals or patients to take steps to remediate harm, such as putting fraud alerts on their credit cards, checking their credit reports, notifying financial institutions, and informing personal contacts of potential scams involving the patient’s identity. It is difficult to quantify the value of receiving notification in comparison to the costs incurred in restoring one’s credit, correcting financial records, or the cost of lost opportunities due to loss of income or reduced credit ratings.[206] The benefit to the patient of learning about a breach of personally identifying information includes the opportunity for the patient to take timely action to regain control over their information and identity. The Department does not have data to predict how many patients will sign up for credit monitoring or other identity protections after receiving a notification of breach of their Part 2 records; however, the Department believes that the costs to patients of taking these actions [207] will be far outweighed by the savings of avoiding identity theft.[208] Requiring Part 2 programs to provide breach notification would ensure that patients of such programs are provided the same informational protections as patients that receive other types of health care services from HIPAA covered entities.

[206] See Preamble, Breach Notification for Unsecured Protected Health Information, 74 FR 42739, 42765–66 (August 24, 2009).
[207] See Alexandria White, “How much does credit monitoring cost?” CNBC (November 16, 2021), https://www.cnbc.com/select/how-much-does-credit-monitoring-cost/.
[208] See Kenneth Terrell, “Identity Fraud Hit 42 Million People in 2021,” AARP (April 7, 2022) (“[T]he average per-victim loss from traditional identity fraud [is] $1,551.”), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.

§ 2.22 Patient Notice & 45 CFR 164.520 (NPP).

Patients, Part 2 programs, and covered entities are all likely to benefit from proposed changes to more closely align the Patient Notice and NPP regulatory requirements, which would simplify their compliance with the two regulations. The Department proposes to establish for patients the right to discuss the Patient Notice with a person designated by the program as the contact person and to include information about this right in the header of the Patient Notice as proposed in the HIPAA NPRM.[209] These proposed changes would help improve a patient’s understanding of the program’s privacy practices and the patient’s rights with respect to their records. Even for patients who do not request a discussion under this proposal, knowledge of the right may promote trust and confidence in how their records are handled.

[209] See Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446 (January 21, 2021).

§ 2.25 Accounting of Disclosures (proposed heading).

Adding a requirement to account for disclosures for TPO through an electronic health record would benefit patients by increasing transparency about how their records are used and disclosed for those purposes. This proposed requirement could counterbalance concerns about loss of control that patients may experience as a result of the proposed changes to the consent process that would permit all future TPO uses and disclosures based on a single general consent. The data logs that Part 2 programs would need to maintain to create an accurate and complete accounting of TPO disclosures could also be beneficial for such programs in the event of an impermissible access by enabling programs to identify the responsible workforce member or other wrongful actor.

§ 2.26 Right to request privacy protection for records (proposed heading).

Adding a new right for patients to request restrictions on uses and disclosures of their records for TPO is likely to benefit patients by giving them a new opportunity to assert their privacy interests to program staff, to address patients’ concerns about who may see their records and what may be done with the information their records contain.
With respect to the right for patients to restrict disclosures to their health plan when patients have paid in full for services, patients will benefit by being shielded from potential harmful effects of some health plans’ restrictive coverage policies or other potential negative effects, such as employers learning of patients’ SUD diagnoses.[210] This right may also improve rates of access to SUD treatment because of patients’ increased trust that they have the opportunity to ensure that their records will remain within the Part 2 program. A limitation on the benefits of this right is that it is only available to patients with the means to pay privately for SUD treatment. Part 2 programs may benefit from increased frequency of patients paying in full out of pocket, which could decrease the time spent by staff in billing and claims activities. Part 2 programs also may benefit from increased patient trust in the programs’ protection of records.

[210] National Academies of Sciences, Engineering, and Medicine. (2016). Ending Discrimination Against People with Mental and Substance Use Disorders: The Evidence for Stigma Change. Washington, DC: The National Academies Press. doi: 10.17226/23442, https://www.nap.edu/23442; U.S. Department of Health and Human Services (HHS), Office of the Surgeon General, Facing Addiction in America: The Surgeon General’s Report on Alcohol, Drugs, and Health. Washington, DC: HHS, November 2016.

§ 2.31 Consent requirements and § 2.33 Uses and disclosures permitted with written consent (proposed heading).

The proposed changes to consent for Part 2 records are two-fold: changes to the required elements on the written consent form and a reduction in the instances where a separate written consent is needed (the process of obtaining consent).
Proposed changes to the consent form for alignment with the HIPAA authorization form would likely benefit Part 2 programs because they would employ more uniform language and concepts related to information use and disclosure. Such changes may particularly benefit Part 2 programs that are also subject to the HIPAA Rules, so staff do not have to compare and interpret different terms on forms that request the use or disclosure of similar types of information.

Permitting patients to sign a single general consent for all uses and disclosures of their record for TPO may carry both burdens and benefits to patients. Patients may benefit from a reduction in the amount of paperwork they must sign to give permission for routine purposes related to treatment and payment, and from associated reductions in time spent waiting for referrals, transfer of records among providers, and payment of health insurance claims. At the same time, patients may experience a sense of loss of control over their records and the information they contain when they lose the opportunity to make specific decisions about which uses and disclosures they would permit. In some instances, the reduced ability to make specific use and disclosure decisions could result in a greater likelihood of harm to reputation, relationships, and livelihood.

Part 2 programs would likely benefit from the efficiencies resulting from permitting a general consent for all TPO uses and disclosures by freeing staff from burdensome paperwork. In contrast, clinicians in Part 2 programs may find it harder to gain the therapeutic trust needed for patients to divulge sensitive information during treatment if patients become less confident about where their information may be shared and their ability to control those uses and disclosures. Some potential patients may avoid initiating treatment altogether, which would harm both patients and programs.
Covered entities and business associates would benefit markedly from the ability to follow only one set of federal regulations when making decisions about using and disclosing Part 2 records by streamlining processes and simplifying decision making procedures. Additionally, covered entities and business associates would no longer need to segregate SUD treatment data and could improve care coordination and integration of behavioral health with general medical treatment, resulting in comprehensive holistic treatment of the entire patient. In contrast, this proposal could also create a burden because covered entities and business associates subject to Part 2 may need to sort and filter Part 2 records for certain uses and disclosures, such as audit and evaluation activities that are health care operations, according to whether or not a patient consent for TPO has been obtained.

The Department seeks comment and specific data on the number and type of Part 2 programs that are also HIPAA covered entities or business associates. The Department also solicits comment and data on any concerns or questions Part 2 programs may have about how the information technology currently available to them can support implementation of either or both of these proposed provisions.

§ 2.32 Notice to accompany disclosure (proposed heading).

The proposed revisions to the notice accompanying each disclosure of Part 2 records made with written consent would benefit patients by ensuring that recipients of Part 2 records would be on notice of the expanded prohibition on use of such records against patients in legal proceedings even though uses and redisclosures for other purposes would be more readily permissible. Due to the proposed changes in redisclosure permissions for recipients of Part 2 records that are covered entities and business associates, the importance of the notice to accompany disclosure would increase.
Part 2 programs would benefit from having notice language that accurately reflects statutory changes in the privacy protections for records. Retaining the notice to accompany disclosure requirement would also ensure that certain protections for Part 2 records continue to “follow the record,” as compared to the Privacy Rule whereby protections are limited to PHI held by a covered entity or business associate.

§ 2.53 Management audits, financial audits, and program evaluation (proposed heading).

Programs that are also covered entities would benefit from the proposed changes that would clarify that the limits on use and disclosure for audit and evaluation purposes do not apply to covered entities and business associates to the extent these activities fall within the Privacy Rule disclosure permissions for health care operations. This benefit would provide regulatory flexibility for covered entities when Part 2 records are subject to audit or evaluation. In some instances, a third-party auditor or evaluator may also be a Part 2 program or a covered entity or business associate. As recipients of Part 2 records, such third parties would be permitted to redisclose the records as permitted by the Privacy Rule, with patient consent for TPO. This flexibility would not extend to government oversight audits and evaluations.

§ 2.54 Disclosures for public health (new provision).

The Department proposes to create a new permission to disclose de-identified records without patient consent for public health activities, consistent with statutory changes. This would benefit public health by permitting records to be disclosed that would address the opioid overdose crisis and other public health issues related to SUDs, and it would protect patient confidentiality because the permission is limited to disclosure of de-identified records.
§ 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records (proposed heading).

The Department proposes to specify the actions investigative agencies should take when they discover in good faith that they have received Part 2 records without obtaining the required court order, such as securing the records, ceasing to use or disclose the records, applying for a court order, and returning or destroying the records, as applicable to the situation. This proposal would provide the dual benefits of enabling agencies to move forward with investigations when they have unknowingly sought records from a Part 2 program and protecting patient privacy by ensuring agencies have clear responsibilities to continue protecting records even absent a court order. The proposal would limit the liability of investigative agencies that unknowingly obtain records without the necessary court order and increase agencies’ effectiveness in prosecuting programs. The minimal burden for exercising reasonable diligence before an unknowing receipt of Part 2 records is outweighed by the reduction in risk of a penalty for noncompliance. This analysis applies as well to § 2.67 below.

§ 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

The Department’s proposal would add a requirement for investigative agencies that seek a good cause court order after placement of an undercover agent or informant in a Part 2 program to first meet the reasonable diligence criteria in § 2.3(b). This requirement would ensure that agencies take basic actions to determine whether a SUD treatment provider is subject to Part 2 before seeking to place an undercover agent or informant with the provider.
Additionally, the reasonable diligence requirement would enhance patient privacy by ensuring that agencies consult available registries and visit websites or physical locations before placing agents in a position to access patients’ records. As discussed above in reference to § 2.66, this proposal would also have the benefit of enhancing public safety and aid courts to streamline the application process for court orders for the use and disclosure of records. § 2.68 Report to the Secretary (proposed heading). The Department’s proposal to require annual reports by investigative agencies concerning applications for court orders made after receipt of Part 2 records would benefit programs, patients, and investigative agencies by making data available about the frequency of investigative requests made ‘‘after the fact.’’ This requirement would benefit agencies and programs by highlighting the potential need for increased awareness about Part 2’s applicability. A program that makes its Part 2 status publicly known would benefit from the procedural protections afforded within the court order requirements of § 2.66 and § 2.67 in the event it becomes the target of an investigation. The proposed reporting requirement could also potentially serve as a deterrent to agencies from overly relying on the ability to obtain belated court orders instead of doing a reasonable amount of research to determine before making an investigative demand whether Part 2 applies. Any resulting reduction in unauthorized uses and disclosures of records could be viewed as a benefit by patients and privacy advocates. In contrast, investigative agencies could view the reporting requirement as an administrative burden requiring resources that otherwise could be used to pursue investigations. e. 
Estimated Quantified Cost Savings and Costs From Proposed Changes The Department has estimated quantified costs and cost savings likely to result from its proposed regulatory modifications for two core expense categories (capital expenses and workforce training) and seven substantive regulatory requirements. The remaining proposed regulatory changes are unlikely to result in quantifiable costs or cost savings, as explained following the discussion of projected costs and savings. Capital Expenses Capital expenses related to compliance with the proposed rule fall into two categories: notification of breaches and printing forms and notices. The Department’s estimates for capital costs related to providing breach notification are based on estimates from the HIPAA ICR multiplied by a factor of 0.02, representing the proportion of Part 2 programs as compared to covered entities (774,331 × 16,066 = .02). For example, for an estimated 58,482 annual breaches of PHI the Department calculates that there are 1,170 breaches of Part 2 records (58,482 × .02 = 1,170), and associated costs. Those costs are estimated on an ongoing annual basis because programs could experience a breach at any time that would require notification. TABLE 5a—ESTIMATED CAPITAL EXPENSES—BREACH NOTIFICATION Number of occurrences Breach notification activity Cost per occurrence Total costs Breach—Printing & Postage ........................................................................................................ Breach—Posting Substitute Notice ............................................................................................. Breach—Call Center .................................................................................................................... a 1,170 b $719.96 c 55 55 480.00 d 74.44 $842,091 26,362 4,088 Total Costs ........................................................................................................................... ........................ 
........................ 872,541 number of breaches of PHI in 2015 multiplied by a factor of .02 to represent breaches of Part 2 records (58,482 × .02). Department assumes that half of all affected individuals (half of 113,535,549 equals 56,767,775) would receive paper notification and half would receive notification by email. Therefore, on average, 971 individuals per breach will receive notification by mail. Further, the Department estimates that each mailed notice will cost $.06 for paper and envelope, $.08 for printing, and $.60 for postage. Accordingly, on average, the capital cost for mailed notices for each breach is $.74 for each of 971 notices, or $719.96. The Department accepts these assumptions for Part 2 breach notification costs as well. c The number of breaches requiring substitute notice equals all 267 large breaches and all 2,479 breaches affecting 10–499 individuals multiplied by .02 to represent breaches of Part 2 records (2,746 × .02). d This number includes $60 per breach for start-up and monthly costs, plus $.35 cents per call (at a standard rate of $.07 per minute for five minutes) for an average of 41.25 individual calls per breach. a Total lotter on DSK11XQN23PROD with PROPOSALS2 b The The Department’s estimate of the costs for printing revised consent forms is based on SAMHSA’s Part 2 ICR estimates for total annual patient admissions to Part 2 programs 211 at a rate of $0.10 per copy. Programs are already required to print forms and notices on an ongoing basis and no change to the number of such forms and notices is projected, so the Department has not added any new capital costs for printing the revised Patient Notice, NPP, 211 Substance Use Disorder Patient Records Supporting Statement A_06102020—OMB 0930– 0092, https://omb.report/omb/0930-0092. VerDate Sep<11>2014 19:56 Dec 01, 2022 Jkt 259001 and notice to accompany disclosures. 
However, the Department estimates that as a result of changes to the requirement to obtain consent for disclosures related to TPO, Part 2 programs and covered entities and business associates would experience cost savings from a significant reduction in the number of needed consent forms. The Department assumes that, on average, each patient’s treatment results in a minimum of three written consents obtained by Part 2 programs, one each for treatment, payment, and health care operations purposes. The proposed changes would result in an estimated decrease in the total number of consents by two-thirds because only one patient consent would be required to cover all TPO uses and disclosures. At an estimated cost of $0.10 per consent, for a total of 1,864,367 annual patient admissions, this would result in an annual cost savings to Part 2 programs of 3,728,734 fewer written consents, or $372,873. The Department requests comment on its assumption and welcomes data that may help refine its estimates.

Additionally, covered entities and business associates that receive Part 2 records would also experience a reduced need to obtain written patient consent or a HIPAA authorization because redisclosure under the Privacy Rule does not require patient consent or authorization for TPO and many other purposes. The Department lacks data to make a precise estimate of projected cost savings, but each patient record disclosed to a covered entity or business associate would potentially generate a savings based on eliminating the need for the recipient to obtain additional consent for redisclosure. The Department has adopted a low cost savings estimate that one-half of Part 2 annual admissions would result in receipt of Part 2 records by a covered entity or business associate that would no longer be required to obtain specific written patient consent to redisclose such record, representing an annual capital expense savings from printing 932,184 fewer consent forms. At a per-consent cost of $0.10,212 this would result in annual savings of $93,218. The savings related to the cost of staff time to obtain the patient consent are estimated and discussed separately in the section on consent below.

212 The Department relies on its estimated capital expenses for printing HIPAA breach notification letters. See 2021 HIPAA ICR, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.

TABLE 5b—ESTIMATED CAPITAL EXPENSE SAVINGS—PRINTING CONSENT FORMS

| Activity | Number of occurrences | Cost per occurrence | Total cost savings |
|---|---|---|---|
| Reduction in Consent Forms for Part 2 Programs | 3,728,734 | $0.10 | $372,873 |
| Reduction in Consent Forms for CEs & BAs | 932,184 | 0.10 | 93,218 |
| Total Annual Savings | | | 466,092 |

Training Costs

Although Part 2 does not expressly require training and the proposed rule would not require retraining, the Department anticipates that all Part 2 programs would choose to train their workforce members on the modified Part 2 requirements to ensure compliance. The Department estimates the potential costs that all Part 2 programs would incur to train staff on the changes to the confidentiality requirements if they are finalized as proposed. As indicated in the chart below, only certain staff would need to be trained on specific topics and each program would rely on a training specialist whose preparation time would also be accounted for. As compared to the proposed HIPAA Privacy Rule right to discuss privacy practices, the costs for training Part 2 counselors include a higher number of staff per program because Part 2 programs would have no required Privacy Officer who is already assigned similar duties and would be more likely to incur costs for developing a new training regimen. The Department of Labor, Bureau of Labor Statistics (BLS) last reported statistics for substance use and behavioral disorder counselors separate from mental health counselors in 2016, and substance use and behavioral disorder counselors represented 65 percent of the combined total. The Department thus calculates its estimate for the number of substance use and behavioral disorder counselors as 65 percent of the workers in the BLS occupational category for ‘‘substance abuse, behavioral disorder, and mental health counselors’’ and uses that as a proxy for the number of Part 2 program counselors that would require training on the new Patient Notice or NPP.213 The Department estimates that a total of $12 million in one-time new training costs would be incurred in the first year of the final rule’s implementation.

213 In 2021, that figure was 202,072 (310,880 × .65).

TABLE 6—ESTIMATED WORKFORCE TRAINING COSTS

| Training topics—staff member | Number of trainees | Time in training | Total training hours | Hourly wage rate | Total costs |
|---|---|---|---|---|---|
| Complaint Procedures & Nonretaliation—Manager | 16,066 | 0.75 | 12,049.50 | $115.22 | $1,388,343 |
| Breach Notification—Manager | 16,066 | 1 | 16,066.00 | 115.22 | 1,851,125 |
| Obtaining Consent—Receptionist | 32,132 | 0.5 | 16,066.00 | 31.64 | 508,328 |
| Patient Notices & Right to Discuss—SUD Counselor | a 202,072 | 0.25 | 50,518.00 | 51.44 | 2,598,646 |
| Requests for Restrictions—Receptionist, Medical Records, Billing Clerk | 48,198 | 0.25 | 12,049.50 | 39.73 | 478,767 |
| Accounting of Disclosures—Med. Records Specialist | 16,066 | 0.5 | 8,033 | 46.46 | 373,213 |
| Training Specialist’s Time | 16,066 | 5 | 80,330 | 65.02 | 5,223,057 |
| Total Training Costs | | | 167,354 | | 12,421,479 |

a This figure is the number of substance abuse and behavioral disorder counselors as a proxy for the number of Part 2 program counselors.

iii. Notification of Breaches

The Department estimates annual labor costs of $1.5 million to Part 2 programs for providing notification of breaches of unsecured records, including notification to the Secretary, affected patients, and the media, consistent with the requirements of the Breach Notification Rule. This estimate is derived from calculating two percent of the total estimated breach notification activities for covered entities and business associates under the Breach Notification Rule.214 Capital costs for providing breach notification are discussed separately in Table 5a above.

214 See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001. Wage rates are updated to 2021 figures.

TABLE 7—ESTIMATED COSTS OF BREACH NOTIFICATION

| Section of 45 CFR | Notification activity | Number of respondents | Total respondent costs |
|---|---|---|---|
| 164.404 | Individual Notice—Written and E-mail Notice (drafting) | a 1,170 | $51,230 |
| 164.404 | Individual Notice—Written and E-mail Notice (preparing and documenting notification) | 1,170 | 24,422 |
| 164.404 | Individual Notice—Written and E-mail Notice (processing and sending) | 1,170 | 758,452 |
| 164.404 | Individual Notice—Substitute Notice (posting or publishing) | b 55 | 5,042 |
| 164.404 | Individual Notice—Substitute Notice (staffing toll-free number) | 55 | 7,844 |
| 164.404 | Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information) | c 2,265 | 15,863 |
| 164.406 | Media Notice | d 5.34 | 510 |
| 164.408 | Notice to Secretary (notice for breaches affecting 500 or more individuals) | 5.34 | 510 |
| 164.408 | Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | e 1,164 | 48,621 |
| 164.414 | 500 or More Affected Individuals (investigating and documenting breach) | 5.34 | 30,764 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach)—affecting 10–499 | 50 | 45,701 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach)—affecting <10 | f 1,115 | 513,752 |
| Total | | | 1,502,711 |

a Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2 breaches.
b All 267 large breaches and all 2,479 breaches affecting 10–499 individuals (2,746) multiplied by .02.
c As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute notification (0.01 × 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches.
d The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches.
e The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches.
f 55,736 multiplied by .02.

iv. Patient Notice and NPP

The Department estimates a first-year total of $2.4 million in costs to Part 2 programs for updating the Patient Notice and the NPP, as applicable, and providing patients a right to discuss the program’s Patient Notice or NPP. Under the proposed modifications to § 2.22 and 45 CFR 164.520, as under the existing rules, a Part 2 program that is also a covered entity would only need to have one notice that meets the requirements of both rules, so the Department’s estimates are based on an unduplicated count of Part 2 programs, each one needing to update either its Patient Notice or its NPP. The Department’s estimate is based on the number of total entities and one hour of a lawyer’s time to update the notice(s), as detailed in Table 8. The Department anticipates that the changed requirements for the NPP under this proposed rule and the HIPAA NPRM 215 would become effective at the same time so that covered entities would only incur costs for printing, mailing, and posting a revised NPP one time. There would be no new costs for providers associated with distribution of the revised notice other than posting it on the entity’s website (if it has one), as providers have an ongoing obligation to provide the notice to first-time patients.
The Department bases the estimate on its previous estimates from the 2013 Omnibus Rule, in which the Department estimated approximately 613 million first time visits with health care providers annually.216 Health plans that post their NPP online would incur minimal costs by posting the updated notice, and then, including the updated NPP in the next annual mailing to subscribers.217 The Department estimates a potential increase in costs for health plans that do not post an NPP online or provide an annual mailing to subscribers. The increased costs would be associated with the requirement to mail an updated NPP to subscribers within 60 days of making a material change. The Department requests comments on the burdens on covered entity health plans of doing a separate mailing for the updated NPP if they are not subject to requirements in other law for an annual mailing, how many such entities there are, whether there should be an exception to allow entities to send it in the next three-year mailing, and any unintended adverse consequences for individuals of creating such an exception.

In addition to the costs of updating the Patient Notice and NPP, the Department estimates that programs would incur ongoing costs to implement the right to discuss a program’s Patient Notice or NPP calculated as 1 percent of all patients, or 18,644 requests, at the hourly wage of a substance abuse, behavioral disorder, and mental health counselor, as defined by BLS, for an average of 7 minutes per request or $111,887 total per year. The number of discussions is based on the same percentage of new patients as the parallel proposal in the HIPAA NPRM, which reflects the anticipated number of patients who would ask to speak with the identified contact person about the NPP or Patient Notice. It does not include the discussion that each counselor may have with a new patient about confidentiality in the clinical context which the Department views as part of treatment.

215 86 FR 6446.
216 78 FR 5675, https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
217 45 CFR 164.520(c)(1)(v)(A).

v. Accounting of Disclosures

The Department’s estimate of minimal annual costs to Part 2 programs for providing patients an accounting of disclosures is based on OCR’s estimates for covered entities to comply with the requirements in 45 CFR 164.528 multiplied by a factor of .02. This represents two percent of the total estimated requests for an accounting of disclosures under the Privacy Rule. The Department included this estimate in its calculations (detailed in Table 8), although it is negligible, due to the CARES Act mandate to include the requirement in Part 2. The responses to OCR’s 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care 218 indicated that covered entities and their business associates receive very few requests for an accounting of disclosures annually (a high of .00006).219 The Department is unable to estimate the additional burdens, if any, of offering these accountings in a machine readable or other electronic format (unless the individual requests otherwise). Further, the Department lacks specific information about the costs to revise electronic health record systems to generate a report of disclosures for TPO, other than they could be substantial.220 The Department asks for public comments or information that will help to estimate these burdens.

218 83 FR 64302 (December 14, 2018).
Requests for Privacy Protection for Records

The Department estimates that Part 2 programs would incur a total of $1,590 in annual costs arising from the right to request restrictions on disclosures. OCR’s HIPAA ICR estimate of costs for covered entities to comply with the parallel requirement under 45 CFR 164.522 represents a doubling of previous estimated responses from 20,000 to 40,000.221 However, costs remain low for compliance with this regulatory requirement, in part because the requirement to accept a patient’s request for restrictions is mandatory only for services for which the patient has paid in full; the cost of complying with a request not to disclose records or PHI to a patient’s health plan occurs in a context in which providers are saved the labor that would be needed to submit claims to health insurers. The details of the Department’s estimate are noted in Table 8.

Updated Consent Form

The Department estimates that each program would incur the costs for 40 minutes of a lawyer’s time to update its patient consent form for use and disclosure of records. This would result in an estimated total nonrecurring cost of approximately $1.5 million, to be incurred in the first year after publication of a final rule, as detailed in Table 8 below.

Updated Notice To Accompany Disclosures

The Department estimates that each program would incur the costs for 20 minutes of a health care manager’s time to update the regulatory notice that is to accompany each disclosure of records with written patient consent. The Department believes that a manager can accomplish this task, rather than a lawyer, because specific text for the notice to accompany disclosure is required and is included in the proposed regulation. For a total of 16,066 programs this would result in estimated total nonrecurring costs in the first year of the rule’s implementation of approximately $0.6 million as detailed in Table 8 below.
New Reporting to the Secretary

The proposed reporting requirement in proposed § 2.68 would be directed to those agencies that investigate and prosecute programs and holders of Part 2 records. Part 2 programs are subject to investigations for Medicare and Medicaid fraud and diversion of opioids used in medication assisted treatment (MAT). Medicaid and Medicare fraud investigations may involve both the Department of Justice (DOJ) and the HHS Office of the Inspector General (OIG). The Department estimates that these agencies conduct approximately 225 investigations of Part 2 programs annually. For fiscal years 2019 and 2020 the HHS OIG reported the number of end-of-year open enforcement cases as 159 and 191, respectively, for an average of 175 per year, and annual criminal convictions and civil settlements or penalties totaling 19 and 16, respectively, for an average of 18 annual cases.222 223 Open Medicaid Fraud Cases of SUD Providers at end of FY 2020 included 140 criminal and 51 civil settlements or penalties for a total of 191.224 At the end of FY 2019, the total was 159. Additionally, the Drug Enforcement Agency’s (DEA) Drug Diversion Division reported actions against 50 registrants in 2020. The Department adds this number to the average of 175 health fraud cases, for an estimate of 225 investigations annually. The Department assumes, as an overestimate, that all 225 cases targeted Part 2 programs and that all cases result in a required report under proposed § 2.68.

The burden on investigative agencies for annual reporting about unknowing receipt of Part 2 records prior to a court order would include the labor of gathering data and submitting it to the Secretary. As a proxy for this burden, the Department estimates that the labor would be equal to that of reporting large breaches of PHI under HIPAA which has been calculated at 1.5 hours per response at an hourly wage rate of $76.43 225 for a total estimated cost of $114.65 per response.
For an estimated 225 annual investigations this would result in a total cost of $25,794. This figure, albeit low, represents an overestimate because it assumes 100 percent of investigations would involve unknowing receipt of Part 2 records prior to seeking a court order. The Department assumes that the actual proportion of investigations falling within the reporting requirement would be less than 25 percent of cases, although it lacks data to substantiate this assumption, and welcomes comments and data to better inform all of the assumptions related to the estimated costs.

TABLE 8—ESTIMATED ANNUAL PART 2 COSTS IN FIRST YEAR OF IMPLEMENTATION

| Activity | Total responses | Hours per response | Total burden hours | Hourly wage rate | Total cost |
|---|---|---|---|---|---|
| 2.16 Breach Notification (from Table 7) | | | | | $1,502,714 |
| 2.22 Updating Patient Notice | 16,066 | 1 | 16,066 | $142.34 | 2,286,834 |
| 2.22 Right to Discuss | 18,644 | 0.12 | 2,175 | 51.44 | 111,887 |
| 2.25 Accounting of Disclosures | 100 | 0.05 | 5 | 46.46 | 232 |
| 2.26 Requests for privacy protection | 800 | 0.05 | 40 | 39.20 | 1,590 |
| 2.31 Consent—Updating Form | 16,066 | 0.67 | 10,711 | 142.34 | 1,524,556 |
| 2.32 Notice to Accompany Disclosures | 16,066 | 0.33 | 5,355 | 115.22 | 617,042 |
| 2.68 Report to the Secretary | 225 | 1.5 | 337.5 | 76.43 | 25,795 |
| Workforce Training (from Table 6) | | | | | 12,421,479 |
| Capital Expenses (from Tables 5a) | | | | | 872,541 |
| Total Annual Costs (first year) | | | | | 19,364,667 |

219 See generally, public comments posted in response to Docket ID# HHS–OCR–2018–0028, https://www.regulations.gov/document/HHS-OCR2018-0028-0001/comment.
220 Id.
221 86 FR 6446, 6498. See also 84 FR 51604.
222 HHS, Office of the Inspector General, Medicaid Fraud Control Units Fiscal Year 2020 Annual Report, Appendix C, Medicaid Fraud Control Unit Case Outcomes and Open Investigations by Provider Type and Case Type for Fiscal Year 2020, OEI–09–21–00120, March 2021, p. 25, https://oig.hhs.gov/oei/reports/OEI-09-2100120.pdf, (FY 2020 Medicaid fraud convictions and civil penalties against outpatient SUD treatment providers included 9 criminal convictions and 7 civil settlements, for a total of 16).
223 2019 Report, https://oig.hhs.gov/oei/reports/oei-09-20-00110.pdf, (FY 2019 Medicaid fraud convictions and civil penalties against outpatient SUD treatment providers included 4 criminal convictions and 14 civil settlements for a total of 18).
224 Id., Exhibit C2, p. 28.
225 This is a composite wage rate used in burden estimates for OCR’s breach notification Information Collection Request.

Proposed Changes Resulting in Negligible Fiscal Impact

§§ 2.1–2.4 Statutory authority and enforcement.
While civil enforcement of Part 2 by the Department may increase costs for Part 2 programs or lawful holders that experience a breach or become the subject of a Part 2 complaint or compliance review, the costs of responding to a potential violation are not calculated separately from the costs of complying with proposed new or changed regulatory requirements. Thus, the Department’s analysis does not estimate any program costs for the proposed changes to §§ 2.1 through 2.4 of 42 CFR part 2.

§ 2.11 Definitions.

Proposed changes to the regulatory definitions are not likely to create significant increases or decreases in burdens for Part 2 programs or covered entities and business associates. These entities, collectively, would benefit from the regulatory certainty resulting from clarification of terms; however, the proposed definitions are generally intended to codify current usage and understanding of the defined terms.

§ 2.12 Applicability.

The proposal to change ‘‘Armed Forces’’ to ‘‘Uniformed Services’’ in paragraph (c)(2) of § 2.12 is likely to result in only a negligible change in burden because this terminology is already in use in 42 U.S.C. 290dd–2. Adding ‘‘uses’’ and ‘‘disclosures’’ in several places provides clarity and consistency, but is unlikely to create quantifiable costs or cost savings. Adding the four express statutory restrictions on use and disclosure of records for court proceedings 226 in paragraph (d)(1) of this section will likely result in no significant burden change, as the restrictions on use and disclosure of records for criminal investigations and prosecutions of patients are already stringent and the ability to obtain a court order remains. Excluding covered entities from the restrictions applied to other ‘‘third-party payers’’ in paragraph (d)(2) of this section would reduce burden on covered entities that are health plans because they will be permitted to disclose records for a wider range of health care operations than under the current regulation. However, this burden reduction is similar to that for all covered entities under the proposed rule, so the Department has not estimated the costs or benefits separately from the effects of § 2.33, Uses and disclosures permitted with written consent.

226 See 42 U.S.C. 290dd–2(c).

§ 2.13 Confidentiality restrictions and safeguards.

The primary proposed change to this section is to remove paragraph (d) and redesignate it as § 2.24. Additionally, adding the term ‘‘use’’ to the circumstances when disclosures are permitted or prohibited provides clarification, but is unlikely to generate a change in burden associated with this provision.

§ 2.14 Minor patients.

The proposed changes to this section would clarify that a program director may clinically evaluate whether a minor has decision making capacity, but not issue a legal judgment to that effect. The proposals would also add ‘‘uses’’ to ‘‘disclosures’’ as the types of activities regulated under this section. None of the proposed changes would be likely to result in quantifiable burdens to Part 2 programs.

§ 2.15 Patients who lack capacity and deceased patients.

The Department’s proposed modification will replace outdated references to incompetence and instead refer to a lack of capacity to make health care decisions and will add ‘‘uses’’ to ‘‘disclosures’’ to describe the activities permitted when certain conditions are met. These clarifications and additions are unlikely to generate a change in burden that can be quantified, and thus they are not included in the Department’s calculation of estimated costs and cost savings.

§ 2.20 Relationship to state laws.

The Department proposes to add the term ‘‘use’’ to describe activities regulated by this section.
Similar to 42 CFR part 2, state laws impose restrictions on uses and disclosures related to SUD and the Department assumes programs subject to regulation by this part would be able to comply with Part 2 and the state law. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.

§ 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.

The Department replaced ‘‘disclosure and use’’ with ‘‘use and disclosure’’ to align the language of this section with that of the Privacy Rule. The edit does not require any changes to existing Part 2 requirements. The Department does not anticipate this proposed change would result in a quantifiable increase or decrease in burden.

§ 2.24 Requirements for intermediaries. (redesignated and proposed heading)

The Department estimates no change in burdens and benefits as a result of this regulatory clarification because no substantive change is intended.

§ 2.34 Uses and disclosures to prevent multiple enrollments.

The Department proposes to add the term ‘‘uses’’ to the heading and incorporate minor word changes and style edits for clarity. The edits do not require any changes to existing Part 2 requirements. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.

§ 2.35 Disclosures to elements of the criminal justice system which have referred patients.

The Department proposes to replace the term ‘‘individuals’’ with ‘‘persons,’’ clarify that permitted redisclosures of information are from Part 2 records, and make minor word and style edits for clarity. The edits do not require any changes to existing Part 2 requirements. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.
§ 2.52 Scientific research (proposed heading)

The Department considered whether the proposal to align the de-identification standard in § 2.52 (and throughout Part 2) with the Privacy Rule de-identification standard in 45 CFR 164.514 would significantly increase burden for Part 2 programs or result in any unintended negative consequences. The Department concluded that the proposed change would not significantly increase burden because a Part 2 program would need to follow detailed protocols to ensure that the current standard is met that are similar to the level of work needed to adhere to the Privacy Rule standard. Additionally, the proposal would ensure that all Part 2 programs are following similar standards for de-identification, which would benefit researchers when creating data sets from different Part 2 programs, by enabling them to populate the data sets with similar content elements.

§ 2.53 Management audits, financial audits, and program evaluation. (proposed heading)

The proposal to clarify that some audit and evaluation activities may be considered health care operations could be used by Part 2 programs, covered entities, and business associates to obtain records based on consent for health care operations and then such entities could redisclose them as permitted by the Privacy Rule. The Privacy Rule may allow these entities greater flexibility to use or redisclose the Part 2 records for permitted purposes as compared to the limitations contained in § 2.53 of Part 2. For Part 2 programs that are covered entities, this proposed change could result in burden reduction because they would not have to track the records used for audit and evaluation purposes as closely; however, the Department is without data to quantify the potential cost reduction.
For business associates, there would likely be no change in burden because they are already obligated by contract to only use or disclose PHI (which may be Part 2 records) as allowed by the agreement with the covered entity.

As discussed in preamble, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for Part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and Children’s Health Insurance Program (CHIP). The Department also intends that a government agency conducting activities that could fall within either § 2.53 or § 2.33 for health care operations would have the flexibility to choose which permission to rely on and would not have to meet the conditions of both sections. In the event that the agency is a covered entity that has received the records based on a consent for TPO, it could further redisclose the records as permitted by the Privacy Rule.

§ 2.54 Disclosures for public health. (proposed heading)

The Department does not believe that an express permission to disclose records to public health authorities without patient consent will impact burdens to a significant degree. While programs will likely experience a burden reduction from the lifting of a consent requirement, the permission may cause an increase in disclosures to public health authorities, resulting in a net impact of no change to burdens. Additionally, to the extent these disclosures are required by other law, the compliance burden is not calculated as a change caused by Part 2.

§§ 2.61–2.65 Procedures for court orders.
The Department lacks sufficient data to estimate the number of instances where the expanded scope of protection from use or disclosure of records against the patient in legal proceedings (including in administrative and legislative forums) would result in increased applications for court orders authorizing the disclosure of Part 2 records or testimony.

§ 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records. (proposed heading)

Proposed § 2.66(a)(3) provides specific procedures for investigative agencies to follow upon discovering after the fact that they are holders of Part 2 records, such as securing, returning, or destroying the records and optionally seeking a court order under subpart E. Although the existing regulation does not expressly require law enforcement agencies to return or destroy records that it cannot use in investigations or prosecutions against a program when it does not obtain the required court order, it requires lawful holders to comply with § 2.16 Security for records. The Department developed the proposed requirements in § 2.66(a)(3) (to return or destroy records that an investigative agency is unable to use or disclose in an investigation or prosecution) to parallel the existing requirements in § 2.16 for programs and lawful holders to establish policies for securing paper and electronic records, removing them, and destroying them. The proposed § 2.66 requirements to obtain a court order, or to return or destroy the records within a reasonable time (no more than 120 days from discovering it has received Part 2 records), would not significantly increase the existing burden for investigative agencies to comply with § 2.16.
The Department requests comment on these assumptions and data on the burden for complying within 120 days of discovering that an investigative agency has unknowingly received Part 2 records.

§ 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

Proposed § 2.67(c)(4) restricts an investigative agency from seeking a court order authorizing placement of an undercover agent or informant unless it has first exercised reasonable diligence as described by proposed § 2.3(b), which provides that steps such as checking an available prescription drug monitoring program (PDMP) or visiting the provider’s website or physical location to determine if it is providing SUD-related services shall presumptively constitute reasonable diligence. This provision serves as a prerequisite that would allow an investigative agency to continue placement of the undercover agent or informant in a Part 2 program by correcting an error of oversight if the investigative agency learns after the fact that the undercover agent or informant is in a Part 2 program and avoiding the risk of penalties for the violation. The Department anticipates that the burden for checking a PDMP or a program’s website or physical location to ascertain whether the program provides SUD treatment would be minimal, as these activities would normally be included in the course of investigating and prosecuting a program. The proposed requirement would merely shift the timing of these actions in some cases so that investigative agencies ensure they are completed prior to requesting court approval of an undercover agent or use of an informant.
The primary burden on investigative agencies would be to include a statement in an application for a court order after learning of the program’s Part 2 status after the fact, that the investigator or prosecutor first exercised reasonable diligence to determine whether the program provided SUD treatment. The burden for including this statement within an application for a court order is minimal and could consist of standard language used in each application. Thus, the Department has not calculated specific quantitative costs for compliance. The Department requests comment on the likely utilization of the proposed safe harbor involving undercover agents and informants.

f. Costs Borne by the Department

This rule would have a cost impact on HHS. HHS has the primary responsibility to assess the regulatory compliance of covered entities and business associates and Part 2 programs. This proposed rule would extend those responsibilities to Part 2 programs. In addition to promulgating the current regulation, HHS would be responsible for developing guidance and conducting outreach to educate the regulated community and the public. HHS also would be required to investigate and resolve complaints and compliance reviews as part of its expanded responsibility for Part 2 compliance and enforcements. The Department estimates that implementing the proposals would require two full-time policy employees (or contractors) at the OPM General Schedule (GS) GS–14 or equivalent level who will develop regulation, guidance, and national-level outreach.
Additionally, the Department estimates needing eight full-time employees (or contractors) for enforcement at a GS–13 or equivalent level to investigate, train investigators, and provide local outreach to regulated entities.227 The Department also estimates costs for hiring a contractor to create a breach portal or a Part 2 module for the existing HIPAA breach portal. The initial posting of such breaches is automated, and HHS currently pays a contractor approximately $13,000 annually to maintain the database to receive reports of breaches from covered entities. The Department estimates approximately $13,000 to hire a second contractor to maintain the database to receive reports of breaches from Part 2 programs. Additionally, HHS drafts and posts summaries of each large breach on the website at a labor cost of approximately $22,600 per year. To implement these policies, the Department estimates that initial Federal costs will be approximately $1,695,716 million. The Department estimates that based on the GS within grade step increases for each of the proposed GS–13 and GS–14 employees the Federal costs will be approximately $8,972,716 million over 5 years.

227 To determine the salary rate of the employees at the GS–13 and GS–14 pay scale, the Department used the U.S. Office of Personnel Management’s (OPM’s) General Schedule (GS) classification and pay system and used the Department’s General Schedule (Base) annual rates. The Department used the available 2021 data for the estimated costs. In 2021, the salary table for schedule GS–13, step 1 annual rate is $158,936, including $79,468 plus 100% for benefits and the GS–14, step 1 annual rate is $187,814, including $93,907 plus 100% for benefits. The Department estimated the costs over 5 years based on within-grade step increases based on an acceptable level of performance and longevity (waiting periods of 1 year at steps 1–3 and 2 years at steps 4–6).

Comparison of Benefits and Costs

TABLE 9a—PART 2 COSTS AND SAVINGS OVER 5-YEAR TIME HORIZON

Cost item | 5-Year costs | 5-Year savings
2.16 Breach Notice | $7,513,554 |
2.22 Patient Notice & Right to Discuss | 2,846,269 |
2.25 Accounting of Disclosures | 1,162 |
2.26 Requests for Restrictions | 7,948 |
2.31 Updating Consent Form | 1,524,556 |
2.32 Updating Disclosure Notice | 617,042 |
2.68 Reporting to the Secretary | 129,364 |
Training | 12,421,479 |
Capital Expenses | 4,362,706 | ($2,330,459)
Obtaining Consent | | (61,446,429)
Total | 29,424,093 | (63,776,888)
Net Savings/Costs | | (34,353,198)

TABLE 9b—PRIVACY RULE COSTS AND SAVINGS OVER 5-YEAR TIME HORIZON

Cost item | 5-Year costs | 5-Year set-off (savings)
45 CFR 164.520 NPP | $36,739,425 |
45 CFR 154.520 Capital Costs | 8,195,800 |
Total | 44,935,225 |
Net Savings/Costs | | ($44,935,225)

TABLE 9c—COMBINED PART 2 AND PRIVACY RULE COSTS AND SAVINGS OVER 5-YEAR TIME HORIZON

Cost item | 5-Year costs | 5-Year set-off (savings)
2.16 Breach Notice | $7,513,554 |
2.22 Patient Notice & Right to Discuss | 2,846,269 |
2.25 Accounting of Disclosures | 1,162 |
2.26 Requests for Restrictions | 7,948 |
2.31 Updating Consent Form | 1,524,556 |
2.32 Updating Disclosure Notice | 617,042 |
2.68 Reporting to the Secretary | 128,976 |
Training | 12,421,479 |
Capital Expenses (Part 2) | 4,362,706 | ($2,330,459)
Obtaining Consent | | (61,446,429)
45 CFR 164.520 NPP | 36,739,425 |
45 CFR 164.520 Capital Expenses | 8,195,800 |
Total | 74,359,318 | (63,776,888)
Net Savings/Costs | | 10,582,027

TABLE 10—NON-QUANTIFIED BENEFITS/COSTS FOR REGULATED ENTITIES AND PATIENTS

Regulatory changes | Costs | Benefits
Add notification of breaches of records by Part 2 programs in the same manner the Breach Notification Rule applies to breaches of PHI by covered entities. | | Increased opportunity for patients to take steps to mitigate harm. Would provide the same information protections to patients receiving SUD treatment as are afforded to patients that receive other types of health care services.
Change the consent form content requirements and reduce instances where a separate written consent is needed. | Potential loss to patients of opportunity to provide granular consent for each use and disclosure; potential to chill some patients’ willingness to access care. | Improved clarity and reduction of paperwork for patients, Part 2 programs, covered entities, and business associates.
Align the Patient Notice and the NPP | | Improved understanding of individuals’ rights and covered entities’ privacy practices.
Adding right to discuss program’s Patient Notice. | | Improved understanding of patients’ rights & programs’ confidentiality practices; improved access to care.
Change the content requirements for the notice accompanying disclosure. | | Increased knowledge by patients of the expanded prohibition on use of records against patients in legal proceedings. Improved coordination for certain protection for Part 2 records to ‘‘follow the record.’’
Add a new right for patients to request restrictions on uses and disclosures of their records for TPO. | | New opportunity for patients to assert their privacy interests to program staff; increased patient control through ability to prevent disclosures to their health plan when patient has paid in full for services. For Part 2 programs, likely increase in full payment by patients which would decrease staff time spent with billing and claims activities.
Add an accounting of disclosures for TPO | Potential increased costs to modify information systems to capture required data. | Increased transparency about how records and Part 2 information are disclosed for TPO.
Modifications for clarification, readability, or consistency with HIPAA terminology. | | Improved understanding by regulated entities, patients, and the public.
Limiting investigative agencies’ potential liability for unknowing receipt of Part 2 records. | | Increased awareness of Part 2 obligations for investigative agencies. Opportunity for investigative agencies to pursue action against Part 2 programs despite initial procedural errors.
Requiring investigative agencies to report annually to the Secretary if they seek to use records obtained prior to seeking a court order. | | Creates transparency and accountability for agencies’ use of Part 2 records in civil, criminal, administrative, and legislative proceedings.

4. Consideration of Regulatory Alternatives

The Department carefully considered several alternatives to the proposals in this NPRM. The Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered while developing the NPRM.

Definitions for ‘‘breach,’’ ‘‘health care operations,’’ ‘‘lawful holder,’’ and ‘‘third-party payer.’’

Breach. The Department considered adopting only the first sentence of the HIPAA definition of breach in the introductory text of the paragraph and not the remainder of the definition. The Department considered that the HIPAA definition, which includes exclusions from the term breach (i.e., unintentional access, inadvertent disclosure, disclosure based on good faith belief that an unauthorized recipient would not reasonably have been able to retain the information) did not offer a parallel level of protection to Part 2 records as is intended by its overall structure of requiring consent for most disclosures. However, due to the amount of overlap between the types of entities that must comply with both Part 2 and the HIPAA Rules, the Department decided to adopt the HIPAA breach definition in its entirety. Congress was aware of the Breach Notification Rule when it passed the CARES Act, so the Department assumes that Congress intended to apply the full scope of the definition to Part 2 records.
The Department welcomes comments on any unintended negative consequences of this approach and how any alternative approaches could be implemented consistent with Congressional intent. Health care operations. The Department considered including the ‘‘Sense of Congress’’ in section 3221(k)(4) of the CARES Act, which states that the definition of health care operations shall have the same meaning as provided in the HIPAA Rules except that clause (v) of paragraph (6) shall not apply. This would have had the effect of excluding from the HIPAA disclosure and redisclosure permissions the use of records for fundraising. In contrast, the Department also considered not including the Sense of Congress in any provision of the proposed rule. This would have narrowly hewed to the statutory amendment mandated by section 3221 of the CARES Act without acknowledging Congressional intent. Instead, the Department proposed to add an opt-in approach for fundraising activities in the requirements for a written consent proposed at § 2.31(a)(5). The Department similarly is proposing in § 2.22 and 45 CFR 164.520 to require that programs and covered entities provide notice to a patient that the use and disclosure of records for such activities may be made only with the patient’s written consent. The Department welcomes comments on any unintended adverse consequences of this approach and how any alternative approaches could be implemented consistent with statutory authority and Congressional intent. Lawful holder. Although not required by the CARES Act, the Department considered proposing a new regulatory definition for the term ‘‘lawful holder,’’ which is not currently defined in Part 2. 
The definition would be drawn from the Department’s descriptions of lawful holders in previous Part 2 proposed and final rule preambles.228 In particular, the Department considered whether the definition was needed to distinguish the category of records recipients that includes covered entities, business associates, qualified service organizations, and other components of the health care system from other types of recipients of records based on a written patient consent for purposes of applying different requirements to the different categories. SAMHSA has described a lawful holder as ‘‘an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a notice to accompany disclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.’’ 229 Further, § 2.33(a) provides that a valid consent may name any person or category of persons: ‘‘If a patient consents to a disclosure of their records under § 2.31, a [P]art 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.’’ Taken together, the description of lawful holder and provision on consent mean that any person who receives records pursuant to a valid consent could be considered a lawful holder, and thus subject to the Part 2 requirements that apply to lawful holders. The Department is concerned that some of the restrictions and obligations placed on lawful holders are not appropriate to apply across all types of persons who receive Part 2 records pursuant to a consent.

228 See 81 FR 6988; See also 82 FR 6052.
For example, a patient’s family member who receives a record based on consent could not be reasonably expected to develop policies and procedures for securing records. To address this concern, the Department considered proposing a definition that would exclude certain types of persons, such as those who are acting in their capacity as private citizens (rather than in a professional or official capacity as part of the health care system or government authority, for example). The Department also considered a definition that would expressly include only covered entities, Part 2 programs, any person conducting diagnosis, treatment, or referral for treatment, billing or payment, and any other purpose related to a patient’s enrollment or participation in a Part 2 program. However, the Department is concerned that inserting a new definition in regulatory text may inadvertently exclude persons who rightfully should be subject to Part 2 requirements and restrictions that apply to both Part 2 programs and lawful holders. The Department has considered that a small minority of recipients of Part 2 records based on a patient’s consent may not be properly subject to regulatory requirements that apply only to Part 2 programs and lawful holders. For example, it is unclear how the Department would enforce organizational requirements, such as policies and procedures, against some persons who receive records based on written consent, such as natural persons who are family members of a patient and are not acting in any professional or official capacity.

229 82 FR 6052, 6068.
Therefore, rather than propose a regulatory definition or create an enforcement exception, the Department instead asks for comment on what would be reasonable to expect of a person who is a lawful holder, but not a covered entity, business associate, or qualified service organization with respect to protecting records against unauthorized use and disclosure or security threats. The Department requests comment on whether it would be appropriate to include a definition of lawful holder—and, if so, what persons should be considered lawful holders.

Third-party payer. The Department considered removing the term ‘‘third-party payer’’ from the regulations because the definition is limited to entities with a contractual obligation to pay for Part 2 services, many of which are covered entity health plans to whom Part 2 redisclosure restrictions will no longer apply. Upon further consideration, the Department determined that some Part 2 programs may be paid based on a contractual obligation between the payer and the patient, but by entities other than a health plan. Retaining a narrower definition of third-party payer rather than removing the definition entirely would ensure that the restrictions on redisclosure are maintained for any third-party payers that are not covered entities. The Department welcomes data on how many and what types of third-party payers are not covered entities.

Exception for reporting suspected abuse and neglect. The Department considered expanding the exception under § 2.12(c)(6) for reporting suspected child abuse and neglect to include reporting suspected abuse and neglect of adults. Such an expansion would be consistent with the Privacy Rule permission to report abuse, neglect, or domestic violence at 45 CFR 164.512(c), and could be beneficial for vulnerable adults, such as persons who are incapacitated or otherwise are unable to make health care decisions on their own behalf. However, § 2.12(c)(6), under the authority of 42 U.S.C.
290dd–2, limits the reporting of abuse and neglect to reporting child abuse and neglect as required by State or local law. Further, section (c) of the authorizing statute also restricts uses of records in criminal, civil, or administrative contexts, which could include investigations by a protective services agency, for example, unless pursuant to a court order or with the patient’s consent. Therefore, the Department determined that expanding the exception under § 2.12(c)(6) to include reporting abuse and neglect of adults would exceed the statutory authority.

Security of records and notification of breaches. The Department considered retaining the current language in § 2.16(a)(1)(v) with respect to ‘‘non-identifiable’’ information and adding a reference to the Privacy Rule standard with the phrase ‘‘as consistent with 45 CFR 164.514.’’ Upon consideration, the Department decided instead to insert text from the Privacy Rule de-identification standard and a reference to 45 CFR 164.514 to more closely align the two sets of regulations. The Department also considered further harmonizing Part 2 and the HIPAA Rules by applying the Security Rule, or components of it, to Part 2 programs and other lawful holders with respect to electronic Part 2 records. The Security Rule contains standards and implementation specifications for securing electronic PHI that are consistent with industry best practices, and the implementation of robust security safeguards can prevent many breaches of patients’ Part 2 records. However, the CARES Act did not make the Security Rule applicable to Part 2 programs. Therefore, the Department believes it does not have statutory authority to the Security Rule to encompass Part 2 programs that are not covered entities or business associates.
The Department requests comment on this interpretation and on whether the Part 2 security provisions should be modified to incorporate additional or different safeguards consistent with the Security Rule.

Patient Notice and NPP. The Department considered proposing more limited modifications to the Patient Notice in § 2.22 to narrowly address only those changes specifically identified in section (i)(2) of the CARES Act, without incorporating into the Patient Notice other aspects of the NPP. However, the Department determined that greater alignment between the requirements of the Patient Notice and NPP would create more consistency in notices among Part 2 programs and other types of health care providers, and thus more consistency in patients’ understanding and expectations regarding their rights and regulated entities’ duties with respect to their Part 2 records.

Adding a requirement for notification of TPO consent. The Department considered adding a requirement to § 2.32 to require Part 2 programs to notify the recipient that a record is being disclosed to them pursuant to a global consent for TPO or whether it is a more limited consent. The Department considered how this might help covered entities to avail themselves of the new redisclosure permissions enacted into the CARES Act by section 3221(b) so that they would be aware when they could redisclose a record according to the HIPAA Rules. However, the Department determined that this would be unduly burdensome on Part 2 programs. The Department requests comment on this alternative and the extent to which covered entities that receive Part 2 records are aware of the purpose of the disclosure and how that information is conveyed between programs and covered entity recipients of Part 2 records.
Adding a new definition for ‘‘confidential communications.’’ The Department considered adding a new definition for ‘‘confidential communications’’ as an alternative modification to § 2.63 (confidential communications). Specifically, the Department considered whether to propose incorporating in regulatory text a preamble description of ‘‘confidential communications’’ from prior Part 2 rulemaking, which describes the term as ‘‘the essence of those matters to be afforded protection’’ and ‘‘highly sensitive communication.’’ 230 The Department did not propose this approach as it is only used in one specific context and a new definition would likely create unnecessary complexity without improving understanding of the regulatory requirements.

Creating limitations on liability for investigative agencies’ unknowing receipt of Part 2 records. The Department considered creating an enforceable requirement for Part 2 programs to notify investigative agencies of the applicability of Part 2 when presented with an investigative demand for records, but deemed this an unnecessary burden on programs. Instead, the Department created prerequisites for investigative agencies to meet before they could benefit from liability protection, and thus avoided any increased burden on programs.

230 52 FR 21801 (June 9, 1987).

5. Request for Comments on Costs and Benefits

The Department requests public comment on all the estimates, assumptions, and analyses within the cost-benefits analysis, including the costs to regulated entities and patients. The Department also requests comments on any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA.
The Department also requests comments on whether there may be other indirect costs and benefits resulting from the proposed changes in the proposed rule and welcomes additional information that may help quantify those costs and benefits.

B. Regulatory Flexibility Act

The Department has examined the economic implications of this proposed rule as required by the Regulatory Flexibility Act (5 U.S.C. 601–612). If a rule has a significant economic impact on a substantial number of small entities, the Regulatory Flexibility Act (RFA) requires agencies to analyze regulatory options that would lessen the economic effect of the rule on small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines ‘‘small entities’’ as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population. Because 90 percent or more of all health care providers meet the SBA size standard for a small business or are nonprofit organizations, the Department generally treats all health care providers as small entities for purposes of performing a regulatory flexibility analysis. The SBA size standard for health care providers ranges between a maximum of $8 million and $41.5 million in annual receipts, depending upon the type of entity. The projected costs and savings are discussed in detail in the regulatory impact analysis (section 3a). This proposed rule would create average net costs for regulated entities (Part 2 programs and covered entities), many of which are small entities, and the proposed changes are needed to implement required statutory changes. As its measure of significant economic impact on a substantial number of small entities, HHS uses a threshold for the size of the impact of 3 to 5 percent.
The total costs from this rule are estimated to be $10,582,027, spread across 774,331 small entities. The average cost per small entity over 5 years is equal to $13.67, and we do not believe that this threshold will be reached by the requirements in this proposed rule. Therefore, the Secretary certifies that this proposed rule would not result in a significant negative impact on a substantial number of small entities.

C. Unfunded Mandates Reform Act

Section 202(a) of The Unfunded Mandates Reform Act of 1995 (UMRA) requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending that may result in expenditures in any one year of $100 million in 1995 dollars, updated annually for inflation. In 2021, that threshold is approximately $158 million. The Department does not anticipate that this proposed rule would result in the expenditure by state, local, and tribal governments, taken together, or by the private sector, of $158 million or more in any one year. The proposals, however, present novel legal and policy issues, for which the Department is required to provide an explanation of the need for this proposed rule and an assessment of any potential costs and benefits associated with this rulemaking in accordance with Executive Orders 12866 and 13563. The Department presents this analysis in the preceding sections.

D. Executive Order 13132—Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. The Department does not believe that this rulemaking would have any federalism implications.
The federalism implications of the Privacy, Security, Breach Notification, and Enforcement Rules were assessed as required by Executive Order 13132 and published as part of the preambles to the final rules on December 28, 2000,231 February 20, 2003,232 and January 25, 2013.233 Regarding preemption, the preamble to the final Privacy Rule explains that the HIPAA statute dictates the relationship between state law and Privacy Rule requirements, and the Rule’s preemption provisions do not raise federalism issues. The HITECH Act, at section 13421(a), provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements. The Federalism implications of Part 2 were assessed and published as part of the preamble to proposed rules on February 9, 2016.234 The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise consent forms, policies and procedures, providing notification in the event of a breach of Part 2 records and drafting, printing, and distributing Patient Notices or NPPs for individuals with first-time health encounters. The regulatory impact analysis above addresses these costs in detail. In considering the principles in and requirements of Executive Order 13132, the Department has determined that these proposed modifications to the Privacy Rule would not significantly affect the rights, roles, and responsibilities of the States.

E. Assessment of Federal Regulation and Policies on Families

Section 654 of the Treasury and General Government Appropriations Act of 1999 235 requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. The Department believes that these regulations would positively impact the ability of patients and families to coordinate treatment and payment for health care, particularly for families to participate in the care and recovery of their family members experiencing SUD treatment, by aligning the permission for covered entities and business associates to use and disclose records disclosed to them for TPO purposes with the permissions available in the Privacy Rule. The Department does not anticipate negative impacts on family well-being as a result of this regulation or the separate rulemaking as described.

F. Paperwork Reduction Act of 1995

Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104–13), agencies are required to submit to the Office of Management and Budget (OMB) for review and approval any reporting or record-keeping requirements inherent in a proposed or final rule, and are required to publish such proposed requirements for public comment. The PRA requires agencies to provide a 60-day notice in the Federal Register and solicit public comment on a proposed collection of information before it is submitted to OMB for review and approval. To fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:
1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency’s estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

231 65 FR 82462, 82797.
232 68 FR 8334, 8373.
233 78 FR 5566, 5686.
234 81 FR 6987, 7012.
235 Public Law 105–277, 112 Stat. 2681 (October 21, 1998).
The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department explicitly seeks, and will consider, public comment on its assumptions as they relate to the PRA requirements summarized in this section. To comment on the collection of information or to obtain copies of the supporting statements and any related forms for the proposed paperwork collections referenced in this section, email your comment or request, including your address and phone number to Sherrette.Funn@hhs.gov, or call the Reports Clearance Office at (202) 690–6162. Written comments and recommendations for the proposed information collections must be directed to the OS Paperwork Clearance Officer at the above email address within 60 days. As discussed below, the Department estimates a total program burden associated with all proposed Part 2 changes of 565,029 hours and $43,911,857, including capital costs and one-time burdens, across all 16,066 Part 2 programs for 1,864,367 annual patient admissions. On average, this equates to an annual burden of 35 hours and $2,733 per Part 2 program and 0.30 hours and $24 per patient admission. Excluding one-time costs that would be incurred in the first year of the final rule’s implementation, the average annual burden would be 22 hours and $1,704 per Part 2 program and 0.19 hours and $15 per patient admission. In addition to program burdens, the Department’s proposals would increase burdens on investigative agencies for reporting annually to the Secretary in the collective amount of 338 hours of labor and $25,795 in costs. This would result in a total burden for Part 2 of 565,367 hours in the first year after the rule becomes effective and 350,172 annual burden hours thereafter.
Further, due to the proposed changes to 45 CFR 164.520, covered entities may need to update their NPP in order to comply with the documentation requirements of 45 CFR 164.530. Section 164.530 contains the administrative requirements for covered entities, including documenting training of personnel, updating policies and procedures, and updating the NPP in accordance with changes in the law.236 Due to these proposals, the burden for respondent covered entities to comply with the requirements of the suite of HIPAA Rules (Privacy, Breach Notification, Security, and Enforcement) would increase by 258,110 burden hours. In this NPRM, the Department is revising certain information collection requirements and, as such, is revising the information collection last prepared in 2020 and previously approved under OMB control #0930–0092. The Department is also revising the NPP information collection requirements in OCR’s HIPAA ICR previously approved under OMB control #0945–0003. The estimated burdens of these proposed changes are shown in the tables that follow.

1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2

The Department presents, in separate tables below, revised estimates for existing burdens (Table 11), previously unquantified ongoing burdens (Table 12), new ongoing burdens of the proposals (Table 13), and new one-time burdens of the proposals (Table 13).

TABLE 11—ANNUALIZED ESTIMATES OF CURRENT BURDENS *

| Part 2 provision | Type of respondent | Respondents | Responses per respondent | Total responses | Average time per response (hours) | Total burden hours |
|---|---|---|---|---|---|---|
| 2.22 | Patient Notice | a 1,864,367 | 1 | 1,864,367 | 0.021 | 38,841 |
| 2.31 | Obtaining Consent for TPO Disclosures | 1,864,367 | 1 | 1,864,367 | 0.0833 | 155,364 |
| 2.36 | PDMP b Reporting | c 16,066 | 176.03 | 2,828,0501 | 0.0333 | 94,268 |
| 2.51 | Documenting Emergency Tx. Disclosure | 16,066 | 2 | 32,132 | 0.167 | 5,355 |
| 2.52 | Disclosures for Research—Elec. | d 125,845 | 1 | 125,845 | 0.083 | 10,487 |
| 2.52 | Disclosures for Research—Paper | e 13,983 | 1 | 13,983 | 0.250 | 3,496 |
| 2.53 | Disclosures for Audit & Eval.—Elec. | f 125,845 | 1 | 125,845 | 0.083 | 10,487 |
| 2.53 | Disclosures for Audit & Eval.—Paper | g 13,983 | 1 | 13,983 | 0.250 | 3,496 |
| Total Ongoing Burdens, Currently Approved 237 | | | | 6,868,571 | | 321,794 |

* Not all decimal places are shown.
a Number of annual Part 2 program admissions as a proxy for total number of patients.
b For more information about PDMPs, see https://store.samhsa.gov/product/In-Brief-Prescription-Drug-Monitoring-Programs-A-Guide-forHealthcare-Providers/SMA16-4997.
c Total number of Part 2 programs.
d Estimated number of research disclosures made electronically.
e Estimated number of research disclosures on paper.
f Estimated number of disclosures for audit and evaluation made electronically.
g Estimated number of disclosures for audit and evaluation made on paper.

As shown in Table 11, the Department is adjusting the currently approved burden estimates to reflect an increase in the number of Part 2 programs, from 13,585 to 16,066. The respondents for this collection of information are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N–SSATS), which represents an increase of 2,481 programs from the 2017 N–SSATS which was the basis for the approved ICR under OMB No. 0930–0335.
The average number of annual total responses is based on the results of the average number of SUD treatment admissions from SAMHSA’s 2019 Treatment Episode Data Set (TEDS) as the number of annual patient admissions by part 2 programs (1,864,367 patients). To accurately reflect the number of disclosures, the Department based some estimates on the number of patients (or a multiple of that number) and then divided by the number of programs to arrive at the number of responses per respondent. The Department based other estimates on the number of programs and then multiplied by the estimated number of disclosures to arrive at the total number of responses. The estimate in the currently approved ICR includes the time spent with the patient to obtain consent and the time for training for counselors.238 The Department is now estimating the time for obtaining consent separately from the burden of training time and applies an average of 5 minutes per patient admission for obtaining consent. For § 2.31, § 2.52, and § 2.53, the Department is separating out estimates for each provision which were previously reported together and is also adjusting the estimates. For § 2.31, the Department believes that disclosures with written consent for TPO are made for 100 percent of patients; due to the proposed changes to the consent requirements, the Department assumes that programs would experience a decreased burden from an average of 3 consents per admission to 1 consent. The Table above reflects 1 consent for each of the 1,864,367 annual patient admissions (used as a proxy for the estimated number of patients) and a time burden of 5 minutes per consent for a total of 155,364 burden hours. The previously unacknowledged burden of obtaining multiple consents for each patient is shown in Table 12, below. The Department previously estimated that for § 2.31 (consent), § 2.52 (research), and § 2.53 (audit and evaluation) combined, programs would need to disclose an average of 15 percent of all patients’ records (1,864,367 records × .15 = 279,655 disclosures). The Department is adjusting its estimates to reflect that 15 percent of patients would have records disclosed without consent for research and audits or evaluations and that this would be divided evenly between the two provisions, resulting in 7.5% of 1,864,367 records (or approximately 139,828 disclosures) for § 2.52 disclosures and the same for § 2.53 disclosures. The Department previously estimated that 10 percent of disclosed records would be disclosed in paper form while the remaining 90 percent would be disclosed electronically. The time burden for disclosing a paper record is estimated as 15 minutes and the time for disclosing an electronic record as 5 minutes. For Part 2 programs using paper records, the Department expects that a staff member would need to gather and aggregate the information from paper records, and manually track disclosures; for those Part 2 programs with a health IT system, the Department expects records and tracking information will be available within the system.

236 See 45 CFR 164.530(i)(3).
237 This refers to approved information collections; however, the burden hours shown are adjusted for the NPRM.
238 The Department estimated that the amount of time for disclosure to a patient ranged from a low of 3–5 minutes to a high of almost 38 minutes; the approximately 12 minute estimate used to estimate burden reflected a judgment about the time needed to adequately comply with the legal requirements and for basic training of counselors on the importance of patient confidentiality.
For § 2.36, the Department used the average number of opiate treatment admissions from SAMHSA’s 2019 TEDS (565,610 admissions) and assumed the PDMP databases would need to be accessed and reported once initially and quarterly thereafter for each patient (565,610 × 5 = 2,828.050). Dividing the number of opiate treatment admissions by the number of SUD programs results in an average of 35.21 patients per program (565,610 patients ÷ 16,066 programs) and 176.03 PDMP updates per respondent (35.21 patients/program × 5 PDMP updates per patient). Based on discussions with providers, the Department believes accessing and reporting to PDMP databases would take approximately 2 minutes per patient, resulting in a total annual burden of 10 minutes (5 database accesses/updates × 2 minutes per access/update) or 0.166 hours annually per patient. For § 2.51, the time estimate for recordkeeping for a clerk to locate a patient record, record the necessary information and re-file the record is 10 minutes.

TABLE 12—ANNUALIZED ESTIMATE OF PREVIOUSLY UNQUANTIFIED BURDEN

| Part 2 provision | Type of respondent | Respondents | Responses per respondent | Total responses | Average time per response (hours) | Total burden hours |
|---|---|---|---|---|---|---|
| 2.31 | Obtaining Consent | a 1,864,367 | 2.5 | 4,660,918 | 0.083 | 388,410 |

a Annual number of Part 2 program admissions as a proxy for number of Part 2 patients.

As shown in Table 12, for § 2.31 the Department is recognizing for the first time the burden on programs to obtain multiple consents for each patient annually. The Department estimates that for each patient admission to a program a minimum of 3 consents is needed for disclosures of records: one each for treatment, payment, and health care operations (1,864,367 × 3).
As shown in Table 11, a burden is already recognized for obtaining consent, but the estimate assumed only one consent per admission under the existing regulation and it was combined with estimates for disclosures without consent under § 2.52 (research) and § 2.53 (audit and evaluation). The Department believes its previous calculations underestimated the numbers of consents obtained annually, and thus the Department views its updated estimate (i.e., adding two consents per patient annually) as acknowledging a previously unquantified burden. Additionally, recipients of Part 2 records that are covered entities or business associates must obtain consent for redisclosure of these records. The Department estimates an average of one-half of patients’ records are disclosed to a covered entity or business associate that needs to redisclose the record with consent (1,864,367 × .5), and this also represents a previously unquantified burden. Together, this would result in an increase of 2.5 consents annually per patient. However, this would be offset by the changes proposed in this NPRM which would result in a reduction in the number of consents by 2.5 per patient, thus resulting in no change from the currently approved burden of 1 consent per patient.

TABLE 13—ANNUALIZED ESTIMATES FOR PROPOSED NEW BURDENS

| Type of respondent | Number of respondents | Number of responses per respondent | Total responses | Average burden hours per response | Total burden hours |
|---|---|---|---|---|---|
| Individual Notice—Written and E-mail Notice (drafting) | a 1,170 | 1 | 1,170 | 0.5 | 585 |
| Individual Notice—Written and E-mail Notice (preparing and documenting notification) | 1,170 | 1 | 1,170 | 0.5 | 585 |
| Individual Notice—Written and E-mail Notice (processing and sending) | 1,170 | 1,941 | b 2,270,271 | 0.008 | 18,162 |
| Individual Notice—Substitute Notice (posting or publishing) | 55 | 1 | 55 | 1 | 55 |
| Individual Notice—Substitute Notice (staffing toll-free number) | c 55 | 1 | 55 | d 3.42 | 188 |
| Individual Notice—Substitute Notice (individuals’ voluntary burden to call toll-free number for information) | e 2,265 | 1 | 2,265 | f .125 | 283 |
| Media Notice | g 5 | 1 | 5 | 1.25 | 7 |
| Notice to Secretary (notice for breaches affecting 500 or more individuals) | 5 | 1 | 5 | 1.25 | 7 |
| Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | h 1,164 | 1 | 1,164 | 1 | 1,164 |
| 500 or More Affected Individuals (investigating and documenting breach) | i 5 | 1 | 5.34 | 50 | 267 |
| Less than 500 Affected Individuals (investigating and documenting breach)—affecting 10–499 | j 50 | 1 | 49.58 | 8 | 397 |
| Less than 500 Affected Individuals (investigating and documenting breach)—affecting <10 | k 1,115 | 1 | 1,114.72 | 4 | 4,459 |
| Right to Discuss Patient Notice or NPP | l 18,644 | 1 | 18,644 | 0.12 | 2,175 |
| Accounting for Disclosures of Part 2 Records | m 100 | 1 | 800 | 0.05 | 5 |
| Rights to Request Restrictions | n 800 | 1 | 800 | 0.05 | 40 |
| Report to the Secretary | o 225 | 1 | 225 | 1.5 | 338 |
| Total | | | 2,297,574 | | 28,378 |

a Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2 breaches.
b Average number of individuals affected per breach incident reported in 2015 (113,513,562) multiplied by .02.
c All 267 large breaches and all 2,479 breaches affecting 10–499 individuals (2,746) multiplied by 02.
d This assumes that 10% of the sum of (a) all individuals affected by large breaches in 2015 (113,250,136) and (b) 5% of individuals affected by small breaches (0.05 × 285,413 = 14,271) will require substitute notification. Thus, the Department calculates 0.10 × (113,250,136 + 14,271) = 11,326,441 affected individuals requiring substitute notification for an average of 4,125 affected individuals per such breach. The Department assumes that 1% of the affected individuals per breach requiring substitute notice annually will follow up with a telephone call, resulting in 41.25 individuals per breach calling the toll-free number. The Department assumes that call center staff will spend 5 minutes per call, with an average of 41 affected individuals per breach requiring substitute notice, resulting in 3.42 hours per breach spent answering calls from affected individuals.
e As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute notification (0.01 × 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches.
f This number includes 7.5 minutes for each individual who calls with an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes for the call itself.
g The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches.
h The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches.
i 267 multiplied by .02.
j 2,479 multiplied by .02.
k 55,736 multiplied by .02.
l The Department estimates that 1 percent of all patients annually would request a discussion of the Patient Notice for an average of 7 minutes per discussion, calculated as .01 × 1,864,367 at the hourly wage of a SUD counselor.
m The Department estimates that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their PHI multiplied by .02 to represent the number of requests from patients for an accounting from Part 2 patients.
n The Department doubled the estimated number of requests for confidential communications or restrictions on disclosures of PHI per year (to 40,000) due to the effect of the broadened TPO consent and related redisclosure permission and multiplied it by .02 to represent requests from Part 2 patients.
o Estimated number of investigations of programs, used as a proxy for the instances an investigative agency would be in receipt of a record prior to obtaining the required court order.

In Table 13 above, the Department shows an annualized new hourly burden of approximately 28,378 hours due to proposed regulatory requirements for breach notification, accounting of disclosures of records, responding to patient’s requests for restrictions on disclosures, discussing the Patient Notice, and required reporting by investigative agencies. These burdens would be recurring. The estimates represent 2 percent of the total estimated by the Department for compliance with the parallel HIPAA requirements for covered entities. This percentage was calculated by dividing the total number of covered entities by the number of Part 2 programs (16,066/771,334 = .02).
The Department recognizes that this is an overestimate because an unknown proportion of Part 2 programs are also covered entities. The total in Table 13 also includes the Department’s estimates for a recurring annual burden on investigative agencies of 338 hours, relying on previous estimates for the burden of reporting breaches of PHI to the Secretary at 1.5 hours per report.

TABLE 14—ESTIMATES FOR PROPOSED NONRECURRING NEW BURDENS

| Type of respondent | Number of respondents | Number of responses per respondent | Total responses | Average burden hours per response | Total burden hours |
|---|---|---|---|---|---|
| 2.04 Complaint Procedures & Nonretaliation—Training (manager) | a 16,066 | 1 | 16,066 | 0.75 | 12,050 |
| 2.16 Breach Notice—Training (manager) | 16,066 | 1 | 16,066 | 1 | 16,066 |
| 2.22 Patient Notice, incl. right to discuss—Training (counselor) | 202,072 | 1 | 202,072 | 0.25 | 50,518 |
| 2.22 Updating Patient Notice (lawyer) | 16,066 | 1 | 16,066 | 1 | 16,066 |
| 2.25 Accounting of Disclosures—Training (med. records specialist) | 16,066 | 1 | 16,066 | 0.5 | 8,033 |
| 2.26 Requests for Restrictions—Training (receptionist, medical records, & billing) | 16,066 | 3 | 48,198 | 0.25 | 12,050 |
| 2.31 Updating Consent Form (lawyer) | 16,066 | 1 | 16,066 | 0.66 | 10,711 |
| 2.31 Obtaining Consent—Training (receptionist) | 16,066 | 2 | 32,132 | 0.5 | 16,066 |
| 2.32 Updating Notice to Accompany Disclosure (manager) | 16,066 | 1 | 16,066 | 0.333 | 5,355 |
| Training Specialist’s Time | 16,066 | 1 | 16,066 | 5 | 80,330 |
| Total | | | 394,862 | | 215,195 |

a Estimated total number of Part 2 programs.

As shown in Table 14, the Department estimates one-time burden increases as a result of proposed changes to § 2.16, § 2.22, § 2.31, and § 2.32 and due to proposed new provisions § 2.25 and § 2.26. The proposed nonrecurring burdens are for training staff on the proposed provisions and for updating forms and notices. The Department estimates that each program would need 5 hours of a training specialist’s time to prepare and present the training for a total of 80,330 burden hours. For § 2.16, the Department estimates that each program would need to train 1 manager on breach notification requirements for 1 hour, for a total of 16,066 burden hours.
For § 2.22, the Department estimates that each program will need 1 hour of a lawyer’s time to update the content of the Patient Notice (for a total of 16,066 burden hours) and 15 minutes to train 202,072 Part 2 counselors on the new Patient Notice and right to discuss the Patient Notice requirements (for 50,518 total burden hours). For § 2.25, the Department estimates that each program would need to train a medical records specialist on the requirements of proposed accounting of disclosures requirements for 30 minutes, resulting in a total burden of approximately 8,033 hours. For § 2.26, the Department estimates that each program would need to train three staff (a front desk receptionist, a medical records technician, and a billing clerk (16,066 Part 2 programs × 3 staff)) for 15 minutes each on the right of a patient to request restrictions on disclosures for TPO. The base wage rate is an average of the mean hourly rate for the three occupations being trained. This would total approximately 12,050 burden hours. For § 2.31, each program would need 40 minutes of a lawyer’s time to update the consent to disclosure form (for a total of approximately 10,711 burden hours) and 30 minutes to train an average of 2 front desk receptionists on the changed requirements for consent (for a total of approximately 16,066 burden hours). For § 2.32, the Department estimates that each program would need 20 minutes of a health care manager’s time to update the content of the notice to accompany disclosure with the changed language provided in the proposed regulations, for a total of approximately 5,355 burden hours. This is likely an over-estimate because an alternative, short form of the notice is also provided in regulation, and the language for that form is unchanged such that programs that are using the short form notice could continue using the same notice and avoid any burden increase.

2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

TABLE 15—CAPITAL EXPENSES FOR PART 2 ACTIVITIES *

| 45 CFR breach section | Cost elements | Number of breaches | Average cost per breach | Total breach cost |
|---|---|---|---|---|
| 164.404 | Individual Notice—Postage, Paper, and Envelopes | 1,170 | $719.95 | $842,091.28 |
| 164.404 | Individual Notice—Substitute Notice Media Posting | 55 | 480.00 | 26,361.60 |
| 164.404 | Individual Notice—Substitute Notice—Toll-Free Number | 55 | 74.44 | 4,088.24 |
| Total Breach | | | | 872,541.12 |

| Part 2 section | Activity | Number of notices | Average cost per notice | Total notice cost |
|---|---|---|---|---|
| 2.22 | Printing Patient Notice | 932,184 | 0.10 | $93,218.35 |
| 2.31 | Printing Consent Form | 932,184 | 0.10 | 93,218.35 |
| 2.32 | Printing Notice to Accompany Disclosure | 186,437 | 0.10 | 18,643.67 |
| Total Part 2 Forms | | | | 205,080.37 |
| Total Capital Costs | | | | 1,077,621.49 |

* Not all decimal places are shown.

As shown above in Table 15, Part 2 programs would incur new capital costs for providing breach notification.
The table also reflects existing burdens for printing the Patient Notice, the Notice to Accompany Disclosure, and Consents. The Department has estimated 50 percent of forms used would be printed on paper, taking into account the notable increase in the use of telehealth services for the delivery of SUD treatment and the expectation that the demand for telehealth will continue.239

239 See Molfenter T, Roget N, Chaple M, Behlman S, Cody O, Hartzler B, Johnson E, Nichols M, Stilen P, Becker S, Use of Telehealth in Substance Use Disorder Services During and After COVID–19: Online Survey Study, JMIR Ment Health 2021;8(2):e25835, https://mental.jmir.org/2021/2/e25835.

3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520

TABLE 16—NEW NONRECURRING BURDENS OF COMPLIANCE FOR 45 CFR 164.520
[As required by 45 CFR 164.530]

| Privacy rule section | Type of respondent | Number of respondents | Number of responses per respondent | Total responses | Average burden hours per response | Total burden hours |
|---|---|---|---|---|---|---|
| 164.530 | Administrative Requirements—Policies & Procedures—Revising the Notice of Privacy Practices, 164.520. | a 774,331 | 1 | 774,331 | b .333 | 258,110 |
| Total | | | | 774,331 | | 258,110 |

a Total number of covered entities.
b Not all decimal places are shown.
As shown in Table 16, above, the Department proposes increasing the estimated number of covered entities from 700,000 to 774,331 due to updating the estimated total number of covered entities, consistent with its estimates associated with the HIPAA NPRM published on January 21, 2021.240 The Department also proposes adding one new burden element for covered entities to update the NPP as required by 45 CFR 164.530 to include the proposed revisions to 45 CFR 164.520. This burden estimate is primarily applicable to covered entities that receive or maintain Part 2 records because the burdens for covered entities that create Part 2 records (i.e., that are Part 2 programs) are addressed in the Part 2 ICR, discussed above. However, the Department recognizes this likely overestimates the overall compliance burden on covered entities because some covered entities may not receive or maintain Part 2 records and may find the Part 2 NPP language is not applicable. The Department estimates that each covered entity that is not a Part 2 program would incur the burden of 20 minutes of a lawyer’s time to evaluate how the modifications may apply to them and to update the NPP accordingly. The Department estimates 258,110 total one-time burden hours in the first year attributable to the proposed changes to 45 CFR 164.520 in this NPRM and no additional burden thereafter.

240 See Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446.

List of Subjects

42 CFR Part 2

Administrative practice and procedure, Alcoholism, Administrative practice and procedure, Alcohol use disorder, Breach, Confidentiality, Courts, Drug abuse, Electronic information system, Grant programs—health, Health, Health care, Health care operations, Health care providers, Health information exchange, Health plan, Health records, HIPAA, HITECH Act, Hospitals, Investigations, Medicaid, Medical research, Medicare, Part 2, Part 2 programs, Patient rights, Penalties, Privacy, Reporting and record keeping requirements, Security measures, Substance use disorder, SUD.

45 CFR Part 164

Administrative practice and procedure, Breach, Confidentiality, Courts, Drug abuse, Electronic information system, Health, Health care, Health care operations, Health information exchange, Health plan, Health records, HIPAA, HITECH Act, Hospitals, Individual rights, Investigations, Medicaid, Medical research, Medicare, Part 2, Patient rights, Penalties, Privacy, Reporting and record keeping requirements, Security measures, Substance use disorder, SUD.

Proposed Rule

For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend 42 CFR part 2 and 45 CFR part 164 as set forth below:

Title 42—Public Health

PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

■ 1. Revise the authority citation for part 2 to read as follows:

Authority: Sec. 408 of Pub. L. 92–255, 86 Stat. 79, as amended by sec. 303(a), (b) of Pub. L. 93–282, 83 Stat. 137, 138; sec. 4(c)(5)(A) of Pub. L. 94–237, 90 Stat. 244; sec. 111(c)(3) of Pub. L. 94–581, 90 Stat. 2852; sec. 509 of Pub. L. 96–88, 93 Stat. 695; sec. 973(d) of Pub. L. 97–35, 95 Stat. 598; and transferred to sec. 527 of the Public Health Service Act by sec. 2(b)(16)(B) of Pub. L. 98–24, 97 Stat. 182 and as amended by sec. 106 of Pub. L. 99–401, 100 Stat. 907 (42 U.S.C. 290ee–3) and sec. 333 of Pub. L. 91–616, 84 Stat. 1853, as amended by sec. 122(a) of Pub. L. 93–282, 88 Stat. 131; and sec. 111(c)(4) of Pub. L. 94–581, 90 Stat. 2852 and transferred to sec. 523 of the Public Health Service Act by sec. 2(b)(13) of Pub. L. 98–24, 97 Stat. 181 and as amended by sec. 106 of Pub. L. 99–401, 100 Stat. 907 (42 U.S.C. 290dd–3), as amended by sec. 131 of Pub. L. 102–321, 106 Stat. 368, (42 U.S.C. 290dd–2), as amended by sec. 3221 of Pub. L. 114–136.

■ 2. Revise § 2.1 to read as follows:

§ 2.1 Statutory authority for confidentiality of substance use disorder patient records.

Title 42, United States Code, section 290dd–2(g) authorizes the Secretary to prescribe regulations to carry out the purposes of section 290dd–2. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection 290dd–2(b)(2)(C), as in the judgment of the Secretary are necessary or proper to effectuate the purposes of section 290dd–2, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

■ 3. Amend § 2.2 by revising paragraphs (a) introductory text, (a)(2), (a)(3), (a)(4), (b)(1), (b)(2), and (b)(3) to read as follows:

§ 2.2 Purpose and effect.

(a) Purpose. Pursuant to 42 U.S.C. 290dd–2(g), the regulations in this part impose restrictions upon the use and disclosure of substance use disorder patient records (‘‘records,’’ as defined in this part) which are maintained in connection with the performance of any part 2 program. The regulations in this part include the following subparts:

* * * * *

(2) Subpart C of this part: Uses and Disclosures with Patient Consent, including uses and disclosures that require patient consent and the consent form requirements;

(3) Subpart D of this part: Uses and Disclosures without Patient Consent, including uses and disclosures which do not require patient consent or an authorizing court order; and

(4) Subpart E of this part: Court Orders Authorizing Use and Disclosure, including uses and disclosures of records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders.

(b) * * *

(1) The regulations in this part prohibit the use and disclosure of records unless certain circumstances exist. If any circumstance exists under which use or disclosure is permitted, that circumstance acts to remove the prohibition on use and disclosure but it does not compel the use or disclosure. Thus, the regulations do not require use or disclosure under any circumstance other than when disclosure is required by the Secretary to investigate or determine a person’s compliance with this part pursuant to § 2.3(c) of this part.

(2) The regulations in this part are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their record than an individual with a substance use disorder who does not seek treatment.

(3) The regulations in this part shall not be construed to limit:

(i) A patient’s right, as described in 45 CFR 164.522, to request a restriction on the use or disclosure of a record for purposes of treatment, payment, or health care operations.

(ii) A covered entity’s choice, as described in 45 CFR 164.506, to obtain the consent of the patient to use or disclose a record to carry out treatment, payment, or health care operations.

■ 4. Revise § 2.3 to read as follows:

§ 2.3 Civil and criminal penalties for violations.

(a) Under 42 U.S.C. 290dd–2(f), any person who violates any provision of this part shall be subject to the applicable penalties under sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 1320d–5 and 1320d–6.
(b) A person who is acting on behalf of an investigative agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records (or employees or agents of that part 2 program or person holding the records) shall not incur civil or criminal liability under 42 U.S.C. 290dd–2(f) for use or disclosure of such records inconsistent with this part that occurs while acting within the scope of their employment in the course of investigating or prosecuting a part 2 program or person holding the record, if the person or investigative agency demonstrates that the following conditions are met:

(1) Before presenting a request, subpoena, or other demand for records, or placing an undercover agent or informant in a health care practice or provider, as applicable, such person acted with reasonable diligence to determine whether the regulations in this part apply to the records, program, or other person holding part 2 records. The following actions are sufficient to constitute reasonable diligence when made within a reasonable period of time (no more than 60 days) before requesting records from, or placing an undercover agent or informant in, a health care practice or provider where it is reasonable to believe that the practice or provider provides substance use disorder diagnostic, treatment, or referral for treatment services: (i) consulting a prescription drug monitoring program database in the state where the investigative agency’s investigation is occurring, where such database is available and accessible by the investigative agency under state law, or (ii) checking a practice’s or provider’s publicly available website or physical location to determine whether in fact such services are provided.
(2) The investigative agency followed all of the applicable provisions in this part for any use or disclosure of the received part 2 records that occurred, or will occur, after the investigative agency knew, or by exercising reasonable diligence would have known, that it received part 2 records.

(c) The provisions of 45 CFR part 160, subparts C, D, and E, shall apply to part 2 programs for violations of this part with respect to records in the same manner as they apply to covered entities and business associates for violations of 45 CFR parts 160 and 164 with respect to protected health information.

■ 5. Revise § 2.4 to read as follows:

§ 2.4 Complaints of Violations.

(a) A part 2 program must provide a process to receive complaints concerning the program’s compliance with the requirements of this part.

(b) A part 2 program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise by the patient of any right established, or for participation in any process provided for, by this part, including the filing of a complaint under this section or § 2.3(c).

(c) A part 2 program may not require patients to waive their right to file a complaint under this section or § 2.3 as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to this part.

■ 6. Amend § 2.11 by:

■ a. Adding in alphabetical order definitions of ‘‘Breach’’; ‘‘Business associate’’; ‘‘Covered entity’’; ‘‘Health care operations’’; ‘‘HIPAA’’; ‘‘HIPAA regulations’’;

■ b. In the definition of ‘‘Informant’’ revising the introductory text;

■ c. Adding in alphabetical order definitions of ‘‘Intermediary’’; and ‘‘Investigative agency’’;

■ d. Revising the definition of ‘‘Part 2 program director’’;

■ e. Adding a sentence at the end of the definition of ‘‘Patient’’;

■ f. Adding in alphabetical order the definition of ‘‘Payment’’;

■ g. Revising the definition of ‘‘Person’’;

■ h. In the definition of ‘‘Program’’ revising paragraph (1);

■ i. Adding in alphabetical order the definition of ‘‘Public health authority’’;

■ j. In the definition of ‘‘Qualified service organization’’ revising the introductory text, paragraph (2) introductory text, and adding paragraph (3);

■ k. Revising the definition of ‘‘Records’’, ‘‘Third-party payer’’, ‘‘Treating provider relationship’’, and ‘‘Treatment’’;

■ l. Adding in alphabetical order definitions of ‘‘Unsecured protected health information’’; ‘‘Unsecured record’’; and ‘‘Use’’.

The revisions and additions read as follows:

§ 2.11 Definitions.

* * * * *

Breach has the same meaning given that term in 45 CFR 164.402.

Business associate has the same meaning given that term in 45 CFR 160.103.

* * * * *

Covered entity has the same meaning given that term in 45 CFR 160.103.

* * * * *

Health care operations has the same meaning given that term in 45 CFR 164.501.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104–191, as amended by the Privacy and Security provisions in subtitle D of title XIII of the Health Information Technology for Economic and Clinical Health Act, Public Law 111–5 (‘‘HITECH Act’’).

HIPAA regulations means the regulations at 45 CFR parts 160 and 164 (commonly known as the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules or ‘‘HIPAA Rules’’).

Informant means a person:

* * * * *

Intermediary means a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.
Investigative agency means a state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.

* * * * *

Part 2 program director means:

(1) In the case of a part 2 program that is a natural person, that person.

(2) In the case of a part 2 program that is an entity, the person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer of the part 2 program.

Patient * * * In provisions where the HIPAA regulations apply in this part, Patient means an individual as that term is defined in 45 CFR 160.103.

* * * * *

Payment has the same meaning given that term in 45 CFR 164.501.

Person has the same meaning given that term in 45 CFR 160.103.

Program * * *

(1) A person (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

* * * * *

Public health authority has the same meaning given that term in 45 CFR 164.501.

Qualified service organization means a person who:

* * * * *

(2) Has entered into a written agreement with a part 2 program under which that person:

* * * * *

(3) A qualified service organization includes a person who meets the definition of Business associate in 45 CFR 160.103, paragraphs (1), (2), and (3), with respect to the use and disclosure of protected health information that also constitutes a ‘‘record’’ as defined by this section.
Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts), and including patient identifying information, provided, however, that information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a record subject to this Part in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider. Records otherwise transmitted by a part 2 program to a non-part 2 provider retain their characteristic as records in the hands of the non-part 2 provider, but may be segregated by that provider.

* * * * *

Third-party payer means a person, other than a health plan as defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient’s family or on the basis of the patient’s eligibility for federal, state, or local governmental benefits.

Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

(1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and

(2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.

Treatment has the same meaning given that term in 45 CFR 164.501.

* * * * *

Unsecured protected health information has the same meaning given that term in 45 CFR 164.402.
Unsecured record means any record, as defined in this part, that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111–5, section 13402(h)(2).

Use means, with respect to records, the sharing, employment, application, utilization, examination, or analysis of the information contained in such records that occurs either within an entity that maintains such information or in the course of civil, criminal, administrative, or legislative proceedings as described at 42 U.S.C. 290dd–2(c).

* * * * *

■ 7. Amend § 2.12 by:

■ a. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and (a)(2);

■ b. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5) introductory text and (c)(6);

■ c. Revising paragraphs (d)(1) and (2); and

■ d. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).

The revisions read as follows:

§ 2.12 Applicability.

(a) * * *

(1) Restrictions on use and disclosure. The restrictions on use and disclosure in the regulations in this part apply to any records which:

* * * * *

(ii) Contain substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or contain alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.

(2) Restriction on use.
The restriction on use or disclosure of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd–2(c)) applies to any information, whether or not recorded, which is substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or is alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.

* * * * *

(c) * * *

(2) Uniformed Services. The regulations in this part apply to any information described in paragraph (a) of this section which was obtained by any component of the Uniformed Services during a period when the patient was subject to the Uniform Code of Military Justice except:

(i) Any interchange of that information within the Uniformed Services; and

(ii) Any interchange of that information between the Uniformed Services and those components of the Department of Veterans Affairs furnishing health care to veterans.

(3) Communication within a part 2 program or between a part 2 program and an entity having direct administrative control over that part 2 program.
The restrictions on use and disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

* * * * *

(4) Qualified service organizations. The restrictions on use and disclosure in the regulations in this part do not apply to the communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to or on behalf of the program.

(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on use and disclosure in the regulations in this part do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:

* * * * *

(6) Reports of suspected child abuse and neglect. The restrictions on use and disclosure in the regulations in this part do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their use and disclosure for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.

(d) * * *

(1) Restriction on use and disclosure of records.
The restriction on the use and disclosure of any record subject to the regulations in this part to initiate or substantiate criminal charges against a patient or to conduct any criminal investigation of a patient, or to use in any civil, criminal, administrative, or legislative proceedings against a patient, applies to any person who obtains the record from a part 2 program, covered entity, business associate, intermediary, or other lawful holder, regardless of the status of the person obtaining the record or whether the record was obtained in accordance with subpart E of this part. This restriction on use and disclosure bars, among other things, the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or State court, reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency, the use of such record or testimony by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and the use of such record or testimony in any application for a warrant, absent patient consent or a court order in accordance with subpart E of this part. Information obtained by undercover agents or informants (see § 2.17) or through patient access (see § 2.23) is subject to the restriction on use and disclosure.

(2) Restrictions on use and disclosures—(i) Third-party payers, administrative entities, and others.
The restrictions on use and disclosure in the regulations in this part apply to:

(A) Third-party payers, as defined in this part, with regard to records disclosed to them by part 2 programs or under § 2.31(a)(4)(i);

(B) Persons having direct administrative control over part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the part 2 program under paragraph (c)(3) of this section; and

(C) Persons who receive records directly from a part 2 program or other lawful holder of patient identifying information and who are notified of the prohibition on redisclosure in accordance with § 2.32.

(ii) Notwithstanding paragraph (d)(2)(i)(C) of this section, a non-part 2 treating provider may record information about a substance use disorder and its treatment that identifies a patient. This is permitted and does not constitute a record that has been redisclosed under part 2, provided that any substance use disorder records received from a part 2 program or other lawful holder are segregated or segmented. The act of recording information about a substance use disorder and its treatment does not by itself render a medical record which is created by a non-part 2 treating provider subject to the restrictions of this part 2.

* * * * *

(e) * * *

(3) Information to which restrictions are applicable. Whether a restriction applies to the use or disclosure of a record affects the type of records which may be disclosed. The restrictions on use and disclosure apply to any records which would identify a specified patient as having or having had a substance use disorder.
The restriction on use and disclosure of records to bring a civil action or criminal charges against a patient in any civil, criminal, administrative, or legislative proceedings applies to any records obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Restrictions on use and disclosure apply to recipients of records as specified under paragraph (d) of this section.)

(4) How type of diagnosis affects coverage. These regulations cover any record reflecting a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 program in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared by a part 2 program for the purpose of treatment or referral for treatment, but which is not so used, is covered by the regulations in this part. The following are not covered by the regulations in this part:

(i) Diagnosis which is made on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction solely for the purpose of providing evidence; or

* * * * *

■ 7. Amend § 2.13 by revising paragraphs (a), (b) and (c)(1) and removing paragraph (d) to read as follows:

§ 2.13 Confidentiality restrictions and safeguards.

(a) General. The patient records subject to the regulations in this part may be used or disclosed only as permitted by the regulations in this part and may not otherwise be used or disclosed in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Any use or disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the use or disclosure.

(b) Unconditional compliance required.
The restrictions on use and disclosure in the regulations in this part apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a use or disclosure which is not permitted by the regulations in this part.

(c) * * *

(1) The presence of an identified patient in a health care facility or component of a health care facility that is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient’s written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgment of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgment does not reveal that the patient has a substance use disorder.

* * * * *

■ 8. Amend § 2.14 by revising paragraphs (a), (b)(1), (b)(2) introductory text, (b)(2)(ii) and (c) to read as follows:

§ 2.14 Minor patients.

(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for use or disclosure authorized under subpart C of this part may be given only by the minor patient.
This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to a use or disclosure that is necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.

(b) * * *

(1) Where state law requires consent of a parent, guardian, or other person for a minor to obtain treatment for a substance use disorder, any written consent for use or disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other person authorized under state law to act on the minor’s behalf.

(2) Where state law requires parental consent to treatment, the fact of a minor’s application for treatment may be communicated to the minor’s parent, guardian, or other person authorized under state law to act on the minor’s behalf only if:

* * * * *

(ii) The minor lacks the capacity to make a rational choice regarding such consent as determined by the part 2 program director under paragraph (c) of this section.

(c) Minor applicant for services lacks capacity for rational choice.
Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other person may be disclosed to the parent, guardian, or other person authorized under state law to act on the minor’s behalf if the part 2 program director determines that:

(1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other person authorized under state law to act on the minor’s behalf; and

(2) The minor applicant’s situation poses a substantial threat to the life or physical well-being of the minor applicant or any other person which may be reduced by communicating relevant facts to the minor’s parent, guardian, or other person authorized under state law to act on the minor’s behalf.

■ 9. Amend § 2.15 by revising the section heading, paragraphs (a) and (b)(2) to read as follows.

§ 2.15 Patients who lack capacity and deceased patients.

(a) Adult patients who lack capacity to make health care decisions.

(1) Adjudication by a court. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to make their own health care decisions, any consent which is required under the regulations in this part may be given by the guardian or other person authorized under state law to act on the patient’s behalf.

(2) No adjudication by a court. In the case of a patient, other than a minor or one who has been adjudicated as lacking the capacity to make health care decisions, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a use or disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer or health plan.
(b) * * *

(2) Consent by personal representative. Any other use or disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the use or disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable state law. If there is no such applicable state law appointment, the consent may be given by the patient’s spouse or, if none, by any responsible member of the patient’s family.

■ 10. Amend § 2.16 by:

■ a. Revising the section heading and paragraphs (a) introductory text, (a)(1)(v), and (a)(2)(iv); and

■ b. Adding paragraph (b).

The revisions and addition read as follows:

§ 2.16 Security for records and notification of breaches.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address all of the following:

(1) * * *

(v) Rendering patient identifying information de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a particular patient as having or having had a substance use disorder.

(2) * * *

(iv) Rendering the patient identifying information de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.
(b) The provisions of 45 CFR part 160 and subpart D of part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information. ■ 11. Amend § 2.17 by revising paragraph (b) to read as follows. § 2.17 Undercover agents and informants. * * * * * (b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used or disclosed to criminally investigate or prosecute any patient. ■ 12. Amend § 2.19 by: ■ a. Adding paragraph (a)(3); ■ b. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory text (b)(1)(i)(A), and (b)(2). The addition and revisions read as follows: § 2.19 Disposition of records by discontinued programs. (a) * * * (3) The Part 2 program is transferred, retroceded, or reassumed pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), 25 U.S.C. 5301 et seq., and its implementing regulations. (b) * * * (1) Records in non-electronic (e.g., paper) form must be: (i) Sealed in envelopes or other containers labeled as follows: ‘‘Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]’’. (A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable. 
* * * * * (2) All of the following requirements apply to records in electronic form: (i) Records must be: (A) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or (B) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key. (ii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in paragraph (b)(2)(i)(A) of this section or the original and backup electronic media specified in paragraph (b)(2)(i)(B) of this section, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program’s or acquiring program’s policies and procedures established under § 2.16. 
(iii) The portable electronic device or the original and backup electronic media must be: (A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: ‘‘Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];’’ and (B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information (e.g., climate-controlled environment). (iv) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt. (v) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16. ■ 13. Revise § 2.20 to read as follows. § 2.20 Relationship to state laws. The statute authorizing the regulations in this part (42 U.S.C. 290dd–2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a use or disclosure permitted under the regulations in this part is prohibited under state law, neither the regulations in this part nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any use or disclosure prohibited by the regulations in this part. ■ 14. 
Amend § 2.21 by revising paragraph (b) to read as follows: § 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity. * * * * * (b) Effect of concurrent coverage. These regulations restrict the use and disclosure of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes. ■ 15. Revise § 2.22 to read as follows: § 2.22 Notice to patients of federal confidentiality requirements. (a) Notice required. At the time of admission to a part 2 program or, in the case that a patient does not have capacity upon admission to understand their medical status, as soon thereafter as the patient attains such capacity, each part 2 program shall inform the patient that federal law protects the confidentiality of substance use disorder patient records. (b) Content of notice. In addition to the communication required in paragraph (a), a part 2 program shall provide notice, written in plain language, of the program’s legal duties and privacy practices, as specified in this paragraph. (1) The notice must include the following content: (i) Header. The notice must contain the following statement as a header or otherwise prominently displayed. 
NOTICE OF PRIVACY PRACTICES OF [PART 2 PROGRAM] THIS NOTICE DESCRIBES: • HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED • YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION • HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS. (ii) Uses and disclosures. The notice must contain: (A) A description of each of the purposes for which the part 2 program is permitted or required by this part to use or disclose records without the patient’s written consent. (B) If a use or disclosure for any purpose described in paragraph (b)(1)(ii)(A) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law. (C) For each purpose described in accordance with paragraphs (b)(1)(ii)(A) and (B) of this section, the description must include sufficient detail to place the patient on notice of the uses and disclosures that are permitted or required by this part and other applicable law. (D) A description, including at least one example, of the types of uses and disclosures that require written consent under this part. (E) A statement that a patient may provide a single consent for all future uses or disclosures for treatment, payment, and health care operations purposes. (F) A statement that the program will make uses and disclosures not described in the notice only with the patient’s written consent. (G) A statement that the patient may revoke written consent as provided by § 2.31 and § 2.35 of this part. 
(H) A statement that includes the following information: (1) Records, or testimony relaying the content of such records, shall not be used or disclosed in any civil, administrative, criminal or legislative proceedings against the patient unless based on specific written consent or a court order; (2) Records shall only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to the patient or the holder of the record, where required by 42 U.S.C. 290dd–2 and 42 CFR part 2; and (3) A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed. (iii) Separate statements for certain uses or disclosures. If the program intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(D) of this section must include a separate statement as follows: (A) Records that are disclosed to a program, covered entity, or business associate pursuant to the patient’s written consent for treatment, payment, and health care operations may be further disclosed by that program, covered entity, or business associate, without the patient’s written consent, to the extent the HIPAA Privacy Rule permits such disclosure. (B) Records that a program, covered entity, or business associate intends to use or disclose to fundraise for the benefit of the program, covered entity, or business associate, may be used or disclosed only with your valid written consent that complies with the requirements of 42 CFR part 2. (iv) Patient rights. 
The notice must contain a statement of the patient’s rights with respect to their records and a brief description of how the patient may exercise these rights, as follows: (A) Right to request restrictions of disclosures made with prior consent for purposes of treatment, payment, and health care operations, as provided in 42 CFR 2.26. (B) Right to request and obtain restrictions of disclosures of part 2 records to the patient’s health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to disclosures of protected health information. (C) Right to an accounting of disclosures of electronic part 2 records for the past 3 years, as provided in 42 CFR 2.25, and a right to an accounting of disclosures that meets the requirements of 45 CFR 164.528(a)(2) and (b)–(d) for all other disclosures made with consent. (D) Right to obtain a paper or electronic copy of the notice from the program upon request. (E) Right to discuss the notice with a designated contact person identified by the part 2 program pursuant to paragraph (b)(1)(vii). (v) Part 2 program’s duties. The notice must contain: (A) A statement that the part 2 program is required by law to maintain the privacy of records, to provide patients with notice of its legal duties and privacy practices with respect to records, and to notify affected patients following a breach of unsecured records; (B) A statement that the part 2 program is required to abide by the terms of the notice currently in effect; and (C) For the part 2 program to apply a change in a privacy practice that is described in the notice to records that the part 2 program created or received prior to issuing a revised notice, a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for records that it maintains. 
The statement must also describe how it will provide patients with a revised notice. (vi) Complaints. The notice must contain a statement that patients may complain to the part 2 program and to the Secretary if they believe their privacy rights have been violated, a brief description of how the patient may file a complaint with the program, and a statement that the patient will not be retaliated against for filing a complaint. (vii) Contact. The notice must contain the name, or title, telephone number, and email address of a person or office to contact for further information about the notice. (viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published. (2) Optional elements. (i) In addition to the content required by paragraph (b)(1) of this section, if a part 2 program elects to limit the uses or disclosures that it is permitted to make under this part, the part 2 program may describe its more limited uses or disclosures in its notice, provided that the part 2 program may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted to be made for emergency treatment. (ii) For the part 2 program to apply a change in its more limited uses and disclosures to records created or received prior to issuing a revised notice, the notice must include the statements required by paragraph (b)(1)(v)(C) of this section. (3) Revisions to the notice. The part 2 program must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the patient’s rights, the program’s legal duties, or other privacy practices stated in the notice. 
Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected. (c) Implementation specifications: Provision of notice. A part 2 program must make the notice required by this section available upon request to any person and to any patient; and (1) A part 2 program must provide the notice: (i) No later than the date of the first service delivery, including service delivered electronically, to such patient after the compliance date for the program; or (ii) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation. (2) If the part 2 program maintains a physical service delivery site: (i) Have the notice available at the service delivery site for patients to request to take with them; and (ii) Post the notice in a clear and prominent location where it is reasonable to expect patients seeking service from the part 2 program to be able to read the notice in a manner that does not identify the patient as receiving treatment or services for substance use disorder; and (iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable. (3) Specific requirements for electronic notice: (i) A part 2 program that maintains a website that provides information about the part 2 program’s customer services or benefits must prominently post its notice on the website and make the notice available electronically through the website. (ii) A part 2 program may provide the notice required by this section to patient by email, if the patient agrees to electronic notice and such agreement has not been withdrawn. 
If the part 2 program knows that the email transmission has failed, a paper copy of the notice must be provided to the patient. Provision of electronic notice by the part 2 program will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section. (iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the part 2 program must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice. (iv) The patient who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a part 2 program upon request. ■ 16. Amend § 2.23 by revising the section heading and paragraph (b) to read as follows. § 2.23 Patient access and restrictions on use and disclosure. * * * * * (b) Restriction on use and disclosure of information. Information obtained by patient access to their record is subject to the restriction on use and disclosure of records to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1). ■ 17. Add § 2.24 to subpart B to read as follows: § 2.24 Requirements for intermediaries. Upon request, an intermediary must provide to patients who have consented to the disclosure of their records using a general designation, pursuant to § 2.31(a)(4)(ii)(B), a list of persons to which their records have been disclosed pursuant to the general designation. (a) Under this provision, patient requests: (1) Must be made in writing; and (2) Are limited to disclosures made within the past three years. 
(b) Under this provision, the entity named on the consent form that discloses information pursuant to a patient’s general designation (the entity that serves as an intermediary) must: (1) Respond in 30 or fewer days of receipt of the written request; and (2) Provide, for each disclosure, the name(s) of the entity(ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed. ■ 18. Add § 2.25 to subpart B to read as follows. § 2.25 Accounting of disclosures. (a) General rule. Subject to the limitations in paragraph (b) of this section, a part 2 program must provide to a patient, upon request, an accounting of all disclosures made with consent under § 2.31 in the six years prior to the date of the request (or a shorter time period chosen by the patient). The accounting of disclosures must meet the requirements of 45 CFR 164.528(a)(2) and (b)–(d). (b) Accounting of disclosures for treatment, payment, and health care operations. (1) A part 2 program must provide a patient with an accounting of disclosures of records for treatment, payment, and health care operations only where such disclosures are made through an electronic health record. (2) A patient has a right to receive an accounting of disclosures described in paragraph (b)(1) of this section during only the three years prior to the date on which the accounting is requested. ■ 19. Add § 2.26 to subpart B to read as follows: § 2.26 Right to request privacy protection for records. (a)(1) A part 2 program must permit a patient to request that the part 2 program restrict uses or disclosures of records about the patient to carry out treatment, payment, or health care operations, including when the patient has signed written consent for such disclosures. (2) Except as provided in paragraph (a)(6) of this section, a part 2 program is not required to agree to a restriction. 
(3) A part 2 program that agrees to a restriction under paragraph (a)(1) of this section may not use or disclose records in violation of such restriction, except that, if the patient who requested the restriction is in need of emergency treatment and the restricted record is needed to provide the emergency treatment, the program may use the restricted record, or may disclose information derived from the record to a health care provider, to provide such treatment to the patient. (4) If information from a restricted record is disclosed to a health care provider for emergency treatment under paragraph (a)(3) of this section, the part 2 program must request that such health care provider not further use or disclose the information. (5) A restriction agreed to by a part 2 program under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures required by law or permitted by this regulation for purposes other than treatment, payment, and health care operations, as defined in this regulation. (6) A part 2 program must agree to the request of a patient to restrict disclosure of records about the patient to a health plan if: (i) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (ii) The record pertains solely to a health care item or service for which the patient, or person other than the health plan on behalf of the patient, has paid the program in full. (b) A program may terminate a restriction, if one of the following applies: (1) The patient agrees to or requests the termination in writing. (2) The patient orally agrees to the termination and the oral agreement is documented. 
(3) The program informs the patient that it is terminating its agreement to a restriction, except that such termination is: (i) Not effective for records restricted under paragraph (a)(6) of this section; and (ii) Only effective with respect to records created or received after it has so informed the patient. ■ 20. Revise the heading of subpart C to read as follows: Subpart C—Uses and Disclosures With Patient Consent * * * * * ■ 21. Amend § 2.31 by: ■ a. Revising paragraph (a) introductory text, and paragraphs (a)(2) through (a)(8); ■ b. Adding paragraph (a)(10); and ■ c. Revising paragraph (b)(4). The revisions and additions read as follows: § 2.31 Consent requirements. (a) Required elements for written consent. A written consent to a use or disclosure under the regulations in this part may be paper or electronic and must include: * * * * * (2) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (3) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (4)(i) General requirement for designating recipients. The name(s) of the person(s), or class of persons, to which a disclosure is to be made (‘‘recipient(s)’’). For a single consent for all future uses and disclosures for treatment, payment, and health care operations, the recipient may be described as ‘‘my treating providers, health plans, third-party payers, and people helping to operate this program’’ or a similar statement. (ii) Special instructions for intermediaries. 
Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity is an intermediary, a written consent must include the name(s) of the intermediary(ies) and (A) The name(s) of the member participants of the intermediary; or (B) A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed. (iii) Special instructions when designating certain recipients. If the recipient is a program, covered entity, or business associate to whom a record (or information contained in a record) is disclosed for purposes of treatment, payment, or health care operations as defined in this part, a written consent must include the statement that the patient’s record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA Privacy Rule, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient. (5) A description of each purpose of the requested use or disclosure. (i) The statement ‘‘at the request of the patient’’ is a sufficient description of the purpose when a patient initiates the consent and does not, or elects not to, provide a statement of the purpose. (ii) The statement, ‘‘for treatment, payment, and health care operations’’ is a sufficient description of the purpose when a patient provides consent once for all such future uses or disclosures for those purposes. (iii) Fundraising. If applicable, a statement that a patient consents to the use or disclosure of the patient’s records for the purpose of fundraising for the benefit of the program. 
(6) The patient’s right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it, and how the patient may revoke consent. (7) An expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure. The statement ‘‘end of the treatment,’’ ‘‘none,’’ or similar language is sufficient if the consent is for a use or disclosure for treatment, payment, or health care operations. The statement ‘‘end of the research study’’ or similar language is sufficient if the consent is for a use or disclosure for research, including for the creation and maintenance of a research database or research repository. (8) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who lacks the capacity to make their own health care decisions or is deceased, the signature of a person authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law. * * * * * (10) A patient’s written consent to use or disclose records for treatment, payment, or health care operations must include all of the following statements: (i) The potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part. (ii) The consequences to the patient of a refusal to sign the consent. (b) * * * (4) Is known, or through reasonable diligence could be known, by the person holding the records to be materially false. ■ 22. Amend § 2.32 by revising the section heading and paragraph (a) to read as follows: § 2.32 Notice to accompany disclosure. (a) Notice to accompany disclosure. 
Each disclosure made with the patient’s written consent must be accompanied by one of the following written statements (i.e., either (a)(1) or (a)(2) of this section): (1) ‘‘This record which has been disclosed to you is protected by federal confidentiality rules (42 CFR part 2). These rules prohibit you from using or disclosing this record, or testimony that describes the information contained in this record, in any civil, criminal, administrative, or legislative proceedings by any Federal, State, or local authority, against the patient, unless authorized by the consent of the patient, except as provided at 42 CFR 2.12(c)(5) or as authorized by a court in accordance with 42 CFR 2.64 or 2.65 and compelled by subpoena or other legal requirement. In addition, the federal rules prohibit you from making any other use or disclosure of this record unless at least one of the following applies: (i) Further use or disclosure is expressly permitted by the written consent of the individual whose information is being disclosed in this record or is otherwise permitted by 42 CFR part 2. (ii) You are a covered entity or business associate and have received the record for treatment, payment, or health care operations as defined in this part, or (iii) You have received the record from a covered entity or business associate as permitted by 45 CFR part 164 subparts A and E. (iv) A general authorization for the release of medical or other information is NOT sufficient to meet the required elements of written consent to further use or redisclose the record (see 42 CFR 2.31).’’ (2) 42 CFR part 2 prohibits unauthorized use or disclosure of these records. * * * * * ■ 23. Revise § 2.33 to read as follows: § 2.33 Uses and disclosures permitted with written consent. 
(a) If a patient consents to a use or disclosure of their records consistent with § 2.31, a part 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively. (b) If a patient consents to a use or disclosure of their records consistent with § 2.31, the recipient may further use or disclose such records as provided in subpart E of this part, and as follows: (1) When disclosed for treatment, payment, and health care operations activities as defined in this part, to a program, covered entity, or business associate, the recipient may further use or disclose those records as permitted by 45 CFR part 164, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient. (2) When disclosed with consent given once for all future treatment, payment, and health care operations activities to a part 2 program that is not a covered entity or business associate, the recipient may further use or disclose those records consistent with the consent. (3) When disclosed for payment or health care operations activities to a lawful holder that is not a covered entity, business associate, or part 2 program, the recipient may further use or disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders. 
(c) Lawful holders, other than covered entities and business associates, who wish to redisclose patient identifying information pursuant to paragraph (b)(2) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information. In making any such redisclosures, the lawful holder must furnish such recipients with the notice required under § 2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only redisclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to redisclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated. ■ 24. Amend § 2.34 by revising the section heading and paragraph (b) to read as follows: § 2.34 Uses and Disclosures to prevent multiple enrollments. * * * * * (b) Use of information in records limited to prevention of multiple enrollments. 
A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not use or redisclose patient identifying information for any purpose other than the prevention of multiple enrollments or to ensure appropriate coordinated care with a treating provider that is not a part 2 program unless authorized by a court order under subpart E of this part. * * * * * ■ 25. Amend § 2.35 by revising paragraphs (a) introductory text, (a)(1), (b)(3), and (d) to read as follows: § 2.35 Disclosures to elements of the criminal justice system which have referred patients. (a) A part 2 program may disclose information from a record about a patient to those persons within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient’s parole or other release from custody if: (1) The disclosure is made only to those persons within the criminal justice system who have a need for the information in connection with their duty to monitor the patient’s progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and * * * * * (b) * * * (3) Such other factors as the part 2 program, the patient, and the person(s) within the criminal justice system who will receive the disclosure consider pertinent. * * * * * (d) Restrictions on use and redisclosure. Any persons within the criminal justice system who receive patient information under this section may use and redisclose it only to carry out official duties with regard to the patient’s conditional release or other action in connection with which the consent was given. ■ 26. 
Revise the heading of subpart D to read as follows: Subpart D—Uses and Disclosures Without Patient Consent * * * * * ■ 27. Amend § 2.51 by revising paragraph (c)(2) to read as follows: § 2.51 Medical emergencies. * * * * * (c) * * * (2) The name of the person making the disclosure; * * * * * ■ 28. Amend § 2.52 by: ■ a. Revising the section heading and paragraphs (a) introductory text, (a)(1) introductory text and (a)(2); ■ b. Revising paragraphs (b) introductory text, (b)(2) and (3); ■ c. Revising paragraph (c)(1) introductory text and adding paragraph (c)(1)(iii); and ■ d. Removing the second paragraph (c)(2). The revisions and addition read as follows: § 2.52 Scientific research. (a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be used or disclosed for the purposes of the recipient conducting scientific research if: (1) The person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of part 2 data, makes a determination that the recipient of the patient identifying information is: * * * * * (2) The part 2 program or other lawful holder of part 2 data is a HIPAA covered entity or business associate, and the use or disclosure is made in accordance with the HIPAA Privacy Rule requirements at 45 CFR 164.512(i). * * * * * (b) Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section: * * * * * (2) Must not redisclose patient identifying information except back to the person from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section. 
(3) May include part 2 data in research reports only in aggregate form in which patient identifying information has been de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder. * * * * * (c) * * * (1) Researchers. Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(ies) holding patient identifying information must: * * * * * (iii) Ensure that patient identifying information is not redisclosed for data linkage purposes other than as provided in paragraph (c) of this section. * * * * * ■ 29. Amend § 2.53 by: ■ a. Revising the section heading; ■ b. Revising paragraph (a) introductory text and paragraph (a)(1)(ii); ■ c. Revising paragraphs (b) introductory text, (b)(1)(iii) and (b)(2)(ii); ■ d. Revising paragraphs (c)(1) introductory text and (c)(1)(i); ■ e. Revising paragraphs (e)(1) introductory text, (e)(1)(iii), (e)(5), and (e)(6); ■ f. Revising paragraph (f); and ■ g. Adding paragraph (h). The revisions and addition read as follows: § 2.53 Management audits, financial audits, and program evaluation. (a) Records not copied or removed. 
If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any person who agrees in writing to comply with the limitations on use and redisclosure in paragraph (f) of this section and who: (1) * * * (ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization. * * * * * (b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program’s or other lawful holder’s electronic records by any person who: (1) * * * (iii) Comply with the limitations on use and disclosure in paragraph (f) of this section; and (2) * * * (ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or * * * * * (c) * * * (1) Activities undertaken by a federal, state, or local governmental agency, or a third-party payer or health plan, in order to: (i) Identify actions the agency or third-party payer or 
health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs; * * * * * (e) * * * (1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (e) of this section to any person for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the person agrees in writing to comply with the following: * * * * * (iii) Comply with the limitations on use and disclosure in paragraph (f) of this section. * * * * * (5) If a disclosure to a person is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section, the person may further use or disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may use or disclose the information to that person (or, to such person’s contractors, subcontractors, or legal representatives, but only for the purposes of this section). (6) The provisions of this paragraph do not authorize the part 2 program, the federal, state, or local government agency, or any other person to use or disclose patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (e) of this section. 
(f) Limitations on use and disclosure. Except as provided in paragraph (e) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66. * * * * * (h) Disclosures for health care operations. With respect to activities described in paragraphs (c) and (d) of this section, a part 2 program, covered entity, or business associate may disclose records in accordance with a consent that includes health care operations, and the recipient may redisclose such records as permitted under the HIPAA Privacy Rule if the recipient is a part 2 program, covered entity, or business associate. ■ 30. Add § 2.54 to subpart D to read as follows: § 2.54 Disclosures for public health. A part 2 program may disclose records for public health purposes without patient consent so long as: (a) The disclosure is made to a public health authority as defined in this part; and (b) The content of the information from the record disclosed has been de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder. ■ 31. Revise the heading of subpart E to read as follows: Subpart E—Court Orders Authorizing Use and Disclosure * * * * * ■ 32. Revise § 2.61 to read as follows: § 2.61 Legal effect of order. (a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. 
Its only purpose is to authorize a use or disclosure of patient information which would otherwise be prohibited by 42 U.S.C. 290dd–2 and the regulations in this part. Such an order does not compel use or disclosure. A subpoena or a similar legal mandate must be issued in order to compel use or disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under the regulations in this part. (b) Examples. (1) A person holding records subject to the regulations in this part receives a subpoena for those records. The person may not use or disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under the regulations in this part. (2) An authorizing court order is entered under the regulations in this part, but the person holding the records does not want to make the use or disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the use or disclosure. Upon the entry of a valid subpoena or other compulsory process the person holding the records must use or disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of the regulations in this part. ■ 33. Revise § 2.62 to read as follows: § 2.62 Order not applicable to records disclosed without consent to researchers, auditors and evaluators. A court order under the regulations in this part may not authorize persons who meet the criteria specified in § 2.52(a)(1)(i)–(iii) of this part, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. 
However, a court order under § 2.66 may authorize use and disclosure of records to investigate or prosecute such persons who are holding the records. ■ 34. Amend § 2.63 by revising paragraph (a)(3) to read as follows: (a) * * * (3) The disclosure is in connection with a civil, criminal, administrative, or legislative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications. * * * * * ■ 35. Amend § 2.64 by revising the section heading, paragraph (a), paragraph (b) introductory text, (d) and (e) to read as follows: § 2.64 Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes. (a) Application. An order authorizing the use or disclosure of patient records or testimony relaying the information contained in the records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the use or disclosure which is sought in the course of a civil, administrative or legislative proceeding. The application may be filed separately or as part of a pending civil action in which the applicant asserts that the patient records or testimony relaying the information contained in the records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given written consent (meeting the requirements of the regulations in this part) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny. (b) Notice. 
A court order under this section is only valid when the patient and the person holding the records from whom disclosure is sought have received: * * * * * (d) * * * (2) The public interest and need for the use or disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services. (e) Content of order. An order authorizing a use or disclosure must: (1) Limit use or disclosure to only those parts of the patient’s record, or testimony relaying those parts of the patient’s record, which are essential to fulfill the objective of the order; (2) Limit use or disclosure to those persons whose need for information is the basis for the order; and (3) Include such other measures as are necessary to limit use or disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which use or disclosure of a patient’s record, or testimony relaying the contents of the record, has been ordered. ■ 36. Amend § 2.65 by revising the section heading, paragraphs (a), (b) introductory text, (d) introductory text, (d)(2) and (e) to read as follows: § 2.65 Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients. (a) Application. An order authorizing the use or disclosure of patient records, or testimony relaying the information contained in those records, to investigate or prosecute a patient in connection with a criminal proceeding may be applied for by the person holding the records or by any law enforcement or prosecutorial official who is responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws, including administrative and legislative criminal proceedings. 
The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise use or disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny. (b) Notice and hearing. Unless an order under § 2.66 is sought in addition to an order under this section, an order under this section is valid only when the person holding the records has received: * * * * * (d) Criteria. A court may authorize the use and disclosure of patient records, or testimony relaying the information contained in those records, for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met: * * * * * (2) There is a reasonable likelihood that the records or testimony will disclose information of substantial value in the investigation or prosecution. * * * * * (e) Content of order. Any order authorizing a use or disclosure of patient records subject to this part, or testimony relaying the information contained in those records, under this section must: (1) Limit use and disclosure to those parts of the patient’s record, or testimony relaying the information contained in those records, which are essential to fulfill the objective of the order; (2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records or testimony to investigation and prosecution of the extremely serious crime or suspected crime specified in the application; and (3) Include such other measures as are necessary to limit use and disclosure to the fulfillment of only that public interest and need found by the court. ■ 37. Amend § 2.66 by: ■ a. Revising the section heading and paragraph (a)(1); ■ b. Adding new paragraph (a)(3); ■ c. Revising paragraphs (b), (c), and (d). The revisions and addition read as follows: § 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records. (a) * * * (1) An order authorizing the use or disclosure of patient records subject to this part to investigate or prosecute a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records) in connection with a criminal or administrative matter may be applied for by any investigative agency having jurisdiction over the program’s or person’s activities. * * * * * (3) Upon discovering in good faith that it received part 2 records in the course of investigating or prosecuting a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records), an investigative agency must do the following: (i) Secure the records in accordance with § 2.16; and (ii) Cease using and disclosing the records until the investigative agency obtains a court order consistent with paragraph (c) of this section authorizing the use and disclosure of the records and any records later obtained. 
The application for the court order must occur within a reasonable period of time, but not more than 120 days after discovering it received part 2 records; or (iii) If the agency does not seek a court order in accordance with paragraph (a)(3)(ii) of this section, the agency must either return the records to the part 2 program or person holding the records, if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days after discovering it received part 2 records; or (iv) If the agency does not seek a court order or return the records, the agency must destroy the records in a manner that renders the patient identifying information non-retrievable, within a reasonable period of time, but not more than 120 days after discovering it received part 2 records; or (v) If the agency’s application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice from the court. (b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the part 2 program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of those persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with paragraph (c) of this section. 
If a court finds that individualized contact is impractical under the circumstances, patients may be informed of the opportunity through a substitute form of notice that the court determines is reasonably calculated to reach the patients, such as conspicuous notice in major print or broadcast media in geographic areas where the affected patients likely reside. (c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of § 2.64(e). In addition, an order under this section may be entered only if the court determines that good cause exists. To make such good cause determination, the court must find that: (1) Other ways of obtaining the information are not available, would not be effective, or would yield incomplete information; (2) The public interest and need for the use or disclosure outweigh the potential injury to the patient, the physician-patient relationship, and the treatment services; and (3) For an application being submitted pursuant to paragraph (a)(3)(ii) of this section, the investigative agency has satisfied the conditions at § 2.3(b). (d) Limitations on use and disclosure of patient identifying information. (1) An order entered under this section must require the deletion or removal of patient identifying information from any documents or oral testimony made available to the public. (2) No information obtained under this section may be used or disclosed to conduct any investigation or prosecution of a patient in connection with a criminal matter, or be used or disclosed as the basis for an application for an order under § 2.65. ■ 38. Amend § 2.67 by revising paragraphs (a), (c), (d)(3) and (e) to read as follows: § 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter. (a) Application. 
A court order authorizing the placement of an undercover agent or informant in a part 2 program as an employee or patient may be applied for by any investigative agency which has reason to believe that employees or agents of the part 2 program are engaged in criminal misconduct. * * * * * (c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make such good cause determination, the court must find all of the following: (1) There is reason to believe that an employee or agent of the part 2 program is engaged in criminal activity; (2) Other ways of obtaining evidence of the suspected criminal activity are not available, would not be effective, or would yield incomplete evidence; (3) The public interest and need for the placement of an undercover agent or informant in the part 2 program outweigh the potential injury to patients of the part 2 program, physician-patient relationships and the treatment services; and (4) For an application submitted after the placement of an undercover agent or informant has already occurred, that the investigative agency has satisfied the conditions at § 2.3(b) and only discovered that a court order was necessary after such placement occurred. (d) * * * (3) Prohibit the undercover agent or informant from using or disclosing any patient identifying information obtained from the placement except as necessary to investigate or prosecute employees or agents of the part 2 program in connection with the suspected criminal activity; and * * * * * (e) Limitation on use and disclosure of information. No information obtained by an undercover agent or informant placed in a part 2 program under this section may be used or disclosed to investigate or prosecute any patient in connection with a criminal matter or as the basis for an application for an order under § 2.65. ■ 39. Add § 2.68 to subpart E to read as follows: § 2.68 Report to the Secretary. (a) Any investigative agency covered by this part shall report to the Secretary, not later than 60 days after the end of each calendar year, to the extent applicable and practicable, on: (1) The number of applications made under § 2.66(a)(3)(ii) and § 2.67(c)(4) during the calendar year; (2) The number of instances in which such applications were denied, due to findings by the court of violations of this part during the calendar year; and (3) The number of instances in which part 2 records were returned or destroyed following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii)(iv) or (v), respectively during the calendar year. (b) [Reserved]. * * * * * Title 45—PUBLIC WELFARE PART 164—SECURITY AND PRIVACY ■ 40. The authority citation for part 164 is revised to read as follows: Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279 (42 U.S.C. 17921, 17931–17954); and sec. 3221(i)(2), Pub. L. 116–136. ■ 41. Amend § 164.520 by: ■ a. Revising paragraphs (a)(1) and removing paragraph (a)(3); ■ b. Redesignating paragraph (a)(2) as (a)(3) and adding a new paragraph (a)(2); ■ c. Revising paragraphs (b)(1) introductory text, (b)(1)(i), (b)(1)(ii)(C), (b)(1)(ii)(D), and (b)(1)(iii); ■ d. Revising paragraphs (b)(1)(iv)(C), (b)(1)(iv)(G), (b)(1)(v)(A), (b)(1)(v)(C), (b)(1)(vii), and (b)(2)(iii); ■ e. Removing paragraph (c)(2)(ii), redesignating paragraphs (c)(2)(iii) and (iv) as (c)(2)(ii) and (iii) and revising newly redesignated (c)(2)(ii) introductory text and (iii) and (c)(3)(iii); ■ f. Adding paragraph (d)(4); and ■ g. Revising paragraph (e). The revisions and additions read as follows: § 164.520 Notice of privacy practices for protected health information (a) * * * (1) Right to notice. 
Except as provided by paragraph (a)(3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information. (2) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd–2(a). As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records. (3) Exception for group health plans. (i) An individual enrolled in a group health plan has a right to notice: (A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or (B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan. (ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must: (A) Maintain a notice under this section; and (B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan. 
(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section. (b) * * * (1) Required elements. The covered entity, including any covered entity maintaining or receiving records subject to 42 U.S.C. 290dd–2, must provide a notice that is written in plain language and that contains the elements required by this paragraph. (i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: NOTICE OF PRIVACY PRACTICES OF [NAME OF COVERED ENTITY, AFFILIATED COVERED ENTITIES, OR ORGANIZED HEALTH CARE ARRANGEMENT, AS APPLICABLE] THIS NOTICE DESCRIBES: • HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED • YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION • HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR RECORDS AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE • HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY, OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET COPIES OF YOUR RECORDS UNDER HIPAA YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER [NAME OR TITLE] AT [PHONE AND EMAIL]] IF YOU HAVE ANY QUESTIONS. 
(ii) * * * (C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter. (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2. * * * * * (iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable: (A) In accordance with § 164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications; (B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; (C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes; (D) Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or (E) If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, a statement that such information may be used or disclosed for such purpose only if the individual grants written consent as provided in 42 CFR 2.31. 
(iv) * * *
(C) The right of access to inspect and obtain a copy of protected health information at limited cost or, in some cases, free of charge; and the right to direct a covered health care provider to transmit an electronic copy of protected health information in an electronic health record to a third party, as provided by § 164.524;
* * * * *
(G) The right to discuss the notice with a designated contact person identified by the covered entity pursuant to § 164.520(b)(vii);
(v) * * *
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information;
* * * * *
(C) A statement that the covered entity reserves the right to change the terms of its notice, provided that such terms are not material or contrary to law, and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
* * * * *
(vii) Contact. The notice must contain the name or title and telephone number and email for a designated person who is available to provide further information and answer questions about the covered entity’s privacy practices, as required by § 164.530(a)(1)(ii).
* * * * *
(2) * * *
(iii) A covered entity may provide in its notice information about how an individual who seeks to direct protected health information to a third party, when the protected health information is not in an electronic health record or is in a non-electronic format, can instead obtain a copy of protected health information directly under § 164.524 and send the copy to the third party themselves, or request the covered entity to send a copy of protected health information to a third party using a valid authorization under § 164.508.
* * * * *
(c) * * *
(2) * * *
(ii) If the health care provider maintains a physical service delivery site:
* * * * *
(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.
(3) * * *
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service.
* * * * *
(d) * * *
(4) The permission in paragraph (c)(1) of this section for covered entities who are part of an organized health care arrangement to issue a joint notice may not be construed to remove any obligations or duties of entities creating or maintaining records subject to 42 U.S.C. 290dd–2, or to remove any rights of patients who are the subjects of such records.
(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by § 164.530(j), by retaining copies of the notices issued by the covered entity.
Dated: November 21, 2022.
Xavier Becerra, Secretary, Department of Health and Human Services.
[FR Doc. 2022–25784 Filed 11–28–22; 8:45 am]
BILLING CODE 4153–01–P


[Federal Register Volume 87, Number 231 (Friday, December 2, 2022)]
[Proposed Rules]
[Pages 74216-74287]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-25784]



Vol. 87, No. 231

Friday, December 2, 2022

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

42 CFR Part 2

45 CFR Part 164

Confidentiality of Substance Use Disorder (SUD) Patient Records; Proposed Rule

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

42 CFR Part 2

45 CFR Part 164

RIN 0945-AA16


Confidentiality of Substance Use Disorder (SUD) Patient Records

AGENCY: Office for Civil Rights (OCR), Office of the Secretary, 
Department of Health and Human Services; Substance Abuse and Mental 
Health Services Administration (SAMHSA), Department of Health and Human 
Services.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or ``the 
Department'') is issuing this notice of proposed rulemaking (NPRM) to 
solicit public comment on its proposal to modify its regulations to 
implement section 3221 of the Coronavirus Aid, Relief, and Economic 
Security (CARES) Act.

DATES: Comments due on or before January 31, 2023.

ADDRESSES: Written comments may be submitted through any of the methods 
specified below. Please do not submit duplicate comments.
     Federal eRulemaking Portal: You may submit electronic 
comments at https://www.regulations.gov by searching for the Docket ID 
number HHS-OCR-0945-AA16. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments 
should be in Microsoft Word or Portable Document Format (PDF).
     Regular, Express, or Overnight Mail: You may mail written 
comments (one original and two copies) to the following address only: 
U.S. Department of Health and Human Services, Office for Civil Rights, 
Attention: SUD Patient Records, Hubert H. Humphrey Building, Room 509F, 
200 Independence Avenue SW, Washington, DC 20201.
    Inspection of Public Comments: All comments received by the 
accepted methods and due date specified above may be posted without 
change to content to https://www.regulations.gov, which may include 
personal information provided about the commenter, and such posting may 
occur after the closing of the comment period. However, the Department 
may redact certain content from comments before posting, including 
threatening language, hate speech, profanity, graphic images, or 
individually identifiable information about a third-party individual 
other than the commenter.
    Because of the large number of public comments normally received on 
Federal Register documents, OCR is not able to provide individual 
acknowledgments of receipt.
    Please allow sufficient time for mailed comments to be received 
timely in the event of delivery or security delays.
    Please note that comments submitted by fax or email and those 
submitted after the comment period will not be accepted. In addition, 
comments that are labeled as confidential business information or whose 
disclosure to the public is restricted by statute will not be accepted.
    Docket: For complete access to background documents or posted 
comments, go to https://www.regulations.gov and search for Docket ID 
number HHS-OCR-0945-AA16.

FOR FURTHER INFORMATION CONTACT: Lester Coffer at (800) 368-1019 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: The discussion below includes an Executive 
Summary and overview describing the need for the proposed rules, a 
description of the statutory and regulatory background of the proposed 
rules, a section-by-section description of the proposed modifications, 
and the impact statement and other required regulatory analyses. The 
Department solicits public comment on all aspects of the proposed 
rules. Persons interested in commenting on the provisions of the 
proposed rules can assist the Department by preceding discussion of any 
particular provision or topic with a citation to the section of the 
proposed rule being discussed.

Table of Contents

I. Executive Summary
    A. Overview
    B. Effective and Compliance Dates
    C. Summary of Major Proposals
II. Background and Need for Proposed Rule
    A. Statutory and Regulatory Background
    B. Earlier Efforts To Align Part 2 With the HIPAA Rules
    C. Section 3221 of the Coronavirus Aid, Relief, and Economic 
Security (CARES) Act
III. Section-by-Section Description of Proposed Amendments to 42 CFR 
Part 2
    A. Sec.  2.1--Statutory Authority for Confidentiality of 
Substance Use Disorder Patient Records
    B. Sec.  2.2--Purpose and Effect
    C. Sec.  2.3--Civil and Criminal Penalties for Violations 
(Proposed Heading)
    D. Sec.  2.4--Complaints of Violations (Proposed Heading)
    E. Sec.  2.11--Definitions
    F. Sec.  2.12--Applicability
    G. Sec.  2.13--Confidentiality Restrictions and Safeguards
    H. Sec.  2.14--Minor Patients
    I. Sec.  2.15--Patients Who Lack Capacity and Deceased Patients 
(Proposed Heading)
    J. Sec.  2.16--Security for Records and Notification of Breaches 
(Proposed Heading)
    K. Sec.  2.17--Undercover Agents and Informants
    L. Sec.  2.19--Disposition of Records by Discontinued Programs
    M. Sec.  2.20--Relationship to State Laws
    N. Sec.  2.21--Relationship to Federal Statutes Protecting 
Research Subjects Against Compulsory Disclosure of Their Identity
    O. Sec.  2.22--Notice to Patients of Federal Confidentiality 
Requirements; and 45 CFR 164.520--Notice of Privacy Practices for 
Protected Health Information
    P. Sec.  2.23--Patient Access and Restrictions on Use and 
Disclosure (Proposed Heading)
    Q. Sec.  2.24--Requirements for Intermediaries (Redesignated and 
Proposed Heading)
    R. Sec.  2.25--Accounting of Disclosures (Proposed Heading)
    S. Sec.  2.26--Right To Request Privacy Protection for Records 
(Proposed Heading)
    T. Subpart C--Uses and Disclosures With Patient Consent 
(Proposed Heading)
    U. Sec.  2.31--Consent Requirements
    V. Sec.  2.32--Notice To Accompany Disclosure (Proposed Heading)
    W. Sec.  2.33--Uses and Disclosures Permitted With Written 
Consent (Proposed Heading)
    X. Sec.  2.34--Uses and Disclosures To Prevent Multiple 
Enrollments (Proposed Heading)
    Y. Sec.  2.35--Disclosures to Elements of the Criminal Justice 
System Which Have Referred Patients
    Z. Subpart D--Uses and Disclosures Without Patient Consent 
(Proposed Heading)
    AA. Sec.  2.51--Medical Emergencies
    BB. Sec.  2.52--Scientific Research (Proposed Heading)
    CC. Sec.  2.53--Management Audits, Financial Audits, and Program 
Evaluation (Proposed Heading)
    DD. Sec.  2.54--Disclosures for Public Health (Proposed Heading)
    EE. Subpart E--Court Orders Authorizing Use and Disclosure 
(Proposed Heading)
    FF. Sec.  2.61--Legal Effect of Order
    GG. Sec.  2.62--Order Not Applicable to Records Disclosed 
Without Consent to Researchers, Auditors and Evaluators
    HH. Sec.  2.63--Confidential Communications
    II. Sec.  2.64--Procedures and Criteria for Orders Authorizing 
Uses and Disclosures for Noncriminal Purposes (Proposed Heading)
    JJ. Sec.  2.65--Procedures and Criteria for Orders Authorizing 
Use and Disclosure of Records To Criminally Investigate or Prosecute 
Patients (Proposed Heading)
    KK. Sec.  2.66--Procedures and Criteria for Orders Authorizing 
Use and Disclosure of Records To Investigate or Prosecute a Part 2 
Program or Person Holding the Records (Proposed Heading)
    LL. Sec.  2.67--Orders Authorizing the Use of Undercover Agents 
and Informants To Investigate Employees or Agents of a Part 2 
Program in Connection With a Criminal Matter
    MM. Sec.  2.68--Report to the Secretary (Proposed Heading)
IV. Request for Comments
V. Public Participation
VI. Regulatory Impact Analysis
    A. Executive Orders 12866 and 13563 and Related Executive Orders 
on Regulatory Review
    1. Summary of the Proposed Rule
    2. Need for the Proposed Rule
    3. Cost-Benefit Analysis
    4. Consideration of Regulatory Alternatives
    5. Request for Comments on Costs and Benefits
    B. Regulatory Flexibility Act
    C. Unfunded Mandates Reform Act
    D. Executive Order 13132--Federalism
    E. Assessment of Federal Regulation and Policies on Families
    F. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours for 42 CFR 
Part 2
    2. Explanation of Estimated Capital Expenses for 42 CFR Part 2
    3. Explanation of Estimated Annualized Burden Hours for 45 CFR 
164.520

Executive Summary

Overview

    In this Notice of Proposed Rulemaking (NPRM), the Department 
proposes to modify certain provisions of part 2 of title 42 of the Code 
of Federal Regulations (42 CFR part 2 or ``Part 2'') \1\ to implement 
statutory amendments to section 290dd-2 of title 42 United States Code 
(42 U.S.C. 290dd-2) enacted in section 3221 of the Coronavirus Aid, 
Relief, and Economic Security (CARES) Act.\2\
---------------------------------------------------------------------------

    \1\ For readability, the Department refers to specific sections 
of 42 CFR part 2 using a shortened citation with the ``Sec.  '' 
symbol except where necessary to distinguish title 42 citations from 
other CFR titles, such as title 45 CFR, and in footnotes where the 
full reference is used.
    \2\ Public Law 116-136, 134 Stat. 281 (March 27, 2020).
---------------------------------------------------------------------------

    Part 2 currently imposes different requirements for substance use 
disorder (SUD) treatment records protected by Part 2 (``Part 2 
records'') \3\ than the Health Insurance Portability and Accountability 
Act of 1996 (HIPAA) \4\ Privacy, Security, Breach Notification, and 
Enforcement Rules (``HIPAA Rules'') \5\ apply to protected health 
information (PHI).\6\ The statutory and regulatory schemes apply to 
different types of entities and create dual obligations and compliance 
challenges for HIPAA covered entities \7\ and business associates \8\ 
that maintain PHI and Part 2 records, and thus are subject to both sets 
of rules.\9\ Treatment providers have also expressed concerns that they 
lack access to complete information when treating patients.\10\ Section 
290dd-2, as amended by section 3221 of the CARES Act, aligns certain 
Part 2 requirements more closely to requirements of the HIPAA Rules to 
improve the ability of entities that are subject to Part 2 to use and 
disclose Part 2 records and makes other changes to Part 2, as described 
in this preamble.
---------------------------------------------------------------------------

    \3\ See 42 U.S.C. 290dd-2(a). ``Records of the identity, 
diagnosis, prognosis, or treatment of any patient which are 
maintained in connection with the performance of any program or 
activity relating to substance use disorder education, prevention, 
training, treatment, rehabilitation, or research, which is 
conducted, regulated, or directly or indirectly assisted by any 
department or agency of the United States shall, except as provided 
in subsection (e), be confidential and be disclosed only for the 
purposes and under the circumstances expressly authorized under 
subsection (b)''.
    \4\ See the Administrative Simplification provisions of title 
II, subtitle F, of HIPAA (Public Law 104-191), 110 Stat. 1936 
(August 21, 1996) which added a new part C to title XI of the Social 
Security Act (secs. 1171-1179 of the Social Security Act, 42 U.S.C. 
1320d-1320d-8), as amended by the Health Information Technology for 
Economic and Clinical Health (HITECH) Act, enacted as title XIII of 
division A and title IV of division B of the American Recovery and 
Reinvestment Act of 2009 (ARRA), Public Law 111-5, 123 Stat. 226 
(February 17, 2009).
    \5\ See the Privacy Rule, 45 CFR parts 160 and 164, subparts A 
and E; the Security Rule 45 CFR parts 160 and 164, subparts A and C; 
the Breach Notification Rule, 45 CFR part 164, subpart D; and the 
Enforcement Rule, 45 CFR part 160, subparts C, D, and E. Breach 
notification requirements were added by the HITECH Act.
    \6\ PHI is individually identifiable health information 
maintained or transmitted by or on behalf of a HIPAA covered entity. 
See 45 CFR 160.103 (definitions of ``Individually identifiable 
health information'' and ``Protected health information'').
    \7\ Covered entities are health care providers who transmit 
health information electronically in connection with any transaction 
for which the Department has adopted an electronic transaction 
standard, health plans, and health care clearinghouses. See 45 CFR 
160.103 (definition of ``Covered entity'').
    \8\ A business associate is a person, other than a workforce 
member, that performs certain functions or activities for or on 
behalf of a covered entity, or that provides certain services to a 
covered entity involving the disclosure of PHI to the person. See 45 
CFR 160.103 (definition of ``Business associate'').
    \9\ See ``Part 2 Proposed Rule Brings Clarity and Reduces 
Regulatory Burdens for Substance Use Disorder Providers, but 
Challenges Remain'' (September 2019), https://www.mintz.com/insights-center/viewpoints/2146/2019-09-part-2-proposed-rule-brings-clarity-and-reduces-regulatory; ``HIPAA: A Trap for the Unwary'' 
(May 2014), https://www.dykema.com/resources-alerts-HIPAA-A-Trap-for-the-Unwary_5-2014.html; and correspondence from Partnership to 
Amend 42 CFR part 2 (March 2019), https://www.pcpcc.org/sites/default/files/news_files/Response%20from%20Partnership%20to%20Amend%2042%20CFR%20Part%202.pdf.

    \10\ See Published Comments--Request for Public Comment on the 
Confidentiality of Alcohol and Drug Abuse Patient Records, 79 FR 
26929 (May 2014) Document 26, (June 23, 2014) at page 20, https://www.samhsa.gov/sites/default/files/about_us/who_we_are/comments-100-120.pdf; ``Privacy Laws are Hurting the Care of Patients with 
Addiction'' (July 2018), https://www.statnews.com/2018/07/13/privacy-laws-patients-addiction/.
---------------------------------------------------------------------------

    Paragraphs (b), (c), and (f) of section 290dd-2, as amended by 
section 3221 of the CARES Act, contain modified or new requirements for 
patient consent and redisclosure of Part 2 records; \11\ new rights to 
obtain an accounting of disclosures made with consent \12\ and to 
request restrictions on disclosures; \13\ greater restrictions against 
the use and disclosure of records in civil, criminal, administrative, 
and legislative proceedings against patients; \14\ and new civil money 
penalties (CMPs) for violations of Part 2.\15\ Paragraphs (i), (j), and 
(k) of section 290dd-2, as amended by section 3221 of the CARES Act, 
add new requirements to prohibit discrimination,\16\ impose breach 
notification obligations,\17\ and incorporate definitions from the 
HIPAA Rules into Part 2.\18\ Finally, section 3221(i) of the CARES Act 
requires the Department to update its Notice of Privacy Practices (NPP) 
requirements in the HIPAA Privacy Rule (``Privacy Rule'') at 45 CFR 
164.520 to address uses and disclosures of Part 2 records and 
individual rights with respect to those records.\19\ This NPRM contains 
proposals to implement the CARES Act provisions relating to health 
information privacy; the Department intends to develop a separate 
rulemaking to implement the CARES Act antidiscrimination prohibitions.
---------------------------------------------------------------------------

    \11\ 42 U.S.C. 290dd-2(b)(1).
    \12\ 42 U.S.C. 290dd-2(b)(1)(B).
    \13\ 42 U.S.C. 290dd-2(b)(1)(D). Additionally, section 3221 of 
the CARES Act further emphasizes the patient's right to request 
restrictions on disclosures in both the Rules of Construction and 
the Sense of Congress. See CARES Act secs. 3221(j)(1) and (k)(2), 
respectively.
    \14\ 42 U.S.C. 290dd-2(c).
    \15\ 42 U.S.C. 290dd-2(f).
    \16\ CARES Act sec. 3221(g) added paragraph (i) to 42 U.S.C. 
290dd-2 to insert an express prohibition against discrimination on 
the basis of information received pursuant to a disclosure of 
records. See 42 U.S.C. 290dd-2(i).
    \17\ 42 U.S.C. 290dd-2(j).
    \18\ 42 U.S.C. 290dd-2(k).
    \19\ CARES Act sec. 3221(i)(2).
---------------------------------------------------------------------------

    In addition to changes mandated by the CARES Act, the Department 
proposes to address concerns about potential unintended consequences 
for government agencies of the change in enforcement authority and 
penalties for violations of Part 2. Specifically, the Department 
proposes to create a limitation on liability for agencies and persons 
acting on their behalf, that investigate and prosecute Part 2 programs 
(to be defined as ``investigative agencies'') and unknowingly receive 
records subject to Part 2 before applying for the requisite 
court order, provided they first exercise reasonable diligence by 
attempting to determine if the targeted provider is a Part 2 program. 
The proposal would permit investigative agencies to seek a court order 
after obtaining records in such situations. An additional proposal 
would require agencies using this safe harbor to report annually to the 
Secretary.

Effective and Compliance Dates

    The proposed effective date of a final rule would be 60 days after 
publication and the compliance date would be 22 months after the 
effective date. Entities subject to a final rule would have until the 
compliance date to establish and implement policies and practices to 
achieve compliance.
    Part 2 does not contain a standard compliance period for changes to 
the regulations; however, the HIPAA Rules generally require covered 
entities and business associates to comply with new or modified 
standards or implementation specifications no later than 180 days from 
the effective date of any such standards or implementation 
specifications, except as otherwise provided (e.g., in a specific 
rulemaking).\20\ While the proposed rule would make only minor 
modifications to the Privacy Rule, the Department proposes to provide 
the same, substantial compliance period for both the proposed 
modifications to 45 CFR 164.520 and the more extensive Part 2 
modifications. Accordingly, the Department would begin enforcement of 
the new and revised standards, in both regulations, 24 months after 
publication of a final rule. This compliance period would allow Part 2 
programs to revise existing policies and practices, complete other 
implementation requirements, and train their workforce members on the 
changes, as well as minimize administrative burdens on entities subject 
to the Privacy Rule.
---------------------------------------------------------------------------

    \20\ See 45 CFR 160.105.
---------------------------------------------------------------------------

    The Department requests comment on whether the 22-month compliance 
period is an appropriate length of time for entities subject to a final 
rule to come into compliance and any benefits or unintended adverse 
consequences for entities or individuals of a shorter or longer 
compliance period.
    Additionally, for the proposed accounting of disclosures 
requirements, the Department proposes to toll the compliance date for 
Part 2 programs until the effective date of a final rule on the HIPAA 
accounting of disclosures standard, 45 CFR 164.528. This would ensure 
that Part 2 programs do not incur new compliance obligations before 
covered entities and business associates under the Privacy Rule are 
obligated to comply.

Summary of Major Proposals

    The Department proposes the following changes to 42 CFR part 2 that 
revise, delete, replace, or add sections to implement statutory 
requirements enacted pursuant to section 3221 of the CARES Act. The 
Department also proposes to amend 42 CFR part 2 to reflect applicable 
standards in the HIPAA Rules, reflect language used in the HIPAA Rules, 
align regulatory text with statutory spelling,\21\ and improve clarity 
or readability. Additionally, the Department proposes to modify the NPP 
requirements in 45 CFR 164.520 consistent with section 3221(i) of the 
CARES Act.
---------------------------------------------------------------------------

    \21\ 42 U.S.C. 290dd-2(b)(1)(B) provides in part that ``[a]ny 
information so disclosed may be redisclosed in accordance with the 
HIPAA regulations.'' To align with the statute's spelling of the 
term ``redisclosed'' and for drafting consistency, the Department 
proposes to modify the term ``re-disclosed'' (and related root 
words) to remove the hyphen, where appropriate, throughout this 
document. See, e.g., proposed Sec. Sec.  2.12(d)(2)(i)(C); 
2.12(d)(2)(ii); 2.32(a)(1); 2.33(c); 2.34(b); 2.35(d); 2.52(b)(2); 
2.53(a).
---------------------------------------------------------------------------

    This section summarizes major proposals in this NPRM. Additional 
proposed revisions are not listed here because they are not considered 
major.\22\ All proposed changes are discussed in detail in section III 
of this NPRM:
---------------------------------------------------------------------------

    \22\ Generally, the proposals not listed make wording changes, 
not substantive changes. These proposals are reviewable in the 
regulatory text and include proposals to modify Sec.  2.17, 
Undercover agents and informants; Sec.  2.20, Relationship to state 
laws; Sec.  2.21 Relationship to federal statutes protecting 
research subjects against compulsory disclosure of their identity; 
and Sec.  2.34, Uses and Disclosures to prevent multiple enrollments 
(proposed heading).
---------------------------------------------------------------------------

    1. Sec.  2.1--Statutory authority for confidentiality of substance 
use disorder patient records.
    Revise Sec.  2.1 to more closely reflect the authority granted in 
42 U.S.C. 290dd-2(g), especially with respect to court orders 
authorizing the disclosure of records.
    2. Sec.  2.2--Purpose and effect.
    Amend paragraph (b) of Sec.  2.2 to reflect that Sec.  2.3(b) 
compels disclosures to the Secretary that are necessary for enforcement 
of this rule, using language adapted from the Privacy Rule at 45 CFR 
164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to 
prohibit any limits on a patient's right to request restrictions on use 
of records for treatment, payment, or health care operations (TPO) or a 
covered entity's choice to obtain consent to use or disclose records 
for TPO purposes as provided in the Privacy Rule.
    3. Sec.  2.3--Civil and criminal penalties for violations (proposed 
heading).
    Amend the heading and replace title 18 U.S.C. enforcement with 
references to the HIPAA enforcement authorities in the Social Security 
Act at sections 1176 (civil enforcement, including the CMP tiers 
established by the Health Information Technology for Economic and 
Clinical Health (HITECH) Act of 2009) and 1177 (criminal 
penalties),\23\ as implemented in the Enforcement Rule.\24\ Create a 
limitation on civil or criminal liability under Part 2 for 
investigative agencies that act with reasonable diligence before making 
a demand for records in the course of an investigation or prosecution 
of a Part 2 program or person holding the record, provided that certain 
conditions are met.\25\
---------------------------------------------------------------------------

    \23\ See Public Law 111-5, 123 Stat. 226 (February 17, 2009). 
Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) 
amended sections 1176 and 1177 of the Social Security Act (codified 
at 42 U.S.C. 1320d-5) to add civil and criminal penalty tiers for 
violations of the HIPAA Administrative Simplification provisions.
    \24\ See 45 CFR part 160.
    \25\ Although this provision is not expressly required by the 
CARES Act, it falls within the Department's general rulemaking 
authority in 42 U.S.C. 290dd-2(g), and is needed to address the 
logical consequences of the changes required by sec. 3221.
---------------------------------------------------------------------------

    4. Sec.  2.4--Complaints of violations (proposed heading).
    Amend the heading and insert requirements consistent with those 
applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), 
including: a requirement to establish a process for the Part 2 program 
to receive complaints, a prohibition against taking adverse action 
against patients who file complaints, and a prohibition against 
requiring individuals to waive the right to file a complaint as a 
condition of providing treatment, enrollment, payment, or eligibility 
for services.
    5. Sec.  2.11--Definitions.
    Add new terms and definitions to align with the following statutory 
and regulatory HIPAA terms: Breach, Business associate, Covered entity, 
Health care operations, HIPAA, HIPAA regulations, Payment, Person, 
Public health authority, Treatment, Unsecured protected health 
information, and Use. Create new defined terms Intermediary, 
Investigative agency, and Unsecured record, and modify the definitions 
of Informant, Part 2 program director, Patient, Program, Records, 
Third-party payer, Treating provider relationship, and Qualified 
service organization.
    6. Sec.  2.12--Applicability.
    Replace ``Armed Forces'' with ``Uniformed Services'' in paragraph 
(c)(2) of Sec.  2.12. Incorporate four 
statutory examples of restrictions on the use or disclosure of Part 2 
records to initiate or substantiate any criminal charges against a 
patient or to conduct any criminal investigation of a patient. Add 
language to qualify the term third-party payer with the phrase ``as 
defined in this part.'' Revise paragraph (e)(4)(i) to clarify when a 
diagnosis is not covered by Part 2.
    7. Sec.  2.13--Confidentiality restrictions and safeguards.
    Redesignate Sec.  2.13(d) requiring a list of disclosures as new 
Sec.  2.24 and modify the text for clarity. Amend the heading to 
distinguish the right to a list of disclosures made by intermediaries 
from the proposed new right to an accounting of disclosures made by a 
Part 2 program.
    8. Sec.  2.14--Minor patients.
    Change the verb ``judges'' to ``determines'' to describe a program 
director's evaluation and decision that a minor lacks decision making 
capacity.
    9. Sec.  2.15--Patients who lack capacity and deceased patients 
(proposed heading).
    Replace outdated language, clarify that paragraph (a) of this 
section refers to an adjudication by a court of a patient's lack of 
capacity to make health care decisions while paragraph (b) refers to a 
patient's lack of capacity to make health care decisions without court 
adjudication, and add health plans to the list of entities to which a 
program may disclose records without consent.
    10. Sec.  2.16--Security for records and notification of breaches 
(proposed heading).
    Apply the HITECH Act breach notification provisions \26\ that are 
currently implemented in the Breach Notification Rule to breaches of 
records by Part 2 programs and retitle the provision to include breach 
notification to implement CARES Act provisions. Modify the provision to 
refer to the Privacy Rule de-identification standard at 45 CFR 164.514.
---------------------------------------------------------------------------

    \26\ Section 13400 of the HITECH Act (codified at 42 U.S.C. 
17921) defined the term ``Breach''. Section 13402 of the HITECH Act 
(codified at 42 U.S.C. 17932) enacted breach notification 
provisions, discussed in detail below.
---------------------------------------------------------------------------

    11. Sec.  2.19--Disposition of records by discontinued programs.
    Add an exception to clarify that these provisions do not apply to 
transfers, retrocessions, and reassumptions of Part 2 programs pursuant 
to the Indian Self-Determination and Education Assistance Act (ISDEAA), 
in order to facilitate the responsibilities set forth in 25 U.S.C. 
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA 
regulations. Modernize the language to refer to ``non-electronic'' 
records and include ``paper'' records as an example of non-electronic 
records.
    12. Sec.  2.22--Notice to patients of federal confidentiality 
requirements.
    Modify the Part 2 confidentiality notice requirements (hereinafter, 
``Patient Notice'') to align with the NPP and address protections 
required by 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES 
Act, for entities that create or maintain Part 2 records.
    13. Sec.  2.23--Patient access and restrictions on use and 
disclosure (proposed heading).
    Add the term ``disclosure'' to the heading and body of this section 
to clarify that information obtained by patient access to their record 
may not be used or disclosed for purposes of a criminal charge or 
criminal investigation.
    14. Sec.  2.24--Requirements for intermediaries (redesignated and 
proposed heading).
    Retitle the redesignated section (to be moved from Sec.  2.13(d)) 
as ``Requirements for intermediaries'' to clarify the responsibilities 
of recipients of records received under a consent with a general 
designation, such as health information exchanges, research 
institutions, accountable care organizations, and care management 
organizations.
    15. Sec.  2.25--Accounting of disclosures (proposed heading).
    Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as 
amended by section 3221 of the CARES Act, to incorporate into Part 
2 the HITECH Act right to an accounting of certain disclosures of 
records for up to three years prior to the date the accounting is 
requested and add a right to an accounting of disclosures of records 
that mirrors the standard in the Privacy Rule at 45 CFR 164.528.
    16. Sec.  2.26--Right to request privacy protection for records 
(proposed heading).
    Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as 
amended by section 3221 of the CARES Act, to incorporate into Part 
2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 
164.522, namely: (1) a patient right to request restrictions on 
disclosures of records otherwise permitted for TPO purposes, and (2) a 
patient right to obtain restrictions on disclosures to health plans for 
services paid in full by the patient.
    17. Subpart C--Uses and Disclosures With Patient Consent (proposed 
heading).
    Change the heading of subpart C to ``Uses and Disclosures With 
Patient Consent'' to reflect changes made to the provisions of this 
subpart related to the consent to use and disclose Part 2 records, 
consistent with 42 U.S.C. 290dd-2(b), as amended by section 3221(b) 
of the CARES Act.
    18. Sec.  2.31--Consent requirements.
    Align the content requirements for Part 2 written consent with the 
content requirements for a valid HIPAA authorization and clarify how 
recipients may be designated in a consent to use and disclose Part 2 
records for TPO.
    19. Sec.  2.32--Notice to accompany disclosure (proposed heading).
    Change the heading of this section and align the content 
requirements for the required notice that accompanies a disclosure of 
records (hereinafter ``notice to accompany disclosure'') with the 
requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of 
the CARES Act.
    20. Sec.  2.33--Uses and disclosures permitted with written consent 
(proposed heading).
    To align this provision with the statutory authority in 42 U.S.C. 
290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace 
the provisions requiring consent for uses and disclosures for payment 
and certain health care operations with permission to use and disclose 
records for TPO with a single consent given once for all such future 
uses and disclosures, until such time as the patient revokes the 
consent in writing. Create redisclosure permissions for two categories 
of recipients of Part 2 records pursuant to a written consent: (1) 
Permit a Part 2 program, covered entity, or business associate that 
receives Part 2 records pursuant to a written consent for TPO purposes 
to redisclose the records in any manner permitted by the Privacy Rule, 
except for certain proceedings against the patient; \27\ and (2) Permit 
a lawful holder that is not a covered entity, business associate, or 
Part 2 program to redisclose Part 2 records for payment and health care 
operations to its contractors, subcontractors, or legal representatives 
as needed to carry out the activities in the consent.
---------------------------------------------------------------------------

    \27\ See 42 U.S.C. 290dd-2(b)(1)(B) and (2)(c).
---------------------------------------------------------------------------

    21. Sec.  2.35--Disclosures to elements of the criminal justice 
system which have referred patients.
    For clarity, replace ``individuals'' with ``persons'' and clarify 
that permitted redisclosures of information are from Part 2 records.
    22. Subpart D--Uses and Disclosures Without Patient Consent 
(proposed heading).
    Change the heading of subpart D to ``Uses and Disclosures Without 
Patient Consent'' to reflect changes made to the 
provisions of this subpart related to the consent to use and disclose 
Part 2 records, consistent with 42 U.S.C. 290dd-2 as amended by the 
CARES Act.
    23. Sec.  2.51--Medical emergencies.
    For clarity in Sec.  2.51(c)(2), replace the term ``individual'' 
with the term ``person.''
    24. Sec.  2.52--Scientific research (proposed heading).
    Revise the heading of Sec.  2.52 to reflect statutory language. To 
further align Part 2 with the Privacy Rule, replace the requirements to 
render Part 2 data in research reports non-identifiable with the 
Privacy Rule's de-identification standard in 45 CFR 164.514.
    25. Sec.  2.53--Management audits, financial audits, and program 
evaluation (proposed heading).
    Revise the heading of Sec.  2.53 to reflect statutory language. To 
support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by 
section 3221(b) of the CARES Act, add a provision to acknowledge the 
permission for use and disclosure of records for health care operations 
purposes based on written consent of the patient and the permission to 
redisclose such records as permitted by the HIPAA Privacy Rule if the 
recipient is a Part 2 program, covered entity, or business associate.
    26. Sec.  2.54--Disclosures for public health (proposed heading).
    Add a new Sec.  2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as 
amended by section 3221(c) of the CARES Act, to permit disclosure of 
records without patient consent to public health authorities provided 
that the records disclosed are de-identified according to the standards 
established in section 45 CFR 164.514.
    27. Subpart E--Court Orders Authorizing Use and Disclosure 
(proposed heading).
    Change the heading of subpart E to reflect changes made to the 
provisions of this subpart related to the uses and disclosure of Part 2 
records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), 
as amended by sections 3221(b) and (e) of the CARES Act.
    28. Sec.  2.61--Legal effect of order.
    Add the term ``use'' to clarify that the legal effect of a court 
order would include authorizing the use and disclosure of records, 
consistent with 42 U.S.C. 290dd-2(b) and (c), as amended by section 
3221(e) of the CARES Act.
    29. Sec.  2.62--Order not applicable to records disclosed without 
consent to researchers, auditors, and evaluators.
    For clarity, replace the term ``qualified personnel'' with a 
reference to the criteria that define such persons.
    30. Sec.  2.63--Confidential communications.
    Revise paragraph (c) of Sec.  2.63 to expressly include civil, 
criminal, administrative, and legislative proceedings as forums where 
the requirements for a court order under this part would apply, to 
implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the 
CARES Act.
    31. Sec.  2.64--Procedures and criteria for orders authorizing uses 
and disclosures for noncriminal purposes (proposed heading).
    Expand the types of forums where restrictions on use and disclosure 
of records in civil proceedings against patients apply \28\ to 
expressly include administrative and legislative proceedings and also 
restrict the use of testimony conveying information in a record in 
civil proceedings against patients, absent consent or a court order. 
Add the term ``uses'' to the heading and in this section to align it 
with current statutory authority.
---------------------------------------------------------------------------

    \28\ See 42 CFR part 2, subpart E.
---------------------------------------------------------------------------

    32. Sec.  2.65--Procedures and criteria for orders authorizing use 
and disclosure of records to criminally investigate or prosecute 
patients (proposed heading).
    Expand the types of forums where restrictions on uses and 
disclosure of records in criminal proceedings against patients apply 
\29\ to expressly include administrative and legislative proceedings 
and also restrict the use of testimony conveying information in a Part 
2 record in criminal proceedings against patients, absent consent or a 
court order.
---------------------------------------------------------------------------

    \29\ Id.
---------------------------------------------------------------------------

    33. Sec.  2.66--Procedures and criteria for orders authorizing use 
and disclosure to investigate or prosecute a part 2 program or the 
person holding the records (proposed heading).
    Create requirements for investigative agencies to follow in the 
event they discover in good faith that they received Part 2 records 
during an investigation or prosecution of a Part 2 program or the 
person holding the records before seeking a court order as required 
under Sec.  2.66.
    34. Sec.  2.67--Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.
    Add new criteria for issuance of a court order in instances where 
an application is submitted after the placement of an undercover agent 
or informant has already occurred, requiring an investigative agency to 
satisfy the conditions at Sec.  2.3(b).
    35. Sec.  2.68--Report to the Secretary (proposed heading).
    Create new requirements for investigative agencies to file annual 
reports about the instances in which they applied for a court order 
after receipt of Part 2 records or placement of an undercover agent or 
informant as provided in Sec.  2.66 and Sec.  2.67.
    36. 45 CFR 164.520--Notice of privacy practices for protected 
health information.
    Revise 45 CFR 164.520 to implement updates to the NPP to address 
Part 2 confidentiality requirements, as required by section 3221(i)(2) 
of the CARES Act.

Background and Need for Proposed Rule

    There are approximately 16,066 publicly funded SUD treatment 
facilities \30\ and 1.8 million HIPAA covered entities and business 
associates, with an unknown percentage of entities subject to both 
HIPAA and Part 2. Part 2 records often also meet the definition of PHI 
when maintained by HIPAA covered entities (or their business associates 
on the covered entities' behalf). To ensure compliance with both sets 
of regulatory requirements, dually regulated entities subject to both 
Part 2 and the HIPAA Rules (i.e., covered entities that also are Part 2 
programs) must track and segregate the records that are subject to Part 
2 from the records that are subject only to the HIPAA Rules and obtain 
specific written consent for most uses and disclosures of Part 2 
records (including uses and disclosures for non-emergency treatment 
purposes). The Department has been urged by many stakeholders to change 
Part 2 to eliminate the need for data segmentation.\31\
---------------------------------------------------------------------------

    \30\ See Substance Abuse and Mental Health Services 
Administration, National Survey of Substance Abuse Treatment 
Services (N-SSATS): 2020. Data on Substance Abuse Treatment 
Facilities. Rockville, MD: Substance Abuse and Mental Health 
Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
    \31\ For example, the Ohio Behavioral Health Providers Network 
(Network) in an August 21, 2020, letter to SAMHSA, and the 
Partnership to Amend Part 2 in a similar January 8, 2021, letter to 
the U.S. Department of Health and Human Services (HHS), both urge 
that there should be no requirement for data segmentation or 
segregation after written consent is obtained and Part 2 records are 
transmitted to a health information exchange or care management 
entity that is a business associate of a covered entity covered by 
the new CARES Act consent language. In the letter, the Network 
states that such requirements are difficult to implement in 
federally qualified health centers and other integrated settings in 
which SUD treatment may be provided. See also public comments 
expressed and summarized in 85 FR 42986, https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records; and see 
https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.

---------------------------------------------------------------------------

    The preamble to the 2000 Final Privacy Rule explained how entities 
subject to the Privacy Rule and Part 2 could comply with both rules 
because in most cases the rules do not conflict. The Privacy Rule 
permits, but does not require, some disclosures that are not permitted 
by Part 2. Complying with Part 2's prohibitions on such disclosures 
would not be a violation of the Privacy Rule. And in instances where 
Part 2 permits disclosures that would otherwise be restricted by the 
Privacy Rule, an entity that is subject to both sets of regulations 
would be able to comply with the Privacy Rule's restrictions without 
violating Part 2.\32\
---------------------------------------------------------------------------

    \32\ See 65 FR 82482 (December 28, 2000).
---------------------------------------------------------------------------

    Although the Department intended to facilitate compliance by 
entities subject to both regulatory schemes, significant differences in 
the statutorily permitted uses and disclosures of Part 2 records and 
PHI contributed to ongoing operational compliance challenges. For 
example, once a HIPAA covered entity or business associate disclosed 
PHI to a person who was not a covered entity or business associate, the 
information was no longer protected by the Privacy Rule, and thus the 
Privacy Rule's limitations on uses and disclosures did not apply. In 
contrast, Part 2 strictly limited the redisclosure of Part 2 records by 
any individual or entity that received a Part 2 record directly from a 
Part 2 program or other ``lawful holder'' of patient identifying 
information, absent written patient consent or as otherwise permitted 
under the regulations.\33\ \34\
---------------------------------------------------------------------------

    \33\ See 42 CFR 2.12(d)(2)(i)(C).
    \34\ See 42 CFR 2.11, definitions of ``Patient identifying 
information'' and ``Disclose''.
---------------------------------------------------------------------------

    Regarding Part 2 records, a treating provider that is not a Part 2 
program could record information about the treatment of an individual's 
SUD in its non-Part 2 records, even if it gleaned the information from 
a Part 2 record, and the information in the non-Part 2 records would 
not be subject to Part 2; however, any Part 2 records received from a 
Part 2 program or other lawful holder would need to be segregated or 
segmented.\35\ Previously, the need to segment Part 2 records from 
other health records created data ``silos'' that hampered the 
integration of SUD treatment records into covered entities' electronic 
record systems and billing processes. Some lawmakers have argued that 
these silos perpetuated negative stereotypes about persons with SUD and 
inhibited coordination of care \36\ \37\ during the opioid 
epidemic.\38\ In 2019, the National Association of Attorneys General 
(NAAG) urged Congress to update the 40-year-old Part 2 regulation that 
was created in a time of ``intense stigma'' surrounding SUD treatment 
because it now serves to ``perpetuate that stigma, as the principle 
underlying these rules is that [SUD] treatment is shameful and records 
of it should be withheld from other treatment providers in ways that we 
do not withhold records of treatment of other chronic diseases.'' \39\ 
In that same year ``nearly 50,000 people in the United States died from 
opioid-involved overdoses.'' \40\ During a congressional hearing, ``The 
Opioid Crisis: The Role of Technology and Data in Preventing and 
Treating Addiction,'' Senator Patty Murray (D-WA) observed that, 
``[t]echnology and data offer important opportunities to address the 
opioid crisis, to prevent addi[c]tion, and avoid the tragedy so many 
families are facing.'' \41\
---------------------------------------------------------------------------

    \35\ See 42 CFR 2.12(d)(2)(ii).
    \36\ See, e.g., remarks of U.S. Representative Earl Blumenauer: 
``If substance use disorder treatment is not included in your entire 
medical records, then they are not complete. It makes care 
coordination more difficult and can lead to devastating outcomes. 
This bill works to remove the stigma that comes with substance use 
disorders and ensures necessary information is available for safe, 
efficient, and transparent treatment for all patients.'' See also 
remarks of U.S. Representative Markwayne Mullin: ``It's time that we 
stop stigmatizing those struggling with opioid abuse and give 
physicians the tools they need to help their patients. Mental health 
and physical health have been treated in a silo for too long. Our 
bill breaks down those barriers so the doctor can treat the whole 
patient. I'm proud to introduce this bill with my colleagues so that 
we can provide 21st century care to those who need it the most'', 
https://blumenauer.house.gov/media-center/press-releases/blumenauer-and-mullin-introduce-bipartisan-legislation-address-opioid.
    \37\ But see 85 FR 42986 (July 15, 2020), in which the 
Department finalized a rule permitting the disclosure of Part 2 
records for care coordination by certain ``lawful holders'' that 
receive a record for payment or health care operation activities 
directly from a Part 2 program or other lawful holder.
    \38\ In 2017, the Department declared a public health emergency 
related to the opioid crisis. See Public Health Emergency (October 
26, 2017), https://www.hhs.gov/sites/default/files/opioid%20PHE%20Declaration-no-sig.pdf. https://www.phe.gov/emergency/news/healthactions/phe/Pages/opioids.aspx.
    \39\ NAAG Requests Removal of Federal Barriers to Treat Opioid 
Use Disorder (August 5, 2019), at https://www.naag.org/policy-letter/naag-requests-removal-of-federal-barriers-to-treat-opioid-use-disorder/.
    \40\ Opioid Overdose Crisis, National Institutes of Health 
National Institute on Drug Abuse (March 11, 2021), https://www.drugabuse.gov/drug-topics/opioids/opioid-overdose-crisis. See 
also CDC/NCHS, National Vital Statistics System, Mortality. CDC 
WONDER, Atlanta, GA: US Department of Health and Human Services, 
CDC; 2019, https://wonder.cdc.gov.
    \41\ Hearing of the Committee on Health, Education, Labor, and 
Pensions United States Senate, ``The Role of Technology and Data in 
Preventing and Treating Addiction.'' (February 27, 2018), https://www.govinfo.gov/content/pkg/CHRG-115shrg28855/pdf/CHRG-115shrg28855.pdf.
---------------------------------------------------------------------------

    To address these concerns, Congress enacted the CARES Act, which 
requires the Department to promulgate regulations modifying the 
confidentiality requirements for Part 2 records.\42\ This rulemaking 
proposes modifications to 42 CFR part 2 and the Privacy Rule that are 
necessary to implement the statutory amendments made to 42 U.S.C. 
290dd-2, and additional modifications to Part 2 to better align certain 
provisions of Part 2 to the Privacy Rule and address concerns about 
potential liability for government agencies in the course of 
investigating and prosecuting Part 2 programs under the new penalties 
and enforcement scheme.
---------------------------------------------------------------------------

    \42\ See sec. 3221(i) of the CARES Act.
---------------------------------------------------------------------------

A. Statutory and Regulatory Background

    Congress enacted the first federal confidentiality protections for 
SUD records in section 333 of the Comprehensive Alcohol Abuse and 
Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.\43\ 
The statute authorized ``persons engaged in research on, or treatment 
with respect to, alcohol abuse and alcoholism to protect the privacy of 
individuals who [were] the subject of such research or treatment'' from 
persons not connected with the conduct of the research or treatment by 
withholding identifying information.
---------------------------------------------------------------------------

    \43\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (December 
31, 1970) (codified at 42 U.S.C. 2688h).
---------------------------------------------------------------------------

    Section 408 of the Drug Abuse Office and Treatment Act of 1972 \44\ 
applied confidentiality requirements to records relating to drug abuse 
prevention authorized or assisted under any provision of the Act. 
Section 408 permitted disclosure, with a patient's written consent, for 
diagnosis or treatment by medical personnel and to government personnel 
for obtaining patient benefits to which the patient is entitled. The 
1972 Act also established exceptions to the consent requirement to 
permit disclosures for bona fide medical emergencies; to qualified 
personnel for conducting certain activities, such as scientific 
research or financial audit or program evaluation, as long as the 
patient is not identified in any reports; and as authorized by court 
order granted after application showing good cause.\45\
---------------------------------------------------------------------------

    \44\ See sec. 408, Public Law 92-255, 86 Stat. 65 (March 21, 
1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the 
use of a covered record for use or initiation or substantiation of 
criminal charges against a patient or investigation of a patient. 
Section 408 provided for a fine in the amount of $500 for a first 
offense violation, and not more than $5,000 for each subsequent 
offense.
    \45\ Id.
---------------------------------------------------------------------------

    The Comprehensive Alcohol Abuse and Alcoholism Prevention, 
Treatment, and Rehabilitation Act Amendments of 1974 \46\ expanded the 
types of records protected by confidentiality restrictions to include 
records relating to alcoholism, alcohol abuse, and drug abuse 
prevention, maintained in connection with any program or activity 
conducted, regulated, or directly or indirectly federally assisted by 
any United States agency. The 1974 Act also permitted the disclosure of 
records based on prior written patient consent only to the extent such 
disclosures were allowed under Federal regulations. Additionally, the 
1974 Act excluded the interchange of records within the Armed Forces or 
components of the U.S. Department of Veterans Affairs (VA), then known 
as the Veterans' Administration, from the confidentiality 
restrictions.\47\
---------------------------------------------------------------------------

    \46\ See sec. 101, title I, Public Law 93-282, 88 Stat. 126 (May 
14, 1974), providing that: ``This title [enacting this section and 
sections 4542, 4553, 4576, and 4577 of this title, amending sections 
242a, 4571, 4572, 4573, 4581, and 4582 of this title, and enacting 
provisions set out as notes under sections 4581 and 4582 of this 
title] may be cited as the `Comprehensive Alcohol Abuse and 
Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments 
of 1974''.
    \47\ See sec. 408, title I, Public Law 92-255, 86 Stat. 79 
(March 21, 1972) (originally codified at 21 U.S.C. 1175). See 21 
U.S.C. 1175 note for complete statutory history.
---------------------------------------------------------------------------

    In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health 
Administration Reorganization Act (ADAMHA Reorganization Act) \48\ 
added section 543, Confidentiality of Records, to the Public Health 
Service Act (PHSA) (codified at 42 U.S.C. 290dd-2) (``Part 2 
statute''), which narrowed the grounds upon which a court could grant 
an order permitting disclosure of such records from ``good cause'' 
(i.e., based on weighing the public interest in the need for disclosure 
against the injury to the patient, physician-patient relationship and 
treatment services) \49\ to ``the need to avert a substantial risk of 
death or serious bodily harm.'' \50\ Congress also established criminal 
penalties for Part 2 violations under title 18 of the United States 
Code, Crimes and Criminal Procedure.\51\ Finally, section 543 granted 
broad authority to the Secretary to prescribe regulations to carry out 
the purposes of section 543 and provide for safeguards and procedures, 
including criteria for the issuance and scope of court orders to 
authorize disclosure of SUD records, ``as in the judgment of the 
Secretary are necessary or proper to effectuate the purposes of this 
section, to prevent circumvention or evasion thereof, or to facilitate 
compliance therewith.'' \52\
---------------------------------------------------------------------------

    \48\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 
1992) (codified at 42 U.S.C. 201 note).
    \49\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (December 
31, 1970).
    \50\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 
1992) (codified at 42 U.S.C. 201 note).
    \51\ Id., adding sec. 543(b)(2)(C) to the PHSA.
    \52\ Id., adding sec. 543(g) to the PHSA.
---------------------------------------------------------------------------

    In 1975, the Department promulgated the first federal regulations 
implementing statutory SUD confidentiality provisions at 42 CFR part 
2.\53\ In 1987, the Department published a final rule making 
substantive changes to the scope of Part 2 to clarify the regulations 
and ease the burden of compliance by Part 2 programs within the 
parameters of the existing statutory restrictions.\54\ After the 1992 
enactment of the ADAMHA Reorganization Act (Pub. L. 102-321), the 
Department later clarified the definition of ``program'' in a 1995 
final rule to narrow the scope of Part 2 regulations pertaining to 
medical facilities to cover only those entities or units within a 
general medical facility that hold themselves out as providing 
diagnosis, treatment, or referral for treatment, or specialized 
personnel (who are identified as providing such services as a primary 
function) and which directly or indirectly receive federal 
assistance.\55\
---------------------------------------------------------------------------

    \53\ See 40 FR 27802 (July 1, 1975).
    \54\ See 52 FR 21796 (June 9, 1987). See also Notice of Decision 
to Develop Regulations, 45 FR 53 (January 2, 1980) and 48 FR 38758 
(August 25, 1983).
    \55\ See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (August 
18, 1994) and 59 FR 45063 (August 31, 1994). The ambiguity of the 
definition of ``program'' was identified in United States v. Eide, 
875 F. 2d 1429 (9th Cir. 1989) where the court held that the general 
emergency room is a ``program'' as defined by the regulations.
---------------------------------------------------------------------------

HIPAA and the HITECH Act
    In 1996, Congress enacted HIPAA,\56\ which included Administrative 
Simplification provisions requiring the establishment of national 
standards \57\ to protect the privacy and security of individuals' 
health information and establishing civil money and criminal penalties 
for violations of the requirements, among other provisions.\58\ The 
Administrative Simplification provisions and implementing regulations 
apply to covered entities, which are health care providers who conduct 
covered health care transactions electronically, health plans, and 
health care clearinghouses.\59\ Certain provisions of the HIPAA Rules 
also apply directly to business associates of covered entities.\60\
---------------------------------------------------------------------------

    \56\ See Public Law 104-191, 110 Stat. 1936 (August 21, 1996).
    \57\ Cited at fn. 3. See also sec. 264 of HIPAA (codified at 42 
U.S.C. 1320d-2 note).
    \58\ See 42 U.S.C. 1320d-1-1320d-9. With respect to privacy 
standards, Congress directed the Department to ``address at least 
the following: (1) The rights that an individual who is a subject of 
individually identifiable health information should have. (2) The 
procedures that should be established for the exercise of such 
rights. (3) The uses and disclosures of such information that should 
be authorized or required.'' 42 U.S.C. 1320d-2 note.
    \59\ See 42 U.S.C. 1320d-1 (applying Administrative 
Simplification provisions to covered entities).
    \60\ See ``Office for Civil Rights Fact Sheet on Direct 
Liability of Business Associates under HIPAA'' (May 2019) for a 
comprehensive list of requirements in the HIPAA Rules that apply 
directly to business associates (available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/).
---------------------------------------------------------------------------

    The Privacy Rule, including provisions implemented as a result of 
the HITECH Act,\61\ regulates the use and disclosure of PHI by covered 
entities and business associates, requires covered entities to have 
safeguards in place to protect the privacy of PHI, and requires covered 
entities to obtain the written authorization of an individual to use 
and disclose the individual's PHI unless otherwise permitted by the 
Privacy Rule.\62\ The Privacy Rule includes several use and disclosure 
permissions that are relevant to this NPRM, including the permissions 
for covered entities to use and disclose PHI without written 
authorization from an individual for TPO; \63\ to public health 
authorities for public health purposes; \64\ and for research in the 
form of a limited data set \65\ or pursuant to a waiver of 
authorization by a Privacy Board or Institutional Review Board.\66\ The 
Privacy Rule also establishes the rights of individuals with respect to 
their PHI, including the rights to: receive adequate notice of a 
covered entity's privacy
practices; to request restrictions of certain uses and disclosures; to 
access (i.e., to inspect and obtain a copy of) their PHI; to request an 
amendment of their PHI; and to receive an accounting of certain 
disclosures of their PHI.\67\ Finally, the Privacy Rule specifies 
standards for de-identification of PHI such that, when applied, the 
information is no longer individually identifiable health information 
and subject to the HIPAA Rules.\68\
---------------------------------------------------------------------------

    \61\ The HITECH Act extended the applicability of certain 
Privacy Rule requirements and all of the Security Rule requirements 
to the business associates of covered entities; required HIPAA 
covered entities and business associates to provide for notification 
of breaches of unsecured PHI (implemented by the Breach Notification 
Rule); established new limitations on the use and disclosure of PHI 
for marketing and fundraising purposes; prohibited the sale of PHI; 
required consideration of whether a limited data set can serve as 
the minimum necessary amount of information for uses and disclosures 
of PHI; and expanded individuals' rights to access electronic copies 
of their PHI in an EHR, to receive an accounting of disclosures of 
their PHI with respect to ePHI, and to request restrictions on 
certain disclosures of PHI to health plans. In addition, subtitle D 
strengthened and expanded HIPAA's enforcement provisions. See 
subtitle D of title XIII of the HITECH Act, entitled ``Privacy'', 
for all provisions (codified in title 42 of U.S.C.).
    \62\ See 45 CFR 164.502(a).
    \63\ See 45 CFR 164.506.
    \64\ See 45 CFR 164.512(b).
    \65\ See 45 CFR 164.514(e)(1-4).
    \66\ See 45 CFR 164.512(i).
    \67\ See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
    \68\ See 45 CFR 164.514(a-c).
---------------------------------------------------------------------------

    The Security Rule, codified at 45 CFR parts 160 and 164, subparts A 
and C, requires covered entities and their business associates to 
implement administrative, physical, and technical safeguards to protect 
electronic PHI (ePHI). Specifically, covered entities and business 
associates must ensure the confidentiality, integrity, and availability 
of all ePHI they create, receive, maintain, or transmit; \69\ protect 
against reasonably anticipated threats or hazards to the security or 
integrity of the information \70\ and reasonably anticipated 
impermissible uses or disclosures; \71\ and ensure compliance by their 
workforce.\72\
---------------------------------------------------------------------------

    \69\ See 45 CFR 164.306(a)(1).
    \70\ See 45 CFR 164.306(a)(2).
    \71\ See 45 CFR 164.306(a)(3).
    \72\ See 45 CFR 164.306(a)(4).
---------------------------------------------------------------------------

    The Breach Notification Rule, codified at 45 CFR parts 160 and 164, 
subparts A and D, implements HITECH Act requirements \73\ for covered 
entities to provide notification to affected individuals, the 
Secretary, and in some cases the media, following a breach of unsecured 
PHI. The Breach Notification Rule also requires a covered entity's 
business associate that experiences a breach of unsecured PHI to notify 
the covered entity of the breach. A breach is, generally, an 
impermissible use or disclosure under the Privacy Rule that compromises 
the security or privacy of ``unsecured'' PHI, subject to three 
exceptions: \74\ (1) the unintentional acquisition, access, or use of 
PHI by a workforce member or person acting under the authority of a 
covered entity or business associate, if such acquisition, access, or 
use was made in good faith and within the scope of authority; (2) the 
inadvertent disclosure of PHI by a person authorized to access PHI at a 
covered entity or business associate to another person authorized to 
access PHI at the covered entity or business associate, or organized 
health care arrangement (OHCA) in which the covered entity 
participates; and (3) the covered entity or business associate making 
the disclosure has a good faith belief that the unauthorized person to 
whom the impermissible disclosure was made, would not have been able to 
retain the information.
---------------------------------------------------------------------------

    \73\ See sec. 13402 of the HITECH Act (codified at 42 U.S.C. 
17932).
    \74\ See 45 CFR 164.402 para. (1).
---------------------------------------------------------------------------

    The Breach Notification Rule provides that a covered entity may 
rebut the presumption that such impermissible use or disclosure 
constituted a breach by demonstrating that there is a low probability 
that PHI has been compromised based on a risk assessment of at least 
four required factors: (1) the nature and extent of the PHI involved, 
including the types of identifiers and the likelihood of re-
identification; (2) the unauthorized person who used the PHI or to whom 
the disclosure was made; (3) whether the PHI was actually acquired or 
viewed; and (4) the extent to which the risk to the PHI has been 
mitigated.\75\
---------------------------------------------------------------------------

    \75\ Ibid. para. (2).
---------------------------------------------------------------------------

    The Enforcement Rule, codified at 45 CFR part 160, subparts C, D, 
and E, includes standards and procedures relating to investigations 
into complaints about noncompliance with the HIPAA Rules, compliance 
reviews, the imposition of civil money penalties (CMPs), and procedures for hearings. The 
Enforcement Rule states generally that the Secretary will impose a CMP 
upon a covered entity or business associate if the Secretary determines 
that the covered entity or business associate violated a HIPAA 
Administrative Simplification provision.\76\ However, the Enforcement 
Rule also provides for informal resolution of potential 
noncompliance,\77\ which occurs through voluntary compliance by the 
regulated entity, corrective action, or a resolution agreement with the 
payment of a settlement amount to OCR.
---------------------------------------------------------------------------

    \76\ Criminal penalties may be imposed by the Department of 
Justice for certain violations under 42 U.S.C. 1320d-6.
    \77\ See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.
---------------------------------------------------------------------------

    The Department promulgated or modified key provisions of the HIPAA 
Rules as part of the 2013 Omnibus Final Rule, in which the Department 
implemented applicable provisions of the HITECH Act, among other 
modifications. For example, the Department strengthened privacy and 
security protections for PHI, finalized breach notification 
requirements, and enhanced enforcement by increasing potential CMPs for 
violations, including establishing tiers of penalties based on 
entities' level of culpability.\78\ The Secretary of HHS delegated 
authority to OCR to make decisions regarding the implementation and 
interpretation of the Privacy, Security, Breach Notification, and 
Enforcement Rules.\79\ \80\
---------------------------------------------------------------------------

    \78\ See 78 FR 5566 (January 25, 2013).
    \79\ See Office for Civil Rights; Statement of Delegation of 
Authority, 65 FR 82381 (December 28, 2000); Office for Civil Rights; 
Delegation of Authority, 74 FR 38630 (August 4, 2009); Statement of 
Organization, Functions and Delegations of Authority, 81 FR 95622 
(December 28, 2016).
    \80\ See 65 FR 82381 (December 28, 2000).
---------------------------------------------------------------------------

Earlier Efforts To Align Part 2 With the HIPAA Rules

    Prior to amendment by the CARES Act, section 290dd-2 provided that 
records could be disclosed only with the patient's specific written 
consent for each disclosure, with limited exceptions.\81\ The 
exceptions related to records maintained by VA or the Armed Forces and, 
for example, disclosures for continuity of care in emergency situations 
or between personnel who have a need for the information in connection 
with their duties that arise out of the provision of the diagnosis, 
treatment, or referral for treatment of patients with SUD.\82\ The 
exceptions did not include, for example, a disclosure of Part 2 records 
by a Part 2 program to a third-party medical provider to treat a 
condition other than SUD absent an emergency situation. Therefore, the 
current Part 2 implementing regulations require specific patient 
consent for most uses and disclosures of Part 2 records, including for 
non-emergency treatment purposes. In contrast, the Privacy Rule permits 
covered entities to use and disclose an individual's PHI for TPO 
without the individual's valid HIPAA authorization.\83\
---------------------------------------------------------------------------

    \81\ The limited exceptions are codified in current regulation 
at 42 CFR 2.12(c), 42 CFR part 2 subpart D, and 42 CFR 2.33(b).
    \82\ See 42 CFR 2.12(c)(3). These disclosures are limited to 
communications within a Part 2 program or between a Part 2 program 
and an entity having direct administrative control over the Part 2 
program.
    \83\ See 45 CFR 164.501.
---------------------------------------------------------------------------

    The Department has modified and clarified Part 2 several times to 
align certain provisions more closely with the Privacy Rule,\84\ 
address changes in health information technology, and provide greater 
flexibility for disclosures of patient identifying information within 
the health care system, while continuing to protect the confidentiality 
of Part 2 records.\85\ For example, the Department clarified in a 2017 
final rule that the definition of ``patient identifying information'' 
in Part 2 includes the individual identifiers listed in the Privacy 
Rule at
45 CFR 164.514(b)(2)(i) for those identifiers that are not already 
listed in the Part 2 definition.\86\
---------------------------------------------------------------------------

    \84\ See 85 FR 42986 and 83 FR 239 (January 3, 2018).
    \85\ 82 FR 6052 (January 18, 2017). See also 81 FR 6988 
(February 9, 2016).
    \86\ See 82 FR 6052, 6064.
---------------------------------------------------------------------------

    In 2018, the Department issued a final rule clarifying the 
circumstances under which lawful holders and their legal 
representatives, contractors, and subcontractors could use and disclose 
Part 2 records related to payment and health care operations in Sec.  
2.33(b) and for audit or evaluation-related purposes. The Department 
clarified that previously listed types of payment and health care 
operations uses and disclosures under the lawful holder permission in 
Sec.  2.33(b) were illustrative, and not necessarily definitive so as 
to be included in regulatory text.\87\ The Department also acknowledged 
the similarity of the list of activities to those included in the 
Privacy Rule definition of ``health care operations'' but declined to 
fully incorporate that definition into Part 2.\88\ The Department 
specifically excluded care coordination and case management from the 
list of payment and health care operations activities permitted without 
patient consent under Part 2 based on a determination that these 
activities are akin to treatment. The Department also codified in 
regulatory text language for an abbreviated notice to accompany 
disclosure of Part 2 records.\89\ Although the rule retained the 
requirement that a patient must consent before a lawful holder may 
redisclose Part 2 records for treatment,\90\ the Department explained 
that the purpose of the Part 2 regulations is to ensure that a patient 
is not made more vulnerable by reason of the availability of a 
treatment record than an individual with a SUD who chooses not to seek 
treatment. The Department simultaneously recognized the legitimate 
needs of lawful holders to obtain payment and conduct health care 
operations as long as the core protections of Part 2 are 
maintained.\91\
---------------------------------------------------------------------------

    \87\ See 83 FR 239, 241-242.
    \88\ Id. at 242.
    \89\ 83 FR 239 (January 3, 2018). See also 82 FR 5485 (January 
18, 2017).
    \90\ Id. at 242.
    \91\ Id.
---------------------------------------------------------------------------

    In a final rule published July 15, 2020,\92\ the Department 
retained the requirement that programs obtain prior written consent 
before disclosing Part 2 records in the first instance (outside of 
recognized exceptions). At the same time the Department reversed its 
previous exclusion of care coordination and case management from the 
list of payment and health care operations in Sec.  2.33(b) for which a 
lawful holder may make further disclosures to its contractors, 
subcontractors, and legal representatives.\93\ The Department based 
this change on comments received on the proposed rule in 2019 and on 
section 3221(d)(4) of the CARES Act, which incorporated the Privacy 
Rule definition of health care operations, including care coordination 
and case management activities, into paragraph (k)(4) of 42 U.S.C. 
290dd-2.\94\ The July 2020 final rule also modified the consent 
requirements in Sec.  2.31 by establishing special requirements for 
written consent \95\ when the recipient of Part 2 records is a health 
information exchange (HIE) (as defined in 45 CFR 171.102 \96\). In this 
NPRM, the Department now proposes a definition for the term 
``intermediary'' \97\ to further facilitate the exchange of Part 2 
records in new models of care, including those involving an HIE, a 
research institution providing treatment, an accountable care 
organization, or a care management organization.
---------------------------------------------------------------------------

    \92\ 85 FR 42986. See also 84 FR 44568.
    \93\ See 42 CFR 2.33(b).
    \94\ See 85 FR 42986, 43008-009. Sec. 3221(k)(4) expressed the 
Sense of Congress that the Department should exclude clause (v) of 
paragraph 6 of 45 CFR 164.501 (relating to creating de-identified 
health information or a limited data set, and fundraising for the 
benefit of the covered entity) from the definition of ``health care 
operations'' in applying the definition to these records.
    \95\ See 85 FR 42986, 43006.
    \96\ See 85 FR 42986, 43006. See also 21st Century Cures Act: 
Interoperability, Information Blocking, and the ONC Health IT 
Certification Program, 85 FR 25642 (May 1, 2020).
    \97\ See proposed 42 CFR 2.11, Definitions: Intermediary means a 
person who has received records under a general designation in a 
written patient consent to be disclosed to one or more of its member 
participants for the treatment of the patient--e.g., a health 
information exchange, a research institution that is providing 
treatment, an accountable care organization, or a care management 
organization.
---------------------------------------------------------------------------

    The Department again modified Part 2 on December 14, 2020,\98\ by 
amending the confidential communications section of Sec.  2.63(a)(2), 
which enumerated a basis for a court order authorizing the use of a 
record when ``the disclosure is necessary in connection with 
investigation or prosecution of an extremely serious crime allegedly 
committed by the patient.'' The December 2020 final rule removed the 
phrase ``allegedly committed by the patient,'' explaining that the 
phrase was included in previous rulemaking by error, and clarifying 
that a court has the authority to permit disclosure of confidential 
communications when the disclosure is necessary in connection with 
investigation or prosecution of an extremely serious crime that was 
allegedly committed by either a patient or an individual other than the 
patient.
---------------------------------------------------------------------------

    \98\ 85 FR 80626 (December 14, 2020).
---------------------------------------------------------------------------

Section 3221 of the Coronavirus Aid, Relief, and Economic Security 
(CARES) Act

    On March 27, 2020, Congress enacted the CARES Act \99\ to provide 
emergency assistance to individuals, families, and businesses affected 
by the COVID-19 pandemic. Section 3221 of the CARES Act, 
Confidentiality and Disclosure of Records Relating to Substance Use 
Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align 
federal privacy standards applicable to Part 2 records with HIPAA and 
HITECH Act privacy use and disclosure standards, breach notification 
standards, and enforcement authorities that apply to PHI, among other 
modifications.
---------------------------------------------------------------------------

    \99\ Public Law 116-136, 134 Stat. 281 (March 27, 2020). 
Significant components of section 3221 are codified at 42 U.S.C. 
290dd-2 as further detailed in this NPRM.
---------------------------------------------------------------------------

    The requirements in sections 42 U.S.C. 290dd-2(b), (c), and (f), as 
amended by section 3221 of the CARES Act, with respect to patient 
consent and redisclosures of SUD records, now align more closely with 
Privacy Rule provisions permitting uses and disclosures for TPO and 
establish certain patient rights with respect to their Part 2 records 
consistent with provisions of the HITECH Act; restrict the use and 
disclosure of Part 2 records in legal proceedings; and set civil and 
criminal penalties for violations, respectively. Section 3221 also 
amended 42 U.S.C. 290dd-2(j) and (k) by adding HITECH Act breach 
notification requirements and new terms and definitions consistent with 
the HIPAA Rules and the HITECH Act, respectively. Finally, section 3221 
requires the Department to modify the NPP \100\ requirements at 45 CFR 
164.520 so that covered entities and Part 2 programs provide notice to 
individuals regarding privacy practices related to Part 2 records, 
including patients' rights and uses and disclosures that are permitted 
or required without authorization.
---------------------------------------------------------------------------

    \100\ Section 3221(i) requires the Secretary to update 45 CFR 
164.520, the Privacy Rule requirements with respect to the NPP.
---------------------------------------------------------------------------

    Paragraph (b) of section 3221, Disclosures to Covered Entities 
Consistent with HIPAA, adds a new paragraph (1), Consent, to section 
543 of the PHSA \101\ and expands the ability of covered entities, 
business associates, and Part 2 programs to use and disclose Part 2 
records for TPO. The text of section 3221(b) adding paragraph (1)(B) to 
42 U.S.C. 290dd-2 states that once
prior written consent of the patient has been obtained, those contents 
may be used or disclosed by a covered entity, business associate, or a 
program subject to this section for the purposes of treatment, payment, 
and health care operations as permitted by the HIPAA regulations. Any 
disclosed information may then be redisclosed in accordance with the 
HIPAA regulations.
---------------------------------------------------------------------------

    \101\ Paragraph (1) is codified at 42 U.S.C. 290dd-2(b).
---------------------------------------------------------------------------

    To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a 
general written consent covering all future uses and disclosures for 
TPO ``as permitted by the HIPAA regulations,'' and expressly permits 
the redisclosure of Part 2 records received for TPO ``in accordance 
with the HIPAA regulations,'' the Department believes that this means 
that the entity receiving the records based on such general consent, 
and then redisclosing the records, must be a covered entity, business 
associate, or Part 2 program. The Department's proposals throughout 
this NPRM are premised on its reading of section 3221(b) as applying to 
redisclosures of Part 2 records by covered entities, business 
associates, and Part 2 programs, including those covered entities that 
are Part 2 programs.
    In addition to the provisions of section 3221 described above, 
paragraph (g) of section 3221, Antidiscrimination, adds a new provision 
(i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an 
individual based on their Part 2 records in: (A) admission, access to, 
or treatment for health care; (B) hiring, firing, or terms of 
employment, or receipt of worker's compensation; (C) the sale, rental, 
or continued rental of housing; (D) access to Federal, State, or local 
courts; or (E) access to or maintenance of social services and benefits 
provided or funded by Federal, State, or local governments.\102\ 
Further, the new paragraph (i)(2) prohibits discrimination by any 
recipient of Federal funds against individuals based on their Part 2 
records.\103\ As a recent legal analysis noted, ``The decision to 
protect individuals whose disclosed patient records reveal or appear to 
reveal current illegal use of drugs is also consistent with Section 
3221's specific purpose to remove well-founded fear of discrimination 
as a barrier to treatment.'' \104\ Patients with SUD who are currently 
using illegal drugs are not protected from discrimination on the basis 
of their illegal drug use under existing law of the Rehabilitation Act 
of 1973,\105\ Americans with Disabilities Act (ADA),\106\ the 
Affordable Care Act,\107\ and the Fair Housing Act.\108\ The CARES Act 
nondiscrimination provision, in conjunction with the newly applicable 
HITECH Act penalty tiers, will serve to protect the treatment records 
of all patients with SUD, whether or not they are currently using 
illicit drugs. The Department intends to implement the CARES Act 
antidiscrimination provisions in a separate rulemaking.
---------------------------------------------------------------------------

    \102\ See sec. 3221(g) of the CARES Act.
    \103\ Id.
    \104\ See Dineen, Kelly K., & Pendo, Elizabeth, ``Substance Use 
Disorder Discrimination and the CARES Act: Using Disability Law to 
Inform Part 2 Rulemaking'' (February 2, 2021) (available at https://arizonastatelawjournal.org/wp-content/uploads/2021/02/02-Dineen-_-Pendo.pdf) and Johnson, Kimberly, ``COVID-19: Isolating the Problems 
in Privacy Protection for Individuals with Substance Use Disorder'' 
(May 1, 2021) (available at https://ssrn.com/abstract=3837955). See 
also remarks of U.S. Representative Michael C. Burgess: ``Current 
[P]art 2 law does not protect individuals from discrimination based 
on their treatment records and, to this date, there have been no 
criminal actions undertaken to enforce [P]art 2.'' (available at 
https://www.congress.gov/congressional-record/2018/06/20/house-section/article/H5325-1).
    \105\ See sec. 504, Public Law 93-112, 86 Stat. 355 (September 
26, 1973) (codified at 29 U.S.C. 701, 705).
    \106\ See Public Law 101-336, 104 Stat. 327 (July 26, 1990) 
(codified at 42 U.S.C. 12101, 12210).
    \107\ See sec. 1557, Public Law 111-148, 124 Stat. 119 (March 
23, 2010) (codified at 42 U.S.C. 18001, 18116).
    \108\ See sec. 3601-19, Public Law 90-284, 82 Stat. 81 (April 
11, 1968) (codified at 42 U.S.C. 3601, 3602).
---------------------------------------------------------------------------

Section-by-Section Description of Proposed Amendments to 42 CFR Part 2

    Below, the Department describes the proposals in this NPRM to amend 
42 CFR part 2 and 45 CFR 164.520 to implement changes made to 42 U.S.C. 
290dd-2, as amended by section 3221 of the CARES Act. Some of the 
Department's proposals are not expressly required by the CARES Act, but 
are proposed to align the language of this part with that in the 
Privacy Rule and to clarify already-existing Part 2 permissions or 
restrictions. The Department believes these additional proposals fall 
within the Department's scope of regulatory authority and are necessary 
to facilitate implementation of the CARES Act. For example, 
consistently throughout this NPRM, the Department proposes to re-order 
the terms ``disclosure and use'' to ``use and disclosure'' \109\ to 
better align the language of Part 2 with the Privacy Rule which 
generally regulates the ``use and disclosure'' of PHI.\110\ The 
Department does not believe these proposed changes are substantive, but 
requests comment on this assumption. In another example, the Department 
proposes to add the term ``use'' to where only the term ``disclose'' 
exists in regulatory text, or in some cases to add the term 
``disclose'' to an existing ``use'' because it more accurately 
describes the scope of the activity that is the subject of the 
regulatory provision or could be within the scope of the activity. 
These changes are aligned with changes made to 42 U.S.C. 290dd-2 
paragraph (b)(1)(A) by section 3221(b) of the CARES Act (providing that 
Part 2 records may be used or disclosed in accordance with prior 
written consent); to 42 U.S.C. 290dd-2(b)(1)(B) and (b)(1)(C) by 
section 3221(b) of the CARES Act (providing that the contents of Part 2 
records may be used or disclosed by covered entities, business 
associates, or programs in accordance with the HIPAA Rules for TPO 
purposes); and to paragraph 42 U.S.C. 290dd-2(c) by section 3221(e) of 
the CARES Act (prohibiting disclosure and use of Part 2 records in 
proceedings against the patient). The Department describes these 
proposed additions of terms in each section of this NPRM where 
applicable.\111\ The Department requests
comment on its proposals to reorder the terms ``use'' and 
``disclosure'' as described, and to add the term ``use'' to clarify 
these regulations as described above.
---------------------------------------------------------------------------

    \109\ See e.g., proposed regulatory text at Sec. Sec.  
2.2(a)(2), (a)(3), and (b)(1), Purpose and effect; 2.12(c)(5) and 
(c)(6), Applicability; 2.13(a) and (b), Confidentiality restrictions 
and safeguards; 2.21(b), Relationship to federal statutes protecting 
research subjects against compulsory disclosure of their identity; 
2.34(b), Disclosures to prevent multiple enrollments; 2.35(d), 
Disclosures to elements of the criminal justice system which have 
referred patients; 2.53(a), (b)(1)(iii), (e)(1)(iii), (e)(6), (f), 
Management audits, financial audits, and program evaluation 
(proposed heading); subpart E, Court Orders Authorizing Use and 
Disclosure (proposed heading); 2.61(a), Legal effect of order; 2.62, 
Order not applicable to records disclosed without consent to 
researchers, auditors and evaluators; 2.65 heading, 2.65(a) and (d), 
2.65(e), (e)(1), and (e)(3), Procedures and criteria for orders 
authorizing use and disclosure of records to criminally investigate 
or prosecute patients (proposed heading); 2.66 heading, 2.66(a)(1) 
and 2.66(d), Procedures and criteria for orders authorizing use and 
disclosure of records to investigate or prosecute a part 2 program 
or the person holding the records (proposed heading).
    \110\ Consistently, the Department refers to ``uses and 
disclosures'' or ``use and disclosure'' in the Privacy Rule. See, 
e.g., 45 CFR 164.502 Uses and disclosures of protected health 
information: General rules.
    \111\ See, e.g., proposed Sec. Sec.  2.12(a)(1), (c)(3) and 
(c)(4), (d)(2), and (e)(3), Applicability; 2.13(a), Confidentiality 
restrictions and safeguards; 2.14(a) and (b), Minor patients; 
2.15(a)(2), (b)(1) and (b)(2), Patients who lack capacity and 
deceased patients; 2.20, Relationship to state laws; 2.23 Patient 
access and restrictions on use and disclosure (proposed heading) and 
2.33(b); Subpart C--Uses and Disclosures With Patient Consent 
(proposed heading); 2.31(a), (a)(1) and (2), (a)(4)(ii)(B), (a)(10), 
and (a)(10)(i) and (ii), Consent requirements; 2.33 Uses and 
disclosures permitted with written consent (proposed heading), and 
paragraphs 2.33(a), (b), (b)(1), and (b)(2); Subpart D--Uses and 
Disclosures Without Patient Consent (proposed heading); 2.53(e)(5), 
Management audits, financial audits, and program evaluation; 2.61(a) 
and (b)(1) and (b)(2), Legal Effect of order; 2.64 heading, 
Procedures and criteria for orders authorizing uses and disclosures 
for non-criminal purposes (proposed heading), and paragraphs (a) and 
(e); 2.65(a) Procedures and criteria for orders authorizing use and 
disclosure of records to criminally investigate or prosecute 
patients (proposed heading); 2.67 (d)(3), Orders authorizing the use 
of undercover agents and informants to investigate employees or 
agents of a part 2 program in connection with a criminal matter.
---------------------------------------------------------------------------

    In addition, the Department proposes changes to subpart E, Court 
Orders Authorizing Use and Disclosure, relying on both the Secretary's 
broad rulemaking authority under section 543 of the PHSA and on the 
authority granted in section 3221 of the CARES Act. The Department 
proposes to heighten protections against use or disclosure of records 
in proceedings against patients by aligning the regulatory language 
regarding the scope of proceedings to which subpart E applies with the 
amended statute to expressly include administrative and legislative 
proceedings \112\ and to expressly include testimony that relays 
information contained in records.\113\ Additionally, the Department is 
adopting the HIPAA phrasing of ``use and disclosure'' in most instances 
where only one of those terms is used in the current regulation, 
including throughout subpart E.
---------------------------------------------------------------------------

    \112\ See proposed Sec. Sec.  2.63, 2.64, 2.65.
    \113\ See proposed Sec. Sec.  2.64, 2.65, 2.66.
---------------------------------------------------------------------------

    The Department also proposes additional changes to facilitate 
compliance by investigative agencies when they seek records for 
investigations and prosecutions of Part 2 programs pursuant to 
applicable authorities. In particular, the Department proposes to limit 
liability for violations when an investigative agency unknowingly 
receives Part 2 records in the course of investigating a Part 2 program 
or person holding Part 2 records, provided the agency takes certain 
actions, and to require annual reporting to the Secretary by 
investigative agencies about the use of the proposed safe harbor. The 
Department is proposing these changes because the Department believes 
the proposals are a necessary consequence of the new enforcement 
penalties for violations of Part 2 \114\ pursuant to 42 U.S.C. 
290dd-2(f) as amended by section 3221(f) and the expanded scope of 
proceedings where a court order is required \115\ pursuant to 42 U.S.C. 
290dd-2(c) as amended by section 3221(e). In particular, the Department 
understands that investigative agencies could potentially become 
subject to the new penalties for violations in the event that they are 
unaware that a provider under investigation is subject to Part 2 and as 
a result they fail to follow the requirements of subpart E before 
obtaining the provider's records. The Department requests comment on 
these additional proposed changes.
---------------------------------------------------------------------------

    \114\ See proposed Sec.  2.3.
    \115\ E.g., Expressly including legislative and administrative 
proceedings and testimony relaying information contained in records, 
as discussed above.
---------------------------------------------------------------------------

    The Department further requests comment on all proposals described 
in the following paragraphs of this NPRM, including those expressly 
implementing CARES Act amendments to section 290dd-2, those the 
Department describes as necessary to further align this part with the 
Privacy Rule, and those proposals described as necessary to clarify the 
full scope of activities that it is regulating in this part. The 
Department also requests comment on all aspects of the Regulatory 
Impact Analysis, including the assumptions and estimates about the 
costs and benefits of the proposed changes, and the alternatives the 
Department considered when developing the proposals in this NPRM. The 
Department proposes the following amendments to this part:

A. Sec.  2.1--Statutory Authority for Confidentiality of Substance Use 
Disorder Patient Records

    The Department proposes to revise Sec.  2.1 to more closely align 
this section with the statutory text of 42 U.S.C. 290dd-2(g) and add 
references to subsection 290dd-2(b)(2)(C) related to the issuance of 
court orders authorizing disclosures of Part 2 records.

Sec.  2.2--Purpose and Effect

    Section 2.2 of 42 CFR part 2 establishes the purpose and effect of 
regulations imposed in this part upon the use and disclosure of Part 2 
records. The Department proposes to add language to paragraph (b) of 
Sec.  2.2 to conform that paragraph to changes proposed to Sec.  2.3(b) 
that would compel disclosures to the Secretary that are necessary for 
enforcement of this rule. The new language is adapted from a similar 
provision of the Privacy Rule at 45 CFR 164.502(a)(2)(ii).
    The Department also proposes to replace the phrase ``disclosure and 
use'' by re-ordering the phrase to ``use or disclosure'' at Sec. Sec.  
2.2(a), (a)(4), and 2.2(b)(1), to align the language with that used in 
the Privacy Rule.
    The Department proposes several changes in Sec.  2.2 that would 
facilitate implementation of the CARES Act in general. For example, in 
Sec. Sec.  2.2(a)(2), (a)(3), and (b)(1), the Department proposes to 
add the phrase ``uses and'' in front of the existing term ``disclose'' 
or ``disclosures.'' The Department proposes these additions in 
Sec. Sec.  2.2(a)(2) and (3), which list subparts C and D of this part, 
to conform to changes the Department proposes to the heading titles of 
subparts C and D. In those heading titles, the Department proposes to 
refer to ``Uses and Disclosures with Patient Consent'' and ``Uses and 
Disclosures without Patient Consent'' respectively.
    In Sec.  2.2(b)(1), Effect, the Department proposes to refer to 
``use and disclosure'' instead of only ``disclosure'' to better 
describe how the regulations in this part, as modified by the CARES 
Act, prohibit the ``use and disclosure'' of Part 2 records. The 
Department proposes to modify the end of Sec.  2.2(b)(1) to provide 
that the regulations generally do not require the use or 
disclosure of Part 2 records under any circumstance except when 
disclosure is required by the Secretary to investigate or determine a 
person's compliance with this part pursuant to Sec.  2.3(b), now 
proposed for modification to reflect newly required civil and criminal 
penalties for violations of this part.
    Finally, the Department proposes to add a new paragraph (b)(3) to 
Sec.  2.2 to incorporate the rules of construction in section 
3221(j)(1) and (2) of the CARES Act. Accordingly, the proposed 
paragraphs would provide that nothing in this part shall be construed 
to limit a patient's right to request restrictions on use of records 
for TPO or a covered entity's choice to obtain consent to use or 
disclose records for TPO purposes as provided in the Privacy Rule.
    In addition to the above-described proposed amendments to Sec.  
2.2, the Department proposes minor wording changes to improve 
readability or conform the use of terms to newly proposed definitions. 
These proposals are reflected in proposed regulatory text and may be 
reflected throughout this NPRM and include:
    • Inserting a parenthetical reference to ``records'' to 
reflect how the Department proposes to refer to SUD records; and
    • Striking the word ``patient'' from in front of the term 
``record''.
    The Department requests comments on all proposed changes to this 
section.

Sec.  2.3--Civil and Criminal Penalties for Violations (Proposed 
Heading)

    Section 2.3 of 42 CFR part 2 currently requires that any person who 
violates any provision of the Part 2 regulations be criminally fined in 
accordance with title 18 U.S.C. As amended by section 3221(f) of the 
CARES Act, 42 U.S.C. 290dd-2(f) applies the provisions of Sec. Sec.  
1176 and 1177 of the Social Security Act to a Part 2 program for a 
violation of 42 CFR part 2 in the same manner as they apply to a 
covered entity for a violation of part C of title XI of the Social 
Security Act. Therefore, the Department proposes to replace title 18 
criminal enforcement with civil and criminal penalties under Sec. Sec.  
1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6), 
respectively, as implemented in the Enforcement Rule.
    Specifically, the Department proposes to rename Sec.  2.3 as ``Civil 
and criminal penalties for violations'' and reorganize the section into 
paragraphs (a), (b), and (c). Proposed Sec.  2.3(a) would 
incorporate the penalty provisions of 42 U.S.C. 290dd-2(f), which apply 
the civil and criminal penalties of Sec. Sec.  1176 and 1177 of the 
Social Security Act, respectively, to violations of Part 2.
    After consultation with the Department of Justice, the Department 
proposes in Sec.  2.3(b) to create a limitation on civil or criminal 
liability for persons acting on behalf of investigative agencies when, 
in the course of investigating or prosecuting a Part 2 program or other 
person holding Part 2 records, they may unknowingly receive Part 2 
records without first obtaining the requisite court order, provided 
that specified conditions are met. Such a safe harbor, as proposed, 
would be limited to only instances where records are obtained for the 
purposes of investigating a program or person holding the record, not a 
patient. Investigative agencies are required to follow Part 2 
requirements for obtaining, using, and disclosing Part 2 records as 
part of an investigation or prosecution; such requirements include 
seeking a court order, filing protective orders, maintaining security 
for records, and ensuring that records obtained in program 
investigations are not used in legal actions against patients who are 
the subjects of the records. Investigative agencies' potential 
liability for violating Part 2 has increased due to the expanded 
application of HIPAA/HITECH Act penalties for violations, codified at 
42 U.S.C. 1320d-5 (CMPs) and 1320d-6 (criminal penalties), to 
violations of Part 2. In addition, the need for investigation and 
prosecution of bad actors has increased in accordance with the 
intensity and duration of the opioid overdose epidemic.\116\ The 
Department solicits comments on the need for investigation of Part 2 
programs and holders of Part 2 records and a related safe harbor for 
law enforcement due to proposed changes in enforcement of Part 2 
requirements.
---------------------------------------------------------------------------

    \116\ See Opioid Enforcement Effort, Department of Justice, 
Consumer Protection Branch, https://www.justice.gov/civil/consumer-protection-branch/opioid and Understanding the Epidemic, Centers for 
Disease Prevention and Control, https://www.cdc.gov/drugoverdose/epidemic/.
---------------------------------------------------------------------------

    To address concerns about potential liability for Part 2 violations 
arising from investigators who, in good faith, unknowingly receive Part 
2 records, the Department proposes at Sec.  2.3(b) to create a 
limitation on civil or criminal liability for persons acting on behalf 
of investigative agencies if they unknowingly receive Part 2 records 
without first obtaining the required court order while investigating or 
prosecuting a Part 2 program or other person holding Part 2 records (or 
their employees or agents). The limitation on liability would be 
available for uses or disclosures inconsistent with Part 2 when the 
person acted with reasonable diligence to determine in advance whether 
Part 2 applied to the records or program. Paragraph (b)(1) would also 
clarify what constitutes ``reasonable diligence'' in determining 
whether Part 2 applies to a record or program before an investigative 
agency makes an investigative demand or places an undercover agent with 
the program or person holding the records. Reasonable diligence would 
require acting within a reasonable period of time, but no more than 60 
days prior to, the request for records or placement of an undercover 
agent or informant. Reasonable diligence would include taking the 
following actions to determine whether a health care practice or 
provider (where it is reasonable to believe that the practice or 
provider provides SUD diagnostic, treatment, or referral for treatment 
services) provides such services by:
    (1) checking a prescription drug monitoring program in the state 
where the provider is located, if available and accessible to the 
agency under state law; or
    (2) checking the website or physical location of the provider.
    In addition, Sec.  2.3(b) would require an investigative agency to 
meet any other applicable requirements within Part 2 for any use or 
disclosure of the records that occurred, or will occur, after the 
investigative agency knew, or by exercising reasonable diligence would 
have known, that it received Part 2 records. The Department has added 
applicable requirements in Sec.  2.66 and Sec.  2.67, discussed below, 
and requests comment on the impact of the proposed safe harbor on 
patient privacy and access to SUD treatment.
    The proposed safe harbor could promote public safety by permitting 
government agencies to investigate or prosecute Part 2 programs and 
persons holding Part 2 records for suspected criminal activity, in good 
faith without risk of HIPAA/HITECH Act penalties. The current rule 
contains no mechanism for an investigative agency to correct an error 
if it unknowingly obtains Part 2 records and as a result fails to 
obtain the required court order in advance. By proposing a pathway for 
investigative agencies to seek the required court order after the fact 
(a pathway that is only available for agencies that have first 
exercised reasonable diligence to determine in advance whether Part 2 
applies), the proposal creates an incentive for investigative agencies 
to take steps that should reduce the need for ``after the fact'' court 
orders. Thus, investigative agencies that follow the proposed 
reasonable diligence steps and yet unknowingly receive Part 2 records 
and then seek a court order would be less likely to be denied on the 
basis of a procedural shortcoming and would not risk incurring HIPAA/
HITECH Act penalties. Investigative agencies that do not use reasonable 
diligence as proposed at Sec.  2.3(b)(1) would be precluded from 
seeking a court order to use or disclose Part 2 records that they later 
discover in their possession.
    The Department acknowledges that proposed Sec.  2.3(b) may be 
viewed as a reduction in privacy protection, but believes that the 
exclusive application to investigations and prosecution of programs and 
holders of records affords an overall benefit without harming patient 
confidentiality when the proposed additional protections in Sec. Sec.  
2.66 and 2.67 are applied.\117\ The Department has limited the proposed 
safe harbor to investigative agencies that unknowingly obtain Part 2 
records and relies on the CMP tiers to allow appropriate flexibility 
when a Part 2 program has unknowingly violated Part 2. However, the 
Department solicits comments on situations for which a safe harbor 
should be considered for SUD providers that unknowingly hold Part 2 
records and unknowingly disclose them 
in violation of Part 2. As mentioned above, the Department also 
solicits comments on the impact of this proposed safe harbor to patient 
privacy and access to SUD treatment.
---------------------------------------------------------------------------

    \117\ For example, using ``John Doe'' in the application for a 
court order and keeping records that contain patient identifying 
information under seal.
---------------------------------------------------------------------------

    The Department does not intend to modify the applicability of Sec.  
2.12 or Sec.  2.53 for investigative agencies, but to make the proposed 
safe harbor available in those situations where a court order would 
otherwise be required for a government agency to use or disclose 
records under these regulations. Thus, under Sec.  2.12(c) an agency 
with direct administrative control over a Part 2 program still would 
not be subject to the Part 2 limits on communications between the 
program and the agency for purposes of diagnosis, treatment, or 
referral of patients, although the agency is also an investigative 
agency due to its supervisory role. Similarly, the disclosure 
permission under Sec.  2.53 would continue to apply to audits and 
evaluations conducted by a health oversight agency without patient 
consent. The Department does not believe that the text of section 
3221(e) of the CARES Act indicates congressional intent to alter the 
established oversight mechanisms for Part 2 programs, including those 
that provide services reimbursed by Medicare, Medicaid, and Children's 
Health Insurance Program (CHIP).
    Proposed Sec.  2.3(c) would specify that the Enforcement Rule \118\ 
shall apply to violations of Part 2 in the same manner as it applies to 
covered entities and business associates for violations of part C of 
title XI of the Social Security Act and its implementing regulations 
with respect to PHI.\119\ The Department requests comment on the likely 
benefits and costs of these proposed changes.
---------------------------------------------------------------------------

    \118\ See 45 CFR part 160, subparts C (Compliance and 
Investigations), D (Imposition of Civil Money Penalties), and E 
(Procedures for Hearings). See also sec. 13410 of the HITECH Act 
(codified at 42 U.S.C. 17929).
    \119\ This proposal would implement the required statutory 
framework establishing that civil and criminal penalties apply to 
violations of this part, as the Secretary exercises only civil 
enforcement authority. The Department of Justice has authority to 
impose criminal penalties where applicable. See 68 FR 18895, 18896 
(April 17, 2003).
---------------------------------------------------------------------------

Sec.  2.4--Complaints of Violations (Proposed Heading)

    Paragraphs (a) and (b) of this section currently provide that 
reports of violations of the Part 2 regulations may be directed to the 
U.S. Attorney for the judicial district in which the violation occurs 
and reports of any violation by an opioid treatment program may be 
directed to the U.S. Attorney and also to the Substance Abuse and 
Mental Health Services Administration (SAMHSA). Section 290dd-2(f), as 
amended by section 3221(f) of the CARES Act, grants civil enforcement 
authority to the Department, which currently exercises its HIPAA 
enforcement authority under section 1176 of the Social Security Act in 
accordance with the Enforcement Rule. To implement the change from U.S. 
Attorney enforcement, the Department proposes to re-title the heading 
to this section, replacing ``Reports of violations'' with ``Complaints 
of violations,'' and to replace the existing provisions about directing 
reports of Part 2 violations to the U.S. Attorney's Office and to 
SAMHSA with provisions about filing complaints of potential violations 
with a Part 2 program or the Secretary. The Department notes that 
SAMHSA continues to regulate opioid treatment programs (OTPs) and may 
receive reports of alleged violations by OTPs of federal opioid 
treatment standards, including privacy and confidentiality 
requirements.
    Specifically, the Department proposes to add Sec.  2.4(a) to 
require a Part 2 program to have a process to receive complaints 
concerning the program's compliance with the Part 2 regulations. 
Proposed Sec.  2.4(b) would provide that a program may not intimidate, 
threaten, coerce, discriminate against, or take other retaliatory 
action against any patient for the exercise of any right established, 
or for participation in any process provided for, in Part 2, including 
the filing of a complaint. The Department also proposes to add Sec.  
2.4(c) to prohibit a program from requiring patients to waive their 
right to file a complaint as a condition of the provision of treatment, 
payment, enrollment, or eligibility for any program subject to Part 2.
    The proposed changes to Sec.  2.4 would align Part 2 with Privacy 
Rule provisions concerning complaints. Section 2.4(a) is consistent 
with the administrative requirements in 45 CFR 164.530(d), Standard: 
Complaints to the covered entity. Proposed Sec.  2.4(b) would align 
with the Privacy Rule provision at 45 CFR 164.530(g), Standard: 
Refraining from intimidating or retaliatory acts. The proposed Sec.  
2.4(c) would be consistent with the Privacy Rule provision at 45 CFR 
164.530(h), Standard: Waiver of rights. Thus, Part 2 programs that are 
also covered entities already have these administrative requirements in 
place, but programs that are not covered entities would need to adopt 
new policies and procedures.
    The Department requests comment on these proposed changes, 
including any concerns about potential unintended negative consequences 
on programs or patients of aligning Sec.  2.4 with the cited provisions 
of the Privacy Rule.

Sec.  2.11--Definitions

    Section 2.11 includes definitions for key regulatory terms in 42 
CFR part 2. The Department proposes to add thirteen defined regulatory 
terms and modify the definitions of ten existing terms. The proposed 
new or modified definitions would be: Breach, Business associate, 
Covered entity, Health care operations, HIPAA, HIPAA regulations, 
Informant, Intermediary, Investigative agency, Part 2 program director, 
Patient, Payment, Person, Program, Public health authority, Qualified 
service organization, Records, Third-party payer, Treating provider 
relationship, Treatment, Unsecured protected health information, 
Unsecured record, and Use. Most of these terms and definitions would be 
added or modified by referencing existing HIPAA regulatory terms in 45 
CFR parts 160 and 164, either in accordance with the adoption of such 
definitions by section 3221(d) of the CARES Act, which added paragraph 
(k) (containing definitions) to 42 U.S.C. 290dd-2, or as a logical 
outgrowth of CARES Act amendments. Several other definitions would be 
modified for clarity and consistency, as described below. The 
Department requests comment on all proposals to add new or modify 
existing definitions to this part.
    Breach. The proposed definition of 
Breach would adopt the Breach Notification Rule definition by reference 
to 45 CFR 164.402, but as applied to Part 2 records rather than to PHI. 
The Department proposes this definition to implement paragraph (k) of 
42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring 
that the term in this part be given the same meaning of the term for 
the purposes of the HIPAA regulations. Because the CARES Act requires 
Part 2 programs to comply with HITECH Act breach notification 
requirements, a Part 2 regulatory definition of breach is necessary to 
implement and enforce these requirements.
    Business associate. The Department proposes to adopt the same 
meaning of this term as is used in the HIPAA Rules. This proposal would 
implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 
3221(d) of the CARES Act, requiring the term in this part be given the 
same meaning of the term for the purposes of the HIPAA regulations.
    Covered entity. The Department proposes to adopt the same meaning 
of this term as is used in the HIPAA Rules. This proposal would 
implement the new paragraph (k) of 42 U.S.C. 290dd-
2, added by section 3221(d) of the CARES Act, requiring the term in 
this part be given the same meaning of the term for the purposes of the 
HIPAA regulations.
    Health care operations. The proposal would incorporate the HIPAA 
Privacy Rule definition for health care operations.\120\
---------------------------------------------------------------------------

    \120\ See 45 CFR 164.501 (definition of ``Health care 
operations'').
---------------------------------------------------------------------------

    HIPAA. Although not required by the CARES Act, the Department 
proposes to add a definition of HIPAA that encompasses the statutory 
and regulatory provisions pertaining to the privacy, security, breach 
notification, and enforcement standards with respect to PHI. This 
definition would exclude other components of the HIPAA statute, such as 
insurance portability, and other HIPAA regulatory standards, such as 
the standard electronic transactions regulation, which are not relevant 
to this proposed rule. The Department proposes this definition to make 
clear the specific components of the relevant statutes that would be 
incorporated into this part.
    HIPAA regulations. The current rule does not define HIPAA 
regulations. The proposed definition is based on the statutory 
definition added by the CARES Act and has the same meaning as ``HIPAA 
Rules,'' which refers to the HIPAA Privacy, Security, Breach 
Notification, and Enforcement Rules, when used in this document, OCR 
rulemaking, and OCR's guidance and other materials. For purposes of 
this rulemaking, the term does not include Standard Unique Identifiers, 
Standard Electronic Transactions, and Code Sets, 42 CFR part 162--
Administrative Requirements.
    Informant. Within the definition of ``informant,'' the Department 
proposes to replace the term ``individual'' with the term ``person'' as 
is used in the HIPAA Rules and discussed below.
    Intermediary. The current rule uses the term intermediary in Sec.  
2.13(d)(2) \121\ without providing a definition. To improve 
understanding of the requirements for intermediaries, and to 
distinguish those requirements from the proposed accounting of 
disclosure requirements, the Department proposes to establish a 
definition of intermediary.
---------------------------------------------------------------------------

    \121\ Section 2.13(d)(2) refers to the description of an 
intermediary in Sec.  2.31(a)(4)(ii)(B).
---------------------------------------------------------------------------

    Examples of an intermediary include, but are not limited to, a 
health information exchange, a research institution that is providing 
treatment, an accountable care organization, or a care management 
organization. In contrast, a research institution that is not providing 
treatment or a health app that is providing individual patients with 
access to their records would not be considered an intermediary. Member 
participants of an intermediary refers to health care provider 
practices or health-related organizations. It does not include 
individual health plan subscribers or workforce members who share 
access to the same electronic health record system.
    In the current rule, if a patient provides a written consent that 
is specific to treatment, the general designation of a recipient entity 
who is an intermediary may be used and the patient would have a right 
to obtain a list of recipients to whom the intermediary has disclosed 
their record.
    Under section 3221 of the CARES Act, a patient consent may contain 
a general designation of recipients for treatment, payment, and health 
care operations. Without regulatory clarification this could result in 
the recipients exchanging health information through an HIE/HIN or 
other means without triggering the intermediary requirements. To avoid 
this unintended consequence, the Department proposes additional changes 
to Sec.  2.31(a)(4) to ensure that intermediaries continue to be named 
whenever they are used to exchange Part 2 records.
    Under this proposal, an intermediary would be a person who has 
received records, under a general designation in a written patient 
consent, for the purpose of disclosing the records to one or more of 
its member participants who has a treating provider relationship with 
the patient. The term intermediary is based on the function of the 
person--receiving records and disclosing them to other providers as a 
key element of its role--rather than on a title or category of an 
organization or business. For example, an electronic health record 
vendor that enables entities at two different health systems to share 
records likely would be an intermediary. That same vendor would not be 
an intermediary when used by employees in different departments of a 
hospital to access the same patient's records. Where an intermediary is 
also a business associate under the HIPAA Rules, it would be subject to 
the requirements of both an intermediary and a business associate.
    The requirements for intermediaries would remain unchanged but 
would be redesignated from Sec.  2.13(d), Lists of disclosures, to new 
Sec.  2.24, Requirements for intermediaries. These proposed 
modifications are discussed separately below.
    Investigative agency. The Department proposes to create a new 
definition for ``investigative agency'' to describe those government 
agencies with responsibilities for investigating and prosecuting Part 2 
programs and persons holding Part 2 records, such that they would be 
required to comply with subpart E when seeking to use or disclose 
records against a Part 2 program or lawful holder. In conjunction with 
proposed changes to subpart E pertaining to use and disclosure of 
records by law enforcement, the Department proposes to define an 
investigative agency as ``A state or federal administrative, 
regulatory, supervisory, investigative, law enforcement, or 
prosecutorial agency having jurisdiction over the activities of a part 
2 program or other person holding part 2 records.'' By creating a 
definition of investigative agency, the Department does not intend to 
change the applicability of Sec.  2.53 or subpart E, but only to 
establish a limitation on liability for such agencies in certain 
circumstances when a court order is otherwise required by these 
regulations.
    Part 2 program director. Within the definition of ``part 2 program 
director,'' the Department proposes to replace the first instance of 
the term ``individual'' with the term ``natural person'' and the other 
instances of the term ``individual'' with the term ``person'' as used 
in the HIPAA Rules and discussed below.
    Patient. The Department proposes to add language to the existing 
definition to clarify that when the HIPAA regulations apply to Part 2 
records, a patient is an individual as that term is defined in the 
HIPAA regulations.
    Payment. The Department proposes to adopt the same definition for 
this term as in the HIPAA Rules. This proposal would implement the new 
paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the 
CARES Act, requiring the term in this part be given the same meaning of 
the term for the purposes of the HIPAA regulations.
    Person. The term ``person'' is currently defined as ``an 
individual, partnership, corporation, federal, state or local 
government agency, or any other legal entity, (also referred to as 
``individual or entity'').'' Thus, the current Part 2 regulation uses 
the term ``individual'' in reference to someone who is not the patient 
and therefore not the subject of the Part 2 record. In contrast, the 
HIPAA Rules at 45 CFR 160.103 define the term ``individual'' to refer 
to the subject of PHI, and ``person'' to refer to ``a natural person, 
trust or estate, partnership, corporation, professional association or 
corporation, or other entity, public or private.'' To further the 
alignment of Part 2 and the 
HIPAA Rules and provide clarity for programs and entities that must 
comply with both sets of requirements, the Department proposes to 
replace the Part 2 definition of ``person'' with the HIPAA definition 
in 45 CFR 160.103. As an extension of this clarification, the 
Department also proposes to replace the term ``individual'' with 
``patient'' when the regulation refers to someone who is the subject of 
Part 2 records, to use the term ``person'' when it refers to someone 
who is not the subject of the records at issue, and to modify the 
definition of ``patient'' in Part 2 to include an ``individual'' as 
that term is used in the HIPAA Rules. The Department believes that this 
combination of modifications would promote the understanding of both 
Part 2 and the HIPAA Rules and requests comment on whether this or 
other approaches would provide more clarity.
    Program. Within the definition of ``program,'' the Department 
proposes to replace the term ``individual or entity'' with the term 
``person'' as is used in the HIPAA Rules and discussed above.
    Public health authority. The Department proposes to adopt the same 
meaning for this term as in the Privacy Rule. This proposal would 
implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 
3221(d) of the CARES Act, requiring the term in this part be given the 
same meaning of the term for the purposes of the HIPAA regulations.
    Qualified service organization. The Department proposes to modify 
the definition of Qualified service organization (QSO) by adding HIPAA 
business associates to the regulatory text to clarify that they are 
QSOs in circumstances when Part 2 records also meet the definition of 
PHI (i.e., when a Part 2 program is also a covered entity). The 
Department believes this proposal would facilitate the implementation 
of the CARES Act with respect to disclosures to QSOs. The HIPAA Rules 
generally permit disclosures from a covered entity to a person who 
meets the definition of a business associate (i.e., a person who works 
on behalf of or provides services to the covered entity) \122\ without 
individual authorization, when based on a business associate agreement 
that incorporates certain protections.\123\ Similarly, the use and 
disclosure restrictions of this part do not apply to the communications 
between a Part 2 program and QSO when the information is needed by the 
QSO to provide services to the Part 2 program. This definition is 
proposed in conjunction with a proposal to modify Sec.  2.12, 
Applicability, to clarify that QSOs also use Part 2 records received 
from programs to work ``on behalf of'' the program.
---------------------------------------------------------------------------

    \122\ See 45 CFR 160.103 (definition of ``Business associate'').
    \123\ See, e.g., 45 CFR 164.504(e).
---------------------------------------------------------------------------

    The Department also proposes a wording change to replace the phrase 
``individual or entity'' with the term ``person'' as now proposed to 
comport with the HIPAA meaning of the term.
    Records. The definition of records specifies the scope of 
information that Part 2 protects. The Department proposes to remove the 
last sentence of the definition as unnecessary.\124\ In the five 
decades since the promulgation of the Part 2 regulation, health 
information technology has become widely adopted and it is evident that 
records include both paper and electronic formats. The Department does 
not intend to change the meaning or understanding of records with this 
proposed modification, but only to streamline the description.
---------------------------------------------------------------------------

    \124\ The last sentence reads ``For the purpose of the 
regulations in this part, records include both paper and electronic 
records.'' 42 CFR 2.11 (definition of ``Record'').
---------------------------------------------------------------------------

    The Department offers clarification here about how the definition 
of Part 2 records operates in relation to the HIPAA definitions of PHI, 
designated record set, and psychotherapy notes.
    These issues are most pertinent with respect to the right 
individuals have to access their records under the HIPAA Rules, as 
explained below (Part 2 does not contain a parallel patient right of 
access to records).
    Generally, the HIPAA Privacy Rule gives individuals the right to 
access all of their PHI in a designated record set.\125\ A designated 
record set is a group of records maintained by or for a covered entity 
that are a provider's medical and billing records, a health plan's 
enrollment, payment, claims adjudication, and case or medical 
management record systems, and any other records used, in whole or in 
part, by or for the covered entity to make decisions about 
individuals.\126\ A covered entity's Part 2 records usually fall into 
these categories, and thus are part of the designated record set. This 
is true when a Part 2 program is a covered entity, as well as when a 
covered entity receives Part 2 records but is not a Part 2 program. In 
the latter situation, the Part 2 records become PHI when they are 
received by or for the covered entity, and part of a designated record 
set. As such, they are subject to the Privacy Rule's right of access 
requirements.
---------------------------------------------------------------------------

    \125\ See 45 CFR 164.524.
    \126\ See 45 CFR 164.501 (definition of ``Designated record 
set'').
---------------------------------------------------------------------------

    However, the Privacy Rule right of access excludes psychotherapy 
notes.\127\ If SUD treatment is provided by a mental health 
professional that is a Part 2 program and a covered entity, and the 
provider creates notes of counseling sessions that are kept separate 
from the individual's medical record, those notes would be 
psychotherapy notes as well as Part 2 records. In this case, the 
individual would not have a Privacy Rule right of access to those 
records, but a provider may voluntarily provide access upon request by 
the individual patient. Additionally, psychotherapy notes created by a 
Part 2 program that is a covered entity could only be disclosed with a 
separate written authorization or consent.
---------------------------------------------------------------------------

    \127\ See 45 CFR 164.524(a)(1)(i); see also 45 CFR 164.501 
(definition of ``Psychotherapy notes'').
---------------------------------------------------------------------------

    The Department is considering whether to create a new definition 
similar to psychotherapy notes that is specific to the notes of SUD 
counseling sessions by a Part 2 program professional. Such notes would 
be Part 2 records, but could not be disclosed based on a general 
consent for TPO. They could only be disclosed with a separate written 
consent that is not combined with a consent to disclose any other type 
of health information. The Department solicits comments on the benefits 
and burdens of creating such additional privacy protection for SUD 
counseling notes that are maintained primarily for use by the 
originator of the notes, similar to psychotherapy notes as defined in 
the Privacy Rule. Under consideration is a definition such as this:
    SUD counseling notes means notes recorded (in any medium) by a Part 
2 program provider who is a SUD or mental health professional 
documenting or analyzing the contents of conversation during a private 
counseling session or a group, joint, or family counseling session and 
that are separated from the rest of the patient's record. SUD 
counseling notes excludes medication prescription and monitoring, 
counseling session start and stop times, the modalities and frequencies 
of treatment furnished, results of clinical tests, and any summary of 
the following items: Diagnosis, functional status, the treatment plan, 
symptoms, prognosis, and progress to date.
    As with psychotherapy notes under the Privacy Rule, the separate 
consent requirement, if adopted, would not apply to SUD counseling 
notes in the following situations:
    1. Use by the originator of the SUD counseling notes for treatment;
    2. Use or disclosure by the program for its own training programs 
in which students, trainees, or practitioners in SUD treatment learn 
under supervision to practice or improve their skills in group, joint, 
family, or individual counseling;
    3. For the program to defend itself in a legal action or other 
proceeding brought by the patient;
    4. Required for the reporting of child abuse or neglect;
    5. Required by law;
    6. Required for oversight of the originator of the SUD counseling 
notes;
    7. To a coroner or medical examiner for the purpose of identifying 
a deceased person, determining a cause of death, or other duties as 
authorized by law; or
    8. When necessary to lessen a serious and imminent threat to the 
health or safety of a person or the public and is to a person or 
persons reasonably able to prevent or lessen the threat, including the 
target of the threat.
    Third-party payer. The term third-party payer refers to an entity 
with a contractual obligation to pay for a patient's Part 2 services 
and includes some health plans, which by definition are covered 
entities. The current regulation, at Sec.  2.12, limits disclosures by 
third-party payers to a shorter list of purposes than the Privacy Rule 
allows for health plans. The Department proposes to exclude covered 
entities from the definition of third-party payer to facilitate 
implementation of 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 
3221(b) of the CARES Act, which enacted a permission for certain 
recipients of Part 2 records to redisclose them according to the HIPAA 
standards. The result of this proposed change would be that the current 
Part 2 disclosure restrictions continue to apply to a narrower set of 
entities, such as grant-funded programs. The Department believes that 
this approach would carry out the intent of the CARES Act, while 
preserving the privacy protections that apply to payers that are not 
covered entities. The Department also proposes a wording change to 
replace the phrase ``individual or entity'' with the term ``person'' as 
now proposed to comport with the HIPAA meaning of the term.
    The Department welcomes comments on the number and type of third-
party payers that would not be considered health plans.
    Treating provider relationship. The Department proposes to modify 
the Part 2 definition of ``treating provider relationship'' by 
replacing the phrase ``individual or entity'' with ``person,'' in 
accordance with the proposed changes to the definition of ``person'' 
described above.
    Treatment. The Department proposes to modify the Part 2 definition 
of ``treatment'' by adopting the Privacy Rule definition by reference. 
This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-
2, added by section 3221(d) of the CARES Act, requiring that the term 
in this part be given the same meaning of the term for the purposes of 
the HIPAA regulations. By replacing the existing language, the 
Department does not intend to change the scope of activities that 
constitute treatment. Thus, it remains true, as provided in the prior 
definition, that treatment includes the care of a patient suffering 
from an SUD, a condition which is identified as having been caused by 
the SUD, or both, in order to reduce or eliminate the adverse effects 
upon the patient.
    Unsecured protected health information. The Department proposes to 
adopt the same meaning of this term as used in the HIPAA Rules. This 
proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, 
added by section 3221(d) of the CARES Act, requiring that the term in 
this part be given the same meaning as the term for the purposes of the 
HIPAA regulations.
    Unsecured record. To align with the definition of ``unsecured 
protected health information'' at 45 CFR 164.402, the Department 
proposes to apply a similar concept to records, as defined in this 
part. Thus, an unsecured record would be one that is not rendered 
unusable, unreadable, or indecipherable to unauthorized persons through 
the use of a technology or methodology specified by the Secretary in 
the guidance issued under Public Law 111-5, 13402(h)(2).\128\ The 
Department believes this proposal is necessary to implement the newly 
required breach notification standards for Part 2 records and requests 
comment on this approach.
---------------------------------------------------------------------------

    \128\ See the Guidance to Render Unsecured Protected Health 
Information Unusable, Unreadable, or Indecipherable to Unauthorized 
Individuals at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/.
---------------------------------------------------------------------------

    Use. The Department proposes to add a definition for this term that 
is consistent with that in the HIPAA Rules at 45 CFR 160.103, and as 
the term is applied to the conduct of proceedings specified in statute 
at 42 U.S.C. 290dd-2(c). The Department believes this proposal is 
necessary to more fully align this part with the HIPAA Rules' use of the 
language ``use and disclosure'', as well as make clear, where 
applicable, that many of the activities regulated by this part involve 
not only disclosures but internal uses of Part 2 records by programs or 
recipients of Part 2 records. The Department also proposes this 
definition to make clear that in this part, the term ``use'' has a 
secondary meaning in accordance with the statutory requirements at 42 
U.S.C. 290dd-2(c) for ``use'' of records in proceedings. The Department 
discusses in greater detail the addition of the term ``use'' to 
specific provisions throughout this NPRM, and in particular, in 
connection to Sec.  2.12 below.

Sec.  2.12--Applicability

    Section 2.12 includes five provisions outlining the scope of the 
rule's requirements. Paragraph (a) of Sec.  2.12 describes which 
records are protected and describes the restrictions on use and 
disclosure of Part 2 records; paragraph (b) outlines what constitutes 
federal assistance for purposes of the regulation's applicability; 
paragraph (c) specifies exceptions for certain disclosures; paragraph 
(d) provides restrictions that apply to: (1) any recipient of Part 2 
records, and (2) third-party payers and administrators; and paragraph 
(e) details the types of records and diagnoses to which the 
restrictions in this regulation apply.
    The Department proposes to amend the Part 2 regulation in paragraph 
(c)(2) of Sec.  2.12, which excludes from Part 2 requirements certain 
interchanges of information within the Armed Forces and between the 
Armed Forces and the Department of Veterans Affairs, by replacing 
``Armed Forces'' with ``Uniformed Services.'' This change would align 
the regulatory text with the statutory language at 42 U.S.C. 290dd-
2(e). The change also would create consistency with the Department's 
proposal to expand the Privacy Rule permission for covered entities, at 
45 CFR 164.512(k), to use or disclose the PHI of Armed Services 
personnel when deemed necessary by certain military command authorities 
to all Uniformed Services, which would then include the U.S. Public 
Health Service (USPHS) and the National Oceanic and Atmospheric 
Administration (NOAA) Commissioned Corps.\129\ As the Department noted 
in that NPRM to modify the Privacy Rule, the USPHS and NOAA 
Commissioned Corps share responsibility with the Armed Services for 
certain critical missions, support military readiness and maintain 
medical fitness for deployment in response to urgent and emergency 
public health crises, and maintain fitness for deployment onto
U.S. Coast Guard manned aircraft and shipboard missions. Because this 
Part 2 proposal with respect to the Uniformed Services is consistent 
with the underlying statute, the Department does not believe the 
modification will change how SUD treatment records are treated for 
USPHS and NOAA Commissioned Corps personnel, but requests comment on 
this assumption.
---------------------------------------------------------------------------

    \129\ See proposed 45 CFR 164.512(k) at 85 FR 6446, 6487.
---------------------------------------------------------------------------

    The Department also proposes to add the term ``use'' to paragraphs 
(a)(1), (c)(3), (c)(4), and (d)(2) of this section, and the term 
``disclosure'' to paragraphs (a)(2) and (d)(1), to make clear that as 
amended by CARES Act section 3221(b), these provisions include both 
uses and disclosures that are restricted by Part 2. The Department also 
proposes to add ``use'' to the second sentence of paragraph (e)(3). 
Historically, the Part 2 regulation associated ``use'' with the 
initiation of legal proceedings against a patient and associated 
``disclosure'' with sharing records to an external entity. In contrast, 
the Privacy Rule applies the term ``use'' to refer to internal use of 
health information within an entity, such as access by staff members. 
With this understanding, a Part 2 record could be both used and 
disclosed for purposes related to the provision of health care, but 
also for purposes such as the initiation of a legal proceeding. To 
align Part 2 with the Privacy Rule, the Department proposes to adopt 
the ``use and disclosure'' terminology throughout the regulation when 
both actions could apply. The Department requests comment on this 
approach.
    The Department also proposes in paragraph (d)(1) of Sec.  2.12 to 
expand the restrictions on the use of records as evidence in criminal 
proceedings against the patient by incorporating the four prohibited 
actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act, 
and expanding the regulatory prohibition to cover civil, 
administrative, or legislative proceedings in addition to criminal 
proceedings.\130\ Absent patient consent or a court order, the proposed 
prohibitions are: (1) the introduction into evidence of a record or 
testimony in any criminal prosecution or civil action before a Federal 
or State court, (2) reliance on the record or testimony to form part of 
the record for decision or otherwise be taken into account in any 
proceeding before a Federal, State, or local agency, (3) the use of 
such record or testimony by any Federal, State, or local agency for a 
law enforcement purpose or to conduct any law enforcement 
investigation, and (4) the use of such record or testimony in any 
application for a warrant.
---------------------------------------------------------------------------

    \130\ Administrative agencies may issue subpoenas pursuant to 
their authority to investigate matters and several statutes 
authorize the use of administrative subpoenas in criminal 
investigations. For example, these may be cases involving health 
care fraud, child abuse, Secret Service protection, controlled 
substance cases, inspector general investigations, and tracking 
unregistered sex offenders. See Administrative Subpoenas in Criminal 
Investigations: A Brief Legal Analysis, EveryCRSReport.com, 
University of North Texas Libraries Government Documents Department, 
(December 19, 2012), https://www.everycrsreport.com/reports/RL33321.html.
    Legislative investigations may also be conducted in furtherance 
of the functions of Congress or state legislative bodies. See 
``What, Exactly, Does Congress Have the Authority To Investigate?'' 
Molo Lamken, LLP 2018, https://www.mololamken.com/knowledge-What-Exactly-Does-Congress-Have-the-Authority-To-Investigate#:~:text=While%20Congress%20can%20investigate%20conduct,otherwise%20initiate%20a%20criminal%20prosecution.
---------------------------------------------------------------------------

    The proposed narrowing of the definition of third-party payer in 
Sec.  2.11 would exclude covered entity health plans from the limits on 
redisclosure of Part 2 records in paragraph (d)(2) of Sec.  2.12. To 
clarify the modified scope of this paragraph, the Department proposes 
to insert qualifying language in Sec.  2.12(d)(2) to refer to third-
party payers, ``as defined in this part.'' This approach implements the 
CARES Act changes in a manner that preserves the existing redisclosure 
limitations for any third-party payers that are not covered entities. 
The Department seeks comment and data on the number and types of third-
party payers, as defined in the proposed rule, to which the 
redisclosure limitations would continue to apply. The Department 
especially seeks comment on how this provision would apply to grant-
funded programs.
    The Department proposes to conform paragraph (e)(3) of Sec.  2.12 
to 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES 
Act, by expanding the restrictions on the use of Part 2 records in 
criminal proceedings against the patient to expressly include 
disclosures of Part 2 records \131\ and to add civil and administrative 
proceedings as additional types of forums where use and disclosure of 
Part 2 records is prohibited, absent written patient consent or a court 
order. Additionally, the Department proposes to clarify the language in 
subparagraph (e)(4)(i) of Sec.  2.12, which excludes from Part 2 those 
diagnoses of SUD that are created solely to be used as evidence in a 
legal proceeding. The proposed change would narrow the exclusion to 
diagnoses of SUD made ``on behalf of and at the request of a law 
enforcement agency or official or a court of competent jurisdiction'' 
to be used as evidence ``in legal proceedings.'' The Department 
believes the proposed clarification would tighten the nexus between a 
law enforcement or judicial request for the diagnosis and the use or 
disclosure of the SUD diagnosis based on that request, and requests 
comment on this approach.
---------------------------------------------------------------------------

    \131\ The Department proposes to add ``disclosures'' to secs. 
2.17(b) and 2.67(d)(3) for the same reason.
---------------------------------------------------------------------------

    The Department proposes to substitute the term ``person'' for the 
term ``entity'' and the phrase ``individuals and entities'' in Sec.  
2.12(d)(2)(i)(B) and (C), respectively. As discussed above in relation 
to Sec.  2.11, Definitions, the Department does not intend this to be a 
substantive change, but rather an alignment with the term as it is 
defined in the Privacy Rule at 45 CFR 160.103.

Sec.  2.13--Confidentiality Restrictions and Safeguards

    The current provisions of this section apply confidentiality 
restrictions and safeguards to how Part 2 records may be ``disclosed 
and used'' in this part, and specifically provide that Part 2 records 
may not be disclosed or used in any civil, criminal, administrative, or 
legislative proceedings. The current provisions also provide that 
unconditional compliance with the part is required by programs and 
lawful holders and restrict the ability of programs to acknowledge the 
presence of patients at certain facilities.
    To more accurately describe how the regulations of this part apply 
to the activities of programs after the amendment of 42 U.S.C. 290dd-2 
by section 3221 of the CARES Act, and to align the language throughout 
this section with language in the Privacy Rule, the Department proposes 
to modify paragraphs (a) and (b) of this section by replacing the 
phrase ``disclosed or used'' with ``used or disclosed'', and in 
paragraph (a), adding the term ``use'' in front of the term 
``disclosure.'' The Department proposes to add the term ``use'' in 
paragraph (a) of this section because sections 3221(b) and (e) of the 
CARES Act amend key provisions of 42 U.S.C. 290dd-2 so that 
confidentiality restrictions and safeguards apply to both uses and 
disclosures.
    Paragraph (d) of Sec.  2.13, List of disclosures, includes a 
requirement for intermediaries to provide patients with a list of 
entities to which an intermediary, such as a health information 
exchange (HIE), has disclosed the patient's identifying information 
pursuant to a general designation. The Department proposes to remove 
Sec.  2.13(d) and redesignate the content as Sec.  2.24, change the 
heading to
Requirements for Intermediaries, and in Sec.  2.11 create a regulatory 
definition of the term ``intermediary,'' as discussed above. The 
Department's proposal to redesignate Sec.  2.13(d) as 2.24 would move 
the section toward the end of Subpart B--General Provisions, to be 
grouped with the newly proposed Sec. Sec.  2.25 and 2.26 about patient 
rights and disclosure. The Department's proposed change to the heading 
is intended to distinguish the right to a list of disclosures made by 
intermediaries from the proposed new right to an accounting of 
disclosures made by a part 2 program.
    In addition to these proposed structural changes, the Department 
also proposes wording changes to paragraphs (a) through (c) of Sec.  
2.13 to clarify who is subject to the restrictions and safeguards with 
respect to Part 2 records. The Department solicits comment on the 
extent to which Part 2 programs look to the HIPAA Security Rule as a 
guide for safeguarding Part 2 electronic records. The Department also 
requests comment on whether it should modify Part 2 to apply the same 
or similar safeguards requirements to electronic Part 2 records as the 
Security Rule applies to ePHI or whether other safeguards should be 
applied to electronic Part 2 records.

Sec.  2.14--Minor Patients

    Current Sec.  2.14 establishes the consent requirements for the 
disclosure of records of minor patients. To align the description of 
these requirements with 42 U.S.C. 290dd-2(b), as amended by section 
3221(b) of the CARES Act, and to align the language of this provision 
with the Privacy Rule, the Department proposes to add the term ``use'' 
in paragraphs (a) and (b) to clarify that requirements related to 
consent given by minor patients would apply to both uses and 
disclosures of records. For example, as amended by section 3221(b) of 
the CARES Act, 42 U.S.C. 290dd-2(b)(1)(A) and (B) require a program or 
covered entity to obtain the appropriate consent, as determined by this 
section, to use or disclose the Part 2 records of the minor, and to use 
or disclose the same records for TPO purposes in accordance with the 
Privacy Rule. Subsection (c) of this section addresses when a minor's 
application for treatment may be disclosed to the minor's parents. The 
Department proposes to change the verb ``judges'' to ``determines'' to 
describe a program director's evaluation and decision that a minor 
lacks decision making capacity that could trigger a disclosure to the 
patient's parents. This change is intended to distinguish between the 
evaluation by a program director about patient decision making capacity 
and an adjudication of incompetence made by a court, which is addressed 
in Sec.  2.15. The Department also proposes a technical edit to Sec.  
2.14(c)(1) to correct a typographical error from ``youthor'' to ``youth 
or.''
    The Department also proposes to substitute the term ``person'' for 
the term ``individual'' in Sec.  2.14(b)(1), (b)(2), (c), (c)(1), and 
(c)(2), respectively. As discussed above in relation to Sec.  2.11, 
Definitions, the Department does not intend this to be a substantive 
change, but rather an alignment with the term as it is defined in the 
Privacy Rule at 45 CFR 160.103.

Sec.  2.15--Patients Who Lack Capacity and Deceased Patients (Proposed 
Heading)

    Section 2.15 of 42 CFR part 2 addresses who may consent to a 
disclosure of records when a patient lacks capacity to make health care 
decisions or is deceased. The Department proposes to replace the 
outdated term ``incompetent'' and refer instead to patients who lack 
capacity to make health care decisions. This modification is not 
intended as a substantive change, but would replace a term that may be 
considered derogatory. The rule clearly distinguishes between 
situations involving an adjudication and those without adjudication. 
Consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) of the 
CARES Act, the Department proposes to clarify, by referring to the 
``use'' of records in addition to disclosures of records in paragraphs 
(a)(2) and (b), that confidentiality requirements related to the 
records of patients who lack the capacity to make health care decisions 
and deceased patients apply to both uses and disclosures. The 
Department also proposes to substitute the term ``person'' for the term 
``individual'' as discussed above in relation to Sec.  2.11, 
Definitions. The Department further proposes to clarify that paragraph 
(a) of this section refers to lack of capacity to make health care 
decisions as adjudicated by a court while paragraph (b) refers to lack 
of capacity to make health care decisions that is not adjudicated, and 
to add health plans to the list of entities to which a program may 
disclose records without consent to obtain payment during a period when 
the patient has an unadjudicated inability to make decisions. Finally, 
the Department proposes in paragraphs (b)(1) and (b)(2) of this section 
to clearly identify that the restriction on the ability to use or 
disclose patient identifying information applies to the Part 2 program.

Sec.  2.16--Security for Records and Notification of Breaches (Proposed 
Heading)

    Section 2.16, Security for records, currently includes a set of 
requirements for securing records. Specifically, Sec.  2.16(a) requires 
a Part 2 program or other lawful holder of patient identifying 
information to maintain formal policies and procedures to protect 
against unauthorized uses and disclosures of such information, and to 
protect the security of this information. Sections 2.16(a)(1)-(2) set 
forth minimum requirements for what these policies and procedures must 
address with respect to paper and electronic records, respectively, 
including, for example, transfers of records, maintaining records in a 
secure location, and appropriate destruction of records. Section 
2.16(a)(1)(v) requires part 2 programs to implement formal policies and 
procedures to address removing patient identifying information to 
render it non-identifiable in a manner that creates a low risk of re-
identification.
    The Department proposes to change the requirements in Sec.  2.16(a) 
to more closely align them with the Privacy Rule de-identification 
standard. Specifically, the Department proposes to modify Sec.  
2.16(a)(1)(v) (for paper records) and Sec.  2.16(a)(2)(iv) (for 
electronic records), as follows: ``Rendering patient identifying 
information de-identified in accordance with the requirements of the 
Privacy Rule at 45 CFR 164.514(b), such that there is no reasonable 
basis to believe that the information can be used to identify a patient 
as having or having had a substance use disorder.'' The Department 
requests comment on the extent to which Part 2 programs render patient 
identifying information de-identified under Sec.  2.16(a)(1)(v) and 
Sec.  2.16(a)(2)(iv) in a manner that differs from the Privacy Rule de-
identification standard, such that conforming the Part 2 requirements 
to the Privacy Rule standard would create unintended adverse 
consequences for Part 2 programs or patients. In addition, the 
Department requests comment on examples of situations in which Part 2 
programs or covered entities render Part 2 information not readily 
identifiable but the information is not de-identified in accordance 
with the Privacy Rule.
    The Department's proposals would increase the alignment of 
regulatory requirements for Part 2 with the Privacy Rule \132\ and 
Breach Notification Rule.\133\ The same public policy
objectives of the Breach Notification Rule as applied to covered 
entities would be furthered by establishing analogous requirements for 
Part 2 programs, namely: (1) greater accountability for Part 2 programs 
through requirements to maintain written policies and procedures to 
address breaches and document actions taken in response to a breach; 
(2) enhanced oversight and public awareness through notification of the 
Secretary, affected patients, and in some cases the media; (3) greater 
protection of patients through obligations to mitigate harm to affected 
patients resulting from a breach; and (4) improved measures to prevent 
future breaches as Part 2 programs timely resolve the causes of a 
breach of records.
---------------------------------------------------------------------------

    \132\ 45 CFR part 164 subparts A and E.
    \133\ 45 CFR part 164 subpart D.
---------------------------------------------------------------------------

    The Department proposes to modify the heading of Sec.  2.16 to add 
``and notification of breaches'' and add a new paragraph Sec.  2.16(b) 
to require Part 2 programs to establish and implement policies and 
procedures for notification of breaches of unsecured part 2 records, 
consistent with the requirements of 45 CFR parts 160 and 164, subpart 
D, as mandated by section 3221(h) of the CARES Act. In the event of a 
breach, Part 2 programs would be required to notify the Secretary, 
affected patients, and in some cases the media, consistent with the 
Breach Notification Rule.
    Section 2.16 applies security requirements for Part 2 records to 
both Part 2 programs and ``lawful holders.'' The term ``lawful holder'' 
is enshrined in several Part 2 regulatory provisions \134\ but not 
defined in regulation. Generally, the term refers to ``an individual or 
entity who has received such information as the result of a part 2-
compliant consent (with a prohibition on redisclosure) or as a result 
of one of the exceptions to the consent requirements in the statute or 
implementing regulations and, therefore, is bound by 42 CFR part 2.'' 
\135\
---------------------------------------------------------------------------

    \134\ See, e.g., 42 CFR 2.31, 2.33, 2.52, and 2.53.
    \135\ See 82 FR 6052, 6068. See also 81 FR 6988, 6997.
---------------------------------------------------------------------------

    However, the Department believes that the requirements of this 
section do not currently apply uniformly across all persons who receive 
Part 2 records pursuant to consent and therefore qualify as ``lawful 
holders'', such that a failure to have ``formal policies and 
procedures'' or to ``protect'' against threats would result in the 
imposition of civil or criminal penalties. The Department does not 
propose to expand the existing scope of persons who are liable for 
noncompliance with requirements that are applicable only to Part 2 
programs and lawful holders. Instead, due to the variety of persons 
that could receive Part 2 records based on a valid written Part 2 
consent, the Department would determine the extent of the duty and 
ability of a particular person to ``reasonably protect against 
unauthorized uses'' and against ``reasonably anticipated threats or 
hazards'' based on the facts and circumstances.
    The Department requests comment on its assumptions, and examples of 
persons who are lawful holders under the existing regulation, but who 
may not be appropriately held liable for compliance with the 
administrative requirements for protecting Part 2 records they have 
received (e.g., policies and procedures to protect against unauthorized 
use or disclosure) or providing breach notification, such as a 
patient's family members. The Department also requests comment on 
whether it would be helpful to create a regulatory definition of 
``lawful holder'' and what persons such definition should 
encompass.\136\
---------------------------------------------------------------------------

    \136\ For example, in the Consideration of Regulatory 
Alternatives section of this NPRM, the Department describes the 
entities it considered expressly including in a definition that 
would be codified in regulatory text, including covered entities, 
business associates, qualified service organizations, and others.
---------------------------------------------------------------------------

    The Department further requests public comment regarding the 
estimated burden of notification, potential regulatory flexibilities 
for Part 2 programs to minimize burdens during their initial 
implementation of the policies and procedures required by the breach 
notification proposal, and the characteristics of programs to which any 
suggested flexibilities should apply. In addition, the Department 
welcomes comments from Part 2 programs that are not covered entities on 
whether they look to the Security Rule generally for guidance on 
protecting electronic Part 2 records or otherwise voluntarily attempt 
to follow the requirements of the Security Rule. For any programs that 
may do so, the Department requests comment on what their experience has 
been, including any implementation costs.

Sec.  2.17--Undercover Agents and Informants

    The current provision prohibits, absent court order, a Part 2 
program from knowingly employing or enrolling a patient as an 
undercover agent and restricts the use of information obtained by an 
undercover agent in any criminal investigation against any patient. To 
fully implement 42 U.S.C. 290dd-2(c)(3), as amended by section 3221(e) 
of the CARES Act, the Department proposes to add ``or disclosed'' 
after ``used'' in this section so that the use and disclosure of Part 
2 records is prohibited by this section pursuant to the statutory 
authority.

Sec.  2.19--Disposition of Records by Discontinued Programs

    Current Sec.  2.19 requires a Part 2 program to remove patient 
identifying information or destroy the records when a program 
discontinues services or is acquired by another program, unless patient 
consent is obtained or another law requires retention of the records. 
The Department proposes to create a third exception to this general 
requirement to clarify that these provisions do not apply to transfers, 
retrocessions, and reassumptions of Part 2 programs pursuant to the 
Indian Self-Determination and Education Assistance Act (ISDEAA), in 
order to facilitate the responsibilities set forth in 25 U.S.C. 
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. Sec.  5324(e), 25 U.S.C. 5330, 
25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA 
regulations. For example, in the event the Department needs to take 
over operations of such a program on short notice, the program 
records would remain intact, permitting the Department to ensure 
continuation of services. Without this provision, program records would 
be destroyed if patient consent is unavailable at the time services are 
transferred to the Department, which could occur without sufficient 
opportunity to seek consent from all current or former patients. The 
Department also proposes wording changes to improve readability and 
modernize the regulation, such as by referring to ``non-electronic'' 
records instead of ``paper'' records, and structural changes to the 
numbering of paragraphs.

Sec.  2.20--Relationship to State Laws

    Current Sec.  2.20 establishes the relationship of state laws to 
Part 2 and provides that Part 2 does not preempt the field of law which 
it covers to the exclusion of all applicable state laws, but that no 
state law may either authorize or compel a disclosure prohibited by 
Part 2. The Department proposes to add the term ``use'' to Sec.  2.20 
to clarify that this section applies to both uses and disclosures under 
Part 2 and state law. The Department believes this proposal is 
consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) of the 
CARES Act, which imposes requirements related to the use and disclosure of 
Part 2 records.

[[Page 74235]]

    Records subject to regulation by Part 2 frequently are also subject 
to regulation by various state laws. For example, similar to Part 2, 
state laws impose restrictions to varying degree on uses and 
disclosures of records related to SUD \137\ (and often other issues 
commonly considered sensitive, such as reproductive health, HIV, or 
serious mental illness).\138\ The Department assumes that, to the 
extent state laws address SUD records, Part 2 programs generally are 
able to comply with Part 2 and state law. The Department requests 
comment on this assumption and examples of any circumstances in which a 
state law compels a use or disclosure that is prohibited by Part 2, 
such that Part 2 preempts such state law.
---------------------------------------------------------------------------

    \137\ See e.g., Mich. Comp. Laws Sec. Sec.  333.6111 (expressly 
excluding SUD records from an emergency medical service as 
restricted); and NJ Rev. Stat. Sec.  26:2B-20 (2013) (requiring 
records to be confidential except by proper judicial order whether 
connected to pending judicial proceedings or otherwise).
    \138\ See e.g., MO Rev. Stat. Sec.  191.731 (requiring SUD 
records of certain pregnant women remain confidential).
---------------------------------------------------------------------------

Sec.  2.21--Relationship to Federal Statutes Protecting Research 
Subjects Against Compulsory Disclosure of Their Identity

    The current language of Sec.  2.21 recognizes the potential for 
concurrent coverage of certain federal laws that regulate patient 
identifying information. The Department proposes to reorder 
``disclosure and use'' to read ``use and disclosure'' to better align 
the wording of this section with language used in the Privacy Rule.

Sec.  2.22--Notice to Patients of Federal Confidentiality Requirements; 
and 45 CFR 164.520--Notice of Privacy Practices for Protected Health 
Information

    Section 3221(i) of the CARES Act directs the Secretary to modify or 
``update'' the HIPAA NPP requirements at 45 CFR 164.520 \139\ to 
specify new requirements for covered entities and Part 2 programs with 
respect to Part 2 records that are PHI (i.e., records of SUD treatment 
by a Part 2 program that are transmitted or maintained by or for 
covered entities). The CARES Act notice requirements would therefore 
apply to entities that are subject to both Part 2 and HIPAA, which 
include covered entities that are Part 2 programs as well as covered 
entities that receive Part 2 records from a Part 2 program.
---------------------------------------------------------------------------

    \139\ Section 3221(i) requires the Department to consult with 
legal, clinical, privacy and civil rights experts. The Department 
has completed this consultation as part of its internal review 
process with the identified experts.
---------------------------------------------------------------------------

    The Privacy Rule, at 45 CFR 164.520, establishes an individual 
right to receive an NPP, written in plain language, providing adequate 
notice of a covered entity's privacy practices and obligations with 
respect to individuals' PHI. Health care clearinghouses, correctional 
institutions that are covered entities, and certain group health plans 
\140\ are excepted from the requirement, but other covered health plans 
and covered health care providers that maintain a direct treatment 
relationship \141\ with an individual must provide the individual with 
adequate notice about how the covered entity may use and disclose the 
individual's PHI, as well as the individual's rights and the covered 
entity's obligations with respect to the individual's PHI.
---------------------------------------------------------------------------

    \140\ See 45 CFR 164.520(a)(2) and (a)(3).
    \141\ See 45 CFR 164.501 (definitions of ``Direct treatment 
relationship'' and ``Indirect treatment relationship'').
---------------------------------------------------------------------------

    To implement section 3221(i)(2) of the CARES Act, the Department 
proposes to modify both the Patient Notice requirements at Sec.  2.22 
and the NPP requirements at 45 CFR 164.520 to provide notice 
requirements for all Part 2 records. While the CARES Act only expressly 
requires the modification of the NPP requirements at 45 CFR 164.520, 
the Department proposes to also modify the Part 2 Patient Notice at 
Sec.  2.22 to align more closely with the NPP requirements. The 
proposal to modify Sec.  2.22 would ensure that patients of Part 2 
programs that are not covered by HIPAA are afforded as much notice and 
transparency as is provided to individuals in the NPP. Accordingly, the 
Department proposes to modify Sec.  2.22 pursuant to the Secretary's 
authority under 42 U.S.C. 290dd-2(g) to prescribe regulations to carry 
out the purposes of that section.
    The Department also believes there is a statutory mandate to modify 
the NPP requirements for some HIPAA covered entities that are not Part 
2 programs, namely, those covered entities that receive and maintain 
Part 2 records, and thus are obligated to comply with certain Part 2 
requirements with respect to such records. Covered entities that 
receive and maintain Part 2 records would need to add a provision to 
their NPP that references the restrictions on use and disclosure of 
Part 2 records in civil, criminal, administrative, and legislative 
proceedings against the individual. The current NPP requirements would 
continue to apply, without change, to covered entities that do not 
receive or maintain Part 2 records. The proposed changes to Sec.  2.22, 
notice of federal confidentiality requirements, for Part 2 programs 
that are not covered entities, followed by proposed changes to 45 CFR 
164.520 for covered entities that are dually subject to HIPAA and Part 
2, and for other covered entities that receive and maintain Part 2 
records, are described below.
    Consistent with the requirements of section 3221(i)(2) of the CARES 
Act, the Department proposes to revise the Patient Notice at Sec.  2.22 
of this part, and to update NPP requirements using plain language that 
is easily understandable and parallel to changes proposed in the NPRM 
modifying the Privacy Rule published on January 21, 2021.\142\ The 
Department specifically requests comment from legal, clinical, privacy, 
and civil rights experts on whether the below proposals achieve this 
goal.
---------------------------------------------------------------------------

    \142\ See Proposed Modifications to the HIPAA Privacy Rule to 
Support, and Remove Barriers to, Coordinated Care and Individual 
Engagement, 86 FR 6446.
---------------------------------------------------------------------------

1. Modifying the Sec.  2.22 Patient Notice
    Because the HIPAA Rules and Part 2 cover different, but often 
overlapping, sets of regulated entities, and because the NPP currently 
offers more robust notice requirements than the Patient Notice, the 
Department proposes to modify Sec.  2.22 to provide the same 
information to individuals under the Privacy Rule as to patients of 
Part 2 programs. The Department's proposed modifications to the Patient 
Notice would also restructure it to substantially mirror the structure 
of the NPP. As discussed below, instead of the Patient Notice 
containing elements described as a ``summary'' of the federal law that 
applies to protect Part 2 records, the Patient Notice would address the 
same key elements of the HIPAA NPP such as a required Header, Uses and 
Disclosures, Individual Rights, and Duties of Part 2 Programs. As 
further discussed below, the Department proposes to add to the Patient 
Notice key features of the NPP, such as explaining to patients that 
they may file a complaint when they believe their privacy rights have 
been violated, and that they have the right to revoke their consent for 
Part 2 programs to disclose records in certain circumstances. The 
Department believes this approach would best implement the intent of 
Congress to apply NPP protections to these records and requests comment 
on this approach, including any burdens associated with this approach.
    Part 2 programs should be mindful that federal civil rights laws 
require certain entities, including recipients of federal financial 
assistance and public

[[Page 74236]]

entities, to take appropriate steps to ensure that communications with 
individuals with disabilities are as effective as communications with 
others, including by providing appropriate auxiliary aids and services 
where necessary.\143\ In addition, recipients of federal financial 
assistance must take reasonable steps to ensure meaningful access to 
their programs and activities for individuals with limited English 
proficiency, including through language assistance services when 
necessary.\144\
---------------------------------------------------------------------------

    \143\ See 45 CFR 92.102 (Section 1557 of the Affordable Care 
Act); 45 CFR 84.4(b), 84.52(a), (c), (d) (Section 504 of the 
Rehabilitation Act of 1973); 28 CFR 35.160(a)-(b) (Title II of the 
Americans with Disabilities Act).
    \144\ See 45 CFR 92.101 (Section 1557 of the Affordable Care 
Act); 45 CFR 80.3(b) (Title VI of the Civil Rights Act of 1964).
---------------------------------------------------------------------------

    Section 2.22, Notice to patients of federal confidentiality 
requirements, requires a Part 2 program, at the time of admitting a 
patient to the program,\145\ to give written notice of and summarize 
the federal law and regulations that protect the confidentiality of SUD 
records. Section 2.22(b) requires that the notice include five 
elements: (1) a general description of the limited circumstances in 
which a Part 2 program may share information that would identify the 
patient as having or having had a SUD; (2) a statement informing the 
patient that violation of the federal law and regulations is a crime 
and contact information for the appropriate authorities; (3) a 
statement that information related to a patient's commission of a crime 
on the premises is not protected as confidential; (4) a statement that 
reports of suspected child abuse and neglect made under state law to 
appropriate state or local authorities are not protected; and (5) a 
citation to the federal law and regulations. Finally, Sec.  2.22 gives 
the option to a Part 2 program to include information about applicable 
state law and its own local policies. Although Sec.  2.22 does not 
expressly apply to covered entities and PHI, any covered entity that 
uses or discloses Part 2 SUD records would be subject to the notice 
requirements of Sec.  2.22 in addition to the NPP requirements in 45 
CFR 164.520. Conversely, Part 2 programs that are not covered entities 
and not subject to HIPAA would only be obligated to comply with Sec.  
2.22.
---------------------------------------------------------------------------

    \145\ In the event a patient lacks capacity at the time of 
admission, 42 CFR 2.22(a) alternatively requires that such notice be 
given as soon as the patient attains capacity.
---------------------------------------------------------------------------

    The Department proposes to modify Sec.  2.22 by incorporating most 
of the notice requirements in the HIPAA NPP at 45 CFR 164.520, and then 
excluding those that are non-applicable or pose special privacy risks, 
and separately addressing certain provisions that have special 
requirements or differences between application to covered entities and 
part 2 programs as specified in 42 U.S.C. 290dd-2, as amended by the 
CARES Act. The Department proposes the following with respect to the 
Patient Notice at Sec.  2.22.
    Header. The Department proposes to require Part 2 programs to 
include a header in the Patient Notice. The header would be nearly 
identical to the header required in the NPP (and as proposed for 
amendment above) at 45 CFR 164.520(b)(1)(i) \146\ except where 
necessary to distinguish components of the notice not applicable to 42 
CFR part 2. For example, the Patient Notice that would be provided 
pursuant to this part would not include notice that patients could 
exercise the right to get copies of records at limited costs or in some 
cases, free of charge, nor would it provide notice that patients could 
inspect or get copies of records under HIPAA.
---------------------------------------------------------------------------

    \146\ The Department proposed to modify the NPP header in a 
separate Privacy Rule NPRM, as described at 86 FR 6446, 6485. The 
proposed regulatory text herein reflects the changes proposed in the 
earlier NPRM, as well as new proposed changes.
---------------------------------------------------------------------------

    Uses and Disclosures. The Department proposes to require a Part 2 
program to include in the Patient Notice descriptions of uses and 
disclosures that are permitted for TPO, permitted without written 
consent, or will only be made with written consent. Consistent with the 
current set of NPP requirements for covered entities, the Department 
proposes to add a requirement that a covered entity that creates or 
maintains Part 2 records include sufficient detail in its Patient 
Notice to place the patient on notice of the uses and disclosures that 
are permitted or required. Although the Department believes section 
3221(k)(4) of the CARES Act--stating that certain de-identification and 
fundraising activities should be excluded from the definition of health 
care operations--has no legal effect as a Sense of Congress, the 
Department believes it prudent to propose new Sec.  2.22(b)(1)(iii). 
This proposal would require that a program provide notice to patients 
that the program must obtain written consent before it may use or 
disclose records for fundraising on behalf of the program. This new 
notice requirement is consistent with a newly proposed consent 
requirement at Sec.  2.31(a)(5) in which a program must obtain a 
patient's permission for such uses and disclosures.
    Before proposing the approach above, the Department first 
considered whether to propose a consent requirement for both de-
identification and fundraising and whether to structure it as an opt-in 
or an opt-out. The Department believes that an opt-in requirement would 
afford patients a greater amount of control over their records and best 
fulfill patients' expectations about how their Part 2 information would 
be protected. However, the Department believes that requiring patient 
consent for de-identification activities would be inconsistent with the 
new permission to disclose de-identified information for public health 
purposes as provided in section 3221(c) of the CARES Act. Such a 
requirement also would create a barrier to de-identification that may 
negatively affect patient privacy by increasing permissible but 
unnecessary uses and disclosures of identifiable Part 2 records in 
circumstances when de-identified records would serve the intended 
purpose. As noted above, the Department believes uses and disclosures 
for fundraising warrant this added privacy protection, consistent with 
congressional intent as expressed in the Sense of Congress.
    Individual Rights. The Department proposes to require that a Part 2 
program include in the Patient Notice statements of patients' rights 
with respect to Part 2 records. The structure would mirror the 
statements of rights required in the NPP for covered entities and PHI 
but, based on amended 42 U.S.C. 290dd-2, would include:
    • Right to request restrictions of disclosures made with 
prior consent for purposes of TPO, as provided in 42 U.S.C. 290dd-
2(b)(1)(C) and when a Part 2 program must agree to a request.
    • Right to request and obtain restrictions of disclosures of 
Part 2 records to the patient's health plan for those services for 
which the patient has paid in full, in the same manner as 45 CFR 
164.522 applies to restrictions of disclosures of PHI.
    • Right to an accounting of disclosures of electronic Part 2 
records for the past 3 years, as provided in 42 U.S.C. 290dd-2(b)(1)(B) 
and right to an accounting of disclosures of Part 2 records that 
mirrors the right in the Privacy Rule at 45 CFR 164.528.
    • Right to obtain an electronic or non-electronic copy of 
the notice from the program upon request.
    • Right to discuss the notice with a designated contact 
person identified by the program pursuant to paragraph 45 CFR 
164.520(b)(1)(vii).
    Part 2 program's duties. The Department proposes to incorporate 
into the Patient Notice statements describing

[[Page 74237]]

the duties of Part 2 programs with respect to Part 2 records that 
parallel the statements of duties of covered entities required in the 
NPP with respect to PHI. Although this change is not required by 42 
U.S.C. 290dd-2, the statement of duties would put patients on notice of 
the obligations of Part 2 programs to maintain the privacy and security 
of Part 2 records, abide by the terms of the Patient Notice, and inform 
patients that it may change the terms of a Patient Notice. The Patient 
Notice also would include a statement of the new duty under 42 U.S.C. 
290dd-2(j) to notify affected patients following a breach of Part 2 
records.
    Complaints. The Department proposes to require that a Part 2 
program inform patients, in the Patient Notice, that the patients may 
complain to the Part 2 program and Secretary when they believe their 
privacy rights have been violated, as well as a brief description of 
how the patient may file the complaint and a statement that the patient 
will not be retaliated against for filing a complaint. These statements 
would support the implementation of the CARES Act enforcement 
provisions, which apply the civil enforcement provisions of section 
1176 of the Social Security Act to violations of 42 U.S.C. 290dd-
2.\147\
---------------------------------------------------------------------------

    \147\ See 42 U.S.C. 290dd-2(f) and 42 U.S.C. 1320d-5.
---------------------------------------------------------------------------

    Contact and Effective Date. The Department proposes to require that 
the Patient Notice provide the name or title, telephone number, and 
email address of a person a patient may contact for further information 
about the Part 2 Notice, and information about the date the Patient 
Notice takes effect. These provisions would parallel requirements for 
the NPP.
    Optional Elements. The Department proposes to incorporate into the 
Patient Notice the optional elements of an NPP, which a Part 2 program 
could include in its Patient Notice. This provision permits a program 
that elects to place more limits on its uses or disclosures than 
required by Part 2 to describe its more limited uses or disclosures in 
its notice, provided that the program may not include in its notice a 
limitation affecting its ability to make a use or disclosure that is 
required by law or permitted to be made for emergency treatment.
    Revisions to the Patient Notice. The Department proposes to require 
that a Part 2 program must promptly revise and distribute its Patient 
Notice when there has been a material change and provide that, except 
when required by law, such material change may not be implemented prior 
to the effective date of the Patient Notice. These provisions would 
parallel requirements for the NPP.
    Implementation Specifications. The Department proposes to require 
that a Part 2 program provide the Patient Notice to anyone who requests 
it and provide it to a patient not later than the date of the first 
service delivery, including where first service is delivered 
electronically, after the compliance date for the Patient Notice. This 
provision also would require that the Patient Notice be provided as 
soon as reasonably practicable after emergency treatment. Finally, if 
the Part 2 program has a physical delivery site, the Patient Notice 
would have to be posted in a clear and prominent location at the 
delivery site where a patient would be able to read the notice in a 
manner that does not identify the patient as receiving SUD treatment, 
and the Patient Notice would need to be included on a program's 
website, if it has one. These provisions would parallel the 
requirements for provision of the NPP by covered health care 
providers.\148\
---------------------------------------------------------------------------

    \148\ See 45 CFR 164.520(c)(2)(i)(A), (c)(2)(i)(B), 
(c)(2)(iii)(B). See also proposed amendments to this section in the 
NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, 
Coordinated Care and Individual Engagement, 86 FR 6446.
---------------------------------------------------------------------------

    The Department requests comment on each Patient Notice proposal, 
including information on how incorporating NPP elements into the 
Patient Notice requirements would increase or alleviate burdens for 
Part 2 programs.
2. Modifying 45 CFR 164.520
    Applying the NPP requirements to certain entities. Section 
3221(i)(2) of the CARES Act requires the Department to update the NPP 
to provide notice of privacy practices with respect to Part 2 records 
being created or maintained by ``covered entities and entities creating 
or maintaining the records described in subsection (a)'' (referring to 
section 543(a) of the PHSA, 42 U.S.C. 290dd-2(a), specifying and 
defining Part 2 records). The Department proposes all of the following 
changes to 45 CFR 164.520 to update it in accordance with the CARES Act 
and to ensure adequate notice is given to patients who are the subject 
of these records.
    The Department proposes to modify 45 CFR 164.520(a) by adding a new 
paragraph (2) to expressly apply the NPP provisions to covered entities 
using and disclosing Part 2 records. The proposed change would further 
align the Patient Notice requirements for Part 2 records with NPP 
requirements with respect to PHI.
    The Department also proposes to remove paragraph (3) of 45 CFR 
164.520(a), Exception for inmates. The Department no longer believes it 
is appropriate to withhold notice from an incarcerated individual with 
respect to their health information privacy rights and a covered 
entity's practices. When the Department finalized the exception, it 
stated ``[n]o person, including a current or former inmate, has the 
right to notice of such a covered entity's privacy practices'' seeming 
to distinguish correctional facilities that are covered entities from 
other covered entities. The Department is unable to discern a safety or 
security risk associated with providing inmates notice concerning the 
covered entity correctional institute's privacy practices for PHI. This 
proposal would ensure that regulated entities provide an NPP to inmates 
consistent with what is provided to other individuals and retains the 
limitation on the right of access due to security concerns.
    Content of Notice requirements apply to all covered entities, 
including those that are also subject to Part 2. The Department 
proposes to amend the required Header at 45 CFR 164.520(b)(1) to 
specifically reference covered entities maintaining or receiving Part 2 
records. In addition, the proposed regulatory text at 45 CFR 
164.520(b)(1)(i) reflects the changes to 45 CFR 164.520 previously 
proposed in the NPRM to Modify the Privacy Rule to Support, and Remove 
Barriers to, Coordinated Care and Individual Engagement, published in 
2021.\149\ Further, in 45 CFR 164.520(b)(1)(i) and in Sec.  2.22, the 
Department proposes to change the word ``Medical'' to ``Health'' to 
refer to the type of information covered by the NPP. This change is not 
intended to modify substantive requirements, but instead is proposed to 
more accurately reflect and clarify that the information covered by the 
notice is not limited to the information a covered entity places in an 
individual's medical record.
---------------------------------------------------------------------------

    \149\ See 86 FR 6446.
---------------------------------------------------------------------------

    Description of Uses and Disclosures. Section 3221(i)(2)(B) of the 
CARES Act requires the updated NPP for Part 2 records to include 
descriptions for every purpose for which the covered entity is 
permitted or required to use or disclose PHI without the patient's 
written authorization, ``as required by subsection (b)(2) of such 
section 164.520.'' However, 45 CFR 164.520(b)(2) sets out optional 
elements for the NPP and does not address uses or disclosures that are 
permitted or required without the individual's authorization. 
Therefore, the

[[Page 74238]]

Department believes that the drafters of the CARES Act provision 
intended to refer instead to 45 CFR 164.520(b)(1)(ii), which requires 
that the NPP include descriptions of Uses and Disclosures, including a 
description of each use or disclosure that is permitted or required 
without the individual's written authorization.\150\
---------------------------------------------------------------------------

    \150\ See 45 CFR 164.520(b)(ii)(A)-(D).
---------------------------------------------------------------------------

    The Department proposes to add to the description in 45 CFR 
164.520(b)(1)(ii)(C) and (D) the language ``such as 42 CFR part 2'' to 
ensure that covered entities understand their specific obligation to 
address restrictions placed on the use and disclosure of Part 2 
records.
    Section 164.520(b)(1)(iii) includes requirements for Separate 
statements for certain uses or disclosures. In the introductory 
paragraph of this sub-section, the Department proposes to add ``or 
(B)'' to include sub-paragraph (B) in the list of descriptions that 
require a separate statement to describe TPO uses and disclosures under 
45 CFR 164.520(b)(1)(ii)(A) or those made without authorization under 
45 CFR 164.520(b)(1)(ii)(B). The Department also proposes to add new 
sub-paragraph (D) providing notice that Part 2 records or testimony 
relaying the content of such records shall not be used or disclosed in 
certain proceedings against the individual without written consent or 
court order, and new sub-paragraph (E) providing notice that if a 
covered entity that is a Part 2 program intends to engage in activities 
addressed in the Sense of Congress in section 3221(k)(4) of the CARES 
Act,\151\ the program must first obtain the patient's express written 
consent. This provision would support the implementation of 42 U.S.C. 
290dd-2(c).
---------------------------------------------------------------------------

    \151\ Section 3221(k)(4) expresses the Sense of Congress that 
creating de-identified health information, a limited data set, and 
fundraising for the benefit of a covered entity should be excluded 
from the definition of health care operations as applied to the use 
and disclosure of Part 2 records.
---------------------------------------------------------------------------

    Statement of Rights. Section 3221(i)(2)(A) of the CARES Act 
requires the NPP for Part 2 records to include a statement of the 
patient's rights with respect to PHI and how the individual may 
exercise such rights as required by 45 CFR 164.520(b)(1)(iv). The 
statement must address the rights of patients who self-pay (i.e., cash 
or other payment not billed to a third-party payer or health plan).
    Current 45 CFR 164.520(b)(1)(iv) requires a covered entity to 
include in its NPP a statement of an individual's rights with respect 
to PHI. To implement the CARES Act requirements related to a Statement 
of Rights, the Department proposes to revise 45 CFR 
164.520(b)(1)(iv)(C), to require a covered entity, when providing 
notice about the right of access, to include notice about the right to 
inspect and obtain a copy of PHI, the right to do so at limited cost or 
free of charge, and the right to direct a covered health care provider 
to transmit an electronic copy of PHI in an electronic health record to 
a third party. The Department also proposes to add a new Sec.  
164.520(b)(1)(iv)(G) to require a covered entity to provide notice of 
the right to discuss the NPP with a designated contact person 
identified by the covered entity. These changes are made to reflect the 
changes to the NPP provisions proposed by the Department in the NPRM to 
Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated 
Care and Individual Engagement.\152\
---------------------------------------------------------------------------

    \152\ See 86 FR 6446.
---------------------------------------------------------------------------

    Covered entity's duties. The Department proposes, at 45 CFR 
164.520(b)(1)(v)(A), to remove the second reference to ``protected 
health information'' to expand the requirement that a covered entity 
provide individuals with notice of the covered entity's legal duties 
and privacy practices to information beyond that of PHI (i.e., to Part 
2 records). The Department proposes to modify 45 CFR 
164.520(b)(1)(v)(C), a provision that addresses a covered entity's 
right to change the terms of its NPP, to simplify the text, remove the 
reference to the administrative requirements of the Privacy Rule (i.e., 
so that it also applies to Part 2), and insert a limitation that any 
new terms must not be material or contrary to law.
    Other proposed updates to the NPP. The Department proposes other 
changes to conform the NPP requirements at 45 CFR 164.520 to changes 
required by the CARES Act. For example, the Department proposes to 
modify 45 CFR 164.520(b)(1)(iii) to address the Sense of Congress 
expressed at 42 U.S.C. 290dd-2(k)(4). Although the Sense of Congress 
does not give legal effect to the exclusion of fundraising and the 
creation of de-identified health information and limited data sets as 
permissible disclosures under ``health care operations'', the 
Department believes that fundraising is far enough outside an 
individual's reasonable expectation of how their Part 2 records will be 
used or disclosed that entities should obtain written consent. This 
means that the NPP provision at 45 CFR 164.520(b)(1)(iii) would still 
give notice to individuals that a covered entity may use or disclose 
the individual's PHI for fundraising with an option to opt out of such 
communications. However, in the case of a covered entity that is also a 
Part 2 program, it would also provide notice that a covered entity may 
use or disclose the individual's Part 2 records for fundraising on 
behalf of the covered entity only with the written consent of the 
individual. The Department also proposes to incorporate changes 
proposed to the NPP requirements in the NPRM to Modify the Privacy Rule 
to Support, and Remove Barriers to, Coordinated Care and Individual 
Engagement.\153\ These proposals include adding a requirement, at 45 
CFR 164.520(b)(1)(vii), that a covered entity's NPP include the email 
address for a designated person who would be available to answer 
questions about the covered entity's privacy practices; adding a 
permission for a covered entity to provide information, in its NPP, 
concerning the right to direct copies of PHI to third parties when the 
PHI is not in an EHR and the ability to request the transmission using 
an authorization; and removing the existing requirement for a covered 
entity to obtain a written acknowledgement of receipt of the NPP. 
Finally, the Department proposes a new paragraph at 45 CFR 
164.520(d)(4) to prohibit construing the permissions for OHCAs to 
disclose PHI between participants as negating obligations related to 
Part 2 records.
---------------------------------------------------------------------------

    \153\ Id.
---------------------------------------------------------------------------

    The Department is mindful of the compliance burden imposed on all 
entities due to NPP requirements. The Department carefully considered 
how to accomplish the CARES Act mandate to update the NPP and believes 
that the proposed changes to 45 CFR 164.520 implement the statutory 
requirement to inform individuals in a manner that places the least 
burden on regulated entities. The Department requests comment on this 
assumption.

Sec.  2.23--Patient Access and Restrictions on Use and Disclosure 
(Proposed Heading)

    The Department proposes to add the term ``disclosure'' to the 
heading of this section and throughout paragraphs (a) and (b) to 
clarify that a patient is not required to provide written consent or 
authorization in order to access their own Part 2 records. The 
Department proposes additional wording changes to this section to 
improve readability and to replace the word ``information'' with 
``records,'' which more accurately describes the scope of the 
information to which the regulation applies.

Sec.  2.24--Requirements for Intermediaries (Redesignated and Proposed 
Heading)

    Under Sec.  2.13(d), a patient has a right to request a list of 
disclosures made by an intermediary; the intermediary must provide the 
patient with information regarding disclosures made within the past two 
years. As described above in Sec. Sec.  2.11 Definitions and 2.13 
Confidentiality restrictions and safeguards, the Department proposes to 
remove paragraph (d) of Sec.  2.13 and redesignate it as Sec.  2.24; 
change the subheading from Lists of disclosures to a heading titled 
Requirements for intermediaries; and in Sec.  2.11 create a regulatory 
definition of the term ``intermediary''. The Department proposes 
modifications to clarify the newly designated Sec.  2.24 without 
intending to change the obligations of intermediaries, other than the 
time period covered by the list of disclosures.
    Specifically, the Department proposes to replace the description of 
intermediaries with a new regulatory definition and to move the 
statement of responsibility for complying with the applicable 
requirements from the end of the provision to the beginning. The intent 
is to clarify what types of entities would be considered 
intermediaries--e.g., HIEs, research institutions, accountable care 
organizations, and care management organizations--and their 
responsibilities for providing patients with a list of disclosures made 
to member or participant treating providers. An intermediary may be a 
business associate when a Part 2 program is also a covered entity under 
HIPAA; in such situations, the intermediary would be subject to 
requirements of intermediaries as well as those for business 
associates. The Department proposes to extend the period covered by a 
list of disclosures from two years to three years to align with the new 
right to an accounting of disclosures as proposed in Sec.  2.25(b) for 
disclosures made for purposes of treatment, payment, and health care 
operations, discussed below. The Department also proposes modifications 
to the redesignated section to improve clarity and understanding 
without intending any substantive change.

Sec.  2.25--Accounting of Disclosures (Proposed Heading)

    Except for disclosures made by intermediaries, the existing Part 2 
regulation does not include a right for patients to obtain an 
accounting of disclosures of Part 2 records.\154\ Section 290dd-
2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES 
Act, applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c), 
Accounting of Certain Protected Health Information Disclosures Required 
if Covered Entity Uses Electronic Health Record, to Part 2 disclosures 
for TPO with prior written consent. Therefore, the Department proposes 
to add a new Sec.  2.25, Accounting of disclosures, to establish the 
patient's right to receive, upon request, an accounting of disclosures 
of Part 2 records made with written consent for up to three years prior 
to the date the accounting is requested.
---------------------------------------------------------------------------

    \154\ 42 CFR 2.13(d) (specifying List of Disclosures requirement 
applicable to intermediaries).
---------------------------------------------------------------------------

    This proposal would apply to the individual right to an accounting 
of disclosures in the HITECH Act.\155\ The first paragraph of the 
section, (a), would generally require an accounting of disclosures made 
with patient consent, and the second paragraph, (b), would limit the 
requirement with respect to disclosures made with consent for TPO 
purposes, which would only be required for TPO disclosures made from an 
electronic health record system. In both instances, the proposed 
changes would be contingent on the promulgation of HITECH Act 
modifications to the accounting of disclosures standard in the Privacy 
Rule at 42 CFR 164.528.\156\
---------------------------------------------------------------------------

    \155\ OCR published an NPRM to implement this HITECH Act 
provision in 2011 but did not finalize it because of concerns raised 
by public comments. OCR announced its intention to withdraw the 2011 
NPRM and requested public input on new questions to help OCR 
implement the HITECH Act requirement as part of the 2018 HIPAA Rules 
RFI. See 83 FR 64302, 64307 (December 14, 2018). A final HIPAA rule 
on the accounting of disclosures that would apply to TPO disclosures 
by covered entities has not been issued.
    \156\ See also sec. 13405(c) of the HITECH Act (codified at 42 
U.S.C. 17935(c)). Since the HITECH Act requirement for accounting of 
disclosures was enacted in 2009, the Department published a Request 
for Information (RFI) at 75 FR 23214 (May 3, 2010) and an NPRM at 76 
FR 31426 (May 31, 2011). Based in part on public comment on the RFI, 
the Department proposed to provide individuals with an ``access 
report'' as a means of fulfilling the requirement. Based on feedback 
to the NPRM in which commenters overwhelmingly opposed the report as 
``unworkable,'' the Department, in a follow up RFI published at 83 
FR 64302 (December 14, 2018), explained its intent to withdraw the 
proposal of the 2011 NPRM. The Department received additional public 
comment about implementing sec. 13405(c) and has recently published, 
in the Spring 2021 Regulatory Unified Agenda, an intent to publish a 
second RFI seeking further comment on this HITECH Act section, 
https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202104&RIN=0945-AA04.
---------------------------------------------------------------------------

    The Department believes this approach is consistent with section 
3221(b) of the CARES Act, 42 U.S.C. 290dd-2(b)(1)(B), as amended. The 
Department notes that the CARES Act applied the HITECH Act timelines 
and structure for accounting of disclosures to ``all disclosures'' and 
not just those disclosures of PHI contained in an EHR. From a policy 
perspective, the Department believes it is appropriate to apply the 
regulatory framework to all accountings.
    Because the Department has not yet finalized the HITECH Act 
accounting of disclosures modifications within the Privacy Rule, the 
Department does not intend to apply requirements similar to 45 CFR 
164.528 before finalizing the Privacy Rule provision. The Department 
seeks comment on this approach to aligning the accounting of 
disclosures requirements of the Privacy Rule and Part 2 by 
incorporating a general requirement for an accounting of disclosures 
and a limited requirement with respect to TPO disclosures, and by 
tolling the effective date of the accounting of disclosures proposals 
in this rule until the effective date of the modified Privacy Rule 
accounting provision. Additionally, the Department requests data from 
Part 2 programs that are also covered entities or business associates 
on the number and type of requests for an accounting of disclosures of 
PHI received annually and to what extent such covered entities are 
providing an accounting of disclosures for TPO disclosures through an 
electronic health record based on the HITECH Act statutory requirement, 
even absent regulations. For Part 2 programs that are covered entities, 
the Department requests comments concerning the staff time and other 
costs involved in responding to an individual's request for an 
accounting of disclosures of PHI.

Sec.  2.26--Right to Request Privacy Protection for Records (Proposed 
Heading)

    The existing Part 2 regulation does not expressly provide a patient 
the right to request restrictions on disclosures of Part 2 records. 
Section 3221(b) of the CARES Act amended the PHSA to apply section 
13405(a) of the HITECH Act, Requested restrictions on certain 
disclosures of health information, to all disclosures of Part 2 records 
for TPO purposes with prior written consent. Therefore, the Department 
proposes to codify in Sec.  2.26 patient rights to: (1) request 
restrictions on disclosures of Part 2 records for TPO purposes, and (2) 
obtain restrictions on disclosures to health plans for services paid in 
full. The proposed provision would align with the individual right in 
the HITECH Act,\157\ as implemented in the Privacy Rule at 45 CFR 
164.522. As with the Privacy Rule right to request restrictions, a 
covered entity that denies a request for restrictions still would be 
subject to any applicable state or other law that imposes greater 
restrictions on disclosures than Part 2 requires.
---------------------------------------------------------------------------

    \157\ See 42 U.S.C. 17935(a).
---------------------------------------------------------------------------

    In addition to applying the HITECH Act requirements to Part 2, the 
CARES Act emphasized the importance of the right to request 
restrictions in three provisions, including:
    (1) A rule of construction that the CARES Act should not be 
construed to limit a patient's right under the Privacy Rule to request 
restrictions on the use or disclosure of Part 2 records for TPO; \158\
---------------------------------------------------------------------------

    \158\ CARES Act, sec. 3221(j)(1). The Department believes the 
effect of this Rule of Construction is that 45 CFR 164.522 of the 
Privacy Rule continues to apply without change to covered entities 
with respect to Part 2 records.
---------------------------------------------------------------------------

    (2) A Sense of Congress that patients have the right to request a 
restriction on the use or disclosure of a Part 2 record for TPO; \159\ 
and
---------------------------------------------------------------------------

    \159\ CARES Act, sec. 3221(k)(2).
---------------------------------------------------------------------------

    (3) A Sense of Congress that encourages covered entities to make 
every reasonable effort to the extent feasible to comply with a 
patient's request for a restriction regarding TPO uses or disclosures 
of Part 2 records.\160\
---------------------------------------------------------------------------

    \160\ CARES Act, sec. 3221(k)(3).
---------------------------------------------------------------------------

    The Department requests comments and data on the extent to which 
covered entities currently receive requests from patients to restrict 
disclosures of patient identifying information for TPO purposes, how 
covered entities document such requests, and the procedures and 
mechanisms used by covered entities to ensure compliance with patient 
requests to which they have agreed or that they are otherwise required 
to comply with by law.

Subpart C--Uses and Disclosures With Patient Consent (Proposed Heading)

    The Department proposes to modify the heading of Subpart C from 
``Disclosures with Patient Consent'' to ``Uses and Disclosures with 
Patient Consent'' to make the heading consistent with the changes the 
Department proposes to this subpart.

Sec.  2.31--Consent Requirements

    The Part 2 consent provision in current Sec.  2.31 specifies in 
paragraph (a) the required elements of a valid written patient consent 
for the disclosure of Part 2 records, and in paragraph (b) what 
constitutes a deficient consent upon which a disclosure of Part 2 
records is not permitted. To further align Part 2 with the Privacy Rule 
and implement the requirements of section 3221(b) of the CARES Act, the 
Department proposes numerous changes to the consent requirements in 
paragraph (a). Specifically, the Department proposes to change 
requirements concerning:

• Identity of the discloser
• Description of the information to be disclosed
• Designation of the recipient
• Purpose of the disclosure
• Right to revoke consent
• Expiration of consent

    In addition, the Department proposes new required statements as 
part of a consent for use and disclosure for TPO and a new required 
statement about the consequences to the patient of a failure to sign a 
consent.
    The Department also proposes to add the phrase ``use or'' in Sec.  
2.31(a), and ``used or'' in Sec.  2.31(a)(4)(ii)(B), to clarify that 
the elements of a written consent would address both use and disclosure 
of records. The Department believes these proposals are consistent with 
section 3221(b) of the CARES Act, which addresses permissions and 
restrictions for both uses and disclosures of records for TPO by 
programs and covered entities. The Department also proposes a wording 
change to replace the phrase ``individual or entity'' and the term 
``individual'' with the term ``person'' as now proposed to comport with 
the meaning of the term in the HIPAA Rules. The Department does not 
believe that as amended, 42 U.S.C. 290dd-2 diminishes the ability of a 
patient to only grant consent for disclosure of specific types of 
information contained in the Part 2 record or for specific TPO 
purposes. Additionally, the proposed change to the designation of a 
recipient would continue to permit patients to, for example, name a 
government agency to receive records when applying for public benefits 
and not require the name of a specific employee within the agency.
    The Department notes the permission enacted in 42 U.S.C. 290dd-
2(b)(1)(B), as amended by section 3221(b) of the CARES Act, allows that 
the contents of Part 2 records ``may,'' and are not required, to be 
used or disclosed in accordance with the Privacy Rule for TPO (after 
prior written consent is obtained). The Department believes, therefore, 
that the revised statute still permits the disclosing entity to employ 
more granular consent provisions. Further, the rules of construction in 
section 3221(j)(1) of the CARES Act support the continued ability of 
covered entities to obtain consent by stating that nothing in the Act 
shall be construed to limit ``a covered entity's choice, as described 
in section 164.506 of title 45, Code of Federal Regulations, or any 
successor regulation, to obtain the consent of the individual to use or 
disclose a record referred to in such section 543(a) to carry out 
treatment, payment, or health care operation.''
    The Department also notes that its proposal to modify Sec.  
2.31(a)(3) would still require the consent form to include a 
description of the information to be used or disclosed that identifies 
the information ``in a specific and meaningful fashion.'' \161\ This 
language mirrors that in the Privacy Rule standard for written 
authorization requiring that a valid authorization pursuant to 45 CFR 
164.508 contain ``at least . . . [a] description of the information to 
be used or disclosed that identifies the information in a specific and 
meaningful fashion.'' \162\ The Department believes that its treatment 
of consent requirements here remains consistent with that of SAMHSA's 
prior expressed guidance.\163\ The Department requests comment on this 
assumption.
---------------------------------------------------------------------------

    \161\ See proposed 42 CFR 2.31(a)(3).
    \162\ See 45 CFR 164.508(c) for the complete set of 
implementation specifications that apply to written authorization 
under the Privacy Rule.
    \163\ See e.g., 82 FR 6052, 6087.
---------------------------------------------------------------------------

    Several of the proposed changes to the language of the required 
consent elements are not intended to create substantive changes, but 
merely to align with the wording of similar requirements in the Privacy 
Rule. This includes, for example, the identity of the discloser, the 
description of the information to be disclosed, the right to revoke 
consent, and the expiration of consent.
    To fully accomplish the aims of the right to revoke consent, the 
Department expects that Part 2 programs would need to ensure that any 
ongoing or automatic disclosure mechanisms are halted upon receipt of a 
request for revocation. The CARES Act redisclosure permission for a 
covered entity, business associate, and Part 2 program recipients of 
Part 2 records limits the ability to ``pull back'' Part 2 information 
from those entities once it is disclosed. Thus, once a Part 2 program 
discloses a record for TPO purposes to a Part 2 program, covered 
entity, or business associate with prior written consent, a revocation 
would only be effective to prevent additional disclosures to those 
entities. It would not prevent a recipient Part 2 program, covered 
entity, or business associate from using the record for TPO, or 
redisclosing the record as permitted by the Privacy Rule.
    Another set of proposals in this section addresses general 
designations of the recipient of Part 2 records for TPO, which may be 
an intermediary or a Part 2 program, covered entity or business 
associate. To accommodate TPO written consents, the recipient may be a 
class of persons, rather than only an identified person. In addition, for a 
single consent for all future uses and disclosures for TPO, the 
recipient may be described as ``my treating providers, health plans, 
third-party payers, and people helping to operate this program'' or a 
similar statement.
    The proposed changes to the requirements for general designation of 
an intermediary would clarify and simplify the subheading and remove 
the required statement of the patient's right to a list of disclosures 
made by the intermediary for the prior two years. These changes are 
proposed in conjunction with the proposal to add a regulatory 
definition of intermediary that includes as examples the types of 
entities listed in Sec.  2.31 and described in previous Part 2 
rulemaking preamble discussions.\164\ Additionally, the Department 
proposes to add consent requirements that are similar to the Privacy 
Rule authorization elements at 45 CFR 164.508, with modifications to 
address the Part 2 requirement to obtain prior written consent for TPO 
uses and disclosures. Specifically, the Department proposes to require 
Part 2 programs to inform patients in the written consent of the 
potential for their Part 2 records that are disclosed to a Part 2 
program, covered entity, or business associate pursuant to the 
patient's written consent for treatment, payment, and health care 
operations to be further used or disclosed by the recipient to the 
extent permitted by the Privacy Rule and no longer protected by this 
regulation.
---------------------------------------------------------------------------

    \164\ See 82 FR 6052, 6056-6057, 6081, 6090.
---------------------------------------------------------------------------

    However, the Department does not propose to require, similar to the 
Privacy Rule at 45 CFR 164.522, that a written consent inform patients 
of the ability, under certain circumstances, to condition treatment on 
signing a consent for the use or disclosure of Part 2 records, because 
Part 2 does not prohibit the conditioning of treatment. For example, a 
Part 2 program may condition the provision of treatment on the 
patient's consent to disclose information as needed, for example, to 
make referrals to other providers, obtain payment from a health plan 
(unless the patient has paid in full), or conduct quality review of 
services provided.
    The Department is aware of public uncertainty about when a patient 
consent is considered ``written'' under Sec.  2.31. In previous 
guidance, SAMHSA clarified that an electronic signed consent form is 
allowable.\165\ The Department reaffirms the previous guidance 
concerning signatures and further clarifies that, where the Department 
has issued regulations adopting electronic standards to be used for 
patient consent management,\166\ and Part 2 programs have implemented 
such standards, the information conveyed using those standards would 
constitute a ``written'' patient consent where the individual provides 
all of the information required for a valid patient consent under Sec.  
2.31.
---------------------------------------------------------------------------

    \165\ See Frequently Asked Questions: Applying the Substance 
Abuse Confidentiality Regulations to Health Information Exchange 
(HIE). Q15. Does Part 2 require the use of original signed consents? 
https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf.
    \166\ See Cures Act Final Rule, 85 FR 25746 (discussing ONC's 
adoption of requirements and standards for authentication and 
authorization). See also CMS' Interoperability and Patient Access 
Rule, 85 FR 25510, 25545 (stating that ``HHS is collectively working 
to explore standards and technical supports for data segmentation 
for privacy and consent management and point commenters to the ONC 
21st Century Cures Act final rule for additional discussion on this. 
We also note that using the appropriate FHIR profiles, such as those 
being finalized by HHS in the ONC 21st Century Cures Act final rule 
. . . for API technical standards, including the SMART IG (using the 
OAuth 2.0 standard) and OpenID Connect as finalized at 45 CFR 
170.215, can be leveraged to support this.'').
---------------------------------------------------------------------------

    Regarding revocation of consent, the proposed changes reflect the 
text of the CARES Act with respect to TPO consent and also parallel 
the language of 45 CFR 164.508(c)(2)(i) for the core elements of a 
HIPAA authorization, which requires a statement about ``[t]he 
individual's right to revoke the authorization in writing.'' The intent 
in this section is to align the Part 2 consent requirements with the 
HIPAA authorization core elements to the extent feasible by 
establishing written revocation as a patient right. However, a Part 2 
program still may accept an oral revocation of consent. Consistent with 
HIPAA, if an entity receives a revocation orally, the entity ``knows'' 
that the consent has been revoked and can no longer treat the consent 
as valid under Part 2 and must consider it deficient under Sec.  
2.31(b)(3).\167\ For oral revocations, the Department recommends that the 
program obtaining the revocation document the revocation in the 
patient's record.
---------------------------------------------------------------------------

    \167\ See 65 FR 82462, 82515 (December 28, 2000).
---------------------------------------------------------------------------

    The Department's proposal to replace an ``expiration date, event, 
or condition'' with an ``expiration date or an expiration event that 
relates to the individual patient or the purpose of the use or 
disclosure'' is not intended to create substantive change, but only to 
align with the HIPAA authorization required elements. The Department 
believes that a ``condition'' may be considered an event that relates 
to the individual patient. Further, the Department believes the 
modified language would continue to serve an aim of both the HIPAA and 
Part 2 expiration elements, which is to ensure that the consent or 
authorization will last no longer than necessary to accomplish the 
purpose of the use(s) or disclosure(s).
    The Department requests comments on its proposals that would 
implement changes to Sec.  2.31. Specifically, the Department requests 
comment on whether there are other changes that it should make to 
further align Sec.  2.31 with the Privacy Rule using its general 
regulatory authority in Sec.  3221(i)(1) of the CARES Act to ``make 
such revisions to regulations as may be necessary for implementing and 
enforcing the amendments.'' In particular, the Department seeks comment 
from the public, including routine requestors of Part 2 records, on 
whether and to what extent the Department should require Part 2 
programs to inform requestors when a preexisting consent exists for 
disclosure and the scope of such consent for disclosure. This input 
would be helpful as the Department considers how to facilitate covered 
entities' abilities to use the new permissions for TPO disclosures and 
related redisclosures under the Privacy Rule and Part 2. The Department 
also seeks comments on the extent to which Part 2 programs accept or 
rely on oral revocations of consent, and if so, whether and how this is 
documented or tracked.

Sec.  2.32--Notice To Accompany Disclosure (Proposed Heading)

    The Department proposes to change the heading of this section from 
``Prohibition on re-disclosure'' to ``Notice to accompany disclosure'' 
because Sec.  2.32 is wholly a notice requirement, while other 
provisions (Sec.  2.12(d)) prohibit recipients of Part 2 records from 
redisclosing the records without obtaining a separate written patient 
consent. To ensure that recipients of Part 2 records comply with the 
prohibition at Sec.  2.12(d), Sec.  2.32(a) requires that Part 2 
programs attach a notice whenever Part 2 records are disclosed with 
patient consent, notifying the recipient of the prohibition on 
redisclosure and of the prohibition on use of the records in civil, 
criminal, administrative, and legislative proceedings against the 
patient.
    The Department proposes to modify paragraph (a)(1) of Sec.  2.32 to 
reflect the expanded prohibition on use and disclosure of Part 2 
records in certain proceedings against the patient, which includes 
testimony that relays information in a Part 2 record and the 
use or disclosure of such records or testimony in civil, criminal, 
administrative, and legislative proceedings, absent consent or a court 
order. The Department intends for ``proceedings'' to be understood 
broadly, to encompass investigations as in the existing regulation. 
Thus, investigative agencies should understand the continuing 
expectation that the requirement to seek a court order applies at the 
early stages of a proceeding where Part 2 records are sought to be used 
and disclosed.
    In addition, the proposal would list exceptions to the general rule 
prohibiting further use or disclosure of the Part 2 records by 
recipients of such records, which would include an exception for 
covered entities, business associates, and Part 2 programs who receive 
Part 2 records for TPO based on a patient's consent and now may 
redisclose the records as permitted by the Privacy Rule. This exception 
also would apply to entities that received Part 2 records from a 
covered entity or business associate under the Privacy Rule disclosure 
permissions although the legal proceedings prohibition would still 
apply to covered entities and business associates that receive these 
Part 2 records. These changes are necessary to conform Sec.  2.32 with 
42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES 
Act concerning redisclosure permissions for covered entity, business 
associate, and Part 2 program recipients of Part 2 records.
    The Department also proposes a change to the simplified alternative 
language in paragraph (a)(2) of Sec.  2.32. The Department would add 
the term ``use'' to make clear that authorized uses and disclosures are 
prohibited by this part. The Department notes that a Part 2 program or 
other person holding Part 2 records could still choose whether to 
adopt the more detailed revised notice or to use the simple notice.
    The Department requests comment on the proposed approach to the 
notice to accompany disclosure, including whether the alternative 
simplified notice in paragraph (a)(2) is sufficient to inform 
recipients of Part 2 records and whether the revised notice in 
paragraph (a)(1) should include different elements.

Sec.  2.33--Uses and Disclosures Permitted With Written Consent 
(Proposed Heading)

    Section 2.33 of 42 CFR part 2 currently permits Part 2 programs to 
disclose Part 2 records in accordance with written patient consent in 
paragraph (a); and permits lawful holders, upon receipt of the records 
based on consent for payment or health care operations purposes, to 
redisclose such records to contractors and subcontractors for certain 
activities, such as those provided as examples in paragraph (b).
    To implement sections 3221(b) and (k)(4) of the CARES Act, the 
Department proposes to amend the heading of this section to refer to 
``Uses and disclosures permitted with written consent'' instead of 
solely ``disclosures.'' The Department further proposes to add ``use'' 
to refer to ``use or disclosure'' instead of only ``disclosure'' in 
paragraphs (a) and (b) and (b)(2), as modified. The Department believes 
these changes would align this section with proposed Sec. Sec.  2.31 
and 2.32 as discussed above. The Department further believes these 
proposals are consistent with the congressional intent expressed in 42 
U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, 
which aligns Part 2 with the Privacy Rule for purposes of TPO uses and 
disclosures.
    The Department also proposes to revise paragraph (b) by removing 
the list of permitted payment and health care operations uses and 
disclosures, adding language to paragraphs (b) and (b)(1), re-
designating paragraph (2) as paragraph (3), and adding a new paragraph 
(b)(2).\168\ Specifically, the Department proposes to create two 
categories of redisclosure permissions. The first category would apply 
to Part 2 programs, covered entities, and business associates that have 
received a Part 2 record with consent for TPO and would permit the 
recipient to redisclose the records for uses and disclosures as 
permitted by the Privacy Rule, subject to the limitations of proposed 
subpart E of Part 2 pertaining to legal proceedings. The second 
category would apply to lawful holders that are not business 
associates, covered entities, or Part 2 programs and have received Part 
2 records with written consent for payment and health care operations 
purposes. This category would permit the recipient to redisclose the 
records for uses and disclosures to its contractors, subcontractors, 
and legal representatives to carry out the intended purpose, also 
subject to the limitations of proposed subpart E of part 2 pertaining 
to legal proceedings. A lawful holder under this provision would not be 
permitted to redisclose Part 2 records it receives for treatment 
purposes before obtaining an additional written consent from the 
patient. The Department has not proposed to define the terms 
``contractors, subcontractors, and legal representatives'' because it 
does not intend to change the accepted understanding of these business 
relationships between the recipient of Part 2 records under a written 
patient consent and the entities that it uses to carry out its business 
activities. The Department requests comment on whether it would be 
helpful to define these terms and, if so, what definitions would 
appropriately retain the existing accepted understanding of the 
business relationships.
---------------------------------------------------------------------------

    \168\ Section 3221(b) of the CARES Act is codified at 42 U.S.C. 
290dd-2(b)(1)(C).
---------------------------------------------------------------------------

    The proposed changes would implement section 3221 of the CARES Act 
by permitting covered entities and business associates to use and 
redisclose Part 2 records in accordance with the standards that apply 
to PHI in the Privacy Rule and permitting Part 2 programs to use, 
disclose, and redisclose Part 2 records for TPO purposes when the 
records are obtained under a written consent given once for all future 
TPO uses and disclosures. The expanded ability to use and disclose Part 
2 records would facilitate greater integration of SUD treatment 
information with other PHI. The Department believes this change would 
improve communication and care coordination between providers and with 
other elements of the health care system, such as the ability of payers 
to share SUD treatment claims information with alternative payment 
model providers for population health management, and enhance the 
ability to comprehensively diagnose and treat the whole patient. It 
would also facilitate the exchange of Part 2 records between Part 2 
programs and reduce burdens on such exchanges by allowing a written 
consent to be given once for all future TPO uses and disclosures. The 
Department supports the sharing of Part 2 records among health care 
entities and patients for continuity of care purposes and has proposed 
to align the Part 2 consent requirements and disclosure permissions 
with the Privacy Rule to the extent possible for such purposes within 
the legal authority granted by Congress.
    Only redisclosures for legal proceedings by covered entities or 
business associates would be subject to the more stringent Part 2 
restrictions, as discussed below in relation to Sec. Sec.  2.64 and 
2.65. Finally, the Department proposes to exclude covered entities and 
business associates from the requirements of paragraph (c) because they 
are already subject to the Privacy Rule requirements for business 
associate agreements. The Department welcomes comments concerning the 
extent to which the proposed changes to Sec.  2.33 would result in 
reduction of patient
trust that their Part 2 records will be kept confidential and thus 
affect the ability to provide treatment to patients with SUD. The 
Department requests comment on how Part 2 programs and recipients of 
Part 2 records would identify records for which a patient has given 
consent for TPO uses and disclosures generally as compared to consent 
for one purpose or a consent limited to certain segments of Part 2 
information. In addition, the Department seeks comment on the ways to 
increase coordination not only amongst Part 2 programs or 
recipients of Part 2 records and providers of other healthcare services 
but also with the health IT developer and HIE communities to protect 
privacy for Part 2 records within EHRs. Finally, the Department 
requests comment on how the proposed revisions to Sec.  2.33 might 
affect the future data segregation practices of Part 2 programs and 
recipients of Part 2 records.

Sec.  2.34--Uses and Disclosures To Prevent Multiple Enrollments 
(Proposed Heading)

    Section 2.34 permits a Part 2 program to disclose patient records 
to certain central registries to prevent multiple enrollments of a 
patient to withdrawal management or maintenance treatment programs when 
conditions are met. The Department proposes to replace the phrase ``re-
disclose or use'' with ``use or redisclose'' at Sec.  2.34(b), as it 
relates to preventing a registry from using or redisclosing Part 2 
records, to align the language of this provision with the Privacy Rule 
as discussed above. The Department also proposes a minor wording change 
to refer to ``use of information in records'' instead of just ``use of 
information'' to make clear that this provision relates to Part 2 
records.

Sec.  2.35--Disclosures to Elements of the Criminal Justice System 
Which Have Referred Patients

    Section 2.35 of 42 CFR part 2 outlines conditions for disclosures 
back to persons within the criminal justice system who have referred 
patients to a Part 2 program for SUD diagnosis or treatment as a 
condition of the patients' confinement or parole. The Department 
proposes to clarify that the permitted disclosures would be of 
information from the Part 2 record and to replace the term 
``individual'' within the criminal justice system with ``persons.'' As 
discussed above, the term ``individual'' is defined in the HIPAA Rules 
to refer to natural persons who are the subject of PHI,\169\ while the 
analogous term in Part 2 for the subjects of Part 2 records is 
``patient.''
---------------------------------------------------------------------------

    \169\ See 45 CFR 160.103 (definition of ``Individual'').
---------------------------------------------------------------------------

    To avoid potential misunderstanding due to different terminology, 
the Department proposes to use ``persons'' when referring to someone 
other than the individual patient. In conjunction with this proposed 
change in usage, the Department proposes to replace the Part 2 
definition of ``person'' with the HIPAA regulatory definition at 45 CFR 
160.103. This definition includes both natural persons and legal 
entities. The Department also proposes to add the phrase ``from a 
record'' after the term ``information'' to make clear that this section 
regulates ``records'', and to replace ``disclosure and use'' with ``use 
and disclosure'' in several places to parallel the Privacy Rule.
    The Department welcomes comment on its approach to identifying 
``persons'' within the criminal justice system who have referred 
patients to a Part 2 program, including whether the alternative term 
``personnel'' would more accurately cover the circumstances under which 
referrals under Sec.  2.35 are made.

Subpart D--Uses and Disclosures Without Patient Consent (Proposed 
Heading)

    The Department proposes to modify the heading of subpart D by 
adding the term ``uses'' so it reads ``Uses and Disclosures Without 
Patient Consent'' to clarify that some of the regulated activities in 
this subpart--including research in Sec.  2.52(b) (e.g., conducting 
scientific research using patient identifying information), preparing 
research reports in Sec.  2.52(b)(3), and Audit and evaluation (now 
proposed as ``Management audits, financial audits, and program 
evaluation'')--include internal uses of Part 2 records by regulated 
entities.

Sec.  2.51--Medical Emergencies

    Section 2.51 of 42 CFR part 2 permits Part 2 programs to disclose 
patient identifying information to medical personnel in certain 
circumstances. In Sec.  2.51(c)(2), the Department proposes to replace 
the term ``individual'' with the term ``person'' as discussed above in 
Sec.  2.11, Definitions.

Sec.  2.52--Scientific Research (Proposed Heading)

    Section 2.52 of 42 CFR part 2 permits Part 2 programs to disclose 
patient identifying information for research, without patient consent, 
under limited circumstances. The Department proposes to update the 
title of this section for consistency with the statute and to add the 
term ``use'' to Sec.  2.52(a). In Sec.  2.52(b)(3), any individual or 
entity conducting scientific research using patient identifying 
information may include part 2 data in research reports only in non-
identifiable aggregate form. The Department proposes to change the 
standard in Sec.  2.52(b)(3) to more closely align with the Privacy 
Rule de-identification standard. Specifically, for Sec.  2.52(b)(3), 
the Department proposes changes to the text to read: ``. . . patient 
identifying information has been de-identified in accordance with the 
requirements of the Privacy Rule at 45 CFR 164.514(b) such that there 
is no reasonable basis to believe that the information can be used to 
identify a patient as having or having had a substance use disorder.'' 
The Department requests comment on any benefits, costs, and potential 
unintended adverse consequences that may result from this proposed 
change. The Department also proposes to replace several instances of 
the phrase ``individual or entity'' with the term ``person'', which 
would encompass both individuals and entities, and to replace the term 
``individual'' with the term ``person.''

Sec.  2.53--Management Audits, Financial Audits, and Program Evaluation 
(Proposed Heading)

    The Department proposes to change the heading of Sec.  2.53 to 
specifically refer to management audits, financial audits, and program 
evaluation to more clearly describe the disclosures permitted without 
consent under 42 U.S.C. 290dd-2(b)(2)(B). The Department also proposes 
to replace several instances of the phrase ``individual or entity'' 
with the term ``person'', which would encompass both individuals and 
entities.
    Section 2.53 of 42 CFR part 2 permits a Part 2 program or lawful 
holder to disclose patient identifying information to any individual or 
entity in the course of certain Federal, State, or local audit and 
program evaluation activities. Section 2.53 also permits a Part 2 
program to disclose patient identifying information to Federal, State, 
or local government agencies and their contractors, subcontractors, and 
legal representatives when mandated by law, if the audit or evaluation 
cannot be carried out using de-identified information.
    There is significant overlap between activities described as 
``audit and evaluation'' in Sec.  2.53 and health care operations as 
defined in the Privacy
Rule at 45 CFR 164.501. For example, the following audit and evaluation 
activities under Part 2 align with the health care operations defined 
in the Privacy Rule, as cited below:
    • Sec.  2.53(c)(1) (government agency or third-party payer 
activities to identify actions, such as changes to its policies or 
procedures, to improve care and outcomes for patients with SUDs who are 
treated by part 2 programs; ensure that resources are managed 
effectively to care for patients; or determine the need for adjustments 
to payment policies to enhance care or coverage for patients with SUD); 
\170\
---------------------------------------------------------------------------

    \170\ See, e.g., 45 CFR 164.501 (definition of ``Health care 
operations'', paragraph 5).
---------------------------------------------------------------------------

    • Sec.  2.53(c)(2) (reviews of appropriateness of medical 
care, medical necessity, and utilization of services).\171\
---------------------------------------------------------------------------

    \171\ See, e.g., 45 CFR 164.501 (definition of ``Health care 
operations'', paragraph 1).
---------------------------------------------------------------------------

    • Sec.  2.53(d) (accreditation).\172\
---------------------------------------------------------------------------

    \172\ See, e.g., 45 CFR 164.501 (definition of ``Health care 
operations'', paragraph 2).
---------------------------------------------------------------------------

    In addition, activities by individuals and entities conducting 
Medicare, Medicaid, and CHIP audits or evaluations described at Sec.  
2.53(e) parallel those defined as health oversight activities in the 
Privacy Rule at 45 CFR 164.512(d)(1). Part 2 programs and lawful 
holders making disclosures to these individuals and entities must agree 
to comply with all applicable provisions of 42 U.S.C. 290dd-2, ensure 
that the activities involving patient identifying information occur in 
a confidential and controlled setting, ensure that any communications 
or reports or other documents resulting from an audit or evaluation 
under this section do not allow for the direct or indirect 
identification (e.g., through the use of codes) of a patient as having 
or having had an SUD; and must establish policies and procedures to 
protect the confidentiality of the patient identifying information 
consistent with this part. Patient identifying information disclosed 
pursuant to Sec.  2.53(e) may be further redisclosed to contractor(s), 
subcontractor(s), or legal representative(s), to carry out the audit or 
evaluation, but is restricted to only that which is necessary to 
complete the audit or evaluation as specified in paragraph (e).\173\
---------------------------------------------------------------------------

    \173\ See 42 CFR 2.53(e)(6).
---------------------------------------------------------------------------

    Section 3221(b) of the CARES Act amended the PHSA to permit Part 2 
programs, covered entities, and business associates to use or disclose 
the contents of Part 2 records for TPO after obtaining the written 
consent of a patient.\174\ Covered entities, business associates, and 
Part 2 programs are further permitted to redisclose the same 
information in accordance with the Privacy Rule. As the Department has 
noted throughout this NPRM, these new disclosure pathways are 
permissive, not required.
---------------------------------------------------------------------------

    \174\ Codified at 42 U.S.C. 290dd-2(b)(1)(B).
---------------------------------------------------------------------------

    To implement the new TPO permission that includes the ability of 
such entities to use or disclose Part 2 records for health care 
operations with a general consent, the Department proposes to modify 
the audit and evaluation provisions at Sec.  2.53 by adding the term 
``use'' where the current language of Sec.  2.53 refers only to 
disclosure and by adding paragraph (h), Disclosures for health care 
operations. This new provision would clarify that Part 2 programs, 
covered entities, and business associates are permitted to disclose 
Part 2 records pursuant to a consent for all future TPO uses and 
disclosures when a requesting entity is seeking records for activities 
described in paragraphs (c) or (d) of Sec.  2.53. Such activities are 
health care operations, but do not include treatment and payment. To 
the extent that a requesting entity is itself a Part 2 program, covered 
entity, or business associate that has received Part 2 records pursuant 
to a consent that includes disclosures for health care operations, it 
would then be permitted to redisclose the records for other purposes as 
permitted by the Privacy Rule. Thus, if an auditing entity is a Part 2 
program, covered entity, or business associate that has obtained 
consent and is not performing health oversight, it would not be subject 
to all the requirements of Sec.  2.53 (e.g., the requirement to only 
disclose the records back to the program that provided them). 
Requesting entities that are not Part 2 programs, covered entities, or 
business associates would not have this flexibility but would still use 
existing permissions in Sec.  2.53 to obtain access to records for 
audit and evaluation purposes, and they would remain subject to the 
redisclosure limitations therein.
    The CARES Act does not expressly address Sec.  2.53; however, there 
is overlap between the audit and evaluation activities contemplated in 
Sec.  2.53 and some activities defined as health care operations and 
health oversight activities in the Privacy Rule. The Department has 
consistently subjected its health oversight uses and disclosures to the 
requirements of Sec.  2.53, and it does not believe that Congress 
intended differently when it amended section 290dd-2(b)(1)(B) of 42 
U.S.C.
    As under the existing regulation, a person performing applicable 
audit and evaluation activities may rely instead on patient consent for 
health care operations as a means of obtaining the needed records. The 
Department believes that in many instances this would not be feasible 
because it would require tracking and segregating records with consent 
from those without consent, and would reduce the overall number of 
records available for auditing and evaluation. However, the Department 
requests comment on whether the new redisclosure permission for Part 2 
programs, covered entities, and business associates may create 
incentives for such recipients to rely on patient consent more 
frequently when performing audit and evaluation of records made 
available by Part 2 programs. Proposed paragraph (h) would leave intact 
existing disclosure permissions and requirements for audit and 
evaluation activities without consent, including health care oversight 
activities, such as described in paragraph (e). At the same time, the 
proposal would provide a new mechanism for programs and covered 
entities to obtain patient consents for all future TPO uses and 
disclosures (including redisclosures), which in some instances may 
include audit and evaluation activities.
    The Department proposes this approach because it believes there is 
no basis to fully align the Part 2 audit and evaluation provisions with 
the Privacy Rule, given that the CARES Act consent provisions 
specifically incorporated only uses and disclosures for TPO purposes, 
not for health oversight activities. The Department requests comment on 
this interpretation and any anticipated benefits or costs of treating 
some audit and evaluation activities under Part 2 differently than 
others based on whether the activities would constitute health care 
operations or health oversight activities.

Sec.  2.54--Disclosures for Public Health (Proposed Heading)

    The existing Part 2 regulations do not permit the disclosure of 
Part 2 records for public health purposes. The CARES Act, section 
3221(c), added paragraph (b)(2)(D) to 42 U.S.C. 290dd-2 to permit Part 
2 programs to disclose de-identified health information to public 
health authorities. Therefore, the Department proposes to add Sec.  
2.54 to permit Part 2 programs to disclose Part 2 records without 
patient consent to public health authorities provided that the 
information is de-identified in accordance with the standards in 45 CFR 
164.514(b). This change is proposed in conjunction with the 
Department's proposed definitions for public health authority as 
described
above. Further, the proposed change should not be construed as 
extending the protections of Part 2 to de-identified information, as 
such information is outside the scope of 2.12(a). Thus, once Part 2 
records are de-identified for disclosure to public health authorities, 
Part 2 no longer applies to the de-identified records.
    The Department requests comment on any benefits or costs that may 
result from this proposed change.

Subpart E--Court Orders Authorizing Use and Disclosure (Proposed 
Heading)

    The Department proposes to modify the heading of subpart E to 
reflect changes made to the provisions of this subpart related to the 
use and disclosure of Part 2 records in proceedings consistent with 42 
U.S.C. 290dd-2(b) and (2)(c), as amended by section 3221(b) and (e) 
of the CARES Act.

Sec.  2.61--Legal Effect of Order

    Current Sec.  2.61 includes the requirement that beyond a court 
order, a subpoena must be issued to a Part 2 program in order to compel 
disclosure of Part 2 records. In addition to non-substantive wording 
edits reflected in the proposed regulatory text, the Department 
proposes to add the word ``use'' to paragraphs (a), (b)(1) and (b)(2) 
to clarify that the legal effect of a court order with respect to Part 
2 records would include authorizing the use of Part 2 records, in 
addition to the disclosure of Part 2 records. The Department believes 
this approach is consistent with the CARES Act amendments to 42 U.S.C. 
290dd-2.

Sec.  2.62--Order Not Applicable to Records Disclosed Without Consent 
to Researchers, Auditors and Evaluators

    Currently, Sec.  2.62 provides that a court order may not authorize 
qualified personnel who have received patient identifying information 
without consent for research, audit, or evaluation, to disclose the 
information or use it to conduct a criminal investigation of the 
patient. In addition to wording changes to improve readability, and 
reordering the phrase ``disclosure and use'' to ``use and disclosure'' 
for the same reasons described in other sections, the Department 
proposes to replace the term ``qualified personnel'' with a description 
of who falls within the term. The term ``Qualified personnel'' has a 
precise meaning but does not have a regulatory definition within 42 CFR 
part 2 and is used only once within the regulation. For greater 
clarity, the Department proposes to refer instead to ``persons who meet 
the criteria specified in Sec.  2.52(a)(1)(i)-(iii) of this part,'' and 
later in the paragraph to ``such persons.''

Sec.  2.63--Confidential Communications

    Section 2.63(a) of 42 CFR part 2 currently provides that a court 
order may authorize disclosure of confidential communications made by a 
patient to a Part 2 program during diagnosis, treatment, or referral 
only if necessary: (1) to protect against a threat of serious bodily 
injury; (2) to prosecute the patient for a serious crime; or (3) in 
connection with litigation or an administrative proceeding in which the 
patient introduces their own Part 2 records. Paragraph (c) of 42 U.S.C. 
290dd-2, as amended by section 3221(e) of the CARES Act, provides that Part 2 
records may be disclosed in noncriminal legal proceedings only with 
patient consent or a court order, and added civil litigation and 
administrative proceedings to the list of proceedings for which Part 2 
records cannot be used or disclosed by a government authority against a 
patient, absent a court order. To implement the changes to 42 U.S.C. 
290dd-2, the Department proposes to specify in Sec.  2.63(a)(3) that 
civil, as well as criminal, administrative, and legislative proceedings 
are circumstances under which a court may authorize disclosures of 
confidential communications made by a patient to a Part 2 program in 
Part 2 records when the patient opens the door by introducing their 
records or testimony that relays information in their records as 
evidence.

Sec.  2.64--Procedures and Criteria for Orders Authorizing Uses and 
Disclosures for Noncriminal Purposes (Proposed Heading)

    Section 2.64 of 42 CFR part 2 governs court orders authorizing the 
disclosure of patient records for noncriminal investigations or 
prosecutions. Paragraph (a) of this section provides that any person 
with a legally recognized interest may apply for a court order 
authorizing the disclosure of patient records in noncriminal 
proceedings, and such person may file the application separately or as 
part of a pending civil action in which they assert the evidentiary 
need for the records. A court order under this section (or any section 
within subpart E) would be limited to the circumstances specified in 
Sec.  2.63, discussed above. Section 3221(e) of the CARES Act expanded 
privacy protections by prohibiting the use of Part 2 records for these 
purposes, or disclosure or use of testimony relaying the contents of a 
patient's records. To implement this change, the Department proposes to 
modify the heading, paragraph (a), and paragraph (e) to include use, 
not only disclosure, of Part 2 records, and the use or disclosure of 
testimony relaying the information in such records.
    The Department further proposes to modify Sec.  2.64(a) by adding 
administrative or legislative proceedings to the types of noncriminal 
proceedings for which a use or disclosure of Part 2 records must be 
authorized by a court order, absent patient consent or the application 
of Sec.  2.53(e). Section 290dd-2(c) of 42 U.S.C., as amended, requires 
a court order, even when the disclosure or use is sought in an 
administrative or legislative proceeding. Thus, when disclosure or use 
of Part 2 records or testimony relaying information in a record is 
sought in a non-judicial proceeding, the application would be filed 
separately in court.
    Paragraph (e) of Sec.  2.64 sets forth limitations for court orders 
authorizing the disclosure of patient records in noncriminal 
proceedings, limiting such disclosures to the portions of the patient's 
record that are essential to fulfill the purpose of the order. The 
Department proposes to add the word ``only'' to clarify the extent of 
the limitation. The disclosure must also be limited to those persons 
whose need for the information is the basis for the order and must 
include necessary measures to limit the use or disclosure.
    The Department also proposes to modify subparagraphs (e)(1) through 
(e)(3) to include the use of patient records and the use or disclosure 
of testimony relaying the information in patient records. The 
Department proposes these modifications to align with 42 U.S.C. 290dd-
2(c)(1) through (c)(3), as amended by section 3221(e) of the CARES Act 
(expanding privacy protection by prohibiting the use or disclosure of 
patient records or testimony relaying the contents of a patient's 
records).

Sec.  2.65--Procedures and Criteria for Orders Authorizing Use and 
Disclosure of Records To Criminally Investigate or Prosecute Patients 
(Proposed Heading)

    Section 2.65 of 42 CFR part 2 establishes procedures and criteria 
for court orders authorizing the use and disclosure of patient records 
in criminal investigations or prosecutions of the patient. Under Sec.  
2.65(a), the custodian of the patient's records, or a law enforcement 
or prosecutorial official responsible for conducting investigative or 
prosecutorial activities with respect to the enforcement of criminal 
laws, may apply for a court order authorizing the disclosure of Part 2 
records to
criminally investigate or prosecute a patient of a Part 2 program. The 
Department proposes the change, as discussed above, to refer to ``use 
and disclosure'' throughout this section instead of ``disclosure and 
use.''
    Parallel to the proposed changes to Sec.  2.64, discussed above, 
the Department proposes to modify Sec.  2.65(a) to include the use and 
disclosure of testimony relaying the information in patient records 
because the current provision is limited to disclosure of records and 
does not address the CARES Act expanded privacy protection which also 
prohibits the use or disclosure of testimony relaying the contents of a 
patient's records. The Department further proposes to modify Sec.  
2.65(a) to add administrative and legislative criminal proceedings to 
the criminal proceedings for which the use or disclosure of Part 2 
patient records may be authorized by a court order, consistent with the 
CARES Act. In addition to criminal prosecutions brought as part of the 
judicial process, criminal investigations may be carried out by 
executive agencies and legislative bodies and the CARES Act has widened 
the confidentiality protections for patients in all of these forums 
where there may be a risk of exposure and liability.
    Subparagraph (d) of Sec.  2.65 sets forth criteria for the issuance 
of a court order authorizing the disclosure and use of patient records 
to conduct a criminal investigation or prosecution of a patient. 
Specifically, Sec.  2.65(d)(2) requires a reasonable likelihood that 
the records would disclose information of substantial value in the 
investigation or prosecution.
    The Department proposes to modify Sec. Sec.  2.65(d) and (d)(2) in 
a manner similar to proposed Sec.  2.65(a), discussed above, to include 
the use or disclosure of testimony relaying the information in Part 2 
records. Under the proposed modification, the criteria in Sec.  2.65(d) 
would apply to court orders authorizing not only the use and disclosure 
of Part 2 records, but also the use and disclosure of testimony 
relaying the information in those records, consistent with 42 U.S.C. 
290dd-2(c), as amended by section 3221(c) of the CARES Act.
    Subparagraph (e) of Sec.  2.65 sets forth requirements for the 
content of a court order authorizing the use or disclosure of patient 
records for the criminal investigation or prosecution of the patient. 
Specifically, Sec.  2.65(e)(1) requires that such order must limit the 
use or disclosure to those parts of the patient's record as are 
essential to fulfill the objective of the order. Section 2.65(e)(2) 
requires that the order limit the disclosure to those law enforcement 
and prosecutorial officials who are responsible for, or are conducting, 
the investigation or prosecution, and limit their use of the records to 
investigation and prosecution of the extremely serious crime or 
suspected crime specified in the application. The existing rule, at 
Sec.  2.63(1) and (2), specifies that the type of crime for which an 
order could be granted would be one ``which directly threatens loss of 
life or serious bodily injury, including homicide, rape, kidnapping, 
armed robbery, assault with a deadly weapon, or child abuse and 
neglect.'' \175\ Thus, the use of an illegal substance does not in 
itself constitute an extremely serious crime.
---------------------------------------------------------------------------

    \175\ 42 CFR 2.65.
---------------------------------------------------------------------------

    The Department proposes to modify Sec. Sec.  2.65(e) and (e)(1) 
through (e)(2) in a manner similar to Sec. Sec.  2.65(a) and 2.65(d) 
and (d)(2), discussed above, to include the use and disclosure of 
testimony relaying the information in patient records. The proposed 
modification would apply the same limitations on a court order 
authorizing the use or disclosure of a patient's records to court 
orders authorizing the use or disclosure of testimony relaying 
the information in those records. The proposed modification to Sec.  
2.65(e)(1) would limit uses and disclosures to those parts of a 
patient's records or testimony relaying the information in those 
records which are essential to fulfill the objective of the order. 
Likewise, the proposed modification to Sec.  2.65(e)(2) would limit 
disclosures to those law enforcement and prosecutorial officials who 
are responsible for, or are conducting, the investigation or 
prosecution, and limit their use of the records or testimony to 
investigation and prosecution of the extremely serious crime or suspected 
crime specified in the application and as limited by Sec.  2.63.
    The above-noted proposed modifications to Sec. Sec.  2.65(d) and 
(d)(2), 2.65(e), and 2.65(e)(1) and (e)(2), each would add the use and 
disclosure of testimony relaying the information in patient records to 
the protections already afforded Part 2 records under the regulations.

Sec.  2.66--Procedures and Criteria for Orders Authorizing Use and 
Disclosure of Records To Investigate or Prosecute a Part 2 Program or 
Person Holding the Records (Proposed Heading)

    Section 2.66 specifies the persons who may apply for an order 
authorizing the disclosure of patient records for the purpose of 
investigating or prosecuting a Part 2 program in connection with legal 
proceedings, how such persons may file the application, and provides 
that, at the court's discretion, such orders may be granted without 
notice to the Part 2 program or patient.
    The Department proposes a new paragraph (a)(3) that details 
procedures for investigative agencies to follow in the event they 
unknowingly obtain Part 2 records during an investigation or 
prosecution of a Part 2 program or person holding Part 2 records. 
Specifically, the Department would require an investigative agency 
(other than one proceeding under Sec.  2.53(e)) that discovers in good 
faith that it has obtained Part 2 records to secure the records 
according to Sec.  2.16 and cease using or disclosing them until it 
obtains a court order authorizing the use and disclosure of the records 
and any records later obtained, within a reasonable period of time, but 
not more than 120 days after discovering it received the records. If 
the agency does not seek a court order, it must return the records to 
the Part 2 program or person holding the records if it is legally 
permissible to do so, within a reasonable period of time, but not more 
than 120 days from discovery; or, if the agency does not seek a court 
order or return the records, it must destroy the records in a manner 
that renders the patient identifying information non-retrievable, 
within a reasonable period of time, but not more than 120 days from 
discovery. Finally, if the agency's application for a court order is 
rejected by the court and no longer subject to appeal, the agency must 
return the records to the Part 2 program or person holding the records, 
if it is legally permissible to do so, or destroy the records 
immediately after notice of rejection from the court.
    The Department proposes in paragraph (b) to provide an option for 
substitute notice by publication when it is impracticable under the 
circumstances to provide individual notification of the opportunity to 
seek revocation or amendment of a court order issued under Sec.  2.66. 
Additionally, the Department proposes to reorganize paragraph (c) by 
expressly incorporating the provisions from Sec.  2.64(d) that would 
require an applicant to show a court the good cause requirement and 
criteria, and adding the proposed Sec.  2.3(b) requirements as elements 
of good cause for investigative agencies that apply for a court order 
under proposed Sec.  2.66(a)(3)(ii).
    The Department proposes to replace the phrase ``disclosure and 
use'' with ``use and disclosure'' to align the language of this section 
with the Privacy Rule in paragraphs (a) through (d). The Department 
also proposes minor 
wording changes to improve readability, viewable in proposed regulatory 
text.

Sec.  2.67--Orders Authorizing the Use of Undercover Agents and 
Informants To Investigate Employees or Agents of a Part 2 Program in 
Connection With a Criminal Matter

    Current Sec.  2.67 authorizes the placement of an undercover agent 
in a Part 2 program as an employee or patient by a law enforcement or 
prosecutorial agency pursuant to court order when the law enforcement 
organization has reason to believe the employees of the Part 2 program 
are engaged in criminal misconduct.
    The Department proposes to clarify that the good cause criteria for 
a court order in paragraph (c)(2) include circumstances when obtaining 
the evidence another way would ``yield incomplete evidence.'' The 
Department also proposes to create a new paragraph (c)(4) addressing 
investigative agencies' belated applications for a court order 
authorizing placement of an undercover informant or agent to 
investigate a Part 2 program or its employees. The provision would 
require the investigative agency to satisfy the conditions at proposed 
Sec.  2.3(b) before applying for a court order for Part 2 records after 
discovering that it unknowingly had received such records.
    Finally, the Department proposes to replace the phrase ``law 
enforcement or prosecutorial'' with ``investigative'' in paragraph (a) 
and to add the words ``using or'' in front of ``disclosing'' in 
paragraph (d)(3) of this section and ``and disclosure'' after the term 
``use'' in paragraph (e) of this section to implement 42 U.S.C. 290dd-
2(c), as amended by section 3221(e) of the CARES Act, which prohibits 
the use or disclosure of Part 2 records in these circumstances.

Sec.  2.68--Report to the Secretary (Proposed Heading)

    The Department proposes to create a new Sec.  2.68 to require 
investigative agencies to file an annual report with the Secretary of 
the applications filed for court orders after use or disclosure of 
records in an investigation or prosecution of a program or holder of 
records under Sec.  2.66(a)(3)(ii) and after placement of an undercover 
agent or informant under Sec.  2.67(c)(4). The report would also 
include the number of instances in which such applications were denied 
due to findings by the court of violations of this part during the 
calendar year, and the number of instances in which the investigative 
agency returned or destroyed Part 2 records following unknowing receipt 
without a court order, in compliance with Sec.  2.66(a)(3)(iii), (iv), 
or (v), respectively during the calendar year. The Department proposes 
that such reports would be due within 60 days following the end of the 
calendar year.

Request for Comments

    The Department requests public comment on all aspects of the 
proposed amendments to the regulations at 42 CFR part 2, 
Confidentiality of Substance Use Disorder Patient Records (Part 2), and 
45 CFR 164.520, Notice of Privacy Practices for Protected Health 
Information, and on the specific questions below. The Department 
welcomes public comment on any benefits or drawbacks of the proposed 
amendments set forth above in this proposed rule.
    1. Sec.  2.2 Purpose and Effect. The Department requests comment on 
whether the Department's proposals adding the terms ``use'' or ``uses'' 
to existing regulatory text that currently only states ``disclose'' or 
``disclosure,'' would substantively expand the scope of the applicable 
requirements and prohibitions in a manner not intended. The Department 
seeks input and specific examples of where the proposed insertion of 
new terms could result in any unintended adverse consequences for 
regulated entities.
    2. Sec.  2.3 Civil and Criminal Penalties for Violations. The 
Department requests comment on its proposals at Sec.  2.3(b) to create 
a limitation on civil or criminal liability for persons acting on 
behalf of investigative agencies if they unknowingly receive Part 2 
records while investigating a program or other person holding Part 2 
records without first obtaining the requisite court order, and on the 
proposed conditions to qualify for the limitation. Specifically, the 
Department requests comment on the potential impact on patient privacy 
and access to SUD treatment if investigative agencies can utilize a 
safe harbor when they unknowingly are in receipt of Part 2 records 
after first checking whether the program actually provides SUD 
services. Additionally, the Department requests comment on whether the 
listed activities should be the only ways an investigative agency may 
establish reasonable diligence. If there should be additional ways, 
what should they be and should they be included in regulatory text as 
an exclusive list?
    3. Sec.  2.11 Definitions.
    Business associate. The Department solicits comment on the proposal 
to adopt the definition of ``business associate'' that is used in the 
HIPAA Privacy Rule.
    Health care operations. The Department requests comment on the 
proposed definition of ``health care operations'', including the 
proposed approach in the consent requirements to offer an opt-in for 
fundraising, but not for de-identification and creating a designated 
record set.
    Intermediary. The Department requests comment on the proposed 
definition of intermediary and whether, in light of the new permission 
to disclose records for TPO based on a single prior consent, the 
requirements for an intermediary should be retained or removed.
    Investigative agency. The Department requests comment on the 
proposed definition of ``investigative agency'' and any concerns about 
including local agencies in the term, such as lack of uniform 
procedures, inconsistency across a state, or examples of local 
investigative agencies' involvement in investigating Part 2 programs. 
The Department also requests comment on whether to interpret state (or 
local, if it is added) to include Tribal agencies or whether to 
expressly include Tribal agencies within the regulatory definition. The 
existing Part 2 regulation does not reference the term ``Tribal.''
    Lawful holder. Additionally, the Department requests comment on 
whether a definition of ``lawful holder'' is needed to properly enforce 
Sec.  2.16 as discussed above and in the regulatory alternatives 
considered. The Department also requests comment on whether, with 
respect to Sec.  2.33, there are types of recipients of Part 2 records 
by way of a consent that should be excluded from a definition of 
``lawful holder''.
    Personal representative. With respect to persons who are authorized 
to make health care decisions on behalf of a minor, a patient who lacks 
capacity to make their own decisions, or a patient who is deceased, the 
Department requests comment on any benefits or drawbacks of adopting 
the Privacy Rule term ``personal representative,'' and the description 
of the term in 45 CFR 164.502(g)(2), as a defined term within this 
part. If adopted, this term would replace the phrase ``guardian or 
other persons authorized under state law to act on the patient's 
behalf'' and ``executor, administrator, or other personal 
representative appointed under applicable state law.''
    Records. With respect to the consideration of newly defining SUD 
counseling notes that would be part of a record, the Department 
requests comment on the benefits and burdens of adopting such a 
definition, similar to the psychotherapy notes provision under HIPAA. 
Additionally, the 
Department requests comment on the scope of SUD personnel who could 
potentially create SUD counseling notes and utilize the additional 
patient privacy protections they afford and whether a regulatory 
definition for SUD professional should be created.
    Use. With respect to the proposed definition of ``use'', the 
Department requests comment on whether to retain the specific reference 
to the use of records in certain proceedings against the patient, 
addressed at Sec. Sec.  2.61-2.67, or whether it would be clearer to 
adopt only the definition of the term ``use'' from the HIPAA Rules at 
45 CFR 160.103.
    4. Sec.  2.16 Security for records and notification of breaches. 
The Department requests public comment regarding the estimated burden 
for Part 2 programs that are not covered entities to comply with the 
proposed breach notification requirements. The Department also requests 
comment regarding the application of the Privacy Rule de-identification 
standard to rendering Part 2 records non-identifiable, as provided in 
the proposed modifications to Sec.  2.16(a)(1)(v) and (a)(2)(iv), 
including any unintended adverse consequences that may result from 
these proposed changes. The Department requests comment regarding 
whether the Security Rule or similar requirements should apply to Part 
2 programs that maintain electronic records but are not covered 
entities in the same manner as the Security Rule applies to covered 
entities and business associates. The Department requests comment on 
whether breach notification requirements that apply to business 
associates pursuant to the Privacy Rule should apply to QSOs as they 
are similarly situated. In addition, the Department requests comments 
from Part 2 programs that are not covered entities on whether they look 
to the HIPAA Security Rule generally for guidance on protecting 
electronic Part 2 records or otherwise voluntarily attempt to follow 
the requirements of the Security Rule. For any programs that may do so, 
the Department requests comment on what their experience has been, 
including any implementation costs. Finally, the Department requests 
comment on whether the requirements of this section that apply to a 
lawful holder should in any way depend on the level of sophistication 
of a lawful holder who is in receipt of Part 2 records by written 
consent, or should depend on whether the lawful holder is acting in 
some official or professional capacity connected to or related to the 
Part 2 records.
    5. Sec.  2.22 Notice to patients of Federal confidentiality 
requirements and 45 CFR 164.520 Notice of privacy practices for 
protected health information. The Department requests comment on ways 
to make the proposed notices more easily understandable, including 
examples of possible approaches, such as requiring the document to be 
at a particular reading grade level, maximum number of pages, or other 
suggestions. The Department specifically requests comment from legal, 
clinical, privacy, and civil rights experts on this matter.
    6. Sec.  2.24 Requirements for intermediaries. The Department 
solicits comment on the proposed reorganization and clarification of 
requirements for entities that facilitate health information exchange 
and whether there is a continued need for these requirements in light 
of the accounting of disclosures proposed in Sec.  2.25. Specifically, 
the Department solicits comment on how Part 2 programs have been 
implementing the existing requirements for intermediaries in Sec.  
2.13(d) and Sec.  2.31(a)(4)(ii) and examples of how those requirements 
have affected the ability of Part 2 programs to utilize HIEs.
    7. Sec.  2.25 Accounting of disclosures. The Department requests 
comment on the proposals to add a requirement for an accounting of 
disclosures for non-TPO disclosures and an accounting of disclosures 
through an electronic health record for TPO. The Department welcomes 
data from Part 2 programs that are also covered entities on the number 
and type of requests for an accounting of disclosures of PHI received 
annually, whether and how frequently they receive requests for an 
accounting of disclosures for TPO, and to what extent such covered 
entities are choosing to provide individuals with an accounting of TPO 
disclosures made through an electronic health record based on the 
HITECH Act statutory requirement, even absent an implementing 
regulation. The Department also welcomes comment on the provider burden 
and costs to respond to a request for an accounting for both TPO 
disclosures and non-TPO disclosures.
    8. Sec.  2.26 Right to request privacy protection for records. The 
Department requests comment and data on the extent to which covered 
entities and Part 2 programs receive requests from patients to restrict 
disclosures of patient identifying information for TPO purposes, how 
entities and programs track such requests, and the procedures and 
mechanisms used to comply with patient requests to which they have 
agreed or that they are otherwise required to comply with by law.
    9. Sec.  2.31 Consent requirements. The Department requests 
comments on its proposals that would implement changes to Sec.  2.31. 
Specifically, the Department requests comment on whether there are 
other changes that it should make to further align Sec.  2.31 with the 
Privacy Rule using its general regulatory authority in section 
3221(i)(1) of the CARES Act ``to make such revisions to regulations as 
may be necessary for implementing and enforcing the amendments.'' 
For example, the Department requests comment on the extent to which 
Part 2 programs segment out SUD treatment records considered ``SUD 
counseling notes.'' The Department requests comment on whether to 
propose special protection for SUD counseling notes to add a layer of 
regulatory protection that equates to the protection granted to 
psychotherapy notes in the Privacy Rule by requiring a separate written 
consent for their disclosure.\176\
---------------------------------------------------------------------------

    \176\ See e.g., 45 CFR 164.508(a)(2) requiring a covered entity 
to obtain written authorization prior to using or disclosing 
psychotherapy notes, subject to certain exceptions, and prohibiting 
the combining of an authorization to disclose psychotherapy notes 
with an authorization to disclose other types of PHI.
---------------------------------------------------------------------------

    The Department also solicits comment on the proposed changes to the 
consent requirements for entities that facilitate health information 
exchanges (i.e., intermediaries), particularly how they would affect 
the implementation of proposed changes to consent for TPO. The 
Department requests comment on whether, and to what extent, Part 2 
programs currently act on an oral revocation of consent, and if so, 
whether and how this is documented or tracked.
    10. Sec.  2.32 Notice to accompany disclosure. The Department 
welcomes comment from Part 2 programs that are covered entities, and 
recipients of Part 2 records that are covered entities or business 
associates, on whether and how the proposed changes to the redisclosure 
permissions in Sec.  2.32 are likely to reduce data segregation and 
positively affect the ability to provide treatment to patients with SUD 
and perform other beneficial activities. Specifically, the Department 
seeks comment on whether the proposed changes alone would be sufficient 
to implement section 3221 of the CARES Act, or whether different or 
additional modifications to Part 2 would be more effective to promote 
integration of Part 2 records with PHI, reduce stigma for patients with 
SUD, and improve access to SUD treatment while maintaining the 
confidentiality of Part 2 
records as required by 42 U.S.C. 290dd-2.
    11. Sec.  2.33 Uses and disclosures permitted with written consent. 
The Department requests comment on whether or how recipients of Part 2 
records are informed that the records have been disclosed based on 
patient consent and the scope of the consent that is provided. 
Specifically, the Department welcomes data on how Part 2 programs and 
recipients of Part 2 records communicate information about the purpose 
of a disclosure or set of disclosures and the extent of the information 
communicated about the purpose or the scope of the disclosure 
permission, authorization, or mandate. Should the Department consider 
requiring Part 2 programs to provide a copy of the written patient 
consent when disclosing records? Should the Department consider 
requiring Part 2 programs, covered entities, and business associates to 
retain a copy of the written patient consent for a minimum period of 
time so that they can provide documentation of the consent to future 
recipients, or to the Secretary for purposes of investigating 
compliance with Part 2? Are programs already doing this? To what extent 
would such requirements be useful to recipients of Part 2 records or 
impose a burden on programs? Additionally, should the Department 
require programs to inform an HIE when a patient revokes consent for 
TPO so that additional uses and disclosures by the HIE would not be 
imputed to the programs that have disclosed Part 2 records to the HIE? 
The Department also welcomes comments on the potential unintended 
negative effects on confidentiality and privacy from the combined 
application of the proposed disclosure permissions for TPO with consent 
under Sec.  2.33, and the removal of Sec.  2.53 protections for audit 
and evaluation activities that fall within the definition of health 
care operations, and suggested regulatory approaches.
    12. Sec.  2.52 Scientific research. The Department requests public 
comment on whether any Part 2 programs conduct research using their own 
Part 2 records. The Department also requests public comment regarding 
the application of the HIPAA de-identification standard to Part 2 
records disclosed for research, as provided in the proposed 
modifications to Sec.  2.52(a)(3), including any unintended adverse 
consequences that may result from this proposed change.
    13. Sec.  2.53 Management audits, financial audits, and program 
evaluation. The Department requests comment on its proposal to 
acknowledge within this section the applicable permission for use and 
disclosure of records for health care operations purposes based on 
written consent of the patient for all future uses and disclosures for 
TPO and the permission for the third party conducting such audit or 
evaluation activities to redisclose the records as permitted by the 
HIPAA Privacy Rule if the third-party recipient is a Part 2 program, 
covered entity, or business associate that is not acting as a health 
oversight agency.
    14. Section 2.54 Disclosures for public health. The Department 
requests comment on its proposal to permit disclosures only of de-
identified records for public health purposes without patient consent.
    15. Subpart E. The Department seeks comment on the set of proposals 
in Sec. Sec.  2.3, 2.66, 2.67, and 2.68 to create a limitation on civil 
and criminal liability for investigative agencies that in good faith 
discover they have received Part 2 records before obtaining the 
required court order in the course of investigating or prosecuting a 
program, and the related requirement for agencies that make use of 
these provisions to submit a report to the Secretary.

Public Participation

    The Department seeks comment on all issues raised by the proposed 
regulation, including any unintended adverse consequences. Because of 
the large number of public comments normally received on Federal 
Register documents, the Department is not able to acknowledge or 
respond to them individually. In developing the final rule, the 
Department will consider all comments that are received by the date and 
time specified in the DATES section of the Preamble.
    Because mailed comments may be subject to delays due to 
security procedures, please allow sufficient time for mailed comments 
to be timely received in the event of delivery delays. Any attachments 
submitted with electronic comments on www.regulations.gov should be in 
Microsoft Word or Portable Document Format (PDF). Please note that 
comments submitted by fax or email and those submitted after the 
comment period will not be accepted.

Regulatory Impact Analysis

    The Department has examined the impact of the proposed rule as 
required by Executive Order 12866 on Regulatory Planning and Review, 58 
FR 51735 (October 4, 1993); Executive Order 13563 on Improving 
Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); 
Executive Order 13132 on Federalism, 64 FR 43255 (August 10, 1999); 
Executive Order 13175 on Consultation and Coordination with Indian 
Tribal Governments, 65 FR 67249 (November 9, 2000); the Congressional 
Review Act, Public Law 104-121, sec. 251, 110 Stat. 847 (March 29, 
1996); the Unfunded Mandates Reform Act of 1995, Public Law 104-4, 109 
Stat. 48 (March 22, 1995); the Regulatory Flexibility Act, Public Law 
96-354, 94 Stat. 1164 (September 19, 1980); Executive Order 13272 on 
Proper Consideration of Small Entities in Agency Rulemaking, 67 FR 
53461 (August 16, 2002); the Assessment of Federal Regulations and 
Policies on Families, Public Law 105-277, sec. 654, 112 Stat. 2681 
(October 21, 1998); and the Paperwork Reduction Act of 1995, Public Law 
104-13, 109 Stat. 163 (May 22, 1995).

A. Executive Orders 12866 and 13563 and Related Executive Orders on 
Regulatory Review

    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects; distributive impacts; and equity). Executive Order 13563 is 
supplemental to, and reaffirms the principles, structures, and 
definitions governing regulatory review as established in, Executive 
Order 12866.
    This proposed rule is partially regulatory and partially 
deregulatory. The Department estimates that the effects of the proposed 
requirements for Part 2 programs would result in new costs of 
$19,364,667 within 12 months of implementing the final rule. The 
Department estimates these first-year costs would be partially offset 
by $12,755,378 of first-year cost savings, attributable to reductions 
in the need for Part 2 programs to obtain written patient consent for 
disclosures for treatment, payment, or health care operations (TPO) 
($9.8 million); reductions in the need for covered entities, business 
associates, and Part 2 programs to obtain written patient consent for 
redisclosures ($2.5 million); and reductions in capital expenses for 
printing consent forms ($0.5 million). This is followed by net savings 
of $10,240,622 annually in years two through five, resulting from a 
continuation of first-year cost savings of $12.8 million per year, minus 
the estimated annual costs of $2.5 million primarily attributable to 
compliance with breach notification requirements. This results in 
overall net cost savings of $34,353,198 over 5 years for changes to 42 
CFR part 2. In addition, the Department estimates that changes to 
45 CFR 164.520 would result in new nonrecurring costs for covered 
entities that receive or maintain Part 2 records in the amount of 
$44,935,225. Combined, the proposed regulatory changes to Part 2 and 
the Privacy Rule would result in estimated total costs of $64,299,891 
in the first year (approximately $19 million from Part 2 programs and 
$45 million from 45 CFR 164.520), followed by $2,514,756 of recurring 
annual costs in years two through five (from Part 2 programs), for a 
total of $74,358,914. This would be offset by an estimated annual 
savings of $12,755,378 for a total of $63,776,888 over five years. The 
combined result would be a net cost of $51,544,514 in the first year 
following the rule's effective date, followed by annual net savings of 
$10,240,622, resulting in 5-year net cost of $10,582,027 for HIPAA 
covered entities and Part 2 programs.
    The Department estimates that the private sector would bear 
approximately 60 percent of the costs, with state and federal health 
plans bearing the remaining 40 percent of the costs. All of the cost 
savings experienced from the first year through subsequent years would 
benefit Part 2 programs and covered entities. As a result of the 
economic impact, the Office of Management and Budget (OMB) has 
determined that this proposed rule is not an economically significant 
regulatory action within the meaning of section (3)(f)(1) of E.O. 
12866; however, it is a significant regulatory action because it 
presents novel legal and policy issues. Accordingly, OMB has reviewed 
this proposed rule.
    The Department presents a detailed analysis below.
Summary of the Proposed Rule
    This Notice of Proposed Rulemaking (NPRM) proposes to modify 42 CFR 
part 2 (``Part 2'') and 45 CFR 164.520 to implement changes required by 
section 3221 of the Coronavirus Aid, Relief, and Economic Security 
(CARES) Act, to further align Part 2 with the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) Rules, and for 
clarity and consistency. Major proposals are summarized below:
    (1) Sec.  2.1--Statutory authority for confidentiality of substance 
use disorder patient records.
    Revise Sec.  2.1 to more closely reflect the authority granted in 
42 U.S.C. 290dd-2(g), especially with respect to court orders 
authorizing the disclosure of records.
    (2) Sec.  2.2--Purpose and effect.
    Amend paragraph (b) of Sec.  2.2 to reflect that Sec.  2.3(b) 
compels disclosures to the Secretary that are necessary for enforcement 
of this rule, using language adapted from the Privacy Rule at 45 CFR 
164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to 
prohibit any limits on a patient's right to request restrictions on use 
of records for treatment, payment, or health care operations (TPO) or a 
covered entity's choice to obtain consent to use or disclose records 
for TPO purposes as provided in the Privacy Rule.
    (3) Sec.  2.3--Civil and criminal penalties for violations 
(proposed heading).
    Amend the heading and replace title 18 U.S.C. enforcement with 
references to the HIPAA enforcement authorities in the Social Security 
Act at sections 1176 (civil enforcement, including the CMP tiers 
established by the Health Information Technology for Economic and 
Clinical Health Act of 2009 (HITECH Act)) and 1177 (criminal 
penalties),\177\ as implemented in the Enforcement Rule.\178\ Create a 
limitation on civil or criminal liability for investigative agencies 
that act with reasonable diligence before making a demand for records 
in the course of an investigation of a program or other person holding 
Part 2 records by taking certain steps to determine whether a provider 
is subject to Part 2.
---------------------------------------------------------------------------

    \177\ See Public Law 111-5, 123 Stat. 226 (February 17, 2009). 
Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) 
amended sections 1176 and 1177 of the Social Security Act (codified 
at 42 U.S.C. 1320d-5) to add civil and criminal penalty tiers for 
violations of the HIPAA Administrative Simplification provisions.
    \178\ See 45 CFR part 160.
---------------------------------------------------------------------------

    (4) Sec.  2.4--Complaints of violations. (proposed heading)
    Amend the heading and insert requirements consistent with those 
applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), 
including: a requirement to establish a process for the Part 2 program 
to receive complaints, a prohibition against taking adverse action 
against patients who file complaints, and a prohibition against 
requiring individuals to waive the right to file a complaint as a 
condition of providing treatment, enrollment, payment, or eligibility 
for services.
    (5) Sec.  2.11--Definitions.
    Add new terms and definitions to align with the following statutory 
and regulatory HIPAA terms: Breach, Business associate, Covered entity, 
Health care operations, HIPAA, HIPAA regulations, Payment, Person, 
Public health authority, Treatment, Unsecured protected health 
information, and Use. Create new definitions for the terms 
Intermediary, Investigative agency, and Unsecured record, and modify 
the definitions of Informant, Part 2 program director, Patient, 
Program, Records, Third-party payer, Treating provider relationship, 
and Qualified service organization.
    (6) Sec.  2.12--Applicability.
    Replace ``Armed Forces'' with ``Uniformed Services'' in paragraph 
(c)(2) of Sec.  2.12. Incorporate four statutory examples of 
restrictions on the use or disclosure of Part 2 records to initiate or 
substantiate any criminal charges against a patient or to conduct any 
criminal investigation of a patient. Add language to qualify the term 
third-party payer with the phrase ``as defined in this part.'' Revise 
paragraph (e)(4)(i) to clarify when a diagnosis is not covered by Part 
2.
    (7) Sec.  2.13--Confidentiality restrictions and safeguards.
    Redesignate Sec.  2.13(d) requiring a list of disclosures as new 
Sec.  2.24 and modify the text for clarity. Amend the heading to 
distinguish the right to a list of disclosures made by intermediaries 
from the proposed new right to an accounting of disclosures made by a 
Part 2 program.
    (8) Sec.  2.14--Minor patients.
    Change the verb ``judges'' to ``determines'' to describe a program 
director's evaluation and decision that a minor lacks decision making 
capacity.
    (9) Sec.  2.15--Patients who lack capacity and deceased patients. 
(proposed heading)
    Revise to replace outdated language and refer instead to a lack of 
capacity to make health care decisions and add health plans to the list 
of entities to which a program may disclose records without consent.
    (10) Sec.  2.16--Security for records and notification of breaches. 
(proposed heading)
    Apply the HITECH Act breach notification provisions \179\ that are 
currently implemented in the Breach Notification Rule to breaches of 
records by Part 2 programs and retitle the provision to include breach 
notification to implement CARES Act provisions. Modify the provision to 
refer to the Privacy Rule de-identification standard at 45 CFR 164.514.
---------------------------------------------------------------------------

    \179\ Section 13400 of the HITECH Act (codified at 42 U.S.C. 
17921) defined the term ``Breach''. Section 13402 of the HITECH Act 
(codified at 42 U.S.C. 17932) enacted breach notification 
provisions, discussed in detail below.
---------------------------------------------------------------------------

    (11) Sec.  2.19--Disposition of records by discontinued programs.
    Add an exception to clarify that these provisions do not apply to 
transfers, retrocessions, and reassumptions of Part 2 programs under 
the Indian Self-Determination and Education
Assistance Act (ISDEAA), in order to facilitate the responsibilities 
set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 
25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the 
implementing ISDEAA regulations. Modernize the language to refer to 
``non-electronic'' records and include ``paper'' records as an example 
of non-electronic records.
    (12) Sec.  2.22--Notice to patients of federal confidentiality 
requirements.
    Modify the Part 2 confidentiality notice requirements (hereinafter, 
``Patient Notice'') to align with the Notice of Privacy Practices (NPP) 
and address protections required by 42 U.S.C. 290dd-2, as amended by 
section 3221 of the CARES Act, for entities that create or maintain 
Part 2 records.
    (13) Sec.  2.23--Patient access and restrictions on use and 
disclosure. (proposed heading)
    Add the term ``disclosure'' to the heading and body of this section 
to clarify that information obtained by patient access to their record 
may not be used or disclosed for purposes of a criminal charge or 
criminal investigation.
    (14) Sec.  2.24--Requirements for intermediaries (redesignated and 
proposed heading).
    Retitle the redesignated section (to be moved from Sec.  2.13(d)) 
as ``Requirements for intermediaries'' to clarify the responsibilities 
of recipients of records received under a consent with a general 
designation, such as health information exchanges, research 
institutions, accountable care organizations, and care management 
organizations.
    (15) Sec.  2.25--Accounting of disclosures (proposed heading).
    Add this section to implement 42 U.S.C. 290dd-2(b)(1)(D), as 
amended by section 3221 of the CARES Act, to incorporate into Part 
2 the HITECH Act right to an accounting of certain disclosures of 
records for up to three years prior to the date the accounting is 
requested and add a right to an accounting of disclosures of records 
that mirrors the standard in the Privacy Rule at 45 CFR 164.528.
    (16) Sec.  2.26--Right to request privacy protection for records 
(proposed heading).
    Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as 
amended by section 3221 of the CARES Act, to incorporate into Part 
2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 
164.522, namely: (1) a patient right to request restrictions on 
disclosures of records otherwise permitted for TPO purposes, and (2) a 
patient right to obtain restrictions on disclosures to health plans for 
services paid in full by the patient.
    (17) Subpart C--Uses and Disclosures With Patient Consent. 
(proposed heading)
    Change the heading of subpart C to ``Uses and Disclosures With 
Patient Consent'' to reflect changes made to the provisions of this 
subpart related to the consent to use and disclose Part 2 records, 
consistent with 42 U.S.C. 290dd-2(b), as amended by section 3221(b) 
of the CARES Act.
    (18) Sec.  2.31--Consent requirements.
    Align the content requirements for Part 2 written consent with the 
content requirements for a valid HIPAA authorization and clarify how 
recipients may be designated in a consent to use and disclose Part 2 
records for TPO.
    (19) Sec.  2.32--Notice to accompany disclosure (proposed heading).
    Change the heading of this section and align the content 
requirements for the required notice that accompanies a disclosure of 
records (hereinafter ``notice to accompany disclosure'') with the 
requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of 
the CARES Act.
    (20) Sec.  2.33--Uses and disclosures permitted with written 
consent (proposed heading).
    To align this provision with the statutory authority in 42 U.S.C. 
290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace 
the provisions requiring consent for uses and disclosures for payment 
and certain health care operations with permission to use and disclose 
records for TPO based on a single consent given once for all such 
future uses and disclosures, until such time as the patient revokes the 
consent in writing. Create redisclosure permissions for two categories 
of recipients of Part 2 records pursuant to a written consent: (1) 
Permit a Part 2 program, covered entity, or business associate that 
receives Part 2 records pursuant to a written consent for TPO purposes 
to redisclose the records in any manner permitted by the Privacy Rule, 
except for certain legal proceedings against the patient; \180\ and (2) 
Permit a lawful holder that is not a covered entity, business 
associate, or Part 2 program to redisclose Part 2 records for payment 
and health care operations to its contractors, subcontractors, or legal 
representatives as needed to carry out the activities in the consent.
---------------------------------------------------------------------------

    \180\ See 42 U.S.C. 290dd-2(b)(1)(B) and (2)(c).
---------------------------------------------------------------------------

    (21) Sec.  2.35--Disclosures to elements of the criminal justice 
system which have referred patients.
    For clarity, replace ``individuals'' with ``persons'' and clarify 
that permitted redisclosures of information are from Part 2 records.
    (22) Subpart D--Uses and Disclosures Without Patient Consent 
(proposed heading).
    Change the heading of subpart D to ``Uses and Disclosures Without 
Patient Consent'' to reflect changes made to the provisions of this 
subpart related to the consent to use and disclose Part 2 records, 
consistent with 42 U.S.C. 290dd-2 as amended by the CARES Act.
    (23) Sec.  2.51--Medical emergencies.
    For clarity in Sec.  2.51(c)(2), replace the term ``individual'' 
with the term ``person.''
    (24) Sec.  2.52--Scientific research (proposed heading).
    Revise the heading of Sec.  2.52 to reflect statutory language. To 
further align Part 2 with the Privacy Rule, replace the requirements to 
render Part 2 data in research reports non-identifiable with the 
Privacy Rule's de-identification standard in 45 CFR 164.514.
    (25) Sec.  2.53--Management audits, financial audits, and program 
evaluation (proposed heading).
    Revise the heading of Sec.  2.53 to reflect statutory language. To 
support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by 
section 3221(b) of the CARES Act, add a provision to acknowledge the 
permission for use and disclosure of records for health care operations 
purposes based on written consent of the patient and the permission to 
redisclose such records as permitted by the HIPAA Privacy Rule if the 
recipient is a Part 2 program, covered entity, or business associate.
    (26) Sec.  2.54--Disclosures for public health (proposed heading).
    Add a new Sec.  2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as 
amended by section 3221(c) of the CARES Act, to permit disclosure of 
records without patient consent to public health authorities provided 
that the records disclosed are de-identified according to the standards 
established in 45 CFR 164.514.
    (27) Subpart E--Court Orders Authorizing Use and Disclosure 
(proposed heading).
    Change the heading of subpart E to reflect changes made to the 
provisions of this subpart related to the uses and disclosure of Part 2 
records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), 
as amended by sections 3221(b) and (e) of the CARES Act.
    (28) Sec.  2.61--Legal effect of order.
    Add the term ``use'' to clarify that the legal effect of a court 
order would include authorizing the use and
disclosure of records, consistent with 42 U.S.C. 290dd-2(b) and (c), as 
amended by section 3221(e) of the CARES Act.
    (29) Sec.  2.62--Order not applicable to records disclosed without 
consent to researchers, auditors, and evaluators.
    For clarity, replace the term ``qualified personnel'' with a 
reference to the criteria that define such persons.
    (30) Sec.  2.63--Confidential communications.
    Revise paragraph (c) of Sec.  2.63 to expressly include civil, 
criminal, administrative, and legislative proceedings as forums where 
the requirements for a court order under this part would apply, to 
implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the 
CARES Act.
    (31) Sec.  2.64--Procedures and criteria for orders authorizing 
uses and disclosures for noncriminal purposes (proposed heading).
    Expand the types of forums where restrictions on use and disclosure 
of records in civil proceedings against patients apply \181\ to 
expressly include administrative and legislative proceedings and also 
restrict the use of testimony conveying information in a record in 
civil proceedings against patients, absent consent or a court order. 
Add the term ``uses'' to the heading and in this section to align it 
with current statutory authority.
---------------------------------------------------------------------------

    \181\ See 42 CFR part 2, subpart E.
---------------------------------------------------------------------------

    (32) Sec.  2.65--Procedures and criteria for orders authorizing use 
and disclosure of records to criminally investigate or prosecute 
patients (proposed heading).
    Expand the types of forums where restrictions on uses and 
disclosure of records in criminal proceedings against patients apply 
\182\ to expressly include administrative and legislative proceedings 
and also restrict the use of testimony conveying information in a Part 
2 record in criminal legal proceedings against patients, absent consent 
or a court order.
---------------------------------------------------------------------------

    \182\ Id.
---------------------------------------------------------------------------

    (33) Sec.  2.66--Procedures and criteria for orders authorizing use 
and disclosure of records to investigate or prosecute a Part 2 program 
or the person holding the records. (proposed heading)
    Create requirements for investigative agencies to follow in the 
event they discover in good faith that they received Part 2 records 
before seeking a court order as required under Sec.  2.66.
    (34) Sec.  2.67--Orders authorizing the use of undercover agents 
and informants to investigate employees or agents of a part 2 program 
in connection with a criminal matter.
    Add new criteria for issuance of a court order in instances where 
an application is submitted after the placement of an undercover agent 
or informant has already occurred, requiring an investigative agency to 
satisfy the conditions at Sec.  2.3(b).
    (35) Sec.  2.68--Report to the Secretary (proposed heading).
    Create new requirements for investigative agencies to file annual 
reports about the instances in which they applied for a court order 
after receipt of Part 2 records or placement of an undercover agent or 
informant as provided in Sec.  2.66 and Sec.  2.67.
    (36) 45 CFR 164.520--Notice of privacy practices for protected 
health information.
    Revise 45 CFR 164.520 to implement updates to the NPP to address 
Part 2 confidentiality requirements, as required by section 3221(i)(2) 
of the CARES Act.
    The proposed changes to Part 2 and 45 CFR 164.520 would create some 
estimated costs, and numerous and substantial estimated cost savings 
and anticipated benefits that the Department is unable to quantify but 
are described in depth below. These include improving the integration 
of SUD treatment with that of other health care by facilitating the 
integration of SUD treatment records with other medical records, 
reductions in paperwork for providers, and regulatory certainty.
    The Department estimates that the first-year costs for Part 2 
programs will total approximately $19 million. These first-year costs 
are attributable to Part 2 programs training workforce members on the 
revised requirements ($12.4 million); capital expenses ($0.8 million); 
compliance with breach notification requirements ($1.5 million); 
updating Patient Notices and NPPs ($2.4 million); updating consent 
forms ($1.5 million); and updating the notice to accompany disclosures 
($0.6 million). It also includes nominal costs for responding to 
requests for privacy protection, providing accounting of disclosures, 
and $25,795 for investigative agencies to file reports to the 
Secretary. For years 2 through 5, the estimated annual costs of $2.5 
million are primarily attributable to compliance with breach 
notification requirements and related capital expenses. Additionally, 
the Department estimates nonrecurring costs of $45 million for covered 
entities that receive or maintain Part 2 records due to updating the 
HIPAA NPP under 45 CFR 164.520.
    The Department estimates annual cost savings of $12.8 million per 
year, over 5 years, attributable to reductions in the need for Part 2 
programs to obtain written patient consent for disclosures for TPO 
($9.8 million), reductions in the need for covered entities and 
business associates to obtain written patient consent for redisclosures 
($2.5 million), and reductions in capital expenses for printing consent 
forms ($0.5 million).\183\
---------------------------------------------------------------------------

    \183\ Totals in this Regulatory Impact Analysis may not add up 
due to showing rounded numbers in the tables.
---------------------------------------------------------------------------

    The Department estimates net costs for Part 2 programs totaling 
approximately $6.6 million in the first year followed by net savings of 
approximately $10 million annually in years 2 through 5, resulting in 
overall net cost savings of approximately $34 million over 5 years.

                                   Table 1a--Part 2 Estimated 5-Year Costs and Cost-Savings, Undiscounted, in Millions
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Total Part 2 costs and cost-savings
---------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Year 1          Year 2          Year 3          Year 4          Year 5           Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Costs:
    Total, Costs........................................             $19              $3              $3              $3              $3             $29
Cost-Savings:
    Total, Cost-savings.................................              13              13              13              13              13              64
                                                         -----------------------------------------------------------------------------------------------
        Net (negative = savings)........................               7            (10)            (10)            (10)            (10)            (34)
--------------------------------------------------------------------------------------------------------------------------------------------------------


                              Table 1b--Estimated Part 2 and HIPAA 5-Year Costs and Cost-Savings, Undiscounted, in Millions
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                         Total regulatory costs and cost-savings
---------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Year 1          Year 2          Year 3          Year 4          Year 5           Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Costs:
    Total, Costs........................................             $64              $3              $3              $3              $3             $74
Cost-Savings:
    Total, Cost-savings.................................              13              13              13              13              13              64
                                                         -----------------------------------------------------------------------------------------------
        Net (negative = savings)........................              52            (10)            (10)            (10)            (10)              11
--------------------------------------------------------------------------------------------------------------------------------------------------------

2. Need for the Proposed Rule
    On March 27, 2020, Congress enacted the CARES Act as Public Law 
116-136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd-2, the 
statute that establishes requirements regarding the confidentiality and 
disclosure of certain records relating to SUD, and section 3221(i) of 
the CARES Act requires the Secretary to promulgate regulations 
implementing those amendments.\184\ With this NPRM, the Department 
proposes changes to Part 2 and 45 CFR 164.522 to implement section 3221 
of the CARES Act, increase clarity, and decrease compliance burdens for 
regulated entities. The Department believes the proposed changes would 
reduce data segmentation within entities subject to the regulatory 
requirements promulgated under both HIPAA and Part 2.
---------------------------------------------------------------------------

    \184\ Section 3221(i) of the CARES Act requires implementation 
on or after the date that is 12 months after the enactment of the 
CARES Act, i.e., March 27, 2021.
---------------------------------------------------------------------------

    Significant differences in the permitted uses and disclosures of 
Part 2 records and protected health information (PHI) as defined under 
the Privacy Rule contribute to ongoing operational compliance 
challenges. For example, currently, entities subject to Part 2 must 
obtain specific written consent for most uses and disclosures of Part 2 
records, including for TPO, while the Privacy Rule permits many uses 
and disclosures of PHI without authorization. Therefore, to comply with 
both sets of regulations, HIPAA covered entities subject to Part 2 must 
track and segregate Part 2 records from other health records (e.g., 
records that are protected under the HIPAA Rules but not Part 2).\185\
---------------------------------------------------------------------------

    \185\ For example, a clinic that provides general medical 
services, and has a unit specializing in SUD treatment that is a 
Part 2 program, would need to segregate its SUD records from other 
medical records, even for the same patient, to ensure that the SUD 
records are used and disclosed only as permitted by Part 2.
---------------------------------------------------------------------------

    In addition, once PHI is disclosed to an entity not covered by 
HIPAA it is no longer protected by the HIPAA Rules. In contrast, Part 2 
strictly limits redisclosures of Part 2 records by individuals or 
entities that receive a record directly from a Part 2 program or other 
``lawful holder'' of patient identifying information, absent written 
patient consent.\186\ \187\ Therefore, any Part 2 records 
received from a Part 2 program or other lawful holder must be 
segregated or segmented from non-Part 2 records.\188\ The need to 
segment Part 2 records from other health records created data ``silos'' 
that hamper the integration of SUD treatment records into entities' 
electronic record systems and billing processes, which in turn may 
impact the ability to integrate treatment for behavioral health 
conditions and other health conditions.\189\ Many stakeholders have 
urged the Department to take action to eliminate the need for such data 
segmentation,\190\ and the Department believes its proposals will 
reduce, but not completely eliminate, the need for data segmentation or 
tracking.
---------------------------------------------------------------------------

    \186\ See 42 CFR 2.12(d)(2)(i)(C).
    \187\ ``Patient identifying information means the name, address, 
social security number, fingerprints, photograph, or similar 
information by which the identity of a patient, as defined in this 
section, can be determined with reasonable accuracy either directly 
or by reference to other information. The term does not include a 
number assigned to a patient by a part 2 program, for internal use 
only by the part 2 program, if that number does not consist of or 
contain numbers (such as a social security, or driver's license 
number) that could be used to identify a patient with reasonable 
accuracy from sources external to the part 2 program.'' 42 CFR 2.11. 
See also definition of ``Disclose'': ``[T]o communicate any 
information identifying a patient as being or having been diagnosed 
with a substance use disorder, having or having had a substance use 
disorder, or being or having been referred for treatment of a 
substance use disorder either directly, by reference to publicly 
available information, or through verification of such 
identification by another person.'' 42 CFR 2.11.
    \188\ See 42 CFR 2.12(d)(2)(ii).
    \189\ McCarty, D., Rieckmann, T., Baker, R.L., & McConnell, K.J. 
(2017). ``The Perceived Impact of 42 CFR part 2 on Coordination and 
Integration of Care: A Qualitative Analysis.'' Psychiatric Services 
(Washington, DC), 68(3), 245-249, https://doi.org/10.1176/appi.ps.201600138.
    \190\ For example, the Ohio Behavioral Health Providers Network 
(Network) in an August 21, 2020 letter to SAMHSA, and the 
Partnership to Amend Part 2 in a similar January 8, 2021 letter to 
the U.S. Department of Health and Human Services (HHS), both urge 
that there should be no requirement for data segmentation or 
segregation after written consent is obtained and Part 2 records are 
transmitted to a health information exchange or care management 
entity that is a business associate of a covered entity covered by 
the new CARES Act consent language. In the letter, the Network 
states that such requirements are difficult to implement in 
federally qualified health centers and other integrated settings in 
which SUD treatment may be provided. See also public comments 
expressed and summarized in 85 FR 42986, https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records; and see 
https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.
---------------------------------------------------------------------------

3. Cost-Benefit Analysis
Overview and Methodology
    In comparison to the estimated number of HIPAA covered entities 
(774,331 \191\), the estimated number of Part 2 programs is very small 
(16,066 \192\), or just 2 percent of the number of covered entities. 
Because the number of Part 2 programs is so small, the Department 
includes the entire estimated number of Part 2 programs when estimating 
the projected costs and cost savings of the proposals in this NPRM, 
even though a percentage of Part 2 programs are already complying with 
HIPAA requirements because they are subject to both Part 2 and HIPAA. 
The Department requests comment on this approach and data on the number 
or proportion of Part 2 programs that are also HIPAA covered entities.
---------------------------------------------------------------------------

    \191\ See Proposed Modifications to the HIPAA Privacy Rule To 
Support, and Remove Barriers to, Coordinated Care and Individual 
Engagement, 86 FR 6446, 6498 (January 21, 2021).
    \192\ See Substance Abuse and Mental Health Services 
Administration, National Survey of Substance Abuse Treatment 
Services (N-SSATS): 2020. Data on Substance Abuse Treatment 
Facilities. Rockville, MD: Substance Abuse and Mental Health 
Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
---------------------------------------------------------------------------

    This regulatory impact analysis (RIA) relies on the same data 
source used by SAMHSA for the estimated number of Part 2 programs in 
SAMHSA's 2020 Information Collection Request (ICR) (``Part 2 ICR'') 
\193\ and uses an updated statistic from that source. The NPRM
also adopts the estimated number of covered entities used in the OCR's 
2021 ICR for the Privacy Rule NPRM (``2021 HIPAA ICR''), as well as its 
cost assumptions for many requirements of the HIPAA Rules, including 
breach notification activities.
---------------------------------------------------------------------------

    \193\ 85 FR 42986 (July 15, 2020).
---------------------------------------------------------------------------

    When applying HIPAA cost assumptions to Part 2 programs, the 
Department multiplies the figures by 2 percent (.02), representing the 
number of Part 2 programs in proportion to the total number of covered 
entities. In some instances, the estimates historically used by OCR and 
SAMHSA for similar regulatory requirements were developed based on 
different methodologies, resulting in significantly different fiscal 
projections for some required activities. This RIA adopts OCR's 
approach for those projected costs and cost savings.
    In addition to the quantitative analyses of the effects of the 
proposed regulatory modifications, the Department analyzes some 
benefits and burdens qualitatively; relatedly, there is uncertainty 
inherent in predicting the actions that a diverse scope of regulated 
entities might take in response to this proposed rule. The Department 
requests comment on the estimates, assumptions, and analyses contained 
herein--and any relevant information or data that would inform a 
quantitative analysis of proposed reforms that the Department 
qualitatively addresses in this RIA.
    For reasons explained more fully below, the proposed changes to the 
consent requirements for Part 2 programs and redisclosure permissions 
for covered entities and business associates would result in economic 
cost savings of approximately $63,776,888 over 5 years based on the 
proposed changes. The resulting net cost over 5 years is due to 
first-year expenses, including costs for some health plans to mail an 
updated NPP, which would be finalized as part of a comprehensive HIPAA 
Privacy Rule.

                                                                Table 2--Accounting Table
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                  Accounting table of estimated benefits and costs of all proposed changes, in millions
---------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Year 1          Year 2          Year 3          Year 4          Year 5          Total *
--------------------------------------------------------------------------------------------------------------------------------------------------------
Costs:
    Undiscounted........................................             $64              $3              $3              $3              $3             $74
    3% Discount.........................................              50               2               2               2               2              58
    7% Discount.........................................              37               1               1               1               1              42
Cost Savings:
    Undiscounted........................................              13              13              13              13              13              64
    3% Discount.........................................              10              10               9               9               9              47
    7% Discount.........................................               7               7               6               6               6              33
                                                         -----------------------------------------------------------------------------------------------
        NET (undiscounted)..............................  ..............  ..............  ..............  ..............  ..............       Costs $11
--------------------------------------------------------------------------------------------------------------------------------------------------------
Non-quantified benefits and costs are described below.
--------------------------------------------------------------------------------------------------------------------------------------------------------
* Totals may not add up due to rounding.

Baseline Assumptions
    In developing its estimates of the potential costs and cost savings 
of the proposed regulation the Department relied substantially on 
recent prior estimates for modifications to this regulation \194\ and 
the Privacy Rule \195\ and associated ICRs. Specifically, the Part 2 
ICR data previously approved under OMB control #0930-0092 informs the 
Department's estimates with respect to proposed modifications to Part 2 
provisions.\196\ However, for proposed Part 2 provisions that are based 
on provisions of the HIPAA Rules, and for proposed changes to 45 CFR 
164.520, the Department relies on OCR's HIPAA regulatory ICRs 
previously approved under OMB control #0945-0003 and updated consistent 
with OCR's 2021 Privacy Rule NPRM.\197\
---------------------------------------------------------------------------

    \194\ See 83 FR 239 (January 3, 2018) and 85 FR 42986 (July 15, 
2020).
    \195\ 86 FR 6446 (January 21, 2021).
    \196\ 85 FR 42986 (July 15, 2020).
    \197\ 84 FR 51604 (September 30, 2019). See also 86 FR 6446 
(January 21, 2021).
---------------------------------------------------------------------------

    Because the Department lacks data to determine the percentage of 
Part 2 programs that are also subject to the HIPAA Rules, the 
Department assumes for purposes of this analysis that the proposed 
changes to Part 2 would affect all Part 2 programs equally--including 
those programs that are also HIPAA covered entities, and thus already 
are subject to requirements under the HIPAA Rules (e.g., breach 
notification) that the Department proposes to incorporate into Part 2. 
Thus, this RIA likely overestimates the overall compliance burden on 
Part 2 programs posed by the proposals in this NPRM. In contrast, this 
RIA likely underestimates the cost savings of the NPRM. The estimated 
cost savings are primarily attributed to the reduction in the number of 
written patient consents that would be needed to use or disclose 
records for TPO and to redisclose them for other purposes permitted by 
the Privacy Rule. Because the Department lacks data to estimate the 
annual numbers of written patient consents and disclosures to covered 
entities, this RIA adopts an assumption that only three consents per 
patient are currently obtained per year (one each for treatment, 
payment, and health care operations) and only one half of such consents 
result in a disclosure of records to a HIPAA covered entity or business 
associate, for which consent would be no longer required to use or 
redisclose the record under the NPRM's proposals. The Department 
requests comments on its assumptions and data to refine its estimates.
Part 2 Programs, Covered Entities, and Patient Population
    The Department relies on the same source as the approved Part 2 ICR 
\198\ as the basis for its estimates of the total number of Part 2 
programs and total annual Part 2 patient admissions. Part 2 programs 
are publicly (Federal, State, or local) funded, assisted, or regulated 
SUD treatment programs. The Part 2 ICR's estimate of the number of such 
programs (respondents) is based on the results of the 2020 National 
Survey of Substance Abuse Treatment Services (N-SSATS), and the average 
number of annual total responses is based on the results of the average 
number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode 
Data Set (TEDS) as the number of patients treated annually by Part 2 
programs, both approved under OMB Control No. 0930-

[[Page 74255]]

0335.\199\ In the 2020 data from N-SSATS, the number of Part 2 
respondents was 16,066.\200\ The TEDS data for SUD treatment admissions 
has been updated, so the Department relies on the 2019 statistic, as 
shown in the table below.
---------------------------------------------------------------------------

    \198\ 85 FR 42986 (July 15, 2020).
    \199\ 84 FR 787 (January 31, 2019).
    \200\ See Substance Abuse and Mental Health Services 
Administration, National Survey of Substance Abuse Treatment 
Services (N-SSATS): 2020. Data on Substance Abuse Treatment 
Facilities. Rockville, MD: Substance Abuse and Mental Health 
Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.

        Table 3--Part 2 Programs, Covered Entities, and Patients
------------------------------------------------------------------------
                                                Total annual  part 2
   Estimated number  of part 2 programs          program admissions
------------------------------------------------------------------------
16,066....................................  \201\ 1,864,367
------------------------------------------------------------------------
   Estimated number of covered entities       Total annual new patients
------------------------------------------------------------------------
774,331 \202\.............................  \203\ 613,000,000
------------------------------------------------------------------------

    For purposes of calculating estimated costs and benefits the 
Department relies on mean hourly wage rates for occupations involved in 
providing treatment and operating health care facilities, as noted in 
the table below.
---------------------------------------------------------------------------

    \201\ Substance Abuse and Mental Health Services Administration, 
Center for Behavioral Health Statistics and Quality. Treatment 
Episode Data Set (TEDS): 2019. Admissions to and Discharges From 
Publicly Funded Substance Use Treatment. Rockville, MD: Substance 
Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35314/2019_TEDS_Proof.pdf.
    \202\ 86 FR 6446 (January 21, 2021).
    \203\ Id.

                     Table 4--Occupational Pay Rates
------------------------------------------------------------------------
                       Occupational pay rates \a\
-------------------------------------------------------------------------
                                                            Hourly wage
                Occupation code and title                  rate x 2 \b\
------------------------------------------------------------------------
00-0000 All Occupations.................................          $56.02
43-3021 Billing and Posting Clerks......................           41.10
29-0000 Healthcare Practitioners and Technical                     87.60
 Occupations............................................
29-9098 Health Information Technologists, Medical                  59.06
 Registrars, Surgical Assistants, and Healthcare
 Practitioners and Technical Workers, All Other.........
15-1212 Information Security Analysts...................          108.92
23-1011 Lawyer..........................................          142.34
13-1111 Management Analysts.............................           96.66
11-9111 Medical and Health Services Manager.............          115.22
29-2098 Medical Records Specialist......................           46.46
43-0000 Office and Administrative Support Occupations...           41.76
11-2030 Public Relations and Fundraising Managers.......          127.70
21-1018 Substance Abuse, Behavioral Disorder, and Mental           51.44
 Health Counselors......................................
13-1151 Training and Development Specialist.............           65.02
43-4171 Receptionist and Information Clerk..............           31.64
15-1257 Web Developer and Digital Interface Designer....           91.80
------------------------------------------------------------------------
\a\ Bureau of Labor Statistics, U.S. Department of Labor, ``Occupational
  Employment and Wages'' May 2021, https://www.bls.gov/oes/current/oes_stru.htm.
\b\ To incorporate employee benefits, these figures represent a doubling
  of the BLS mean hourly wage.

Qualitative Analysis of Non-Quantified Benefits and Burdens
    The Department's analysis focuses on primary areas of proposed 
changes that are likely to have an impact on regulated entities or 
patients. These are proposals to establish or modify requirements with 
respect to: enforcement and penalties, notification of breaches, 
consent for uses and disclosures, Patient Notice and the NPP, notice 
accompanying disclosure, requests for privacy protection, accounting of 
disclosures, audit and evaluation, disclosures for public health, and 
use and disclosure of records by investigative agencies. In addition to 
these proposals, the Department believes the modifications to Part 2 
that are proposed for clarification, readability, or consistency with 
HIPAA terminology, would have the unquantified benefits of providing 
clarity and regulatory certainty. The provisions that fall into this 
category and for which anticipated benefits are not discussed in-depth, 
are:
    Sec. Sec.  2.1-2.2, 2.4 Statutory authority and enforcement, Sec.  
2.11 Definitions, Sec.  2.12 Applicability, Sec.  2.13 Confidentiality 
restrictions and safeguards, Sec.  2.14 Minor patients, Sec.  2.15 
Patients who lack capacity and deceased patients, Sec.  2.17 Undercover 
agents and informants, Sec.  2.19 Disposition of records by 
discontinued programs, Sec.  2.20 Relationship to state laws, Sec.  
2.21 Relationship to federal statutes protecting research subjects 
against compulsory disclosure of their identity, Sec.  2.23 Patient 
access and restrictions on use and disclosure, Sec.  2.24 Requirements 
for intermediaries, Sec.  2.34 Uses and Disclosures to prevent multiple 
enrollments, Sec.  2.35 Disclosures to elements of the criminal justice 
system which have referred patients, Sec.  2.52 Scientific research, 
Sec. Sec.  2.61-2.65 Court Orders Authorizing Use and Disclosure.
    The Department provides its analysis of non-quantified benefits and 
burdens for the primary areas of proposed regulatory change below, 
followed by estimates and analysis of quantified benefits and costs in 
section (e).
    Sec.  2.3--Civil and criminal penalties for violations (proposed 
heading).
    The Department proposes to create limitations on civil and criminal 
liability for investigative agencies in the event they unknowingly 
receive Part 2 records in the course of investigating or prosecuting a 
Part 2 program or other person holding Part 2 records prior to 
obtaining the required court order under subpart E. This safe harbor 
would promote public safety by permitting agencies to investigate Part 
2 programs and persons holding Part 2 records in good faith without 
risk of HIPAA/HITECH Act penalties. The liability

[[Page 74256]]

limitations would be available only to agencies that could demonstrate 
reasonable diligence in attempting to determine whether a provider was 
subject to Part 2 before making a legal demand for records or placement 
of an undercover agent or informant. The proposed changes would benefit 
SUD providers, Part 2 programs, investigative agencies, and the courts, 
by encouraging agencies to seek information about a provider's Part 2 
status in advance and potentially reducing the number of instances 
where applications for good cause court orders are denied. 
Incentivizing investigative agencies to check whether Part 2 applies in 
advance of investigating a provider would benefit the court system, 
programs, public safety, patients, and agencies by enhancing 
efficiencies within 
the legal system, promoting the rule of law, and ensuring the Part 2 
protections for records are utilized when applicable.
    The limitations on liability for investigative agencies may result 
in more disclosures of patient records to such agencies by facilitating 
investigations and prosecutions of Part 2 programs and lawful holders. 
The Department believes that limiting the application of proposed Sec.  
2.3(b) to investigations and prosecutions of programs and holders of 
records, requiring non-identifying information in the application for 
the requisite court orders,\204\ and keeping patient identifying 
information under seal \205\ will provide strong and continuing 
protections for patient privacy while promoting public safety.
---------------------------------------------------------------------------

    \204\ See Sec.  2.66 (requiring use of ``John Doe'').
    \205\ See Sec. Sec.  2.66 and 2.67.
---------------------------------------------------------------------------

    Sec.  2.16 Security for records and notification of breaches 
(proposed heading).
    The Department proposes to add notification of breaches to Sec.  
2.16 so that the requirements of 45 CFR 164.400 et seq. would apply to 
breaches of Part 2 records by programs in the same manner as those 
requirements apply to breaches of PHI. Notification of breaches is a 
cornerstone element of good information practices because it permits 
affected individuals or patients to take steps to remediate harm, such 
as putting fraud alerts on their credit cards, checking their credit 
reports, notifying financial institutions, and informing personal 
contacts of potential scams involving the patient's identity. It is 
difficult to quantify the value of receiving notification in comparison 
to the costs incurred in restoring one's credit, correcting financial 
records, or the cost of lost opportunities due to loss of income or 
reduced credit ratings.\206\
---------------------------------------------------------------------------

    \206\ See Preamble, Breach Notification for Unsecured Protected 
Health Information, 74 FR 42739, 42765-66 (August 24, 2009).
---------------------------------------------------------------------------

    The benefit to the patient of learning about a breach of personally 
identifying information includes the opportunity for the patient to 
take timely action to regain control over their information and 
identity. The Department does not have data to predict how many 
patients will sign up for credit monitoring or other identity 
protections after receiving a notification of breach of their Part 2 
records; however, the Department believes that the costs to patients of 
taking these actions \207\ will be far outweighed by the savings of 
avoiding identity theft.\208\ Requiring Part 2 programs to provide 
breach notification would ensure that patients of such programs are 
provided the same informational protections as patients that receive 
other types of health care services from HIPAA covered entities.
---------------------------------------------------------------------------

    \207\ See Alexandria White, ``How much does credit monitoring 
cost?'' CNBC (November 16, 2021), https://www.cnbc.com/select/how-much-does-credit-monitoring-cost/.
    \208\ See Kenneth Terrell, ``Identity Fraud Hit 42 Million 
People in 2021,'' AARP (April 7, 2022) (``[T]he average per-victim 
loss from traditional identity fraud [is] $1,551.''), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.
---------------------------------------------------------------------------

    Sec.  2.22 Patient Notice & 45 CFR 164.520 (NPP).
    Patients, Part 2 programs, and covered entities are all likely to 
benefit from proposed changes to more closely align the Patient Notice 
and NPP regulatory requirements, which would simplify their compliance 
with the two regulations. The Department proposes to establish for 
patients the right to discuss the Patient Notice with a person 
designated by the program as the contact person and to include 
information about this right in the header of the Patient Notice as 
proposed in the HIPAA NPRM.\209\ These proposed changes would help 
improve a patient's understanding of the program's privacy practices 
and the patient's rights with respect to their records. Even for 
patients who do not request a discussion under this proposal, knowledge 
of the right may promote trust and confidence in how their records are 
handled.
---------------------------------------------------------------------------

    \209\ See Proposed Modifications to the HIPAA Privacy Rule To 
Support, and Remove Barriers to, Coordinated Care and Individual 
Engagement, 86 FR 6446 (January 21, 2021).
---------------------------------------------------------------------------

    Sec.  2.25 Accounting of Disclosures (proposed heading).
    Adding a requirement to account for disclosures for TPO through an 
electronic health record would benefit patients by increasing 
transparency about how their records are used and disclosed for those 
purposes. This proposed requirement could counterbalance concerns about 
loss of control that patients may experience as a result of the 
proposed changes to the consent process that would permit all future 
TPO uses and disclosures based on a single general consent. The data 
logs that Part 2 programs would need to maintain to create an accurate 
and complete accounting of TPO disclosures could also be beneficial for 
such programs in the event of an impermissible access by enabling 
programs to identify the responsible workforce member or other wrongful 
actor.
    Sec.  2.26 Right to request privacy protection for records 
(proposed heading).
    Adding a new right for patients to request restrictions on uses and 
disclosures of their records for TPO is likely to benefit patients by 
giving them a new opportunity to assert their privacy interests to 
program staff, to address patients' concerns about who may see their 
records and what may be done with the information their records 
contain.
    With respect to the right for patients to restrict disclosures to 
their health plan when patients have paid in full for services, 
patients will benefit by being shielded from potential harmful effects 
of some health plans' restrictive coverage policies or other potential 
negative effects, such as employers learning of patients' SUD 
diagnoses.\210\
---------------------------------------------------------------------------

    \210\ National Academies of Sciences, Engineering, and Medicine. 
(2016). Ending Discrimination Against People with Mental and 
Substance Use Disorders: The Evidence for Stigma Change. Washington, 
DC: The National Academies Press. doi: 10.17226/23442, https://www.nap.edu/23442; U.S. Department of Health and Human Services 
(HHS), Office of the Surgeon General, Facing Addiction in America: 
The Surgeon General's Report on Alcohol, Drugs, and Health. 
Washington, DC: HHS, November 2016.
---------------------------------------------------------------------------

    This right may also improve rates of access to SUD treatment 
because of patients' increased trust that they have the opportunity to 
ensure that their records will remain within the Part 2 program. A 
limitation on the benefits of this right is that it is only available 
to patients with the means to pay privately for SUD treatment.
    Part 2 programs may benefit from increased frequency of patients 
paying in full out of pocket, which could decrease the time spent by 
staff in billing and claims activities. Part 2 programs also may 
benefit from increased patient trust in the programs' protection of 
records.
    Sec.  2.31 Consent requirements and Sec.  2.33 Uses and disclosures 
permitted

[[Page 74257]]

with written consent (proposed heading).
    The proposed changes to consent for Part 2 records are two-fold: 
changes to the required elements on the written consent form and a 
reduction in the instances where a separate written consent is needed 
(the process of obtaining consent). Proposed changes to the consent 
form for alignment with the HIPAA authorization form would likely 
benefit Part 2 programs because they would employ more uniform language 
and concepts related to information use and disclosure. Such changes 
may particularly benefit Part 2 programs that are also subject to the 
HIPAA Rules, so staff do not have to compare and interpret different 
terms on forms that request the use or disclosure of similar types of 
information.
    Permitting patients to sign a single general consent for all uses 
and disclosures of their record for TPO may carry both burdens and 
benefits for patients. Patients may benefit from a reduction in the 
amount of paperwork they must sign to give permission for routine 
purposes related to treatment and payment and associated reductions 
in time spent waiting for referrals, transfer of records among 
providers, and payment of health insurance claims. At the same time, 
patients may experience a sense of loss of control over their records 
and the information they contain when they lose the opportunity to make 
specific decisions about which uses and disclosures they would permit. 
In some instances, the reduced ability to make specific use and 
disclosure decisions could result in a greater likelihood of harm to 
reputation, relationships, and livelihood.
    Part 2 programs would likely benefit from the efficiencies 
resulting from permitting a general consent for all TPO uses and 
disclosures by freeing staff from burdensome paperwork. In contrast, 
clinicians in Part 2 programs may find it harder to gain the 
therapeutic trust needed for patients to divulge sensitive information 
during treatment if patients become less confident about where their 
information may be shared and their ability to control those uses and 
disclosures. Some potential patients may avoid initiating treatment 
altogether, which would harm both patients and programs.
    Covered entities and business associates would benefit markedly 
from the ability to follow only one set of federal regulations when 
making decisions about using and disclosing Part 2 records by 
streamlining processes and simplifying decision making procedures. 
Additionally, covered entities and business associates would no longer 
need to segregate SUD treatment data and could improve care 
coordination and integration of behavioral health with general medical 
treatment, resulting in comprehensive holistic treatment of the entire 
patient.
    In contrast, this proposal could also create a burden because 
covered entities and business associates subject to Part 2 may need to 
sort and filter Part 2 records for certain uses and disclosures, such 
as audit and evaluation activities that are health care operations, 
according to whether or not a patient consent for TPO has been 
obtained. The Department seeks comment and specific data on the number 
and type of Part 2 programs that are also HIPAA covered entities or 
business associates. The Department also solicits comment and data on 
any concerns or questions Part 2 programs may have about how the 
information technology currently available to them can support 
implementation of either or both of these proposed provisions.
    Sec.  2.32 Notice to accompany disclosure. (proposed heading)
    The proposed revisions to the notice accompanying each disclosure 
of Part 2 records made with written consent would benefit patients by 
ensuring that recipients of Part 2 records would be on notice of the 
expanded prohibition on use of such records against patients in legal 
proceedings even though uses and redisclosures for other purposes would 
be more readily permissible. Due to the proposed changes in 
redisclosure permissions for recipients of Part 2 records that are 
covered entities and business associates, the importance of the notice 
to accompany disclosure would increase.
    Part 2 programs would benefit from having notice language that 
accurately reflects statutory changes in the privacy protections for 
records. Retaining the notice to accompany disclosure requirement would 
also ensure that certain protections for Part 2 records continue to 
``follow the record,'' as compared to the Privacy Rule whereby 
protections are limited to PHI held by a covered entity or business 
associate.
    Sec.  2.53 Management audits, financial audits, and program 
evaluation (proposed heading).
    Programs that are also covered entities would benefit from the 
proposed changes that would clarify that the limits on use and 
disclosure for audit and evaluation purposes do not apply to covered 
entities and business associates to the extent these activities fall 
within the Privacy Rule disclosure permissions for health care 
operations. This benefit would provide regulatory flexibility for 
covered entities when Part 2 records are subject to audit or 
evaluation.
    In some instances, a third-party auditor or evaluator may also be a 
Part 2 program or a covered entity or business associate. As recipients 
of Part 2 records, such third parties would be permitted to redisclose 
the records as permitted by the Privacy Rule, with patient consent for 
TPO. This flexibility would not extend to government oversight audits 
and evaluations.
    Sec.  2.54 Disclosures for public health (new provision)
    The Department proposes to create a new permission to disclose de-
identified records without patient consent for public health 
activities, consistent with statutory changes. This would benefit 
public health by permitting records to be disclosed that would address 
the opioid overdose crisis and other public health issues related to 
SUDs, and it would protect patient confidentiality because the 
permission is limited to disclosure of de-identified records.
    Sec.  2.66 Procedures and criteria for orders authorizing use and 
disclosure of records to investigate or prosecute a part 2 program or 
the person holding the records (proposed heading).
    The Department proposes to specify the actions investigative 
agencies should take when they discover in good faith that they have 
received Part 2 records without obtaining the required court order, 
such as securing the records, ceasing to use or disclose the records, 
applying for a court order, and returning or destroying the records, as 
applicable to the situation. This proposal would provide the dual 
benefits of enabling agencies to move forward with investigations when 
they have unknowingly sought records from a Part 2 program and 
protecting patient privacy by ensuring agencies have clear 
responsibilities to continue protecting records even absent a court 
order. The proposal would limit the liability of investigative agencies 
that unknowingly obtain records without the necessary court order and 
increase agencies' effectiveness in prosecuting programs. The minimal 
burden for exercising reasonable diligence before an unknowing receipt 
of Part 2 records is outweighed by the reduction in risk of a penalty 
for noncompliance. This analysis applies as well to Sec.  2.67 below.
    Sec.  2.67 Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.
    The Department's proposal would add a requirement for investigative 
agencies

[[Page 74258]]

that seek a good cause court order after placement of an undercover 
agent or informant in a Part 2 program to first meet the reasonable 
diligence criteria in Sec.  2.3(b). This requirement would ensure that 
agencies take basic actions to determine whether a SUD treatment 
provider is subject to Part 2 before seeking to place an undercover 
agent or informant with the provider. Additionally, the reasonable 
diligence requirement would enhance patient privacy by ensuring that 
agencies consult available registries and visit websites or physical 
locations before placing agents in a position to access patients' 
records. As discussed above in reference to Sec.  2.66, this proposal 
would also have the benefit of enhancing public safety and aiding 
courts in streamlining the application process for court orders for 
the use and disclosure of records.
    Sec.  2.68 Report to the Secretary (proposed heading).
    The Department's proposal to require annual reports by 
investigative agencies concerning applications for court orders made 
after receipt of Part 2 records would benefit programs, patients, and 
investigative agencies by making data available about the frequency of 
investigative requests made ``after the fact.'' This requirement would 
benefit agencies and programs by highlighting the potential need for 
increased awareness about Part 2's applicability. A program that makes 
its Part 2 status publicly known would benefit from the procedural 
protections afforded within the court order requirements of Sec.  2.66 
and Sec.  2.67 in the event it becomes the target of an investigation. 
The proposed reporting requirement could also potentially deter 
agencies from overly relying on the ability to obtain belated court 
orders instead of doing a reasonable amount of research to determine, 
before making an investigative demand, whether Part 2 applies. Any 
resulting reduction in unauthorized uses and disclosures 
of records could be viewed as a benefit by patients and privacy 
advocates. In contrast, investigative agencies could view the reporting 
requirement as an administrative burden requiring resources that 
otherwise could be used to pursue investigations.
e. Estimated Quantified Cost Savings and Costs From Proposed Changes
    The Department has estimated quantified costs and cost savings 
likely to result from its proposed regulatory modifications for two 
core expense categories (capital expenses and workforce training) and 
seven substantive regulatory requirements. The remaining proposed 
regulatory changes are unlikely to result in quantifiable costs or cost 
savings, as explained following the discussion of projected costs and 
savings.
Capital Expenses
    Capital expenses related to compliance with the proposed rule fall 
into two categories: notification of breaches and printing forms and 
notices. The Department's estimates for capital costs related to 
providing breach notification are based on estimates from the HIPAA ICR 
multiplied by a factor of 0.02, representing the proportion of Part 2 
programs as compared to covered entities (774,331 x 16,066 = .02). For 
example, for an estimated 58,482 annual breaches of PHI the Department 
calculates that there are 1,170 breaches of Part 2 records (58,482 x 
.02 = 1,170), and associated costs. Those costs are estimated on an 
ongoing annual basis because programs could experience a breach at any 
time that would require notification.

                            Table 5a--Estimated Capital Expenses--Breach Notification
----------------------------------------------------------------------------------------------------------------
                                                                     Number of       Cost per
                  Breach notification activity                      occurrences     occurrence      Total costs
----------------------------------------------------------------------------------------------------------------
Breach--Printing & Postage......................................         a 1,170       b $719.96        $842,091
Breach--Posting Substitute Notice...............................            c 55          480.00          26,362
Breach--Call Center.............................................              55         d 74.44           4,088
                                                                 -----------------------------------------------
    Total Costs.................................................  ..............  ..............         872,541
----------------------------------------------------------------------------------------------------------------
a Total number of breaches of PHI in 2015 multiplied by a factor of .02 to represent breaches of Part 2 records
  (58,482 x .02).
b The Department assumes that half of all affected individuals (half of 113,535,549 equals 56,767,775) would
  receive paper notification and half would receive notification by email. Therefore, on average, 971
  individuals per breach will receive notification by mail. Further, the Department estimates that each mailed
  notice will cost $.06 for paper and envelope, $.08 for printing, and $.60 for postage. Accordingly, on
  average, the capital cost for mailed notices for each breach is $.74 for each of 971 notices, or $719.96. The
  Department accepts these assumptions for Part 2 breach notification costs as well.
c The number of breaches requiring substitute notice equals all 267 large breaches and all 2,479 breaches
  affecting 10-499 individuals multiplied by .02 to represent breaches of Part 2 records (2,746 x .02).
d This number includes $60 per breach for start-up and monthly costs, plus $.35 per call (at a standard
  rate of $.07 per minute for five minutes) for an average of 41.25 individual calls per breach.

    The Department's estimate of the costs for printing revised consent 
forms is based on SAMHSA's Part 2 ICR estimates for total annual 
patient admissions to Part 2 programs \211\ at a rate of $0.10 per 
copy. Programs are already required to print forms and notices on an 
ongoing basis and no change to the number of such forms and notices is 
projected, so the Department has not added any new capital costs for 
printing the revised Patient Notice, NPP, and notice to accompany 
disclosures. However, the Department estimates that as a result of 
changes to the requirement to obtain consent for disclosures related to 
TPO, Part 2 programs and covered entities and business associates would 
experience cost savings from a significant reduction in the number of 
needed consent forms. The Department assumes that, on average, each 
patient's treatment results in a minimum of three written consents 
obtained by Part 2 programs, one each for treatment, payment, and 
health care operations purposes. The proposed changes would result in 
an estimated decrease in the total number of consents by two-thirds 
because only one patient consent would be required to cover all TPO 
uses and disclosures. At an estimated cost of $0.10 per consent, for a 
total of 1,864,367 annual patient admissions, this would result in an 
annual cost savings to Part 2 programs of 3,728,734 fewer written 
consents, or $372,873. The Department requests comment on its 
assumption and welcomes data that may help refine its estimates.
---------------------------------------------------------------------------

    \211\ Substance Use Disorder Patient Records Supporting 
Statement A_06102020--OMB 0930-0092, https://omb.report/omb/0930-0092.
---------------------------------------------------------------------------

    Additionally, covered entities and business associates that receive 
Part 2 records would also experience a reduced need to obtain written 
patient consent or a HIPAA authorization because redisclosure under the Privacy 
Rule does not require patient consent or authorization for TPO and many 
other purposes. The Department lacks data to make a precise estimate of 
projected cost savings, but each patient record disclosed to a covered 
entity or business associate would potentially generate a savings based 
on eliminating the need for the recipient to obtain additional consent 
for redisclosure. The Department has adopted a low cost savings 
estimate that one-half of Part 2 annual admissions would result in 
receipt of Part 2 records by a covered entity or business associate 
that would no longer be required to obtain specific written patient 
consent to redisclose such record, representing an annual capital 
expense savings from printing 932,184 fewer consent forms. At a per-
consent cost of $0.10,\212\ this would result in annual savings of 
$93,218. The savings related to the cost of staff time to obtain the 
patient consent are estimated and discussed separately in the section 
on consent below.
---------------------------------------------------------------------------

    \212\ The Department relies on its estimated capital expenses 
for printing HIPAA breach notification letters. See 2021 HIPAA ICR, 
https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.

                       Table 5b--Estimated Capital Expense Savings--Printing Consent Forms
----------------------------------------------------------------------------------------------------------------
                                                                     Number of       Cost per       Total cost
                            Activity                                occurrences     occurrence        savings
----------------------------------------------------------------------------------------------------------------
Reduction in Consent Forms for Part 2 Programs..................       3,728,734           $0.10        $372,873
Reduction in Consent Forms for CEs & BAs........................         932,184            0.10          93,218
                                                                 -----------------------------------------------
    Total Annual Savings........................................  ..............  ..............         466,092
----------------------------------------------------------------------------------------------------------------

Training Costs
    Although Part 2 does not expressly require training and the 
proposed rule would not require retraining, the Department anticipates 
that all Part 2 programs would choose to train their workforce members 
on the modified Part 2 requirements to ensure compliance. The 
Department estimates the potential costs that all Part 2 programs would 
incur to train staff on the changes to the confidentiality requirements 
if they are finalized as proposed. As indicated in the chart below, 
only certain staff would need to be trained on specific topics and each 
program would rely on a training specialist whose preparation time 
would also be accounted for. As compared to the proposed HIPAA Privacy 
Rule right to discuss privacy practices, the costs for training Part 2 
counselors include a higher number of staff per program because Part 2 
programs would have no required Privacy Officer who is already assigned 
similar duties and would be more likely to incur costs for developing a 
new training regimen. The Department of Labor, Bureau of Labor 
Statistics (BLS) last reported statistics for substance use and 
behavioral disorder counselors separate from mental health counselors 
in 2016, and substance use and behavioral disorder counselors 
represented 65 percent of the combined total. The Department thus 
calculates its estimate for the number of substance use and behavioral 
disorder counselors as 65 percent of the workers in the BLS 
occupational category for ``substance abuse, behavioral disorder, and 
mental health counselors'' and uses that as a proxy for the number of 
Part 2 program counselors that would require training on the new 
Patient Notice or NPP.\213\ The Department estimates that a total of 
$12 million in one-time new training costs would be incurred in the 
first year of the final rule's implementation.
---------------------------------------------------------------------------

    \213\ In 2021, that figure was 202,072 (310,880 x .65).

                                   Table 6--Estimated Workforce Training Costs
----------------------------------------------------------------------------------------------------------------
                                                                              Total
         Training topics--staff member            Number of     Time in      training   Hourly wage  Total costs
                                                   trainees     training      hours         rate
----------------------------------------------------------------------------------------------------------------
Complaint Procedures & Nonretaliation--Manager.       16,066         0.75    12,049.50      $115.22   $1,388,343
Breach Notification--Manager...................       16,066            1    16,066.00       115.22    1,851,125
Obtaining Consent--Receptionist................       32,132          0.5    16,066.00        31.64      508,328
Patient Notices & Right to Discuss--SUD            a 202,072         0.25    50,518.00        51.44    2,598,646
 Counselor.....................................
Requests for Restrictions--Receptionist,              48,198         0.25    12,049.50        39.73      478,767
 Medical Records, Billing Clerk................
Accounting of Disclosures--Med. Records               16,066          0.5        8,033        46.46      373,213
 Specialist....................................
Training Specialist's Time.....................       16,066            5       80,330        65.02    5,223,057
                                                ----------------------------------------------------------------
    Total Training Costs.......................  ...........  ...........      167,354  ...........   12,421,479
----------------------------------------------------------------------------------------------------------------
a This figure is the number of substance abuse and behavioral disorder counselors as a proxy for the number of
  Part 2 program counselors.

iii. Notification of Breaches
    The Department estimates annual labor costs of $1.5 million to Part 
2 programs for providing notification of breaches of unsecured records, 
including notification to the Secretary, affected patients, and the 
media, consistent with the requirements of the Breach Notification 
Rule. This estimate is derived from calculating two percent of the 
total estimated breach notification activities for covered entities and 
business associates under the Breach Notification Rule.\214\ Capital 
costs for providing breach notification are discussed separately in 
Table 5a above.
---------------------------------------------------------------------------

    \214\ See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001. Wage rates are updated to 2021 figures.


                                 Table 7--Estimated Costs of Breach Notification
----------------------------------------------------------------------------------------------------------------
                                                                                                       Total
              Section of 45 CFR                      Notification activity           Number of      respondent
                                                                                    respondents        costs
----------------------------------------------------------------------------------------------------------------
164.404.....................................  Individual Notice--Written and E-          a 1,170         $51,230
                                               mail Notice (drafting).
164.404.....................................  Individual Notice--Written and E-            1,170          24,422
                                               mail Notice (preparing and
                                               documenting notification).
164.404.....................................  Individual Notice--Written and E-            1,170         758,452
                                               mail Notice (processing and
                                               sending).
164.404.....................................  Individual Notice--Substitute                 b 55           5,042
                                               Notice (posting or publishing).
164.404.....................................  Individual Notice--Substitute                   55           7,844
                                               Notice (staffing toll-free
                                               number).
164.404.....................................  Individual Notice--Substitute              c 2,265          15,863
                                               Notice (individuals' voluntary
                                               burden to call toll-free number
                                               for information).
164.406.....................................  Media Notice......................          d 5.34             510
164.408.....................................  Notice to Secretary (notice for               5.34             510
                                               breaches affecting 500 or more
                                               individuals).
164.408.....................................  Notice to Secretary (notice for            e 1,164          48,621
                                               breaches affecting fewer than 500
                                               individuals).
164.414.....................................  500 or More Affected Individuals              5.34          30,764
                                               (investigating and documenting
                                               breach).
164.414.....................................  Less than 500 Affected Individuals              50          45,701
                                               (investigating and documenting
                                               breach)--affecting 10-499.
164.414.....................................  Less than 500 Affected Individuals         f 1,115         513,752
                                               (investigating and documenting
                                               breach)--affecting <10.
                                                                                 -------------------------------
    Total...................................  ..................................  ..............       1,502,711
----------------------------------------------------------------------------------------------------------------
a Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2
  breaches.
b All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied by .02.
c As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute
  notification (0.01 x 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches.
d The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the
  number of Part 2 breaches.
e The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to
  represent the number of Part 2 breaches.
f 55,736 multiplied by .02.

iv. Patient Notice and NPP
    The Department estimates a first-year total of $2.4 million in 
costs to Part 2 programs for updating the Patient Notice and the NPP, 
as applicable, and providing patients a right to discuss the program's 
Patient Notice or NPP. Under the proposed modifications to Sec.  2.22 
and 45 CFR 164.520, as under the existing rules, a Part 2 program that 
is also a covered entity would only need to have one notice that meets 
the requirements of both rules, so the Department's estimates are based 
on an unduplicated count of Part 2 programs, each one needing to update 
either its Patient Notice or its NPP. The Department's estimate is 
based on the number of total entities and one hour of a lawyer's time 
to update the notice(s), as detailed in Table 8. The Department 
anticipates that the changed requirements for the NPP under this 
proposed rule and the HIPAA NPRM \215\ would become effective at the 
same time so that covered entities would only incur costs for printing, 
mailing, and posting a revised NPP one time. There would be no new 
costs for providers associated with distribution of the revised notice 
other than posting it on the entity's website (if it has one), as 
providers have an ongoing obligation to provide the notice to first-
time patients. The Department bases the estimate on its previous 
estimates from the 2013 Omnibus Rule, in which the Department estimated 
approximately 613 million first time visits with health care providers 
annually.\216\ Health plans that post their NPP online would incur 
minimal costs by posting the updated notice and then including the 
updated NPP in the next annual mailing to subscribers.\217\ The 
Department estimates a potential increase in costs for health plans 
that do not post an NPP online or provide an annual mailing to 
subscribers. The increased costs would be associated with the 
requirement to mail an updated NPP to subscribers within 60 days of 
making a material change. The Department requests comments on the 
burdens on covered entity health plans of doing a separate mailing for 
the updated NPP if they are not subject to requirements in other law 
for an annual mailing, how many such entities there are, whether there 
should be an exception to allow entities to send it in the next three-
year mailing, and any unintended adverse consequences for individuals 
of creating such an exception.
---------------------------------------------------------------------------

    \215\ 86 FR 6446.
    \216\ 78 FR 5675, https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
    \217\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------

    In addition to the costs of updating the Patient Notice and NPP, 
the Department estimates that programs would incur ongoing costs to 
implement the right to discuss a program's Patient Notice or NPP 
calculated as 1 percent of all patients, or 18,644 requests, at the 
hourly wage of a substance abuse, behavioral disorder, and mental 
health counselor, as defined by BLS, for an average of 7 minutes per 
request or $111,887 total per year. The number of discussions is based 
on the same percentage of new patients as the parallel proposal in the 
HIPAA NPRM, which reflects the anticipated number of patients who would 
ask to speak with the identified contact person about the NPP or 
Patient Notice. It does not include the discussion that each counselor 
may have with a new patient about confidentiality in the clinical 
context which the Department views as part of treatment.
v. Accounting of Disclosures
    The Department's estimate of minimal annual costs to Part 2 
programs for providing patients an accounting of disclosures is based 
on OCR's estimates for covered entities to comply with the requirements 
in 45 CFR 164.528 multiplied by a factor of .02. This represents two 
percent of the total estimated requests for an accounting of 
disclosures under the Privacy Rule. The Department included this 
estimate in its calculations (detailed in Table 8), although it is 
negligible, due to the CARES Act mandate to include the requirement in 
Part 2. The responses to OCR's 2018 Request for Information on 
Modifying HIPAA Rules to Improve Coordinated Care \218\ indicated that 
covered entities and their business associates receive very few 
requests for an accounting of disclosures annually (a high of 
.00006).\219\ The Department is unable to estimate the additional 
burdens, if any, of offering these accountings in a machine readable or 
other electronic format (unless the individual requests otherwise). 
Further, the Department lacks specific information about the costs to 
revise electronic health record systems to generate a report of 
disclosures for TPO, other than that they could be substantial.\220\ The 
Department asks for public comments or information that will help to 
estimate these burdens.
---------------------------------------------------------------------------

    \218\ 83 FR 64302 (December 14, 2018).
    \219\ See generally, public comments posted in response to 
Docket ID# HHS-OCR-2018-0028, https://www.regulations.gov/document/HHS-OCR-2018-0028-0001/comment.
    \220\ Id.
---------------------------------------------------------------------------

Requests for Privacy Protection for Records
    The Department estimates that Part 2 programs would incur a total 
of $1,590 in annual costs arising from the right to request 
restrictions on disclosures. OCR's HIPAA ICR estimate of costs for 
covered entities to comply with the parallel requirement under 45 CFR 
164.522 represents a doubling of previous estimated responses from 
20,000 to 40,000.\221\ However, costs remain low for compliance with 
this regulatory requirement, in part because the requirement to accept 
a patient's request for restrictions is mandatory only for services for 
which the patient has paid in full; the cost of complying with a 
request not to disclose records or PHI to a patient's health plan 
occurs in a context in which providers are saved the labor that would 
be needed to submit claims to health insurers. The details of the 
Department's estimate are noted in Table 8.
---------------------------------------------------------------------------

    \221\ 86 FR 6446, 6498. See also 84 FR 51604.
---------------------------------------------------------------------------

Updated Consent Form
    The Department estimates that each program would incur the costs 
for 40 minutes of a lawyer's time to update its patient consent form 
for use and disclosure of records. This would result in an estimated 
total nonrecurring cost of approximately $1.5 million, to be incurred 
in the first year after publication of a final rule, as detailed in 
Table 8 below.
Updated Notice To Accompany Disclosures
    The Department estimates that each program would incur the costs 
for 20 minutes of a health care manager's time to update the regulatory 
notice that is to accompany each disclosure of records with written 
patient consent. The Department believes that a manager can accomplish 
this task, rather than a lawyer, because specific text for the notice 
to accompany disclosure is required and is included in the proposed 
regulation. For a total of 16,066 programs this would result in 
estimated total nonrecurring costs in the first year of the rule's 
implementation of approximately $0.6 million as detailed in Table 8 
below.
New Reporting to the Secretary
    The proposed reporting requirement in proposed Sec.  2.68 would be 
directed to those agencies that investigate and prosecute programs and 
holders of Part 2 records. Part 2 programs are subject to 
investigations for Medicare and Medicaid fraud and diversion of opioids 
used in medication assisted treatment (MAT). Medicaid and Medicare 
fraud investigations may involve both the Department of Justice (DOJ) 
and the HHS Office of the Inspector General (OIG). The Department 
estimates that these agencies conduct approximately 225 investigations 
of Part 2 programs annually. For fiscal years 2019 and 2020 the HHS OIG 
reported the number of end-of-year open enforcement cases as 159 and 
191, respectively, for an average of 175 per year, and annual criminal 
convictions and civil settlements or penalties totaling 19 and 16, 
respectively, for an average of 18 annual cases.\222\ \223\ Open 
Medicaid Fraud Cases of SUD Providers at end of FY 2020 included 140 
criminal and 51 civil settlements or penalties for a total of 191.\224\ 
At the end of FY 2019, the total was 159. Additionally, the Drug 
Enforcement Agency's (DEA) Drug Diversion Division reported actions 
against 50 registrants in 2020. The Department adds this number to the 
average of 175 health fraud cases, for an estimate of 225 
investigations annually. The Department assumes, as an over-estimate, 
that all 225 cases targeted Part 2 programs and that all cases result 
in a required report under proposed Sec.  2.68.
---------------------------------------------------------------------------

    \222\ HHS, Office of the Inspector General, Medicaid Fraud 
Control Units Fiscal Year 2020 Annual Report, Appendix C, Medicaid 
Fraud Control Unit Case Outcomes and Open Investigations by Provider 
Type and Case Type for Fiscal Year 2020, OEI-09-21-00120, March 
2021, p. 25, https://oig.hhs.gov/oei/reports/OEI-09-21-00120.pdf, 
(FY 2020 Medicaid fraud convictions and civil penalties against 
outpatient SUD treatment providers included 9 criminal convictions 
and 7 civil settlements, for a total of 16).
    \223\ 2019 Report, https://oig.hhs.gov/oei/reports/oei-09-20-00110.pdf, (FY 2019 Medicaid fraud convictions and civil penalties 
against outpatient SUD treatment providers included 4 criminal 
convictions and 14 civil settlements for a total of 18).
    \224\ Id., Exhibit C2, p. 28.
---------------------------------------------------------------------------

    The burden on investigative agencies for annual reporting about 
unknowing receipt of Part 2 records prior to a court order would 
include the labor of gathering data and submitting it to the Secretary. 
As a proxy for this burden, the Department estimates that the labor 
would be equal to that of reporting large breaches of PHI under HIPAA 
which has been calculated at 1.5 hours per response at an hourly wage 
rate of $76.43 \225\ for a total estimated cost of $114.65 per 
response. For an estimated 225 annual investigations this would result 
in a total cost of $25,794. This figure, albeit low, represents an 
overestimate because it assumes 100 percent of investigations would 
involve unknowing receipt of Part 2 records prior to seeking a court 
order. The Department assumes that the actual proportion of 
investigations falling within the reporting requirement would be less 
than 25 percent of cases, although it lacks data to substantiate this 
assumption, and welcomes comments and data to better inform all of the 
assumptions related to the estimated costs.
---------------------------------------------------------------------------

    \225\ This is a composite wage rate used in burden estimates for 
OCR's breach notification Information Collection Request.

                     Table 8--Estimated Annual Part 2 Costs in First Year of Implementation
----------------------------------------------------------------------------------------------------------------
                                       Total         Hours per     Total burden     Hourly wage
            Activity                 responses       response          hours           rate         Total cost
----------------------------------------------------------------------------------------------------------------
2.16 Breach Notification (from    ..............  ..............  ..............  ..............      $1,502,714
 Table 7).......................
2.22 Updating Patient Notice....          16,066               1          16,066         $142.34       2,286,834
2.22 Right to Discuss...........          18,644            0.12           2,175           51.44         111,887
2.25 Accounting of Disclosures..             100            0.05               5           46.46             232
2.26 Requests for privacy                    800            0.05              40           39.20           1,590
 protection.....................
2.31 Consent--Updating Form.....          16,066            0.67          10,711          142.34       1,524,556
2.32 Notice to Accompany                  16,066            0.33           5,355          115.22         617,042
 Disclosures....................
2.68 Report to the Secretary....             225             1.5           337.5           76.43          25,795
Workforce Training (from Table    ..............  ..............  ..............  ..............      12,421,479
 6).............................
Capital Expenses (from Tables     ..............  ..............  ..............  ..............         872,541
 5a)............................
                                 -------------------------------------------------------------------------------
    Total Annual Costs (first     ..............  ..............  ..............  ..............      19,364,667
     year)......................
----------------------------------------------------------------------------------------------------------------

Proposed Changes Resulting in Negligible Fiscal Impact
    Sec. Sec.  2.1-2.4 Statutory authority and enforcement.
    While civil enforcement of Part 2 by the Department may increase 
costs for Part 2 programs or lawful holders that experience a breach or 
become the subject of a Part 2 complaint or compliance review, the 
costs of responding to a potential violation are not calculated 
separately from the costs of complying with proposed new or changed 
regulatory requirements. Thus, the Department's analysis does not 
estimate any program costs for the proposed changes to Sec. Sec.  2.1 
through 2.4 of 42 CFR part 2.
    Sec.  2.11 Definitions.
    Proposed changes to the regulatory definitions are not likely to 
create significant increases or decreases in burdens for Part 2 
programs or covered entities and business associates. These entities, 
collectively, would benefit from the regulatory certainty resulting 
from clarification of terms; however, the proposed definitions are 
generally intended to codify current usage and understanding of the 
defined terms.
    Sec.  2.12 Applicability.
    The proposal to change ``Armed Forces'' to ``Uniformed Services'' 
in paragraph (c)(2) of Sec.  2.12 is likely to result in only a 
negligible change in burden because this terminology is already in use 
in 42 U.S.C. 290dd-2. Adding ``uses'' and ``disclosures'' in several 
places provides clarity and consistency, but is unlikely to create 
quantifiable costs or cost savings. Adding the four express statutory 
restrictions on use and disclosure of records for court proceedings 
\226\ in paragraph (d)(1) of this section will likely result in no 
significant burden change, as the restrictions on use and disclosure of 
records for criminal investigations and prosecutions of patients are 
already stringent and the ability to obtain a court order remains. 
Excluding covered entities from the restrictions applied to other 
``third-party payers'' in paragraph (d)(2) of this section would reduce 
burden on covered entities that are health plans because they will be 
permitted to disclose records for a wider range of health care 
operations than under the current regulation. However, this burden 
reduction is similar to that for all covered entities under the 
proposed rule, so the Department has not estimated the costs or 
benefits separately from the effects of Sec.  2.33, Uses and 
disclosures permitted with written consent.
---------------------------------------------------------------------------

    \226\ See 42 U.S.C. 290dd-2(c).
---------------------------------------------------------------------------

    Sec.  2.13 Confidentiality restrictions and safeguards.
    The primary proposed change to this section is to remove paragraph 
(d) and redesignate it as Sec.  2.24. Additionally, adding the term 
``use'' to the circumstances when disclosures are permitted or 
prohibited provides clarification, but is unlikely to generate a change 
in burden associated with this provision.
    Sec.  2.14 Minor patients.
    The proposed changes to this section would clarify that a program 
director may clinically evaluate whether a minor has decision making 
capacity, but not issue a legal judgment to that effect. The proposals 
would also add ``uses'' to ``disclosures'' as the types of activities 
regulated under this section. None of the proposed changes would be 
likely to result in quantifiable burdens to Part 2 programs.
    Sec.  2.15 Patients who lack capacity and deceased patients.
    The Department's proposed modification will replace outdated 
references to incompetence and instead refer to a lack of capacity to 
make health care decisions and will add ``uses'' to ``disclosures'' to 
describe the activities permitted when certain conditions are met. 
These clarifications and additions are unlikely to generate a change in 
burden that can be quantified, and thus they are not included in the 
Department's calculation of estimated costs and cost savings.
    Sec.  2.20 Relationship to state laws.
    The Department proposes to add the term ``use'' to describe 
activities regulated by this section. Similar to 42 CFR part 2, state 
laws impose restrictions on uses and disclosures related to SUD and the 
Department assumes programs subject to regulation by this part would be 
able to comply with Part 2 and the state law. The Department does not 
anticipate these proposed changes would result in a quantifiable 
increase or decrease in burden.
    Sec.  2.21 Relationship to federal statutes protecting research 
subjects against compulsory disclosure of their identity.
    The Department replaced ``disclosure and use'' with ``use and 
disclosure'' to align the language of this section with that of the 
Privacy Rule. The edit does not require any changes to existing Part 2 
requirements. The Department does not anticipate this proposed change 
would result in a quantifiable increase or decrease in burden.
    Sec.  2.24 Requirements for intermediaries. (redesignated and 
proposed heading)
    The Department estimates no change in burdens and benefits as a 
result of this regulatory clarification because no substantive change 
is intended.
    Sec.  2.34 Uses and disclosures to prevent multiple enrollments.
    The Department proposes to add the term ``uses'' to the heading and 
incorporate minor word changes and style edits for clarity. The edits 
do not require any changes to existing Part 2 requirements. The 
Department does not anticipate these proposed changes would result in a 
quantifiable increase or decrease in burden.
    Sec.  2.35 Disclosures to elements of the criminal justice system 
which have referred patients.
    The Department proposes to replace the term ``individuals'' with 
``persons,'' clarify that permitted redisclosures of information are 
from Part 2 records, and make minor word and style edits for clarity. 
The edits do not require any changes to existing Part 2 requirements. 
The Department does not anticipate these proposed changes would result 
in a quantifiable increase or decrease in burden.
    Sec.  2.52 Scientific research (proposed heading)
    The Department considered whether the proposal to align the de-
identification standard in Sec.  2.52 (and throughout Part 2) with the 
Privacy Rule de-identification standard in 45 CFR 164.514 would 
significantly increase burden for Part 2 programs or result in any 
unintended negative consequences. The Department concluded that the 
proposed change would not significantly increase burden because the 
detailed protocols a Part 2 program would need to follow to ensure that 
the current standard is met involve a level of work similar to that 
needed to adhere to the Privacy Rule standard. Additionally, the proposal would 
ensure that all Part 2 programs are following similar standards for de-
identification, which would benefit researchers when creating data sets 
from different Part 2 programs, by enabling them to populate the data 
sets with similar content elements.
    Sec.  2.53 Management audits, financial audits, and program 
evaluation. (proposed heading)
    The proposal to clarify that some audit and evaluation activities 
may be considered health care operations could be used by Part 2 
programs, covered entities, and business associates to obtain records 
based on consent for health care operations and then such entities 
could redisclose them as permitted by the Privacy Rule. The Privacy 
Rule may allow these entities greater flexibility to use or redisclose 
the Part 2 records for permitted purposes as compared to the 
limitations contained in Sec.  2.53 of Part 2. For Part 2 programs that 
are covered entities, this proposed change could result in burden 
reduction because they would not have to track the records used for 
audit and evaluation purposes as closely; however, the Department is 
without data to quantify the potential cost reduction. For business 
associates, there would likely be no change in burden because they are 
already obligated by contract to only use or disclose PHI (which may be 
Part 2 records) as allowed by the agreement with the covered entity.
    As discussed in the preamble, the disclosure permission under Sec.  
2.53 would continue to apply to audits and evaluations conducted by a 
health oversight agency without patient consent. The Department does 
not believe that the text of section 3221(e) of the CARES Act indicates 
congressional intent to alter the established oversight mechanisms for 
Part 2 programs, including those that provide services reimbursed by 
Medicare, Medicaid, and Children's Health Insurance Program (CHIP). The 
Department also intends that a government agency conducting activities 
that could fall within either Sec.  2.53 or Sec.  2.33 for health care 
operations would have the flexibility to choose which permission to 
rely on and would not have to meet the conditions of both sections. In 
the event that the agency is a covered entity that has received the 
records based on a consent for TPO, it could further redisclose the 
records as permitted by the Privacy Rule.
    Sec.  2.54 Disclosures for public health. (proposed heading)
    The Department does not believe that an express permission to 
disclose records to public health authorities without patient consent 
will impact burdens to a significant degree. While programs will likely 
experience a burden reduction from the lifting of a consent 
requirement, the permission may cause an increase in disclosures to 
public health authorities, resulting in a net impact of no change to 
burdens. Additionally, to the extent these disclosures are required by 
other law, the compliance burden is not calculated as a change caused 
by Part 2.
    Sec. Sec.  2.61-2.65 Procedures for court orders.
    The Department lacks sufficient data to estimate the number of 
instances where the expanded scope of protection from use or disclosure 
of records against the patient in legal proceedings (including in 
administrative and legislative forums) would result in increased 
applications for court orders authorizing the disclosure of Part 2 
records or testimony.
    Sec.  2.66 Procedures and criteria for orders authorizing use and 
disclosure of records to investigate or prosecute a part 2 program or 
the person holding the records. (proposed heading)
    Proposed Sec.  2.66(a)(3) provides specific procedures for 
investigative agencies to follow upon discovering after the fact that 
they are holders of Part 2 records, such as securing, returning, or 
destroying the records and optionally seeking a court order under 
subpart E. Although the existing regulation does not expressly require 
law enforcement agencies to return or destroy records that they cannot 
use in investigations or prosecutions against a program when they do 
not obtain the required court order, it requires lawful holders to 
comply with Sec.  2.16 Security for records. The Department developed 
the proposed requirements in Sec.  2.66(a)(3) (to return or destroy 
records that an investigative agency is unable to use or disclose in an 
investigation or prosecution) to parallel the existing requirements in 
Sec.  2.16 for programs and lawful holders to establish policies for 
securing paper and electronic records, removing them, and destroying 
them. The proposed Sec.  2.66 requirements to obtain a court order, or 
to return or destroy the records within a reasonable time (no more than 
120 days from discovering it has received Part 2 records), would not 
significantly increase the existing burden for investigative agencies 
to comply with Sec.  2.16. The Department requests comment on these 
assumptions and data on the burden for complying within 120 days of 
discovering that an investigative agency has unknowingly received Part 
2 records.
    Sec.  2.67 Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.
    Proposed Sec.  2.67(c)(4) restricts an investigative agency from 
seeking a court order authorizing placement of an undercover agent or 
informant unless it has first exercised reasonable diligence as 
described by proposed Sec.  2.3(b), which provides that steps such as 
checking an available prescription drug monitoring program (PDMP) or 
visiting the provider's website or physical location to determine if it 
is providing SUD-related services shall presumptively constitute 
reasonable diligence. This provision serves as a prerequisite that 
would allow an investigative agency to continue placement of the 
undercover agent or informant in a Part 2 program by correcting an 
error of oversight if the investigative agency learns after the fact 
that the undercover agent or informant is in a Part 2 program and 
avoiding the risk of penalties for the violation. The Department 
anticipates that the burden for checking a PDMP or a program's website 
or physical location to ascertain whether the program provides SUD 
treatment would be minimal, as these activities would normally be 
included in the course of investigating and prosecuting a program. The 
proposed requirement would merely shift the timing of these actions in 
some cases so that investigative agencies ensure they are completed 
prior to requesting court approval of an undercover agent or use of an 
informant. The primary burden on investigative agencies would be to 
include, in an application for a court order after learning of the 
program's Part 2 status after the fact, a statement that the 
investigator or prosecutor first exercised reasonable diligence to 
determine whether the program provided SUD treatment. The burden for 
including this 
statement within an application for a court order is minimal and could 
consist of standard language used in each application. Thus, the 
Department has not calculated specific quantitative costs for 
compliance. The Department requests comment on the likely utilization 
of the proposed safe harbor involving undercover agents and informants.
f. Costs Borne by the Department
    This rule would have a cost impact on HHS. HHS has the primary 
responsibility to assess the regulatory compliance of covered entities 
and business associates and Part 2 programs. This proposed rule would 
extend those responsibilities to Part 2 programs. In addition to 
promulgating the current regulation, HHS would be responsible for 
developing guidance and conducting outreach to educate the regulated 
community and the public. HHS also would be required to investigate and 
resolve complaints and compliance reviews as part of its expanded 
responsibility for Part 2 compliance and enforcement. The Department 
estimates that implementing the proposals would require two full-time 
policy employees (or contractors) at the OPM General Schedule (GS) GS-
14 or equivalent level who will develop regulation, guidance, and 
national-level outreach. Additionally, the Department estimates needing 
eight full-time employees (or contractors) for enforcement at a GS-13 
or equivalent level to investigate, train investigators, and provide 
local outreach to regulated entities.\227\ The Department also 
estimates costs for hiring a contractor to create a breach portal or a 
Part 2 module for the existing HIPAA breach portal. The initial posting 
of such breaches is automated, and HHS currently pays a contractor 
approximately $13,000 annually to maintain the database to receive 
reports of breaches from covered entities. The Department estimates 
approximately $13,000 to hire a second contractor to maintain the 
database to receive reports of breaches from Part 2 programs. 
Additionally, HHS drafts and posts summaries of each large breach on 
the website at a labor cost of approximately $22,600 per year. To 
implement these policies, the Department estimates that initial Federal 
costs will be approximately $1,695,716 million. The Department 
estimates that based on the GS within grade step increases for each of 
the proposed GS-13 and GS-14 employees the Federal costs will be 
approximately $8,972,716 million over 5 years.
---------------------------------------------------------------------------

    \227\ To determine the salary rate of the employees at the GS-13 
and GS-14 pay scale, the Department used the U.S. Office of 
Personnel Management's (OPM's) General Schedule (GS) classification 
and pay system and used the Department's General Schedule (Base) 
annual rates. The Department used the available 2021 data for the 
estimated costs. In 2021, the salary table for schedule GS-13, step 
1 annual rate is $158,936, including $79,468 plus 100% for benefits 
and the GS-14, step 1 annual rate is $187,814, including $93,907 
plus 100% for benefits. The Department estimated the costs over 5 
years based on within-grade step increases based on an acceptable 
level of performance and longevity (waiting periods of 1 year at 
steps 1-3 and 2 years at steps 4-6).
---------------------------------------------------------------------------

Comparison of Benefits and Costs

       Table 9a--Part 2 Costs and Savings Over 5-Year Time Horizon
------------------------------------------------------------------------
            Cost item                5-Year costs       5-Year savings
------------------------------------------------------------------------
2.16 Breach Notice..............          $7,513,554  ..................
2.22 Patient Notice & Right to             2,846,269  ..................
 Discuss........................
2.25 Accounting of Disclosures..               1,162  ..................
2.26 Requests for Restrictions..               7,948  ..................
2.31 Updating Consent Form......           1,524,556  ..................
2.32 Updating Disclosure Notice.             617,042  ..................
2.68 Reporting to the Secretary.             129,364  ..................
Training........................          12,421,479  ..................
Capital Expenses................           4,362,706        ($2,330,459)
Obtaining Consent...............  ..................        (61,446,429)
                                 ---------------------------------------
    Total.......................          29,424,093        (63,776,888)
    Net Savings/Costs...........  ..................        (34,353,198)
------------------------------------------------------------------------


    Table 9b--Privacy Rule Costs and Savings Over 5-Year Time Horizon
------------------------------------------------------------------------
                                                        5-Year set-off
            Cost item                5-Year costs          (savings)
------------------------------------------------------------------------
45 CFR 164.520 NPP..............         $36,739,425  ..................
45 CFR 164.520 Capital Costs....           8,195,800  ..................
                                 ---------------------------------------
    Total.......................          44,935,225  ..................
    Net Savings/Costs...........  ..................       ($44,935,225)
------------------------------------------------------------------------


Table 9c--Combined Part 2 and Privacy Rule Costs and Savings Over 5-Year
                              Time Horizon
------------------------------------------------------------------------
                                                        5-Year set-off
            Cost item                5-Year costs          (savings)
------------------------------------------------------------------------
2.16 Breach Notice..............          $7,513,554  ..................
2.22 Patient Notice & Right to             2,846,269  ..................
 Discuss........................
2.25 Accounting of Disclosures..               1,162  ..................
2.26 Requests for Restrictions..               7,948  ..................
2.31 Updating Consent Form......           1,524,556  ..................
2.32 Updating Disclosure Notice.             617,042  ..................
2.68 Reporting to the Secretary.             128,976  ..................
Training........................          12,421,479  ..................
Capital Expenses (Part 2).......           4,362,706        ($2,330,459)
Obtaining Consent...............  ..................        (61,446,429)
45 CFR 164.520 NPP..............          36,739,425  ..................
45 CFR 164.520 Capital Expenses.           8,195,800  ..................
                                 ---------------------------------------
    Total.......................          74,359,318        (63,776,888)
    Net Savings/Costs...........  ..................          10,582,027
------------------------------------------------------------------------


   Table 10--Non-Quantified Benefits/Costs for Regulated Entities and
                                Patients
------------------------------------------------------------------------
       Regulatory changes                Costs             Benefits
------------------------------------------------------------------------
Add notification of breaches of   ..................  Increased
 records by Part 2 programs in                         opportunity for
 the same manner the Breach                            patients to take
 Notification Rule applies to                          steps to mitigate
 breaches of PHI by covered                            harm. Would
 entities.                                             provide the same
                                                       information
                                                       protections to
                                                       patients
                                                       receiving SUD
                                                       treatment as are
                                                       afforded to
                                                       patients that
                                                       receive other
                                                       types of health
                                                       care services.
Change the consent form content   Potential loss to   Improved clarity
 requirements and reduce           patients of         and reduction of
 instances where a separate        opportunity to      paperwork for
 written consent is needed.        provide granular    patients, Part 2
                                   consent for each    programs, covered
                                   use and             entities, and
                                   disclosure;         business
                                   potential to        associates.
                                   chill some
                                   patients'
                                   willingness to
                                   access care.
Align the Patient Notice and the  ..................  Improved
 NPP.                                                  understanding of
                                                       individuals'
                                                       rights and
                                                       covered entities'
                                                       privacy
                                                       practices.
Adding right to discuss           ..................  Improved
 program's Patient Notice.                             understanding of
                                                       patients' rights
                                                       & programs'
                                                       confidentiality
                                                       practices;
                                                       improved access
                                                       to care.
Change the content requirements   ..................  Increased
 for the notice accompanying                           knowledge by
 disclosure.                                           patients of the
                                                       expanded
                                                       prohibition on
                                                       use of records
                                                       against patients
                                                       in legal
                                                       proceedings.
                                                       Improved
                                                       coordination for
                                                       certain
                                                       protection for
                                                       Part 2 records to
                                                       ``follow the
                                                       record.''
Add a new right for patients to   ..................  New opportunity
 request restrictions on uses                          for patients to
 and disclosures of their                              assert their
 records for TPO.                                      privacy interests
                                                       to program staff;
                                                       increased patient
                                                       control through
                                                       ability to
                                                       prevent
                                                       disclosures to
                                                       their health plan
                                                       when patient has
                                                       paid in full for
                                                       services. For
                                                       Part 2 programs,
                                                       likely increase
                                                       in full payment
                                                       by patients which
                                                       would decrease
                                                       staff time spent
                                                       with billing and
                                                       claims
                                                       activities.
Add an accounting of disclosures  Potential           Increased
 for TPO.                          increased costs     transparency
                                   to modify           about how records
                                   information         and Part 2
                                   systems to          information are
                                   capture required    disclosed for
                                   data.               TPO.
Modifications for clarification,  ..................  Improved
 readability, or consistency                           understanding by
 with HIPAA terminology.                               regulated
                                                       entities,
                                                       patients, and the
                                                       public.
Limiting investigative agencies'  ..................  Increased
 potential liability for                               awareness of Part
 unknowing receipt of Part 2                           2 obligations for
 records.                                              investigative
                                                       agencies.
                                                       Opportunity for
                                                       investigative
                                                       agencies to
                                                       pursue action
                                                       against Part 2
                                                       programs despite
                                                       initial
                                                       procedural
                                                       errors.
Requiring investigative agencies  ..................  Creates
 to report annually to the                             transparency and
 Secretary if they seek to use                         accountability
 records obtained prior to                             for agencies' use
 seeking a court order.                                of Part 2 records
                                                       in civil,
                                                       criminal,
                                                       administrative,
                                                       and legislative
                                                       proceedings.
------------------------------------------------------------------------

4. Consideration of Regulatory Alternatives
    The Department carefully considered several alternatives to the 
proposals in this NPRM. The Department welcomes public comment on any 
benefits or drawbacks of the following alternatives it considered while 
developing the NPRM.
    Definitions for ``breach,'' ``health care operations,'' ``lawful 
holder,'' and ``third-party payer.''
    Breach. The Department considered adopting only the first sentence 
of the HIPAA definition of breach in the introductory text of the 
paragraph and not the remainder of the definition. The Department 
considered that the HIPAA definition, which includes exclusions from 
the term breach (i.e., unintentional access, inadvertent disclosure, 
disclosure based on good faith belief that an unauthorized recipient 
would not reasonably have been able to retain the information) did not offer 
a parallel level of protection to Part 2 records as is intended by its 
overall structure of requiring consent for most disclosures. However, 
due to the amount of overlap between the types of entities that must 
comply with both Part 2 and the HIPAA Rules, the Department decided to 
adopt the HIPAA breach definition in its entirety. Congress was aware 
of the Breach Notification Rule when it passed the CARES Act, so the 
Department 
assumes that Congress intended to apply the full scope of the 
definition to Part 2 records. The Department welcomes comments on any 
unintended negative consequences of this approach and how any 
alternative approaches could be implemented consistent with 
Congressional intent.
    Health care operations. The Department considered including the 
``Sense of Congress'' in section 3221(k)(4) of the CARES Act, which 
states that the definition of health care operations shall have the 
same meaning as provided in the HIPAA Rules except that clause (v) of 
paragraph (6) shall not apply. This would have had the effect of 
excluding from the HIPAA disclosure and redisclosure permissions the 
use of records for fundraising. In contrast, the Department also 
considered not including the Sense of Congress in any provision of the 
proposed rule. This would have narrowly hewed to the statutory 
amendment mandated by section 3221 of the CARES Act without 
acknowledging Congressional intent. Instead, the Department proposed to 
add an opt-in approach for fundraising activities in the requirements 
for a written consent proposed at Sec.  2.31(a)(5). The Department 
similarly is proposing in Sec.  2.22 and 45 CFR 164.520 to require that 
programs and covered entities provide notice to a patient that the use 
and disclosure of records for such activities may be made only with the 
patient's written consent. The Department welcomes comments on any 
unintended adverse consequences of this approach and how any 
alternative approaches could be implemented consistent with statutory 
authority and Congressional intent.
    Lawful holder. Although not required by the CARES Act, the 
Department considered proposing a new regulatory definition for the 
term ``lawful holder,'' which is not currently defined in Part 2. The 
definition would be drawn from the Department's descriptions of lawful 
holders in previous Part 2 proposed and final rule preambles.\228\ In 
particular, the Department considered whether the definition was needed 
to distinguish the category of records recipients that includes covered 
entities, business associates, qualified service organizations, and 
other components of the health care system from other types of 
recipients of records based on a written patient consent for purposes 
of applying different requirements to the different categories.
---------------------------------------------------------------------------

    \228\ See 81 FR 6988; see also 82 FR 6052.
---------------------------------------------------------------------------

    SAMHSA has described a lawful holder as ``an individual or entity 
who has received such information as the result of a part 2-compliant 
patient consent (with a notice to accompany disclosure) or as a result 
of one of the exceptions to the consent requirements in the statute or 
implementing regulations and, therefore, is bound by 42 CFR part 2.'' 
\229\ Further, Sec.  2.33(a) provides that a valid consent may name any 
person or category of persons: ``If a patient consents to a disclosure 
of their records under Sec.  2.31, a [P]art 2 program may disclose 
those records in accordance with that consent to any person or category 
of persons identified or generally designated in the consent, except 
that disclosures to central registries and in connection with criminal 
justice referrals must meet the requirements of Sec. Sec.  2.34 and 
2.35, respectively.'' Taken together, the description of lawful holder 
and provision on consent mean that any person who receives records 
pursuant to a valid consent could be considered a lawful holder, and 
thus subject to the Part 2 requirements that apply to lawful holders.
---------------------------------------------------------------------------

    \229\ 82 FR 6052, 6068.
---------------------------------------------------------------------------

    The Department is concerned that some of the restrictions and 
obligations placed on lawful holders are not appropriate to apply 
across all types of persons who receive Part 2 records pursuant to a 
consent. For example, a patient's family member who receives a record 
based on consent could not be reasonably expected to develop policies 
and procedures for securing records. To address this concern, the 
Department considered proposing a definition that would exclude certain 
types of persons, such as those who are acting in their capacity as 
private citizens (rather than in a professional or official capacity as 
part of the health care system or government authority, for example). 
The Department also considered a definition that would expressly 
include only covered entities, Part 2 programs, any person conducting 
diagnosis, treatment, or referral for treatment, billing or payment, 
and any other purpose related to a patient's enrollment or 
participation in a Part 2 program. However, the Department is concerned 
that inserting a new definition in regulatory text may inadvertently 
exclude persons who rightfully should be subject to Part 2 requirements 
and restrictions that apply to both Part 2 programs and lawful holders.
    The Department has considered that a small minority of recipients 
of Part 2 records based on a patient's consent may not be properly 
subject to regulatory requirements that apply only to Part 2 programs 
and lawful holders. For example, it is unclear how the Department would 
enforce organizational requirements, such as policies and procedures, 
against some persons who receive records based on written consent, such 
as natural persons who are family members of a patient and are not 
acting in any professional or official capacity.
    Therefore, rather than propose a regulatory definition or create an 
enforcement exception, the Department instead asks for comment on what 
would be reasonable to expect of a person who is a lawful holder, but 
not a covered entity, business associate, or qualified service 
organization with respect to protecting records against unauthorized 
use and disclosure or security threats. The Department requests comment 
on whether it would be appropriate to include a definition of lawful 
holder--and, if so, what persons should be considered lawful holders.
    Third-party payer. The Department considered removing the term 
``third-party payer'' from the regulations because the definition is 
limited to entities with a contractual obligation to pay for Part 2 
services, many of which are covered entity health plans to whom Part 2 
redisclosure restrictions will no longer apply. Upon further 
consideration, the Department determined that some Part 2 programs may 
be paid based on a contractual obligation between the payer and the 
patient, but by entities other than a health plan. Retaining a narrower 
definition of third-party payer rather than removing the definition 
entirely would ensure that the restrictions on redisclosure are 
maintained for any third-party payers that are not covered entities. 
The Department welcomes data on how many and what types of third-party 
payers are not covered entities.
    Exception for reporting suspected abuse and neglect.
    The Department considered expanding the exception under Sec.  
2.12(c)(6) for reporting suspected child abuse and neglect to include 
reporting suspected abuse and neglect of adults. Such an expansion 
would be consistent with the Privacy Rule permission to report abuse, 
neglect, or domestic violence at 45 CFR 164.512(c), and could be 
beneficial for vulnerable adults, such as persons who are incapacitated 
or otherwise are unable to make health care decisions on their own 
behalf. However, Sec.  2.12(c)(6), under the authority of 42 U.S.C. 
290dd-2, limits the reporting of abuse and neglect to reporting child 
abuse and neglect as required by State or local law. Further, section 
(c) of the authorizing statute also restricts uses of records in 
criminal, civil, or administrative contexts, which

[[Page 74267]]

could include investigations by a protective services agency, for 
example, unless pursuant to a court order or with the patient's 
consent. Therefore, the Department determined that expanding the 
exception under Sec.  2.12(c)(6) to include reporting abuse and neglect 
of adults would exceed the statutory authority.
    Security of records and notification of breaches.
    The Department considered retaining the current language in Sec.  
2.16 (a)(1)(v) with respect to ``non-identifiable'' information and 
adding a reference to the Privacy Rule standard with the phrase ``as 
consistent with 45 CFR 164.514.'' Upon consideration, the Department 
decided instead to insert text from the Privacy Rule de-identification 
standard and a reference to 45 CFR 164.514 to more closely align the 
two sets of regulations.
    The Department also considered further harmonizing Part 2 and the 
HIPAA Rules by applying the Security Rule, or components of it, to Part 
2 programs and other lawful holders with respect to electronic Part 2 
records. The Security Rule contains standards and implementation 
specifications for securing electronic PHI that are consistent with 
industry best practices, and the implementation of robust security 
safeguards can prevent many breaches of patients' Part 2 records. 
However, the CARES Act did not make the Security Rule applicable to 
Part 2 programs. Therefore, the Department believes it does not have 
statutory authority to extend the Security Rule to encompass Part 2 
programs that are not covered entities or business associates. The Department 
requests comment on this interpretation and on whether the Part 2 
security provisions should be modified to incorporate additional or 
different safeguards consistent with the Security Rule.
    Patient Notice and NPP.
    The Department considered proposing more limited modifications to 
the Patient Notice in Sec.  2.22 to narrowly address only those changes 
specifically identified in section (i)(2) of the CARES Act, without 
incorporating into the Patient Notice other aspects of the NPP. 
However, the Department determined that greater alignment between the 
requirements of the Patient Notice and NPP would create more 
consistency in notices among Part 2 programs and other types of health 
care providers, and thus more consistency in patients' understanding 
and expectations regarding their rights and regulated entities' duties 
with respect to their Part 2 records.
    Adding a requirement for notification of TPO consent.
    The Department considered adding a requirement to Sec.  2.32 to 
require Part 2 programs to notify the recipient whether a record is 
being disclosed to them pursuant to a global consent for TPO or a more 
limited consent. The Department considered how this might help 
covered entities to avail themselves of the new redisclosure 
permissions enacted by section 3221(b) of the CARES Act so that they 
would be aware when they could redisclose a record according to the 
HIPAA Rules. However, the Department determined that this would be 
unduly burdensome on Part 2 programs. The Department requests comment 
on this alternative and the extent to which covered entities that 
receive Part 2 records are aware of the purpose of the disclosure and 
how that information is conveyed between programs and covered entity 
recipients of Part 2 records.
    Adding a new definition for ``confidential communications.''
    The Department considered adding a new definition for 
``confidential communications'' as an alternative modification to Sec.  
2.63 (confidential communications). Specifically, the Department 
considered whether to propose incorporating in regulatory text a 
preamble description of ``confidential communications'' from prior Part 
2 rulemaking, which describes the term as ``the essence of those 
matters to be afforded protection'' and ``highly sensitive 
communication.'' \230\ The Department did not propose this approach because 
the term is used in only one specific context and a new definition would 
likely create unnecessary complexity without improving understanding of 
the regulatory requirements.
---------------------------------------------------------------------------

    \230\ 52 FR 21801 (June 9, 1987).
---------------------------------------------------------------------------

    Creating limitations on liability for investigative agencies' 
unknowing receipt of Part 2 records.
    The Department considered creating an enforceable requirement for 
Part 2 programs to notify investigative agencies of the applicability 
of Part 2 when presented with an investigative demand for records, but 
deemed this an unnecessary burden on programs. Instead, the Department 
created prerequisites for investigative agencies to meet before they 
could benefit from liability protection, and thus avoided any increased 
burden on programs.
5. Request for Comments on Costs and Benefits
    The Department requests public comment on all the estimates, 
assumptions, and analyses within the cost-benefits analysis, including 
the costs to regulated entities and patients. The Department also 
requests comments on any relevant information or data that would inform 
a quantitative analysis of proposed reforms that the Department 
qualitatively addresses in this RIA. The Department also requests 
comments on whether there may be other indirect costs and benefits 
resulting from the proposed changes in the proposed rule and welcomes 
additional information that may help quantify those costs and benefits.

B. Regulatory Flexibility Act

    The Department has examined the economic implications of this 
proposed rule as required by the Regulatory Flexibility Act (5 U.S.C. 
601-612). If a rule has a significant economic impact on a substantial 
number of small entities, the Regulatory Flexibility Act (RFA) requires 
agencies to analyze regulatory options that would lessen the economic 
effect of the rule on small entities. For purposes of the RFA, small 
entities include small businesses, nonprofit organizations, and small 
governmental jurisdictions. The Act defines ``small entities'' as (1) a 
proprietary firm meeting the size standards of the Small Business 
Administration (SBA), (2) a nonprofit organization that is not dominant 
in its field, and (3) a small government jurisdiction of less than 
50,000 population. Because 90 percent or more of all health care 
providers meet the SBA size standard for a small business or are 
nonprofit organizations, the Department generally treats all health care 
providers as small entities for purposes of performing a regulatory 
flexibility analysis. The SBA size standard for health care providers 
ranges between a maximum of $8 million and $41.5 million in annual 
receipts, depending upon the type of entity.
    The projected costs and savings are discussed in detail in the 
regulatory impact analysis (section 3a). This proposed rule would 
create average net costs for regulated entities (Part 2 programs and 
covered entities), many of which are small entities, and the proposed 
changes are needed to implement required statutory changes. As its 
measure of significant economic impact on a substantial number of small 
entities, HHS uses a threshold for the size of the impact of 3 to 5 
percent. The

[[Page 74268]]

total costs from this rule are estimated to be $10,582,027, spread 
across 774,331 small entities. The average cost per small entity over 5 
years is equal to $13.67, and we do not believe that this threshold 
will be reached by the requirements in this proposed rule. Therefore, 
the Secretary certifies that this proposed rule would not result in a 
significant negative impact on a substantial number of small entities.

C. Unfunded Mandates Reform Act

    Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) 
requires that agencies assess anticipated costs and benefits before 
issuing any rule whose mandates require spending that may result in 
expenditures in any one year of $100 million in 1995 dollars, updated 
annually for inflation. In 2021, that threshold is approximately $158 
million. The Department does not anticipate that this proposed rule 
would result in the expenditure by state, local, and tribal 
governments, taken together, or by the private sector, of $158 million 
or more in any one year. The proposals, however, present novel legal 
and policy issues, for which the Department is required to provide an 
explanation of the need for this proposed rule and an assessment of any 
potential costs and benefits associated with this rulemaking in 
accordance with Executive Orders 12866 and 13563. The Department 
presents this analysis in the preceding sections.

D. Executive Order 13132--Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has federalism 
implications. The Department does not believe that this rulemaking 
would have any federalism implications.
    The federalism implications of the Privacy, Security, Breach 
Notification, and Enforcement Rules were assessed as required by 
Executive Order 13132 and published as part of the preambles to the 
final rules on December 28, 2000,\231\ February 20, 2003,\232\ and 
January 25, 2013.\233\ Regarding preemption, the preamble to the final 
Privacy Rule explains that the HIPAA statute dictates the relationship 
between state law and Privacy Rule requirements, and the Rule's 
preemption provisions do not raise federalism issues. The HITECH Act, 
at section 13421(a), provides that the HIPAA preemption provisions 
shall apply to the HITECH Act provisions and requirements.
---------------------------------------------------------------------------

    \231\ 65 FR 82462, 82797.
    \232\ 68 FR 8334, 8373.
    \233\ 78 FR 5566, 5686.
---------------------------------------------------------------------------

    The Federalism implications of Part 2 were assessed and published 
as part of the preamble to proposed rules on February 9, 2016.\234\
---------------------------------------------------------------------------

    \234\ 81 FR 6987, 7012.
---------------------------------------------------------------------------

    The Department anticipates that the most significant direct costs 
on state and local governments would be the cost for state and local 
government-operated covered entities to revise consent forms, policies 
and procedures; provide notification in the event of a breach of Part 
2 records; and draft, print, and distribute Patient Notices or 
NPPs for individuals with first-time health encounters. The regulatory 
impact analysis above addresses these costs in detail.
    In considering the principles in and requirements of Executive 
Order 13132, the Department has determined that these proposed 
modifications to the Privacy Rule would not significantly affect the 
rights, roles, and responsibilities of the States.

E. Assessment of Federal Regulation and Policies on Families

    Section 654 of the Treasury and General Government Appropriations 
Act of 1999 \235\ requires Federal departments and agencies to 
determine whether a proposed policy or regulation could affect family 
well-being. If the determination is affirmative, then the Department or 
agency must prepare an impact assessment to address criteria specified 
in the law. The Department believes that these regulations would 
positively impact the ability of patients and families to coordinate 
treatment and payment for health care, particularly for families to 
participate in the care and recovery of their family members 
experiencing SUD treatment, by aligning the permission for covered 
entities and business associates to use and disclose records disclosed 
to them for TPO purposes with the permissions available in the Privacy 
Rule. The Department does not anticipate negative impacts on family 
well-being as a result of this regulation or the separate rulemaking as 
described.
---------------------------------------------------------------------------

    \235\ Public Law 105-277, 112 Stat. 2681 (October 21, 1998).
---------------------------------------------------------------------------

F. Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104-13), 
agencies are required to submit to the Office of Management and Budget 
(OMB) for review and approval any reporting or record-keeping 
requirements inherent in a proposed or final rule, and are required to 
publish such proposed requirements for public comment. The PRA requires 
agencies to provide a 60-day notice in the Federal Register and solicit 
public comment on a proposed collection of information before it is 
submitted to OMB for review and approval. To fairly evaluate whether an 
information collection should be approved by OMB, section 3506(c)(2)(A) 
of the PRA requires that the Department solicit comment on the 
following issues:
    1. Whether the information collection is necessary and useful to 
carry out the proper functions of the agency;
    2. The accuracy of the agency's estimate of the information 
collection burden;
    3. The quality, utility, and clarity of the information to be 
collected; and
    4. Recommendations to minimize the information collection burden on 
the affected public, including automated collection techniques.
    The PRA requires consideration of the time, effort, and financial 
resources necessary to meet the information collection requirements 
referenced in this section. The Department explicitly seeks, and will 
consider, public comment on its assumptions as they relate to the PRA 
requirements summarized in this section. To comment on the collection 
of information or to obtain copies of the supporting statements and any 
related forms for the proposed paperwork collections referenced in this 
section, email your comment or request, including your address and 
phone number to [email protected], or call the Reports Clearance 
Office at (202) 690-6162. Written comments and recommendations for the 
proposed information collections must be directed to the OS Paperwork 
Clearance Officer at the above email address within 60 days.
    As discussed below, the Department estimates a total program burden 
associated with all proposed Part 2 changes of 565,029 hours and 
$43,911,857, including capital costs and one-time burdens, across all 
16,066 Part 2 programs for 1,864,367 annual patient admissions. On 
average, this equates to an annual burden of 35 hours and $2,733 per 
Part 2 program and 0.30 hours and $24 per patient admission. Excluding 
one-time costs that would be incurred in the first year of the final 
rule's implementation, the average annual burden would be 22 hours and 
$1,704 per Part 2 program and 0.19 hours and $15 per patient admission. 
In addition to program burdens, the Department's proposals would 
increase burdens on investigative agencies for

[[Page 74269]]

reporting annually to the Secretary in the collective amount of 338 
hours of labor and $25,795 in costs. This would result in a total 
burden for Part 2 of 565,367 hours in the first year after the rule 
becomes effective and 350,172 annual burden hours thereafter.
    Further, due to the proposed changes to 45 CFR 164.520, covered 
entities may need to update their NPP in order to comply with the 
documentation requirements of 45 CFR 164.530. Section 164.530 contains 
the administrative requirements for covered entities, including 
documenting training of personnel, updating policies and procedures, 
and updating the NPP in accordance with changes in the law.\236\ Due to 
these proposals, the burden for respondent covered entities to comply 
with the requirements of the suite of HIPAA Rules (Privacy, Breach 
Notification, Security, and Enforcement) would increase by 258,110 
burden hours.
---------------------------------------------------------------------------

    \236\ See 45 CFR 164.530(i)(3).
---------------------------------------------------------------------------

    In this NPRM, the Department is revising certain information 
collection requirements and, as such, is revising the information 
collection last prepared in 2020 and previously approved under OMB 
control #0930-0092. The Department is also revising the NPP information 
collection requirements in OCR's HIPAA ICR previously approved under 
OMB control #0945-0003. The estimated burdens of these proposed changes 
are shown in the tables that follow.
1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2
    The Department presents, in separate tables below, revised 
estimates for existing burdens (Table 11), previously unquantified 
ongoing burdens (Table 12), new ongoing burdens of the proposals (Table 
13), and new one-time burdens of the proposals (Table 13).

                               Table 11--Annualized Estimates of Current Burdens *
----------------------------------------------------------------------------------------------------------------
                                                                                   Average time
     Part 2          Type of        Respondents    Responses per       Total       per response    Total burden
   provision        respondent                      respondent       responses        (hours)          hours
----------------------------------------------------------------------------------------------------------------
2.22...........  Patient Notice.   \a\ 1,864,367               1       1,864,367           0.021          38,841
2.31...........  Obtaining             1,864,367               1       1,864,367          0.0833         155,364
                  Consent for
                  TPO
                  Disclosures.
2.36...........  PDMP \b\             \c\ 16,066          176.03       2,828,050          0.0333          94,268
                  Reporting.
2.51...........  Documenting              16,066               2          32,132           0.167           5,355
                  Emergency Tx.
                  Disclosure.
2.52...........  Disclosures for     \d\ 125,845               1         125,845           0.083          10,487
                  Research--Elec.
2.52...........  Disclosures for      \e\ 13,983               1          13,983           0.250           3,496
                  Research--Paper.
2.53...........  Disclosures for     \f\ 125,845               1         125,845           0.083          10,487
                  Audit & Eval.--
                  Elec.
2.53...........  Disclosures for      \g\ 13,983               1          13,983           0.250           3,496
                  Audit & Eval.--
                  Paper.
----------------------------------------------------------------------------------------------------------------
Total Ongoing Burdens, Currently Approved \237\                        6,868,571  ..............         321,794
----------------------------------------------------------------------------------------------------------------
* Not all decimal places are shown.
\a\ Number of annual Part 2 program admissions as a proxy for total number of patients.
\b\ For more information about PDMPs, see https://store.samhsa.gov/product/In-Brief-Prescription-Drug-Monitoring-Programs-A-Guide-for-Healthcare-Providers/SMA16-4997.
\c\ Total number of Part 2 programs.
\d\ Estimated number of research disclosures made electronically.
\e\ Estimated number of research disclosures on paper.
\f\ Estimated number of disclosures for audit and evaluation made electronically.
\g\ Estimated number of disclosures for audit and evaluation made on paper.

    As shown in Table 11, the Department is adjusting the currently 
approved burden estimates to reflect an increase in the number of Part 
2 programs, from 13,585 to 16,066. The respondents for this collection 
of information are publicly (Federal, State, or local) funded, 
assisted, or regulated SUD treatment programs. The estimate of the 
number of such programs (respondents) is based on the results of the 
2020 National Survey of Substance Abuse Treatment Services (N-SSATS), 
which represents an increase of 2,481 programs from the 2017 N-SSATS, 
which was the basis for the approved ICR under OMB No. 0930-0335. The 
average number of annual total responses is based on the average 
number of SUD treatment admissions from SAMHSA's 2019 Treatment 
Episode Data Set (TEDS), used as the number of annual patient admissions by 
Part 2 programs (1,864,367 patients). To accurately reflect the number 
of disclosures, the Department based some estimates on the number of 
patients (or a multiple of that number) and then divided by the number 
of programs to arrive at the number of responses per respondent. The 
Department based other estimates on the number of programs and then 
multiplied by the estimated number of disclosures to arrive at the 
total number of responses.
---------------------------------------------------------------------------

    \237\ This refers to approved information collections; however, 
the burden hours shown are adjusted for the NPRM.
---------------------------------------------------------------------------

    The estimate in the currently approved ICR includes the time spent 
with the patient to obtain consent and the time for training for 
counselors.\238\ The Department is now estimating the time for 
obtaining consent separately from the burden of training time and 
applies an average of 5 minutes per patient admission for obtaining 
consent.
---------------------------------------------------------------------------

    \238\ The Department estimated that the amount of time for 
disclosure to a patient ranged from a low of 3-5 minutes to a high 
of almost 38 minutes; the approximately 12-minute estimate used to 
estimate burden reflected a judgment about the time needed to 
adequately comply with the legal requirements and for basic training 
of counselors on the importance of patient confidentiality.
---------------------------------------------------------------------------

    For Sec.  2.31, Sec.  2.52, and Sec.  2.53, the Department is 
separating out estimates for each provision which were previously 
reported together and is also adjusting the estimates. For Sec.  2.31, 
the Department believes that disclosures with written consent for TPO 
are made for 100 percent of patients; due to the proposed changes to 
the consent requirements, the Department assumes that programs would 
experience a decreased burden from an average of 3 consents per 
admission to 1 consent. The Table above reflects 1 consent for each of 
the 1,864,367 annual patient admissions (used as a proxy for the 
estimated number of patients) and a time burden of 5 minutes per 
consent for a total of 155,364 burden hours. The previously 
unacknowledged burden of obtaining multiple consents for each patient 
is shown in Table 12, below.
    The Department previously estimated that for Sec.  2.31 (consent), 
Sec.  2.52 (research), and Sec.  2.53 (audit and

[[Page 74270]]

evaluation) combined, programs would need to disclose an average of 15 
percent of all patients' records (1,864,367 records x .15 = 279,655 
disclosures). The Department is adjusting its estimates to reflect that 
15 percent of patients would have records disclosed without consent for 
research and audits or evaluations and that this would be divided 
evenly between the two provisions, resulting in 7.5% of 1,864,367 
records (or approximately 139,828 disclosures) for Sec.  2.52 
disclosures and the same for Sec.  2.53 disclosures. The Department 
previously estimated that 10 percent of disclosed records would be 
disclosed in paper form while the remaining 90 percent would be 
disclosed electronically. The time burden for disclosing a paper record 
is estimated as 15 minutes and the time for disclosing an electronic 
record as 5 minutes. For Part 2 programs using paper records, the 
Department expects that a staff member would need to gather and 
aggregate the information from paper records, and manually track 
disclosures; for those Part 2 programs with a health IT system, the 
Department expects records and tracking information will be available 
within the system.
    For Sec.  2.36, the Department used the average number of opiate 
treatment admissions from SAMHSA's 2019 TEDS (565,610 admissions) and 
assumed the PDMP databases would need to be accessed and reported once 
initially and quarterly thereafter for each patient (565,610 x 5 = 
2,828,050). Dividing the number of opiate treatment admissions by the 
number of SUD programs results in an average of 35.21 patients per 
program (565,610 patients / 16,066 programs) and 176.03 PDMP updates 
per respondent (35.21 patients/program x 5 PDMP updates per patient). 
Based on discussions with providers, the Department believes accessing 
and reporting to PDMP databases would take approximately 2 minutes per 
patient, resulting in a total annual burden of 10 minutes (5 database 
accesses/updates x 2 minutes per access/update) or 0.166 hours annually 
per patient. For Sec.  2.51, the time estimate for recordkeeping for a 
clerk to locate a patient record, record the necessary information and 
re-file the record is 10 minutes.

                         Table 12--Annualized Estimate of Previously Unquantified Burden
----------------------------------------------------------------------------------------------------------------
                                                                                   Average time
     Part 2          Type of        Respondents    Responses per       Total       per response    Total burden
   provision        respondent                      respondent       responses        (hours)          hours
----------------------------------------------------------------------------------------------------------------
2.31...........  Obtaining         \a\ 1,864,367             2.5       4,660,918           0.083         388,410
                  Consent.
----------------------------------------------------------------------------------------------------------------
\a\ Annual number of Part 2 program admissions as a proxy for number of Part 2 patients.

    As shown in Table 12, for Sec.  2.31 the Department is recognizing 
for the first time the burden on programs to obtain multiple consents 
for each patient annually. The Department estimates that for each 
patient admission to a program a minimum of 3 consents is needed for 
disclosures of records: one each for treatment, payment, and health 
care operations (1,864,367 x 3).
    As shown in Table 11, a burden is already recognized for obtaining 
consent, but the estimate assumed only one consent per admission under 
the existing regulation and it was combined with estimates for 
disclosures without consent under Sec.  2.52 (research) and Sec.  2.53 
(audit and evaluation). The Department believes its previous 
calculations underestimated the numbers of consents obtained annually, 
and thus the Department views its updated estimate (i.e., adding two 
consents per patient annually) as acknowledging a previously 
unquantified burden. Additionally, recipients of Part 2 records that 
are covered entities or business associates must obtain consent for 
redisclosure of these records. The Department estimates an average of 
one-half of patients' records are disclosed to a covered entity or 
business associate that needs to redisclose the record with consent 
(1,864,367 x .5), and this also represents a previously unquantified 
burden. Together, this would result in an increase of 2.5 consents 
annually per patient. However, this would be offset by the changes 
proposed in this NPRM which would result in a reduction in the number 
of consents by 2.5 per patient, thus resulting in no change from the 
currently approved burden of 1 consent per patient.

                             Table 13--Annualized Estimates for Proposed New Burdens
----------------------------------------------------------------------------------------------------------------
                                                     Number of                        Average
       Type of respondent            Number of     responses per       Total       burden hours    Total burden
                                    respondents     respondent       responses     per response        hours
----------------------------------------------------------------------------------------------------------------
Individual Notice--Written and E-      \a\ 1,170               1           1,170             0.5             585
 mail Notice (drafting).........
Individual Notice--Written and E-          1,170               1           1,170             0.5             585
 mail Notice (preparing and
 documenting notification)......
Individual Notice--Written and E-          1,170           1,941   \b\ 2,270,271           0.008          18,162
 mail Notice (processing and
 sending).......................
Individual Notice--Substitute                 55               1              55               1              55
 Notice (posting or publishing).
Individual Notice--Substitute             \c\ 55               1              55        \d\ 3.42             188
 Notice (staffing toll-free
 number)........................
Individual Notice--Substitute          \e\ 2,265               1           2,265        \f\ .125             283
 Notice (individuals' voluntary
 burden to call toll-free number
 for information)...............
Media Notice....................           \g\ 5               1               5            1.25               7
Notice to Secretary (notice for                5               1               5            1.25               7
 breaches affecting 500 or more
 individuals)...................
Notice to Secretary (notice for        \h\ 1,164               1           1,164               1           1,164
 breaches affecting fewer than
 500 individuals)...............
500 or More Affected Individuals           \i\ 5               1            5.34              50             267
 (investigating and documenting
 breach)........................
Less than 500 Affected                    \j\ 50               1           49.58               8             397
 Individuals (investigating and
 documenting breach)--affecting
 10-499.........................
Less than 500 Affected                 \k\ 1,115               1        1,114.72               4           4,459
 Individuals (investigating and
 documenting breach)--affecting
 <10............................
Right to Discuss Patient Notice       \l\ 18,644               1          18,644            0.12           2,175
 or NPP.........................
Accounting for Disclosures of            \m\ 100               1             800            0.05               5
 Part 2 Records.................
Rights to Request Restrictions..         \n\ 800               1             800            0.05              40
Report to the Secretary.........         \o\ 225               1             225             1.5             338
                                 -------------------------------------------------------------------------------
                                  ..............  ..............       2,297,574  ..............          28,378
----------------------------------------------------------------------------------------------------------------
\a\ Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2
  breaches.
\b\ Average number of individuals affected per breach incident reported in 2015 (113,513,562) multiplied by .02.
\c\ All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied by .02.
\d\ This assumes that 10% of the sum of (a) all individuals affected by large breaches in 2015 (113,250,136) and
  (b) 5% of individuals affected by small breaches (0.05 x 285,413 = 14,271) will require substitute
  notification. Thus, the Department calculates 0.10 x (113,250,136 + 14,271) = 11,326,441 affected individuals
  requiring substitute notification for an average of 4,125 affected individuals per such breach. The Department
  assumes that 1% of the affected individuals per breach requiring substitute notice annually will follow up
  with a telephone call, resulting in 41.25 individuals per breach calling the toll-free number. The Department
  assumes that call center staff will spend 5 minutes per call, with an average of 41 affected individuals per
  breach requiring substitute notice, resulting in 3.42 hours per breach spent answering calls from affected
  individuals.
\e\ As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute
  notification (0.01 x 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches.
\f\ This number includes 7.5 minutes for each individual who calls with an average of 2.5 minutes to wait on the
  line/decide to call back and 5 minutes for the call itself.
\g\ The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the
  number of Part 2 breaches.
\h\ The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to
  represent the number of Part 2 breaches.
\i\ 267 multiplied by .02.
\j\ 2,479 multiplied by .02.
\k\ 55,736 multiplied by .02.
\l\ The Department estimates that 1 percent of all patients annually would request a discussion of the Patient
  Notice for an average of 7 minutes per discussion, calculated as .01 x 1,864,367 at the hourly wage of a SUD
  counselor.
\m\ The Department estimates that covered entities annually fulfill 5,000 requests from individuals for an
  accounting of disclosures of their PHI multiplied by .02 to represent the number of requests from patients for
  an accounting from Part 2 patients.
\n\ The Department doubled the estimated number of requests for confidential communications or restrictions on
  disclosures of PHI per year (to 40,000) due to the effect of the broadened TPO consent and related
  redisclosure permission and multiplied it by .02 to represent requests from Part 2 patients.
\o\ Estimated number of investigations of programs, used as a proxy for the instances an investigative agency
  would be in receipt of a record prior to obtaining the required court order.

    In Table 13 above, the Department shows an annualized new hourly 
burden of approximately 28,378 hours due to proposed regulatory 
requirements for breach notification, accounting of disclosures of 
records, responding to patients' requests for restrictions on 
disclosures, discussing the Patient Notice, and required reporting by 
investigative agencies. These burdens would be recurring. The estimates 
represent 2 percent of the total estimated by the Department for 
compliance with the parallel HIPAA requirements for covered entities. 
This percentage was calculated by dividing the total number of covered 
entities by the number of Part 2 programs (16,066/771,334 = .02). The 
Department recognizes that this is an overestimate because an unknown 
proportion of Part 2 programs are also covered entities. The total in 
Table 13 also includes the Department's estimates for a recurring 
annual burden on investigative agencies of 338 hours, relying on 
previous estimates for the burden of reporting breaches of PHI to the 
Secretary at 1.5 hours per report.

                            Table 14--Estimates for Proposed Nonrecurring New Burdens
----------------------------------------------------------------------------------------------------------------
                                                    Number of                     Average burden
       Type of respondent           Number of     responses per        Total         hours per     Total burden
                                   respondents      respondent       responses       response          hours
----------------------------------------------------------------------------------------------------------------
2.04 Complaint Procedures &          \a\ 16,066                1          16,066            0.75          12,050
 Nonretaliation--Training
 (manager).....................
2.16 Breach Notice--Training             16,066                1          16,066               1          16,066
 (manager).....................
2.22 Patient Notice, incl.              202,072                1         202,072            0.25          50,518
 right to discuss--Training
 (counselor)...................
2.22 Updating Patient Notice             16,066                1          16,066               1          16,066
 (lawyer)......................
2.25 Accounting of Disclosures--         16,066                1          16,066             0.5           8,033
 Training (med. records
 specialist)...................
2.26 Requests for Restrictions--         16,066                3          48,198            0.25          12,050
 Training (receptionist,
 medical records, & billing)...
2.31 Updating Consent Form               16,066                1          16,066            0.66          10,711
 (lawyer)......................
2.31 Obtaining Consent--                 16,066                2          32,132             0.5          16,066
 Training (receptionist).......
2.32 Updating Notice to                  16,066                1          16,066           0.333           5,355
 Accompany Disclosure (manager)
Training Specialist's Time.....          16,066                1          16,066               5          80,330
                                                                 ----------------                ---------------
    Total......................  ..............  ...............         394,862  ..............         215,195
----------------------------------------------------------------------------------------------------------------
\a\ Estimated total number of Part 2 programs.

    As shown in Table 14, the Department estimates one-time burden 
increases as a result of proposed changes to Sec.  2.16, Sec.  2.22, 
Sec.  2.31, and Sec.  2.32 and due to proposed new provisions Sec.  
2.25 and Sec.  2.26. The proposed nonrecurring burdens are for training 
staff on the proposed provisions and for updating forms and notices. 
The Department estimates that each program would need 5 hours of a 
training specialist's time to prepare and present the training for a 
total of 80,330 burden hours.
    For Sec.  2.16, the Department estimates that each program would 
need to train 1 manager on breach notification requirements for 1 hour, 
for a total of 16,066 burden hours. For Sec.  2.22, the Department 
estimates that each program will need 1 hour of a lawyer's time to 
update the content of the Patient Notice (for a total of 16,066 burden 
hours) and 15 minutes to train 202,072 Part 2 counselors on the new 
Patient Notice and right to discuss the Patient Notice requirements 
(for 50,518 total burden hours).
    For Sec.  2.25, the Department estimates that each program would 
need to train a medical records specialist on the requirements of 
proposed accounting of disclosures requirements for 30 minutes, 
resulting in a total burden of approximately 8,033 hours. For Sec.  
2.26, the Department estimates that each program would need to train 
three staff (a front desk receptionist, a medical records technician, 
and a billing clerk (16,066 Part 2 programs x 3 staff)) for 15 minutes 
each on the right of a patient to request restrictions on disclosures 
for TPO. The base wage rate is an average of the mean hourly rate for 
the three occupations being trained. This would total approximately 
12,050 burden hours.
    For Sec.  2.31, each program would need 40 minutes of a lawyer's 
time to update the consent to disclosure form (for a total of 
approximately 10,711 burden hours) and 30 minutes to train an average 
of 2 front desk receptionists on the changed requirements for consent 
(for a total of approximately 16,066 burden hours). For Sec.  2.32, the 
Department estimates that each program would need 20 minutes of a 
health care manager's time to update the content of the notice to 
accompany disclosure with the changed language provided in the proposed 
regulations, for a total of approximately 5,355 burden hours. This is 
likely an over-estimate because an alternative, short form of the 
notice is also provided in regulation, and the language for that form 
is unchanged such that programs that are using the short form notice 
could continue using the same notice and avoid any burden increase.
2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

                               Table 15--Capital Expenses for Part 2 Activities *
----------------------------------------------------------------------------------------------------------------
                                                                     Number of     Average cost    Total breach
         45 CFR breach section                Cost elements          breaches       per breach         cost
----------------------------------------------------------------------------------------------------------------
164.404...............................  Individual Notice--                1,170         $719.95     $842,091.28
                                         Postage, Paper, and
                                         Envelopes.
164.404...............................  Individual Notice--                   55          480.00       26,361.60
                                         Substitute Notice Media
                                         Posting.
164.404...............................  Individual Notice--                   55           74.44        4,088.24
                                         Substitute Notice--Toll-
                                         Free Number.
                                                                 -----------------------------------------------
    Total Breach......................  ........................  ..............  ..............      872,541.12
----------------------------------------------------------------------------------------------------------------
Part 2 section                          Activity................       Number of    Average cost    Total notice
                                                                         notices      per notice            cost
----------------------------------------------------------------------------------------------------------------
2.22..................................  Printing Patient Notice.         932,184            0.10      $93,218.35
2.31..................................  Printing Consent Form...         932,184            0.10       93,218.35
2.32..................................  Printing Notice to               186,437            0.10       18,643.67
                                         Accompany Disclosure.
                                                                 -----------------------------------------------
Total Part 2 Forms....................  ........................  ..............  ..............      205,080.37
                                                                 -----------------------------------------------
Total Capital Costs...................  ........................  ..............  ..............    1,077,621.49
----------------------------------------------------------------------------------------------------------------
* Not all decimal places are shown.

    As shown above in Table 15, Part 2 programs would incur new capital 
costs for providing breach notification. The table also reflects 
existing burdens for printing the Patient Notice, the Notice to 
Accompany Disclosure, and Consents. The Department has estimated 50 
percent of forms used would be printed on paper, taking into account 
the notable increase in the use of telehealth services for the delivery 
of SUD treatment and the expectation that the demand for telehealth 
will continue.\239\
---------------------------------------------------------------------------

    \239\ See Molfenter T, Roget N, Chaple M, Behlman S, Cody O, 
Hartzler B, Johnson E, Nichols M, Stilen P, Becker S, Use of 
Telehealth in Substance Use Disorder Services During and After 
COVID-19: Online Survey Study, JMIR Ment Health 2021;8(2):e25835, 
https://mental.jmir.org/2021/2/e25835.
---------------------------------------------------------------------------

3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520


                       Table 16--New Nonrecurring Burdens of Compliance for 45 CFR 164.520
                                         [As required by 45 CFR 164.530]
----------------------------------------------------------------------------------------------------------------
                                                     Number of                    Average burden
  Privacy rule       Type of         Number of     responses per       Total         hours per     Total burden
    section         respondent      respondents     respondent       responses       response          hours
----------------------------------------------------------------------------------------------------------------
164.530........  Administrative      \a\ 774,331               1         774,331         \b\.333         258,110
                  Requirements--
                  Policies &
                  Procedures--
                  Revising the
                  Notice of
                  Privacy
                  Practices,
                  164.520.
                                 -------------------------------------------------------------------------------
    Total......  ...............  ..............  ..............         774,331  ..............         258,110
----------------------------------------------------------------------------------------------------------------
\a\ Total number of covered entities.
\b\ Not all decimal places are shown.

    As shown in Table 16, above, the Department proposes increasing the 
estimated number of covered entities from 700,000 to 774,331 due to 
updating the estimated total number of covered entities, consistent 
with its estimates associated with the HIPAA NPRM published on January 
21, 2021.\240\ The Department also proposes adding one new burden 
element for covered entities to update the NPP as required by 45 CFR 
164.530 to include the proposed revisions to 45 CFR 164.520. This 
burden estimate is primarily applicable to covered entities that 
receive or maintain Part 2 records because the burdens for covered 
entities that create Part 2 records (i.e., that are Part 2 programs) 
are addressed in the Part 2 ICR, discussed above. However, the 
Department recognizes this likely overestimates the overall compliance 
burden on covered entities because some covered entities may not 
receive or maintain Part 2 records and may find the Part 2 NPP language 
is not applicable. The Department estimates that each covered entity 
that is not a Part 2 program would incur the burden of 20 minutes of a 
lawyer's time to evaluate how the modifications may apply to them and 
to update the NPP accordingly. The Department estimates 258,110 total 
one-time burden hours in the first year attributable to the proposed 
changes to 45 CFR 164.520 in this NPRM and no additional burden 
thereafter.
---------------------------------------------------------------------------

    \240\ See Proposed Modifications to the HIPAA Privacy Rule To 
Support, and Remove Barriers to, Coordinated Care and Individual 
Engagement, 86 FR 6446.
---------------------------------------------------------------------------

List of Subjects

42 CFR Part 2

    Administrative practice and procedure, Alcoholism, Administrative 
practice and procedure, Alcohol use disorder, Breach, Confidentiality, 
Courts, Drug abuse, Electronic information system, Grant programs--
health, Health, Health care, Health care operations, Health care 
providers, Health information exchange, Health plan, Health records, 
HIPAA, HITECH Act, Hospitals, Investigations, Medicaid, Medical 
research, Medicare, Part 2, Part 2 programs, Patient rights, Penalties, 
Privacy, Reporting and record keeping requirements, Security measures, 
Substance use disorder, SUD.

45 CFR Part 164

    Administrative practice and procedure, Breach, Confidentiality, 
Courts, Drug abuse, Electronic information system, Health, Health care, 
Health care operations, Health information exchange, Health plan, 
Health records, HIPAA, HITECH Act, Hospitals, Individual rights, 
Investigations, Medicaid, Medical research, Medicare, Part 2, Patient 
rights, Penalties, Privacy, Reporting and record keeping requirements, 
Security measures, Substance use disorder, SUD.

Proposed Rule

    For the reasons stated in the preamble, the Department of Health 
and Human Services proposes to amend 42 CFR part 2 and 45 CFR part 164 
as set forth below:

Title 42--Public Health

PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

1. Revise the authority citation for part 2 to read as follows:

    Authority:  Sec. 408 of Pub. L. 92-255, 86 Stat. 79, as amended 
by sec. 303(a), (b) of Pub. L. 93-282, 83 Stat. 137, 138; sec. 
4(c)(5)(A) of Pub. L. 94-237, 90 Stat. 244; sec. 111(c)(3) of Pub. 
L. 94-581, 90 Stat. 2852; sec. 509 of Pub. L. 96-88, 93 Stat. 695; 
sec. 973(d) of Pub. L. 97-35, 95 Stat. 598; and transferred to sec. 
527 of the Public Health Service Act by sec. 2(b)(16)(B) of Pub. L. 
98-24, 97 Stat. 182 and as amended by sec. 106 of Pub. L. 99-401, 
100 Stat. 907 (42 U.S.C. 290ee-3) and sec. 333 of Pub. L. 91-616, 84 
Stat. 1853, as amended by sec. 122(a) of Pub. L. 93-282, 88 Stat. 
131; and sec. 111(c)(4) of Pub. L. 94-581, 90 Stat. 2852 and 
transferred to sec. 523 of the Public Health Service Act by sec. 
2(b)(13) of Pub. L. 98-24, 97 Stat. 181 and as amended by sec. 106 
of Pub. L. 99-401, 100 Stat. 907 (42 U.S.C. 290dd-3), as amended by 
sec. 131 of Pub. L. 102-321, 106 Stat. 368, (42 U.S.C. 290dd-2), as 
amended by sec. 3221 of Pub. L. 114-136.

2. Revise Sec.  2.1 to read as follows:


Sec.  2.1   Statutory authority for confidentiality of substance use 
disorder patient records.

    Title 42, United States Code, section 290dd-2(g) authorizes the 
Secretary to prescribe regulations to carry out the purposes of section 
290dd-2. Such regulations may contain such definitions, and may provide 
for such safeguards and procedures, including procedures and criteria 
for the issuance and scope of orders under subsection 290dd-2(b)(2)(C), 
as in the judgment of the Secretary are necessary or proper to 
effectuate the purposes of section 290dd-2, to prevent circumvention or 
evasion thereof, or to facilitate compliance therewith.
3. Amend Sec.  2.2 by revising paragraphs (a) introductory text, 
(a)(2), (a)(3), (a)(4), (b)(1), (b)(2), and (b)(3) to read as follows:


Sec.  2.2   Purpose and effect.

    (a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in 
this part impose restrictions upon the use and disclosure of substance 
use disorder patient records (``records,'' as defined in this part) 
which are maintained in connection with the performance of any part 2 
program. The regulations in this part include the following subparts:
* * * * *
    (2) Subpart C of this part: Uses and Disclosures with Patient 
Consent, including uses and disclosures that require patient consent 
and the consent form requirements;
    (3) Subpart D of this part: Uses and Disclosures without Patient 
Consent, including uses and disclosures which do not require patient 
consent or an authorizing court order; and
    (4) Subpart E of this part: Court Orders Authorizing Use and 
Disclosure, including uses and disclosures of records which may be made 
with an authorizing court order and the procedures and criteria for the entry 
and scope of those orders.
    (b) * * * (1) The regulations in this part prohibit the use and 
disclosure of records unless certain circumstances exist. If any 
circumstance exists under which use or disclosure is permitted, that 
circumstance acts to remove the prohibition on use and disclosure but 
it does not compel the use or disclosure. Thus, the regulations do not 
require use or disclosure under any circumstance other than when 
disclosure is required by the Secretary to investigate or determine a 
person's compliance with this part pursuant to Sec.  2.3(c) of this 
part.
    (2) The regulations in this part are not intended to direct the 
manner in which substantive functions such as research, treatment, and 
evaluation are carried out. They are intended to ensure that a patient 
receiving treatment for a substance use disorder in a part 2 program is 
not made more vulnerable by reason of the availability of their record 
than an individual with a substance use disorder who does not seek 
treatment.
    (3) The regulations in this part shall not be construed to limit:
    (i) A patient's right, as described in 45 CFR 164.522, to request a 
restriction on the use or disclosure of a record for purposes of 
treatment, payment, or health care operations.
    (ii) A covered entity's choice, as described in 45 CFR 164.506, to 
obtain the consent of the patient to use or disclose a record to carry 
out treatment, payment, or health care operations.
4. Revise Sec.  2.3 to read as follows:


Sec.  2.3   Civil and criminal penalties for violations.

    (a) Under 42 U.S.C. 290dd-2(f), any person who violates any 
provision of this part shall be subject to the applicable penalties 
under sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 
1320d-5 and 1320d-6.
    (b) A person who is acting on behalf of an investigative agency 
having jurisdiction over the activities of a part 2 program or other 
person holding part 2 records (or employees or agents of that part 2 
program or person holding the records) shall not incur civil or 
criminal liability under 42 U.S.C. 290dd-2(f) for use or disclosure of 
such records inconsistent with this part that occurs while acting 
within the scope of their employment in the course of investigating or 
prosecuting a part 2 program or person holding the record, if the 
person or investigative agency demonstrates that the following 
conditions are met:
    (1) Before presenting a request, subpoena, or other demand for 
records, or placing an undercover agent or informant in a health care 
practice or provider, as applicable, such person acted with reasonable 
diligence to determine whether the regulations in this part apply to 
the records, program, or other person holding part 2 records. The 
following actions are sufficient to constitute reasonable diligence 
when made within a reasonable period of time (no more than 60 days) 
before requesting records from, or placing an undercover agent or 
informant in, a health care practice or provider where it is reasonable 
to believe that the practice or provider provides substance use 
disorder diagnostic, treatment, or referral for treatment services:
    (i) consulting a prescription drug monitoring program database in 
the state where the investigative agency's investigation is occurring, 
where such database is available and accessible by the investigative 
agency under state law, or
    (ii) checking a practice's or provider's publicly available website 
or physical location to determine whether in fact such services are 
provided.
    (2) The investigative agency followed all of the applicable 
provisions in this part for any use or disclosure of the received part 
2 records that occurred, or will occur, after the investigative agency 
knew, or by exercising reasonable diligence would have known, that it 
received part 2 records.
    (c) The provisions of 45 CFR part 160, subparts C, D, and E, shall 
apply to part 2 programs for violations of this part with respect to 
records in the same manner as they apply to covered entities and 
business associates for violations of 45 CFR parts 160 and 164 with 
respect to protected health information.
5. Revise Sec.  2.4 to read as follows:


Sec.  2.4   Complaints of Violations.

    (a) A part 2 program must provide a process to receive complaints 
concerning the program's compliance with the requirements of this part.
    (b) A part 2 program may not intimidate, threaten, coerce, 
discriminate against, or take other retaliatory action against any 
patient for the exercise by the patient of any right established, or 
for participation in any process provided for, by this part, including 
the filing of a complaint under this section or Sec.  2.3(c).
    (c) A part 2 program may not require patients to waive their right 
to file a complaint under this section or Sec.  2.3 as a condition of 
the provision of treatment, payment, enrollment, or eligibility for any 
program subject to this part.
6. Amend Sec.  2.11 by:
a. Adding in alphabetical order definitions of ``Breach''; ``Business 
associate''; ``Covered entity''; ``Health care operations''; ``HIPAA''; 
``HIPAA regulations'';
b. In the definition of ``Informant'' revising the introductory text;
c. Adding in alphabetical order definitions of ``Intermediary''; and 
``Investigative agency'';
d. Revising the definition of ``Part 2 program director'';
e. Adding a sentence at the end of the definition of ``Patient'';
f. Adding in alphabetical order the definition of ``Payment'';
g. Revising the definition of ``Person'';
h. In the definition of ``Program'' revising paragraph (1);
i. Adding in alphabetical order the definition of ``Public health 
authority'';
j. In the definition of ``Qualified service organization'' revising the 
introductory text, paragraph (2) introductory text, and adding 
paragraph (3);
k. Revising the definition of ``Records'', ``Third-party payer'', 
``Treating provider relationship'', and ``Treatment'';
l. Adding in alphabetical order definitions of ``Unsecured protected 
health information''; ``Unsecured record''; and ``Use''.
    The revisions and additions read as follows:


Sec.  2.11   Definitions.

* * * * *
    Breach has the same meaning given that term in 45 CFR 164.402.
    Business associate has the same meaning given that term in 45 CFR 
160.103.
* * * * *
    Covered entity has the same meaning given that term in 45 CFR 
160.103.
* * * * *
    Health care operations has the same meaning given that term in 45 
CFR 164.501.
    HIPAA means the Health Insurance Portability and Accountability Act 
of 1996, Public Law 104-191, as amended by the Privacy and Security 
provisions in subtitle D of title XIII of the Health Information 
Technology for Economic and Clinical Health Act, Public Law 111-5 
(``HITECH Act'').
    HIPAA regulations means the regulations at 45 CFR parts 160 and 164 
(commonly known as the HIPAA Privacy, Security, Breach Notification, 
and Enforcement Rules or ``HIPAA Rules'').
    Informant means a person:
* * * * *
    Intermediary means a person who has received records under a 
general designation in a written patient consent to be disclosed to one or more 
of its member participant(s) who has a treating provider relationship 
with the patient.
    Investigative agency means a state or federal administrative, 
regulatory, supervisory, investigative, law enforcement, or 
prosecutorial agency having jurisdiction over the activities of a part 
2 program or other person holding part 2 records.
* * * * *
    Part 2 program director means:
    (1) In the case of a part 2 program that is a natural person, that 
person.
    (2) In the case of a part 2 program that is an entity, the person 
designated as director or managing director, or person otherwise vested 
with authority to act as chief executive officer of the part 2 program.
    Patient * * * In provisions where the HIPAA regulations apply in 
this part, Patient means an individual as that term is defined in 45 
CFR 160.103.
* * * * *
    Payment has the same meaning given that term in 45 CFR 164.501.
    Person has the same meaning given that term in 45 CFR 160.103.
    Program * * *
    (1) A person (other than a general medical facility) who holds 
itself out as providing, and provides, substance use disorder 
diagnosis, treatment, or referral for treatment; or
* * * * *
    Public health authority has the same meaning given that term in 45 
CFR 164.501.
    Qualified service organization means a person who:
* * * * *
    (2) Has entered into a written agreement with a part 2 program 
under which that person:
* * * * *
    (3) A qualified service organization includes a person who meets 
the definition of Business associate in 45 CFR 160.103, paragraphs (1), 
(2), and (3), with respect to the use and disclosure of protected 
health information that also constitutes a ``record'' as defined by 
this section.
    Records means any information, whether recorded or not, created by, 
received, or acquired by a part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for treatment information, billing 
information, emails, voice mails, and texts), and including patient 
identifying information, provided, however, that information conveyed 
orally by a part 2 program to a non-part 2 provider for treatment 
purposes with the consent of the patient does not become a record 
subject to this Part in the possession of the non-part 2 provider 
merely because that information is reduced to writing by that non-part 
2 provider. Records otherwise transmitted by a part 2 program to a non-
part 2 provider retain their characteristic as records in the hands of 
the non-part 2 provider, but may be segregated by that provider.
* * * * *
    Third-party payer means a person, other than a health plan as 
defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or 
treatment furnished to a patient on the basis of a contractual 
relationship with the patient or a member of the patient's family or on 
the basis of the patient's eligibility for federal, state, or local 
governmental benefits.
    Treating provider relationship means that, regardless of whether 
there has been an actual in-person encounter:
    (1) A patient is, agrees to be, or is legally required to be 
diagnosed, evaluated, or treated, or agrees to accept consultation, for 
any condition by a person; and
    (2) The person undertakes or agrees to undertake diagnosis, 
evaluation, or treatment of the patient, or consultation with the 
patient, for any condition.
    Treatment has the same meaning given that term in 45 CFR 164.501.
* * * * *
    Unsecured protected health information has the same meaning given 
that term in 45 CFR 164.402.
    Unsecured record means any record, as defined in this part, that is 
not rendered unusable, unreadable, or indecipherable to unauthorized 
persons through the use of a technology or methodology specified by the 
Secretary in the guidance issued under Public Law 111-5, section 
13402(h)(2).
    Use means, with respect to records, the sharing, employment, 
application, utilization, examination, or analysis of the information 
contained in such records that occurs either within an entity that 
maintains such information or in the course of civil, criminal, 
administrative, or legislative proceedings as described at 42 U.S.C. 
290dd-2(c).
* * * * *
7. Amend Sec.  2.12 by:
a. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and 
(a)(2);
b. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5) 
introductory text and (c)(6);
c. Revising paragraphs (d)(1) and (2); and
d. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).
    The revisions read as follows:


Sec.  2.12   Applicability.

    (a) * * * (1) Restrictions on use and disclosure. The restrictions 
on use and disclosure in the regulations in this part apply to any 
records which:
* * * * *
    (ii) Contain substance use disorder information obtained by a 
federally assisted substance use disorder program after March 20, 1972 
(part 2 program), or contain alcohol use disorder information obtained 
by a federally assisted alcohol use disorder or substance use disorder 
program after May 13, 1974 (part 2 program); or if obtained before the 
pertinent date, is maintained by a part 2 program after that date as 
part of an ongoing treatment episode which extends past that date; for 
the purpose of treating a substance use disorder, making a diagnosis 
for that treatment, or making a referral for that treatment.
    (2) Restriction on use. The restriction on use or disclosure of 
information to initiate or substantiate any criminal charges against a 
patient or to conduct any criminal investigation of a patient (42 
U.S.C. 290dd-2(c)) applies to any information, whether or not recorded, 
which is substance use disorder information obtained by a federally 
assisted substance use disorder program after March 20, 1972 (part 2 
program), or is alcohol use disorder information obtained by a 
federally assisted alcohol use disorder or substance use disorder 
program after May 13, 1974 (part 2 program); or if obtained before the 
pertinent date, is maintained by a part 2 program after that date as 
part of an ongoing treatment episode which extends past that date; for 
the purpose of treating a substance use disorder, making a diagnosis 
for the treatment, or making a referral for the treatment.
* * * * *
    (c) * * *
    (2) Uniformed Services. The regulations in this part apply to any 
information described in paragraph (a) of this section which was 
obtained by any component of the Uniformed Services during a period 
when the patient was subject to the Uniform Code of Military Justice 
except:
    (i) Any interchange of that information within the Uniformed 
Services; and
    (ii) Any interchange of that information between the Uniformed 
Services and those components of the Department of Veterans Affairs 
furnishing health care to veterans.
    (3) Communication within a part 2 program or between a part 2 
program and an entity having direct administrative control over that part 2 
program. The restrictions on use and disclosure in the regulations in 
this part do not apply to communications of information between or 
among personnel having a need for the information in connection with 
their duties that arise out of the provision of diagnosis, treatment, 
or referral for treatment of patients with substance use disorders if 
the communications are:
* * * * *
    (4) Qualified service organizations. The restrictions on use and 
disclosure in the regulations in this part do not apply to the 
communications between a part 2 program and a qualified service 
organization of information needed by the qualified service 
organization to provide services to or on behalf of the program.
    (5) Crimes on part 2 program premises or against part 2 program 
personnel. The restrictions on use and disclosure in the regulations in 
this part do not apply to communications from part 2 program personnel 
to law enforcement agencies or officials which:
* * * * *
    (6) Reports of suspected child abuse and neglect. The restrictions 
on use and disclosure in the regulations in this part do not apply to 
the reporting under state law of incidents of suspected child abuse and 
neglect to the appropriate state or local authorities. However, the 
restrictions continue to apply to the original substance use disorder 
patient records maintained by the part 2 program including their use 
and disclosure for civil or criminal proceedings which may arise out of 
the report of suspected child abuse and neglect.
    (d) * * * (1) Restriction on use and disclosure of records. The 
restriction on the use and disclosure of any record subject to the 
regulations in this part to initiate or substantiate criminal charges 
against a patient or to conduct any criminal investigation of a 
patient, or to use in any civil, criminal, administrative, or 
legislative proceedings against a patient, applies to any person who 
obtains the record from a part 2 program, covered entity, business 
associate, intermediary, or other lawful holder, regardless of the 
status of the person obtaining the record or whether the record was 
obtained in accordance with subpart E of this part. This restriction on 
use and disclosure bars, among other things, the introduction into 
evidence of a record or testimony in any criminal prosecution or civil 
action before a Federal or State court, reliance on the record or 
testimony to form part of the record for decision or otherwise be taken 
into account in any proceeding before a Federal, State, or local 
agency, the use of such record or testimony by any Federal, State, or 
local agency for a law enforcement purpose or to conduct any law 
enforcement investigation, and the use of such record or testimony in 
any application for a warrant, absent patient consent or a court order 
in accordance with subpart E of this part. Information obtained by 
undercover agents or informants (see Sec.  2.17) or through patient 
access (see Sec.  2.23) is subject to the restriction on use and 
disclosure.
    (2) Restrictions on use and disclosures--(i) Third-party payers, 
administrative entities, and others. The restrictions on use and 
disclosure in the regulations in this part apply to:
    (A) Third-party payers, as defined in this part, with regard to 
records disclosed to them by part 2 programs or under Sec.  
2.31(a)(4)(i);
    (B) Persons having direct administrative control over part 2 
programs with regard to information that is subject to the regulations 
in this part communicated to them by the part 2 program under paragraph 
(c)(3) of this section; and
    (C) Persons who receive records directly from a part 2 program or 
other lawful holder of patient identifying information and who are 
notified of the prohibition on redisclosure in accordance with Sec.  
2.32.
    (ii) Notwithstanding paragraph (d)(2)(i)(C) of this section, a non-
part 2 treating provider may record information about a substance use 
disorder and its treatment that identifies a patient. This is permitted 
and does not constitute a record that has been redisclosed under part 
2, provided that any substance use disorder records received from a 
part 2 program or other lawful holder are segregated or segmented. The 
act of recording information about a substance use disorder and its 
treatment does not by itself render a medical record which is created 
by a non-part 2 treating provider subject to the restrictions of this 
part 2.
* * * * *
    (e) * * *
    (3) Information to which restrictions are applicable. Whether a 
restriction applies to the use or disclosure of a record affects the 
type of records which may be disclosed. The restrictions on use and 
disclosure apply to any records which would identify a specified 
patient as having or having had a substance use disorder. The 
restriction on use and disclosure of records to bring a civil action or 
criminal charges against a patient in any civil, criminal, 
administrative, or legislative proceedings applies to any records 
obtained by the part 2 program for the purpose of diagnosis, treatment, 
or referral for treatment of patients with substance use disorders. 
(Restrictions on use and disclosure apply to recipients of records as 
specified under paragraph (d) of this section.)
    (4) How type of diagnosis affects coverage. These regulations cover 
any record reflecting a diagnosis identifying a patient as having or 
having had a substance use disorder which is initially prepared by a 
part 2 program in connection with the treatment or referral for 
treatment of a patient with a substance use disorder. A diagnosis 
prepared by a part 2 program for the purpose of treatment or referral 
for treatment, but which is not so used, is covered by the regulations 
in this part. The following are not covered by the regulations in this 
part:
    (i) Diagnosis which is made on behalf of and at the request of a 
law enforcement agency or official or a court of competent jurisdiction 
solely for the purpose of providing evidence; or
* * * * *
7. Amend Sec.  2.13 by revising paragraphs (a), (b) and (c)(1) and 
removing paragraph (d) to read as follows:


Sec.  2.13   Confidentiality restrictions and safeguards.

    (a) General. The patient records subject to the regulations in this 
part may be used or disclosed only as permitted by the regulations in 
this part and may not otherwise be used or disclosed in any civil, 
criminal, administrative, or legislative proceedings conducted by any 
federal, state, or local authority. Any use or disclosure made under 
the regulations in this part must be limited to that information which 
is necessary to carry out the purpose of the use or disclosure.
    (b) Unconditional compliance required. The restrictions on use and 
disclosure in the regulations in this part apply whether or not the 
part 2 program or other lawful holder of the patient identifying 
information believes that the person seeking the information already 
has it, has other means of obtaining it, is a law enforcement agency or 
official or other government official, has obtained a subpoena, or 
asserts any other justification for a use or disclosure which is not 
permitted by the regulations in this part.
    (c) * * * (1) The presence of an identified patient in a health 
care facility or component of a health care facility that is publicly 
identified as a 
place where only substance use disorder diagnosis, treatment, or 
referral for treatment is provided may be acknowledged only if the 
patient's written consent is obtained in accordance with subpart C of 
this part or if an authorizing court order is entered in accordance 
with subpart E of this part. The regulations permit acknowledgment of 
the presence of an identified patient in a health care facility or part 
of a health care facility if the health care facility is not publicly 
identified as only a substance use disorder diagnosis, treatment, or 
referral for treatment facility, and if the acknowledgment does not 
reveal that the patient has a substance use disorder.
* * * * *
8. Amend Sec.  2.14 by revising paragraphs (a), (b)(1), (b)(2) 
introductory text, (b)(2)(ii) and (c) to read as follows:


Sec.  2.14   Minor patients.

    (a) State law not requiring parental consent to treatment. If a 
minor patient acting alone has the legal capacity under the applicable 
state law to apply for and obtain substance use disorder treatment, any 
written consent for use or disclosure authorized under subpart C of 
this part may be given only by the minor patient. This restriction 
includes, but is not limited to, any disclosure of patient identifying 
information to the parent or guardian of a minor patient for the 
purpose of obtaining financial reimbursement. These regulations do not 
prohibit a part 2 program from refusing to provide treatment until the 
minor patient consents to a use or disclosure that is necessary to 
obtain reimbursement, but refusal to provide treatment may be 
prohibited under a state or local law requiring the program to furnish 
the service irrespective of ability to pay.
    (b) * * * (1) Where state law requires consent of a parent, 
guardian, or other person for a minor to obtain treatment for a 
substance use disorder, any written consent for use or disclosure 
authorized under subpart C of this part must be given by both the minor 
and their parent, guardian, or other person authorized under state law 
to act on the minor's behalf.
    (2) Where state law requires parental consent to treatment, the 
fact of a minor's application for treatment may be communicated to the 
minor's parent, guardian, or other person authorized under state law to 
act on the minor's behalf only if:
* * * * *
    (ii) The minor lacks the capacity to make a rational choice 
regarding such consent as determined by the part 2 program director 
under paragraph (c) of this section.
    (c) Minor applicant for services lacks capacity for rational 
choice. Facts relevant to reducing a substantial threat to the life or 
physical well-being of the minor applicant or any other person may be 
disclosed to the parent, guardian, or other person authorized under 
state law to act on the minor's behalf if the part 2 program director 
determines that:
    (1) A minor applicant for services lacks capacity because of 
extreme youth or mental or physical condition to make a rational 
decision on whether to consent to a disclosure under subpart C of this 
part to their parent, guardian, or other person authorized under state 
law to act on the minor's behalf; and
    (2) The minor applicant's situation poses a substantial threat to 
the life or physical well-being of the minor applicant or any other 
person which may be reduced by communicating relevant facts to the 
minor's parent, guardian, or other person authorized under state law to 
act on the minor's behalf.
9. Amend Sec.  2.15 by revising the section heading, paragraphs (a) and 
(b)(2) to read as follows.


Sec.  2.15  Patients who lack capacity and deceased patients.

    (a) Adult patients who lack capacity to make health care decisions. 
(1) Adjudication by a court. In the case of a patient who has been 
adjudicated as lacking the capacity, for any reason other than 
insufficient age, to make their own health care decisions, any consent 
which is required under the regulations in this part may be given by 
the guardian or other person authorized under state law to act on the 
patient's behalf.
    (2) No adjudication by a court. In the case of a patient, other 
than a minor or one who has been adjudicated as lacking the capacity to 
make health care decisions, that for any period suffers from a medical 
condition that prevents knowing or effective action on their own 
behalf, the part 2 program director may exercise the right of the 
patient to consent to a use or disclosure under subpart C of this part 
for the sole purpose of obtaining payment for services from a third-
party payer or health plan.
    (b) * * *
    (2) Consent by personal representative. Any other use or disclosure 
of information identifying a deceased patient as having a substance use 
disorder is subject to the regulations in this part. If a written 
consent to the use or disclosure is required, that consent may be given 
by an executor, administrator, or other personal representative 
appointed under applicable state law. If there is no such applicable 
state law appointment, the consent may be given by the patient's spouse 
or, if none, by any responsible member of the patient's family.
10. Amend Sec.  2.16 by:
a. Revising the section heading and paragraphs (a) introductory text, 
(a)(1)(v), and (a)(2)(iv); and
b. Adding paragraph (b).
    The revisions and addition read as follows:


Sec.  2.16  Security for records and notification of breaches.

    (a) The part 2 program or other lawful holder of patient 
identifying information must have in place formal policies and 
procedures to reasonably protect against unauthorized uses and 
disclosures of patient identifying information and to protect against 
reasonably anticipated threats or hazards to the security of patient 
identifying information. These formal policies and procedures must 
address all of the following:
    (1) * * *
    (v) Rendering patient identifying information de-identified in 
accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 
164.514(b) such that there is no reasonable basis to believe that the 
information can be used to identify a particular patient as having or 
having had a substance use disorder.
    (2) * * *
    (iv) Rendering the patient identifying information de-identified in 
accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 
164.514(b) such that there is no reasonable basis to believe that the 
information can be used to identify a patient as having or having had a 
substance use disorder.
    (b) The provisions of 45 CFR part 160 and subpart D of part 164 
shall apply to part 2 programs with respect to breaches of unsecured 
records in the same manner as those provisions apply to a covered 
entity with respect to breaches of unsecured protected health 
information.
11. Amend Sec.  2.17 by revising paragraph (b) to read as follows.


Sec.  2.17  Undercover agents and informants.

* * * * *
    (b) Restriction on use of information. No information obtained by 
an undercover agent or informant, whether or not that undercover agent 
or informant is placed in a part 2 program pursuant to an authorizing 
court order, may be used or disclosed to criminally investigate or 
prosecute any patient.

12. Amend Sec.  2.19 by:
a. Adding paragraph (a)(3);
b. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory 
text, (b)(1)(i)(A), and (b)(2).
    The addition and revisions read as follows:


Sec.  2.19  Disposition of records by discontinued programs.

    (a) * * *
    (3) The Part 2 program is transferred, retroceded, or reassumed 
pursuant to the Indian Self-Determination and Education Assistance Act 
(ISDEAA), 25 U.S.C. 5301 et seq., and its implementing regulations.
    (b) * * *
    (1) Records in non-electronic (e.g., paper) form must be:
    (i) Sealed in envelopes or other containers labeled as follows: 
``Records of [insert name of program] required to be maintained under 
[insert citation to statute, regulation, court order or other legal 
authority requiring that records be kept] until a date not later than 
[insert appropriate date]''.
    (A) All hard copy media from which the paper records were produced, 
such as printer and facsimile ribbons, drums, etc., must be sanitized 
to render the data non-retrievable.
* * * * *
    (2) All of the following requirements apply to records in 
electronic form:
    (i) Records must be:
    (A) Transferred to a portable electronic device with implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key; or
    (B) Transferred, along with a backup copy, to separate electronic 
media, so that both the records and the backup copy have implemented 
encryption to encrypt the data at rest so that there is a low 
probability of assigning meaning without the use of a confidential 
process or key and implemented access controls for the confidential 
process or key.
    (ii) Within one year of the discontinuation or acquisition of the 
program, all electronic media on which the patient records or patient 
identifying information resided prior to being transferred to the 
device specified in paragraph (b)(2)(i)(A) of this section or the 
original and backup electronic media specified in paragraph 
(b)(2)(i)(B) of this section, including email and other electronic 
communications, must be sanitized to render the patient identifying 
information non-retrievable in a manner consistent with the 
discontinued program's or acquiring program's policies and procedures 
established under Sec.  2.16.
    (iii) The portable electronic device or the original and backup 
electronic media must be:
    (A) Sealed in a container along with any equipment needed to read 
or access the information, and labeled as follows: ``Records of [insert 
name of program] required to be maintained under [insert citation to 
statute, regulation, court order or other legal authority requiring 
that records be kept] until a date not later than [insert appropriate 
date];'' and
    (B) Held under the restrictions of the regulations in this part by 
a responsible person who must store the container in a manner that will 
protect the information (e.g., climate-controlled environment).
    (iv) The responsible person must be included on the access control 
list and be provided a means for decrypting the data. The responsible 
person must store the decryption tools on a device or at a location 
separate from the data they are used to encrypt or decrypt.
    (v) As soon as practicable after the end of the required retention 
period specified on the label, the portable electronic device or the 
original and backup electronic media must be sanitized to render the 
patient identifying information non-retrievable consistent with the 
policies established under Sec.  2.16.
13. Revise Sec.  2.20 to read as follows.


Sec.  2.20  Relationship to state laws.

    The statute authorizing the regulations in this part (42 U.S.C. 
290dd-2) does not preempt the field of law which they cover to the 
exclusion of all state laws in that field. If a use or disclosure 
permitted under the regulations in this part is prohibited under state 
law, neither the regulations in this part nor the authorizing statute 
may be construed to authorize any violation of that state law. However, 
no state law may either authorize or compel any use or disclosure 
prohibited by the regulations in this part.
14. Amend Sec.  2.21 by revising paragraph (b) to read as follows:


Sec.  2.21   Relationship to federal statutes protecting research 
subjects against compulsory disclosure of their identity.

* * * * *
    (b) Effect of concurrent coverage. These regulations restrict the 
use and disclosure of information about patients, while administrative 
action taken under the research privilege statutes and implementing 
regulations protects a person engaged in applicable research from being 
compelled to disclose any identifying characteristics of the 
individuals who are the subjects of that research. The issuance under 
subpart E of this part of a court order authorizing a disclosure of 
information about a patient does not affect an exercise of authority 
under these research privilege statutes.
15. Revise Sec.  2.22 to read as follows:


Sec.  2.22  Notice to patients of federal confidentiality requirements.

    (a) Notice required. At the time of admission to a part 2 program 
or, in the case that a patient does not have capacity upon admission to 
understand their medical status, as soon thereafter as the patient 
attains such capacity, each part 2 program shall inform the patient 
that federal law protects the confidentiality of substance use disorder 
patient records.
    (b) Content of notice. In addition to the communication required in 
paragraph (a), a part 2 program shall provide notice, written in plain 
language, of the program's legal duties and privacy practices, as 
specified in this paragraph.
    (1) The notice must include the following content:
    (i) Header. The notice must contain the following statement as a 
header or otherwise prominently displayed.

NOTICE OF PRIVACY PRACTICES OF [PART 2 PROGRAM]

    THIS NOTICE DESCRIBES:

• HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
• YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
• HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE 
PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS 
CONCERNING YOUR INFORMATION

    YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR 
ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT 
[PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS.

    (ii) Uses and disclosures. The notice must contain:
    (A) A description of each of the purposes for which the part 2 
program is permitted or required by this part to use or disclose 
records without the patient's written consent.
    (B) If a use or disclosure for any purpose described in paragraph 
(b)(1)(ii)(A) of this section is prohibited or materially limited by 
other applicable law, the description of such use or disclosure must 
reflect the more stringent law.
    (C) For each purpose described in accordance with paragraphs 
(b)(1)(ii)(A) and (B) of this section, the description must include 
sufficient detail to place 
the patient on notice of the uses and disclosures that are permitted or 
required by this part and other applicable law.
    (D) A description, including at least one example, of the types of 
uses and disclosures that require written consent under this part.
    (E) A statement that a patient may provide a single consent for all 
future uses or disclosures for treatment, payment, and health care 
operations purposes.
    (F) A statement that the program will make uses and disclosures not 
described in the notice only with the patient's written consent.
    (G) A statement that the patient may revoke written consent as 
provided by Sec.  2.31 and Sec.  2.35 of this part.
    (H) A statement that includes the following information:
    (1) Records, or testimony relaying the content of such records, 
shall not be used or disclosed in any civil, administrative, criminal 
or legislative proceedings against the patient unless based on specific 
written consent or a court order;
    (2) Records shall only be used or disclosed based on a court order 
after notice and an opportunity to be heard is provided to the patient 
or the holder of the record, where required by 42 U.S.C. 290dd-2 and 42 
CFR part 2; and
    (3) A court order authorizing use or disclosure must be accompanied 
by a subpoena or other legal requirement compelling disclosure before 
the requested record is used or disclosed.
    (iii) Separate statements for certain uses or disclosures. If the 
program intends to engage in any of the following activities, the 
description required by paragraph (b)(1)(ii)(D) of this section must 
include a separate statement as follows:
    (A) Records that are disclosed to a program, covered entity, or 
business associate pursuant to the patient's written consent for 
treatment, payment, and health care operations may be further disclosed 
by that program, covered entity, or business associate, without the 
patient's written consent, to the extent the HIPAA Privacy Rule permits 
such disclosure.
    (B) Records that a program, covered entity, or business associate 
intends to use or disclose to fundraise for the benefit of the program, 
covered entity, or business associate, may be used or disclosed only 
with your valid written consent that complies with the requirements of 
42 CFR part 2.
    (iv) Patient rights. The notice must contain a statement of the 
patient's rights with respect to their records and a brief description 
of how the patient may exercise these rights, as follows:
    (A) Right to request restrictions of disclosures made with prior 
consent for purposes of treatment, payment, and health care operations, 
as provided in 42 CFR 2.26.
    (B) Right to request and obtain restrictions of disclosures of part 
2 records to the patient's health plan for those services for which the 
patient has paid in full, in the same manner as 45 CFR 164.522 applies 
to disclosures of protected health information.
    (C) Right to an accounting of disclosures of electronic part 2 
records for the past 3 years, as provided in 42 CFR 2.25, and a right 
to an accounting of disclosures that meets the requirements of 45 CFR 
164.528(a)(2) and (b)-(d) for all other disclosures made with consent.
    (D) Right to obtain a paper or electronic copy of the notice from 
the program upon request.
    (E) Right to discuss the notice with a designated contact person 
identified by the part 2 program pursuant to paragraph (b)(1)(vii).
    (v) Part 2 program's duties. The notice must contain:
    (A) A statement that the part 2 program is required by law to 
maintain the privacy of records, to provide patients with notice of its 
legal duties and privacy practices with respect to records, and to 
notify affected patients following a breach of unsecured records;
    (B) A statement that the part 2 program is required to abide by the 
terms of the notice currently in effect; and
    (C) For the part 2 program to apply a change in a privacy practice 
that is described in the notice to records that the part 2 program 
created or received prior to issuing a revised notice, a statement that 
it reserves the right to change the terms of its notice and to make the 
new notice provisions effective for records that it maintains. The 
statement must also describe how it will provide patients with a 
revised notice.
    (vi) Complaints. The notice must contain a statement that patients 
may complain to the part 2 program and to the Secretary if they believe 
their privacy rights have been violated, a brief description of how the 
patient may file a complaint with the program, and a statement that the 
patient will not be retaliated against for filing a complaint.
    (vii) Contact. The notice must contain the name, or title, 
telephone number, and email address of a person or office to contact 
for further information about the notice.
    (viii) Effective date. The notice must contain the date on which 
the notice is first in effect, which may not be earlier than the date 
on which the notice is printed or otherwise published.
    (2) Optional elements. (i) In addition to the content required by 
paragraph (b)(1) of this section, if a part 2 program elects to limit 
the uses or disclosures that it is permitted to make under this part, 
the part 2 program may describe its more limited uses or disclosures in 
its notice, provided that the part 2 program may not include in its 
notice a limitation affecting its right to make a use or disclosure 
that is required by law or permitted to be made for emergency 
treatment.
    (ii) For the part 2 program to apply a change in its more limited 
uses and disclosures to records created or received prior to issuing a 
revised notice, the notice must include the statements required by 
paragraph (b)(1)(v)(C) of this section.
    (3) Revisions to the notice. The part 2 program must promptly 
revise and distribute its notice whenever there is a material change to 
the uses or disclosures, the patient's rights, the program's legal 
duties, or other privacy practices stated in the notice. Except when 
required by law, a material change to any term of the notice may not be 
implemented prior to the effective date of the notice in which such 
material change is reflected.
    (c) Implementation specifications: Provision of notice. A part 2 
program must make the notice required by this section available upon 
request to any person and to any patient; and
    (1) A part 2 program must provide the notice:
    (i) No later than the date of the first service delivery, including 
service delivered electronically, to such patient after the compliance 
date for the program; or
    (ii) In an emergency treatment situation, as soon as reasonably 
practicable after the emergency treatment situation.
    (2) If the part 2 program maintains a physical service delivery 
site:
    (i) Have the notice available at the service delivery site for 
patients to request to take with them; and
    (ii) Post the notice in a clear and prominent location where it is 
reasonable to expect patients seeking service from the part 2 program 
to be able to read the notice in a manner that does not identify the 
patient as receiving treatment or services for substance use disorder; 
and
    (iii) Whenever the notice is revised, make the notice available 
upon request on or after the effective date of the 
revision and promptly comply with the requirements of paragraph 
(c)(2)(ii) of this section, if applicable.
    (3) Specific requirements for electronic notice:
    (i) A part 2 program that maintains a website that provides 
information about the part 2 program's customer services or benefits 
must prominently post its notice on the website and make the notice 
available electronically through the website.
    (ii) A part 2 program may provide the notice required by this 
section to patient by email, if the patient agrees to electronic notice 
and such agreement has not been withdrawn. If the part 2 program knows 
that the email transmission has failed, a paper copy of the notice must 
be provided to the patient. Provision of electronic notice by the part 
2 program will satisfy the provision requirements of paragraph (c) of 
this section when timely made in accordance with paragraph (c)(1) or 
(2) of this section.
    (iii) For purposes of paragraph (c)(2)(i) of this section, if the 
first service delivery to an individual is delivered electronically, 
the part 2 program must provide electronic notice automatically and 
contemporaneously in response to the individual's first request for 
service. The requirements in paragraph (c)(2)(ii) of this section apply 
to electronic notice.
    (iv) The patient who is the recipient of electronic notice retains 
the right to obtain a paper copy of the notice from a part 2 program 
upon request.
16. Amend Sec.  2.23 by revising the section heading and paragraph (b) 
to read as follows.


Sec.  2.23   Patient access and restrictions on use and disclosure.

* * * * *
    (b) Restriction on use and disclosure of information. Information 
obtained by patient access to their record is subject to the 
restriction on use and disclosure of records to initiate or 
substantiate any criminal charges against the patient or to conduct any 
criminal investigation of the patient as provided for under Sec.  
2.12(d)(1).
17. Add Sec.  2.24 to subpart B to read as follows:


Sec.  2.24  Requirements for intermediaries.

    Upon request, an intermediary must provide to patients who have 
consented to the disclosure of their records using a general 
designation, pursuant to Sec.  2.31(a)(4)(ii)(B), a list of persons to 
which their records have been disclosed pursuant to the general 
designation.
    (a) Under this provision, patient requests:
    (1) Must be made in writing; and
    (2) Are limited to disclosures made within the past three years.
    (b) Under this provision, the entity named on the consent form that 
discloses information pursuant to a patient's general designation (the 
entity that serves as an intermediary) must:
    (1) Respond in 30 or fewer days of receipt of the written request; 
and
    (2) Provide, for each disclosure, the name(s) of the entity(ies) to 
which the disclosure was made, the date of the disclosure, and a brief 
description of the patient identifying information disclosed.
18. Add Sec.  2.25 to subpart B to read as follows.


Sec.  2.25  Accounting of disclosures.

    (a) General rule. Subject to the limitations in paragraph (b) of 
this section, a part 2 program must provide to a patient, upon request, 
an accounting of all disclosures made with consent under Sec.  2.31 in 
the six years prior to the date of the request (or a shorter time 
period chosen by the patient). The accounting of disclosures must meet 
the requirements of 45 CFR 164.528(a)(2) and (b)-(d).
    (b) Accounting of disclosures for treatment, payment, and health 
care operations. (1) A part 2 program must provide a patient with an 
accounting of disclosures of records for treatment, payment, and health 
care operations only where such disclosures are made through an 
electronic health record.
    (2) A patient has a right to receive an accounting of disclosures 
described in paragraph (b)(1) of this section during only the three 
years prior to the date on which the accounting is requested.
19. Add Sec.  2.26 to subpart B to read as follows:


Sec.  2.26  Right to request privacy protection for records.

    (a)(1) A part 2 program must permit a patient to request that the 
part 2 program restrict uses or disclosures of records about the 
patient to carry out treatment, payment, or health care operations, 
including when the patient has signed written consent for such 
disclosures.
    (2) Except as provided in paragraph (a)(6) of this section, a part 
2 program is not required to agree to a restriction.
    (3) A part 2 program that agrees to a restriction under paragraph 
(a)(1) of this section may not use or disclose records in violation of 
such restriction, except that, if the patient who requested the 
restriction is in need of emergency treatment and the restricted record 
is needed to provide the emergency treatment, the program may use the 
restricted record, or may disclose information derived from the record 
to a health care provider, to provide such treatment to the patient.
    (4) If information from a restricted record is disclosed to a 
health care provider for emergency treatment under paragraph (a)(3) of 
this section, the part 2 program must request that such health care 
provider not further use or disclose the information.
    (5) A restriction agreed to by a part 2 program under paragraph (a) 
of this section, is not effective under this subpart to prevent uses or 
disclosures required by law or permitted by this regulation for 
purposes other than treatment, payment, and health care operations, as 
defined in this regulation.
    (6) A part 2 program must agree to the request of a patient to 
restrict disclosure of records about the patient to a health plan if:
    (i) The disclosure is for the purpose of carrying out payment or 
health care operations and is not otherwise required by law; and
    (ii) The record pertains solely to a health care item or service 
for which the patient, or person other than the health plan on behalf 
of the patient, has paid the program in full.
    (b) A program may terminate a restriction, if one of the following 
applies:
    (1) The patient agrees to or requests the termination in writing.
    (2) The patient orally agrees to the termination and the oral 
agreement is documented.
    (3) The program informs the patient that it is terminating its 
agreement to a restriction, except that such termination is:
    (i) Not effective for records restricted under paragraph (a)(6) of 
this section; and
    (ii) Only effective with respect to records created or received 
after it has so informed the patient.
20. Revise the heading of subpart C to read as follows:

Subpart C--Uses and Disclosures With Patient Consent

* * * * *
21. Amend Sec.  2.31 by:
a. Revising paragraph (a) introductory text, and paragraphs (a)(2) 
through (a)(8);
b. Adding paragraph (a)(10); and
c. Revising paragraph (b)(4).
    The revisions and additions read as follows:


Sec.  2.31   Consent requirements.

    (a) Required elements for written consent. A written consent to a 
use or 
disclosure under the regulations in this part may be paper or 
electronic and must include:
* * * * *
    (2) The name or other specific identification of the person(s), or 
class of persons, authorized to make the requested use or disclosure.
    (3) A description of the information to be used or disclosed that 
identifies the information in a specific and meaningful fashion.
    (4)(i) General requirement for designating recipients. The name(s) 
of the person(s), or class of persons, to which a disclosure is to be 
made (``recipient(s)''). For a single consent for all future uses and 
disclosures for treatment, payment, and health care operations, the 
recipient may be described as ``my treating providers, health plans, 
third-party payers, and people helping to operate this program'' or a 
similar statement.
    (ii) Special instructions for intermediaries. Notwithstanding 
paragraph (a)(4)(i) of this section, if the recipient entity is an 
intermediary, a written consent must include the name(s) of the 
intermediary(ies) and
    (A) The name(s) of the member participants of the intermediary; or
    (B) A general designation of a participant(s) or class of 
participants, which must be limited to a participant(s) who has a 
treating provider relationship with the patient whose information is 
being used or disclosed.
    (iii) Special instructions when designating certain recipients. If 
the recipient is a program, covered entity, or business associate to 
whom a record (or information contained in a record) is disclosed for 
purposes of treatment, payment, or health care operations as defined in 
this part, a written consent must include the statement that the 
patient's record (or information contained in the record) may be 
redisclosed in accordance with the permissions contained in the HIPAA 
Privacy Rule, except for uses and disclosures for civil, criminal, 
administrative, and legislative proceedings against the patient.
    (5) A description of each purpose of the requested use or 
disclosure.
    (i) The statement ``at the request of the patient'' is a sufficient 
description of the purpose when a patient initiates the consent and 
does not, or elects not to, provide a statement of the purpose.
    (ii) The statement, ``for treatment, payment, and health care 
operations'' is a sufficient description of the purpose when a patient 
provides consent once for all such future uses or disclosures for those 
purposes.
    (iii) Fundraising. If applicable, a statement that a patient 
consents to the use or disclosure of the patient's records for the 
purpose of fundraising for the benefit of the program.
    (6) The patient's right to revoke the consent in writing, except to 
the extent that the part 2 program, or other lawful holder of patient 
identifying information that is permitted to make the disclosure, has 
already acted in reliance on it, and how the patient may revoke 
consent.
    (7) An expiration date or an expiration event that relates to the 
individual patient or the purpose of the use or disclosure. The 
statement ``end of the treatment,'' ``none,'' or similar language is 
sufficient if the consent is for a use or disclosure for treatment, 
payment, or health care operations. The statement ``end of the research 
study'' or similar language is sufficient if the consent is for a use 
or disclosure for research, including for the creation and maintenance 
of a research database or research repository.
    (8) The signature of the patient and, when required for a patient 
who is a minor, the signature of a person authorized to give consent 
under Sec.  2.14; or, when required for a patient who lacks the 
capacity to make their own health care decisions or is deceased, the 
signature of a person authorized to sign under Sec.  2.15. Electronic 
signatures are permitted to the extent that they are not prohibited by 
any applicable law.
* * * * *
    (10) A patient's written consent to use or disclose records for 
treatment, payment, or health care operations must include all of the 
following statements:
    (i) The potential for the records used or disclosed pursuant to the 
consent to be subject to redisclosure by the recipient and no longer 
protected by this part.
    (ii) The consequences to the patient of a refusal to sign the 
consent.
    (b) * * *
    (4) Is known, or through reasonable diligence could be known, by 
the person holding the records to be materially false.
22. Amend Sec.  2.32 by revising the section heading and paragraph (a) 
to read as follows:


Sec.  2.32   Notice to accompany disclosure.

    (a) Notice to accompany disclosure. Each disclosure made with the 
patient's written consent must be accompanied by one of the following 
written statements (i.e., either (a)(1) or (a)(2) of this section):
    (1) ``This record which has been disclosed to you is protected by 
federal confidentiality rules (42 CFR part 2). These rules prohibit you 
from using or disclosing this record, or testimony that describes the 
information contained in this record, in any civil, criminal, 
administrative, or legislative proceedings by any Federal, State, or 
local authority, against the patient, unless authorized by the consent 
of the patient, except as provided at 42 CFR 2.12(c)(5) or as 
authorized by a court in accordance with 42 CFR 2.64 or 2.65 and 
compelled by subpoena or other legal requirement. In addition, the 
federal rules prohibit you from making any other use or disclosure of 
this record unless at least one of the following applies:
    (i) Further use or disclosure is expressly permitted by the written 
consent of the individual whose information is being disclosed in this 
record or is otherwise permitted by 42 CFR part 2.
    (ii) You are a covered entity or business associate and have 
received the record for treatment, payment, or health care operations 
as defined in this part, or
    (iii) You have received the record from a covered entity or 
business associate as permitted by 45 CFR part 164 subparts A and E.
    (iv) A general authorization for the release of medical or other 
information is NOT sufficient to meet the required elements of written 
consent to further use or redisclose the record (see 42 CFR 2.31).''
    (2) 42 CFR part 2 prohibits unauthorized use or disclosure of these 
records.
* * * * *
23. Revise Sec.  2.33 to read as follows:


Sec.  2.33   Uses and disclosures permitted with written consent.

    (a) If a patient consents to a use or disclosure of their records 
consistent with Sec.  2.31, a part 2 program may disclose those records 
in accordance with that consent to any person or category of persons 
identified or generally designated in the consent, except that 
disclosures to central registries and in connection with criminal 
justice referrals must meet the requirements of Sec. Sec.  2.34 and 
2.35, respectively.
    (b) If a patient consents to a use or disclosure of their records 
consistent with Sec.  2.31, the recipient may further use or disclose 
such records as provided in subpart E of this part, and as follows:
    (1) When disclosed for treatment, payment, and health care 
operations activities as defined in this part, to a program, covered 
entity, or business associate, the recipient may further use or 
disclose those records as permitted 
by 45 CFR part 164, except for uses and disclosures for civil, 
criminal, administrative, and legislative proceedings against the 
patient.
    (2) When disclosed with consent given once for all future 
treatment, payment, and health care operations activities to a part 2 
program that is not a covered entity or business associate, the 
recipient may further use or disclose those records consistent with the 
consent.
    (3) When disclosed for payment or health care operations activities 
to a lawful holder that is not a covered entity, business associate, or 
part 2 program, the recipient may further use or disclose those records 
as may be necessary for its contractors, subcontractors, or legal 
representatives to carry out the payment or health care operations 
specified in the consent on behalf of such lawful holders.
    (c) Lawful holders, other than covered entities and business 
associates, who wish to redisclose patient identifying information 
pursuant to paragraph (b)(2) of this section must have in place a 
written contract or comparable legal instrument with the contractor or 
voluntary legal representative, which provides that the contractor, 
subcontractor, or voluntary legal representative is fully bound by the 
provisions of part 2 upon receipt of the patient identifying 
information. In making any such redisclosures, the lawful holder must 
furnish such recipients with the notice required under Sec.  2.32; 
require such recipients to implement appropriate safeguards to prevent 
unauthorized uses and disclosures; and require such recipients to 
report any unauthorized uses, disclosures, or breaches of patient 
identifying information to the lawful holder. The lawful holder may 
only redisclose information to the contractor or subcontractor or 
voluntary legal representative that is necessary for the contractor or 
subcontractor or voluntary legal representative to perform its duties 
under the contract or comparable legal instrument. Contracts may not 
permit a contractor or subcontractor or voluntary legal representative 
to redisclose information to a third party unless that third party is a 
contract agent of the contractor or subcontractor, helping them provide 
services described in the contract, and only as long as the agent only 
further discloses the information back to the contractor or lawful 
holder from which the information originated.
24. Amend Sec.  2.34 by revising the section heading and paragraph (b) 
to read as follows:


Sec.  2.34  Uses and Disclosures to prevent multiple enrollments.

* * * * *
    (b) Use of information in records limited to prevention of multiple 
enrollments. A central registry and any withdrawal management or 
maintenance treatment program to which information is disclosed to 
prevent multiple enrollments may not use or redisclose patient 
identifying information for any purpose other than the prevention of 
multiple enrollments or to ensure appropriate coordinated care with a 
treating provider that is not a part 2 program unless authorized by a 
court order under subpart E of this part.
* * * * *
25. Amend Sec.  2.35 by revising paragraphs (a) introductory text, 
(a)(1), (b)(3), and (d) to read as follows:


Sec.  2.35  Disclosures to elements of the criminal justice system 
which have referred patients.

    (a) A part 2 program may disclose information from a record about a 
patient to those persons within the criminal justice system who have 
made participation in the part 2 program a condition of the disposition 
of any criminal proceedings against the patient or of the patient's 
parole or other release from custody if:
    (1) The disclosure is made only to those persons within the 
criminal justice system who have a need for the information in 
connection with their duty to monitor the patient's progress (e.g., a 
prosecuting attorney who is withholding charges against the patient, a 
court granting pretrial or post-trial release, probation or parole 
officers responsible for supervision of the patient); and
* * * * *
    (b) * * *
    (3) Such other factors as the part 2 program, the patient, and the 
person(s) within the criminal justice system who will receive the 
disclosure consider pertinent.
* * * * *
    (d) Restrictions on use and redisclosure. Any persons within the 
criminal justice system who receive patient information under this 
section may use and redisclose it only to carry out official duties 
with regard to the patient's conditional release or other action in 
connection with which the consent was given.
26. Revise the heading of subpart D to read as follows:

Subpart D--Uses and Disclosures Without Patient Consent

* * * * *
27. Amend Sec.  2.51 by revising paragraph (c)(2) to read as follows:


Sec.  2.51   Medical emergencies.

* * * * *
    (c) * * *
    (2) The name of the person making the disclosure;
* * * * *
28. Amend Sec.  2.52 by:
a. Revising the section heading and paragraphs (a) introductory text, 
(a)(1) introductory text and (a)(2);
b. Revising paragraphs (b) introductory text, (b)(2) and (3);
c. Revising paragraph (c)(1) introductory text and adding paragraph 
(c)(1)(iii); and
d. Removing the second paragraph (c)(2).
    The revisions and addition read as follows:


Sec.  2.52   Scientific research.

    (a) Notwithstanding other provisions of this part, including 
paragraph (b)(2) of this section, patient identifying information may 
be used or disclosed for the purposes of the recipient conducting 
scientific research if:
    (1) The person designated as director or managing director, or 
person otherwise vested with authority to act as chief executive 
officer or their designee, of a part 2 program or other lawful holder 
of part 2 data, makes a determination that the recipient of the patient 
identifying information is:
* * * * *
    (2) The part 2 program or other lawful holder of part 2 data is a 
HIPAA covered entity or business associate, and the use or disclosure 
is made in accordance with the HIPAA Privacy Rule requirements at 45 
CFR 164.512(i).
* * * * *
    (b) Any person conducting scientific research using patient 
identifying information obtained under paragraph (a) of this section:
* * * * *
    (2) Must not redisclose patient identifying information except back 
to the person from whom that patient identifying information was 
obtained or as permitted under paragraph (c) of this section.
    (3) May include part 2 data in research reports only in aggregate 
form in which patient identifying information has been de-identified in 
accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 
164.514(b) such that there is no reasonable basis to believe that the 
information can be used 
to identify a patient as having or having had a substance use disorder.
* * * * *
    (c) * * * (1) Researchers. Any person conducting scientific 
research using patient identifying information obtained under paragraph 
(a) of this section that requests linkages to data sets from a data 
repository(ies) holding patient identifying information must:
* * * * *
    (iii) Ensure that patient identifying information is not 
redisclosed for data linkage purposes other than as provided in 
paragraph (c) of this section.
* * * * *
29. Amend Sec.  2.53 by:
a. Revising the section heading;
b. Revising paragraph (a) introductory text and paragraph (a)(1)(ii);
c. Revising paragraphs (b) introductory text, (b)(1)(iii) and 
(b)(2)(ii);
d. Revising paragraphs (c)(1) introductory text and (c)(1)(i);
e. Revising paragraphs (e)(1) introductory text, (e)(1)(iii), (e)(5), 
and (e)(6);
f. Revising paragraph (f); and
g. Adding paragraph (h).
    The revisions and addition read as follows:


Sec.  2.53   Management audits, financial audits, and program 
evaluation.

    (a) Records not copied or removed. If patient records are not 
downloaded, copied or removed from the premises of a part 2 program or 
other lawful holder, or forwarded electronically to another electronic 
system or device, patient identifying information, as defined in Sec.  
2.11, may be disclosed in the course of a review of records on the 
premises of a part 2 program or other lawful holder to any person who 
agrees in writing to comply with the limitations on use and 
redisclosure in paragraph (f) of this section and who:
    (1) * * *
    (ii) Any person which provides financial assistance to the part 2 
program or other lawful holder, which is a third-party payer or health 
plan covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such person or quality 
improvement organization.
* * * * *
    (b) Copying, removing, downloading, or forwarding patient records. 
Records containing patient identifying information, as defined in Sec.  
2.11, may be copied or removed from the premises of a part 2 program or 
other lawful holder or downloaded or forwarded to another electronic 
system or device from the part 2 program's or other lawful holder's 
electronic records by any person who:
    (1) * * *
    (iii) Comply with the limitations on use and disclosure in 
paragraph (f) of this section; and
    (2) * * *
    (ii) Any person which provides financial assistance to the part 2 
program or other lawful holder, which is a third-party payer or health 
plan covering patients in the part 2 program, or which is a quality 
improvement organization performing a QIO review, or the contractors, 
subcontractors, or legal representatives of such person or quality 
improvement organization; or
* * * * *
    (c) * * *
    (1) Activities undertaken by a federal, state, or local 
governmental agency, or a third-party payer or health plan, in order 
to:
    (i) Identify actions the agency or third-party payer or health plan 
can make, such as changes to its policies or procedures, to improve 
care and outcomes for patients with substance use disorders who are 
treated by part 2 programs;
* * * * *
    (e) * * * (1) Patient identifying information, as defined in Sec.  
2.11, may be disclosed under paragraph (e) of this section to any 
person for the purpose of conducting a Medicare, Medicaid, or CHIP 
audit or evaluation, including an audit or evaluation necessary to meet 
the requirements for a Centers for Medicare & Medicaid Services (CMS)-
regulated accountable care organization (CMS-regulated ACO) or similar 
CMS-regulated organization (including a CMS-regulated Qualified Entity 
(QE)), if the person agrees in writing to comply with the following:
* * * * *
    (iii) Comply with the limitations on use and disclosure in 
paragraph (f) of this section.
* * * * *
    (5) If a disclosure to a person is authorized under this section 
for a Medicare, Medicaid, or CHIP audit or evaluation, including a 
civil investigation or administrative remedy, as those terms are used 
in paragraph (e)(2) of this section, the person may further use or 
disclose the patient identifying information that is received for such 
purposes to its contractor(s), subcontractor(s), or legal 
representative(s), to carry out the audit or evaluation, and a quality 
improvement organization which obtains such information under paragraph 
(a) or (b) of this section may use or disclose the information to that 
person (or, to such person's contractors, subcontractors, or legal 
representatives, but only for the purposes of this section).
    (6) The provisions of this paragraph do not authorize the part 2 
program, the federal, state, or local government agency, or any other 
person to use or disclose patient identifying information obtained 
during the audit or evaluation for any purposes other than those 
necessary to complete the audit or evaluation as specified in paragraph 
(e) of this section.
    (f) Limitations on use and disclosure. Except as provided in 
paragraph (e) of this section, patient identifying information 
disclosed under this section may be disclosed only back to the part 2 
program or other lawful holder from which it was obtained and may be 
used only to carry out an audit or evaluation purpose or to investigate 
or prosecute criminal or other activities, as authorized by a court 
order entered under Sec.  2.66.
* * * * *
    (h) Disclosures for health care operations. With respect to 
activities described in paragraphs (c) and (d) of this section, a part 
2 program, covered entity, or business associate may disclose records 
in accordance with a consent that includes health care operations, and 
the recipient may redisclose such records as permitted under the HIPAA 
Privacy Rule if the recipient is a part 2 program, covered entity, or 
business associate.
30. Add Sec.  2.54 to subpart D to read as follows:


Sec.  2.54  Disclosures for public health.

    A part 2 program may disclose records for public health purposes 
without patient consent so long as:
    (a) The disclosure is made to a public health authority as defined 
in this part; and
    (b) The content of the information from the record disclosed has 
been de-identified in accordance with the requirements of the HIPAA 
Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable 
basis to believe that the information can be used to identify a patient 
as having or having had a substance use disorder.
31. Revise the heading of subpart E to read as follows:

Subpart E--Court Orders Authorizing Use and Disclosure

* * * * *
32. Revise Sec.  2.61 to read as follows:

Sec.  2.61  Legal effect of order.

    (a) Effect. An order of a court of competent jurisdiction entered 
under this subpart is a unique kind of court order. Its only purpose is 
to authorize a use or disclosure of patient information which would 
otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in 
this part. Such an order does not compel use or disclosure. A subpoena 
or a similar legal mandate must be issued in order to compel use or 
disclosure. This mandate may be entered at the same time as and 
accompany an authorizing court order entered under the regulations in 
this part.
    (b) Examples. (1) A person holding records subject to the 
regulations in this part receives a subpoena for those records. The 
person may not use or disclose the records in response to the subpoena 
unless a court of competent jurisdiction enters an authorizing order 
under the regulations in this part.
    (2) An authorizing court order is entered under the regulations in 
this part, but the person holding the records does not want to make the 
use or disclosure. If there is no subpoena or other compulsory process 
or a subpoena for the records has expired or been quashed, that person 
may refuse to make the use or disclosure. Upon the entry of a valid 
subpoena or other compulsory process the person holding the records 
must use or disclose, unless there is a valid legal defense to the 
process other than the confidentiality restrictions of the regulations 
in this part.
33. Revise Sec.  2.62 to read as follows:


Sec.  2.62   Order not applicable to records disclosed without consent 
to researchers, auditors and evaluators.

    A court order under the regulations in this part may not authorize 
persons who meet the criteria specified in Sec.  2.52(a)(1)(i)-(iii) of 
this part, who have received patient identifying information without 
consent for the purpose of conducting research, audit or evaluation, to 
disclose that information or use it to conduct any criminal 
investigation or prosecution of a patient. However, a court order under 
Sec.  2.66 may authorize use and disclosure of records to investigate 
or prosecute such persons who are holding the records.
34. Amend Sec.  2.63 by revising paragraph (a)(3) to read as follows:
    (a) * * *
    (3) The disclosure is in connection with a civil, criminal, 
administrative, or legislative proceeding in which the patient offers 
testimony or other evidence pertaining to the content of the 
confidential communications.
* * * * *
35. Amend Sec.  2.64 by revising the section heading, paragraph (a), 
paragraph (b) introductory text, (d) and (e) to read as follows:


Sec.  2.64   Procedures and criteria for orders authorizing uses and 
disclosures for noncriminal purposes.

    (a) Application. An order authorizing the use or disclosure of 
patient records or testimony relaying the information contained in the 
records for purposes other than criminal investigation or prosecution 
may be applied for by any person having a legally recognized interest 
in the use or disclosure which is sought in the course of a civil, 
administrative or legislative proceeding. The application may be filed 
separately or as part of a pending civil action in which the applicant 
asserts that the patient records or testimony relaying the information 
contained in the records are needed to provide evidence. An application 
must use a fictitious name, such as John Doe, to refer to any patient 
and may not contain or otherwise disclose any patient identifying 
information unless the patient is the applicant or has given written 
consent (meeting the requirements of the regulations in this part) to 
disclosure or the court has ordered the record of the proceeding sealed 
from public scrutiny.
    (b) Notice. A court order under this section is only valid when the 
patient and the person holding the records from whom disclosure is 
sought have received:
* * * * *
    (d) * * *
    (2) The public interest and need for the use or disclosure outweigh 
the potential injury to the patient, the physician-patient relationship 
and the treatment services.
    (e) Content of order. An order authorizing a use or disclosure 
must:
    (1) Limit use or disclosure to only those parts of the patient's 
record, or testimony relaying those parts of the patient's record, 
which are essential to fulfill the objective of the order;
    (2) Limit use or disclosure to those persons whose need for 
information is the basis for the order; and
    (3) Include such other measures as are necessary to limit use or 
disclosure for the protection of the patient, the physician-patient 
relationship and the treatment services; for example, sealing from 
public scrutiny the record of any proceeding for which use or 
disclosure of a patient's record, or testimony relaying the contents of 
the record, has been ordered.
36. Amend Sec.  2.65 by revising the section heading, paragraphs (a), 
(b) introductory text, (d) introductory text, (d)(2) and (e) to read as 
follows:


Sec.  2.65  Procedures and criteria for orders authorizing use and 
disclosure of records to criminally investigate or prosecute patients.

    (a) Application. An order authorizing the use or disclosure of 
patient records, or testimony relaying the information contained in 
those records, to investigate or prosecute a patient in connection with 
a criminal proceeding may be applied for by the person holding the 
records or by any law enforcement or prosecutorial official who is 
responsible for conducting investigative or prosecutorial activities 
with respect to the enforcement of criminal laws, including 
administrative and legislative criminal proceedings. The application 
may be filed separately, as part of an application for a subpoena or 
other compulsory process, or in a pending criminal action. An 
application must use a fictitious name such as John Doe, to refer to 
any patient and may not contain or otherwise use or disclose patient 
identifying information unless the court has ordered the record of the 
proceeding sealed from public scrutiny.
    (b) Notice and hearing. Unless an order under Sec.  2.66 is sought 
in addition to an order under this section, an order under this section 
is valid only when the person holding the records has received:
* * * * *
    (d) Criteria. A court may authorize the use and disclosure of 
patient records, or testimony relaying the information contained in 
those records, for the purpose of conducting a criminal investigation 
or prosecution of a patient only if the court finds that all of the 
following criteria are met:
* * * * *
    (2) There is a reasonable likelihood that the records or testimony 
will disclose information of substantial value in the investigation or 
prosecution.
* * * * *
    (e) Content of order. Any order authorizing a use or disclosure of 
patient records subject to this part, or testimony relaying the 
information contained in those records, under this section must:
    (1) Limit use and disclosure to those parts of the patient's 
record, or testimony relaying the information contained in those 
records, which are essential to fulfill the objective of the order;
    (2) Limit disclosure to those law enforcement and prosecutorial 
officials who are responsible for, or are 
conducting, the investigation or prosecution, and limit their use of 
the records or testimony to investigation and prosecution of the 
extremely serious crime or suspected crime specified in the 
application; and
    (3) Include such other measures as are necessary to limit use and 
disclosure to the fulfillment of only that public interest and need 
found by the court.
37. Amend Sec.  2.66 by
a. Revising the section heading and paragraph (a)(1);
b. Adding new paragraph (a)(3);
c. Revising paragraphs (b), (c), and (d).
    The revisions and addition read as follows:


Sec.  2.66  Procedures and criteria for orders authorizing use and 
disclosure of records to investigate or prosecute a part 2 program or 
the person holding the records.

    (a) * * * (1) An order authorizing the use or disclosure of patient 
records subject to this part to investigate or prosecute a part 2 
program or the person holding the records (or employees or agents of 
that part 2 program or person holding the records) in connection with a 
criminal or administrative matter may be applied for by any 
investigative agency having jurisdiction over the program's or person's 
activities.
* * * * *
    (3) Upon discovering in good faith that it received part 2 records 
in the course of investigating or prosecuting a part 2 program or the 
person holding the records (or employees or agents of that part 2 
program or person holding the records), an investigative agency must do 
the following:
    (i) Secure the records in accordance with Sec.  2.16; and
    (ii) Cease using and disclosing the records until the investigative 
agency obtains a court order consistent with paragraph (c) of this 
section authorizing the use and disclosure of the records and any 
records later obtained. The application for the court order must occur 
within a reasonable period of time, but not more than 120 days after 
discovering it received part 2 records; or
    (iii) If the agency does not seek a court order in accordance with 
paragraph (a)(3)(ii) of this section, the agency must either return the 
records to the part 2 program or person holding the records, if it is 
legally permissible to do so, within a reasonable period of time, but 
not more than 120 days after discovering it received part 2 records; or
    (iv) If the agency does not seek a court order or return the 
records, the agency must destroy the records in a manner that renders 
the patient identifying information non-retrievable, within a 
reasonable period of time, but not more than 120 days after discovering 
it received part 2 records; or
    (v) If the agency's application for a court order is rejected by 
the court and no longer subject to appeal, the agency must return the 
records to the part 2 program or person holding the records, if it is 
legally permissible to do so, or destroy the records immediately after 
notice from the court.
    (b) Notice not required. An application under this section may, in 
the discretion of the court, be granted without notice. Although no 
express notice is required to the part 2 program, to the person holding 
the records, or to any patient whose records are to be disclosed, upon 
implementation of an order so granted any of those persons must be 
afforded an opportunity to seek revocation or amendment of that order, 
limited to the presentation of evidence on the statutory and regulatory 
criteria for the issuance of the court order in accordance with 
paragraph (c) of this section. If a court finds that individualized 
contact is impractical under the circumstances, patients may be 
informed of the opportunity through a substitute form of notice that 
the court determines is reasonably calculated to reach the patients, 
such as conspicuous notice in major print or broadcast media in 
geographic areas where the affected patients likely reside.
    (c) Requirements for order. An order under this section must be 
entered in accordance with, and comply with the requirements of Sec.  
2.64(e). In addition, an order under this section may be entered only 
if the court determines that good cause exists. To make such good cause 
determination, the court must find that:
    (1) Other ways of obtaining the information are not available, 
would not be effective, or would yield incomplete information;
    (2) The public interest and need for the use or disclosure outweigh 
the potential injury to the patient, the physician-patient 
relationship, and the treatment services; and
    (3) For an application being submitted pursuant to paragraph 
(a)(3)(ii) of this section, the investigative agency has satisfied the 
conditions at Sec.  2.3(b).
    (d) Limitations on use and disclosure of patient identifying 
information. (1) An order entered under this section must require the 
deletion or removal of patient identifying information from any 
documents or oral testimony made available to the public.
    (2) No information obtained under this section may be used or 
disclosed to conduct any investigation or prosecution of a patient in 
connection with a criminal matter, or be used or disclosed as the basis 
for an application for an order under Sec.  2.65.
38. Amend Sec.  2.67 by revising paragraphs (a), (c), (d)(3) and (e) to 
read as follows:


Sec.  2.67  Orders authorizing the use of undercover agents and 
informants to investigate employees or agents of a part 2 program in 
connection with a criminal matter.

    (a) Application. A court order authorizing the placement of an 
undercover agent or informant in a part 2 program as an employee or 
patient may be applied for by any investigative agency which has reason 
to believe that employees or agents of the part 2 program are engaged 
in criminal misconduct.
* * * * *
    (c) Criteria. An order under this section may be entered only if 
the court determines that good cause exists. To make such good cause 
determination, the court must find all of the following:
    (1) There is reason to believe that an employee or agent of the 
part 2 program is engaged in criminal activity;
    (2) Other ways of obtaining evidence of the suspected criminal 
activity are not available, would not be effective, or would yield 
incomplete evidence;
    (3) The public interest and need for the placement of an undercover 
agent or informant in the part 2 program outweigh the potential injury 
to patients of the part 2 program, physician-patient relationships and 
the treatment services; and
    (4) For an application submitted after the placement of an 
undercover agent or informant has already occurred, that the 
investigative agency has satisfied the conditions at Sec.  2.3(b) and 
only discovered that a court order was necessary after such placement 
occurred.
    (d) * * *
    (3) Prohibit the undercover agent or informant from using or 
disclosing any patient identifying information obtained from the 
placement except as necessary to investigate or prosecute employees or 
agents of the part 2 program in connection with the suspected criminal 
activity; and
* * * * *
    (e) Limitation on use and disclosure of information. No information 
obtained by an undercover agent or informant placed in a part 2 program 
under this section may be used or disclosed to investigate or prosecute 
any patient in connection with a criminal matter or as the basis for an 
application for an order under Sec.  2.65.
39. Add Sec.  2.68 to subpart E to read as follows:

Sec.  2.68  Report to the Secretary.

    (a) Any investigative agency covered by this part shall report to 
the Secretary, not later than 60 days after the end of each calendar 
year, to the extent applicable and practicable, on:
    (1) The number of applications made under Sec.  2.66(a)(3)(ii) and 
Sec.  2.67(c)(4) during the calendar year;
    (2) The number of instances in which such applications were denied, 
due to findings by the court of violations of this part during the 
calendar year; and
    (3) The number of instances in which part 2 records were returned 
or destroyed following unknowing receipt without a court order, in 
compliance with Sec.  2.66(a)(3)(iii), (iv), or (v), respectively, during 
the calendar year.
    (b) [Reserved].
* * * * *

Title 45--PUBLIC WELFARE

PART 164--SECURITY AND PRIVACY

40. The authority citation for part 164 is revised to read as follows:

    Authority:  42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 
(note)); secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279 (42 
U.S.C. 17921, 17931-17954); and sec. 3221(i)(2), Pub. L. 116-136.
41. Amend Sec.  164.520 by:
a. Revising paragraphs (a)(1) and removing paragraph (a)(3);
b. Redesignating paragraph (a)(2) as (a)(3) and adding a new paragraph 
(a)(2);
c. Revising paragraphs (b)(1) introductory text, (b)(1)(i), 
(b)(1)(ii)(C), (b)(1)(ii)(D), and (b)(1)(iii);
d. Revising paragraphs (b)(1)(iv)(C), (b)(1)(iv)(G), (b)(1)(v)(A), 
(b)(1)(v)(C), (b)(1)(vii), and (b)(2)(iii);
e. Removing paragraph (c)(2)(ii), redesignating paragraphs (c)(2)(iii) 
and (iv) as (c)(2)(ii) and (iii) and revising newly redesignated 
(c)(2)(ii) introductory text and (iii) and (c)(3)(iii);
f. Adding paragraph (d)(4); and
g. Revising paragraph (e).
    The revisions and additions read as follows:


Sec.  164.520   Notice of privacy practices for protected health 
information

    (a) * * * (1) Right to notice. Except as provided by paragraph 
(a)(3) of this section, an individual has a right to adequate notice of 
the uses and disclosures of protected health information that may be 
made by the covered entity, and of the individual's rights and the 
covered entity's legal duties with respect to protected health 
information.
    (2) Notice requirements for covered entities creating or 
maintaining records subject to 42 U.S.C. 290dd-2(a). As provided in 42 
CFR 2.22, an individual who is the subject of records protected under 
42 CFR part 2 has a right to adequate notice of the uses and 
disclosures of such records, and of the individual's rights and the 
covered entity's legal duties with respect to such records.
    (3) Exception for group health plans. (i) An individual enrolled in 
a group health plan has a right to notice:
    (A) From the group health plan, if, and to the extent that, such an 
individual does not receive health benefits under the group health plan 
through an insurance contract with a health insurance issuer or HMO; or
    (B) From the health insurance issuer or HMO with respect to the 
group health plan through which such individuals receive their health 
benefits under the group health plan.
    (ii) A group health plan that provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and that creates or receives protected health information in addition 
to summary health information as defined in Sec.  164.504(a) or 
information on whether the individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan, must:
    (A) Maintain a notice under this section; and
    (B) Provide such notice upon request to any person. The provisions 
of paragraph (c)(1) of this section do not apply to such group health 
plan.
    (iii) A group health plan that provides health benefits solely 
through an insurance contract with a health insurance issuer or HMO, 
and does not create or receive protected health information other than 
summary health information as defined in Sec.  164.504(a) or 
information on whether an individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan, is not required to 
maintain or provide a notice under this section.
    (b) * * * (1) Required elements. The covered entity, including any 
covered entity maintaining or receiving records subject to 42 U.S.C. 
290dd-2, must provide a notice that is written in plain language and 
that contains the elements required by this paragraph.
    (i) Header. The notice must contain the following statement as a 
header or otherwise prominently displayed:

NOTICE OF PRIVACY PRACTICES OF [NAME OF COVERED ENTITY, AFFILIATED 
COVERED ENTITIES, OR ORGANIZED HEALTH CARE ARRANGEMENT, AS APPLICABLE]

THIS NOTICE DESCRIBES:

     • HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND 
DISCLOSED
     • YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
     • HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR 
RECORDS AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE
     • HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE 
PRIVACY, OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS 
CONCERNING YOUR INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET 
COPIES OF YOUR RECORDS UNDER HIPAA
    YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR 
ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER [NAME OR TITLE] AT 
[PHONE AND EMAIL]] IF YOU HAVE ANY QUESTIONS.

    (ii) * * *
    (C) If a use or disclosure for any purpose described in paragraphs 
(b)(1)(ii)(A) or (B) of this section is prohibited or materially 
limited by other applicable law, such as 42 CFR part 2, the description 
of such use or disclosure must reflect the more stringent law as 
defined in Sec.  160.202 of this subchapter.
    (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of 
this section, the description must include sufficient detail to place 
the individual on notice of the uses and disclosures that are permitted 
or required by this subpart and other applicable law, such as 42 CFR 
part 2.
* * * * *
    (iii) Separate statements for certain uses or disclosures. If the 
covered entity intends to engage in any of the following activities, 
the description required by paragraph (b)(1)(ii)(A) or (B) of this 
section must include a separate statement informing the individual of 
such activities, as applicable:
    (A) In accordance with Sec.  164.514(f)(1), the covered entity may 
contact the individual to raise funds for the covered entity and the 
individual has a right to opt out of receiving such communications;
    (B) In accordance with Sec.  164.504(f), the group health plan, or 
a health insurance issuer or HMO with respect to a group health plan, 
may disclose protected health information to the sponsor of the plan;
    (C) If a covered entity that is a health plan, excluding an issuer 
of a long-term care policy falling within paragraph (1)(viii) of the 
definition of health plan, intends to use or disclose protected 
health information for underwriting purposes, a statement that the 
covered entity is prohibited from using or disclosing protected health 
information that is genetic information of an individual for such 
purposes;
    (D) Substance use disorder treatment records received from programs 
subject to 42 CFR part 2, or testimony relaying the content of such 
records, shall not be used or disclosed in civil, criminal, 
administrative, or legislative proceedings against the individual 
unless based on written consent, or a court order after notice and an 
opportunity to be heard is provided to the individual or the holder of 
the record, as provided in 42 CFR part 2. A court order authorizing use 
or disclosure must be accompanied by a subpoena or other legal 
requirement compelling disclosure before the requested record is used 
or disclosed; or
    (E) If a covered entity that creates or maintains records subject 
to 42 CFR part 2 intends to use or disclose such records for 
fundraising for the benefit of the covered entity, a statement that 
such information may be used or disclosed for such purpose only if the 
individual grants written consent as provided in 42 CFR 2.31.
    (iv) * * *
    (C) The right of access to inspect and obtain a copy of protected 
health information at limited cost or, in some cases, free of charge; 
and the right to direct a covered health care provider to transmit an 
electronic copy of protected health information in an electronic health 
record to a third party, as provided by Sec.  164.524;
* * * * *
    (G) The right to discuss the notice with a designated contact 
person identified by the covered entity pursuant to Sec.  
164.520(b)(vii);
    (v) * * *
    (A) A statement that the covered entity is required by law to 
maintain the privacy of protected health information, to provide 
individuals with notice of its legal duties and privacy practices, and 
to notify affected individuals following a breach of unsecured 
protected health information;
* * * * *
    (C) A statement that the covered entity reserves the right to 
change the terms of its notice, provided that such terms are not 
material or contrary to law, and to make the new notice provisions 
effective for all protected health information that it maintains. The 
statement must also describe how it will provide individuals with a 
revised notice.
* * * * *
    (vii) Contact. The notice must contain the name or title and 
telephone number and email for a designated person who is available to 
provide further information and answer questions about the covered 
entity's privacy practices, as required by Sec.  164.530(a)(1)(ii).
* * * * *
    (2) * * *
    (iii) A covered entity may provide in its notice information about 
how an individual who seeks to direct protected health information to a 
third party, when the protected health information is not in an 
electronic health record or is in a non-electronic format, can instead 
obtain a copy of protected health information directly under Sec.  
164.524 and send the copy to the third party themselves, or request the 
covered entity to send a copy of protected health information to a 
third party using a valid authorization under Sec.  164.508.
* * * * *
    (c) * * *
    (2) * * *
    (ii) If the health care provider maintains a physical service 
delivery site:
* * * * *
    (iii) Whenever the notice is revised, make the notice available 
upon request on or after the effective date of the revision and 
promptly comply with the requirements of paragraph (c)(2)(ii) of this 
section, if applicable.
    (3) * * *
    (iii) For purposes of paragraph (c)(2)(i) of this section, if the 
first service delivery to an individual is delivered electronically, 
the covered health care provider must provide electronic notice 
automatically and contemporaneously in response to the individual's 
first request for service.
* * * * *
    (d) * * *
    (4) The permission in paragraph (c)(1) of this section for covered 
entities who are part of an organized health care arrangement to issue 
a joint notice may not be construed to remove any obligations or duties 
of entities creating or maintaining records subject to 42 U.S.C. 290dd-
2, or to remove any rights of patients who are the subjects of such 
records.
    (e) Implementation specifications: Documentation. A covered entity 
must document compliance with the notice requirements, as required by 
Sec.  164.530(j), by retaining copies of the notices issued by the 
covered entity.

    Dated: November 21, 2022.
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2022-25784 Filed 11-28-22; 8:45 am]
BILLING CODE 4153-01-P

