Confidentiality of Substance Use Disorder (SUD) Patient Records, 12472-12631 [2024-02544]
Federal Register / Vol. 89, No. 33 / Friday, February 16, 2024 / Rules and Regulations
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
42 CFR Part 2
RIN 0945–AA16
Confidentiality of Substance Use Disorder (SUD) Patient Records
AGENCY: Office for Civil Rights, Office of the Secretary, Department of Health and Human Services; Substance Abuse and Mental Health Services Administration (SAMHSA), Department of Health and Human Services.
ACTION: Final rule.
SUMMARY: The United States Department of Health and Human Services (HHS or ‘‘Department’’) is issuing this final rule to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The Department is issuing this final rule after careful consideration of all public comments received in response to the notice of proposed rulemaking (NPRM) for the Confidentiality of Substance Use Disorder (SUD) Patient Records. This final rule also makes certain other modifications to increase alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to improve workability and decrease burden on programs, covered entities, and business associates.
DATES:
Effective date: This final rule is
effective on April 16, 2024.
Compliance date: Persons subject to
this regulation must comply with the
applicable requirements of this final
rule by February 16, 2026.
FOR FURTHER INFORMATION CONTACT:
Marissa Gordon-Nguyen at (202) 240–
3110 or (800) 537–7697 (TDD).
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
A. Purpose of Rulemaking and Issuance of
Proposed Rule
B. Severability
C. Summary of the Major Provisions
D. Summary of the Costs and Benefits of
the Major Provisions
II. Statutory and Regulatory Background
III. Overview of Public Comments
A. General Discussion of Comments
B. General Comments
1. General Support for the Proposed Rule
2. General Opposition to the Proposed Rule
IV. Analysis and Response to Public
Comments and Final Modifications
A. Effective and Compliance Dates
B. Substantive Proposals and Responses to
Comments
V. Regulatory Impact Analysis
A. Executive Orders 12866 and 13563 and
Related Executive Orders on Regulatory
Review
1. Summary of the Final Rule
2. Need for the Final Rule
3. Response to Public Comment
4. Cost-Benefit Analysis
5. Consideration of Regulatory Alternatives
B. Regulatory Flexibility Act
C. Unfunded Mandates Reform Act
D. Executive Order 13132—Federalism
E. Assessment of Federal Regulation and
Policies on Families
F. Paperwork Reduction Act of 1995
1. Explanation of Estimated Annualized
Burden Hours for 42 CFR Part 2
2. Explanation of Estimated Capital
Expenses for 42 CFR Part 2
TABLE OF ACRONYMS
Acronym | Meaning
ACO | Accountable Care Organization.
ADAMHA | Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act.
ADT | Admit, Discharge, Transfer.
APCD | All-Payer Claims Database.
BLS | Bureau of Labor Statistics.
CARES Act | Coronavirus Aid, Relief, and Economic Security Act.
CBO | Community-based Organizations.
CFR | Code of Federal Regulations.
CHIP | Children’s Health Insurance Program.
CMP | Civil Money Penalty.
CMS | Centers for Medicare & Medicaid Services.
COVID–19 | Coronavirus Disease 2019.
CSP | Cloud Service Provider.
DOJ | U.S. Department of Justice.
E.O. | Executive Order.
EHR | Electronic Health Record.
ePHI | Electronic Protected Health Information.
FDA | Food and Drug Administration.
FOIA | Freedom of Information Act.
FR | Federal Register.
GS | General Schedule.
Health IT | Health Information Technology.
HHS or Department | U.S. Department of Health and Human Services.
HIE | Health Information Exchange.
HIN | Health Information Network.
HIPAA | Health Insurance Portability and Accountability Act of 1996.
HITECH Act | Health Information Technology for Economic and Clinical Health Act of 2009.
HIV | Human Immunodeficiency Virus.
ICR | Information Collection Request.
IHS | Indian Health Service.
ISDEAA | Indian Self-Determination and Education Assistance Act.
MAT | Medication Assisted Treatment.
MHPAEA | Mental Health Parity and Addiction Equity Act.
MOUD | Medications for Opioid Use Disorder.
MPCD | Multi-Payer Claims Database.
NIST | National Institute of Standards and Technology.
NOAA | National Oceanic and Atmospheric Administration.
NPP | Notice of Privacy Practices.
NPRM | Notice of Proposed Rulemaking.
N–SSATS | National Survey of Substance Abuse Treatment Services.
OCR | Office for Civil Rights.
OIG | Office of the Inspector General.
OIRA | Office of Information and Regulatory Affairs.
OMB | Office of Management and Budget.
ONC | Office of the National Coordinator for Health Information Technology.
OTP | Opioid Treatment Program.
PDMP | Prescription Drug Monitoring Program.
PHI | Protected Health Information.
PHSA | Public Health Service Act.
PRA | Paperwork Reduction Act of 1995.
Pub. L. | Public Law.
QSO | Qualified Service Organization.
QSOA | Qualified Service Organization Agreement.
RFA | Regulatory Flexibility Act.
RFI | Request for Information.
RIA | Regulatory Impact Analysis.
RPMS | Resource and Patient Management System.
SAMHSA | Substance Abuse and Mental Health Services Administration.
SBA | Small Business Administration.
SUD | Substance Use Disorder.
TEDS | Treatment Episode Data Set.
TEFCA | Trusted Exchange Framework and Common Agreement.
TPO | Treatment, Payment, and/or Health Care Operations.
U.S.C. | United States Code.
USPHS | U.S. Public Health Service.
VA | U.S. Department of Veterans Affairs.
I. Executive Summary
A. Purpose of Rulemaking and Issuance of Proposed Rule
On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, and Economic Security (CARES) Act, including section 3221 of the Act 1 entitled ‘‘Confidentiality and Disclosure of Records Relating to Substance Use Disorder.’’ Section 3221 enacts statutory amendments to section 290dd–2 of title 42 United States Code (42 U.S.C. 290dd–2).2 These amendments require the U.S. Department of Health and Human Services (HHS or ‘‘Department’’) to increase the regulatory alignment between title 42 of the Code of Federal Regulations (CFR) (42 CFR part 2 or ‘‘part 2’’),3 which includes privacy provisions that protect SUD patient records, and key aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 4 Privacy, Breach Notification, and Enforcement regulations (‘‘HIPAA regulations’’),5 which govern the use and disclosure of protected health information (PHI).6
On December 2, 2022, the Department published a notice of proposed rulemaking (NPRM) proposing to modify part 2 consistent with the requirements of section 3221.7 In the NPRM, the Department proposed to: (1) enhance restrictions against the use and disclosure of part 2 records 8 in civil, criminal, administrative, and legislative proceedings; (2) provide for civil enforcement authority, including the imposition of civil money penalties (CMPs); (3) modify consent for uses and disclosures of part 2 records for treatment, payment, and health care operations (TPO) purposes; (4) impose breach notification obligations; (5) incorporate some definitions from the HIPAA regulations into part 2; (6) provide new patient rights to request restrictions on uses and disclosures and obtain an accounting of disclosures made with consent; (7) add a permission to disclose de-identified records to public health authorities; and (8) address concerns about potential unintended consequences for government agencies that investigate part 2 programs due to the change in enforcement authority and penalties for violations of part 2.
1 Public Law 116–136, 134 Stat. 281 (Mar. 27, 2020).
2 42 U.S.C. 290dd–2.
3 For readability, the Department refers to specific sections of 42 CFR part 2 using a shortened citation with the ‘‘§ ’’ symbol except where necessary to distinguish title 42 citations from other CFR titles, such as title 45 CFR, and in footnotes where the full reference is used.
4 Subtitle F of title II of HIPAA, Public Law 104–191, 110 Stat. 1936 (Aug. 21, 1996) added a new part C to title XI of the Social Security Act (SSA), Public Law 74–271, 49 Stat. 620 (Aug. 14, 1935), (see sections 1171–1179 of the SSA (codified at 42 U.S.C. 1320d–1320d–8)), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 139w–4(0)(2)), enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009).
5 See the HIPAA Privacy Rule, 45 CFR parts 160 and 164, subparts A and E; the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E. Breach notification requirements were added by the HITECH Act.
6 PHI is individually identifiable health information maintained or transmitted by or on behalf of a HIPAA covered entity. See 45 CFR 160.103 (definitions of ‘‘Individually identifiable health information’’ and ‘‘Protected health information’’).
7 87 FR 74216 (Dec. 2, 2022). The Department also proposed modifications to the HIPAA Notice of Privacy Practices (NPP) in January 2021 and April 2023. See Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446 (Jan. 21, 2021) and HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 FR 23506 (Apr. 17, 2023).
The 60-day public comment period for the proposed rule closed on January 31, 2023, and the Department received approximately 220 comments in response to its proposal.9 After considering the public comments, the Department is issuing this final rule that adopts many of the proposals set forth in the NPRM, with certain modifications based on the input received. This final rule aligns certain part 2 requirements more closely with requirements of the HIPAA regulations to improve the ability of entities that are subject to part 2 to use and disclose part 2 records and make other changes to part 2, as described in this preamble. We believe this final rule implements the modifications required by the CARES Act amendments to 42 U.S.C. 290dd–2 and will decrease burdens on patients and providers, improve coordination of care and access to care and treatment, and protect the confidentiality of treatment records.
The provisions of the proposed rule and the public comments received that were within the scope of the proposed rule are described in more detail below in sections III and IV.
8 Within this rule the terms records and part 2 records are used interchangeably to refer to information subject to part 2.
9 The public comments are available at https://www.regulations.gov/docket/HHS-OCR-2022-0018/comments.
B. Severability
In this final rule, we adopt
modifications to 42 CFR part 2 that
support a unified scheme of privacy
protections for part 2 records. While the
unity and comprehensiveness of this
scheme maximizes its utility, we clarify
that its constituent elements operate
independently to protect patient
privacy. Were a provision of this
regulation stayed or invalidated by a
reviewing court, the provisions that
remain in effect would continue to
provide vital patient privacy
protections. For example, the essential
part 2 provisions concerning such issues
as restrictions on use of part 2 records
in criminal, civil, and administrative
proceedings and written consent
requirements would remain in effect
even if certain other provisions, such as
the limitation on civil or criminal
liability in § 2.3(b), were no longer in
effect. Similarly, the provisions
regulating different forms of conduct
under part 2 (e.g., use, disclosure,
consent requirements) each provide
distinct benefits for patient privacy.
Thus, we consider the provisions
adopted in this final rule to be
severable, both internally within this
final rule and from the other provisions
in part 2, and the Department’s intent is
to preserve the rule in its entirety, and
each independent provision of the rule,
to the fullest extent possible.
Accordingly, any provision of 42 CFR
part 2 that is held to be invalid or
unenforceable by its terms, or as applied
to any person or circumstance, should
be construed so as to give maximum
effect to the provision permitted by law,
unless such holding is one of utter
invalidity or unenforceability, in which
event the provision is intended to be
severable from this part and not affect
the remainder thereof or the application
of the provision to other persons not
similarly situated or to other dissimilar
circumstances.
C. Summary of the Major Provisions
After consideration of the public
comments received in response to the
NPRM, the Department is issuing this
final rule as follows: 10
1. Section 2.1—Statutory Authority for
Confidentiality of Substance Use
Disorder Patient Records
Finalizes § 2.1 to more closely reflect
the authority granted in 42 U.S.C.
290dd–2(g), including with respect to
court orders authorizing the disclosure
of records under 42 U.S.C. 290dd–
2(b)(2)(C).
2. Section 2.2—Purpose and Effect
Finalizes paragraph (b) of § 2.2 to
compel disclosures to the Secretary 11
that are necessary for enforcement of
this rule, using language adapted from
the HIPAA Privacy Rule at 45 CFR
164.502(a)(2)(ii). Finalizes a new
paragraph (b)(3) that prohibits any
limits on a patient’s right to request
restrictions on use of records for TPO or
a covered entity’s 12 choice to obtain
consent to use or disclose records for
TPO purposes as provided in the HIPAA
Privacy Rule. References ‘‘use and
disclosure’’ in § 2.2(a) and (b). Removes
reference to criminal penalty and
finalizes new paragraph (b)(3).
3. Section 2.3—Civil and Criminal
Penalties for Violations
Finalizes the heading of this section as above. This section as finalized now references the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the culpability tiers established by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal penalties),13 as implemented in the HIPAA Enforcement Rule.14 Paragraph (b) includes a limitation on civil or criminal liability (‘‘safe harbor’’) under part 2 for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation or prosecution of a part 2 program or person holding the record, provided that certain conditions are met.15 Further modifies the ‘‘reasonable diligence’’ steps to mean taking all of the following actions: searching for the practice or provider among the SUD treatment facilities in SAMHSA’s online treatment locator; searching in a similar state database of treatment facilities where available; checking a practice or program’s website, where available, or physical location; viewing the entity’s Patient Notice or HIPAA NPP if it is available; and taking all these steps within no more than 60 days before requesting records or placing an undercover agent or informant. Updates language referring to enforcement, now set forth in paragraph (c).
10 Additional revisions are not listed here because they are not considered major. Generally, the proposals not listed make non-substantive changes. These proposals are reviewable in section IV and the amendatory language in the last section of the final rule and include proposals to modify § 2.17 (Undercover agents and informants); § 2.20 (Relationship to state laws); § 2.21 (Relationship to Federal statutes protecting research subjects against compulsory disclosure of their identity); and § 2.34 (Uses and Disclosures to prevent multiple enrollments).
11 Unless otherwise stated, ‘‘Secretary’’ as used in this rule refers to the Secretary of HHS.
12 Covered entities are health care providers who transmit health information electronically in connection with any transaction for which the Department has adopted an electronic transaction standard, health plans, and health care clearinghouses. See 45 CFR 160.103 (definition of ‘‘Covered entity’’).
4. Section 2.4—Complaints of
Noncompliance
Modifies the heading to refer to
‘‘Complaints of noncompliance.’’
Finalizes inclusion of requirements
consistent with those applicable to
HIPAA complaints under 45 CFR
164.530(d), (g), and (h), including: a
requirement for a part 2 program to
establish a process to receive
complaints. Adds a new provision
permitting patients to file complaints
with the Secretary in the same manner
as under 45 CFR 160.306. Finalizes a
prohibition against taking adverse
action against patients who file
complaints and a prohibition against
requiring patients to waive the right to
file a complaint as a condition of
providing treatment, enrollment,
payment, or eligibility for services.
5. Section 2.11—Definitions
Finalizes definitions of the following terms within this part consistent with the NPRM: ‘‘Breach,’’ ‘‘Business associate,’’ ‘‘Covered entity,’’ ‘‘Health care operations,’’ ‘‘HIPAA,’’ ‘‘HIPAA regulations,’’ ‘‘Informant,’’ ‘‘Part 2 program director,’’ ‘‘Program,’’ ‘‘Payment,’’ ‘‘Person,’’ ‘‘Public health authority,’’ ‘‘Records,’’ ‘‘Substance use disorder (SUD),’’ ‘‘Third-party payer,’’ ‘‘Treating provider relationship,’’ ‘‘Treatment,’’ ‘‘Unsecured protected health information,’’ ‘‘Unsecured record,’’ and ‘‘Use.’’ Adds a definition of ‘‘Substance Use Disorder (SUD) counseling notes’’ on which input was requested in the NPRM. Adds new definitions of ‘‘Lawful holder’’ and ‘‘Personal representative.’’ Adopts a revised definition of ‘‘Intermediary,’’ but with an exclusion for part 2 programs, covered entities, and business associates. Modifies definition of ‘‘Investigative agency’’ to reference state, local, territorial, and Tribal investigative agencies. Modifies definition of ‘‘Patient identifying information’’ to ensure consistency with the de-identification standard incorporated into this final rule. Modifies the proposed definition of ‘‘Qualified Service Organization’’ (QSO) to expressly include business associates as QSOs where the QSO meets the definition of business associate for a covered entity that is also a part 2 program.
13 See Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009). Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) amended sections 1176 and 1177 of the Social Security Act (codified at 42 U.S.C. 1320d–5 and 1320d–6) to add civil and criminal penalty tiers for violations of the HIPAA Administrative Simplification provisions.
14 See 45 CFR part 160 subparts C, D, and E.
15 Although this provision is not expressly required by the CARES Act, it falls within the Department’s general rulemaking authority in 42 U.S.C. 290dd–2(g), and is needed to address the logical consequences of the changes required by sec. 3221.
6. Section 2.12—Applicability
Replaces ‘‘Armed Forces’’ with
‘‘Uniformed Services’’ in paragraphs
(b)(1) and (c)(2) of § 2.12. Incorporates
four statutory examples of restrictions
on the use or disclosure of part 2
records to initiate or substantiate any
criminal charges against a patient or to
conduct any criminal investigation of a
patient. Adds language to qualify the
term ‘‘Third-party payer’’ with the
phrase ‘‘as defined in this part.’’
Specifies that a part 2 program, covered
entity, or business associate 16 that
receives records based on a single
consent for all future uses and
disclosures for TPO is not required to
segregate or segment such records.
Revises paragraph (e)(4)(i) to clarify
when a diagnosis is not covered by part
2.
7. Section 2.13—Confidentiality Restrictions and Safeguards
Finalizes the redesignation of § 2.13(d) requiring a list of disclosures as new § 2.24 and modifies the text for clarity.
8. Section 2.14—Minor Patients
Finalizes the change of the verb ‘‘judges’’ to ‘‘determines’’ to describe a part 2 program director’s evaluation and decision that a minor lacks decision making capacity.
9. Section 2.15—Patients Who Lack Capacity and Deceased Patients
Finalizes changes proposed in the NPRM. Changes the heading as above. Replaces outdated terminology and clarifies that paragraph (a) of this section refers to an adjudication by a court of a patient’s lack of capacity to make health care decisions while paragraph (b) refers to a patient’s lack of capacity to make health care decisions without court adjudication. Clarifies consent for uses and disclosures of records by personal representatives for patients who lack capacity to make health care decisions in paragraph (a) and deceased patients in paragraph (b)(2).
10. Section 2.16—Security for Records and Notification of Breaches
Finalizes changes proposed in the NPRM. Changes the heading as above. Finalizes the de-identification provision to align with the HIPAA Privacy Rule standard at 45 CFR 164.514. Creates an exception to the requirement that part 2 programs and lawful holders create policies and procedures to secure records that applies to family, friends, and other informal caregivers who are lawful holders as defined in this regulation. Applies the HITECH Act breach notification provisions 17 that are currently implemented in the HIPAA Breach Notification Rule to breaches of records by part 2 programs. Modifies the exemption for lawful holders by exempting them from § 2.16(a) instead of only paragraph (a)(1).
11. Section 2.19—Disposition of Records by Discontinued Programs
Finalizes an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Updates the language to refer to ‘‘non-electronic’’ records and include ‘‘paper’’ records as an example of non-electronic records.
16 A business associate is a person, other than a workforce member, that performs certain functions or activities for or on behalf of a covered entity, or that provides certain services to a covered entity involving the disclosure of PHI to the person. See 45 CFR 160.103 (definition of ‘‘Business associate’’).
17 Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term ‘‘Breach’’. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification provisions, discussed in detail below.
12. Section 2.22—Notice to Patients of
Federal Confidentiality Requirements
Finalizes proposed changes to
requirements for notice to patients of
Federal confidentiality requirements
(hereinafter, ‘‘Patient Notice’’) to
address protections required by 42
U.S.C. 290dd–2, as amended by section
3221 of the CARES Act. Modifies the
statement of a patient’s right to discuss
the notice with a designated contact
person by permitting the part 2 program
to list an office rather than naming a
person. Further modifies the list of
patient rights to include the following:
(1) a right to a list of disclosures by an
intermediary for the past 3 years as
provided in § 2.24 (moved from the
consent requirements in § 2.31); and (2)
a right to elect not to receive any
fundraising communications to
fundraise for the benefit of the part 2
program. Further modifies the
fundraising provision by replacing the
proposed requirement to obtain patient
consent with a requirement to provide
individuals with the opportunity to opt
out of receiving fundraising
communications, which more closely
aligns with the HIPAA regulations.
Clarifies that a court order authorizing
use or disclosure must be accompanied
by a subpoena or similar legal mandate
compelling disclosure.
13. Section 2.23—Patient Access and
Restrictions on Use and Disclosure
Finalizes the heading as above. Adds
the term ‘‘disclosure’’ to the heading
and body of this section to clarify that
information obtained by patient access
to their record may not be used or
disclosed for purposes of a criminal
charge or criminal investigation.
14. Section 2.24—Requirements for
Intermediaries
Finalizes the retitling of the
redesignated section that is moved from
§ 2.13(d) as above to clarify the
responsibilities of recipients of records
received under a consent with a general
designation (other than part 2 programs,
covered entities, and business
associates), such as research
institutions, accountable care
organizations (ACOs), and care
management organizations.
15. Section 2.25—Accounting of
Disclosures
Finalizes this new section to
implement 42 U.S.C. 290dd–2(b)(1)(B),
as amended by the section 3221 of the
CARES Act, to add a right to an
accounting of all disclosures made with
consent for up to three years prior to the
date the accounting is requested. A
separate provision applies to disclosures
for TPO purposes made through an
EHR. The compliance date for § 2.25 is
tolled until the HIPAA Accounting of
Disclosures provision at 45 CFR 164.528
is revised to address accounting for TPO
disclosures made through an EHR.
16. Section 2.26—Right To Request
Privacy Protection for Records
Finalizes this new section to
implement 42 U.S.C. 290dd–2(b)(1)(B),
as amended by the section 3221 of the
CARES Act, to incorporate into part 2
the rights set forth in the HIPAA Privacy
Rule at 45 CFR 164.522, including: (1)
a patient right to request restrictions on
disclosures of records otherwise
permitted for TPO purposes, and (2) a
patient right to obtain restrictions on
disclosures to health plans for services
paid in full by the patient.
17. Subpart C—Uses and Disclosures
With Patient Consent
Finalizes change to the heading of
subpart C as above to reflect changes
made to the provisions of this subpart
related to the consent to use and
disclose part 2 records, consistent with
42 U.S.C. 290dd–2(b), as amended by
the section 3221(b) of the CARES Act.
18. Section 2.31—Consent Requirements
Finalizes the proposed alignment of
the content requirements for part 2
written consent with the content
requirements for a valid HIPAA
authorization and clarifies how
recipients may be designated in a
consent to use and disclose part 2
records for TPO. Further modifies the
rule by replacing the proposed
requirement to obtain consent for
fundraising with an opportunity for the
patient to opt out. Adds consent
provisions for uses and disclosures of
SUD counseling notes, and adds an
express requirement for separate
consent for use and disclosure of
records in civil, criminal,
administrative, or legislative
proceedings.
19. Section 2.32—Notice and Copy of
Consent To Accompany Disclosure
Further modifies the proposed
heading to read as above by inserting
‘‘and copy of consent’’. Finalizes the
proposed alignment of the content
requirements for the required notice that
accompanies a disclosure of records
(hereinafter ‘‘Notice to Accompany
Disclosure’’) with the requirements of
42 U.S.C. 290dd–2(b), as amended by
section 3221(b) of the CARES Act.
Further modifies this section by creating
a new requirement that each disclosure
made with the patient’s written consent
must be accompanied by a copy of the
consent or a clear explanation of the
scope of the consent provided.
20. Section 2.33—Uses and Disclosures
Permitted With Written Consent
Changes the heading as proposed, to
read as above. Aligns this provision
with the statutory authority in 42 U.S.C.
290dd–2(b)(1), as amended by section
3221(b) of the CARES Act. Replaces the
provisions requiring consent for uses
and disclosures for payment and certain
health care operations with permission
to use and disclose records for TPO with
a single consent given once for all such
future uses and disclosures (‘‘TPO
consent’’) as permitted by the HIPAA
regulations, until such time as the
patient revokes the consent in writing.
Finalizes proposed redisclosure
permissions for three categories of
recipients of part 2 records pursuant to
a written consent with some additional
modifications to limit the ability to
redisclose part 2 records in accordance
with HIPAA to covered entities and
business associates, as follows: (1)
permits a covered entity or business
associate that receives part 2 records
pursuant to a TPO consent to redisclose
the records in accordance with the
HIPAA regulations, except for certain
proceedings against the patient; 18 (2)
permits a part 2 program that is not a
covered entity to redisclose records
received pursuant to a TPO consent
according to the consent; and (3)
permits a lawful holder that is not a
covered entity or business associate to
redisclose part 2 records for payment
and health care operations to its
contractors, subcontractors, or legal
representatives as needed to carry out
the activities specified in the consent.
Finalizes the contracting requirements
in paragraph (c) to exclude covered
entities and business associates because
they are subject to HIPAA business
associate agreement requirements.
21. Section 2.35—Disclosures to
Elements of the Criminal Justice System
Which Have Referred Patients
Finalizes the proposals to replace
‘‘individuals’’ with ‘‘persons’’ and
clarifies that permitted redisclosures of
information are from part 2 records.
22. Subpart D—Uses and Disclosures
Without Patient Consent
Finalizes the proposal to change the
heading of subpart D to reflect changes
made to the provisions of this subpart
related to the consent to use and
disclose part 2 records, consistent with
42 U.S.C. 290dd–2 as amended by the
CARES Act.
18 See 42 U.S.C. 290dd–2(b)(1)(B) and (c).
23. Section 2.51—Medical Emergencies
Finalizes the proposal to replace the
term ‘‘individual’’ with the term
‘‘person’’ in § 2.51(c)(2).
24. Section 2.52—Scientific Research
Finalizes the proposed modifications
to the heading as above to reflect
statutory language. The final rule further
aligns with the HIPAA Privacy Rule by
replacing the requirements to render
part 2 data in research reports non-identifiable with the HIPAA Privacy
Rule’s de-identification standard in 45
CFR 164.514.
25. Section 2.53—Management Audits,
Financial Audits, and Program
Evaluation
Finalizes changes as proposed.
Modifies the heading to reflect statutory
language. To support implementation of
42 U.S.C. 290dd–2(b)(1), as amended by
section 3221(b) of the CARES Act, adds
a provision to acknowledge the
permission to use and disclose records
for health care operations purposes
based on written consent of the patient
and the permission to redisclose such
records as permitted by the HIPAA
Privacy Rule if the recipient is a part 2
program, covered entity, or business
associate.
26. Section 2.54—Disclosures for Public
Health
Finalizes the proposed addition of
this section to implement 42 U.S.C.
290dd–2(b)(2)(D), as amended by
section 3221(c) of the CARES Act, to
permit the disclosure of records without
patient consent to public health
authorities provided that the records
disclosed are de-identified according to
the standards established in section 45
CFR 164.514.
27. Subpart E—Court Orders
Authorizing Use and Disclosure
Finalizes proposed modifications to
the heading of subpart E as above to
reflect changes made to the provisions
of this subpart related to the uses and
disclosure of part 2 records in
proceedings consistent with 42 U.S.C.
290dd–2(b) and (2)(c), as amended by
sections 3221(b) and (e) of the CARES
Act.
28. Section 2.62—Order Not Applicable
to Records Disclosed Without Consent
to Researchers, Auditors, and Evaluators
Finalizes the proposed replacement of
the term ‘‘qualified personnel’’ with a
reference to the criteria that define such
persons and adds a reference to § 2.53
as a technical edit.
29. Section 2.63—Confidential
Communications
Finalizes proposed changes to
paragraph (a)(3) of § 2.63 to expressly
include civil, criminal, administrative,
and legislative proceedings as forums
where the requirements for a court order
under this part would apply, to
implement 42 U.S.C. 290dd–2(c), as
amended by section 3221(c) of the
CARES Act.
30. Section 2.64—Procedures and
Criteria for Orders Authorizing Uses and
Disclosures for Noncriminal Purposes
Finalizes proposed changes that
expand the types of forums where
restrictions on use and disclosure of
records in civil proceedings against
patients apply 19 to expressly include
administrative and legislative
proceedings and also restricts the use of
testimony conveying information in a
record in civil proceedings against
patients, absent consent or a court order.
31. Section 2.65—Procedures and
Criteria for Orders Authorizing Use and
Disclosure of Records To Criminally
Investigate or Prosecute Patients
Finalizes changes as proposed.
Modifies the heading as above. Expands
the types of forums where restrictions
on uses and disclosure of records in
criminal proceedings against patients
apply 20 to expressly include
administrative and legislative
proceedings and also restricts the use of
testimony conveying information in a
part 2 record in criminal proceedings
against patients, absent consent or a
court order.
32. Section 2.66—Procedures and
Criteria for Orders Authorizing Use and
Disclosure of Records To Investigate or
Prosecute a Part 2 Program or the Person
Holding the Records
Finalizes changes as proposed and
adds new changes. Modifies the heading
as above. Finalizes requirements for
investigative agencies to follow in the
event that they discover in good faith
that they received part 2 records during
an investigation or prosecution of a part
2 program or the person holding the
records, in order to seek a court order
as required under § 2.66. Adds a further
modification to provide that information
from records obtained in violation of
this part cannot be used in an
application for a court order to obtain
such records.
33. Section 2.67—Orders Authorizing
the Use of Undercover Agents and
Informants To Investigate Employees or
Agents of a Part 2 Program in
Connection With a Criminal Matter
Finalizes proposed criteria for
issuance of a court order in instances
where an application is submitted after
the placement of an undercover agent or
informant has already occurred,
requiring an investigative agency to
satisfy the conditions at § 2.3(b). Adds a
further modification to provide that
information from records obtained in
violation of this part cannot be used in
an application for a court order to obtain
such records.
34. Section 2.68—Report to the
Secretary
Finalizes the proposed requirement
for investigative agencies to file annual
reports about the instances in which
they applied for a court order after
receipt of part 2 records or placement of
an undercover agent or informant as
provided in §§ 2.66(a)(3) and 2.67(c)(4).
35. General Changes To Use and
Disclosure
Finalizes proposed changes to reorder ‘‘disclosure and use’’ to ‘‘use and
disclosure’’ throughout the regulation
consistent with their usage in the
HIPAA Privacy Rule which generally
regulates the ‘‘use and disclosure’’ of
PHI and relies on the phrase as a term
of art.21 Inserts ‘‘use’’ or ‘‘disclose’’ to
reflect the scope of activity that is the
subject of the regulatory provision.
D. Summary of the Costs and Benefits of
the Major Provisions
This final rule is anticipated to have
an annual effect on the economy of
$12,720,000 in the first year of the rule,
followed by net savings in years two
through five, resulting in overall net
cost savings of $8,445,706 over five
years. The Office of Management and
Budget (OMB) has determined that this
proposed rule is a significant regulatory
action under section 3(f) of E.O. 12866,
but not under section 3(f)(1).
Accordingly, the Department has
prepared a Regulatory Impact Analysis
(RIA) that presents the estimated costs
and benefits of the rule.
19 See 42 CFR part 2, subpart E.
20 Id.
21 See, e.g., 45 CFR 164.502, Uses and disclosures
of protected health information: General rules.
II. Statutory and Regulatory
Background
Confidentiality of SUD Records
Congress enacted the first Federal
confidentiality protections for SUD
records in section 333 of the
Comprehensive Alcohol Abuse and
Alcoholism Prevention, Treatment, and
Rehabilitation Act of 1970.22 This
statute authorized ‘‘persons engaged in
research on, or treatment with respect
to, alcohol abuse and alcoholism to
protect the privacy of individuals who
[were] the subject of such research or
treatment’’ from persons not connected
with the conduct of the research or
treatment by withholding identifying
information.
Section 408 of the Drug Abuse Office
and Treatment Act of 1972 23 applied
confidentiality requirements to records
relating to drug abuse prevention
authorized or assisted under any
provision of the Act. Section 408
permitted disclosure, with a patient’s
written consent, for diagnosis or
treatment by medical personnel and to
government personnel for obtaining
patient benefits to which the patient is
entitled. The 1972 Act also established
exceptions to the consent requirement
to permit disclosures for bona fide
medical emergencies; to qualified
personnel for conducting certain
activities, such as scientific research or
financial audit or program evaluation, as
long as the patient is not identified in
any reports; and as authorized by court
order granted after application showing
good cause.24
The Comprehensive Alcohol Abuse
and Alcoholism Prevention, Treatment,
and Rehabilitation Act Amendments of
1974 25 expanded the types of records
protected by confidentiality restrictions
to include records relating to
‘‘alcoholism,’’ ‘‘alcohol abuse’’, and
‘‘drug abuse’’ maintained in connection
with any program or activity conducted,
regulated, or directly or indirectly
federally assisted by any United States
agency. The 1974 Act also permitted the
disclosure of records based on prior
written patient consent only to the
extent such disclosures were allowed
under Federal regulations. Additionally,
the 1974 Act excluded the interchange
of records within the Armed Forces or
components of the U.S. Department of
Veterans Affairs (VA), then known as
the Veterans’ Administration, from the
confidentiality restrictions.26
22 See sec. 333, Public Law 91–616, 84 Stat. 1853
(Dec. 31, 1970) (codified at 42 U.S.C. 2688h).
23 See sec. 408, Public Law 92–255, 86 Stat. 65
(Mar. 21, 1972) (codified at 21 U.S.C. 1175). Section
408 also prohibited the use of a covered record for
use or initiation or substantiation of criminal
charges against a patient or investigation of a
patient. Section 408 provided for a fine in the
amount of $500 for a first offense violation, and not
more than $5,000 for each subsequent offense.
24 Id.
25 See sec. 101, title I, Public Law 93–282, 88 Stat.
126 (May 14, 1974) (codified at 42 U.S.C. 4541
note), providing that: ‘‘This title [enacting this
section and sections 4542, 4553, 4576, and 4577 of
this title, amending sections 242a, 4571, 4572, 4573,
4581, and 4582 of this title, and enacting provisions
set out as notes under sections 4581 and 4582 of
this title] may be cited as the ‘Comprehensive
Alcohol Abuse and Alcoholism Prevention,
Treatment, and Rehabilitation Act Amendments of
1974’.’’
In 1992, section 131 of the Alcohol,
Drug Abuse, and Mental Health
Administration Reorganization Act
(ADAMHA Reorganization Act) 27 added
section 543, Confidentiality of Records,
to the Public Health Service Act
(PHSA) 28 (‘‘part 2 statute’’), which
narrowed the grounds upon which a
court could grant an order permitting
disclosure of such records from ‘‘good
cause’’ (i.e., based on weighing the
public interest in the need for disclosure
against the injury to the patient,
physician patient relationship, and
treatment services) 29 to ‘‘the need to
avert a substantial risk of death or
serious bodily harm.’’ 30 Congress also
established criminal penalties for part 2
violations under title 18 of the United
States Code, Crimes and Criminal
Procedure.31 Finally, section 543
granted broad authority to the Secretary
of HHS to prescribe regulations to carry
out the purposes of section 543 and
provide for safeguards and procedures,
including criteria for the issuance and
scope of court orders to authorize
disclosure of SUD records, ‘‘as in the
judgment of the Secretary are necessary
or proper to effectuate the purposes of
this section, to prevent circumvention
or evasion thereof, or to facilitate
compliance therewith.’’ 32
In 1975, the Department promulgated
the first Federal regulations
implementing statutory SUD
confidentiality provisions at 42 CFR
part 2.33 In 1987, the Department
published a final rule making
substantive changes to the scope of part
2 to clarify the regulations and ease the
burden of compliance by part 2
programs within the parameters of the
26 See sec. 408, title I, Public Law 92–255, 86 Stat.
79 (Mar. 21, 1972) (originally codified at 21 U.S.C.
1175). See 21 U.S.C. 1175 note for complete
statutory history.
27 See sec. 131, Public Law 102–321, 106 Stat. 323
(July 10, 1992) (codified at 42 U.S.C. 201 note).
28 Codified at 42 U.S.C. 290dd–2.
29 See sec. 333, Public Law 91–616, 84 Stat. 1853
(Dec. 31, 1970).
30 See sec. 131, Public Law 102–321, 106 Stat. 323
(July 10, 1992) (codified at 42 U.S.C. 201 note).
31 Id., adding sec. 543(b)(2)(C) to the PHSA.
32 Id., adding sec. 543(g) to the PHSA.
33 See 40 FR 27802 (July 1, 1975).
existing statutory restrictions.34 After
the 1992 enactment of the ADAMHA
Reorganization Act, the Department
later clarified the definition of
‘‘program’’ in a 1995 final rule to narrow
the scope of part 2 regulations
pertaining to medical facilities to cover
identified units within general medical
facilities which hold themselves out as
providing, and provide SUD treatment
and medical personnel or other staff in
a general medical care facility whose
primary function is the provision of
SUD diagnosis, treatment or referral for
treatment and who are identified as
such providers.35
HIPAA and the HITECH Act
In 1996, Congress enacted HIPAA,36
which included Administrative
Simplification provisions requiring the
establishment of national standards 37 to
protect the privacy and security of
individuals’ PHI and establishing civil
money and criminal penalties for
violations of the requirements, among
other provisions.38 The Administrative
Simplification provisions and
implementing regulations apply to
covered entities, which are health care
providers who conduct covered health
care transactions electronically, health
plans, and health care clearinghouses.39
Certain provisions of the HIPAA
regulations also apply directly to
‘‘business associates’’ of covered
entities.40
34 See 52 FR 21796 (June 9, 1987). See also Notice
of Decision to Develop Regulations, 45 FR 53 (Jan.
2, 1980) and (Aug. 25, 1983).
35 See 60 FR 22296 (May 5, 1995). See also 59 FR
42561 (Aug. 18, 1994) and 59 FR 45063 (Aug. 31,
1994). The ambiguity of the definition of ‘‘program’’
was identified in United States v. Eide, 875 F. 2d
1429 (9th Cir. 1989) where the court held that the
general emergency room is a ‘‘program’’ as defined
by the regulations.
36 See Public Law 104–191, 110 Stat. 1936 (Aug.
21, 1996).
37 See the Administrative Simplification
provisions of title II, subtitle F, of HIPAA, supra
note 4. See also sec. 264 of HIPAA (codified at 42
U.S.C. 1320d–2 note). See also, Centers for
Medicare & Medicaid Services, ‘‘HIPAA and
Administrative Simplification’’ (Sept. 6, 2023),
https://www.cms.gov/about-cms/what-we-do/administrative-simplification/hipaa/statutes-regulations.
38 See 42 U.S.C. 1320d–1–1320d–9. With respect
to privacy standards, Congress directed the
Department to ‘‘address at least the following: (1)
The rights that an individual who is a subject of
individually identifiable health information should
have. (2) The procedures that should be established
for the exercise of such rights. (3) The uses and
disclosures of such information that should be
authorized or required.’’ 42 U.S.C. 1320d–2 note.
39 See 42 U.S.C. 1320d–1 (applying
Administrative Simplification provisions to covered
entities).
40 See ‘‘Office for Civil Rights Fact Sheet on Direct
Liability of Business Associates under HIPAA’’
(May 2019) for a comprehensive list of requirements
in the HIPAA regulations that apply directly to
business associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/.
The HIPAA Privacy Rule, including
provisions implemented as a result of
the HITECH Act,41 regulates the use and
disclosure of PHI by covered entities
and business associates, requires
covered entities to have safeguards in
place to protect the privacy of PHI, and
requires covered entities to obtain the
written authorization of an individual to
use and disclose the individual’s PHI
unless the use or disclosure is otherwise
required or permitted by the HIPAA
Privacy Rule.42 The HIPAA Privacy
Rule includes several use and disclosure
permissions that are relevant to this
NPRM, including the permissions for
covered entities to use and disclose PHI
without written authorization from an
individual for TPO; 43 to public health
authorities for public health purposes; 44
and for research in the form of a limited
data set 45 or pursuant to a waiver of
authorization by a Privacy Board or
Institutional Review Board.46 The
HIPAA Privacy Rule also establishes the
rights of individuals with respect to
their PHI, including the rights to:
receive adequate notice of a covered
entity’s privacy practices; request
restrictions of certain uses and
disclosures; access (i.e., to inspect and
obtain a copy of) their PHI; request an
amendment of their PHI; and receive an
accounting of certain disclosures of
their PHI.47 Finally, the HIPAA Privacy
Rule specifies standards for de-identification of PHI such that, when
implemented, the information is no
longer individually identifiable health
41 The HITECH Act extended the applicability of
certain HIPAA Privacy Rule requirements and all of
the HIPAA Security Rule requirements to the
business associates of covered entities; required
HIPAA covered entities and business associates to
provide for notification of breaches of unsecured
PHI (implemented by the HIPAA Breach
Notification Rule); established new limitations on
the use and disclosure of PHI for marketing and
fundraising purposes; prohibited the sale of PHI;
required consideration of whether a limited data set
can serve as the minimum necessary amount of
information for uses and disclosures of PHI; and
expanded individuals’ rights to access electronic
copies of their PHI in an electronic health record
(EHR), to receive an accounting of disclosures of
their PHI with respect to electronic PHI (ePHI), and
to request restrictions on certain disclosures of PHI
to health plans. In addition, subtitle D strengthened
and expanded HIPAA’s enforcement provisions.
See subtitle D of title XIII of the HITECH Act,
entitled ‘‘Privacy’’, for all provisions (codified in
title 42 of U.S.C.).
42 See 45 CFR 164.502(a).
43 See 45 CFR 164.506.
44 See 45 CFR 164.512(b).
45 See 45 CFR 164.514(e)(1) through (4).
46 See 45 CFR 164.512(i).
47 See 45 CFR 164.520, 164.522, 164.524, 164.526
and 164.528.
information subject to the HIPAA
regulations.48
The HIPAA Security Rule, codified at
45 CFR parts 160 and 164, subparts A
and C, requires covered entities and
their business associates to implement
administrative, physical, and technical
safeguards to protect electronic PHI
(ePHI). Specifically, covered entities
and business associates must ensure the
confidentiality, integrity, and
availability of all ePHI they create,
receive, maintain, or transmit; 49 protect
against reasonably anticipated threats or
hazards to the security or integrity of the
information 50 and reasonably
anticipated impermissible uses or
disclosures; 51 and ensure compliance
by their workforce.52
The HIPAA Breach Notification Rule,
codified at 45 CFR parts 160 and 164,
subparts A and D, implements HITECH
Act requirements 53 for covered entities
to provide notification to affected
individuals, the Secretary, and in some
cases the media, following a ‘‘breach’’ of
unsecured PHI. The HIPAA Breach
Notification Rule also requires a covered
entity’s business associate that
experiences a breach of unsecured PHI
to notify the covered entity of the
breach. A breach is the acquisition,
access, use, or disclosure of PHI in a
manner not permitted by the HIPAA
Privacy Rule that compromises the
security or privacy of ‘‘unsecured’’ PHI,
subject to three exceptions: 54 (1) the
unintentional acquisition, access, or use
of PHI by a workforce member or person
acting under the authority of a covered
entity or business associate, if such
acquisition, access, or use was made in
good faith and within the scope of
authority; (2) the inadvertent disclosure
of PHI by a person authorized to access
PHI at a covered entity or business
associate to another person authorized
to access PHI at the covered entity or
business associate, or organized health
care arrangement in which the covered
entity participates; and (3) the covered
entity or business associate making the
disclosure has a good faith belief that
the unauthorized person to whom the
impermissible disclosure was made,
would not reasonably have been able to
retain the information.
The HIPAA Breach Notification Rule
provides that a covered entity may rebut
the presumption that such
impermissible use or disclosure
48 See 45 CFR 164.514(a) through (c).
49 See 45 CFR 164.306(a)(1).
50 See 45 CFR 164.306(a)(2).
51 See 45 CFR 164.306(a)(3).
52 See 45 CFR 164.306(a)(4).
53 See sec. 13402 of the HITECH Act (codified at
42 U.S.C. 17932).
54 See 45 CFR 164.402, ‘‘breach’’, paragraph (1).
constituted a breach by demonstrating
that there is a low probability that PHI
has been compromised based on a risk
assessment of at least four required
factors: (1) the nature and extent of the
PHI involved, including the types of
identifiers and the likelihood of re-identification; (2) the unauthorized
person who used the PHI or to whom
the disclosure was made; (3) whether
the PHI was actually acquired or
viewed; and (4) the extent to which the
risk to the PHI has been mitigated.55
The HIPAA Enforcement Rule,
codified at 45 CFR part 160 subparts C,
D, and E, includes standards and
procedures relating to investigations
into complaints about noncompliance
with the HIPAA regulation, compliance
reviews, the imposition of CMPs, and
procedures for hearings. The HIPAA
Enforcement Rule states generally that
the Secretary will impose a CMP upon
a covered entity or business associate if
the Secretary determines that the
covered entity or business associate
violated a HIPAA Administrative
Simplification provision.56 However,
the HIPAA Enforcement Rule also
provides for informal resolution of
potential noncompliance,57 which
occurs through voluntary compliance by
the regulated entity, corrective action, or
a resolution agreement with the
payment of a settlement amount to HHS
Office for Civil Rights (OCR).
The Department promulgated or
modified key provisions of the HIPAA
regulations as part of the ‘‘Modifications
to the HIPAA Privacy, Security,
Enforcement, and Breach Notification
Rules Under the Health Information
Technology for Economic and Clinical
Health Act and the Genetic Information
Nondiscrimination Act, and Other
Modifications to the HIPAA Rules’’ final
rule (‘‘2013 Omnibus Final Rule’’),58 in
which the Department implemented
applicable provisions of the HITECH
Act, among other modifications. For
example, the Department strengthened
privacy and security protections for PHI,
finalized breach notification
requirements, and enhanced
enforcement by increasing potential
CMPs for violations, including
establishing tiers of penalties based on
a covered entity’s or business associate’s
level of culpability.59
The Secretary of HHS delegated
authority to OCR to make decisions
55 Id. paragraph (2).
56 Criminal penalties may be imposed by the
Department of Justice for certain violations under
42 U.S.C. 1320d–6.
57 See 45 CFR 160.304. See also 45 CFR 160.416
and 160.514.
58 78 FR 5566 (Jan. 25, 2013).
59 Id.
regarding the implementation and
interpretation of the HIPAA Privacy,
Security, Breach Notification, and
Enforcement regulations.60
Earlier Efforts To Align Part 2 With the
HIPAA Regulations
Prior to amendment by the CARES
Act, 42 U.S.C. 290dd–2 provided that
records could be disclosed only with the
patient’s prior written consent, with
limited exceptions.61 The exceptions
related to records maintained by VA or
the Armed Forces and, for example,
disclosures for continuity of care in
emergency situations or between
personnel who have a need for the
information in connection with their
duties that arise out of the provision of
the diagnosis, treatment, or referral for
treatment of patients with SUD.62 The
exceptions did not include, for example,
a disclosure of part 2 records by a part
2 program to a third-party medical
provider to treat a condition other than
SUD absent an emergency situation.
Therefore, the current part 2 regulations
require prior written consent of the
patient for most uses and disclosures of
part 2 records, including for non-emergency treatment purposes. In
contrast, the HIPAA Privacy Rule
permits covered entities to use and
disclose an individual’s PHI for TPO
without the individual’s HIPAA
authorization.63
The Department has modified and
clarified part 2 several times to align
certain provisions more closely with the
HIPAA Privacy Rule,64 address changes
in health information technology (health
IT), and provide greater flexibility for
disclosures of patient identifying
information within the health care
system, while continuing to protect the
confidentiality of part 2 records.65 For
example, the Department clarified in a
2017 final rule that the definition of
‘‘patient identifying information’’ in
60 See U.S. Dep’t of Health and Human Servs.,
Office of the Secretary, Office for Civil Rights;
Statement of Delegation of Authority, 65 FR 82381
(Dec. 28, 2000); U.S. Dep’t of Health and Human
Servs., Office of the Secretary, Office for Civil
Rights; Delegation of Authority, 74 FR 38630 (Aug.
4, 2009); U.S. Dep’t of Health and Human Servs.,
Office of the Secretary, Statement of Organization,
Functions and Delegations of Authority, 81 FR
95622 (Dec. 28, 2016).
61 The limited exceptions are codified in current
regulation at 42 CFR 2.12(c) and 42 CFR part 2,
subpart D.
62 See 42 CFR 2.12(c)(3). These disclosures are
limited to communications within a part 2 program
or between a part 2 program and an entity having
direct administrative control over the part 2
program.
63 See 45 CFR 164.501.
64 See 85 FR 42986 (July 15, 2020) and 83 FR 239
(Jan. 3, 2018).
65 82 FR 6052 (Jan. 18, 2017). See also 81 FR 6988
(Feb. 9, 2016).
part 2 includes the individual
identifiers listed in the HIPAA Privacy
Rule at 45 CFR 164.514(b)(2)(i) for those
identifiers that are not already listed in
the part 2 definition.66 The 2017 final
rule also revised § 2.16 (Security for
Records) to more closely align with
HIPAA and permitted the use of a
consent that generally designates the
recipient of records rather than naming
a specific person.67
In 2018, the Department issued a final
rule clarifying the circumstances under
which lawful holders and their legal
representatives, contractors, and
subcontractors could use and disclose
part 2 records related to payment and
health care operations in § 2.33(b) and
for audit or evaluation-related purposes.
The Department clarified that
previously listed types of payment and
health care operations uses and
disclosures under the lawful holder
permission in § 2.33(b) were illustrative,
and not definitive so as to be included
in regulatory text.68 The Department
also acknowledged the similarity of the
list of activities to those included in the
HIPAA Privacy Rule definition of
‘‘health care operations’’ but declined to
fully incorporate that definition into
part 2.69 The Department specifically
excluded care coordination and case
management from the list of payment
and health care operations activities
permitted without prior written consent
of the patient under part 2 based on a
determination that these activities are
akin to treatment.
In 2018 the Department also codified
language for an abbreviated Notice to
Accompany Disclosure of part 2
records.70 Although the rule retained
the requirement that a patient must
consent before a lawful holder may
redisclose part 2 records for treatment,71
the Department explained that the
purpose of the part 2 regulations is to
ensure that a patient receiving treatment
for an SUD is not made more vulnerable
by reason of the availability of their
patient records than an individual with
a SUD who does not seek treatment.72
The Department simultaneously
recognized the legitimate needs of
lawful holders to obtain payment and
conduct health care operations as long
as the core protections of part 2 are
maintained.73
66 See 82 FR 6052, 6064.
67 82 FR 6052, 6054.
68 See 83 FR 239, 241–242.
69 Id. at 242.
70 83 FR 239, 240. See also 82 FR 5485, 5487 (Jan.
18, 2017).
71 83 FR 239, 242.
72 82 FR 6052, 6053.
73 83 FR 239, 242.
In a final rule published July 15,
2020,74 the Department retained the
requirement that programs obtain prior
written consent before disclosing part 2
records in the first instance (outside of
recognized exceptions). At the same
time the Department reversed its
previous exclusion of care coordination
and case management from the list of
payment and health care operations in
§ 2.33(b) for which a lawful holder may
make further disclosures to its
contractors, subcontractors, and legal
representatives.75 The Department
based this change on comments
received on the proposed rule in 2019
and on section 3221(d)(4) of the CARES
Act, which incorporated the HIPAA
Privacy Rule definition of ‘‘health care
operations,’’ including care
coordination and case management
activities,76 into paragraph (k)(4) of 42
U.S.C. 290dd–2.77 The July 2020 final
rule also modified the consent
requirements in § 2.31 by establishing
special requirements for written
consent 78 when the recipient of part 2
records is a health information exchange
(HIE) (as defined in 45 CFR 171.102 79).
In this final rule, the Department now
finalizes a definition of the term
‘‘intermediary’’ 80 to further facilitate
the exchange of part 2 records in new
models of care, including those
involving a research institution
providing treatment, an ACO, or a care
coordination or care management
organization.81
74 85 FR 42986. See also 84 FR 44568 (Aug. 26,
2019).
75 See 42 CFR 2.33(b).
76 See 45 CFR 164.501.
77 See 85 FR 42986, 43008–009. Sec. 3221(k)(4)
expressed the Sense of Congress that the
Department should exclude paragraph (6)(v) of 45
CFR 164.501 (relating to creating de-identified
health information or a limited data set, and
fundraising for the benefit of the covered entity)
from the definition of ‘‘health care operations’’ in
applying the definition to these records.
78 See 85 FR 42986, 43006.
79 Id. See also 21st Century Cures Act:
Interoperability, Information Blocking, and the ONC
Health IT Certification Program, 85 FR 25642 (May
1, 2020).
80 See 42 CFR 2.11, defining ‘‘Intermediary’’ as a
person, other than a program, covered entity, or
business associate, who has received records under
a general designation in a written patient consent
to be disclosed to one or more of its member
participants for the treatment of the patient(s)—e.g.,
a health information exchange, a research
institution that is providing treatment, an
accountable care organization, or a care
management organization.
81 U.S. Dep’t of Health and Human Servs.,
‘‘Information Related to Mental and Behavioral
Health, including Opioid Overdose’’ (Dec. 23,
2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html;
U.S. Dep’t of Health and Human Servs.,
‘‘Does HIPAA permit health care providers to share
protected health information (PHI) about an
individual with mental illness with a third party
The Department again modified part 2
on December 14, 2020,82 by amending
the confidential communications
section of § 2.63(a)(2), which
enumerated a basis for a court order
authorizing the use of a record when
‘‘the disclosure is necessary in
connection with investigation or
prosecution of an extremely serious
crime allegedly committed by the
patient.’’ The December 2020 final rule
removed the phrase ‘‘allegedly
committed by the patient,’’ explaining
that the phrase was included in
previous rulemaking by error, and
clarifying that a court has the authority
to permit disclosure of confidential
communications when the disclosure is
necessary in connection with
investigation or prosecution of an
extremely serious crime that was
allegedly committed by either a patient
or an individual other than the patient.
Section 3221 of the Coronavirus Aid,
Relief, and Economic Security (CARES)
Act
On March 27, 2020, Congress enacted
the CARES Act 83 to provide emergency
assistance to individuals, families, and
businesses affected by the COVID–19
pandemic. Section 3221 of the CARES
Act, Confidentiality and Disclosure of
Records Relating to Substance Use
Disorder, substantially amended 42
U.S.C. 290dd–2 to more closely align
Federal privacy standards applicable to
part 2 records with the HIPAA and
HITECH Act privacy standards, breach
notification standards, and enforcement
authorities that apply to PHI, among
other modifications.
The requirements in 42 U.S.C. 290dd–
2(b), (c), and (f), as amended by section
3221 of the CARES Act, with respect to
patient consent and redisclosures of
SUD records, now align more closely
with HIPAA Privacy Rule provisions
permitting uses and disclosures for TPO
and establish certain patient rights with
respect to their part 2 records consistent
with provisions of the HITECH Act;
restrict the use and disclosure of part 2
records in legal proceedings; and set
civil and criminal penalties for
that is not a health care provider for continuity of
care purposes? For example, can a health care
provider refer a patient experiencing homelessness
to a social services agency, such as a housing
provider, when doing so may reveal that the basis
for eligibility is related to mental health?’’ (Jan. 9,
2023), https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/.
82 85 FR 80626 (Dec. 14, 2020).
83 Public Law 116–136, 134 Stat. 281 (Mar. 27,
2020). Significant components of section 3221 are
codified at 42 U.S.C. 290dd–2 as further detailed in
this final rule.
violations. Section 3221 also amended
42 U.S.C. 290dd–2(j) and (k) by adding
HITECH Act breach notification
requirements and new terms and
definitions consistent with the HIPAA
regulations and the HITECH Act,
respectively. Finally, section 3221
requires the Department to modify the
HIPAA NPP 84 requirements at 45 CFR
164.520 so that covered entities and part
2 programs provide notice to
individuals regarding privacy practices
related to part 2 records, including
individuals’ rights and uses and
disclosures that are permitted or
required without authorization.
Paragraph (b) of section 3221
(Disclosures to Covered Entities
Consistent with HIPAA), adds a new
paragraph (1) (Consent), to section 543
of the PHSA 85 and expands the ability
of covered entities, business associates,
and part 2 programs to use and disclose
part 2 records for TPO. The text of
section 3221(b) adding paragraph (1)(B)
to 42 U.S.C. 290dd–2 states that once
prior written consent of the patient has
been obtained, those contents may be
used or disclosed by a covered entity,
business associate, or a program subject
to 290dd–2 for the purposes of TPO as
permitted by the HIPAA regulations.
Any disclosed information may then be
redisclosed in accordance with the
HIPAA regulations.
To the extent that 42 U.S.C. 290dd–
2(b)(1) now provides for a general
written patient consent covering all
future uses and disclosures for TPO ‘‘as
permitted by the HIPAA regulations,’’
and expressly permits the redisclosure
of part 2 records received for TPO ‘‘in
accordance with the HIPAA
regulations,’’ the Department believes
this means the recipient redisclosing the
records must be a covered entity,
business associate, or part 2 program
that has received part 2 records under
a TPO consent. The Department’s
proposals throughout this final rule are
premised on its reading of section
3221(b) as applying to redisclosures of
part 2 records by covered entities,
business associates, and part 2
programs, including those covered
entities that are part 2 programs.
In addition to the provisions of
section 3221 described above, paragraph
(g) of section 3221, Antidiscrimination,
adds a new provision (i)(1) to 42 U.S.C.
290dd–2 to prohibit discrimination
against an individual based on their part
2 records in: (A) admission, access to, or
84 Section 3221(i) requires the Secretary to update
45 CFR 164.520, the HIPAA Privacy Rule
requirements with respect to the HIPAA NPP.
85 Paragraph (1) is codified at 42 U.S.C. 290dd–
2(b).
treatment for health care; (B) hiring,
firing, or terms of employment, or
receipt of worker’s compensation; (C)
the sale, rental, or continued rental of
housing; (D) access to Federal, State, or
local courts; or (E) access to, approval
of, or maintenance of social services and
benefits provided or funded by Federal,
State, or local governments.86 Further,
the new paragraph (i)(2) prohibits
discrimination by any recipient of
Federal funds against individuals based
on their part 2 records.87 As stated in
the NPRM, the Department intends to
implement the CARES Act
antidiscrimination provisions in a
separate rulemaking. However, we
discuss below and briefly respond to
comments we received on the NPRM
concerning antidiscrimination and
stigma issues.
III. Overview of Public Comments
A. General Discussion of Comments
The Department received
approximately 220 comments on the
NPRM. By a wide margin, most of the
commenters represented organizations
rather than individuals (87 percent
versus 13 percent). Professional and
trade associations, including medical
professional associations, and patient,
provider, or other advocacy
organizations were the most
represented, followed by organizations
that could fall within multiple
categories. Other commenters included
hospitals and health care systems, state
and local government agencies, health
plans and managed care organizations,
health IT vendors, and unaffiliated
individuals. Among the 27 individual
commenters, nearly a third stated that
they had current or past experience as
an SUD provider, health care
administrator, or health IT or legal
professional.
The specific issue mentioned most
frequently in comments was the
proposal to allow patients to sign a
single consent form for all future uses
and disclosures of their SUD records for
TPO purposes. This was followed by the
proposed consent requirements,
regulatory definitions, protections for
patients in investigations and
proceedings against them, and
requirements for intermediaries, in that
order.
B. General Comments
Approximately 75 percent of
commenters provided general views on
the NPRM covering multiple issues,
including the need for better or
complete alignment with HIPAA,
86 See sec. 3221(g) of the CARES Act.
87 Id.
concerns about erosion of privacy and
the need for informed consent for
disclosures, requests for Departmental
guidance, and requests to better fund
SUD treatment services and health IT
technology for part 2 providers.
General Support for the Proposed Rule
Public comments showed strong
general support for the NPRM, with
nearly half voicing clear support and
nearly one-third expressing support
while offering suggestions for
improvement. Comments in support of
the proposed rule stated that the
proposed changes would improve care
coordination, support patient privacy,
reduce data and information gaps
between patients and providers, reduce
the stigma around SUD treatment, and
reduce costs.
A group of commenters supported the
proposed changes but did not view the
proposals as sufficient—they sought
more comprehensive change, to
essentially recreate a set of HIPAA
standards for part 2 records.
General Opposition to the Proposed
Rule
Some commenters that expressed
opposition to the NPRM stressed the
importance of privacy and the need for
informed consent regarding the use and
disclosure of SUD treatment
information, particularly for the use of
records in investigations and
proceedings against a patient. Some
SUD providers, medical professionals,
trade associations, advocacy
organizations, a mental health provider,
and nearly all individual commenters
urged the Department not to make
changes to part 2, largely to maintain
the existing privacy protections. One
advocacy organization urged the
Department to weigh the risk to patients
of their data being used without their
permission and their potential loss of
privacy surrounding seeking treatment
for SUD, against any potential benefits
provided for providers by the new rule.
IV. Analysis and Response to Public
Comments and Final Modifications
The discussion below provides a
section-by-section description of the
final rule and responds to comments
received from the public in response to
the 2022 NPRM. As the Department
discussed in the NPRM, the CARES Act
did not expressly require every proposal
promulgated by the Department. Some
of the Department’s proposals were
proposed to align the language of this
regulation with that in the HIPAA
Privacy Rule and to clarify already-existing part 2 permissions or
restrictions.
A. Effective and Compliance Dates
Proposed Rule
In the NPRM, the Department
proposed to finalize an effective date for
a final rule that would occur 60 days
after publication, and a compliance date
that would occur 22 months after the
effective date. Taken together, the two
dates would give entities two years after
publication to finalize compliance
measures. In the NPRM, we 88 stated
‘‘[e]ntities subject to a final rule would
have until the compliance date to
establish and implement policies and
practices to achieve compliance.’’ 89 The
Department proposed to provide the
same compliance date for both the
proposed modifications to 45 CFR
164.520, the HIPAA NPP provision, and
the more extensive part 2 modifications.
The HIPAA regulations generally
require covered entities and business
associates to comply with new or
modified standards or implementation
specifications no later than 180 days
from the effective date of any such
standards or implementation
specifications,90 whereas the part 2
regulation does not contain a standard
compliance period for regulatory
changes.
However, as we explained in the
NPRM, the proposed compliance period
would allow part 2 programs to revise
existing policies and practices, complete
other implementation requirements, and
train their workforce members on the
changes, as well as minimize
administrative burdens on entities
subject to the HIPAA Privacy Rule.
We requested comment on the
adequacy of the 22-month compliance
period that follows the proposed
effective date and any benefits or
unintended adverse consequences for
entities or individuals of a shorter or
longer compliance period.
Comment
More than half of the commenters
who addressed the timeline for
compliance, including several
providers, health plans, professional
medical and trade associations, and HIE
networks, expressed support or opined
that the proposed dates were feasible.
Some of these commenters believed
changes could be implemented sooner.
Several of these supportive commenters
offered the opinion that compliance
deadlines facilitate care coordination
and therefore should not be
unnecessarily delayed, but that the
88 In this final rule, ‘‘we’’ and ‘‘our’’ denote the
Department.
89 87 FR 74216, 74218.
90 See 45 CFR 160.105.
Department should offer technical
assistance leading up to the compliance
deadline to assist entities in
implementing these changes. Some
commenters stated that the Department
should make clear that covered entities
and part 2 programs who wish to
comply with new finalized provisions,
such as permissively using and
disclosing SUD records for TPO or using
the new authorization form with a
general designation, before the proposed
timeline should be able to do so
voluntarily.
Several commenters opined that the
compliance timeline should be
shortened. In general, these commenters
stated that a shorter compliance
timeline would more quickly facilitate
improved care coordination for SUD
patients and avoid extending the opioid
crisis. A few of these commenters
suggested that the gap in time between
the effective date and compliance date
would allow entities to ‘‘choose’’
whether to follow existing or revised
regulations for a period of time, and
thus impede interoperability. Others in
this group of commenters suggested that
the proposed compliance date was
excessively long, demonstrated a lack of
urgency by the Department for
improving SUD data exchange and care
for SUD patients, and would prolong the
‘‘misalignment’’ of privacy protections
for different types of information. One
of these commenters recommended an
alternative 12-month timeline that
would include the effective date with
only 10 additional months for
compliance. A few of these commenters
further encouraged the Department to
clarify that entities wishing to
implement any regulatory changes
before the proposed timelines could
voluntarily do so.
Response
We appreciate the comments and
clarify here that persons who are subject
to the regulation and are able to
voluntarily comply with regulatory
provisions finalized in this rulemaking
may do so at any time after the effective
date. We also agree with the
commenters who emphasized the
important role that this rule will play in
improving care coordination for patients
experiencing addiction or other forms of
SUD, and we acknowledge their
concerns about timely implementation.
As finalized, we believe the effective
and compliance dates strike the right
balance between incentivizing entities
to come into compliance in a timely
fashion, and granting them sufficient
time to adjust policies, procedures, and,
in some cases, technology to support
new or revised regulations.
Comment
A few commenters expressed support
for the proposed timelines but requested
clarification about whether new
finalized provisions would apply to
records created prior to the compliance
date of the final rule. These commenters
urged the Department to apply modified
requirements to part 2 records created
prior to the compliance date of the final
rule to avoid the burdensome task of
separating records and applications for
consent.
Response
The changes finalized in this rule will
apply to records created prior to the
final rule. We agree with commenters
who stated that separating records by
date of creation for differential
treatment would be unduly
burdensome.
Comment
Slightly less than half of the
commenters about this topic, including
medical associations, a technology
vendor, HIE/HINs, state and local
agencies, health plans, and professional
provider organizations, suggested that
the Department should either lengthen
the compliance timeline or finalize the
proposed compliance date but delay
enforcement, or issue a compliance safe
harbor beyond the compliance date. For
example, one commenter suggested that
the Department implement a two-year
enforcement delay while a few other
commenters suggested a three-year
enforcement delay or two-year phased
enforcement approach beyond the
compliance date. Some commenters
requested that the Department spend the
time tolled by the enforcement delay to
issue implementation guidance
addressing the interaction of the Centers
for Medicare & Medicaid Services (CMS)
Interoperability Rule,91 HIPAA
regulations, and 42 CFR part 2, or work
with the IT vendor community to
address data segmentation approaches.
A few state and local agencies opined
that the 22-month compliance period
following the effective date would not
be adequate for communication,
training, implementation, and
monitoring of extensive SUD provider
networks with varying delivery options.
One of these agencies cited as an
example the state of California where
the Medicaid SUD service delivery
system may include hundreds of county
and contracted providers such that the
burden of audits, deficiency findings,
and corrective actions would be felt
statewide. Another state agency
commented that its state needed more
91 See 85 FR 25510 (May 1, 2020).
time to develop a means to track TPO
disclosures and recommended a 60-month timeline after publication of the
rule. Other alternative timelines
suggested by commenters included a
recommendation by a dental
professional association to establish an
effective date of no less than one year
after publication of the final rule, and a
compliance date of no less than one year
after the effective date; an additional 12
months beyond the proposed 22-month
compliance timeline to better
accommodate new interoperability rules
and a corresponding need by part 2
programs to update technology; or a 34-month period following the 60-day
effective date period to grant part 2
programs greater time to implement
changes in practice related to the rule,
as well as additional time for questions
and clarifications from the Department.
Commenters also suggested that an
enforcement delay include a delay in
imposing civil monetary penalties or
‘‘safe harbor’’ protection for part 2
programs, providers, business
associates, and covered entities acting in
good faith.
Response
We disagree with commenters who
suggested or recommended that the
Department delay enforcement of a final
part 2 rule beyond the proposed
timeline. We also disagree that
additional safe harbor protection for the
entities that would be regulated under
this rule is necessary or appropriate.
Either an enforcement delay or an
enforcement safe harbor (that would
effectively extend the compliance
timeline) would frustrate the timely
implementation of the CARES Act
amendments to meaningfully improve
the ability of impacted entities to
coordinate care for individuals
experiencing SUD, as suggested by the
many commenters who either agreed
with the proposed effective and
compliance dates or sought a shorter
compliance timeline. The Department
may provide further guidance on the
CMS Interoperability Rule in relation to
data segmentation issues, HIPAA, and
part 2, but we do not believe that this
should delay finalization of the
modifications to the part 2 rule or
compliance deadlines.
Comment
One commenter, a Tribal health
board, recommended that Indian Health
Service (IHS) and Tribal facilities using
the existing IHS medical record system
be exempted from compliance with part
2 until such time as IHS modernizes its
electronic health record (EHR) system,
projected for 2025. It further requested
that SAMHSA issue guidance for
pharmacies utilizing and issuing
electronic prescriptions through the
Resource and Patient Management
System (RPMS) EHR system, and
associated redisclosures, in the context
of an integrated pharmacy system with
the full RPMS EHR.
Response
The timeline finalized here is
consistent with this request. As
explained, the two-month delay
between publication and an effective
date combined with a 22-month
compliance deadline beyond the
effective date grants entities two years
after publication to comply. Absent
extenuating circumstances that cause
the Department to require compliance
sooner, this final rule will require
compliance no earlier than third quarter
of calendar year 2025.
Comment
A few commenters representing HIE
networks expressed support for the
Department’s proposal to toll the date
by which part 2 programs must comply
with the proposed accounting of
disclosures requirements at § 2.25 until
the effective date of a final rule on a
revised HIPAA accounting of
disclosures standard at 45 CFR 164.528
to ensure the consistency with HIPAA.
Response
We appreciate these comments.
Comment
A few commenters recommended that
the Department delay this rule in its
entirety until other proposed HIPAA
regulations are finalized to permit
commenters to better assess interactions
between the alignment and to reduce
administrative burden, such as
reviewing multiple proposed HIPAA
NPP provisions.
Response
The Department is not finalizing the
proposed HIPAA NPP provisions in this
final rule, but plans to do so in a future
HIPAA final rule. We intend to align
compliance dates for any required
changes to the HIPAA NPP and part 2
Patient Notice to enable covered entities
to make such changes at the same time.
We believe the two-year compliance
timeline following publication of this
rule provides adequate time to assess
alignment implications between HIPAA
and part 2 and adjust accordingly.
Final Dates
The final rule adopts the proposed
effective date of 60 days after
publication of this final rule, and the
proposed compliance date of 24 months
after the publication of this final rule.
We are also finalizing the proposed
accounting of disclosure provision at
§ 2.25, but tolling the effective and
compliance dates for that provision
until such time as the Department
finalizes a revised provision in HIPAA
at 45 CFR 164.528.
B. Substantive Proposals and Responses
to Comments
Section 2.1—Statutory Authority for
Confidentiality of Substance Use
Disorder Patient Records
Proposed Rule
Section 2.1 describes the statutory
authority vested in 42 U.S.C. 290dd–2(g)
to prescribe implementing regulations.
The Department proposed to revise § 2.1
to more closely align this section with
the statutory text of 42 U.S.C. 290dd–
2(g) and subsection 290dd–2(b)(2)(C)
related to the issuance of court orders
authorizing disclosures of part 2
records.
Comment
A health plan commenter expressed
support for this language alignment and
that the specific references to authorized
disclosures pursuant to court order will
assist part 2 programs in their
compliance efforts. A state agency said
that these changes to part 2 will affect
its Medicaid system and Prepaid
Inpatient Health Plans. Compliance is
further required for State licensed
narcotic treatment facilities and
residential alcohol and drug treatment
facilities.
Response
We appreciate these comments.
Final Rule
The final rule adopts the proposed
changes to this section without further
modification.
Section 2.2—Purpose and Effect
Proposed Rule
Section 2.2 establishes the purpose
and effect of regulations imposed in this
part upon the use and disclosure of part
2 records. The Department proposed to
amend paragraph (b) of this section to
reflect that § 2.2(b) compels disclosures
to the Secretary that are necessary for
enforcement of this rule, using language
adapted from the HIPAA Privacy Rule at
45 CFR 164.502(a)(2)(ii). In the NPRM,
the Department stated that the
regulations do not require use or
disclosure under any circumstance
other than when disclosure is required
by the Secretary to investigate or
determine a person’s compliance with
this part.92 The Department also
proposed to add a new paragraph (b)(3)
to this section to clarify that nothing in
this rule should be construed to limit a
patient’s right to request restrictions on
use of records for TPO or a covered
entity’s choice to obtain consent to use
or disclose records for TPO purposes as
provided in the HIPAA Privacy Rule.
The Department specifically stated that
the ‘‘regulations in this part are not
intended to direct the manner in which
substantive functions such as research,
treatment, and evaluation are carried
out.’’ 93
Comment
A commenter said that it is logical for
disclosures to the Secretary under § 2.2
to be consistent with analogous
disclosures under HIPAA. Regarding the
proposed modification to § 2.2(b)(1) to
provide that the regulations generally do
not require the use and disclosure of
part 2 records, except when disclosure
is required by the Secretary, another
commenter said that it would be more
logical and appropriate to treat part 2
records as HIPAA-covered records. The
commenter believed that continued
stigmatization of the diagnoses treated
by part 2 facilities is a barrier to
treatment and creates a two-tiered
approach to use and disclosure that
provides no meaningful benefit to
patients.
Response
We appreciate these comments and
have finalized this section as noted
below. We believe our changes align
part 2 more closely with HIPAA while
also acknowledging changes to 42 U.S.C.
290dd–2, as amended by section 3221 of
the CARES Act, which continue to
provide additional protection for part 2
records, especially in legal proceedings
against a patient. This section is needed
to prevent harm to patients from stigma
and discrimination consistent with the
intent of part 2 and the CARES Act,
including newly added statutory
antidiscrimination requirements (42
U.S.C. 290dd–2(i)).
Comment
A SUD professional association
discussed stigma and discrimination to
which SUD patients are subject and
asked that any discussion of proposed
changes in the NPRM first begin with
the context of why these protections
exist. Citing to § 2.2(b)(2), the
association noted that there are a
number of adverse impacts to which
patients are vulnerable including those
92 87 FR 74216, 74226.
93 87 FR 74216, 74274.
related to: criminal justice, health care,
housing, life insurance coverage, loans,
employment, licensure, and other
intentional or passive discrimination
against patients. A psychiatric hospital
said that, under current § 2.2(b)(2), the
purpose of the substance use disorder
confidentiality protections is to
encourage care without fear of stigma-related adverse impacts, not to block
access to it for patients.
Response
We have long emphasized and agree
with commenters that one primary
purpose of the part 2 regulations is to,
as the 1987 rule stated, ensure ‘‘that an
alcohol or drug abuse patient in a
federally assisted alcohol or drug abuse
program is not made more vulnerable by
reason of the availability of his or her
patient record than an individual who
has an alcohol or drug problem and who
does not seek treatment.’’ 94 The final
rule continues to emphasize, including
in this section, that most uses and
disclosures allowed under part 2 are
permissive and not mandatory. The
final rule adds that disclosure may be
required ‘‘when disclosure is required
by the Secretary to investigate or
determine a person’s compliance with
this part pursuant to § 2.3(c).’’ Likewise,
a court order with a subpoena or similar
legal mandate may compel disclosure of
part 2 records, as explained in § 2.61,
Legal effect of order.95
Comment
A commenter believed the
Department’s proposal to add a new
paragraph (b)(3) to § 2.2 to provide that
nothing in this part shall be construed
to limit a patient’s right to request
restrictions on use of records for TPO or
a covered entity’s choice to obtain
consent to use or disclose records for
TPO purposes as provided in the HIPAA
Privacy Rule appears consistent with
patients’ rights requirements under
HIPAA and is a logical clarification.
Response
We appreciate the comment on our
proposed changes which are finalized
here.
94 52 FR 21796, 21805.
95 Section 2.61(a) provides that court orders
entered under this subpart are ‘‘unique’’ and only
issued to authorize a disclosure or use, and not
‘‘compel’’ disclosure. It further provides ‘‘A
subpoena or a similar legal mandate must be issued
in order to compel disclosure. This mandate may
be entered at the same time as and accompany an
authorizing court order entered under the
regulations in this part.’’ Under the HIPAA Privacy
Rule, a disclosure pursuant to such a court order,
but without an accompanying subpoena, would not
constitute a disclosure required by law as that term
is defined at 45 CFR 164.103.
Final Rule
The final rule adopts all changes to
§ 2.2 as proposed, without further
modification.
Section 2.3—Civil and Criminal
Penalties for Violations
Proposed Rule
Section 2.3 of 42 CFR part 2 currently
requires that any person who violates
any provision of the part 2 regulations
be criminally fined in accordance with
title 18 U.S.C. The Department proposed
multiple changes to this section to
implement the new authority granted in
section 3221(f) of the CARES Act as
applied in 42 U.S.C. 290dd–2(f) so that
sections 1176 and 1177 of the Social
Security Act apply to a part 2 program
for a violation of 42 CFR part 2 in the
same manner as they apply to a covered
entity for a violation of part C of title XI
of the Social Security Act (HIPAA
Administrative Simplification).
The Department proposed to replace
title 18 criminal enforcement with civil
and criminal penalties under
sections 1176 and 1177 of the Social
Security Act (42 U.S.C. 1320d–5,
1320d–6), respectively, as implemented
in the HIPAA Enforcement Rule.96 The
Department also proposed to rename
§ 2.3 as ‘‘Civil and criminal penalties for
violations’’ and reorganize § 2.3 into
paragraphs (a), (b), and (c). Proposed
§ 2.3(a) would incorporate the penalty
provisions of 42 U.S.C. 290dd–2(f),
which apply the civil and criminal
penalties of sections 1176 and 1177 of
the Social Security Act, respectively, to
violations of part 2. Proposed changes
and comments regarding paragraphs (a),
(b), and (c) are discussed below.
Comment
We received comments concerning
proposed revisions to § 2.3(a). A state
agency requested clarification regarding
the agencies authorized to enforce § 2.3.
Given statutory changes made by the
CARES Act, the commenter asked that
the Department clarify which agencies
are authorized to enforce part 2
pursuant to the proposed provision.
This commenter opined that section
1176 of the Social Security Act
authorizes the Secretary to impose
penalties, the attorney general of a state
to bring a civil action for statutory
damages in certain circumstances, and
OCR to use corrective action in cases
where the person did not know of the
violation involved. The commenter
asked for confirmation that the
Department is the Federal agency that is
96 See 45 CFR part 160, subpart D (Imposition of
Civil Money Penalties).
authorized to enforce part 2 through
civil penalties and further seeks
clarification regarding whether the
Department will act through OCR,
SAMHSA, or another entity. The
commenter also seeks clarification that
the authorized state enforcement agency
is the office of the attorney general.
Additionally, section 1177 of the Social
Security Act pertains to criminal
penalties for knowing violations, but
does not identify the specific agency
charged with enforcement. The
commenter seeks confirmation that
under the proposed rule, the Federal
Department of Justice (DOJ) has
jurisdiction over enforcement of part 2
through criminal penalties.
Response
We appreciate requests for
clarification on enforcement of part 2 as
proposed and now finalized in this rule.
As we have noted in previous
rulemakings such as the ‘‘HIPAA
Administrative Simplification:
Enforcement’’ final rule ‘‘[u]nder
sections 1176 and 1177 of the Act, 42
U.S.C. 1320d–5 and 6, these persons or
organizations, collectively referred to as
‘covered entities,’ may be subject to
CMPs and criminal penalties for
violations of the HIPAA regulations.
HHS enforces the CMPs under section
1176 of the Act, and [DOJ] enforces the
criminal penalties under section 1177 of
the Act.’’ 97 As part of the HITECH Act,
state attorneys general may bring civil
suits for violations of the HIPAA
Privacy and Security Rules on behalf of
state residents.98 Under this final rule,
alleged violators of part 2 are subject to
the same penalties as HIPAA covered
entities through sections 1176 and 1177
of the Social Security Act. The CARES
Act granted enforcement authority to
the Secretary for civil penalties and the
Department will identify the enforcing
agency before the compliance date of
this final rule.
Comment
A state agency said that its state
strongly opposes what it perceives as
increasing the civil and criminal
penalties described in § 2.3.
Understanding the desire to ensure
strong privacy protections are in place
and that sanctions are necessary, the
97 74 FR 56123, 56124 (Oct. 30, 2009). See also,
U.S. Dep’t of Health and Human Servs., ‘‘How OCR
Enforces the HIPAA Privacy & Security Rules’’
(June 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/.
98 See U.S. Dep’t of Health and Human Servs.,
‘‘State Attorneys General’’ (Dec. 21, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/.
agency opined that the current
enforcement framework is adequate and
increasing sanctions would be punitive
rather than promoting compliance.
Punitive sanctions should be brought
only against those entities or
individuals that failed to use due
diligence and/or make every reasonable
attempt to protect against unauthorized
disclosure. Unintended unauthorized
disclosures that result in no material
patient harm should be treated as that—
unintended disclosures that cause de
minimis or no harm to patients.
Increasing sanctions may have the
unintended consequence of part 2
programs not sharing patient records
even if the patient in fact desires
disclosure.
Response
We appreciate this commenter’s
concerns about part 2 enforcement and
disagree that the sanctions for violations
will be harsher than for violations of the
HIPAA regulations. We note that 42
U.S.C. 290dd–2(f), as amended by
section 3221(f) of the CARES Act,
applies the provisions of sections 1176
and 1177 of the Social Security Act to
a violation of 42 CFR part 2 in the same
manner as they apply to a violation of
part C of title XI of the Social Security
Act. We are implementing these
requirements in this final rule. As of the
compliance date for this final rule, we
anticipate taking a similar approach to
addressing noncompliance under part 2
as for violations of HIPAA, ranging from
voluntary compliance and corrective
action to civil and criminal penalties.99
Indeed, we are finalizing below § 2.3(c)
which provides that the provisions of 45
CFR part 160, subparts C, D, and E, shall
apply to noncompliance with this part
with respect to records in the same
manner as they apply to covered entities
and business associates for violations of
45 CFR parts 160 and 164 with respect
to PHI. As proposed, we are
incorporating the entirety of 45 CFR part
160, subpart D, which includes the
mitigating factors in 45 CFR 160.408
and the affirmative defenses in 45 CFR
160.410, to align part 2 enforcement
with the HIPAA Enforcement Rule.
In contrast, prior to this final rule, all
alleged part 2 violations were subject
only to potential criminal penalties.
Aligning part 2 and HIPAA enforcement
approaches should make the
enforcement process more
straightforward for part 2 programs that
99 See U.S. Dep’t of Health and Human Servs.,
‘‘Enforcement Process’’ (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/;
HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E.
are covered entities because it offers the
same mitigating factors for
consideration in enforcement, such as
the number of individuals affected by
the violation; whether the violation
caused physical, financial, or
reputational harm to the individual or
jeopardized an individual’s ability to
obtain health care; the size of the
covered entity or part 2 program; and
whether the penalty would jeopardize
the covered entity or part 2 program’s
ability to continue doing business. This
alignment also affords part 2 programs,
including those that are covered
entities, the same affirmative defenses to
alleged noncompliance and generally
prohibits the imposition of a civil
money penalty for a violation that is not
due to willful neglect and is corrected
within 30 days of discovery.
Final Rule
We are finalizing § 2.3(a) to specify
that under 42 U.S.C. 290dd–2(f), any
person who violates any provision of
this part shall be subject to the
applicable penalties under sections
1176 and 1177 of the Social Security
Act, 42 U.S.C. 1320d–5 and 1320d–6, as
implemented in the HIPAA
Enforcement Rule.
Section 2.3(b) Limitation on Criminal or
Civil Liability
Proposed Rule
As noted in the NPRM, after
consultation with DOJ, the Department
proposed in § 2.3(b) to create a
limitation on civil or criminal liability
(‘‘safe harbor’’) for persons acting on
behalf of investigative agencies when, in
the course of investigating or
prosecuting a part 2 program or other
person holding part 2 records, such
agencies or persons unknowingly
receive part 2 records without first
obtaining the requisite court order. The
proposed safe harbor applies only in
instances where records are obtained for
the purposes of investigating a part 2
program or person holding the record,
not a patient. Further, investigative
agencies would be required to follow
part 2 requirements for obtaining, using,
and disclosing part 2 records as part of
an investigation or prosecution,
including requirements related to
seeking a court order, filing protective
orders, maintaining security for records,
and ensuring that records obtained in
program investigations are not used in
legal actions against patients who are
the subjects of the records.
This safe harbor would be available
for uses or disclosures inconsistent with
part 2 only when the person acting on
behalf of an investigative agency acted
with reasonable diligence to determine
in advance whether part 2 applied to the
records or part 2 program. Paragraph
(b)(1) proposed to clarify what
constitutes reasonable diligence in
determining whether part 2 applies to a
record or part 2 program before an
investigative agency makes an
investigative demand or places an
undercover agent with the part 2
program or person holding the records.
The Department proposed specifically
that reasonable diligence under this
provision would require acting within a
reasonable period of time, but no more
than 60 days prior to, the request for
records or placement of an undercover
agent or informant. As proposed,
reasonable diligence would include
taking the following actions to
determine whether a health care
practice or provider (where it is
reasonable to believe that the practice or
provider provides SUD diagnostic,
treatment, or referral for treatment
services) provides such services: (1)
checking a prescription drug monitoring
program (PDMP) in the state where the
provider is located, if available and
accessible to the agency under state law;
or (2) checking the website or physical
location of the provider.
In addition, § 2.3(b) as proposed was
intended to require an investigative
agency to meet any other applicable
requirements within part 2 for any use
or disclosure of the records that
occurred, or would occur, after the
investigative agency knew, or by
exercising reasonable diligence would
have known, that it received part 2
records. The Department also proposed
amending §§ 2.66 and 2.67 to be
consistent with and further implement
these proposed changes in § 2.3.
Comment
A state agency that regulates health
facilities expressed concern that
statements made by HHS in the NPRM
when describing the need for the safe
harbor provision for investigative
agencies might bring its authority to
obtain part 2 records from health care
facilities into question. The commenter
explains that the Department’s
justification and interpretation of the
need for a safe harbor provision could
result in licensed health care facilities
refusing to provide it with access to part
2 records until the state agency obtains
a court order under subpart E. While the
commenter appreciated the clarification
provided by the Department in the
NPRM (‘‘[HHS] does not intend to
modify the applicability of § 2.12 or
§ 2.53 for investigative agencies’’), the
commenter asked that § 2.3(b) affirm
that investigative agencies will not be
required to demonstrate due diligence
or obtain a court order if their access,
use, and disclosure of part 2 records is
covered by another exception to part 2,
such as the audit and evaluation
exception in § 2.53.
An academic medical center
advocated for a narrower definition of
‘‘investigative agency’’ than proposed
and expressed concern about applying
the proposed limitation on liability to a
broad category of agencies. Several other
commenters also addressed in their
comments the Department’s proposed
definition of ‘‘investigative agency’’ in
§ 2.11, suggesting inclusion of state,
Tribal, or local agencies in this
definition.
Response
We address comments on definitions
below in § 2.11, including concerns
about potential unintended adverse
consequences of including
‘‘supervisory’’ agencies in the definition
of ‘‘investigative agency’’. We believe
that the definition of ‘‘investigative
agency’’, combined with the safe harbor
(and its reasonable diligence
prerequisite) and the annual reporting
requirement, provides an appropriate
check on government access to records
in the course of investigating a part 2
program or lawful holder in those
situations where an agency discovers it
has unknowingly obtained part 2
records. The safe harbor option to apply
for a court order retroactively does not
alter the criteria for a court to grant the
order, which includes a finding that
other means of obtaining the records
were unavailable, would not be
effective, or would yield incomplete
information. Here, we also clarify that
we do not intend, in § 2.3(b), to override
the existing authority of investigative or
oversight agencies to access records,
without court order, when permitted
under another section of this regulation.
Rather than narrowing the definition,
we also include, as some commenters
requested, local, territorial, and Tribal
investigative agencies in the final
‘‘investigative agency’’ definition
because they have a role in
investigations of part 2 programs.
Comment
Some SUD policy organizations and
other commenters suggested that the
Department should not include a safe
harbor provision for investigative
agencies, as this is not required by the
CARES Act and is duplicative of
existing protections such as qualified
immunity. According to these
commenters, the CARES Act does not
require a limitation on civil or criminal
liability for persons acting on behalf of
investigative agencies if they
unknowingly receive part 2 records.
Additionally, this provision is
deleterious to the confidentiality of
patients relying on part 2 protections of
their records in seeking or receiving
SUD treatment, further eroding the trust
necessary between provider and patient
for successful SUD treatment.
The commenters further addressed in
their comments the reasonable diligence
steps proposed to identify whether a
provider is a covered part 2 program.
Though the NPRM proposed that
passing by a part 2 program to observe
its operations or checking a PDMP is
sufficient to determine whether a
provider offers SUD services, many SUD
providers are not required to share
information with PDMPs, the
commenters assert. One commenter
suggested that PDMPs do not contain
any information from part 2 programs
that do not prescribe controlled
substances to patients. Under § 2.36,
opioid treatment programs (OTPs) may
report methadone dispensing
information to PDMPs, but only if the
reporting is mandated by state law and
authorized by a part 2-compliant
consent form. The commenters asserted
that more accurate verification methods
exist, such as SAMHSA’s online
treatment locator or state treatment
databases. If such a safe harbor
provision is included, the standard for
diligence must be made more explicit
and subject to more rigorous standards,
according to these commenters.
A legal advocacy organization
commented that the safe harbor
proposal fell outside the scope of the
CARES Act and was an unnecessary
change. It further commented that
despite disclosing that it consulted with
the DOJ, HHS failed to adequately
explain why law enforcement merits
special consideration for protection
from liability or why HHS did not
consult with civil rights organizations,
legal and policy advocates, providers, or
patients. In addition, this commenter
opined that the proposed safe harbor
provision had inadequate guardrails to
protect privacy because the Department
proposed a very low standard of
reasonable diligence that the
investigative agency would be required
to show and insufficient examples of
actions an investigative agency must
take to identify whether a provider
offered SUD treatment under part 2. The
commenter also remarked that checking
a state’s PDMP website should not be
sufficient to establish reasonable
diligence since the majority of part 2
programs do not report information to
PDMPs, and similarly, driving by a
provider’s physical location should not
be considered sufficient to establish
reasonable diligence because many SUD
providers preserve their patients’
privacy by avoiding overt street signage
or advertisements. This commenter
suggested checking SAMHSA’s online
treatment locator or the state oversight
agency’s list of licensed and certified
providers as better alternatives than
those proposed in the NPRM.
An HIE association expressed concern
that if patients believe that their
information related to seeking SUD
treatment or admitting continued SUD
while in treatment could be disclosed to
an investigative Federal Government
agency, then they may forgo or stop
receiving that treatment. SUD treatment
and the part 2 patient records are some
of the most sensitive pieces of a person’s
health record. The commenter suggested
that it is important for OCR and
SAMHSA to engage with patient
advocacy organizations to understand
the needs of patients to protect that
privacy and ensure treatment is not
foregone due to a fear of exposure. An
individual commenter also
recommended consultation by the
Department with SUD patients and
former patients.
Another group of commenters
claimed that the proposed rule’s new
safe harbor provision in § 2.3 was
unnecessary, overly broad, and was not
required by the CARES Act. HHS should
withdraw this proposed change, these
commenters stated, or at least should
include more accurate methods of how
investigative agencies can determine a
provider offers SUD services (and thus
may be subject to part 2) such as
consulting the SAMHSA online
treatment locator.
An individual commenter viewed the
proposed § 2.3(b) changes as
stigmatizing because it would promote
access to patients’ records against their
interests by law enforcement. Another
individual commenter suggested the
proposed safe harbor may create a
chilling effect, dissuading people from
seeking the SUD care and other kinds of
health care, including prenatal care, that
they need. One person in recovery said
that the proposal’s language is vague
and open-ended, leaving room for
interpretation and loopholes for fishing
expeditions by law enforcement through
patient records. This commenter further
stated that while it is important that bad
actor treatment centers or providers are
held accountable, the solution should
not sacrifice fundamental privacy rights
of patients.
Another commenter recommended a
bar against using the safe harbor
provision without inquiring directly
with the provider about whether part 2
applies. The organization has helped
part 2 programs respond to hundreds of
law enforcement requests for SUD
treatment records. Based on its
experience, many part 2 programs report
that law enforcement officials are not
familiar with part 2 and do not listen to
program staff when they flag its
requirements for law enforcement. The
commenter stated that part 2 program
staff have even been arrested and
charged with obstruction for attempting
to explain the Federal privacy law as a
result of this lack of knowledge by law
enforcement.
A county government expressed
opposition to the Department’s
proposals in § 2.3, and relatedly in
§§ 2.66 and 2.67. According to this
commenter, the Department should
consider that once information is
received by an investigator, there is no
way to undo the knowledge learned
even if records are destroyed as required
in §§ 2.66 and 2.67. Thus, the
commenter concluded, the Department
should not finalize the safe harbor.
Another county government, also
expressing opposition to proposed
changes in §§ 2.3 and 2.66, commented
that it believes the creation of a safe
harbor for improper use or disclosure of
part 2 records by investigative agencies
is contrary to the ‘‘fundamental policy
goals’’ that support more stringent
privacy protections for substance use
treatment records under 42 CFR part 2.
This commenter explained its view that
patients remain fearful of legal
repercussions for engaging in substance
use and will be discouraged from
seeking treatment if guardrails that
protect information are lowered. This
commenter further opined that creating
a safe harbor for investigative agencies
could have the unintended consequence
of creating an incentive for investigative
agencies to design document requests to
technically meet the requirements of the
safe harbor, with the hopes of providers
turning over part 2 records to which the
investigative agency would not
otherwise have access. Furthermore,
according to the commenter, the
contents of part 2 records could
conceivably be used as a basis for
meeting the criteria for a court order to
use or disclose these, or other part 2
records, under § 2.64. This commenter
further recommended that investigators
not be permitted to retroactively seek a
court order to use or disclose part 2
records, and in no event should
investigative agencies be able to use
information from part 2 records that
they did not have proper authority to
receive as the basis for a retroactive
court order for use or disclosure of part
2 records.
Response
As noted above and in response to
comments, this final rule no longer
considers the reasonable diligence
requirement specific to the safe harbor
to be met by checking the applicable
PDMP. Instead, this rule in the
regulatory text of § 2.3 provides that
‘‘reasonable diligence’’ means taking all
of the following actions: searching for
the practice or provider among the SUD
treatment facilities in SAMHSA’s online
treatment locator; searching in a similar
state database of treatment facilities
where available; checking a practice or
program’s website, where available, or
physical location; viewing the entity’s
Patient Notice or HIPAA NPP if it is
available; and taking all these steps
within no more than 60 days before
requesting records or placing an
undercover agent or informant.
SAMHSA’s online treatment
locator,100 even if it does not include
every SUD provider or may include
outdated information for some
providers, still is more inclusive than
PDMPs. Generally, only SUD providers
who prescribe controlled substances
submit data to PDMPs while SAMHSA’s
online treatment locator also includes
SUD providers who do not prescribe
controlled substances. Further, we
believe that requiring consultation of a
PDMP by investigative agencies could
unnecessarily increase exposure of
patient records that are contained in a
PDMP with the records of part 2
programs or lawful holders who are
under investigation. The inherent risk of
an unnecessary disclosure of patient
records runs counter to the underlying
intent to keep these records
confidential. Finally, the SAMHSA
online treatment locator uses existing
Departmental resources and is readily
available to the general public at no
cost.101
As to the suggestion that checking
state licensing information would be a
better indicator of a program’s part 2
status, the Department disagrees.
Licensing may occur at the facility level,
100 See Substance Abuse and Mental Health
Servs. Admin., ‘‘FindTreatment.gov,’’ https://findtreatment.gov/.
101 See Ned J. Presnall, Giulia Croce Butler, and
Richard A. Grucza, ‘‘Consumer access to
buprenorphine and methadone in certified
community behavioral health centers: A secret
shopper study,’’ Journal of Substance Abuse
Treatment (Apr. 29, 2022), https://www.jsatjournal.com/article/S0740-5472(22)00070-8/fulltext;
Cho-Hee Shrader, Ashly Westrick, Saskia
R. Vos, et al., ‘‘Sociodemographic Correlates of
Affordable Community Behavioral Health
Treatment Facility Availability in Florida: A Cross-Sectional
Study,’’ The Journal of Behavioral Health
Services & Research (Jan. 4, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9812544/.
or separately by occupational specialty,
which would require an investigative
agency to scour several sources of
information. Further, the definition of
part 2 program is broader than that of
licensed SUD treatment providers
because it can include prevention
programs, so the pool of licensed
providers is overly narrow and does not
address the requirements that a program
‘‘hold itself out’’ as providing SUD
services or that it is in receipt of Federal
assistance.
Regarding comments that HHS did
not consult with civil rights
organizations, legal and policy
advocates, providers, or patients, we
note that we received and reviewed
comments submitted by individuals and
advocacy and civil rights organizations
as we are required to do as part of the
rulemaking process. We also consulted
with DOJ and other Federal agencies.
We also acknowledge and appreciate
concerns among some individual
commenters that this provision may
further stigmatize people seeking SUD
treatment. However, we believe the
requirement to demonstrate reasonable
diligence to determine part 2 status in
the safe harbor along with the
requirements in §§ 2.66 and 2.67 that
prohibit use or disclosure of records
against a patient in a criminal
investigation or prosecution or in an
application for a court order to obtain
records for such purposes will help
ensure and enhance patient privacy
consistent with the purpose and intent
of part 2 and 42 U.S.C. 290dd–2 as
amended by the CARES Act. We will
monitor implementation and take steps
to address any unintended adverse
consequences that may follow,
particularly for patients because they
are not the intended focus of these
investigations.
The safe harbor is not required by the
CARES Act; it is grounded in the
Secretary’s general rulemaking authority
for the confidentiality of SUD patient
records under 42 U.S.C. 290dd–2(g) and
is necessary to operationalize subpart E,
particularly in the context of other
health care investigations. For example,
investigative agencies may inadvertently
obtain records from part 2 programs in
the course of their investigations under
other laws such as Medicaid fraud
regulations, Drug Enforcement
Administration (DEA) regulations, and
HIPAA, where the applicability of part
2 (and the court order requirement for
program investigations) is not obvious.
The safe harbor provision facilitates a
pathway to conduct the investigation
under the amended part 2 statute.
Contrary to some views expressed by
commenters, it may be inappropriate for
an investigative agency to directly
discuss with or contact the provider
about whether part 2 applies because
this could apprise them of an
investigation or potential use of an
informant under subpart E. In contrast,
reliance on a publicly available
directory, a HIPAA NPP, or Patient
Notice offers neutral sources to alert
agencies to the potential applicability of
part 2.
Comment
A health care system commented that
an investigative agency should have
ample and sufficient notice that it may
receive or come into contact with SUD
records in the course of investigating or
prosecuting a part 2 program. However,
depending on the requirements or
standards to be met, the commenter
stated that it may be more expedient for
an investigating agency to rely on the
safe harbor after it comes into contact
with part 2 records. As a result,
investigative agencies might
intentionally bypass the requirement to
obtain consent or a court order and
decide instead to avail themselves of the
safe harbor after disclosure. In addition,
the commenter asserted that the good
faith standard could easily become
diluted and might permit an investigator
to hide behind the safe harbor when
their conduct is the result of ignorance
or an error in judgment. The commenter
also expressed concern that the good
faith standard would allow for a
spectrum of interpretations and
different courts may apply the standard
differently, leading to inconsistent
results; as such, it would be important
for the Department to audit and monitor
the use of the safe harbor to ensure it is
being used appropriately.
An individual commenter asserted
that expanding the reach of the CARES
Act 102 to create safe harbors for the
criminal justice communities for
violations of part 2 is beyond the intent
of Congress, noting that the CARES Act
does not require the creation of a
limitation on civil or criminal liability
for persons acting on behalf of
investigative agencies if they
unknowingly receive part 2 records.
This commenter expressed concern that
creating a limitation on civil or criminal
liability under § 2.3 of 42 CFR part 2 or
a good faith exception under the
proposed new paragraph under
§ 2.66(a)(3) of 42 CFR part 2 would
‘‘encourage lax investigative actions on
the part of an investigative agency.’’ The
commenter believed that investigative
agencies should continue to be required
to seek an authorization from a court to
102 See sec. 3221(i)(1) of the CARES Act.
use or disclose any records implicated
by part 2 protections because
admonishing an investigative agency to
cease using or disclosing part 2 records
after the fact would in practice give the
investigative agency license to screen
and review part 2 records. This
commenter also said that the good faith
standard of § 2.66(a)(3) would offer
investigative agencies an ‘‘excuse’’ to
receive and review part 2 records. This
commenter also asserted that §§ 2.3 and
2.66(a)(3) and (b) should be eliminated
from the final rule as not required by the
CARES Act and inconsistent with the
confidentiality of a patient relying on
part 2 protections of their records in
seeking or receiving SUD treatment.
Another commenter argued that the
limitation of liability would not
negatively affect a patient’s access to
SUD treatment but might ‘‘influence the
investigative agency to be cavalier in
obtaining the appropriate [consent or
court order] if they are aware that its
liability will be limited.’’ This
commenter further opined that the
annual reporting to the Secretary could
serve as an important way to audit the
use of this safe harbor protection,
and the limitation of liability may
support an investigative agency’s ability
to investigate a program, which could
increase the quality of care.
Response
We believe that some commenters
misunderstand the process of
investigating a health care provider and
we disagree that an investigator would
always know before seeking records that
a provider is subject to part 2. In many
instances, an investigation is focused on
the use of public money such as
Medicaid or Medicare claims and
reimbursement, and the focus is not on
whether a provider is treating SUDs.
Regarding the good faith standard, as we
explain below, we believe the phrase is
generally understood to mean acting
consistent with both the text and intent
of the statute and part 2 regulations.
We believe that the operation of this
provision is clear in the event a finding
of good faith is not met. First, a lack of
good faith could result in the imposition
of HIPAA/HITECH Act penalties under
42 U.S.C. 290dd–2, as amended, if
investigators are found to have acted in
bad faith in obtaining the part 2 records.
Second, in §§ 2.66 and 2.67, a finding of
good faith is necessary to trigger the
ability of the agency to apply for a court
order to use records that were
previously obtained.
We also disagree that this provision
will encourage lax investigative actions
or prompt agencies to ‘‘game’’ the
regulations to improperly obtain
records. First, the manner in which
agencies obtain records will be
considered by a court as part of the
court order process. Second, while the
safe harbor operates as a limitation on
civil and criminal liability under 42
U.S.C. 290dd–2(f), it does not provide
absolute immunity under Federal or
state law should an agency or person
knowingly obtain records improperly or
under false pretenses. For example, it
would be improper to knowingly obtain
records without following the required
procedures for the type of request, or
under false pretenses.
We agree with the sentiment that the
reporting requirement in § 2.68 will
serve as a useful tool to help monitor
the appropriateness of investigative
agencies’ reliance on the regulatory safe
harbor. We also appreciate the view that
facilitating appropriate investigations
will play an important role in ensuring
the quality of care delivered by part 2
programs.
Comment
An SUD provider said that this safe
harbor essentially could establish a
loophole for investigative agencies to
obtain part 2 records without following
part 2 requirements, and thus adversely
affect patient privacy. This commenter
believed that the proposed rule
attempted to justify the safe harbor by
addressing the increased liability due to
added penalties for violations of part 2,
the need to prosecute bad actors, and
public safety. However, this justification
was misplaced, according to this
commenter, and the safe harbor might
only reduce important protections that
limit investigative agencies’ ability to
obtain protected records. By replacing
the required elements in place to protect
the privacy of patients with a loosely
defined reasonable diligence standard,
the proposed rule would only increase
the chances of investigative agencies
unknowingly receiving part 2 records,
according to this commenter. The
proposed reasonable diligence standard
provides investigative agencies with two
options to determine part 2 application
on a provider, both of which the
commenter views as insufficient.
Ultimately, these proposed reasonable
diligence standards can be easily
bypassed as a way to obtain records
without the requisite requirements. The
organization expressed the belief that if
a reasonable diligence standard remains
in place, the Department should impose
more stringent requirements under this
standard, such as obtaining a copy of a
provider’s HIPAA NPP to determine
part 2 applicability or comparable
requirement.
Response
We acknowledge this commenter’s
concerns. As noted in this final rule at
§ 2.3, we are revising the proposed
‘‘reasonable diligence’’ standard to
mean taking all of the following actions:
searching for the practice or provider
among the SUD treatment facilities in
SAMHSA’s online treatment locator;
searching in a similar state database of
treatment facilities where available;
checking a practice or program’s
website, where available, or its physical
location; viewing the entity’s Patient
Notice or HIPAA NPP if it is available;
and taking all these steps within no
more than 60 days before requesting
records or placing an undercover agent
or informant. We are requiring these
reasonable diligence steps to be taken in
response to commenters’ concerns about
the effects of the safe harbor on patient
privacy and their specific
recommendations for strengthening
those steps. Importantly, an
investigative agency could be subject to
penalties under the CARES Act
enforcement provisions if it does not
take all of the steps in the required time
frame as necessary to qualify for the
protection afforded by the safe harbor.
Finally, as discussed above, the
reporting requirement to the Secretary
will play an important role in ensuring
transparency. After this rule is finalized,
the Department intends to make use of
such reports to monitor compliance
with these requirements and work to
educate patients, providers,
investigative agencies and others about
these provisions.
Comment
An individual commenter expressed
concern about what they characterized
as a broad swath of potential agencies
that conduct activities covered by the
term ‘‘investigation.’’ The commenter
opined that the types of agencies that
conduct investigations are broad and
many have repeatedly demonstrated
their lack of prioritization of patient
privacy and personal rights. The
commenter believed that the
Department outlines reasonable
minimums including access controls,
requesting and maintaining the
minimum data required, and taking the
most basic steps to determine if staff
should or could access patient data
before doing so, as well as obtaining the
legally required permissions to lawfully
receive such data. However, inability to
follow these most basic guidelines does
not support reducing liability, the
commenter asserted, suggesting that the
reasonable steps the Department
describes in § 2.3 should be required for
investigatory agencies to receive any
PHI or part 2 records or to deploy an
informant.
An anonymous commenter alleged
that parole officers in their state
frequently violate part 2 by making
notes in an automated system
redisclosing part 2 information from
community providers. Until there is a
regulatory and investigative agency
invested in ensuring strict adherence to
this regulation, the commenter said the
Department should not ease up on the
restrictions and access to SUD
confidential information.
Response
We acknowledge that a broad range of
agencies is encompassed within the
definition of ‘‘investigative agency,’’ and
they have varying degrees of
involvement with the provision of
health care. The prerequisites for
accessing part 2 records for audit and
evaluation differ, intentionally, from the
prerequisites for placing an informant
within a program, although both may
involve investigative agency review of
part 2 records. The requirement to first
obtain a court order before records are
sought in a criminal investigation or
prosecution is a much higher standard.
While the safe harbor operates as a
limitation on civil and criminal liability
for agencies that have acted in good
faith, it does not provide immunity
under Federal or state law should an
investigative agency knowingly obtain
records improperly or under false
pretenses. Further, this final rule
establishes a right to file a complaint
with the Secretary for violations of part
2 by, among others, lawful holders.
Comment
A medical professional association
encouraged extending safe harbor
protections to part 2 programs,
providers, business associates, and
covered entities acting in good faith for
at least 34 months following the 60-day
effective date period (36 total months).
According to the commenter, this
protection is essential to encourage
providers to hold themselves out as
SUD providers and other entities to
support part 2 programs, which will be
especially important as the health care
system implements these new
regulations. However, the commenter
opposed the proposed safe harbor
for investigative agencies as written.
According to this commenter, as written
the proposed safe harbor could reduce
access to care if part 2 programs or
providers feel more at risk for acting in
good faith than the investigative
agencies that do not provide patient
care.
Response
As discussed in the proposed rule, the
effective date of a final rule will be 60
days after publication and the
compliance date will be 24 months after
the publication date. The Department
acknowledges concerns about
compliance and may provide additional
guidance after the rule is finalized. We
acknowledge requests by commenters to
extend the safe harbor beyond
investigative agencies to covered
entities, health plans, HIEs/HINs, part 2
programs, APCDs, and others. However,
we decline to make these requested
changes because § 2.3 is specifically
intended to operate in tandem with
§§ 2.66 and 2.67 when investigative
agencies unknowingly obtain part 2
records in the course of investigating or
prosecuting a part 2 program and, as a
result, fail to obtain the required court
order in advance. We also believe that
covered entities and business associates
that are likely to receive part 2 records
are routinely engaged in health care
activities and are more likely to be
aware when they are receiving such
records.
Comment
A health IT vendor addressed our
request for comment on whether to
expand the limitation on civil or
criminal liability for persons acting on
behalf of investigative agencies to other
entities. The commenter requested
clarification on how the Department
defines ‘‘unknowingly’’ when
considering whether a safe harbor
should be created for SUD providers
that unknowingly hold part 2 records
and unknowingly disclose them in
violation of part 2.
Response
We have not developed a formal
definition of ‘‘unknowingly;’’ however,
the safe harbor for investigative agencies
addresses situations where the recipient
is unaware that records they have
obtained contain information subject to
part 2 although the agency first
exercised reasonable diligence to
determine if the disclosing entity was a
part 2 program. The reasonable
diligence expected of an SUD provider
would be different in nature because
such a provider uniquely possesses the
information necessary to evaluate
whether it is subject to this part, and
consequently whether any patient
records it creates are also subject to this
part. We think it is more likely that the
‘‘unknowing’’ situation could occur
when an entity other than a part 2
program receives records without the
Notice to Accompany Disclosure and
rediscloses them in violation of this part
because it is unaware that it possesses
part 2 records. As we stated in the
NPRM, we believe this scenario is
addressed by the HITECH penalty tiers,
so we are not expanding the safe harbor
to other entities. Covered entities and
business associates that are likely to
receive part 2 records are routinely
engaged in health care activities and are
more likely to be aware that they are
receiving such records. Further, the
HITECH penalty tiers were designed to
address privacy violations by covered
entities and business associates.
Comment
Many commenters argued that the
proposed safe harbor provisions should
apply to entities beyond investigative
agencies. The commenters included a
medical association, a state Medicaid
agency, a managed care organization,
health care providers, HIEs, a state HIE
association, and other professional and
trade associations. The range of entities
for which a safe harbor was
recommended include the following:
non-investigative agencies; covered
entities; business associates; other SUD
providers, facilities, and other providers
generally who act in good faith and use
reasonable diligence to determine
whether records received/maintained
are covered by part 2; health plans
based on good faith redisclosures that
comply with the HIPAA Privacy rule
but not with the part 2 Rule; HIEs; SUD
providers that are unaware of their
practice designation as a part 2
provider; state Medicaid agency
administering the Medicaid program; all
payer claims databases (APCDs); part 2
programs; and lawful holders who, in
good faith, unknowingly receive part 2
records and then unintentionally violate
part 2 with respect to those records.
A county government argued that
amending § 2.3 to contain a safe harbor
provision for providers would better
serve the policy goals of protecting
patient privacy, while recognizing that
health systems are moving toward
integrating substance use treatment with
other health conditions and behavioral
health needs. Many part 2 programs
provide integrated substance use and
mental health treatment, and include
providers who provide both mental
health and substance use treatment or
work in collaboration with mental
health treatment providers. In these
‘‘dual diagnosis’’ programs, mental
health providers may over time
unknowingly generate and/or receive
and possess records subject to part 2.
Another commenter, a professional
association, urged that such a safe
harbor should remain in place until
such time as there is an operationally
viable means of providing the Notice to
Accompany Disclosures of part 2
records in § 2.32. It should apply to
HIPAA entities only if and to the extent
that HHS does not, in the final rule,
permit these entities to integrate these
records with their existing patient
records and treat the data as PHI which,
the association asserted, is the best
approach from both patient care and
operational perspectives.
Response
We acknowledge requests by
commenters to extend the safe harbor
beyond investigative agencies to
covered entities, health plans, HIEs/
HINs, part 2 programs, APCDs, and
others. However, we decline to make
these requested changes because § 2.3 is
specifically intended to operate in
tandem with §§ 2.66 and 2.67 when
investigative agencies unknowingly
obtain part 2 records in the course of
investigating or prosecuting a part 2
program and, as a result, fail to obtain
the required court order in advance. By
contrast, §§ 2.12, 2.31, and 2.32,
including the requirement in this final
rule that each disclosure made with the
patient’s written consent must be
accompanied by a notice and a copy of
the consent or a clear explanation of the
scope of the consent, should be
sufficient to inform recipients of part 2
records of the applicability of part 2 in
circumstances that do not involve
investigations or use of informants.
SUD providers, in particular, are
obligated to know whether they are
subject to part 2. In the event of an
enforcement action against a lawful
holder that involves an unknowing
receipt or disclosure of part 2 records
despite the lawful holder having
exercised reasonable diligence, the
Department will consider the facts and
circumstances and make a
determination as to whether the
disclosure of part 2 records warrants an
enforcement action against the lawful
holder. This would include considering
application of the ‘‘did not know’’
culpability tier for such violations.103
Comment
A health information management
association remarked that covered
entities, lawful holders, and other
recipients of SUD PHI are obligated to
be aware of what information is being
disclosed prior to disclosing it. Law
enforcement requests for information
103 See 45 CFR 160.404 (b)(2)(i) (the entity ‘‘did
not know and, by exercising reasonable diligence,
would not have known that [they] violated such
provision[.]’’). See also Social Security Act,
sections 1176 and 1177.
should be clear to prevent inadvertent
disclosures. According to the
commenter, a court order, subpoena, or
patient ‘‘authorization’’ should be
necessary before obtaining SUD
information. Under 45 CFR 164.512(e), the
criteria required for a valid court order
and/or subpoena protect the SUD PHI.
Disclosing SUD information before the
correct protections are in place could
result in the SUD information becoming
discoverable through the Freedom of
Information Act (FOIA).104 In addition,
once the information is disclosed the
recipients cannot unsee or unknow the
information, nor are mechanisms in
place to properly return or destroy the
information.
Response
Part 2, subpart E, requirements are
distinct from the HIPAA Privacy Rule
requirements at 45 CFR 164.512(e). We
agree that it is important to engage with
patients and patient organizations to
ensure part 2 continues to bolster
patient privacy and access to SUD
treatment. SAMHSA provides funding
to support the Center of Excellence for
Protected Health Information Related to
Behavioral Health 105 which does not
provide legal advice but can help
answer questions from providers and
family members about HIPAA, part 2,
and other behavioral health privacy
requirements. The required report to the
Secretary in § 2.68 will help the
Department monitor investigations and
prosecutions involving part 2 records.
While in theory FOIA or similar state
laws could apply to mistakenly released
information, FOIA includes several
exemptions and exclusions that could
apply to withhold information from
release in response to a request for such
information, including FOIA
Exemptions 3 (requires the withholding
of information prohibited from
disclosure by another Federal statute), 6
(protects certain information about an
individual when disclosure would
constitute a clearly unwarranted
invasion of personal privacy), and 7
(protects certain records or information
compiled for law enforcement
purposes).106 State health privacy laws
or freedom of information laws may
contain similar exemptions.107
104 Public Law 89–487, 80 Stat. 250 (July 4, 1966)
(originally codified at 5 U.S.C. 1002; codified at 5
U.S.C. 552).
105 See The Ctr. of Excellence for Protected Health
Info., ‘‘About COE PHI,’’ https://coephi.org/aboutcoe-phi/.
106 5 U.S.C. 552(b)(3), (b)(6) & (b)(7).
107 See, e.g., National Freedom of Info. Coal.,
‘‘State Freedom of Information Laws,’’ https://
www.nfoic.org/state-freedom-of-information-laws/
and Seyfarth Shaw LLP, ‘‘50-State Survey of Health
Care Information Privacy Laws’’ (July 15, 2021),
Final Rule
We are finalizing § 2.3(b) with the
additional modifications discussed
above in response to public comments
and reorganizing for clarity. This final
rule strengthens the safe harbor’s
proposed reasonable diligence
requirements in response to public
comments that the proposed steps
would be insufficient and provides that
all of the specified actions must be
initiated for the limitation on liability to
apply. We clarify here that if any of the
actions taken results in knowledge that
a program or person holding records is
subject to part 2, no further steps are
required to further confirm that the
program or person holding records is
subject to part 2.
Section 2.3(c) Applying the HIPAA
Enforcement Rule to Part 2 Violations
Proposed Rule
Proposed § 2.3(c) stated that the
HIPAA Enforcement Rule shall apply to
violations of part 2 in the same manner
as they apply to covered entities and
business associates for violations of part
C of title XI of the Social Security Act
and its implementing regulations with
respect to PHI.108 109
Comment
A state agency stated its view that if
§ 2.3(c) applies the various sanctions of
HIPAA to part 2 programs regardless of
whether the program is a HIPAA
covered entity or business associate, the
need to retain QSOs for part 2 programs
that are not covered entities seems to be
eliminated.
Response
We disagree that including this
section obviates the need for QSOs,
which we discuss below in § 2.11.
Final Rule
We are finalizing § 2.3(c) with
modifications changing references to
‘‘violations’’ to ‘‘noncompliance.’’ This
minor change recognizes that the
provisions of the HIPAA Enforcement
Rule address not only penalties based
on formal findings of violations but also
https://www.seyfarth.com/news-insights/50-statesurvey-of-health-care-information-privacylaws.html.
108 See 45 CFR part 160, subpart C (Compliance
and Investigations), D (Imposition of Civil Money
Penalties), and E (Procedures for Hearings). See also
sec. 13410 of the HITECH Act (codified at 42 U.S.C.
17929).
109 This proposal would implement the required
statutory framework establishing that civil and
criminal penalties apply to violations of this part,
as the Secretary exercises only civil enforcement
authority. The DOJ has authority to impose criminal
penalties where applicable. See 68 FR 18895, 18896
(Apr. 17, 2003).
many other aspects of the enforcement
process, including procedures for
receiving complaints and conducting
investigations into alleged or potential
noncompliance, which could result in
informal resolution without a formal
finding of a violation.
Section 2.4—Complaints of
Noncompliance
Proposed Rule
The Department proposed to change
the existing language of paragraphs (a)
and (b) of § 2.4 which provide that
reports of violations of the part 2
regulations may be directed to the U.S.
Attorney for the judicial district in
which the violation occurs and reports
of any violation by an OTP may be
directed to the U.S. Attorney and also to
SAMHSA. Section 290dd–2(f) of 42
U.S.C., as amended by section 3221(f) of
the CARES Act, grants civil enforcement
authority to the Department, which
currently exercises its HIPAA
enforcement authority under section
1176 of the Social Security Act in
accordance with the HIPAA
Enforcement Rule. To implement these
changes, the Department proposed to retitle the heading to this section by
replacing ‘‘Reports of violations’’ with
‘‘Complaints of noncompliance,’’ and to
replace the existing provisions about
directing reports of part 2 violations to
the U.S. Attorney’s Office and to
SAMHSA with provisions about
directing complaints of potential
violations to a part 2 program. The
Department noted that SAMHSA
continues to oversee OTP accreditation
and certification and therefore may
receive reports of alleged violations by
OTPs of Federal opioid treatment
standards, including privacy and
confidentiality requirements.
The Department proposed to add
§ 2.4(a) to require a part 2 program to
have a process to receive complaints
concerning a program’s compliance
with the part 2 regulations. Proposed
§ 2.4(b) provided that a part 2 program
may not intimidate, threaten, coerce,
discriminate against, or take other
retaliatory action against any patient for
the exercise of any right established, or
for participation in any process
provided for in part 2, including the
filing of a complaint. The Department
also proposed to add § 2.4(c) to prohibit
a part 2 program from requiring patients
to waive their right to file a complaint
as a condition of the provision of
treatment, payment, enrollment, or
eligibility for any program subject to
part 2.
Comment
Commenters generally supported the
Department’s proposal to establish a
complaint process under § 2.4 that
aligns with HIPAA and ensures part 2
programs would not retaliate against
patients who filed a complaint or
condition treatment or receipt of
services on a patient’s waiving any
rights to file a complaint. Commenters
advocated for part 2 patients being
protected against potential
discrimination, such as job loss, that
may occur following improper
disclosures of their treatment records.
They further suggested that this
provision aligns with the HIPAA
Privacy Rule and thus will help to
reduce administrative burdens. For
example, covered entities can use their
existing Privacy Offices and processes to
oversee both part 2 and HIPAA
compliance. Commenters also believed
that application of the HIPAA Breach
Notification Rule and the HIPAA
Enforcement Rule will further help to
protect part 2 patients. Additionally,
commenters supported the inclusion of
business associates and covered entities
within the scope of this section.
Response
We appreciate the comments for the
proposed changes to align part 2 with
HIPAA Privacy Rule provisions
concerning complaints. Patients with
SUD continue to experience the effects
of stigma and discrimination, one
reason why privacy protections as
established in this regulation remain
important.110 We agree that aligning
part 2 and HIPAA requirements may
reduce administrative burdens.
Comment
One commenter expressed concern
about enhanced penalties, which it
characterized as potentially punitive
and best reserved for those who fail to
exercise due diligence. Such penalties
may deter part 2 programs from sharing
part 2 information, this commenter
asserted. Other commenters similarly
noted what they viewed as potential
110 See, e.g., Lars Garpenhag, Disa Dahlman,
‘‘Perceived healthcare stigma among patients in
opioid substitution treatment: a qualitative study,’’
Substance Abuse Treatment, Prevention, and Policy
(Oct. 26, 2021), https://pubmed.ncbi.nlm.nih.gov/
34702338/; Janet Zwick, Hannah Appleseth,
Stephan Arndt, ‘‘Stigma: how it affects the
substance use disorder patient,’’ Substance Abuse
Treatment, Prevention, and Policy (July 27, 2020),
https://pubmed.ncbi.nlm.nih.gov/32718328/;
Richard Bottner, Christopher Moriates and Matthew
Stefanko, ‘‘Stigma is killing people with substance
use disorders. Health care providers need to rid
themselves of it,’’ STAT News (Oct. 2, 2020),
https://www.statnews.com/2020/10/02/stigma-iskilling-people-with-substance-use-disorders-healthcare-providers-need-to-rid-themselves-of-it/.
deterrent effects of penalties provided
for in this regulation on information
sharing. A commenter urged reduced
penalties for unintentional disclosures
by part 2 programs as they may require
time and assistance to comply with
these regulations. Another commenter
urged that clinicians should not be held
liable for unintentional disclosures of
part 2 records by part 2 programs which
may need additional time and technical
assistance to comply with these updated
regulations in accordance with this
regulation.
By contrast, another commenter urged
strict enforcement of this provision
including penalties for both negligent
and intentional breaches. The
commenter recommended enforcement
by states’ attorneys general and a private
right of action for complainants under
part 2 if states’ attorneys general do not
pursue enforcement.
Response
Existing part 2 language imposes a
criminal penalty for violations.111
Section 3221(f) of the CARES Act
(codified at 42 U.S.C. 290dd–2(f))
requires the Department to apply the
provisions of sections 1176 and 1177 of
the Social Security Act to a part 2
program for a violation of 42 CFR part
2 in the same manner as they apply to
a covered entity for a violation of part
C of title XI of the Social Security Act.
Accordingly, the Department proposed
to replace title 18 U.S.C. criminal
enforcement in the current regulation
with civil and criminal penalties under
sections 1176 and 1177 of the Social
Security Act (42 U.S.C. 1320d–5,
1320d–6), respectively, as implemented
in the HIPAA Enforcement Rule.112
Under the HIPAA Enforcement Rule,
criminal violations fall within the
purview of DOJ. Historically,
commenters have noted that
enforcement of penalties concerning
alleged part 2 violations has been
limited.113 By aligning part 2
requirements in this final rule with
current HIPAA provisions, part 2
programs now will be subject to an
enforcement approach that is consistent
with that for HIPAA-regulated health
111 42 CFR 2.3 (Criminal penalty for violation).
112 HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E.
113 See Kimberly Johnson, ‘‘COVID–19: Isolating
the Problems in Privacy Protection for Individuals
with Substance Use Disorder,’’ University of
Chicago Legal Forum (May 1, 2021),
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3837955;
Substance Abuse and Mental Health
Servs. Admin., ‘‘Substance Abuse Confidentiality
Regulations; Frequently Asked Questions’’ (July 24,
2023), https://www.samhsa.gov/about-us/who-weare/laws-regulations/confidentiality-regulationsfaqs.
care providers, thereby reducing
administrative burdens for part 2
programs that are also HIPAA-covered
entities. As some commenters
suggested, this will also enable staff
within HIPAA and part 2-regulated
entities to more effectively collaborate
given additional alignment of part 2 and
HIPAA regulatory provisions.
Therefore, it is unlikely that part 2
programs will experience an adverse
impact beyond that which in general
applies to covered entities under
HIPAA. As the Department has
explained elsewhere, alleged
unintentional violations are often
resolved with covered entities through
voluntary compliance or corrective
action.114
Knowing or intentional violations of
HIPAA may be referred to DOJ for a
criminal investigation. As noted in the
NPRM, criminal penalties may be
imposed by DOJ for certain violations
under 42 U.S.C. 1320d–6. After
publication of this final rule, the
Department may provide additional
guidance specific to part 2; however, we
anticipate that many entities now will
be more comfortable appropriately
sharing information and developing
plans to mitigate risks of part 2 and
HIPAA violations because the HIPAA
and part 2 complaint provisions are now
better aligned.115
Section 1176 of the Social Security
Act, (codified at 42 U.S.C. 1320d–5),
also provides for enforcement by states’
attorneys general in the form of a civil
action. The reference to this statutory
provision in § 2.3 encompasses this
avenue of enforcement.
Although the HIPAA and HITECH
penalties do not provide a private right
of action for privacy violations, as
discussed elsewhere in this preamble, in
this final rule we provide a right for a
person to file a complaint to the
Secretary for an alleged violation by a
part 2 program, covered entity, business
associate, qualified service organization,
or other lawful holder of part 2 records.
While a person may file a complaint to
the Secretary, part 2 programs also must
establish a process for the program to
directly receive complaints. The right to
file a complaint directly with the
Secretary for an alleged violation is
analogous to a similar provision within
the HIPAA Privacy Rule.116 Although
114 See ‘‘Enforcement Process,’’ supra note 99;
HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E.
115 See U.S. Dep’t of Health and Human Servs.,
‘‘Guidance on Risk Analysis,’’ (July 22, 2019),
https://www.hhs.gov/hipaa/for-professionals/
security/guidance/guidance-risk-analysis/
index.html.
116 45 CFR 160.306.
the right to file a complaint to the
Secretary for an alleged violation of part
2 was not included in the proposed text
of § 2.4, it was included in the required
statements for the Patient Notice.
Adding the language to § 2.4 is a logical
outgrowth of the NPRM and a response
to public comments received.
Comment
One commenter asked for a
clarification of what is considered an
‘‘adverse action’’ for the purposes of this
section. Other commenters requested
clarification from the Department that
acting on a complaint that was held in
abeyance after a patient exercises their
right to withdraw consent would not be
viewed as retaliation.
Response
In the NPRM the Department referred
to a prohibition on ‘‘taking adverse
action against patients who file
complaints.’’ This prohibition is broadly
similar to that which exists within
HIPAA in 45 CFR 160.316 and 164.530.
The Department has described ‘‘adverse
actions’’ as those that may constitute
intimidation or retaliation, such as
suspending someone’s participation in a
program.117 We are not clear what the
commenter means in referring to taking
action on a complaint that was held in
abeyance after a patient exercises their
right to withdraw consent not being
viewed as retaliation. However, a
complaint can be withdrawn by the
filer.118 Health care entities can likewise
take steps to investigate complaints
internally and OCR has developed tools
and resources to support HIPAA
compliance.119
Comment
Several commenters, including legal
and SUD recovery advocacy
organizations, urged the Department to
include in the final rule provisions
permitting a patient to complain
directly to OCR or the Secretary,
paralleling provisions in HIPAA.
Another commenter asked about
obligations of entities, such as medical
licensing boards and physician health
programs, and how a patient would
report alleged violations by those
entities.
117 70 FR 20224, 20230 (Apr. 18, 2005); 71 FR
8389, 8399 (Feb. 16, 2006).
118 See U.S. Dep’t of Health and Human Servs.,
‘‘Enforcement Highlights’’ (July 6, 2023),
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
119 See U.S. Dep’t of Health and Human Servs.,
‘‘HIPAA Enforcement’’ (July 25, 2017),
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/.
Response
In response to public comments, we
are adding a new provision to § 2.4 in
this final rule to permit a person to file
a complaint to the Secretary for a
violation of this part by, among others,
a lawful holder of part 2 records in the
same manner as a person may file a
complaint under 45 CFR 160.203 for a
HIPAA violation. Specifically, we
provide in § 2.4(b) that ‘‘[a] person may
file a complaint to the Secretary for a
violation of this part by a part 2
program, covered entity, business
associate, qualified service organization,
or other lawful holder’’ in the same
manner as under HIPAA (45 CFR
160.306). By making this change, we are
aligning part 2 with HIPAA and
ensuring an adequate mechanism for
review and disposition of complaints
related to alleged part 2 violations. We
are also adding a regulatory definition of
lawful holder in this final rule at § 2.11.
The Department will provide
information about how to file
complaints of alleged part 2 violations
before the compliance date for the final
rule.
Comment
A commenter asked whether the state,
agency, or disclosing person would be
penalized for a violation that results in
the impermissible disclosure of records
subject to HIPAA or part 2.
Response
Whether a party subject to part 2 is
held accountable for a particular
violation will depend on the facts and
circumstances of the case. The
Department has explained elsewhere
that it will attempt to resolve
enforcement actions through voluntary
compliance, corrective action, and/or a
resolution agreement, and we anticipate
that applying the HIPAA Enforcement
Rule framework to part 2 will have
similar results.120 Further, lawful
holders are prohibited from using and
disclosing records in proceedings
against a patient absent written consent
or a court order. In the case of an
improper disclosure by a part 2 program
employee, the part 2 program would
likely be provided with notice of an
investigation and the investigator would
review whether the program had
policies and procedures in place and
whether those were followed in its
handling of the improper disclosure. An
entity’s compliance officer can help
ensure breaches are properly
investigated and reported to the
120 See ‘‘How OCR Enforces the HIPAA Privacy &
Security Rules,’’ supra note 97.
Department,121 and has responsibilities
to develop and implement a compliance
plan.
Comment
A commenter asked for clarification
that penalties would not be
concurrently imposed under both
HIPAA and part 2 for the same alleged
violation(s).
Response
HIPAA and part 2 regulations stem
from different statutory authorities and
are different compliance regulations.
With the CARES Act, Congress replaced
the previous criminal penalties
established for part 2 violations with a
civil and criminal penalty structure
imported from HITECH. Nothing in the
CARES Act states that an entity that is
subject to both regulatory schemes shall
be subject to only one regulation or one
regulation’s penalties. Therefore, an
entity potentially remains subject to
both regulations, including their
provisions on penalties for violations.
What penalties could or would be
imposed by the Department in a
particular case, and under which
statutes or regulations (HIPAA, HITECH,
part 2, other regulations), remains a fact-specific inquiry. State law provisions
also may apply concurrently with some
part 2 and HIPAA requirements.122
Additionally, some aspects of part 2 or
HIPAA violations may fall within the
jurisdiction of other agencies such as
SAMHSA (which continues to oversee
accreditation of OTPs).123
Comment
One commenter noted that some
covered entities may not be part 2
121 See ‘‘What are the Duties of a HIPAA
Compliance Officer?’’ The HIPAA Journal,
https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/;
U.S. Dep’t of Health and Human Servs., ‘‘The HIPAA Privacy Rule’’,
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html;
U.S. Dep’t of Health and Human Servs.,
‘‘Submitting Notice of a Breach to the Secretary’’ (Feb. 27, 2023),
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html;
U.S. Dep’t of Health and Human Servs., ‘‘Training Materials’’,
https://www.hhs.gov/hipaa/for-professionals/training/.
122 See The Off. of the Nat’l Coordinator for
Health Info. Techn. (ONC), ‘‘HIPAA versus State
Laws’’ (Sept. 5, 2017),
https://www.healthit.gov/topic/hipaa-versus-state-laws;
Nat’l Ass’n of State
Mental Health Program Dirs., ‘‘TAC Assessment
Working Paper: 2016 Compilation of State
Behavioral Health Patient Treatment Privacy and
Disclosure Laws and Regulations,’’ (2016)
https://www.nasmhpd.org/content/tac-assessment-working-paper-2016-compilation-state-behavioral-health-patient-treatment.
123 See Substance Abuse and Mental Health
Servs. Admin., ‘‘Certification of Opioid Treatment
Programs (OTPs)’’ (July 24, 2023),
https://www.samhsa.gov/medications-substance-use-disorders/become-accredited-opioid-treatment-program.
providers and urged HHS to ease the
burden on such programs. Another
urged that business associates be
included within the scope of this
section.
Response
We provide in § 2.4(b) that ‘‘[a] person
may file a complaint to the Secretary for
a violation of this part by a part 2
program, covered entity, business
associate, qualified service organization,
or other lawful holder in the same
manner as a person may file a complaint
under 45 CFR 160.306 for a violation of
the administrative simplification
provisions of the Health Insurance
Portability and Accountability Act
(HIPAA) of 1996.’’ Thus, covered
entities and business associates are
included within the scope of this
section. The compliance burdens for
covered entities of receiving part 2
complaints can be minimized by using
the same process they already have in
place for receiving HIPAA complaints.
Comment
Commenters provided their views as
to which agency or agencies should
receive part 2-related complaints. One
commenter requested that the regulation
expressly identify the agency(ies)
authorized to receive part 2 complaints
from patients. The commenter suggested
that complaints made to part 2 programs
by patients can raise conflict of interest
issues because the program is
investigating its own or its staff’s alleged
misconduct. The commenter further
urged that the regulation identify
specific agencies, such as OCR and
SAMHSA, and state their obligation to
investigate complaints received. Other
commenters urged that OCR, rather than
part 2 programs, receive complaints,
that patients be permitted to complain
directly of violations to OCR or that the
Department clarify the various roles of
OCR, SAMHSA, and other agencies.
One commenter supported part 2
programs having a process to receive
complaints but said these programs are
understaffed and underfunded so they
would need additional resources. A
health system that is a part 2 program
and a covered entity also supported part
2 programs developing a process to
receive complaints. A county health
department asked that § 2.4 be amended
to include specific provisions about
how and where patients can file their
complaints with the HHS Secretary and
the roles of HHS components in
receiving and investigating complaints.
Response
In response to public comments, and
as provided in the HIPAA regulations,
we are finalizing an additional
modification to § 2.4 that was not
included in this section but was
proposed as a required statement of
rights in the Patient Notice in
§ 2.22(b)(1)(vi). The intent of the
enforcement provisions in § 2.4 was to
create a process that mirrors that for
HIPAA violations, but the Department
inadvertently omitted from its proposed
changes to this section an express right
to complain to the Secretary. Analogous
to 45 CFR 160.306, which permits the
submission of complaints to the
Secretary alleging noncompliance by
covered entities with the HIPAA Privacy
Rule,124 we are providing in this final
rule a right for a person to file a
complaint to the Secretary for an alleged
violation by a part 2 program, covered
entity, business associate, qualified
service organization, and other lawful
holder of part 2 records. Part 2 programs
also must establish a process for the
program to receive complaints. A
patient is not obliged to report an
alleged violation either to the Secretary
or part 2 program but may report to
either or both. OCR has explained how
HIPAA complaints are investigated,
which may be instructive, but is not
dispositive of how part 2 complaints
will be handled.125 We believe our
changes are a logical outgrowth of the
NPRM which provided an opportunity
for public input and we are making
these changes in response to public
comments received. We also anticipate
releasing information about the specific
complaint process after publication of
this final rule.
Comment
A commenter urged that the
complaint process reflect the needs of
those with limited English proficiency.
Response
Part 2 programs should be mindful
that Federal civil rights laws require
certain entities, including recipients of
Federal financial assistance and public
entities, to take appropriate steps. For
instance, such entities must take steps
to ensure that communications with
individuals with disabilities are as
124 See U.S. Dep’t of Health and Human Servs.,
‘‘Federal Register Notice of Addresses for
Submission of HIPAA Health Information Privacy
Complaints’’ (June 8, 2020),
https://www.hhs.gov/guidance/document/federal-register-notice-addresses-submission-hipaa-health-information-privacy-complaints;
U.S. Dep’t of Health and
Human Servs., ‘‘Filing a Complaint’’ (Mar. 31,
2020), https://www.hhs.gov/hipaa/filing-a-complaint/.
125 See U.S. Dep’t of Health and Human Servs.,
‘‘How to File a Health Information Privacy or
Security Complaint’’ (Dec. 23, 2022),
https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/.
effective as communications with
others, including by providing
appropriate auxiliary aids and services
where necessary.126 In addition,
recipients of Federal financial assistance
must take reasonable steps to ensure
meaningful access to their programs and
activities for individuals with limited
English proficiency, including through
language assistance services when
necessary.127 The Department stated in
the 2017 Part 2 Final Rule that materials
such as consent forms ‘‘should be
written clearly so that the patient can
easily understand the form.’’ 128 The
Department further stated that it
‘‘encourages part 2 programs to be
sensitive to the cultural and linguistic
composition of their patient population
when considering whether the consent
form should also be provided in a
language(s) other than English (e.g.,
Spanish).’’ 129 Consistent with these
legal requirements, the Department
strongly encourages development of
§ 2.4 materials that are clear and reflect
the needs of a program’s patient
population.
Comment
Another commenter remarked that
some covered entities may need
technical assistance from the
Department to establish complaint
processes under this section.
Response
The Department has existing materials
to support compliance with HIPAA and
part 2.130 SAMHSA supports a Center of
Excellence for Protected Health
Information Related to Behavioral
Health that may provide educational
126 See e.g., U.S. Dep’t of Health and Human
Servs., ‘‘Effective Communication for Persons Who
Are Deaf or Hard of Hearing’’ (June 16, 2017),
https://www.hhs.gov/civil-rights/for-individuals/
disability/effective-communication/; U.S.
Dep’t of Health and Human Servs., ‘‘Section 1557:
Ensuring Effective Communication with and
Accessibility for Individuals with Disabilities’’
(Aug. 25, 2016), https://www.hhs.gov/civil-rights/
for-individuals/section-1557/fs-disability/
index.html.
127 See U.S. Dep’t of Health and Human Servs.,
‘‘Guidance to Federal Financial Assistance
Recipients Regarding Title VI Prohibition Against
National Origin Discrimination Affecting Limited
English Proficient Persons’’ (July 26, 2013),
https://www.hhs.gov/civil-rights/for-individuals/special-topics/limited-english-proficiency/guidance-federal-financial-assistance-recipients-title-vi/;
U.S. Dep’t of Health and Human Servs., ‘‘Section
1557: Ensuring Meaningful Access for Individuals
with Limited English Proficiency’’ (Aug. 25, 2016),
https://www.hhs.gov/civil-rights/for-individuals/
section-1557/fs-limited-english-proficiency/
index.html.
128 82 FR 6052, 6077.
129 Id.
130 See ‘‘How OCR Enforces the HIPAA Privacy &
Security Rules,’’ supra note 97; ‘‘Substance Abuse
Confidentiality Regulations; Frequently Asked
Questions,’’ supra note 113.
materials and technical assistance to
providers, patients, family members,
and others.131 The Department will
consider what additional guidance,
technical assistance, and engagement on
these issues may be helpful for covered
entities and the public after this
regulation is finalized.
Comment
Other commenters emphasized that
the Department may need additional
funding and staff adequate to receive
and investigate complaints and enforce
these provisions. Another commenter
similarly suggested that part 2 programs
may need more resources to develop a
complaint process, describing this as a
‘‘substantial burden’’ given part 2
program staff and funding challenges.
Response
With respect to the burden on
programs to develop a complaint
process, we believe that the two-year
compliance timeline will provide
programs with sufficient time to plan for
complaint management. We have
accounted for the burden associated
with complaints in the RIA. The
Department has requested that Congress
provide additional funding to support
part 2 compliance, enforcement, and
other activities.132 OCR, SAMHSA,
CMS, and the Office of the National
Coordinator for Health Information
Technology (ONC) have and will
continue to collaborate to support EHRs
and health IT within the behavioral
health space.133
Comment
Another commenter believed that
programs may need time and support to
adapt their information technology and
EHRs, and urged SAMHSA to work with
ONC to support such efforts.
Response
The Department has estimated the
cost to the Department to implement
this final rule and enforce part 2 and has
included that in the RIA. It has also
requested additional funding to support
compliance, enforcement, and other
activities.134 The number of part 2
programs in relation to HIPAA covered
entities and business associates is very
131 See ‘‘About COE PHI,’’ supra note 105.
132 See U.S. Dep’t of Health and Human Servs.,
‘‘Department of Health and Human Services, Fiscal
Year 2024,’’ FY 2024 Budget Justification, General
Department Management, Office for Civil Rights, at
255, https://www.hhs.gov/sites/default/files/fy2024-gdm-cj.pdf.
133 Id. See also, The Off. of the Nat’l Coordinator
for Health Info. Tech. (ONC), ‘‘Behavioral Health,’’
https://www.healthit.gov/topic/behavioral-health.
134 See ‘‘Department of Health and Human
Services, Fiscal Year 2024,’’ supra note 132.
small, so the costs will not rise to the
same level as for HIPAA
implementation efforts. OCR, SAMHSA,
CMS, and ONC have collaborated and
will continue to collaborate to support
EHRs and health IT within the
behavioral health space.135
Final Rule
We are finalizing this section as
proposed in the NPRM and further
modifying it by adding a new paragraph
that provides a patient right to file a
complaint directly with the Secretary
for violations of part 2 by programs,
covered entities, business associates,
qualified service organizations, and
other lawful holders.
As noted in the NPRM, these changes
to § 2.4 will align part 2 with HIPAA
Privacy Rule provisions concerning
complaints. Section 2.4(a) is consistent
with the administrative requirements in
45 CFR 164.530(d) (Standard:
Complaints to the covered entity).
Proposed § 2.4(c) would align with the
HIPAA Privacy Rule provision at 45
CFR 164.530(g) (Standard: Refraining
from intimidating or retaliatory acts).
The proposed § 2.4(d) would be
consistent with the HIPAA Privacy Rule
provision at 45 CFR 164.530(h)
(Standard: Waiver of rights). Thus, part
2 programs that are also covered entities
already have these administrative
requirements in place, but programs that
are not covered entities would need to
adopt new policies and procedures.
Section 2.11—Definitions
Proposed Rule
Section 2.11 includes definitions for
key regulatory terms in 42 CFR part 2.
The Department proposed to add
thirteen defined regulatory terms and
modify the definitions of ten existing
terms. Nine of the new regulatory
definitions proposed for incorporation
into part 2 were required by section
3221(d) of the CARES Act: ‘‘Breach,’’
‘‘Business associate,’’ ‘‘Covered entity,’’
‘‘Health care operations,’’ ‘‘HIPAA
regulations,’’ ‘‘Payment,’’ ‘‘Public health
authority,’’ ‘‘Treatment,’’ and
‘‘Unsecured protected health
information.’’ In each case, 42 U.S.C.
290dd–2(k), as amended by section
3221(d), requires that each term ‘‘has
the same meaning given such term for
purposes of the HIPAA regulations.’’ 136
Other proposed new or modified
definitions included: ‘‘Informant,’’
135 See ‘‘Behavioral Health,’’ supra note 133.
136 Section 3221(k) para. 5 incorporates the term
HIPAA regulations and reads: ‘‘The term ‘HIPAA
regulations’ has the same meaning given such term
for purposes of parts 160 and 164 of title 45, Code
of Federal Regulations.’’
‘‘Intermediary,’’ ‘‘Investigative agency,’’
‘‘Part 2 program director,’’ ‘‘Patient,’’
‘‘Person,’’ ‘‘Program,’’ ‘‘Qualified service
organization,’’ ‘‘Records,’’ ‘‘Third-party
payer,’’ ‘‘Treating provider
relationship,’’ ‘‘Unsecured record,’’ and
‘‘Use.’’ Some of these terms and
definitions were proposed by either
referencing existing HIPAA regulatory
terms in 45 CFR parts 160 and 164 in
part based on changes required by the
CARES Act. We also proposed changes
for clarity and consistency in usage
between the HIPAA and part 2
regulations and to operationalize other
changes proposed in the NPRM.
In addition, the Department discussed
three definitions—for ‘‘Lawful holder,’’
‘‘Personal representative,’’ and ‘‘SUD
counseling notes’’—in requests for
comments. The Department proposed
each definition because it believed the
definitions improve alignment of this
regulation with HIPAA and support
implementation efforts.
Further, we are finalizing a modified
definition of ‘‘Patient identifying
information’’ as an outgrowth of
changes to the standard for de-identification of records in §§ 2.16, 2.52,
and 2.54 that are being finalized in
response to comments in the NPRM.
General Comment
Several commenters, including large
provider organizations, health systems,
and an employee benefits association,
expressed general support for the
Department’s approach to aligning the
definitions for terms that would appear
in both HIPAA and part 2. One large
provider organization specifically
commented that alignment of
definitions within HIPAA and part 2
would reduce administrative burden for
covered entities and part 2 providers by
eliminating inconsistent terminology,
duplicative policies (including
overlapping workforce training
requirements), and regulatory risk due
to misinterpretation. An academic
medical center recommended that the
Department compare and incorporate
any HIPAA definition, in their entirety,
as applicable to part 2 programs which
are also HIPAA covered entities.
General Response
We appreciate the comments. The
Department undertook a careful analysis
of definitions that, if incorporated,
would result in the further alignment of
this regulation with HIPAA, or that are
required to operationalize required
amendments to the regulations.
Responses to specific comments about
each proposed definition are discussed
below.
Breach
Section 290dd–2(k), as added by the
CARES Act, required the Department to
adopt the term ‘‘breach’’ in part 2 by
reference to the definition in 45 CFR
164.402 of the HIPAA Breach
Notification Rule. HIPAA defines
‘‘breach’’ as ‘‘the acquisition, access,
use, or disclosure of protected health
information in a manner not permitted
under subpart E which compromises the
security or privacy of the protected
health information.’’ HIPAA also
describes the circumstances that are
considered a ‘‘breach’’ and explains that
a breach is presumed to have occurred
when an ‘‘acquisition, access, use, or
disclosure’’ of PHI occurs in a manner
not permitted under the HIPAA Privacy
Rule unless a risk assessment shows a
low probability that health information
has been compromised.137 To
implement section 290dd–2(j) added by
section 3221(h) of the CARES Act,
which requires notification in case of a
breach of part 2 records, we reference
and incorporate the HIPAA breach
notification provisions.
Comment
One legal services commenter
requested clarification on the term
‘‘breach’’ and suggested that the
Department amend the definition to
expressly refer to the misuse of records
in a manner not permitted under 42 CFR
part 2 and that compromises the
security or privacy of the part 2 record,
instead of referring to PHI. A medical
professionals association questioned
whether the term ‘‘breach’’ could
properly be applied to lawful holders,
but this comment and other comments
related to the application of breach
notification provisions to lawful holders
are addressed in the description of
comments for § 2.16.
Response
We understand the request to
expressly refer to part 2 records instead
of PHI, but as explained above, we are
applying the statutory definition that
adopts the definition of ‘‘breach’’ in this
regulation by reference to the HIPAA
provision. We believe the discussion
above makes clear that the definition
should be applied to records under part
2 instead of PHI under HIPAA, and we
further clarify that breach includes use
and disclosure of part 2 records in a
manner that is not permitted by part 2.
Final Rule
The final rule adopts the proposed
definition of ‘‘breach’’ without
modification.
Business Associate
Consistent with 42 U.S.C. 290dd–2(k),
the Department proposed to adopt the
same meaning of ‘‘business associate’’ as
is used in the HIPAA regulations by
incorporating the HIPAA definition
codified at 45 CFR 160.103. Within
HIPAA, a ‘‘business associate’’ generally
describes a person who, for or on behalf
of a covered entity and other than a
workforce member of the covered entity,
creates, receives, maintains, or transmits
PHI for a function or activity regulated
by HIPAA, or who provides services to
the covered entity involving the
disclosure of PHI from the covered
entity or from another business
associate of the covered entity to the
person.138
Comment
The Department received only
supportive comments for its proposed
adoption of the term ‘‘business
associate’’ into part 2 and the proposed
definition, as described above. In
contrast, many commenters expressed
concern about the Department’s
proposal to incorporate business
associates into the definition of
‘‘Qualified service organization’’ or how
business associates relate to the
proposed term ‘‘Intermediary,’’ and
those comments are discussed in
applicable definitional sections below.
Response
We appreciate the comments.
Final Rule
The final rule adopts the proposed
definition of ‘‘business associate’’
without modification.
Covered Entity
Consistent with 42 U.S.C. 290dd–2(k),
the Department proposed to adopt the
same meaning of the term ‘‘Covered
entity’’ as is used in the HIPAA
regulations by incorporating the HIPAA
definition codified at 45 CFR 160.103.
Within HIPAA a ‘‘covered entity’’
means: (1) a health plan; (2) a health
care clearinghouse; or (3) a health care
provider who transmits any health
information in electronic form in
connection with a transaction covered
by subchapter C of HIPAA,
Administrative Data Standards and
Related Requirements.
Comment
A large hospital system commented
that it supported the inclusion of
‘‘health plan’’ as part of the definition
of ‘‘covered entity’’ asserting that it
would allow for more consistent sharing
of information with its own health plan
and for certain redisclosures of part 2
records in alignment with HIPAA.
Response
The HIPAA definition of ‘‘covered
entity’’ has long included health plans.
However, to the extent that the
commenter may be referring to the
narrowed definition of ‘‘third party
payer,’’ which excludes health plans
because they are already incorporated
within the HIPAA definition of covered
entities, we agree that the change could
have the effect described by the
commenter.
Final Rule
The final rule adopts the proposed
definition of ‘‘covered entity’’ without
modification.
Health Care Operations
Consistent with 42 U.S.C. 290dd–2(k),
the Department proposed to adopt the
same meaning of this term as is used in
the HIPAA regulations by incorporating
the HIPAA definition codified at 45 CFR
164.501. Within HIPAA, ‘‘health care
operations’’ refer to a set of specified
activities, described in six paragraphs,
that are conducted by covered entities
related to covered functions. Paragraphs
(1) through (6) generally refer to quality
assessment and improvement; assessing
professional competency or
qualifications; insurance; detecting and
addressing fraud and abuse and
conducting medical reviews; business
planning and development; and
business management and general
administrative activities.
Comment
A provider group specifically
supported adoption of the HIPAA
definition of the term ‘‘health care
operations’’ and its incorporation into
this regulation. A large health plan
recommended expanding the proposed
definition to include care coordination
and case management by health plans as
proposed by the Department in the 2021
HIPAA Privacy Rule NPRM.139 One
individual, commenting anonymously,
asserted that ‘‘public health’’ should be
recognized as a health care operation to
counter what it termed ‘‘legal activism’’
to re-define the term ‘‘life.’’
137 U.S. Dep’t of Health and Human Servs.,
‘‘Breach Notification Rule’’ (July 26, 2013),
https://www.hhs.gov/hipaa/for-professionals/breach-notification/.
138 U.S. Dep’t of Health and Human Servs.,
‘‘Business Associates’’ (May 24, 2019),
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/.
139 See Proposed Modifications to the HIPAA
Privacy Rule to Support, and Remove Barriers to,
Coordinated Care and Individual Engagement, 86
FR 6446, 6472 (Jan. 21, 2021).
Response
We appreciate the comments. The
Department also notes that changing the
HIPAA definition of ‘‘health care
operations’’ is outside the scope of its
authority for this rulemaking, and
public comments submitted in response
to the 2021 NPRM remain under
consideration.
Final Rule
The final rule adopts the proposed
definition of ‘‘health care operations’’
without modification.
HIPAA
Although not directed by statute, the
Department proposed to add a
definition of HIPAA that explicitly
references the Health Insurance
Portability and Accountability Act of
1996 as amended by the Privacy and
Security provisions in subtitle D of title
XIII of the 2009 HITECH Act. These
provisions pertain specifically to the
privacy, security, breach notification,
and enforcement standards governing
the use and disclosure of PHI, but
exclude other components of the HIPAA
statute, such as insurance portability,
and other HIPAA regulatory standards,
such as the standard electronic
transactions regulation. The Department
proposed this definition of ‘‘HIPAA’’ to
make clear the specific components of
the relevant statutes that would be
incorporated into this part.
Comment
The Department did not receive any
comments specific to its adoption of this
definition.
Final Rule
The final rule adopts the proposed
definition of ‘‘HIPAA’’ without
modification.
HIPAA Regulations
The current part 2 rule does not
define ‘‘HIPAA regulations.’’ Consistent
with 42 U.S.C. 290dd–2(k), the
Department proposed to adopt the same
meaning of this term as is purposed for
parts 160 and 164 of title 45 CFR, the
regulatory provisions that codify the
HIPAA Privacy, Security, Breach
Notification, and Enforcement
regulations (collectively referred to as
‘‘HIPAA regulations’’). For purposes of
this rulemaking, the term does not
include Standard Unique Identifiers,
Standard Electronic Transactions, and
Code Sets, 42 CFR part 162.
Comment
The Department did not receive any
specific comments, other than those
already discussed above, concerning its
proposed definition of this term.
Final Rule
The final rule adopts the proposed
definition of ‘‘HIPAA regulations’’
without modification.
Informant
Part 2 currently states that an
‘‘informant’’ means an individual: (1)
who is a patient or employee of a part
2 program or who becomes a patient or
employee of a part 2 program at the
request of a law enforcement agency or
official; and (2) who at the request of a
law enforcement agency or official
observes one or more patients or
employees of the part 2 program for the
purpose of reporting the information
obtained to the law enforcement agency
or official. Within the definition of
‘‘informant,’’ the Department proposed
to replace the term ‘‘individual’’ with
the term ‘‘person’’ as is used in the
HIPAA regulations. The Department
believes that this change will foster
alignment with HIPAA, avoid confusion
with the definition of individual in
HIPAA, and improve the public’s
understanding of HIPAA and the part 2
rules.
Comment
As noted below, the Department
received general support for its proposal
to align the definition of ‘‘person’’
within part 2 with the HIPAA definition
of ‘‘person’’ in 45 CFR 160.103. The
Department did not receive other
specific comments on ‘‘informant’’.
Final Rule
The final rule adopts the proposed
definition of ‘‘informant’’ without
modification.
Intermediary
The current rule imposes
requirements on intermediaries in
§ 2.13(d)(2) and special consent
provisions in § 2.31(a)(4) without
defining the term ‘‘intermediary.’’
Examples of an intermediary include,
but are not limited to, a HIE, a research
institution that is providing treatment,
an ACO, or a care management
organization. To improve understanding
of the requirements for intermediaries,
and to distinguish those requirements
from the proposed accounting of
disclosure requirements, the
Department proposed to establish a
definition of intermediary as ‘‘a person
who has received records, under a
general designation in a written patient
consent, for the purpose of disclosing
the records to one or more of its member
participants who has a treating provider
relationship with the patient.’’
Consistent with HIPAA’s definition of
‘‘person,’’ and as defined in this
regulation, an ‘‘intermediary’’ may
include entities as well as natural
persons. The requirements for
intermediaries were proposed to remain
unchanged but to be redesignated from
§ 2.13(d) (Lists of disclosures) to new
§ 2.24 (Requirements for
intermediaries).
Comment
Approximately half of the
commenters on intermediaries opposed
the Department’s proposal to define
intermediary and retain consent
requirements for disclosures to
intermediaries that differ from consent
for disclosures to business associates
generally. Three-fourths of the HIE/HIN
and health IT vendors that commented
on this set of proposals opposed them.
Several commenters, including a
national trade association and a leading
authority on the use of health IT, stated
that the proposed definition is too vague
and confusing.
Response
We appreciate these comments about
the lack of clarity in the current
understanding and proposed definition
of ‘‘intermediary.’’ As we stated in the
NPRM, the term ‘‘intermediary’’ is based
on the function of the person—receiving
records from a part 2 program and
disclosing them to other providers as a
key element of its role—rather than on
a title or category of an organization or
business. We agree that the interaction
of this term with ‘‘program,’’ ‘‘business
associate,’’ and ‘‘covered entity’’ is a
source of confusion and believe a
modified definition could address this
confusion.
Comment
Commenters suggested a range of
changes to the proposed definition.
These included revising the HIPAA
definition of ‘‘covered entity’’ to include
examples of the intermediaries and
removing the part 2 definition of
‘‘intermediary;’’ excluding the following
from the definition of intermediary:
business associates, health IT vendors,
and health plans; and clarifying what
types of HIEs or health IT vendors are
included in the definition (because
some HIE technology or EHR software
does not maintain data or have access to
it when exchanging data between
systems).
Response
We considered the possibility of
removing the part 2 definition of
‘‘intermediary’’ entirely; however, that
would leave a gap in privacy protection
for records that are disclosed to
intermediaries that are not subject to
HIPAA requirements. For example,
intermediaries may include research
institutions and care coordination
organizations that are not always subject
to HIPAA. We adopt the proposed
language of the definition with
modification: we exclude programs,
covered entities, and business
associates, in part because the primary
requirement of intermediaries—to
provide a list of disclosures upon
patient request—is similar to the new
accounting of disclosures requirements
that the CARES Act applied to part 2
programs and that already applies to
covered entities and business associates.
For clarification, we reiterate here that
a research institution that is not
providing treatment would not be
considered an intermediary because it
would not have member participants
with a treating provider relationship to
a patient. A health app that is providing
individual patients with access to their
records would not be considered an
intermediary unless it is also facilitating
the exchange of part 2 records from a
part 2 program to other treating
providers using a general designation in
a consent.
We also clarify that member
participants of an intermediary refers to
health care provider practices or health-related organizations, such as health
plans. The member participants of an
intermediary may or may not be covered
entities. Individual health plan
subscribers (i.e., enrollees, members of a
health plan) are not considered member
participants of an intermediary,
although they may access records
through an EHR, because they are not
providers or health-related
organizations. Further, employees of
providers or health-related
organizations who share access to the
same EHR system are not considered
member participants of an intermediary
because the employer as an entity is
considered the participant. However, an
HIE/HIN that is providing services to a
part 2 program that is not a covered
entity would be an intermediary (and
the HIE/HIN would also be a QSO).
Comment
An SUD provider recommended
modifying the proposed definition of
‘‘intermediary’’ to include ‘‘a member of
the intermediary named in the consent,’’
rather than limiting it to members of the
intermediary that have a treating
provider relationship with the patient.
Response
Expanding the definition of
‘‘intermediary’’ to include any member
participant would open the door to
accessing patients’ SUD records without
their specific knowledge in advance
(because the recipient would be in a
general designation within a consent).
Although the CARES Act expanded
health plans’ and other providers’
access to records for TPO, we do not
believe the intention was to remove all
restrictions on access by member
participants of a research institution, for
example. Removing programs, covered
entities, and business associates from
the definition carves out a significant
portion of entities that would otherwise
be subject to the intermediary
requirements so that it is not necessary
to change the definition as suggested by
the commenter.
Final Rule
We are adopting the proposed
definition of ‘‘intermediary,’’ but with
an exclusion for part 2 programs,
covered entities, and business
associates. We believe excluding
business associates, in particular, will
encourage HIEs to accept part 2 records
and include part 2 programs as
participants and reduce burdens on
business associates that serve as HIEs.
Investigative Agency
The Department proposed to create a
new definition of ‘‘investigative agency’’
to describe those government agencies
with responsibilities for investigating
and prosecuting part 2 programs and
persons holding part 2 records, such
that they would be required to comply
with subpart E when seeking to use or
disclose records against a part 2
program or lawful holder. In
conjunction with proposed changes to
subpart E pertaining to use and
disclosure of records for investigating
and prosecuting part 2 programs, the
Department proposed to define an
‘‘investigative agency’’ as ‘‘[a] state or
federal administrative, regulatory,
supervisory, investigative, law
enforcement, or prosecutorial agency
having jurisdiction over the activities of
a part 2 program or other person holding
part 2 records.’’ Such agencies
potentially will have available a new
limitation on liability under § 2.3 if they
unknowingly obtain part 2 records
before obtaining a court order for such
records, provided they meet certain
prerequisites.
Comment
Several commenters recommended
that local, territorial, and Tribal
investigative agencies be added to the
definition of ‘‘investigative agency’’
because they have a role in
investigations of part 2 programs. These
commenters asserted, for instance, that
local agencies play a role in
investigating or prosecuting part 2
programs or other holders of part 2
records and excluding them from the
definition could create an uneven
application of the law.
Response
We appreciate the feedback in
response to the request for comment on
whether other types of agencies should
be included in the definition of
‘‘investigative agency’’, and specifically
whether adding agencies that may be
smaller or less resourced would present
any concerns or unintended
consequences. We believe it is useful to
include local, Tribal, and territorial
agencies in the definition; however,
such agencies should be aware that use
of the safe harbor also requires reporting
to the Secretary of instances when it is
applied in an investigation or
proceeding against a part 2 program or
other holder of records.
Comment
A few commenters recommended
narrowing the definition of
‘‘investigative agency’’ by excluding
agencies that supervise part 2 programs,
to avoid creating uncertainty about
whether, in performing their
supervisory functions, they are expected
to obtain a court order to use or disclose
part 2 records of their subordinate
programs. For example, a state agency
believed that, as proposed, the safe
harbor applies whenever an agency has
obtained records without a court
order—thus the existence of the safe
harbor implies that a court order may be
required for all types of investigations,
even when other part 2 disclosure
permissions apply, such as § 2.53
(Management audits, financial audits,
and program evaluation). They
expressed concern that holders of
records may resist legitimate agency
requests for records and urge the agency
to first seek a court order. One
commenter recommended clarifying
that existing permissions for agencies to
obtain records without a court order still
apply. Another commenter pointed out
that § 2.12(c)(3)(ii) already allows
unlimited communication ‘‘[b]etween a
part 2 program and an entity that has
direct administrative control over the
program,’’ which includes government-run
SUD programs and administering
agencies.
Response
We appreciate these concerns and
believe that the existing criteria for
court orders are sufficient to prevent
overuse of the court order process by
government agencies. Specifically,
§§ 2.66 and 2.67 require a finding by the
court that ‘‘other ways of obtaining the
information are not available.’’ These
include, for example, § 2.12(c) for
agencies with direct administrative
control and § 2.53 for agencies with
oversight roles or that act as third-party
payers. We believe that the existing
disclosure permissions for government
agencies are sufficient to clarify the
scope of access to records by
supervisory agencies without obtaining
a court order and that our explanation
will reinforce agencies’ abilities to
continue to obtain part 2 records under
permissions they have historically used
and not burden courts with unnecessary
and potentially ineffective applications
for court orders. We reiterate here that
the existence of the safe harbor
provision and the opportunity to seek a
court order retroactively do not affect
the availability of other part 2
provisions that allow access to records
without written consent or a court
order.
We believe this discussion will
encourage investigative agencies to
evaluate how other disclosure
permissions may apply to their requests
for records when they are in the role of
a supervisory agency to a part 2
program.
Comment
One commenter, a state Medicaid
fraud unit, recommended that their
agency be excluded from the proposed
definition of ‘‘investigative agency’’ and
that they be able to access records
without a court order. In the alternative,
they support the proposed safe harbor
and related procedures proposed in
§§ 2.66 and 2.67.
Response
Agencies with oversight authority
may continue to rely on § 2.53 to
conduct program evaluations and
financial audits without obtaining a
court order. Comments regarding the
ability of a fraud unit to rely on the
proposed safe harbor are addressed
below in the discussion of § 2.66.
Final Rule
In the final rule we are adopting the
proposed definition of ‘‘investigative
agency’’ and further modifying it to add
local, Tribal, and territorial agencies.
Lawful Holder
Lawful holders are not formally
defined within part 2. In the January
2017 final rule, the Department clarified
its use of the term ‘‘lawful holder’’,
stating that a ‘‘lawful holder’’ of patient
identifying information is an individual
or entity who has received such
information as the result of a part 2-compliant patient consent (with a
prohibition on re-disclosure notice) or
as a result of one of the exceptions to
the consent requirements in the statute
or implementing regulations and,
therefore, is bound by 42 CFR part 2.[140]
Lawful holders are subject to
numerous obligations within the
regulation, including the following:
• Prohibited from using records in
investigations or proceedings against a
patient without consent or a court order,
§ 2.12(d).
• Adopting policies and procedures
to protect records received, § 2.16.
• Providing notice upon redisclosure,
§ 2.32.
• Having a contract in place to
redisclose records for payment and
health care operations that binds
recipients to comply with part 2 and
redisclose only back to the program,
§ 2.33.
• Reporting to Prescription Drug
Monitoring Programs only with patient
consent, § 2.36.
• Lawful holder that is a covered
entity—may apply HIPAA standards for
research disclosures, § 2.52.
• Complying with audit and
evaluation disclosure provisions, § 2.53.
In the NPRM the Department
proposed three key changes that affect
lawful holders:
• Section 2.4—to allow patients to
file complaints of part 2 violations
against both programs and lawful
holders.
• Section 2.12(d)—to expressly state
that downstream recipients from a
lawful holder continue to be bound by
the prohibition on use of a patient’s
records in proceedings against the
patient, absent written consent or a
court order.
• Section 2.33(b)(3) and (c)—to
exclude covered entities and business
associates from certain requirements for
lawful holders who have received
records based on consent for payment
and health care operations; the
requirement is for lawful holders to
have a written contract (with required
provisions) before redisclosing records
to contractors or subcontractors. This
section also provides that when records
are disclosed for payment or health care
[Footnote 140: See 82 FR 6052, 6068. See also 81 FR 6988, 6997.]
operations activities to a lawful holder
that is not a covered entity, business
associate, or part 2 program, the
recipient may further use or disclose
those records as may be necessary for its
contractors, subcontractors, or legal
representatives to carry out the payment
or health care operations specified in
the consent on behalf of such lawful
holders.
Overview of Comments
Some commenters provided views on
whether to create a regulatory definition
of ‘‘lawful holder,’’ and if so, what
entities should fall within the
definition. A significant majority of
those commenters recommended
creation of a regulatory definition to
help provide clarity about
responsibilities of respective types of
recipients of part 2 records and none
opposed a new regulatory definition. A
few organizations did not make a
specific recommendation in their
comments about a regulatory definition
of lawful holder but requested that the
Department provide clarification in the
final rule. Several commenters offered
other views on lawful holders.
Additional comments about lawful
holders are included in the comments
on intermediaries.
Comment
Commenters recommended various
definitions of ‘‘lawful holder’’ that
exclude covered entities, business
associates, family members, or personal
representatives.
Response
We appreciate these
recommendations. We are not excluding
part 2 programs, covered entities, and
business associates from the finalized
regulatory definition of lawful holder
when they receive part 2 records from
a part 2 program. However, covered
entities and business associates that
receive part 2 records based on a TPO
consent may redisclose them as
permitted by § 2.33(b)(1) and part 2
programs that are not covered entities or
business associates, and that receive
part 2 records based on a TPO consent,
may redisclose the records for TPO as
permitted by § 2.33(b)(2). These
recipients of part 2 records (part 2
programs, covered entities, and business
associates) are not subject to the
additional limitations in § 2.33(b)(3) and
(c) that apply to other lawful holders
who have received records based on
consent for payment and health care
operations. Family members remain
included as lawful holders; however,
they are excluded from the requirements
in § 2.16 to have formal policies and
procedures to protect records.
Comment
Commenters recommended that the
lawful holder provision provide a safe
harbor from the imposition of civil or
criminal monetary penalties under the
HIPAA Breach Notification Rule for the
unintentional redisclosure of part 2
records by lawful holders that would
have otherwise been a compliant
disclosure of PHI under the HIPAA
Privacy Rule’s TPO permission.
Response
We appreciate the feedback but
decline to create a new safe harbor for
unintentional violations by lawful
holders because we believe the existing
penalty tier under the HITECH Act for
‘‘did not know’’ violations is
appropriate to address these types of
violations.
Comment
An advocacy organization for
behavioral health recommended that the
Department define mobile health apps
that are business associates as ‘‘lawful
holders’’ and consider whether other
health care interoperability applications
or mobile health apps would also fall
within the new definition.
Response
We appreciate this feedback on how
technology may interact with the part 2
regulations. Because we are excluding
business associates from certain
requirements that apply to ‘‘lawful
holders,’’ a mobile health app that is a
business associate would also be
excluded. However, we do not believe a
technology would qualify on its own as
a business associate, but rather the
owner or developer of the technology
that qualifies as a person capable of
executing a business associate
agreement. To the extent that the owner
or developer of a health app, through
the use of its technology, becomes a
recipient of records in the manner
described in the definition of ‘‘lawful
holder,’’ it would be a lawful holder
subject to the requirements and
prohibitions on lawful holders of part 2
records.
Comment
A state agency urged that the rule add
lawful holders and intermediaries to
§ 2.12 to permit them to verbally receive
part 2 information and include it in a
record without it being considered a
part 2 record.
Response
We appreciate this recommendation,
but do not believe it is necessary for
several reasons. First, we are finalizing
the definition of ‘‘lawful holder’’ and
the definition of ‘‘intermediary’’ (that
excludes covered entities and business
associates). Thus, covered entities and
business associates will not be subject to
requirements for lawful holders or
intermediaries. Second, we are
finalizing changes to § 2.12(d) that: (a)
expressly state that data segmentation
and record segregation is not required
by part 2 programs, covered entities,
and business associates that have
received records based on a single
consent for all future TPO; and (b)
remove language requiring segmentation
of part 2 data or segregation of records.
As a result of these changes, to the
extent a lawful holder or intermediary is
a part 2 program, covered entity, or
business associate, it is not required to
segregate the information, but it is still
considered a part 2 record subject to the
prohibition against disclosure in
proceedings against a patient. Third, the
existing rule contains a provision for
non-part 2 providers who document
verbally shared part 2 information,
excluding that information from part 2
status. Thus, only a small set of
recipients are still subject to the data
segregation requirement, taking into
account the combination of changes
finalized within this rule.
Comment
One commenter, a medical
professionals association for SUD
providers, recommended that the
definition of ‘‘lawful holders’’
encompass entities with access to
individual part 2 records outside the
HIPAA/HITECH and part 2 rules, and
that the Department should clarify that
mobile health apps and
‘‘interoperability applications’’ that are
business associates of covered entities
would be considered lawful holders.
Response
Rather than refer to specific types of
entities, we believe a definition based
on the status of the person with respect
to how they received subject records is
a more workable definition and likely to
facilitate common understanding. In
this regard, whether a person is a
managed care organization or mobile
app, if that person received records
pursuant to a part 2-compliant consent
with an accompanying notice of
disclosure, or as a result of a consent
exception, the person will be properly
considered a lawful holder under this
final rule.
Final Rule
The final rule adds a new regulatory
definition of ‘‘lawful holder’’ that is
based on SAMHSA’s previous
explanations and guidance, to read as
noted in § 2.11.
Part 2 Program Director
To foster alignment between the
HIPAA regulations and the part 2 Rules,
the Department proposed to replace the
first instance of the term ‘‘individual’’
with the term ‘‘natural person’’ and the
other instances of the term ‘‘individual’’
with the term ‘‘person’’ within the
definition of ‘‘part 2 program director.’’
Comment
As noted below, the Department
received general support for its proposal
to align the definition of person within
part 2 with the HIPAA definition of
person in 45 CFR 160.103.
Response
We appreciate the comments on the
proposed changes.
Final Rule
The final rule adopts the proposed
definition of ‘‘part 2 program director’’
without further modification. The
Department believes that this change
will foster alignment with HIPAA and
understanding of HIPAA and the part 2
rules.
Patient
The Department proposed to add
language to the existing definition to
clarify that when the HIPAA regulations
apply to part 2 records, a ‘‘patient’’ is an
individual as that term is defined in the
HIPAA regulations.
Comment
The Department received general
support for further aligning the part 2
definition of patient with the definition
of individual within the HIPAA
regulations.
Final Rule
The final rule adopts the proposed
definition of ‘‘patient’’ without further
modification.
Patient Identifying Information
Request for Comment
The Department did not propose
changes to the definition of ‘‘patient
identifying information’’ but requested
comment on all proposed changes to
part 2, including the modifications to
the de-identification standard in §§ 2.16,
2.52, and 2.54.
Comment
Comments on the proposed de-identification standard are discussed in
the sections listed above where de-identification is applied.
Response
In addressing the comments received
on the proposed de-identification
standard and developing additional
modification to better align part 2 with
the HIPAA de-identification standard in
45 CFR 164.514(b), we identified
additional changes needed to clarify and
align terms related to de-identification,
including ‘‘patient identifying
information.’’ These changes are
described below.
Final Rule
We are finalizing a modification to
clarify the definition of ‘‘patient
identifying information’’ and ensure
consistency with the de-identification
standard incorporated into this final
rule. This change is in response to
comments received on the NPRM and to
align with the finalization of the de-identification standard in §§ 2.16, 2.52,
and 2.54, and is consistent with the
Department’s existing interpretation of
the term. The final rule retains the part
2 term, ‘‘patient identifying
information,’’ rather than replacing it
with the HIPAA term, ‘‘individually
identifiable health information,’’
because the two regulatory schemes
apply to different sets of health
information and the CARES Act
mandate for alignment did not erase
those distinctions.
The first sentence of the definition of
‘‘patient identifying information’’ lists
the following identifiers: name, address,
social security number, fingerprints,
photograph, or similar information by
which the identity of a patient, as
defined in § 2.11, can be determined
with reasonable accuracy either directly
or by reference to other information.
This identifying information is
consistent with the identifiers listed in
45 CFR 164.514(b)(2)(i) of the HIPAA
Privacy Rule that must be removed from
PHI for it to be considered de-identified
and no longer subject to HIPAA
protections. As explained in the
background section of this rule, the
Department clarified in a 2017 final rule
that the definition of patient identifying
information in part 2 includes the
individual identifiers listed in the
HIPAA Privacy Rule at 45 CFR
164.514(b)(2)(i) for those identifiers that
are not already listed in the part 2
definition, and in preamble listed those
identifiers.[141]
[Footnote 141: See 82 FR 6052, 6064.]
However, the second sentence of the
definition of ‘‘patient identifying
information’’ in the part 2 rule currently
in effect allows retention of ‘‘a number
assigned to a patient by a part 2
program, for internal use only by the
part 2 program, if that number does not
consist of or contain numbers (such as
a social security, or driver’s license
number) that could be used to identify
a patient with reasonable accuracy from
sources external to the part 2 program.’’
This exclusion from the definition for a
number that could be a part 2 program’s
equivalent of a medical record number
conflicts with one of the identifiers that
must be removed under the HIPAA de-identification standard (and that is
listed in the 2017 Part 2 Final Rule),
namely, ‘‘[a]ny other unique identifying
number, characteristic, or code, except
as permitted by paragraph (c) of this
section[.]’’ Paragraph (c) of § 164.514
allows a covered entity to assign a code
or other record identifier that can be
used to re-identify the PHI, but it must
be kept secure and not used for any
other purpose. The allowable code
referred to in paragraph (c) is different
from the number assigned to a patient
by a part 2 program, which is more
likely to be a provider’s internal record
identifier that may be ubiquitous
throughout a patient’s medical record.
Thus, we believe a clarification of the
current rule is needed that removes the
last sentence of the definition of patient
identifying information.
The final rule adopts a modified
definition of ‘‘patient identifying
information’’ to align more closely with
the HIPAA standard in 45 CFR 164.514.
Payment
The Department proposed to adopt
the same definition of this term as in the
HIPAA regulations. This proposal
would implement 42 U.S.C. 290dd–2(k),
added by section 3221(d) of the CARES
Act, requiring the term ‘‘payment’’ in
this part be given the same meaning of
the term for the purposes of the HIPAA
regulations.
Comment
The Department received general
support for aligning the part 2 definition
of payment with the HIPAA definition.
Response
We appreciate the comments on
adopting the HIPAA definition of
‘‘payment’’ and confirm that the intent
is to uniformly apply the term
‘‘payment’’ in both this regulation and
the HIPAA context.
Final Rule
The final rule adopts the proposed
definition of ‘‘payment’’ without further
modification.
Person
The term ‘‘person’’ is defined within
part 2 as ‘‘an individual, partnership,
corporation, federal, state or local
government agency, or any other legal
entity, (also referred to as ‘individual or
entity’).’’ The part 2 regulation uses the
term ‘‘individual’’ in reference to
someone who is not the patient and
therefore not the subject of a part 2
record. In contrast, the HIPAA
regulations at 45 CFR 160.103 define the
term ‘‘individual’’ to refer to the subject
of PHI, and ‘‘person’’ to refer to ‘‘a
natural person, trust or estate,
partnership, corporation, professional
association or corporation, or other
entity, public or private.’’ Thus, the
HIPAA definition includes both natural
persons and corporate entities.
To further the alignment of part 2 and
the HIPAA regulations and provide
clarity for part 2 programs and entities
that must comply with both sets of
requirements, the Department proposed
to replace the part 2 definition of
‘‘person’’ with the HIPAA definition in
45 CFR 160.103. As an extension of this
clarification, the Department further
proposed to replace the term
‘‘individual’’ with ‘‘patient’’ when the
regulation refers to someone who is the
subject of part 2 records, to use the term
‘‘person’’ when it refers to someone who
is not the subject of the records at issue,
and to modify the definition of
‘‘patient’’ in part 2 to include an
‘‘individual’’ as that term is used in the
HIPAA regulations. The Department
stated that this combination of
modifications would promote the
understanding of both part 2 and the
HIPAA regulations and requested
comment on whether this or other
approaches would provide more clarity.
Comment
Commenters generally supported this
proposed change as providing clarity
and helping to align with HIPAA. One
commenter, a county SUD provider,
suggested that referring to ‘‘person’’ is
helpful for clarity and also emphasizes
patient autonomy and whole person
care. Another commenter supported the
efforts throughout the rulemaking to
streamline language by replacing the
phrase ‘‘individual or entity’’ with the
word ‘‘person,’’ but questioned use of
this term in § 2.51 (Medical
emergencies).
Response
We appreciate the comments. We
confirm here that within this rule
‘‘person’’ refers to both a natural person
and an entity, which may include a
government agency, a health care
provider, or another type of
organization. Thus, the term ‘‘person’’
in the new safe harbor at § 2.3 applies
to an investigative agency as well as a
natural person who is acting under a
grant of authority from an investigative
agency. The comment about disclosures
for medical emergencies is discussed
further in § 2.51 (Medical emergencies).
Final Rule
The final rule adopts the proposed
definition of ‘‘person’’ without further
modification.
Personal Representative
The Department did not propose a
regulatory definition of ‘‘personal
representative’’ for this rule but
requested comment on whether to do so
and apply it to § 2.15 which addresses
surrogate decision making for patients
who are deceased or lack capacity to
make decisions about their health care.
Under the existing § 2.15(a)(1)
provision, consent for disclosures of
records may be given by the guardian or
other individual authorized under state
law to act on behalf of a patient who has
been adjudicated as lacking capacity, for
any reason other than insufficient age,
to manage their own affairs. In
circumstances without adjudication,
under § 2.15(a)(2) the part 2 program
director may exercise the right of the
patient to consent to disclosure for the
sole purpose of obtaining payment for
services from a third-party payer for an
adult patient who for any period suffers
from a medical condition that prevents
knowing or effective action on their own
behalf.
The existing rule, at § 2.15(b)(2),
requires a written consent by an
executor, administrator, or other
personal representative appointed under
applicable state law for disclosures for
a deceased patient’s record. If there is
no legally appointed personal
representative, the consent may be given
by the patient’s spouse or, if none, by
any responsible member of the patient’s
family. However, part 2 does not define
any of the terms for the persons who can
provide the consent, including
‘‘personal representative.’’
Comment
Several commenters, including state
agencies and health technology vendors,
suggested that the Department provide
that personal representatives can give
consent to use and disclose part 2
records on behalf of an incapacitated
patient. One of the state agencies
commented that such a grant of
authority to personal representatives
would help ensure care coordination.
All agreed that the Department should
define ‘‘personal representative’’ and a
few of these commenters commented
that the Department should define it
consistent with HIPAA. Specifically, a
few of these commenters described
facilities being faced with requests for
records by many individuals of varying
relationships to patients. They asserted
that the NPRM leaves room for
interpretation about who has authority,
making it difficult to ensure patient
privacy consistent with HIPAA.
Response
We acknowledge and agree with the
commenters who provided views on
this topic. HIPAA does not include
‘‘personal representative’’ in its
definitions section but provides a clear
standard in 45 CFR 164.502(g)(2), where
it describes the responsibilities of a
personal representative as having
‘‘authority to act on behalf of an
individual who is an adult or an
emancipated minor in making decisions
related to health care.’’ Section
164.502(g) provides when, and to what
extent, a personal representative must
be treated as the individual for purposes
of the HIPAA Privacy Rule. Section
164.502(g)(2) requires a covered entity
to treat a person with legal authority to
act on behalf of an adult or emancipated
minor in making decisions related to
health care as the individual’s personal
representative with respect to PHI
relevant to such personal
representation. Adopting a definition in
the final rule will clarify who qualifies
as a personal representative for
decisions about uses and disclosures for
adults who lack the capacity to make
decisions about consenting to uses or
disclosures of their SUD records and
provide needed consistency between
part 2 and the HIPAA Privacy Rule.
Defining the term ‘‘personal
representative’’ consistent with the
HIPAA standard furthers the alignment
of part 2 and HIPAA in accordance with
the CARES Act and will also assist with
treatment and care coordination. We
considered but decline to adopt 45 CFR
164.502(g) in its entirety because several
paragraphs conflict with part 2, such as
consent by minors, and we believe it is
important to maintain those provisions
of part 2 that are more protective of
patient privacy.
Final Rule
We are finalizing in § 2.11 a new
regulatory definition of ‘‘personal
representative’’ that mirrors language in
the HIPAA Privacy Rule at 45 CFR
164.502(g).
Program
Within the definition of ‘‘program,’’
the Department proposed to replace the
term ‘‘individual or entity’’ with the
term ‘‘person’’ as is used in the HIPAA
regulations and make no other changes.
Part 2 defines program as: (1) An
individual or entity (other than a
general medical facility) who holds
itself out as providing, and provides,
substance use disorder diagnosis,
treatment, or referral for treatment; or
(2) An identified unit within a general
medical facility that holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment, or referral
for treatment; or (3) Medical personnel
or other staff in a general medical
facility whose primary function is the
provision of substance use disorder
diagnosis, treatment, or referral for
treatment and who are identified as
such providers.
Comment
The Department received several
comments on the existing definition of
‘‘program,’’ including several elements
for which no changes were proposed.
Some providers commented that they
continue to be confused as to the
meaning of ‘‘holds itself out.’’
Commenters also requested clarity as to
whether they or their facility’s ‘‘primary
function’’ was the provision of SUD
treatment. Commenters requested more
objective definitions of these terms or
use of another approach to defining a
program, such as HHS creating a central
registry of part 2 programs similar to
that developed by the Health Resources
and Services Administration for health
centers or the 340B Drug Pricing
Program. Lacking such clarity,
commenters asserted that it may be
difficult for providers to distinguish
between claims that are subject to part
2 consent or other provisions from those
that are not. Commenters also asked
whether a program or provider holds
themselves out based on their
advertising SUD services or based on
their being known to provide, refer, or
bill for SUD treatment. One commenter
believed that general medical facilities
are exempt from the definition of part 2
programs yet in practice, such facilities
may offer SUD treatment and this may
be widely known in the community.
The commenter urged the Department to
provide additional clarity on
how part 2 applies to general medical
facilities or practices given current
emphasis on behavioral health
integration and care coordination for
patients. Another commenter noted that
facilities making it known that they
offer SUD treatment can help to reduce
stigma and discrimination and
encourage patients to seek needed care.
A medical professionals’ association
asserted that EHRs are not designed to
treat some units or locations within a
facility, such as emergency departments,
differently than others. The commenter
urged the Department to define part 2
‘‘program’’ as being limited to licensed
SUD providers to help provide needed
clarity. Other commenters suggested
that providers may offer medications for
opioid use disorder (MOUD) (also
known as medication assisted treatment
(MAT)) 142 but do not specifically hold
themselves out as being part 2 programs.
Commenters urged the Department to
clarify that facilities or providers
providing MOUD do not become part 2
programs unless doing so is their
primary function.
Response
We did not propose changes to the
long-standing definition of a part 2
‘‘program’’ in 42 CFR part 2, and thus
the final rule is limited to interpreting
the definition rather than revising it.
Whether a provider holds itself out as
providing SUD treatment or as a
practice with the primary function of
providing SUD treatment within a
general medical facility setting is a fact-specific inquiry that may depend on
how a particular program operates and
describes or publicizes its services. That
said, the Department acknowledges
comments about providers’ challenges
in applying the definition of part 2
‘‘program’’ in integrated care settings or
using EHRs and other technologies to
support coordinated, integrated care.
The Department has provided guidance
on this issue in the past.143 After this
rule is final, the Department may update
or provide additional guidance to help
further clarify the definition of program.
The Department has historically noted
that most SUD treatment programs are
federally assisted and therefore that
prong of part 2 typically applies. In
2017, the Department largely reiterated
its proposed interpretations of ‘‘holds
itself out’’ and ‘‘primary function,’’ 144
142 This rule follows the convention adopted by
SAMHSA of referring to MOUD rather than MAT.
See 87 FR 77330, 77338 (Dec. 16, 2022).
143 See Substance Abuse and Mental Health
Servs. Admin., ‘‘Disclosure of Substance Use
Disorder Patient Records: Does Part 2 Apply to
Me? ’’ (May 1, 2018), https://www.hhs.gov/
guidance/document/does-part-2-apply-me.
144 See discussion at 82 FR 6052, 6066.
and more recently developed guidance
on the applicability of part 2.145
Comment
Another commenter asked that the
Department specifically carve out from
part 2 IHS and Tribal facilities that
provide MOUD incident to their
provision of general medical care.
Response
We appreciate the comment; however,
this change is beyond the scope of this
rulemaking. The Department conducted
a Tribal consultation about the CARES
Act changes to this rule in March
2022 146 and will continue to provide
support to Tribal entities and
collaborate with IHS in implementing
the final rule. The Department also
notes that some facilities and providers,
even if they do not meet the definition
of program, still may be required by
state regulations to comply with part 2
requirements.147
Final Rule
The final rule adopts the proposed
definition of ‘‘program’’ without further
modification.
Public Health Authority
The Department proposed to adopt
the same meaning for this term as in the
HIPAA Privacy Rule at 45 CFR 164.501.
This proposal would implement
subsection (k) of 42 U.S.C. 290dd–2,
added by section 3221(d) of the CARES
Act, requiring the term in this part be
given the same meaning of the term for
the purposes of the HIPAA regulations.
Comment
The Department received a few
specific supportive comments,
including from several state agencies,
that the addition of the proposed
definition would facilitate public health
authorities’ provision of comprehensive
health and health care information to
the public, and would help clarify the
145 See ‘‘Disclosure of Substance Use Disorder
Patient Records: Does Part 2 Apply to Me?,’’ supra
note 143.
146 See U.S. Dep’t of Health and Human Servs.,
Off. for Civil Rights and the Substance Abuse and
Mental Health Servs. Admin., ‘‘Follow up Report on
the 42 CFR part 2 Tribal Consultation
Recommendations’’ (June 2023), https://
www.samhsa.gov/sites/default/files/follow-upreport-42-cfr-part-2-tribal-consultationrecommendations-june-2023.pdf.
147 See California Health & Human Servs. Agency,
Ctr. for Data Insights and Innovation, ‘‘State Health
Information Guidance, 1.2, Sharing Behavioral
Health Information in California’’ (Apr. 2023),
https://www.cdii.ca.gov/wp-content/uploads/2023/
04/State-Health-Information-Guidance-1.22023.pdf; see also ‘‘TAC Assessment Working
Paper: 2016 Compilation of State Behavioral Health
Patient Treatment Privacy and Disclosure Laws and
Regulations,’’ supra note 122.
provision of comprehensive data and
information to public health authorities
for critical public health needs.
Response
We appreciate the comments.
Final Rule
The final rule adopts the proposed
definition of ‘‘public health authority’’
without further modification.
Qualified Service Organization
The Department proposed to modify
the definition of ‘‘qualified service
organization’’ by adding HIPAA
business associates to the regulatory text
to clarify that they are QSOs in
circumstances when part 2 records also
meet the definition of PHI (i.e., when a
part 2 program is also a covered entity).
The Department stated that this
proposal would facilitate the
implementation of the CARES Act with
respect to disclosures to QSOs. The
HIPAA regulations generally permit
disclosures from a covered entity to a
person who meets the definition of a
business associate (i.e., a person who
works on behalf of or provides services
to the covered entity) 148 without an
individual’s authorization, when based
on a business associate agreement that
incorporates certain protections.149
Similarly, the use and disclosure
restrictions of this part do not apply to
the communications between a part 2
program and QSO when the information
is needed by the QSO to provide
services to the part 2 program. This
definition is proposed in conjunction
with a proposal to modify § 2.12
(Applicability), to clarify that QSOs also
use part 2 records received from
programs to work ‘‘on behalf of’’ the
program.
The Department also proposed a
wording change to replace the phrase
‘‘individual or entity’’ with the term
‘‘person’’ as proposed to comport with
the HIPAA meaning of the term.
Comment
Several organizations commented on
QSOs. A behavioral health advocacy
organization supported the proposed
change because consent requirements
would not apply to information
exchanges between part 2 programs and
business associates when they are
providing ‘‘service work’’ on behalf of
the part 2 program and this expansion
would encourage data sharing for part 2
programs. A state health data agency
recommended eliminating the QSO
148 See 45 CFR 160.103 (definition of ‘‘Business
associate’’).
149 See, e.g., 45 CFR 164.504(e).
definition in favor of business associate.
The commenter believed that if § 2.3(c)
applies the various sanctions of HIPAA
to part 2 programs regardless of whether
the program is a HIPAA covered entity
or business associate, the need to retain
QSOs for part 2 programs that are not
covered entities seems to be eliminated.
A health system commenter has found
the existing definition of QSO to be
broad, and said that it is difficult to
know which recipients are receiving
part 2 records. This commenter would
support the proposed definition if it
meant that compliance with a business
associate agreement would meet the part
2 requirements for a QSO agreement
(QSOA).
Response
The Department is maintaining a
distinct definition in part 2 for QSOs.
The revised definition clarifies the
obligations of a business associate that
has records created by a covered entity
that is a part 2 program (which is
subject to all part 2 requirements) and
a business associate that has records
from a covered entity that is only a
recipient of part 2 records (and subject
to the new redisclosure permission as
allowed under the HIPAA Privacy Rule).
While QSOs supporting part 2 programs
in such activities as data processing and
other professional services are
analogous to the activities of business
associates supporting covered entities,
QSOs have a distinct function within
part 2. For these reasons, QSOA under
part 2 should be understood as distinct
from business associate agreements
required by HIPAA.
Comment
Another state commenter suggested
that QSOs should be included in the
breach notification requirements that
are being newly applied to part 2
programs.
Response
We considered finalizing a
requirement for QSOs to comply with
the new breach reporting requirements
in § 2.16 in the same manner as they
apply to business associates under
HIPAA. We believe subjecting QSOs to
this requirement would have
underscored the status of QSOs as
similar to business associates; however,
we are not making this change because
the CARES Act provides that breach
notification should apply to part 2
programs in the same manner as it does
to covered entities and does not
mention breach notification
requirements with respect to QSOs or
business associates. Regardless, part 2
programs are likely to address breach
notifications in contractual provisions
within a QSOA, so QSOs need to be
aware of breach notification.
Comment
A few HIN/HIEs requested that the
definition of QSO be modified to
expressly include subcontractors of
QSOs. The commenters further
requested that the Department withdraw
prior regulatory guidance regarding
‘‘contract agents,’’ because it has been
interpreted by some as requiring a
Federal agency-level relationship
between the QSO and the QSO’s
subcontractor to permit the QSO to
engage with a subcontractor.
Response
The Department declines to withdraw
previous guidance concerning contract
agents or subcontractors, which it still
views as relevant. In its 2010 HIE
guidance, the Department stated that
‘‘[a]n HIO may disclose the Part 2
information to a contract agent of the
HIO, if it needs to do so to provide the
services described in the QSOA, and as
long as the agent only discloses the
information back to the HIO or the Part
2 program from which the information
originated.’’ 150 In 2017 the Department
noted that ‘‘[w]e have previously
clarified in responses to particular
questions that contracted agents of
individuals and/or entities may be
treated as the individual/entity.’’ 151 In
the 2018 final rule, the Department
stated that ‘‘SAMHSA guidance
indicates that a QSOA does not permit
a QSO to re-disclose information to a
third party unless that third party is a
contract agent of the QSO, helping them
provide services described in the QSOA,
and only as long as the agent only
further discloses the information back to
the QSO or to the part 2 program from
which it came.’’ 152
The Department, in the 2020 Part 2
Final Rule, noted that activities of QSOs
‘‘would overlap with those articulated
in § 2.33(b) related to information
disclosures to a lawful holder’s
contractors, subcontractors, and legal
representatives for the purposes of
payment and/or health care
operations.’’ 153 This guidance continues
to be relevant to the roles of QSOs and
their subcontractors or agents.
150 Substance Abuse and Mental Health Servs.
Admin., ‘‘Frequently Asked Questions: Applying
the Substance Abuse Confidentiality Regulations to
Health Information Exchange (HIE),’’ at 8, https://
www.samhsa.gov/sites/default/files/faqs-applyingconfidentiality-regulations-to-hie.pdf.
151 82 FR 6052, 6056.
152 83 FR 239, 246.
153 85 FR 42986, 43009.
Comment
According to one county government,
the addition of business associates to
the definition of a ‘‘qualified service
organization’’ is helpful for the county
health system’s ability to serve patients
in need of SUD treatment. As a large
health system and provider of
behavioral health services, this county
relies on business associates to operate
its programs. A clearer definition of
QSOs will allow the county and its part
2 programs to expand services using
business associates to provide much
needed assistance with claims, data and
analytics, and quality assurance, the
commenter said.
Response
The Department appreciates the
comments on its proposed change.
Comment
An advocacy organization urged HHS
to clarify that a business associate must
still meet all aspects of the QSO
definition, including entering into a
QSOA. It also suggested that HHS
should consider creating and publishing
an official version of a joint QSOA and
business associate agreement and that
HHS should also work to improve major
technology vendors’ understanding of
part 2, so that part 2 programs and their
patients can benefit from services like
email, cloud-based storage, and
telehealth platforms, while maintaining
confidentiality safeguards. Another
commenter said the Department should
provide guidance on how terms such as
intermediaries, business associates,
qualified service organizations, and
lawful holders interact and differ.
Response
The Department appreciates these
comments and will consider what
additional guidance may be helpful after
this rule is finalized. The Department
explains throughout this rule the
roles and functions of lawful holders,
business associates, QSOs, and
intermediaries but may provide
additional, concise guidance in the
future. As highlighted in its guidance
entitled ‘‘Disclosure of Substance Use
Disorder Patient Records: Does Part 2
Apply to Me? ’’ such inquiries are fact-specific depending on an organization’s
or provider’s role in SUD treatment and
the records it shares or receives.154
Final Rule
The final rule adopts the proposed
definition of QSO to expressly include
154 See ‘‘Disclosure of Substance Use Disorder
Patient Records: Does Part 2 Apply to Me? ’’ supra
note 143.
business associates as QSOs where the
PHI in question also constitutes a part
2 record and further modifies the new
paragraph by adding a clarification that
the definition of QSO includes business
associates where the QSO meets the
definition of business associate for a
covered entity that is also a part 2
program. Finalizing the changes to
expressly include business associates as
QSOs responds to comments received
on the NPRM and those from others on
previous part 2 rulemakings (such as
during SAMHSA’s 2014 Listening
Session) 155 noting that the role of QSOs
is analogous to business associates such
that aligning terminology makes sense
given the purpose of section 3221 of the
CARES Act to enhance harmonization of
HIPAA and part 2. As noted in the
NPRM, the Department also believes
finalizing this proposal facilitates the
implementation of the CARES Act with
respect to disclosures to QSOs.
Records
The definition of ‘‘records’’ specifies
the scope of information that part 2
protects. The Department proposed to
insert a clause to expressly include
patient identifying information within
the definition of records and to remove,
as unnecessary, the last sentence that
expressly included paper and electronic
records.
Comment
Several organizations commented on
the definition of ‘‘records.’’ Several
commenters on the definition of
‘‘record’’ requested that the final rule
expressly state that records received
from a part 2 program under a consent
for TPO no longer retain their
characteristic as part 2 records. These
commenters provided their views of the
difficulties associated with tracking the
provenance of a particular data element
once it has been added to a record. One
comment suggested that the recipient
should be able to redisclose the data for
TPO even if the provenance could not
be tracked.
Response
We appreciate the comments but
decline to add a statement that records
received under a consent for TPO are no
longer part 2 records. Instead, in
response to other comments we are
finalizing an express statement in
§ 2.12(d) that segregation of records
received by a part 2 program, covered
entity, or business associate under a
155 See ‘‘Disclosure of Substance Use Disorder
Patient Records: Does Part 2 Apply to Me? ’’ supra
note 143; see also, Confidentiality of Alcohol and
Drug Abuse Patient Records, Notice of Public
Listening Session, 79 FR 26929 (May 12, 2014).
consent for TPO is not required. We
believe it is necessary for the records
received to retain their characteristic as
part 2 records to ensure that recipients
comply with the continuing prohibition
on use and disclosure of the records in
investigations or proceedings against the
patient, absent written consent or a
court order. We agree with the comment
that a recipient that is a part 2 program,
covered entity, or business associate
should be able to redisclose the data for
TPO as permitted by HIPAA and believe
that the suite of modifications in the
final rule accomplishes that end.
Comment
According to one commenter, the
definitions of ‘‘record,’’ ‘‘program,’’ and
‘‘patient identifying information’’ and
how they are applied are inconsistent,
cross-referential, and confusing. This
commenter urged the Department to
simplify and clarify these terms,
perhaps by adopting a single term as
used in HIPAA (e.g., ‘‘protected health
information’’) to uniformly apply
throughout the regulation.
Response
We appreciate this comment and are
finalizing a number of changes to
improve consistency and clarity
throughout the rule; however, we are
also mindful that many definitions have
a special meaning within this part and
the primary aim of this rulemaking is to
implement the CARES Act amendments
to 42 U.S.C. 290dd–2. We are
incorporating the term ‘‘patient
identifying information’’ into the
definition of record, in part to align with
the HIPAA definition of PHI which
includes demographic information.
Thus, with this modification the
definition includes not only information
that could identify a patient as having
or having had an SUD, but also
information that identifies the patient.
Comment
An individual commenter
recommended that the Department
retain the last sentence of the definition
because it is helpful to indicate that part
2 may apply to paper and electronic
records and removing it might suggest to
programs that the regulation no longer
applies to paper records.
Response
In the five decades since the
promulgation of the part 2 regulation,
health IT has become widely adopted
and it is evident that records include
both paper and electronic formats. The
Department does not intend to change
the meaning or understanding of records
with this proposed modification, but
only to streamline the description.
Final Rule
We are adopting the proposed
definition of ‘‘records’’ without further
modification.
SUD Counseling Notes
In the NPRM, we requested input
about whether to create a new definition
similar to psychotherapy notes within
HIPAA that is specific to the notes of
SUD counseling sessions by a part 2
program professional. Such notes would
be part 2 records, but could not be
disclosed based on a general consent for
TPO. They could only be disclosed with
a separate written consent that is not
combined with a consent to disclose any
other type of health information. We
requested comments on the benefits and
burdens of creating such additional
privacy protection for SUD counseling
notes that are maintained primarily for
use by the originator of the notes,
similar to psychotherapy notes as
defined in the HIPAA Privacy Rule. We
provided potential language for ‘‘SUD
counseling notes’’, defining it as notes
recorded (in any medium) by a part 2
program provider who is an SUD or
mental health professional documenting
or analyzing the contents of
conversation during a private
counseling session or a group, joint, or
family counseling session and that are
separated from the rest of the patient’s
record. ‘‘SUD counseling notes’’
excludes medication prescription and
monitoring, counseling session start and
stop times, the modalities and
frequencies of treatment furnished,
results of clinical tests, and any
summary of the following items:
diagnosis, functional status, the
treatment plan, symptoms, prognosis,
and progress to date.156
Comment
Many commenters somewhat or
strongly supported the Department’s
proposal to include a definition of ‘‘SUD
counseling notes.’’ We are finalizing the
proposed definition and discuss
comments specifically regarding the
proposed definition below and other
comments relating to consent and
disclosure of SUD counseling notes
within § 2.31.
Comments Supporting a Proposed SUD
Counseling Notes Definition
An SUD recovery organization
supported the potential definition. An
association of medical professionals also
supported establishing a definition of
156 87 FR 74216, 74230.
‘‘SUD counseling notes’’ that effectively
copies the definition of ‘‘psychotherapy
notes’’ under the HIPAA Privacy Rule.
A state health department supported an
‘‘SUD counseling notes’’ definition in
§ 2.11 because this would permit
disclosure without patient consent for
the purpose of oversight of the
originator of the SUD counseling notes
to ensure patient safety. Another state
agency urged that SUD counseling
session notes be treated similarly to
psychotherapy notes as now addressed
in HIPAA (i.e., SUD counseling notes be
given protections equal to
psychotherapy notes). A provider
supported the addition of a definition of
‘‘SUD counseling notes’’ as written to
incorporate the same protections as
described in the HIPAA regulations for
psychotherapy notes. The provider
believed that any perceived burdens to
creating a separate definition of SUD
counseling notes are outweighed by the
benefits of the additional protections by
requiring separate authorization for
release of the SUD counseling notes. A
county agency recommended that we
add this protection in alignment with
the psychotherapy notes restriction
under HIPAA and further suggests that
the protection extend to all clinical
notes in addition to the notes of SUD
counselors. The commenter further
recommended that the definition of
‘‘counseling notes’’ include assessment
forms. This added protection would
safeguard against use of SUD counseling
notes in pending legal cases and
pending dependency court (child
custody) cases.
A hospital commenter supported
providing a corresponding protection in
part 2 for certain notes for SUD patients,
like psychotherapy notes have under
HIPAA, but did not support the use of
a new term that would differentiate SUD
counseling notes from psychotherapy
notes. Instead, the hospital
recommended using psychotherapy
notes or SUD psychotherapy notes for
consistency. The commenter also
suggested further discussion of the use
of the term ‘‘psychotherapy notes’’ in
the regulations, since the term continues
to generate confusion. The commenter
stated that the terms ‘‘counseling notes’’
and ‘‘psychotherapy notes’’ have a
different meaning in routine clinical
practice and are used frequently, but do
not seem to meet the definition in the
NPRM.
Response
We appreciate comments concerning
our proposed definition of ‘‘SUD
counseling notes’’ and respond as
follows. As discussed in the NPRM, the
intent of the potential definition we
described was to align with HIPAA
provisions regarding psychotherapy
notes, and we discuss psychotherapy
notes further in § 2.31 below.157 We
believe the final definition of ‘‘SUD
counseling notes’’ will ease compliance
burdens for part 2 programs because the
definition almost exactly matches the
definition of ‘‘psychotherapy notes’’
under the HIPAA Privacy Rule except
for the references to SUD professionals
and SUD notes.
As we explained in the 2000 final
HIPAA Privacy Rule, psychotherapy
notes ‘‘are the personal notes of the
therapist, intended to help him or her
recall the therapy discussion and are of
little or no use to others not involved in
the therapy.’’ 158 While the commenter
above did not define what it meant by
assessment forms, consistent with
HIPAA our final definition of ‘‘SUD
counseling notes’’ expressly excludes
‘‘medication prescription and
monitoring, counseling session start and
stop times, modalities and frequencies
of treatment furnished, results of
clinical tests, and any summary of the
following items: diagnosis, functional
status, the treatment plan, symptoms,
prognosis, and progress to date.’’
Comment
Several SUD recovery organizations
supported a ‘‘SUD counseling notes’’
definition because these notes often
contain highly sensitive information
that supports therapy. Limiting access to
these notes is critical to protect the
therapeutic alliance due to the unique
risks that patients face due to the highly
sensitive information in these notes. An
SUD recovery association and SUD
provider commented that the
Department should protect counseling
notes using a new definition similar to
psychotherapy notes, require specific
consent, and not allow such consent to
be combined with consent to disclose
any other type of health information.
According to these two commenters the
patient’s prognosis should be
considered a counseling note because it
could bias staff toward the patient’s
situation; it is subjective and the large
turnover of counseling staff results in
greater reliance on existing reports. An
individual commenter also said that
they supported the Department’s
version of SUD counseling notes, but
expressed concern about excluding
prognosis from SUD counseling notes;
they too believed that prognosis is too
subjective and its exclusion from the
definition could result in bias or
prejudice. Given the large turnover of
counseling staff and the use of fairly
junior clinicians to provide service,
prognosis should be considered a
counseling note. A few SUD treatment
professionals associations also said that
counseling notes should be so protected
using a new definition similar to
psychotherapy notes.
157 See, e.g., 45 CFR 164.501; 45 CFR 164.508; U.S. Dep’t of Health and Human Servs., ‘‘Does HIPAA provide extra protections for mental health information compared with other health information?’’ (Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html; 65 FR 82461, 82497, 82514 (Dec. 28, 2000).
158 65 FR 82461, 82623.
Response
We appreciate comments from SUD
recovery organizations and others about
our proposed changes. The final
definition of ‘‘SUD counseling notes’’
expressly excludes ‘‘medication
prescription and monitoring, counseling
session start and stop times, the
modalities and frequencies of treatment
furnished, results of clinical tests, and
any summary of the following items:
diagnosis, functional status, the
treatment plan, symptoms, prognosis,
and progress to date.’’ Thus, prognosis
information is excluded from ‘‘SUD
counseling notes’’ under the definition
adopted in this final rule. Information
critical to the patients’ diagnosis and
treatment such as prognosis and test
results, should be within the patient’s
part 2 record or medical record such
that it may be available for such
activities as treatment consultation,
medication management, care
coordination, and billing.159
Neither HIPAA nor part 2 provides a
right of access to psychotherapy notes or
SUD counseling notes, but for different
reasons. Under HIPAA, although
psychotherapy notes are part of the
designated record set (because the
clinician may use them to make
decisions about the individual), they are
specifically excluded from the right of
access in 45 CFR 164.524. Under part 2,
there is no general right of access for
part 2 records, and thus there is no right
of access for SUD counseling notes,
which are a narrow subset of part 2
records. However, under both HIPAA
and part 2, clinicians may exercise their
discretion and voluntarily provide
patients with access to psychotherapy
notes and/or SUD counseling notes or a
portion of such notes.
159 See U.S. Dep’t of Health and Human Servs., ‘‘Individuals’ Right under HIPAA to Access their Health Information 45 CFR 164.524’’ (Oct. 20, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/; 45 CFR 164.501 (definition of ‘‘Designated record set’’).
Comment
A local government agency supported
explicitly defining ‘‘SUD counseling
notes’’ as discussed in the NPRM. The
commenter said we should clearly
define how and where SUD counseling
notes must be treated differently from
other part 2 records and the HIPAA
designated record set. Such clarification
will assist dually regulated entities’
efforts to comply with the HIPAA
Privacy Rule and Information Blocking
requirements.160 The commenter
proposed redefining ‘‘HIPAA
psychotherapy notes’’ to include all part
2-defined SUD counseling notes by
reference. Such a straightforward
alignment would minimize burden and
maximize ease of compliance.
Response
We appreciate comments concerning
the definition of ‘‘SUD counseling
notes’’ including the suggestion to
redefine HIPAA ‘‘psychotherapy notes’’
at 45 CFR 164.501 to include SUD
counseling notes. However, changes to
the HIPAA definitions are outside the
scope of this rulemaking.
Comment
A health insurer supported a separate
definition of ‘‘SUD counseling notes’’
that makes clear the distinction between
these types of notes, other notes, and
part 2 records. SUD counseling notes are
distinct from other notes, such as
psychotherapy and analysis notes,
according to this commenter. Most
treatment for SUDs is done through
individual and group counseling to
address specific goals of a treatment
plan, the commenter said, so excluding
all notes would in effect exclude the
disclosure of SUD information, unless
there is differentiation between these
notes. Even though the commenter
recognizes the definitions would
overlap in several aspects—such as for
consent requirements—it welcomed the
overlap, as there would be an additional
administrative burden around creating a
separate consent for SUD counseling
notes if requirements differed within the
definition.
Response
We appreciate this comment on our
proposed changes. The commenter
correctly apprehends that the provisions
for SUD counseling notes require that
they be separated from the rest of the
part 2 and/or medical record to be
recognized as ‘‘SUD counseling notes’’
and afforded additional privacy
protection. We agree that the definition
of ‘‘SUD counseling notes’’ in this final
rule will support patient participation
in individual and group SUD
counseling. SAMHSA has noted
elsewhere the importance of privacy
and confidentiality in both individual
and group counseling settings.161
160 See The Off. of the Nat’l Coordinator for Health Info. Tech. (ONC), ‘‘Information Blocking’’, https://www.healthit.gov/topic/information-blocking.
Comments Opposing a New SUD Counseling Notes Definition or Requesting Clarification
Comment
A county government asked that HHS
make SUD records a specific category of
PHI under HIPAA in a way similar to
psychotherapy notes. It is inequitable,
said the commenter, that patients have
more confidentiality of their records
when receiving SUD services from a
part 2 program versus a primary care
provider that is not a part 2 program. A
state agency said that the proposed
definition of ‘‘SUD counseling notes’’
and the existing definition of
‘‘psychotherapy notes’’ in 45 CFR
164.501 do not accurately capture the
intent of the right of access exclusion.
The agency suggested using headings of
‘‘SUD process notes’’ and
‘‘psychotherapy process notes’’ to
clarify that these are non-clinical notes
and avoid creating confusion for
patients in understanding what they are
in fact requesting to exclude.
Response
We appreciate suggestions concerning
changes or clarifications to provisions
concerning the definition of HIPAA
‘‘psychotherapy notes’’ at 45 CFR
164.501. However, changes to the
HIPAA definitions are outside the scope
of our part 2 rulemaking. With respect
to SUD counseling notes, we clarify that
the exclusion of psychotherapy notes
from the right of access in the HIPAA
Privacy Rule does not have a parallel in
part 2 because part 2 does not contain
a right of access. We do not believe that
renaming these notes as process notes
would promote understanding of their
essential nature—that they are
separately maintained and intended
primarily for use by the direct treating
clinician with few exceptions. Further,
we do not categorize SUD counseling
notes or psychotherapy notes as either
clinical or non-clinical. We expect that
they contain a mix of information useful
to the clinician but not necessary for
routine uses or disclosures for TPO.
161 See Substance Abuse and Mental Health Servs. Admin., ‘‘TIP 41: Substance Abuse Treatment: Group Therapy’’ (2015), https://store.samhsa.gov/product/TIP-41-Substance-Abuse-Treatment-Group-Therapy/SMA15-3991; Substance Abuse and Mental Health Servs. Admin., ‘‘TIP 63: Medications for Opioid Use Disorder—Full Document’’ (2021), https://store.samhsa.gov/product/TIP-63-Medications-for-Opioid-Use-Disorder-Full-Document/PEP21-02-01-002.
Comment
A few HIE associations questioned the
definition discussed in the NPRM
stating that psychotherapy notes rarely
exist as they are not considered in the
HIPAA designated record set; therefore,
such psychotherapy notes are not
accessible under the patient right of
access or available in the patient portal.
These commenters and others, as
discussed below in § 2.31, expressed
concern about the need to keep such
records compartmentalized or distinct
from other part 2 records and associated
burdens for data sharing, health IT, and
other activities.
Response
As the Department explained in
guidance, ‘‘[d]esignated record sets
include medical records, billing records,
payment and claims records, health
plan enrollment records, case
management records, as well as other
records used, in whole or in part, by or
for a covered entity to make decisions
about individuals.’’ 162 Psychotherapy
notes are used by the treating clinician
to make decisions about individuals,
and thus are part of the designated
record set, but they are expressly
excluded from the individual right of
access to PHI.163 However, the HIPAA
Privacy Rule permits a treating provider
to voluntarily grant an individual access
to such notes.164 Similarly, § 2.23
permits, but does not require, part 2
programs to provide a patient with
access to part 2 records (including SUD
counseling notes as finalized here),
based on the patient’s consent. As
explained above, changes to the HIPAA
Privacy Rule definition of
‘‘psychotherapy notes’’ are beyond the
scope of this rulemaking.
Comment
A health care provider asserted that it
is not necessary to create a separate term
and definition of SUD counseling notes
because the HIPAA term
‘‘psychotherapy notes’’ meets these
needs. The commenter supported
applying the HIPAA standard to
psychotherapy notes created within a
part 2 program.
162 U.S. Dep’t of Health and Human Servs., ‘‘What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?’’ (June 24, 2016), https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/.
163 See ‘‘Individuals’ Right under HIPAA to Access their Health Information 45 CFR 164.524,’’ supra note 159.
164 The HIPAA Privacy Rule expressly permits disclosures of PHI to the individual who is the subject of the PHI. See 45 CFR 164.502(a)(1)(i).
Response
We appreciate this comment. As
noted in the NPRM, we believe that it
is important to include within part 2 a
definition of ‘‘SUD counseling notes’’
specific to the notes of SUD counseling
sessions by a part 2 program
professional. SUD counseling notes
under this final rule are part 2 records
but cannot be disclosed based on a
general consent for TPO. If this rule
failed to include a definition of SUD
counseling notes, HIPAA’s
psychotherapy notes provisions and
definitions in 45 CFR 164.501 and
164.508 would not apply to part 2
programs that are not covered entities,
and SUD counseling notes could be
disclosed under a general TPO consent,
which would undermine the utility of
these notes being maintained separately
from the designated record set by some
SUD providers.
Comment
A county health department stated
that SUD counseling notes are different
from psychotherapy notes, which often
focus on more intimate and deeper
clinical considerations, while SUD
counseling notes often include more
straightforward clinical details that do
not require additional privacy
protections. This commenter stated that
the differences in the nature of such
notes are due to differences in the scope
of practice of the different workforces of
SUD programs and therapists. The
commenter also stated that, because
most of the services provided by part 2
programs are documented via SUD
counseling notes, requiring separate
consent for SUD counseling notes
would counteract the aim of facilitating
greater information exchange without
providing a clear benefit. As such, the
commenter urged the Department to
reject the idea of applying additional
privacy protections for SUD counseling
notes.
Another county department similarly
stated that the nature of SUD counseling
notes is fundamentally different from
psychotherapy notes, and does not
warrant enhanced confidentiality. As
described by this commenter, while
psychotherapy notes focus on intimate
and nuanced clinical considerations, the
typical SUD counseling note is far less
detailed and more like a standard
progress note in a medical record. In
addition, SUD counseling notes are
usually kept by providers with less
education and training than
psychiatrists, who do not have a
professional practice of maintaining
separate counseling notes primarily for
use by the originator of the notes.
A state agency expressed concern that
adopting special protections for SUD
counseling notes would create
additional administrative complexity
and compliance challenges for part 2
programs and may have unintended
adverse consequences by restricting
patient access to, or beneficial
disclosures of, a significant segment of
their SUD treatment records. The
commenter asserted that such a change
seemed unlikely to facilitate
information exchange for care
coordination purposes, and thus would
seem to be inconsistent with many of
the other proposed amendments.
Response
We acknowledge comments that SUD
counseling notes and psychotherapy
notes are not precisely equivalent.
However, SUD counseling notes, like
psychotherapy notes, may also include
particularly sensitive details about a
patient’s medical conditions and
personal history. Such concerns may be
especially acute, for instance, with
pediatric patients 165 or patients who
have or are at risk of conditions such as
human immunodeficiency virus
(HIV).166 While these commenters’
anecdotal accounts are helpful to our
understanding of the issues, these
experiences and comments do not
necessarily apply to the majority of SUD
counseling situations in which the
clinician’s notes may play an important
role in patient treatment and necessitate
the additional protections made
available in this final rule. More than
two-thirds of commenters on this issue
expressed support for moving forward
with a new definition and heightened
protections for SUD counseling notes.
Comment
A health care provider expressed
support for an approach that
destigmatizes SUD treatment and
promotes access to clinically relevant
information that is valuable and
informative for all TPO purposes. As
such, the provider did not believe that
creating additional protections for SUD
counseling notes would promote access
and exchange of valuable information.
An SUD treatment provider association
urged the Department to limit
disclosures of patient information that
are not necessary for the purpose of the
disclosure, such as details of trauma
history that are not needed for TPO,
except by the treating clinician. An
insurance association suggested that a
new definition of ‘‘SUD counseling
notes’’ could be beneficial in some
circumstances when heightened privacy
is warranted. But a new definition also
could impede care coordination because
SUD counseling notes may contain
clinically relevant information and help
inform coordinated treatment plans,
according to this commenter, who also
asserted that some programs may have
difficulty implementing the requirement
and be unable to share the remainder of
the record for TPO. The commenter
urged the Department not to create a
separate category for SUD counseling
notes but instead to allow SUD
providers to determine how to best
record these notes. Another insurance
association requested that the
Department use this rule as an
opportunity to: (1) reinforce the existing
HIPAA restrictions on sharing
psychotherapy notes; and (2) clarify that
SUD counseling notes are not
psychotherapy notes and may be used
and disclosed for TPO.
165 See Substance Abuse and Mental Health Servs. Admin., ‘‘Treatment Considerations for Youth and Young Adults with Serious Emotional Disturbances and Serious Mental Illnesses and Co-occurring Substance Use’’ (2021), https://www.samhsa.gov/resource/ebp/treatment-considerations-youth-young-adults-serious-emotional-disturbances-serious.
166 See Substance Abuse and Mental Health Servs. Admin., ‘‘Prevention and Treatment of HIV Among People Living with Substance Use and/or Mental Disorders’’ (2020), https://store.samhsa.gov/product/Prevention-and-Treatment-of-HIV-Among-People-Living-with-Substance-Use-and-or-Mental-Disorders/PEP20-06-03-001.
Response
We acknowledge these comments and
discuss additional related provisions
below in § 2.31. We do not believe the
final ‘‘SUD counseling notes’’ definition
will contribute to stigma or
discrimination for SUD patients because
it strengthens confidentiality for the
most sensitive information shared
during treatment and does so in a
manner similar to what already exists in
the HIPAA regulations. We do not agree
that the ‘‘SUD counseling notes’’
definition will impede care
coordination because the nature of these
notes is that they are intended primarily
for use by the direct treating clinician.
We agree that the final rule may be an
opportunity to provide additional
education on existing HIPAA
psychotherapy note provisions and will
consider what additional guidance may
be helpful after this rule is finalized. In
addition, we note that a part 2 program’s
use of separate SUD counseling notes is
voluntary and optional—although a
program may adopt a facility-wide
policy that either supports or disallows
the creation and maintenance of such
notes. As noted above, through the
separate definition adopted in this final
rule in § 2.11, SUD counseling notes
under this final rule are part 2 records
but cannot be disclosed based on a TPO
consent.
Comment
A medical professionals association
expressed concern about potential
challenges associated with maintaining
SUD counseling notes, noting that the
creation of a distinct class of
psychotherapy notes in HIPAA provides
an illustrative example of the challenge
of implementing specific data
protections within a medical record:
although the ‘‘psychotherapy notes’’
option was added to HIPAA to protect
psychotherapist-patient privilege, this
option specifically excludes key
elements of psychotherapy session notes
that are required for routine clinical care
as well as for billing purposes (e.g.,
medication prescription and
monitoring, summary of diagnosis,
treatment plan). As a result, according
to this commenter, if a HIPAA-defined
‘‘psychotherapy note’’ is used, it must
always be accompanied by a clinical
note that includes the essential elements
for routine clinical care and billing.
Response
We acknowledge this comment and
appreciate the analogy to HIPAA
psychotherapy notes in clinical practice;
however, we believe the framework is a
valuable option for some clinicians,
with the understanding that the notes
are intended to be used only by the
clinician. Neither the HIPAA Privacy
Rule nor this final rule mandate the use
within a mental health practice or a part
2 program of ‘‘psychotherapy notes’’ or
‘‘SUD counseling notes’’ as defined
within the respective regulations.
However, clinicians who choose to keep
separate notes for their own use are
afforded some additional privacy and
the patient’s confidentiality is also
protected by additional consent
requirements under § 2.31(b) (Consent
required: SUD counseling notes).
Comment
A medical professionals association
suggested that the Department create a
regulatory definition of an ‘‘SUD
professional’’ who is qualified to
perform treatment and prepare SUD
counseling notes.
Response
The definition of ‘‘SUD counseling
notes’’ matches the definition of
‘‘psychotherapy notes’’ under the
HIPAA Privacy Rule except for the
references to SUD professionals and
SUD notes. Historically, the Department
has considered licensed providers as
‘‘professionals.’’ We did not propose
and therefore are not finalizing a
definition of SUD professionals either
separately or in relation to SUD
counseling notes. The exception to the
consent requirement for use in a part 2
program’s training program indicates
that an ‘‘SUD professional’’ may be
someone who is completing their
practical experience to receive a degree
or professional certification or license,
and, additionally, that such notes may
be used in clinical supervision.
Final Rule
The final rule adopts the definition of
‘‘SUD counseling notes’’ as proposed in
the NPRM.
Third-Party Payer
The term ‘‘third-party payer’’ refers to
an entity with a contractual obligation
to pay for a patient’s part 2 services and
includes some health plans, which by
definition are covered entities under
HIPAA. The current regulation, at
§ 2.12(d)(2), limits disclosures by third-party
payers to a shorter list of purposes
than the HIPAA Privacy Rule allows for
health plans. The Department proposed
to exclude covered entities from the
definition of ‘‘third-party payer’’ to
facilitate implementation of 42 U.S.C.
290dd–2(b)(1)(B), as amended by
section 3221(b) of the CARES Act,
which enacted a permission for certain
recipients of part 2 records to redisclose
them according to the HIPAA standards.
The result of this proposed change
would be that the current part 2
disclosure restrictions continue to apply
to a narrower set of entities. The
Department believes that this approach
would carry out the intent of the CARES
Act, while preserving the privacy
protections that apply to payers that are
not covered entities. The Department
also proposed a wording change to
replace the phrase ‘‘individual or
entity’’ with the term ‘‘person’’ as now
proposed to comport with the HIPAA
meaning of the term.
Comment
The Department received
overwhelmingly supportive comments
on the intent to distinguish health
plans, which are covered entities, from
other third-party payers who would be
subject to part 2 (but not HIPAA). The
rationales offered for supporting this
proposal were that it furthers the
implementation of the CARES Act
requirement to align part 2 with HIPAA,
reduces the need to segment part 2
records, reduces health plan burden,
and allows health plans to engage in
more activities that improve health care,
such as care coordination and
accountable care.
Response
We appreciate the comments.
Comment
Several commenters stated that the
definition could be confusing to some
readers and requested clarification in
the final rule along with additional
examples of entities that would remain
subject to part 2 as third-party payers.
Specifically, a trade association
requested that the Department exclude
business associates of health insurance
providers (i.e., a health plan/payer) from
this definition because they are not
independent ‘‘third-party payers’’ but
rather are acting on behalf of a health
insurance provider. A health system
requested that the Department ensure
that ACOs and population health
providers have access to full part 2
information without a beneficiary
having to explicitly opt-in to data
sharing.
Response
We appreciate the comments and
clarify that business associates acting on
behalf of health plans are not
independent ‘‘third-party payers’’ who
would fall within this definition.
However, business associates are listed
along with covered entities in the new
language of § 2.12(d)(2)(i)(C), which
expressly states that covered entities
and business associates are not required
to segregate records or segment part 2
data once received from a part 2
program based on a TPO consent.
Comment
One commenter asserted that the
proposed rule did not clearly address
the role of third-party payers, including
the more active role of these entities in
coordinating patient care. This
commenter cited, for example, that
third-party payers could provide direct
care coordination; services such as
home health visits as a covered entity;
or function solely as a third-party payer,
making payment and overseeing quality
claims reporting for providers. The
commenter cited the Ohio Medicaid
Comprehensive Privacy Care or ‘‘CPC’’
alternative payment program as an
example where health plans act as
managed care organizations that oversee
various avenues of payment as well as
core coordination in conjunction with
providers. This commenter also
believed that the definition is intended
to ensure that third-party payers that are
not HIPAA covered entities are also
subject to the same rules as covered
entities with respect to part 2 records
and recommended that HHS clarify the
definitions of ‘‘covered entity’’ and
‘‘third-party payer’’ to explain the
relationship between these groups and
the obligations of each with respect to
part 2 information.
Response
We appreciate the commenter’s
description of new models of payment
and care coordination. However, we
believe the commenter misapprehends
the intent of the proposed definition,
which is finalized in this rule. The
intent is to distinguish third-party
payers, which are not covered entities,
from health plans (which, by definition,
are covered entities). If a third-party
payer is not a covered entity, then it is
not subject to part 2 provisions that
apply to covered entities except when
(a) specifically identified as being
subject to these provisions or (b) in
those instances where third-party payers
are lawful holders by virtue of having
received part 2 records under a written
consent or an exception to the consent
requirements. For example, some nonprofit organizations provide health care
reimbursement for individuals and
some entities provide payment as part of
an insurance policy that does not meet
the definition of health plan in HIPAA.
Final Rule
The final rule adopts all proposed
modifications to the definition of ‘‘third-party
payer’’ in § 2.11, without further
modification.
Treating Provider Relationship
The Department proposed to modify
the part 2 definition of ‘‘treating
provider relationship’’ by replacing the
phrase ‘‘individual or entity’’ with
‘‘person,’’ in accordance with the
proposed changes to the definition of
‘‘person’’ described above. Additionally,
several minor wording changes were
proposed for clarity.
Comment
We received no comments on the
proposed changes to this definition.
Final Rule
The final rule adopts the proposed
changes to the definition of ‘‘treating
provider relationship’’ without further
modification.
Treatment
The Department proposed to modify
the part 2 definition of ‘‘treatment’’ by
adopting the HIPAA Privacy Rule
definition in 45 CFR 164.501 by
reference. This would implement
subsection (k) of 42 U.S.C. 290dd–2,
added by section 3221(d) of the CARES
Act, requiring that the term be given the
same meaning of the term for the
purposes of the HIPAA regulations. As
discussed in the NPRM, by replacing the
existing language, the Department does
not intend to change the scope of
activities that constitute treatment. In
this context, treatment includes the care
of a patient suffering from an SUD, a
condition which is identified as having
been caused by the SUD, or both, to
reduce or eliminate the adverse effects
upon the patient.
Comment
In addition to the supportive
comments discussed above, a state
government expressed specific support
for the adoption of the HIPAA definition
of the term ‘‘treatment.’’
Response
We appreciate the comments.
Final Rule
The final rule adopts all proposed
modifications to the definition of
‘‘treatment’’ in § 2.11, without further
modification.
Unsecured Protected Health Information
The Department proposed to adopt
the same meaning of this term as used
in the HIPAA regulations at 45 CFR
164.402 to mean PHI that is not
rendered unusable, unreadable, or
indecipherable to unauthorized persons
through the use of a technology or
methodology specified by the Secretary
in guidance. This proposal would
implement subsection (k) of 42 U.S.C.
290dd–2, added by section 3221(d) of
the CARES Act, requiring that the term
in this part be given the same meaning
as the term for the purposes of the
HIPAA regulations.
Comment
Other than the supportive comments
discussed above pertaining to the
changes to definitions generally, the
Department did not receive specific
comments for its proposed definition of
this term in the regulation.
Response
We appreciate the comments.
Final Rule
The final rule adopts all proposed
modifications to the definition of
‘‘unsecured protected health
information’’ in § 2.11, without further
modification.
Unsecured Record
In the NPRM, the Department
explained its view that the proposed
addition was necessary to implement
the newly required breach notification
standards for part 2 records. To align
with the definition of ‘‘unsecured
protected health information’’ in the
HIPAA regulations at 45 CFR 164.402,
the Department proposed to apply a
similar concept to records, as defined in
this part. Thus, an ‘‘unsecured record’’
would be one that is not rendered
unusable, unreadable, or indecipherable
to unauthorized persons through the use
of a technology or methodology
specified by the Secretary in the
guidance issued under Public Law 111–
5, section 13402(h)(2).167
Comment
The Department received one
comment from a state government that
suggested eliminating ‘‘unsecured
record,’’ in favor of ‘‘unsecured
protected health information’’ because
two terms are unnecessary.
Response
We appreciate the comment but
believe both terms are needed to
implement the newly required breach
notification standards for part 2 records,
which are defined differently from PHI.
Final Rule
The final rule adopts all proposed
modifications to the definition of
‘‘unsecured record’’ in § 2.11, without
further modification.
Use
The Department proposed to add a
definition of this term that is consistent
with the definition in the HIPAA
regulations at 45 CFR 160.103 and as the
term is applied to the conduct of
proceedings specified in 42 U.S.C.
290dd–2(c). As explained in the NPRM,
the Department believes this addition is
necessary to more fully align part 2 with
the HIPAA regulations’ use of the
phrase ‘‘use and disclosure,’’ as well as
make clear, where applicable, that many
of the activities regulated by this part
involve not only disclosures but internal
uses of part 2 records by programs or
recipients of part 2 records. The
Department also proposed this
definition to clarify that in this part, the
term ‘‘use’’ has a secondary meaning in
accordance with the statutory
requirements at 42 U.S.C. 290dd–2(c)
for ‘‘use’’ of records in civil, criminal,
administrative, and legislative
investigations and proceedings. The
Department discusses in greater detail
the addition of the term ‘‘use’’ to
specific provisions throughout this rule.
167 See U.S. Dep’t of Health and Human Servs., ‘‘Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals’’ (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.
Comment
The Department received
overwhelmingly supportive comments
on the proposed changes throughout
this rule to include ‘‘use and’’ preceding
‘‘disclosure.’’ With respect to proposed
definitions of ‘‘use’’ and ‘‘disclosure,’’
one commenter stated that the term
‘‘use’’ was broad enough to incorporate
both the current understanding (as
applied to legal proceedings) and the
HIPAA understanding (applied to use of
records within a health care entity)
without creating confusion and other
commenters agreed the proposal would
provide clarity. Additionally, several
commenters recommended that the
Department adopt the HIPAA
definitions of ‘‘use’’ and ‘‘disclosure’’ to
further align part 2 with the HIPAA
regulations. Another commenter
suggested further that the final rule
eliminate the clause ‘‘or in the course of
civil, criminal, administrative, or
legislative proceedings as described at
42 U.S.C. 290dd–2(c)’’ because the
proposed language departs from the
HIPAA definition and is unnecessary.
Response
We appreciate the comments.
Although we are declining to adopt the
HIPAA definition of ‘‘use,’’ we believe
that the definition finalized in this rule
is consistent with HIPAA’s definition
and with the additional second meaning
in this part in accordance with the
statutory requirements at 42 U.S.C.
290dd–2(c) for ‘‘use’’ of records in civil,
criminal, administrative, and legislative
proceedings.
Comment
One commenter, a health system,
suggested that the Department revise the
definition of ‘‘use’’ within the HIPAA
regulations to match the understanding
of its meaning as proposed here, to
include the initiation of a legal
proceeding.
Response
We appreciate this comment, but it is
not within the scope of this rulemaking
to address the definition of ‘‘use’’ within
the HIPAA regulations.
Final Rule
The final rule adopts all proposed
modifications to the definition of ‘‘use’’
in § 2.11, without further modification.
Section 2.12—Applicability
Proposed Rule
In addition to changes to the use and
disclosure language in this section,
discussed above, the Department
proposed to modify paragraph (a) to
update the terminology by replacing
‘‘drug abuse’’ with ‘‘substance use
disorder.’’ The Department also
proposed to modify paragraph (c)(2) of
this section, which excludes from part
2 requirements certain interchanges of
information within the Armed Forces
and between the Armed Forces and the
VA, by replacing ‘‘Armed Forces’’ with
‘‘Uniformed Services.’’ This proposed
change would align the regulatory text
with the statutory language at 42 U.S.C.
290dd–2(e).
As we noted in the 2021 HIPAA
NPRM to modify the HIPAA Privacy
Rule, the U.S. Public Health Service
(USPHS) and the National Oceanic and
Atmospheric Administration (NOAA)
Commissioned Corps share
responsibility with the Armed Services
for certain critical missions, support
military readiness and maintain medical
fitness for deployment in response to
urgent and emergency public health
crises, and maintain fitness for
deployment onto U.S. Coast Guard
manned aircraft and shipboard
missions. Because this part 2 proposal
with respect to the Uniformed Services
is consistent with the underlying
statute, the Department does not believe
the modification will change how SUD
treatment records are treated for USPHS
and NOAA Commissioned Corps
personnel, but requested comment on
this assumption.
The Department proposed in
paragraph (d)(1) of this section to
expand the restrictions on the use of
records as evidence in criminal
proceedings against the patient by
incorporating the four prohibited
actions specified in 42 U.S.C. 290dd–
2(c), as amended by the CARES Act, and
expanding the regulatory prohibition on
use and disclosure of records against
patients to cover civil, administrative, or
legislative proceedings in addition to
criminal proceedings.168 Absent patient
consent or a court order, the proposed
prohibitions are: (1) the introduction
into evidence of a record or testimony
in any criminal prosecution or civil
action before a Federal or State court; (2)
reliance on the record or testimony to
form part of the record for decision or
otherwise be taken into account in any
proceeding before a Federal, State, or
local agency; (3) the use of such record
or testimony by any Federal, State, or
local agency for a law enforcement
purpose or to conduct any law
enforcement investigation; and (4) the
use of such record or testimony in any
application for a warrant.
168 Administrative agencies may issue subpoenas
pursuant to their authority to investigate matters
and several statutes authorize the use of
administrative subpoenas in criminal
investigations. For example, these may be cases
involving health care fraud, child abuse, Secret
Service protection, controlled substance cases,
inspector general investigations, and tracking
unregistered sex offenders. See Charles Doyle,
Administrative Subpoenas in Criminal
Investigations: A Brief Legal Analysis, CRS Report
RL33321 (Dec. 19, 2012), https://crsreports.congress.gov/product/pdf/RL/RL33321;
Legislative investigations may also be conducted in
furtherance of the functions of Congress or state
legislative bodies. See U.S. Dept. of Justice, Off. of
Legal Policy, Report to Congress on the Use of
Administrative Subpoena Authorities by Executive
Branch Agencies and Entities: Pursuant to Public
Law 106–544, https://www.justice.gov/archive/olp/rpt_to_congress.htm.
The Department further proposed
changes to paragraph (d)(2) (Restrictions
on use and disclosures). In paragraph
(d)(2)(i) (Third-party payers,
administrative entities, and others), the
term ‘‘third-party payer’’ as modified in
§ 2.11 would have the effect of
excluding covered entity health plans
from the limits on redisclosure of part
2 records. To clarify the modified scope
of this paragraph, the Department
proposed to insert qualifying language
in § 2.12(d)(2)(i)(A) to refer to ‘‘third-party
payers, as defined in this part.’’
This approach implements the CARES
Act changes in a manner that preserves
the existing redisclosure limitations for
any third-party payers that are not
covered entities. The modified
definition of ‘‘third-party payer’’ in
§ 2.11 excludes health plans by
describing a ‘‘third-party payer’’ as ‘‘a
person, other than a health plan as
defined at 45 CFR 160.103, who pays or
agrees to pay for diagnosis or treatment
furnished to a patient on the basis of a
contractual relationship with the patient
or a member of the patient’s family or
on the basis of the patient’s eligibility
for Federal, state, or local governmental
benefits’’ [emphasis added]. As a result
of the proposal, health plans would be
permitted to redisclose part 2
information as permitted by the HIPAA
regulations and other ‘‘third-party
payers’’ would remain subject to the
existing part 2 prohibition on
redisclosure.
The Department also proposed to
substitute the term ‘‘person’’ for the
term ‘‘entity’’ and the phrase
‘‘individuals and entities’’ in
§ 2.12(d)(2)(i)(B) and (C), respectively.
As discussed above in relation to § 2.11
(Definitions), the Department does not
intend this to be a substantive change,
but rather an alignment with the term as
it is defined in the HIPAA Privacy Rule
at 45 CFR 160.103.
In addition to these proposed changes
to § 2.12(d), the Department requested
comment on how the proposed
revisions to § 2.33 (Uses and disclosures
with written consent), might affect the
future data segregation practices of part
2 programs and recipients of part 2
records. We include comments on that
topic in this section because it provides
the only explicit reference to data
segmentation and segregation of records
within the regulation. Operationalizing
consent for TPO, more narrow consent,
revocation of consent, and requests for
restrictions on disclosures for TPO may
raise challenges concerning tagging,
tracking, segregating and segmenting
records and health data. These issues
are addressed across multiple sections
of the final rule, including §§ 2.12, 2.22,
2.31, 2.32, and 2.33.
The Department proposed to conform
paragraph (e)(3) of § 2.12 to 42 U.S.C.
290dd–2(c), as amended by section
3221(e) of the CARES Act, by expanding
the restrictions on the use of part 2
records in criminal proceedings against
the patient to expressly include
disclosures of part 2 records and to add
civil and administrative proceedings as
additional types of forums where use
and disclosure of part 2 records is
prohibited, absent written patient
consent or a court order. Additionally,
the Department proposed to clarify
language in paragraph (e)(4)(i) of § 2.12,
which excludes from part 2 those
diagnoses of SUD that are created solely
to be used as evidence in a legal
proceeding. The proposed change
would narrow the exclusion to
diagnoses of SUD made ‘‘on behalf of
and at the request of a law enforcement
agency or official or a court of
competent jurisdiction’’ to be used as
evidence ‘‘in legal proceedings.’’ The
Department believed the proposed
clarification would tighten the nexus
between a law enforcement or judicial
request for the diagnosis and the use or
disclosure of the SUD diagnosis based
on that request, and requested comment
on this approach.
We respond to comments on all
aspects of § 2.12 below.
Comment
A few health system commenters
supported the proposed change in
paragraph (c)(2) to replace Armed
Forces with Uniformed Services to be
more inclusive.
Response
We appreciate the comments.
Comment
A few commenters expressed
concerns about paragraph (c)(6) of this
section, which excludes from part 2
applicability the use and disclosure of
part 2 records in reports of child abuse
and neglect mandated by state law and
the fact that the exception does not
allow for reporting of vulnerable adult
and elder abuse or domestic violence.
Response
Modifications to this provision are
outside of the scope of this rulemaking.
Moreover, the exception that allows part
2 programs to disclose otherwise
confidential records for child abuse
reporting is based in a statutory
exclusion in 42 U.S.C. 290dd–2(e).
Because Congress had the opportunity
to address this statutory exclusion in the
CARES Act amendments and did not do
so, we do not believe we can unilaterally
expand the exclusion by adding a
regulatory exception for elder or
vulnerable adult abuse similar to that
for child abuse reporting. Congress
could in the future choose to add to the
statute an exception that would allow
part 2 programs to report vulnerable
adult and elder abuse and neglect. We
further address options for disclosures
to prevent harm in the discussion of
§ 2.20 (Relationship to state laws).
Comment
Some commenters supported the
proposed changes in paragraph (d)(2) to
the prohibition on use and disclosure of
part 2 records against a patient or a part
2 program in investigations and
proceedings absent patient consent or a
court order. These commenters
appreciated the expanded protection
from use and disclosure in legislative
and administrative investigations and
proceedings and the express protection
of testimony that conveys information
from part 2 records within the consent
or court order requirements. Some
commenters thought that these express
and expanded protections would serve
as a beneficial counterweight to easing
the flow of part 2 records for health
care-related purposes.
Response
We appreciate the comments and
agree that the expanded scope of
protection to include not only records
but testimony and to include legislative
and administrative proceedings
provides greater protection to patients
and part 2 programs that are the subject
of investigations and proceedings.
Comment
Many commenters expressed concern
about the use of written consent as a
way to overcome the prohibition against
the use of records in proceedings against
patients, expressing alarm that this
could allow coerced consent by law
enforcement.
Response
We address the concerns about
allowing patient consent for use and
disclosure of records in legal
proceedings in the discussion of § 2.31
(Consent requirements). Patient consent
was not the intended focus of the
modifications to § 2.12(d), but was
included to mirror the statutory
language in 42 U.S.C. 290dd–2(c), as
amended by section 3221(e) of the
CARES Act. The final rule provides
guardrails for the consent process in a
new paragraph to § 2.31, discussed
below.
Comment
A county board of supervisors
commented on changes to paragraph
(d)(2), stating that the current
regulations require a special court order
to authorize the use or disclosure of
patient records in a criminal
investigation or prosecution. The county
expressed concern that a lack of
meaningful safeguards when allowing
the disclosure of patients’ SUD records
by patient consent may result in
patients being asked to consent to
disclosures of their protected SUD
treatment records as a condition of a
plea deal, sentencing, or release from
custody, and that without adequate
protections individuals may fear this
information being used against them
and may not seek treatment. According
to the commenter, expanding the ability
to access and use patients’ SUD
treatment records in criminal cases may
result in harm to patients such as
exacerbation of disparities in access to
SUD treatment, criminalization of SUD,
and treatment outcomes. The
commenter recommended that HHS
include meaningful protections in the
final rule against patients being coerced
into signing consent forms that can be
used against them in a criminal or civil
case.
Response
We have added at § 2.31(d) an express
requirement that consent for use and
disclosure of records in civil, criminal,
administrative, and legislative
investigations and proceedings be
separate from consent to use and
disclose part 2 records for other
purposes. The existing rule, at § 2.33(a),
permits patients to consent to use and
disclosure of their records and that part
2 programs may disclose the records
according to the consent. We interpret
this to include consent for use and
disclosure of records in legal
proceedings, including those that are
brought against a patient. Thus, we do
not view this final rule’s language about
consent in § 2.12(d) as creating a
substantive change to patients’ rights or
the existing procedures for legal
proceedings, but as clarifying how
consent is one option for achieving the
use and disclosure of records in
proceedings against a patient.
Nonetheless, because the role of
patient consent is expanding, we
created the new requirement for
separate consent as § 2.31(d) in response
to many comments about the potential
for coerced consent and specific
suggestions about ways to reduce
instances of potential coercion,
including requiring it to be separate
from TPO consent or consent to
treatment. This paragraph provides that
patient consent for use and disclosure of
records (or testimony relaying
information contained in a record) in a
civil, criminal, administrative, or
legislative investigation or proceeding
cannot be combined with a consent to
use and disclose a record for any other
purpose. Some commenters asserted
that patients are particularly vulnerable
to coerced consent at the initiation of
treatment when they are suffering the
effects of SUD and that they may not
fully appreciate how their records may
be used or disclosed in proceedings
against them. Thus, requiring separate
consent for use or disclosure of records
in investigations or proceedings against
a patient would help ensure that
patients are better aware of the nature of
the proceedings and how their records
may be used. Signing a separate
document specific to one purpose draws
attention to the consent decision and
provides greater opportunity for review
of the nature of the consent. Comments
about the proposed changes for legal
proceedings are also addressed in §§ 2.2,
2.31, 2.66, and 2.67. Additional
comments with similar concerns are
discussed in § 2.31.
Comment
With respect to the applicability of
part 2 to third-party payers, we received
overwhelming support from the several
organizations that commented on the
proposed changed definition of third-party payer as applied in paragraph
(d)(2)(i) of this section. These
commenters supported the proposal to
distinguish health plans, which are
covered entities, from other third-party
payers who are subject to part 2 (but not
subject to HIPAA). One commenter
explained their understanding that
covered entity payers (e.g., health plans)
would already be included in the
meaning of covered entity for the
purposes of part 2 and HIPAA, and
therefore able to operate under the
relaxation of the redisclosure
prohibition for TPO purposes while
‘‘third-party payers’’ under this
narrowed definition would not. The
commenter stated its belief that the
change was an important and useful
clarification of the continued
redisclosure prohibition on treatment
uses by such third-party payers.
A few HIE/HIN commenters strongly
supported this change because the
inability to segment the part 2-protected
claims/encounter data from the non-part
2 data has often been a barrier to health
plans contributing the clinical
component of this administrative data to
local, regional, and national HIE efforts.
Additionally, a health system requested
that the Department ensure that ACOs
and population health providers have
access to full part 2 information without
a beneficiary having to explicitly opt-in
to data sharing.
Response
We appreciate the comments
concerning how the proposed narrower
definition of ‘‘third-party payer’’
operates in paragraph (d)(2) of this
section. Applicability to health plans is
now addressed under paragraph
(d)(2)(C) within the reference to covered
entities. Additionally, the new
statement in paragraph (d)(2)(C) in this
final rule provides that health plans are
not required to segregate records or
segment data upon receipt from a part
2 program. ACOs and population health
providers will need to evaluate the
applicability provision based on their
status as covered entities or business
associates.
Comment
A medical professionals association
voiced its strong support for data
segmentation in support of data
interoperability while maintaining
patient privacy; capabilities for EHRs to
track and protect sensitive information
before it can be disclosed or redisclosed;
and continuous monitoring and data
collection regarding unintended harm to
patients from sharing their sensitive
information.
Response
We appreciate the comment about
improving the capabilities for EHRs to
segment data to maintain patient
privacy while also remaining
interoperable. The final rule change
expressly stating that data segmentation
is not required by recipients under a
TPO consent does not preclude the
voluntary use of data segmentation or
tracking as means to protect sensitive
data from improper disclosure or
redisclosure. As a result of the
modifications to paragraph (d)(2) of
§ 2.12, key recipients of part 2 records
may choose the best method for their
health IT environment and
organizational structure to protect
records from use and disclosure in legal
proceedings against the patient, absent
consent or a court order. For example,
the use of the data segmentation for
privacy (‘‘DS4P’’) standard as adopted
as part of the ONC Health IT
Certification Program criteria in 45 CFR
170.315(b) is a technical capability that
would be acceptable/sufficient.169
Comment
A few individual commenters, a
police and community treatment
collaborative, a health IT vendor, and an
SUD recovery policy organization,
requested changes to paragraph (e)(4),
which applies to a ‘‘[d]iagnosis which is
made on behalf of and at the request of
a law enforcement agency or official or
a court of competent jurisdiction solely
for the purpose of providing
evidence[.]’’ Specifically, they
recommended in § 2.12(e)(4)(i) that we
add language to include the purpose of
determining eligibility for participation
in deflection, diversion, or reentry
alternatives to incarceration. The
commenters stated that alternatives to
incarceration require swift assessments,
diagnoses, and referrals to treatment and
care, and that the requested change is
narrowly tailored and consistent with
best practice and priorities within the
justice field.
Response
We decline to further modify
paragraph (e)(4) in the manner
suggested, although we appreciate the
comment and the intent to support
criminal justice deflection programs and
alternatives to incarceration where
appropriate. The changes we proposed
to this paragraph were for clarification
and not intended to create substantive
modifications. However, we believe that
as drafted, the final regulatory language
supports the disclosure of diagnoses
made for the purpose of providing
evidence for any number of purposes,
which could include determining
eligibility for participation in deflection,
diversion, or reentry alternatives to
incarceration. Thus, in our view, the
suggested change is not necessary to
meet the commenter’s purposes.
169 See The Off. of the Nat’l Coordinator for
Health Info. Tech., ‘‘Certification Companion
Guide: Security tags’’ (2015), https://www.healthit.gov/test-method/security-tags-summary-care-send.
Final Rule
The final rule adopts all proposed
changes to § 2.12 and further modifies
this section by: (1) clarifying that the
restrictions on uses and disclosures of
records in proceedings against a patient
apply to persons who receive records
from not only part 2 programs and
lawful holders, but also from covered
entities, business associates, and
intermediaries to allow for the new
operation of consent as enacted by the
CARES Act; 170 (2) modifying paragraph
(b)(1) by replacing ‘‘Armed Forces’’ with
‘‘Uniformed Services’’ to conform with
the changes in paragraph (c)(2) and the
statutory language at 42 U.S.C. 290dd–
2(e); (3) adding an express statement to
paragraph (d)(2)(i)(C) that recipients of
records under a TPO consent who are
part 2 programs, covered entities, and
business associates are not required to
segregate the records received or
segment part 2 data; and (4) removing a
phrase in paragraph (d)(2)(ii) that
implied a requirement for recipients of
part 2 records to segregate or segment
the data received, including removing
the requirement from covered entities,
business associates, and intermediaries,
as well as from part 2 programs.
Section 2.13—Confidentiality
Restrictions and Safeguards
Proposed Rule
The current provisions of this section
apply confidentiality restrictions and
safeguards to how part 2 records may be
‘‘disclosed and used’’ in this part, and
specifically provide that part 2 records
may not be disclosed or used in any
civil, criminal, administrative, or
legislative proceedings. The current
provisions also provide that
unconditional compliance with part 2 is
required by programs and lawful
holders and restrict the ability of
programs to acknowledge the presence
of patients at certain facilities. Changes
to the Department’s use of terms ‘‘use’’
and ‘‘disclose’’ in this section are
discussed above. Paragraph (d) of § 2.13
(List of disclosures), includes a
requirement for intermediaries to
provide patients with a list of entities to
which an intermediary, such as an HIE,
has disclosed the patient’s identifying
information pursuant to a general
designation. The Department proposed
to remove § 2.13(d) and redesignate the
content as § 2.24, change the heading of
§ 2.24 to ‘‘Requirements for
intermediaries,’’ and in § 2.11 create a
regulatory definition of the term
‘‘intermediary’’ as discussed above. The
Department’s proposal to redesignate
§ 2.13(d) as § 2.24 would move the
section toward the end of subpart B
(General Provisions), to be grouped with
the newly proposed §§ 2.25 and 2.26
about patient rights and disclosure.
Section 2.24 is discussed separately
below.
170 The non-substantive wording changes to
paragraphs (a), (c), and (e) are included in the
amendatory language in the last section of this final
rule.
In addition to these proposed
structural changes, the Department also
proposed minor wording changes to
paragraphs (a) through (c) of § 2.13 to
clarify who is subject to the restrictions
and safeguards with respect to part 2
records. The Department solicited
comment on the extent to which part 2
programs look to the HIPAA Security
Rule as a guide for safeguarding part 2
electronic records. The Department also
requested comment on whether it
should modify part 2 to apply the same
or similar safeguards requirements to
electronic part 2 records as the HIPAA
Security Rule applies to ePHI or
whether other safeguards should be
applied to electronic part 2 records.
Comment
We received general support from an
HIE regarding our efforts to align the
security requirements in part 2 for EHRs
with the HIPAA Security Rule. An
individual commenter said that similar
safeguard requirements should apply to
electronic part 2 records as the HIPAA
Security Rule applies to ePHI. The
commenter stated that, ideally, stronger
safeguards should apply to electronic
part 2 records because these records can
function as a bridge to discrimination,
sanctions, and adverse actions. An
insurer commenter stated that it
manages electronic part 2 records and
information consistent with the HIPAA
Security Rule currently and would—in
keeping with the concept of treating
SUD information the same as other
PHI—support applying the same rules
and protections of the HIPAA Security
Rule to electronically stored and
managed part 2 records and
information. Noting that the HIPAA
Privacy and Security Rules are widely
adopted across the health care
continuum, an HIE association
encouraged the Department to pursue
further alignment with HIPAA Security
Rule requirements where appropriate.
Another health insurer supported
aligning part 2 safeguards with the
safeguards applicable under the HIPAA
regulations. This commenter stated that,
as HHS works to align part 2 regulations
with HIPAA regulations, the ultimate
goal should be to streamline policies
while ensuring the protection of patient
data across programs and data sharing
platforms. The health plan and another
commenter, a health insurer, believed
that different types of PHI should share
the same level of protection and
supports Department efforts toward this
end.
Response
We appreciate the comments on our
proposed changes and comments on
modifying part 2 to apply the same or
similar safeguard requirements to
electronic part 2 records as apply to the
HIPAA Security Rule. Prior to our
changes in this final rule, part 2
programs and other lawful holders
already were required to have in place
formal policies and procedures to
reasonably protect against unauthorized
uses and disclosures of patient
identifying information and to protect
against reasonably anticipated threats or
hazards to the security of patient
identifying information. The provisions
applied to paper records and electronic
records.
Consistent with the amendment
enacted in the CARES Act and codified
at 42 U.S.C. 290dd–2(j), the final rule
applies breach notification requirements
to ‘‘unsecured records’’ in the same
manner as they currently apply to
‘‘unsecured PHI’’ in the Breach
Notification Rule, including specific
requirements related to the manner in
which breach notification is provided.
We are not making any additional
modifications to align the HIPAA
Security Rule and part 2 at this time, but
will take these comments into
consideration in potential future
rulemaking.
Comment
A few HIEs/HIE associations urged
the Department to add new language to
§ 2.13 that expressly provides:
‘‘[c]onsent revocation. If a patient
revokes a consent, the consent
revocation is only effective to prevent
additional disclosures from the part 2
program(s) to the consent recipient(s). A
recipient is not required to cease using
and disclosing part 2 records received
prior to the revocation.’’
The commenters believed that adding
this language to § 2.13 would mitigate
part 2 program concerns that they might
be held accountable for a recipient’s
continued use and disclosure of
previously disclosed part 2 program
records. The Department sought
comment on whether it should require
part 2 programs to inform an HIE when
a patient revokes consent for TPO so
that additional uses and disclosures by
the HIE would not be imputed to the
programs that have disclosed part 2
records to the HIE. These commenters
responded that requiring such
notification would directly contradict
the Department’s statements in the
preamble to the NPRM—and the
purpose of the CARES Act—because a
notification implies that it would be
unlawful for the HIE to continue to use
and disclose the part 2 records it
received prior to revocation. A better
approach according to these
commenters would be to clarify in the
part 2 regulations what is and is not
permitted after a revocation.
Response
Revocation of consent is associated
with a patient’s wish to modify or
rescind previously granted written
consent provided under § 2.31 in
subpart C. We do not agree that stating
revocation requirements in this section
would clarify these requirements and
those issues are addressed in the
discussion of § 2.31.
Comment
A medical professionals association
generally supported the alignment of
redisclosure processes with HIPAA. The
commenter also supported prohibiting
redisclosures of records for use in civil,
criminal, administrative, and legal
proceedings. Along with increased
patient and provider education about
disclosure and data protection, the
association further encouraged the
Department to support the development
of technological infrastructure to
manage these data once disclosed.
Final Rule
The final rule adopts the changes to
§ 2.13 as proposed, including removing
paragraph (d) and redesignating it as
§ 2.24 (Requirements for
intermediaries).171
171 The changes to the remaining provisions of
§ 2.13 are non-substantive and are included in the
amendatory language in the last section of this final
rule.
Section 2.14—Minor Patients
Proposed Rule
The Department proposed to change
the verb ‘‘judges’’ to ‘‘determines’’ to
describe a part 2 program director’s
evaluation and decision that a minor
lacks decision making capacity, which
can lead to a disclosure to the patient’s
parents without the patient’s consent.
This change is intended to distinguish
between the evaluation by a part 2
program director about patient decision
making capacity and an adjudication of
incompetence made by a court, which is
addressed in § 2.15. The Department
also proposed a technical edit to
§ 2.14(c)(1) to correct a typographical
error from ‘‘youthor’’ to ‘‘youth or.’’
The Department also proposed to
substitute the term ‘‘person’’ for the
term ‘‘individual’’ in § 2.14(b)(1) and
(2), (c) introductory text, and (c)(1) and
(2), respectively.
Overview of Comments
The Department received general
support for its proposed changes to
§ 2.14. However, some commenters
expressed concern about certain
proposed changes or requested
additional clarity, as described below.
Comment
An HIE association urged the
Department to align the part 2
requirements regarding minors with the
state-based requirements regarding
minor access, consent, and disclosure of
their health records. The commenter
noted that some states have stringent
rules for when a minor patient can
control different sections of their health
record and urged the Department to
engage with patient advocacy
organizations to fully understand the
implications of the minor consent
provisions in part 2.172 Another
commenter noted that jurisdictions vary
with respect to the age of majority, who
is considered a legal guardian or
authorized representative, emancipated
minors, and specific consent for special
health services (e.g., HIV testing,
reproductive services, mental and
behavioral health). Commenters cited
examples of states such as California,
which they perceived to have strong
consent and privacy provisions for
minors and argued that it was important
that part 2 foster alignment between
consent to receive care and access to
medical information by the person
authorized to provide consent to
treatment.
172 See, e.g., Marianne Sharko, Rachael Jameson,
Jessica S. Ancker, et al., ‘‘State-by-State Variability
in Adolescent Privacy Laws,’’ Pediatrics (May 9,
2022), https://doi.org/10.1542/peds.2021-053458.
Response
We appreciate this comment on the
Department’s proposed changes. We
have revised the part 2 redisclosure
requirements to align more closely with
HIPAA requirements with respect to
disclosures of PHI. We clarify
applicability of these changes to
business associates and covered entities.
Subject to limited exceptions, such
redisclosed records cannot be used in
any civil, criminal, administrative, or
legislative proceedings by any Federal,
State, or local authority against the
patient, unless authorized by the
consent of the patient.
VerDate Sep<11>2014
18:41 Feb 15, 2024
Jkt 262001
PO 00000
Frm 00045
Fmt 4701
Sfmt 4700
12515
Response
We acknowledge that regulations and
statutes pertaining to behavioral health,
including treatment and access to
records by those who consent, differ by
state.173 The Department has previously
highlighted that § 2.14 states that ‘‘these
regulations do not prohibit a part 2
program from refusing to provide
treatment until the minor patient
consents to the disclosure necessary to
obtain reimbursement, but refusal to
provide treatment may be prohibited
under a state or local law requiring the
program to furnish the service
irrespective of ability to pay.’’ 174 State
laws may also vary with respect to
access to records by parents or
caregivers. As provided in § 2.20
(Relationship to state laws), part 2 ‘‘does
not preempt the field of law which they
cover to the exclusion of all state laws
in that field.’’ Thus, states may impose
requirements for consent, including for
minors, that are more stringent than
what Federal regulations may require.
The Department understands that there
exist variations among jurisdictions
concerning minor and parent or
guardian consent requirements. Part 2
programs and other regulated entities
are advised to seek legal advice on the
application of their state and local laws
when appropriate.
Comment
One commenter urged the Department
to proactively partner with states to
design state-specific educational
resources and tools to expedite access to
SUD treatments. The commenter cited
as one example the New York Civil
Liberties Union 2018 pamphlet entitled
‘‘Teenagers, Health Care and the Law: A
Guide to Minors’ Rights in New York
State’’ as one helpful resource.175 Other
commenters also urged the Department
to provide guidance about minor
consent in relation to Medicaid, the
Children’s Health Insurance Program
(CHIP), and other health coverage
programs.
Response
The Department appreciates examples
of what commenters view as relevant or
helpful resources and publications but
does not necessarily endorse the content
of specific publications not developed
or reviewed by HHS. We will consider
what additional guidance from HHS
may be helpful after this rule is
finalized.
173 Id. See also ‘‘TAC Assessment Working Paper:
2016 Compilation of State Behavioral Health Patient
Treatment Privacy and Disclosure Laws and
Regulations,’’ supra note 122. See also, 82 FR 6079
(Jan. 18, 2017).
174 82 FR 6052, 6083.
175 New York Civil Liberties Union, ‘‘Guide:
Teenagers, Health Care, and the Law (English and
Spanish)’’ (Oct. 2, 2018), https://www.nyclu.org/en/publications/guide-teenagers-health-care-and-law-english-and-spanish.
Comment
Commenters generally supported the
proposed change from ‘‘judges’’ to
‘‘determines’’ to better distinguish a part
2 program director’s evaluation and
decision that a minor lacks decision-making capacity from when a court
adjudicates (i.e., judges) a patient as
lacking decision-making capacity. But
one association noted that in addition to
the Federal regulation, states can also
have their own requirements related to
minors, decision-making capacity, and
their ability to make independent
decisions regarding care and treatment.
The commenter believed that part 2
programs, consumers, and other
stakeholders could benefit from the
Department discussing the Federal
standard in the preamble to final
regulations or in future guidance
discussing how states can align with the
standard and potential areas for Federal
and state conflicts. Other commenters
also urged the Department to provide
additional guidance on the intersection
of state and Federal laws, including for
minors out of state and receiving SUD
treatment.
Response
The Department appreciates the
comments about changing ‘‘judges’’ to
‘‘determines’’ and will consider what
additional guidance on these issues may
be helpful after this rule is finalized.
Comment
Commenters supported the proposal
to remove the term ‘‘incompetent’’ and
instead refer to patients who lack the
capacity to make health care decisions
to distinguish between lack of capacity
and adjudication of incompetence.
Response
The Department appreciates the
comments on this proposed change.
Comment
Commenters emphasized the
importance of minors being able to
control their health records but also
ensuring that parents and guardians do
not face unnecessary barriers to
obtaining SUD treatment for youth in
their care. Providers, one commenter
asserted, are reluctant or even unwilling
to include parents and guardians in
treatment, even when their clinical
judgment would dictate otherwise.
Response
The Department agrees that it is
important for minors to have input
concerning the use and disclosure of
their health records in a manner that is
consistent with state law. The
Department also has emphasized both
with respect to HIPAA and part 2 that
parents, guardians, and other caregivers
should not face unnecessary barriers in
supporting a loved one’s care.176
SAMHSA has published resources for
families coping with mental health and
SUDs and OCR has issued guidance for
consumers and health professionals on
HIPAA and behavioral health.177
Comment
To allow for meaningful care
coordination for minors, a state agency
urged the Department to modify
proposed § 2.14(b)(2) as follows:
‘‘[w]here state law requires parental
consent to treatment, any consent
required under this Part may be given
by the minor’s parent, guardian, or other
person authorized under state law to act
on the minor’s behalf only if: * * *.’’
Response
We appreciate the suggestion;
however, because we did not propose
modifications to this language or request
public comment related to it, making
this change would be outside the scope
of this rulemaking. For purposes of this
rulemaking, finalizing the existing
language, without modification,
accurately reflects the current balance
between part 2 confidentiality
requirements and state legal
requirements concerning minor consent.
Comment
One commenter expressed concern
that, in their view, part 2 provides no
options for part 2 providers to involve
parents or guardians in a minor’s
treatment without the minor’s consent,
even where state law explicitly permits
such involvement or even requires
providers to make determinations about
the appropriateness of a parent or
guardian’s involvement. The commenter
urged the Department to align § 2.14
with provisions in the Privacy Rule
permitting access to treatment records if
a minor consents to care as provided
under state law.
176 See ‘‘Frequently Asked Questions: Applying
the Substance Abuse Confidentiality Regulations to
Health Information Exchange (HIE),’’ supra note
150; U.S. Dep’t of Health and Human Servs.,
‘‘Personal Representatives and Minors,’’ https://www.hhs.gov/hipaa/for-professionals/faq/personal-representatives-and-minors/.
177 See Substance Abuse and Mental Health
Services Administration, ‘‘Resources for Families
Coping with Mental and Substance Use Disorders’’
(Mar. 14, 2023), https://www.samhsa.gov/families;
U.S. Dep’t of Health and Human Servs., ‘‘The HHS
Office for Civil Rights Responds to the Nation’s
Opioid Crisis’’ (Mar. 11, 2021), https://www.hhs.gov/civil-rights/for-individuals/special-topics/opioids/.
Response
The Department acknowledges the
complexity of the intersection of part 2
and state requirements concerning
minor consent, including parental or
caregiver involvement. After this rule is
finalized, the Department may provide
additional guidance on these issues.
Part 2, in part, provides that ‘‘[w]here
state law requires consent of a parent,
guardian, or other individual for a
minor to obtain treatment for a
substance use disorder, any written
consent for disclosure authorized under
subpart C of this part must be given by
both the minor and their parent,
guardian, or other individual authorized
under state law to act in the minor’s
behalf.’’ The Department has published
relevant resources for families and
guidance on applying behavioral health
privacy laws to mental health and
SUDs.178
Comment
With respect to the role of part 2
program director, one association of
medical professionals asserted that the
decision-making of a minor should be
made in consultation with the treatment
plan team and not in isolation by a part
2 program director.
Response
The Department appreciates this
input on clinician-based decisions about
patients. While the part 2 program
director has specific responsibilities
under this section, the Department
would expect most part 2 programs to
have protocols detailing the program
director’s role and consultation with
others on the treatment team as needed.
As the person with authority over the
part 2 program, the director would be
responsible for how the program
operates, so we do not view additional
regulatory requirements as necessary.
Final Rule
The Department is finalizing all
proposed changes to § 2.14 without
further modification. This includes a
technical edit in § 2.14(c)(1) to correct a
typographical error from ‘‘youthor’’ to
‘‘youth or’’ and changing the verb
‘‘judges’’ to ‘‘determines’’ to describe a
part 2 program director’s evaluation and
decision that a minor lacks decision
making capacity that could lead to a
disclosure to the patient’s parents
without the patient’s consent.
178 See, e.g., The Ctr. of Excellence for Protected
Health Info., ‘‘Families and minors,’’ https://coephi.org/topic/families-and-minors/.
Section 2.15—Patients Who Lack
Capacity and Deceased Patients
Proposed Rule
The Department proposed to replace
outdated terminology in this section
that referred to ‘‘incompetent’’ patients,
refer to the ‘‘use’’ of records in addition
to disclosures, and to substitute the term
‘‘person’’ for the term ‘‘individual’’ as
discussed above in relation to § 2.11
(Definitions). The Department further
proposed to clarify that paragraph (a) of
this section refers to a lack of capacity
to make health care decisions as
adjudicated by a court while paragraph
(b) refers to lack of capacity to make
health care decisions that is not
adjudicated by a court, and to add
health plans to the list of entities to
which a part 2 program may disclose
records without consent to obtain
payment during a period when the
patient has an unadjudicated inability to
make decisions. We also proposed
updates to paragraph (b) of this section
concerning consent by personal
representatives.
Comment
A health plan commenter supported
inclusion of health plans to the list of
entities to which a part 2 program can
disclose records when a patient lacks
capacity. An association of medical
professionals also supported adding
health plans to the list of entities to
which a part 2 program may disclose
records without consent when a patient
lacks capacity to make health care
decisions to ensure that part 2 programs
receive appropriate and timely payment
for their services. A health system
expressed general support for our
proposed changes.
Response
We appreciate the comments on the
proposed changes.
Comment
An association of medical
professionals supported the proposed
change from ‘‘incompetent patients’’ to
‘‘patients who lack capacity to make
health care decisions,’’ whether
adjudicated or not. The commenter also
supported the addition of health plans
to the list of entities to which a program
may disclose records without consent.
The commenter also said that families
often request the records of deceased
patients and there does not appear to be
a consistent policy about this among
SUD treatment centers. It would be
helpful to have this matter addressed.
Response
We appreciate the comment on our
proposed changes. With respect to
deceased patients, part 2 regulations as
finalized ‘‘do not restrict the disclosure
of patient identifying information
relating to the cause of death of a patient
under laws requiring the collection of
death or other vital statistics or
permitting inquiry into the cause of
death.’’ Additionally, the regulations
state that ‘‘[a]ny other use or disclosure
of information identifying a deceased
patient as having a substance use
disorder is subject to the regulations in
this part. If a written consent to the use
or disclosure is required, that consent
may be given by the personal
representative.’’ In the preamble for
§ 2.11 of this rule, we discuss applying
the HIPAA definition of ‘‘personal
representative.’’ We have stated in
guidance for the HIPAA Privacy Rule
that ‘‘[s]ection 164.502(g) provides
when, and to what extent, [a] personal
representative must be treated as the
individual for purposes of the [HIPAA
Privacy] Rule.’’ 179 Section 164.502(g)(2)
requires a covered entity to treat a
person with legal authority to act on
behalf of an adult or emancipated minor
in making decisions related to health
care as the individual’s personal
representative with respect to PHI
relevant to such personal
representation.180 The definition in this
rule mirrors language in the HIPAA
Privacy Rule at 45 CFR 164.502(g).
Comment
An association of medical
professionals supported the proposed
changes but urged the Department to
reduce confusion and avoid potential
conflicts with state law by amending
§ 2.15(b)(2) to clarify that this section
only applies if there are no applicable
state laws governing surrogate decision
making.
Response
We decline to modify this section to
refer to state law requirements, as we
discuss intersections with state law in
§ 2.20 and we do not anticipate that the
definition of ‘‘personal representative,’’
which mirrors the standard in the
HIPAA regulations, will conflict with
state law requirements.
179 U.S. Dep’t of Health and Human Servs.,
‘‘Personal Representatives’’ (Sept. 19, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/.
180 Id. See also, ‘‘Personal Representatives and
Minors,’’ supra note 176.
Comment
One commenter believed that even
though the NPRM addressed the issue of
a patient’s lack of capacity to sign an
informed consent, it failed to address
circumstances involving diminished
capacity associated with intoxication,
withdrawal, medication induction, and
early phases of treatment. The
commenter asserted that addressing the
issue of temporary diminished capacity
is critical to the proposed perpetual
consent for TPO purposes promoted by
the NPRM. The commenter also stated
that relying on a single enduring
consent made at a time when a person
is most vulnerable and cognitively
compromised is unethical, and that a
signed consent around the time of
treatment entry should be valid for no
more than six months. According to this
commenter, it is important to stress that
the authority of the part 2 program
director to exercise the right of the
patient to consent to uses and
disclosures of their records is restricted
to that period where the patient suffers
from a medical condition that creates a
lack of capacity to make knowing or
effective health care decisions on their
own behalf. Further, according to this
commenter, that authority is limited to
obtaining payment for services from a
third-party payer or health plan, and
should not extend more than 30 days.
After such time, the part 2 program
director should seek a court order,
according to the commenter.
Response
We agree with the commenter that, as
stated in the regulation, the part 2
program director’s authority in
§ 2.15(a)(2) extends only to obtaining
payment for services from a third-party
payer or health plan.
In some cases, a patient who has
diminished capacity due to overdose,
intoxication, withdrawal, or other
medical conditions may be considered
by a medical provider to be
experiencing a ‘‘bona fide medical
emergency in which the patient’s prior
written consent cannot be obtained.’’ 181
As the Department explained in
preamble to its final 2020 rule,182 under
§ 2.51, disclosures of SUD treatment
records without patient consent are
permitted in a bona fide medical
emergency. Although not a defined term
under part 2, a ‘‘bona fide medical
emergency’’ most often refers to the
situation in which an individual
requires urgent clinical care to treat an
immediately life-threatening condition
(including, but not limited to, heart
attack, stroke, overdose), and in which
it is infeasible to seek the individual’s
consent to release of relevant, sensitive
SUD records prior to administering
potentially life-saving care. In such
cases, the medical emergency provisions
of part 2 would apply.
181 See 42 CFR 2.51 (Medical emergencies).
182 85 FR 42986, 43018.
In addition, provisions of § 2.31
(Consent requirements), are pertinent to
this comment. Section 2.31(a)(6) of this
final rule requires that the consent must
inform the patient of ‘‘[t]he patient’s
right to revoke the consent in writing,
except to the extent that the part 2
program, or other lawful holder of
patient identifying information that is
permitted to make the disclosure, has
already acted in reliance on it, and how
the patient may revoke consent.’’ Thus,
a patient, after their medical condition
has been treated, will be able to modify
any part 2 written consent at a later
date.
Comment
An academic health system believed
that under § 2.15(a)(2), patients who
may lack capacity temporarily, without
court intervention, have no one with the
legal authority to consent to uses or
disclosures other than for payment
purposes. The commenter viewed this
restriction as inconsistent with both
state law and HIPAA and as an outdated
and problematic limitation. The
commenter said that at times its part 2
programs admit a patient who lacks
capacity temporarily (where there is no
need for court intervention) and permit
a surrogate to consent to treatment as
permitted by state law, particularly in
the inpatient context. The commenter
added, the regulations should reflect
that if a surrogate or personal
representative has the ability under state
law to consent to treatment, then that
same surrogate or personal
representative should have the ability to
consent to the use and disclosure of part
2 records regardless of whether there
has been an adjudication by a court.
Otherwise, part 2 programs would be
admitting a patient into treatment with
no one who has the legal authority to
consent to critical uses or disclosures
that are essential or legally required to
operate the part 2 program. According to
the commenter, making this change
would also better align part 2 with
HIPAA and the concept that a personal
representative has authority under state
law to consent to both treatment and the
uses and disclosures of information
related to that treatment.
Response
We refer the commenter to our
responses above regarding the part 2
medical emergency provisions that may
apply to such circumstances and to our
comments on the definition of personal
representative. We discuss intersections
with state law in § 2.20.
Comment
A commenter anticipated that once
the proposed rule is finalized, part 2
programs will begin to utilize existing
technologies and workflows that have
been created to comply with HIPAA
standards. The commenter stated that
many part 2 programs may require all
patients to sign a global consent as a
condition of treatment to take advantage
of these current technologies and
workflows that will now be available to
part 2 programs. The commenter
expressed concern that, once these part
2 programs change their practices to
align with existing technologies and
workflows, there would be no
mechanism for a part 2 program to treat
a patient who refuses to sign a global
consent. The commenter suggested that
the ‘‘payment only’’ limitation in
§ 2.15(a)(2) would prevent part 2
programs from offering treatment to
those most vulnerable patients because
no one will have the authority to
consent to the use and disclosure of part
2 information. Having a patient
admitted into a part 2 program with no
one able to provide TPO consent that
would permit subsequent beneficial
redisclosures, may penalize patients
who are most in need of treatment,
according to this commenter.
Another commenter, a health plan
association, also urged HHS to allow the
part 2 program director to exercise the
patient’s right to consent to any use or
disclosure under part 2 when the
patient is incompetent but not yet
adjudicated by a court as such. The
commenter stated that the rule should
not deprive incompetent persons most
in need of care from the ability to access
care and expressed particular concern
about circumstances in which a part 2
program may be the only mental health
provider in the area (e.g., in rural
locations). The commenter stated that
part 2 should not prevent part 2
programs from divulging information
without which the incompetency
adjudication process cannot proceed;
otherwise, part 2 would create a barrier
to access to care for incompetent
patients because the information the
part 2 program has might be the only
information that would enable an
adjudication of incompetence. The
‘‘medical emergency’’ exception, the
commenter asserted, would sometimes
be of little use if the emergency
providers to whom information is
disclosed cannot obtain consent to
render care, and a court adjudication of
incompetency is impossible to achieve
without part 2 program information.
Additionally, the commenter found
that the proposed rule did not address
advance directives like durable powers
of attorney that do not involve court
adjudication but physician adjudication
to trigger the provisions conferring
authority to the patient’s personal
representative. Therefore, according to
the commenter, § 2.15(a)(2) should read:
‘‘[i]n the case of a patient, other than a
minor or one who has been adjudicated
as lacking the capacity to make health
care decisions, that for any period
suffers from a medical condition that
prevents knowing or effective action on
their own behalf, the part 2 program
director may exercise the right of the
patient to consent to a use or disclosure
under subpart C of this part.’’
Response
As noted above, the part 2 medical
emergency provisions may apply to the
circumstances described by the
commenter if a patient cannot consent
to treatment due to a bona fide medical
emergency. Absent a medical
emergency, under § 2.15(a)(2) the part 2
program director may exercise the right
of the patient to consent to disclosure
for the sole purpose of obtaining
payment for services from a third-party
payer for an adult patient who for any
period suffers from a medical condition
that prevents knowing or effective
action on their own behalf. Consistent
with the Privacy Rule’s provisions on
personal representatives, we state in
§ 2.11 that a personal representative
means a person who has authority
under applicable law to act on behalf of
a patient who is an adult or an
emancipated minor in making decisions
related to health care. Also, consistent
with the Privacy Rule, a personal
representative under part 2 would have
authority only with respect to patient
records that are relevant to such
personal representation.
Comment
A state agency recommended
modifying § 2.15(a) to specifically
address adult patients who lack
capacity, but have appointed a personal
representative. This change, according
to the commenter, would allow for
better care and coordination for patients
who have a personal representative.
Response
We believe our modifications to
§ 2.15(a) as finalized in this rule
respond to the commenter’s concerns
about the role of the personal
representative. We decline to make
additional changes to this section as
requested by the commenter because the
new definition of ‘‘personal
representative’’ defers to state law.
Comment
A health plan commenter stated that
when a patient has an unadjudicated
inability to make decisions due to a
medical condition, this section of the
final rule should clarify that patients
would be allowed to request that their
billing information not be sent to a
health plan if the patient (or third party
other than the health plan) agrees to pay
for services in full. The commenter also
expressed concern about a general lack
of guidance on how proof of an
unadjudicated inability to make
decisions (other than in an emergency)
would be documented and sought
further clarification. The commenter
asked the Department to confirm that a
health plan would not be required to (1)
confirm how consent was obtained and
(2) treat SUD information of patients
who lack capacity in a special manner—
for example, through specialized
documentation and other procedures—
or differently from information of
patients who directly provided consent.
The commenter said that these changes
would help facilitate treatment and
payment for patients who lack capacity
temporarily, which may lead to more
timely care and better outcomes.
According to this commenter, relying on
a part 2 program’s director expertise to
determine the patient’s present capacity
would facilitate more timely care
decisions and reduce burden on health
plans.
Response
We discuss consent provisions
elsewhere in this rule. We confirm that
this final rule does not create new
requirements for special or unique
treatment of SUD information of
patients who lack capacity.
As we discuss above, when a patient
suffers from a medical condition that
prevents knowing or effective action on
their own behalf for any period, the part
2 program director may exercise the
right of the patient to consent to a use
or disclosure under subpart C for the
sole purpose of obtaining payment for
services from a third-party payer or
health plan. If a part 2 program director
believes that this step is unnecessary
after speaking with the patient or others,
the director may choose not to exercise
this right. If a patient has an
unadjudicated inability to make
decisions due to a medical condition
that prevents them from knowing or
taking action, he or she may be unable
to consent to or refuse consent to a use
or disclosure for the sole purpose of
obtaining payment for services from a
third-party payer or health plan; in such
circumstances, the part 2 program
director’s ability to exercise the patient’s
right to consent for the sole purpose of
obtaining payment may apply.
Final Rule
In addition to finalizing changes
such as replacing ‘‘individual’’ with
‘‘person’’ and referring to ‘‘use’’ in
addition to ‘‘disclosures,’’ we are
finalizing the proposal to remove the
term ‘‘incompetent’’ in this section and
refer instead to patients who lack
capacity to make health care decisions.
We also are finalizing the proposal to
clarify that paragraph (a) of this section
refers to lack of capacity to make health
care decisions as adjudicated by a court
while paragraph (b) refers to lack of
capacity to make health care decisions
that is not adjudicated, and to add
health plans to the list of entities to
which a part 2 program may disclose
records without consent to obtain
payment during a period when the
patient has an unadjudicated inability to
make decisions. We also are finalizing
updates to paragraph (b) of this section
concerning deceased patients and
consent by personal representatives.
Section 2.16—Security for Records and
Notification of Breaches
Overview of Rule
Section 2.16 (Security for records)
contains several requirements for
securing records. Specifically, § 2.16(a)
requires a part 2 program or other lawful
holder of patient identifying
information to maintain formal policies
and procedures to protect against
unauthorized uses and disclosures of
such information, and to protect the
security of this information. Section
2.16(a)(1) and (2) set forth minimum
requirements for what these policies
and procedures must address with
respect to paper and electronic records,
respectively, including, for example,
transfers of records, maintaining records
in a secure location, and appropriate
destruction of records. Section
2.16(a)(1)(v) requires part 2 programs to
implement formal policies and
procedures to address removing patient
identifying information to render it non-identifiable in a manner that creates a
low risk of re-identification.
The current part 2 requirements for
maintaining the security of records are
limited to these provisions requiring
policies and procedures. In contrast, the
HIPAA regulations include a HIPAA
Security Rule with specific standards
and implementation specifications for
how covered entities and business
associates are required to safeguard
ePHI. Part 2 does not have similar
requirements.
Application of Part 2 Security
Requirements to Lawful Holders
Current § 2.16 applies security
requirements to part 2 programs and
lawful holders. The term ‘‘lawful
holder’’ is a recognized term that is
applied in several part 2 regulatory
provisions; however, it is not defined in
regulation. Generally, it refers to ‘‘an
individual or entity who has received
such information as the result of a part
2-compliant patient consent (with a
prohibition on re-disclosure) or as a
result of one of the exceptions to the
consent requirements in the statute or
implementing regulations and,
therefore, is bound by 42 CFR part
2.’’ 183
The Department sought public
comment on whether security
requirements should apply uniformly
across all persons who receive part 2
records pursuant to consent such that
certain failures, such as a failure to have
‘‘formal policies and procedures’’ or to
‘‘protect’’ against threats, would result
in the imposition of civil or criminal
penalties against all persons who receive
these records pursuant to consent. The
Department’s request for comment in
this regard asked, ‘‘whether the
requirements of this section that apply
to a lawful holder should in any way
depend on the level of sophistication of
a lawful holder who is in receipt of Part
2 records by written consent, or should
depend on whether the lawful holder is
acting in some official or professional
capacity connected to or related to the
Part 2 records.’’
Comment
One commenter, an association of
medical professionals, opined that all
entities that hold personal health
information should be required to notify
persons when their information is
breached, but also that breach rules
must not hold parties responsible for the
actions of other parties over whom they
do not have control.
Response
We agree with the sentiments
expressed in this comment and assume
that the commenter’s use of the term
‘‘entity’’ is referring to an organizational
or professional entity and not an
individual acting in a personal capacity.
The final rule requires part 2 programs
to provide breach notification for
breaches of part 2 records in the same
manner as breach notification is
required for breaches of PHI, which
would include breaches of part 2
records held on behalf of a program by
QSOs or business associates. Under
HIPAA, a business associate is required
to notify a covered entity of breaches
and we believe part 2 programs that are
not covered entities could obligate their
QSOs to notify the programs of breaches
through contractual provisions. A part 2
program would not be responsible for
breaches by QSOs or business
associates. However, the part 2 program
is responsible under this rule for having
in place contractual requirements to
ensure that it is timely notified of a
breach by such entities so that it can
meet its obligations to notify affected
individuals.
183 See 82 FR 6052, 6068; see also 81 FR 6988, 6997.
Comment
A few commenters, including a
managed care organization and a county
health department, opined that it is
appropriate to apply breach notification
requirements to QSOs. Another
commenter, a health plan, requested
confirmation from the Department that
the part 2 breach notification
requirements are the same as the
requirements under the HIPAA Breach
Notification Rule, and also sought
confirmation that the requirements
would not apply to lawful holders who
are caregivers not acting in a
professional capacity.
Response
Our close review of the statute leads
us to believe that there is no authority
to apply notification requirements to
QSOs as they are applied to business
associates under the HIPAA Breach
Notification Rule. We also agree that
non-professional lawful holders, such as
family members, friends, or other
informal caregivers, are not the same as
lawful holders acting in a professional
capacity. However, non-professionals
should nonetheless take reasonable
steps to protect records in their custody.
Final Rule for Lawful Holders and
Security of Records
We are re-organizing § 2.16(a) and
finalizing additional language to clarify
to whom the security requirements
apply. Specifically, we are creating a
new exception for certain lawful holders
in new paragraph (a)(2) that expressly
excludes ‘‘family, friends, and other
informal caregivers’’ from the
requirements to develop formal policies
and procedures. We expect that
informal caregivers and other similar
lawful holders who would be subject to
this exception still recognize some
responsibility to safeguard these
sensitive records and exercise caution
when handling such records. We clarify
here that while we are not making
informal caregivers subject to the final
rule requirements to develop formal
policies and procedures, we do
encourage all lawful holders to protect
records. For example, informal
caregivers should at least take
reasonable steps to protect the
confidentiality of patient identifying
information.
We are finalizing breach notification
requirements for part 2 programs; lawful
holders are not subject to breach
notification requirements.
De-Identification
Proposed Rule
Section 3221(c) of the CARES Act
required the Department to apply the
HIPAA standard in 45 CFR 164.514(b)
for de-identification of PHI to part 2 for
the purpose of disclosing part 2 records
for public health purposes. To further
advance alignment with HIPAA and
reduce burden on disclosing entities,
the Department proposed to apply 45
CFR 164.514(b) to the existing de-identification requirements in part 2:
§§ 2.16 (Security for records) and 2.52
(Research) (discussed below).
Specifically, the Department proposed
to modify § 2.16(a)(1)(v) (for paper
records) and (a)(2)(iv) (for electronic
records), to read as follows: ‘‘[r]endering
patient identifying information de-identified in accordance with the
requirements of the [HIPAA] Privacy
Rule at 45 CFR 164.514(b), such that
there is no reasonable basis to believe
that the information can be used to
identify a patient as having or having
had a substance use disorder.’’
As proposed, this provision would
permit part 2 programs to disclose
records de-identified in accordance with
the implementation specification in the
HIPAA Privacy Rule (i.e., the expert
determination method or the safe harbor
method) but the provision does not
reference the HIPAA Privacy Rule
standard at 45 CFR 164.514(a) that the
implementation specification is
designed to achieve—that the
information is de-identified such that
there is no reasonable basis to believe
that the information disclosed can be
used to identify an individual.
Comment
Many commenters expressed support
for the Department’s de-identification
proposal citing a variety of reasons. One
health system, stating that many part 2
programs are embedded within covered
entities or share workforces with such
programs, commented that de-identification standards within part 2
consistent with the HIPAA Privacy Rule
would reduce workforce confusion,
inadvertent non-compliance, and
unintentional leaks of confidential
information. A government agency
commented that the express alignment
with the HIPAA Privacy Rule was a
welcome clarification that would
protect the privacy and confidentiality
of SUD patients. An individual
commented that it would be prudent to
enact the standards in 45 CFR
164.514(b) to offer more protection to
patients and that doing so would not
create adverse consequences. A
managed care organization suggested
that HIPAA provided an appropriate
existing regulatory standard for
rendering part 2 records non-identifiable. A few commenters, all
health systems that partly specialize in
providing SUD services, expressed
strong support for the proposal and the
principle that programs should not be
required to obtain consent from
individuals prior to de-identifying their
information.
Response
We appreciate these comments.
Comment
Some commenters, including a health
IT vendor and a few health information
management associations, expressed
support for the Department’s proposal
but also urged the Department to ‘‘fully
align’’ the part 2 de-identification
standard with the HIPAA Privacy Rule.
For example, one of these commenters
opined that the language ‘‘such that
there is no reasonable basis to believe
that the information can be used to
identify a patient as having or having
had a substance use disorder’’ is not the
HIPAA de-identification standard, and
that the Department should instead use
the exact language of HIPAA. Other
commenters urged the Department to
expressly clarify that both the HIPAA
safe harbor method and expert
determination method could satisfy the
proposed de-identification requirements
for part 2 records. A behavioral health
advocacy organization asked the
Department to clarify that the definition
of part 2 ‘‘records’’ does not include de-identified records consistent with the
HIPAA Privacy Rule’s treatment of de-identified health information.
Response
We agree that, as drafted, the
Department’s proposal does not fully
align with the regulatory text of the full
de-identification standard in the HIPAA
Privacy Rule, which includes
paragraphs (a) and (b) of 45 CFR
164.514. We clarify here that by
incorporating the HIPAA standard
codified at 45 CFR 164.514(b), either
method of de-identification of PHI can
be used to de-identify records under
part 2. We also note here a critical
difference between the definitions of
PHI under the HIPAA Privacy Rule and
records in this part. The definition of
PHI is grounded in the recognition that
it is ‘‘individually identifiable health
information.’’ 184 The HIPAA Privacy
Rule standard for de-identification
therefore renders PHI no longer
‘‘individually identifiable.’’ In this part,
the definition of records does not refer
to ‘‘individually identifiable’’
information, but rather information
‘‘relating to a patient’’ and is already
understood to relate to SUD records.
The final rule modifies the de-identification standard in § 2.16(a)(1)(v)
(for paper records) and (a)(2)(iv) (for
electronic records) so it aligns more
closely with the HIPAA language such
that the de-identified part 2 information
cannot be ‘‘used to identify a patient.’’
Comment
A few HIEs asked the Department to
re-examine the ‘‘base minimum’’
standards for de-identified data, opining
that some data may be anonymized for
some algorithms, but as technology
continues to improve, ‘‘de-identification
in perpetuity’’ is truly unknown, and
therefore the proposed standard may
still represent a privacy risk for patients.
Response
The Department acknowledges the
concerns about the burgeoning ability of
some technologists to re-identify data
stored in large data sets. The
Department is committed to monitoring
these issues as it works to determine
their application to the HIPAA and part
2 de-identification standards.
Comment
One commenter, a health system,
suggested that the Department make
explicit the right to use part 2 records
for health care operations to create a de-identified data set without patient
consent. Another commenter, a health
plan, recommended that the Department
remove the requirement to obtain
express written consent to create a de-identified data set because it conflicts
with the HIPAA Privacy Rule, is
counterproductive, and confuses
patients when they receive a notice
requesting consent to use their SUD data
once de-identified.
184 See 45 CFR 160.103 (definition of ‘‘Protected
health information’’).
Response
We appreciate the comment, but are
constrained by the authorizing statute at
42 U.S.C. 290dd–2, which sets forth the
circumstances for which records subject
to part 2 may be disclosed. Where part
2 programs are not disclosing to a
covered entity, the CARES Act
amendments did not rescind the
requirement to obtain consent prior to
disclosing records for TPO.185
Comment
One commenter, an industry trade
association for pharmacies, commented
that § 2.16 should simply refer to
rendering the patient identifying
information de-identified where
practicable, and then define ‘‘de-identified’’ in section § 2.11 as data
which meets the standard for de-identification under HIPAA.
Response
The proposed regulatory text is
consistent with the intent expressed by
the commenter, but still comports with
the language required by the CARES Act
for disclosures for public health
activities. We therefore believe that we
are finalizing a more workable standard
because it is uniform across the
regulation.
Comment
Several commenters opposed the
proposed de-identification standard for
various reasons. A privacy advocacy
organization commented that the target
HIPAA standard is outdated and needs
‘‘tightening.’’ A few HIE organizations
commented that the proposal would
materially and detrimentally affect the
use of SUD information from part 2
records in limited data sets. These
organizations interpreted the current
part 2 regulations to only require
removal of ‘‘direct identifiers’’ and
believed that, under HIPAA, a limited
data set can be used and disclosed for
research, public health, and health care
operations activities if the recipient
agrees to a HIPAA data use agreement,
which prohibits (among other things) re-identification of individuals. These
organizations further suggested that
changing §§ 2.16 and 2.52 to require use
of the more stringent HIPAA de-identification standard under 45 CFR
164.514(b) will prevent researchers,
public health authorities, quality
improvement organizations, and others
from using a limited data set containing
part 2 SUD data. A limited data set is
useful for research, public health, and
quality improvement activities because
it permits analysis of health data in
connection with certain identifiers that
are relevant to health outcomes, such as
age, race, and gender. Prohibiting use of
limited data sets for research involving
part 2 records may ultimately deny SUD
patients the benefits of better and more
effective treatments and services. They
recommended that the Department
continue to consider limited data sets of
SUD records as non-patient identifying
information under part 2 at least for
purposes of research, public health, and
health care operations. With respect to
consent models for de-identification,
these entities requested that it be left up
to part 2 programs and other lawful
holders of part 2 data to decide—based
on their patient populations and
business needs—what is the most
effective model for their community.
185 The HIPAA term also includes a description
of the activities that are excluded as not
constituting a breach, and an explanatory paragraph
that applies a breach presumption when an
‘‘acquisition, access, use, or disclosure’’ of PHI
occurs in a manner not permitted under the HIPAA
Privacy Rule, and that fails to demonstrate a low
probability of breach based on breach risk
assessment. See discussion of proposed definition
of the term ‘‘breach’’ above.
Response
We acknowledge the relatively large
number of commenters raising the
possibility that the Department codify a
limited data set option in this
regulation. Because many of these
comments were submitted in response
to our proposal to incorporate the same
de-identification standard proposed
here into § 2.52 (Scientific research), our
response to the comments on limited
data sets and similar comments related
to research are addressed together,
below.
Comment
One individual commented that the
proposal to re-align de-identification
with HIPAA lowers the part 2 standard
from an objective standard to one that
is subjective. The commenter believed
that the phrase ‘‘no reasonable basis to
believe’’ was subjective and would
decrease the researcher’s responsibility.
By contrast, under existing § 2.52
requirements information is de-identified ‘‘such that the information
cannot be re-identified and serve as an
unauthorized means to identify a
patient,’’ which is a more objective standard.
Another individual commented that the
proposed standard is vague and likely
unenforceable.
Response
We disagree with the commenters’
characterization of the proposed change
as creating a standard that is subjective
or vague and unenforceable. The HIPAA
standard incorporated here clearly
identifies two methods for de-identifying records, the expert
determination method and the safe
harbor method, which set forth specific
requirements that are long established
and well understood in the health care
industry.
Final Rule Related to De-Identification
of Records
We agree with commenters who urged
the Department to fully align the de-identification standard in this part with
the standard in the HIPAA Privacy Rule.
Whereas the part 2 requirement
protected records identifying a patient
as having or having had an SUD, the
HIPAA standard at 45 CFR 164.514(a)
protects information that identifies or
can be used to identify an individual.
The existing part 2 standard focuses on
protection of a limited number of data
points based on one health condition
(i.e., SUD) while HIPAA protects the
identity of the individual in connection
with any health care and thus already
incorporates protection of the
information in part 2. Because 45 CFR
164.514(a) shields a wider range of data
elements from disclosure, it is more
protective of privacy than the existing
part 2 de-identification requirement. By
complying with the HIPAA standard, a
part 2 program would also be meeting
the requirements of the existing part 2
de-identification standard.
The final rule incorporates the HIPAA
Privacy Rule de-identification standard
in 45 CFR 164.514(b) into § 2.16 as
proposed, and further modifies
paragraph (a) of this section to more
fully align with the complete HIPAA de-identification standard, including
language that is similar to that in the
HIPAA Privacy Rule at 45 CFR
164.514(a). To achieve this, we are
deleting the existing part 2 phrase ‘‘as
having or having had a substance use
disorder’’ and retaining the phrase
‘‘such that there is no reasonable basis
to believe that the information can be
used to identify a particular patient.’’
Section 2.16(a)(1)(v) and (a)(2)(iv) are
now modified as § 2.16(a)(1)(i)(E) and
(a)(1)(ii)(D) and read as ‘‘[r]endering
patient identifying information de-identified in accordance with the
requirements of 45 CFR 164.514(b) such
that there is no reasonable basis to
believe that the information can be used
to identify a particular patient.’’ We
removed the language ‘‘the HIPAA
Privacy Rule’’ from in front of the
regulatory references to 45 CFR
164.514(b) because we believe it
unnecessary and for consistency
throughout this final rule.
By adopting the same de-identification standard as we are
required to adopt for public health
disclosures (in new § 2.54) into this
provision (and in § 2.52 for scientific
research purposes, discussed below), we
provide a uniform method for de-identifying part 2 records for all
purposes and provide more privacy
protection than our proposed
incorporation of only HIPAA 45 CFR
164.514(b). We also make clear here that
the inability to identify an individual, as
consistent with the language in 45 CFR
164.514(a) of HIPAA, includes the
inability to identify them as a person
with SUD. The final rule therefore
would include the interpretation that is
consistent with our initial proposal, but
we believe it also protects from
re-identification a broader scope of
identifiers. This approach is also most
responsive to commenters who
generally agreed that the de-identification standards for both HIPAA
and part 2 should completely align.
Breach Notification
Overview
Section 290dd–2(j) of 42 U.S.C., as
amended by the CARES Act, requires
the Department to apply the HIPAA
breach notification provisions of the
HITECH Act (codified as 42 U.S.C.
17932, Notification in the case of
breach) to part 2 records ‘‘to the same
extent and in the same manner as such
provisions apply to a covered entity in
the case of a breach of unsecured
protected health information.’’
Paragraph (k)(1) of 42 U.S.C. 290dd–2
incorporated a definition of the term
breach, giving it the same meaning as
under the HIPAA regulations. The
HIPAA Breach Notification Rule at 45
CFR 164.402 defines breach as ‘‘the
acquisition, access, use, or disclosure of
protected health information in a
manner not permitted under subpart E
of this part which compromises the
security or privacy of the protected
health information.’’ 186 Paragraph (k)(9)
of the 42 U.S.C. 290dd–2 incorporated
a definition of ‘‘unsecured protected
health information,’’ giving it the same
meaning as under the HIPAA
regulations. The HIPAA Breach
Notification Rule defines ‘‘unsecured
protected health information’’ to mean
PHI ‘‘that is not rendered unusable,
unreadable, or indecipherable to
unauthorized persons through the use of
a technology or methodology specified
by the Secretary in the guidance issued
under section 13402(h)(2) of Public Law
111–5.’’
186 Id.
Paragraph (a) of 42 U.S.C. 17932
contains the HIPAA 187 breach
notification requirements for covered
entities; paragraph (b) requires a
business associate of a covered entity to
notify the covered entity when there is
a breach and includes requirements for
the notice; paragraph (c) sets forth the
circumstances for when a covered entity
or business associate shall treat a breach
as discovered; and paragraphs (d)
through (g) contain requirements related
to timeliness of notice, method of
notice, content of notice, and allowance
for delay of notice authorized by law
enforcement, respectively. Other
paragraphs define ‘‘unsecured PHI,’’ set
forth requirements for congressional
reporting, and authorize interim
regulations. The Department
implemented 42 U.S.C. 17932 in the
HIPAA Breach Notification Rule
codified at 45 CFR 164.400 through
164.414.
Proposed Rule
To implement the new requirements
in paragraph (j) of 42 U.S.C. 290dd–2, as
amended by the CARES Act, the
Department proposed to modify the
heading of § 2.16 to add ‘‘and
notification of breaches’’ and add a new
paragraph § 2.16(b) to require part 2
programs to establish and implement
policies and procedures for notification
of breaches of unsecured part 2 records
consistent with the requirements of 42
U.S.C. 17932. The HIPAA Breach
Notification Rule refers to ‘‘unsecured
protected health information.’’ The
existing part 2 regulation does not have
a definition of ‘‘unsecured records’’ but
to align with HIPAA we proposed such
a definition, as discussed in § 2.11,
above.
Comment
The commenters who addressed the
breach notification proposals
unanimously expressed support for
applying breach notification
requirements to part 2, with slightly
more than half expressing general
support without further elaboration.
Other supportive commenters expressed
additional views, including that the
Department’s proposal: implemented
the CARES Act; was likely to ensure
patient confidentiality in the same
manner as HIPAA; and could provide a
‘‘counterweight’’ to the perceived
lessening of part 2 protections brought
about by the CARES Act.
187 The HIPAA Breach Notification Rule, codified
at 45 CFR parts 160 and 164, subparts A and D,
implements sec. 13402 of the HITECH Act (codified
at 42 U.S.C. 17932).
Response
The Department appreciates these
comments.
Comment
Almost half of all commenters on
breach notification expressed support
for the proposal but requested
clarification or guidance, especially
related to the interaction of newly
proposed breach notification
requirements and HIPAA breach
notification requirements. For example,
one commenter, a health plan
association, recommended that the
Department clarify that if a use or
disclosure of part 2 records is permitted
by the HIPAA Privacy Rule, then the
same use or disclosure would not be
considered a breach under part 2. This
same commenter requested, in the
alternative, that if the activity did
amount to a breach under part 2, the
rule should provide that states have the
ability to exempt HIPAA covered
entities and business associates from
part 2 breach notification requirements
to avoid overlap, confusion, or conflict
among individuals who receive
notification. A legal advocacy
association commented that HHS
should clarify that the breach
notification requirement applies to
disclosures that violate the part 2
standard of confidentiality, and not just
disclosures that violate the HIPAA
Privacy Rule, and that the Department
should amend the definition of
‘‘breach’’ in § 2.11 or clarify in § 2.16
that patients should be notified of any
acquisition, access, use, or disclosure of
part 2 records in a manner not permitted
under 42 CFR part 2. Yet another
commenter, a health system, requested
clarification of whether overlapping
breach reporting obligations triggered by
an activity that violated both HIPAA
and part 2 would involve
communicating with OCR, SAMHSA, or
both.
Response
In the CARES Act, Congress replaced
the criminal penalties for part 2
violations with the HITECH civil
penalty structure that is applied to
violations of the HIPAA regulations, as
well as criminal penalties for certain
violations. The CARES Act did not
include an exemption for persons who
are subject to both regulatory schemes,
and who commit acts that violate both
regulatory schemes. We expect a new
enforcement process to ensure efficient
use of Department agencies’ resources,
emphasize bringing entities into
compliance with part 2, and avoid
duplicative reporting by part 2
programs.
Comment
We received several comments related
to breach notification and the impact of
the proposed effective dates and
compliance dates for a final rule. A
hospital association and a health IT
vendor recommended that the
Department phase in the breach
notification requirements or extend the
period of time for compliance beyond
the proposed timeline, noting that
compliance with part 2 is already
complex and a potential deterrent to
treating patients with SUD, and that the
risk of monetary penalties would further
deter providers from taking on these
patients. One of these commenters also
noted that implementing breach
notification capability could be a time-consuming process requiring time
beyond what the Department estimated.
Several commenters stated that many
part 2 programs are also subject to
HIPAA and thus are already complying
with breach notification, so the proposal
would not create any additional burden
for such programs. One commenter
believed that the number of entities or
individuals affected by the proposal
(part 2 programs not subject to HIPAA)
would be small.
Response
We appreciate the concerns expressed
about the potential complexity of
implementing breach notification
among this community of providers but
agree that many providers have already
implemented breach notification
because they are also covered entities
under HIPAA and that overall, a
relatively small number of entities will
be affected. We are mindful, however,
that this regulation must also still serve
the community of part 2 programs that
are not subject to HIPAA. We remind
such entities that the required
compliance date would not occur until
almost two years after the rule becomes
effective. These entities may wish to
review existing guidance on breach
notification.188
188 See, e.g., U.S. Dep’t of Health and Human
Servs., ‘‘Breach Notification Rule’’ (July 2013),
https://www.hhs.gov/hipaa/for-professionals/breach-notification/.
Comment
One anonymous commenter urged the
Department to cease or disallow part 2
programs, covered entities, and
investigative agencies from relying on
TV and newspaper notification avenues
because these methods are no longer
likely to be seen by patients, and
therefore should not be treated as
meaningful or considered cost effective.
Response
We note at the outset that we have not
proposed to make breach notification
applicable to lawful holders such as
‘‘investigative agencies.’’ We agree that
breach notification provisions across
types of entities should be uniform. We
also believe the commenter’s suggestion
is reasonable; however, we believe that
more breach notification options, rather
than fewer options, are preferable.
Final Rule
The Department adopts the proposal
to add paragraph (b) to § 2.16 to require
part 2 programs to establish and
implement policies and procedures for
notification of breaches of unsecured
part 2 records consistent with the
requirements of 45 CFR parts 160 and
164, subpart D. First, we believe this
provision is consistent with the CARES
Act requirement to apply breach
notification to part 2 in the same
manner as it applies to covered entities
for breaches of unsecured PHI. Second,
we believe the same public policy
objectives of the HIPAA Breach
Notification Rule as applied to covered
entities are furthered by establishing
analogous requirements for part 2
programs. In the NPRM we established
those policy objectives as: (1) greater
accountability for part 2 programs
through requirements to maintain
written policies and procedures to
address breaches and document actions
taken in response to a breach; (2)
enhanced oversight and public
awareness through notification of the
Secretary, affected patients, and in some
cases the media; (3) greater protection of
patients through obligations to mitigate
harm to affected patients resulting from
a breach; and (4) improved measures to
prevent future breaches as part 2
programs timely resolve the causes of
record breaches.
Finally, as we discuss in greater detail
in Definitions, in § 2.11 above, we are
finalizing proposed definitions for
‘‘breach’’ and ‘‘unsecured records.’’ In
addition to the term ‘‘breach’’ being
required by the amended statute, we
believe incorporating these terms and
definitions, as proposed, helps bring
clarity to regulated entities on how to
operationalize breach notification
requirements aligned with HIPAA in
part 2. In keeping with these changes,
we are finalizing the proposed
modification of the heading of § 2.16 so
that it now reads ‘‘Security for records
and notification of breaches.’’
Section 2.17—Undercover Agents and
Informants
As we discussed above, the final rule
adopts the proposed addition of the
language ‘‘or disclosed’’ behind ‘‘used’’
in this section so that the use and
disclosure of part 2 records is prohibited
by this section pursuant to the statutory
authority. We did not receive public
comments on this proposal and there
are no other substantive changes to this
section.
Section 2.19—Disposition of Records by
Discontinued Programs
Proposed Rule
Section 2.19 requires a part 2 program
to remove patient identifying
information or destroy the records when
a program discontinues services or is
acquired by another program, unless
patient consent is obtained or another
law requires retention of the records.
The Department proposed to create a
third exception to this general
requirement to clarify that these
provisions do not apply to transfers,
retrocessions, and reassumptions of part
2 programs pursuant to the ISDEAA, to
facilitate the responsibilities set forth in
25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a),
25 U.S.C. 5324(e), 25 U.S.C. 5330, 25
U.S.C. 5386(f), 25 U.S.C. 5384(d), and
the implementing ISDEAA
regulations.189 The Department also
proposed wording changes to improve
readability and modernize the
regulation, such as by referring to ‘‘non-electronic’’ records instead of ‘‘paper’’
records, and structural changes to the
numbering of paragraphs.
Comment
One commenter asserted that the
Department’s proposed exception to
clarify that these provisions do not
apply to transfers, retrocessions, and
reassumptions of part 2 programs
pursuant to the ISDEAA is a logical
addition that will promote continuity of
patient treatment. However, the
commenter requested further
clarification of the rule’s record
retention requirements for discontinued
or acquired programs, including the
provision that requires labeling stored
non-electronic record with specific
regulatory language. The commenter
asked if the reference in the NPRM
preamble to ‘‘another law’’ that might
require record retention was a reference
to HIPAA for covered entities.
189 For further information on the ISDEAA, see Indian Health Service, Title 1, HHS, https://www.ihs.gov/odsct/title1/.
Response
The Department appreciates the
comments about clarifying in the final
rule that these provisions do not apply
to transfers, retrocessions, and
reassumptions of part 2 programs
pursuant to the ISDEAA. Part 2 has long
had requirements pertaining to paper
records which were updated in 2017 to
apply to electronic records of
discontinued programs as well.190
When there is a legal requirement that
the records be kept for a period
specified by law which does not expire
until after the discontinuation or
acquisition of the part 2 program, the
dates of record retention would be
reflected in the requirements of that law
under § 2.19(a)(2). The NPRM
discussion of this was not intended as
a reference to a specific law, but more
generally to records retention laws
which are typically established in state
law for medical records. The HIPAA
regulations do not address the time
period for retention of medical records,
but contain requirements for how
retained records must be safeguarded.
The HIPAA regulations also address
retention of compliance documentation
that may be located within a medical
record (such as a signed authorization)
or stored separately (such as security
risk analyses). HIPAA Security Rule
requirements for proper storage and
security of records also may apply to
records maintained by part 2 programs
that also are covered entities.191
Comment
Another commenter expressed
concern that current EHR systems do
not support removing only part 2 data
from one program for a particular
patient or subset of patients, so it may
not be technically feasible to remove
patient identifying information or
destroy the data as required by § 2.19.
The commenter claimed that the
requirements for this section as
described in the NPRM would require
EHRs to be redesigned and therefore
recommends alignment with the HIPAA
Privacy and Security Rules. The
commenter asserted that the HIPAA
Security Rule requires that covered
190 82 FR 6052, 6076; 81 FR 6987, 6999 (Feb. 9, 2016).
191 See, e.g., U.S. Dep’t of Health and Human Servs., ‘‘Security Rule Guidance Material’’ (June 29, 2023), https://www.hhs.gov/hipaa/for-professionals/security/guidance/. See also, ‘‘Guidance on Risk Analysis,’’ supra note 115; U.S. Dep’t of Health and Human Servs., ‘‘Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?’’ (Feb. 18, 2009), https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/.
entities implement policies and
procedures that address the final
disposition of ePHI and/or the hardware
or electronic media on which it is
stored, as well as to implement
procedures for removal of ePHI from
electronic media before the media are
made available for re-use.
Response
We appreciate the feedback. Distinct
requirements for disposition of part 2
records for discontinued programs have
existed since 1987.192 In 2017 the
Department applied this section to
electronic records.193 At that time, we
cited resources that may support
compliance with this requirement
including from OCR (e.g., Guidance
Regarding Methods for De-identification
of Protected Health Information in
Accordance with the Health Insurance
Portability and Accountability Act
(HIPAA) Privacy Rule) and the National
Institute of Standards and Technology
(NIST) (e.g., Special Publication 800–88,
Guidelines for Media Sanitization).194
These and other resources developed by
OCR, NIST, ONC, and others can
continue to aid compliance with this
section. The Department also notes that
part 2 has established distinct
requirements in § 2.19 for disposition of
part 2 records that may be more
stringent and specific than those
articulated in the HIPAA Security Rule
based on the purposes of part 2 and
stigma and discrimination associated
with improper disclosure of SUD
records. This section was updated in the
2020 final rule to apply to use of
personal devices and accounts.195
Final Rule
The Department is finalizing all
proposed changes to this section
without further modification.
Section 2.20—Relationship to State laws
Proposed Rule
Section 2.20 establishes the
relationship of state laws to part 2 and
provides that part 2 does not preempt
the field of law which it covers to the
exclusion of all applicable state laws,
but that no state law may either
authorize or compel a disclosure
prohibited by part 2. Part 2 records
frequently are also subject to regulation
by various state laws. For example,
similar to part 2, state laws impose
restrictions to varying degree on uses
and disclosures of records related to
192 See 52 FR 21796.
193 82 FR 6052, 6076.
194 82 FR 6052, 6075; 81 FR 6987, 6999.
195 85 FR 42986, 42988.
SUD 196 and other sensitive health
information, such as reproductive
health, HIV, or mental illness.197 The
Department stated in the NPRM its
assumption that, to the extent state laws
address SUD records, part 2 programs
generally are able to comply with part
2 and state law. The Department
requested comment on this assumption
and further requested examples of any
circumstances in which a state law
compels a use or disclosure that is
prohibited by part 2, such that part 2
preempts such state law.
Comment
Several commenters asserted that
complete Federal preemption is needed
on part 2 issues with respect to state
law, or barriers to care coordination will
continue to exist. One commenter, a
county government, said that part 2
preemption of state law is a problem in
California because it creates a barrier
when parents attempt to obtain SUD
treatment for their minor children over
the objection of the minor. Part 2
prevents disclosure of the minor’s
records without the minor’s consent.
Another commenter believed that part 2
conflicts with state law regarding state-mandated reporting on other types of
abuse other than child abuse (such as
elder abuse or domestic violence) and
creates a dilemma for part 2 providers
who need to report because there is not
a ‘‘required by law’’ exception within
part 2.
Response
We acknowledge that considerable
variation in patient consent laws exists
for minors at the state level and discuss
these issues in more detail in
responding to comments regarding
§ 2.14.198 The Department also notes
that state behavioral health privacy laws
may vary.199
196 See, e.g., Mich. Comp. Laws sec. 333.6111
(expressly excluding SUD records from an
emergency medical service as restricted); and NJ
Rev. Stat. sec. 26:2B–20 (2013) (requiring records to
be confidential except by proper judicial order
whether connected to pending judicial proceedings
or otherwise).
197 See, e.g., MO Rev. Stat. sec. 191.731 (requiring
SUD records of certain pregnant women remain
confidential). Ctrs. for Disease Control and
Prevention, ‘‘State Laws that address High-Impact
HIV Prevention Efforts’’ (March 17, 2022), https://www.cdc.gov/hiv/policies/law/states/;
‘‘TAC Assessment Working Paper: 2016
Compilation of State Behavioral Health Patient
Treatment Privacy and Disclosure Laws and
Regulations,’’ supra note 122.
198 See ‘‘State-by-State Variability in Adolescent
Privacy Laws,’’ supra note 172.
199 See ‘‘TAC Assessment Working Paper: 2016
Compilation of State Behavioral Health Patient
Treatment Privacy and Disclosure Laws and
Regulations,’’ supra note 122.
With respect to reporting abuse and
neglect, 42 U.S.C. 290dd–2 expressly
states that the prohibitions of part 2 ‘‘do
not apply to the reporting under State
law of incidents of suspected child
abuse and neglect to the appropriate
State or local authorities.’’ However, no
similar references are made to domestic
violence, elder abuse, animal abuse, or
other similar activities. Moreover, such
changes were not proposed in the
NPRM. Part 2 does, however, permit
reporting a crime on the premises or
against part 2 program personnel
(§ 2.12(c)(5)), or applying for a court
order to disclose confidential
communications about an existing
threat to life or serious bodily injury
(§ 2.62). The Department also advised in
the 2017 rule that ‘‘if a program
determines it is important to report
elder abuse, disabled person abuse, or a
threat to someone’s health or safety, or
if the laws in a program’s state require
such reporting, the program must make
the report anonymously, or in a way
that does not disclose that the person
making the threat is a patient in the
program or has a substance use
disorder.’’ 200 A program could file a
report therefore in such a way that does
not note that the subject of the report is
a patient in a part 2 program or has an
SUD.
Comment
One commenter supported balancing
the alignment of Federal privacy law
and regulations with HIPAA and
applicable state law for the purposes of
TPO. Another commenter believed that
to foster care coordination the
Department should work with states to
better align with the Federal standards
to improve care coordination and
individual patient outcomes.
Response
We appreciate the comments on our
proposed changes to align part 2 with
HIPAA consistent with the CARES Act.
Comment
A state agency requested express
permission within the regulation to
permit disclosures to state data
collection agencies, such as APCDs,
because there is not a ‘‘required by law’’
provision in this part that would
otherwise permit SUD records to be
submitted to the state agencies that
collect other health and claims data. A
state agency requested that the final rule
clearly authorize state agencies that
maintain repositories of health care
claims and discharge data to receive
SUD information under 42 CFR part 2.
SAMHSA, the commenter said,
addressed a similar issue with state-operated PDMPs by clarifying in its
2020 final rule that such disclosures
were authorized under 42 CFR part 2.
The commenter reported that the PDMP
modification strengthened a critical
component of states’ ability to monitor
access, use, and abuse of prescription
drugs, while protecting patient privacy
and confidentiality.
Response
We appreciate the comment and
recommendation. The Department, in
2020, added a new section § 2.36
(Disclosures to prescription drug
monitoring programs),201 based on a
regulatory proposal. No provision was
proposed in the NPRM pertaining to
APCDs/multi-payer claims databases
(MPCDs) and thus there is no basis to
add such a provision in the final rule.
The Department previously declined to
include exceptions to various
requirements for APCDs/MPCDs after
consideration of comments received on
these issues in 2017.202
Comment
A state agency said that in its state,
the majority of SUD treatment records
are covered by part 2; it has
communicated to licensed SUD
treatment providers that they will not be
cited for state regulatory violations if
they disclose information as permitted
by part 2. Licensed providers who are
not part 2 programs are currently asked
to verify this status with the state if a
disclosure is made under HIPAA that
would not be permitted by part 2.
Response
The Department appreciates this
information in response to our request
for input about these issues.
Comment
For one commenter, the final rule
provides an opportunity to encourage
states to update regulations that can
often be outdated and confusing with
regard to applicability. Such updates
could facilitate care coordination and
access. A hospital association requested
more guidance on the interaction of
Federal and state laws and that
hospitals in states with confidentiality
laws specific to SUD or citing part 2 will
have to invest significant time and
financial resources into understanding
the interaction between Federal and
state laws and how to incorporate those
laws into real-time care decisions. Some
hospitals also may provide services in
200 82 FR 6052, 6071.
201 See 85 FR 42986, 43015; 84 FR 44568, 44576.
202 82 FR 6052, 6079.
multiple states, the commenter pointed
out, and patients may therefore receive
treatment at facilities in more than one
state. Other commenters requested
additional guidance on the interaction
between Federal and state SUD
confidentiality requirements and
provide technical assistance to help
providers operationalize these
requirements. One commenter also
requested guidance to address such
issues as hospitals providing services in
multiple states and application of state
laws to out-of-state telehealth
consultations.
Response
We appreciate these comments and
may provide additional guidance and
technical support to states and others
after this rule is finalized. As previously
noted, the Department supports the
Center of Excellence for Protected
Health Information Related to
Behavioral Health, that can provide
guidance and technical support on
behavioral health privacy laws.203 The
Department will continue to support
this Center. The Department supports
efforts to facilitate telehealth use
consistent with HIPAA, part 2, and
other state and Federal requirements.
The Department has developed and
supported resources to promote
appropriate use of telehealth for SUD
and other behavioral health
conditions.204 The Department
acknowledges that hospitals or other
providers providing services in multiple
states may face more complex
compliance burdens and may need to
consult legal counsel to ensure
compliance, as the Department has
previously advised.205
Comment
One commenter said that any changes
need to take into account discrepancies
between state and Federal laws
regarding release of information and
ways to protect patients from the
consequences of their information being
used against them.
Response
The Department acknowledges that
the complex intersection of state and
203 See ‘‘About COE PHI,’’ supra note 105.
204 See The Ctr. of Excellence for Protected Health Info., ‘‘Telehealth,’’ https://coephi.org/protecting-health-information/telehealth-resources/; U.S. Dep’t of Health and Human Servs., ‘‘Telehealth for behavioral health care,’’ https://telehealth.hhs.gov/providers/best-practice-guides/telehealth-for-behavioral-health; Substance Abuse and Mental Health Servs. Admin., ‘‘Telehealth for the Treatment of Serious Mental Illness and Substance Use Disorders’’ (2021), https://www.samhsa.gov/resource/ebp/telehealth-treatment-serious-mental-illness-substance-use-disorders.
205 82 FR 6052, 6071.
Federal behavioral health privacy
statutes and regulations may result in
unnecessary or improper disclosures. As
we have noted in this section, part 2
does not preempt more stringent state
statutes or regulations. Likewise, we
have stated that HIPAA constitutes a
floor of privacy protection that does not
preclude more stringent state laws.206
Comment
One commenter was concerned that
Federal efforts to promote
interoperability may intersect with
conflicting state requirements, pointing
to the Federal Trusted Exchange
Framework and Common Agreement
(TEFCA) initiative as an example.207
The commenter believed that the health
care industry does not yet fully
understand all the potential conflicts
and how they will impact health
information exchange. Another
commenter suggested requiring
electronic records to display the basis
when certain information is not visible
or accessible (e.g., due to state law,
patient restriction, etc.).
Response
The Department will continue to
support health IT and behavioral health
integration by ensuring that TEFCA and
other efforts are consistent with part 2
and take into account state
requirements.208 As noted above, the
Department has developed guidance for
part 2 programs on exchanging part 2
data and may update such guidance in
the future.209 The Department continues
to support EHRs and health IT
compliant with part 2 and HIPAA
requirements as well as care
coordination and behavioral health
integration.210
206 See U.S. Dep’t of Health and Human Servs., ‘‘Preemption of State Law,’’ https://www.hhs.gov/hipaa/for-professionals/faq/preemption-of-state-law/. For surveys of state privacy laws and discussion of state requirements see, e.g., ‘‘50-State Survey of Health Care Information Privacy Laws,’’ supra note 107; George Washington Univ.’s Hirsh Health Law and Pol’y Program and the Robert Wood Johnson Found., ‘‘States,’’ Health Information & the Law, https://www.healthinfolaw.org/state; ‘‘TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations,’’ supra note 122.
207 See The Off. of the Nat’l Coordinator for Health Info. Tech. (ONC), ‘‘Trusted Exchange Framework and Common Agreement (TEFCA),’’ https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca.
208 See ‘‘Behavioral Health,’’ supra note 133.
209 See ‘‘Substance Abuse Confidentiality
Regulations,’’ supra note 113.
210 See ‘‘Behavioral Health,’’ supra note 133.
Comment
A commenter recommended that a
Federal electronic consent standard
should override conflicting state law.
Response
While electronic signatures are
beyond the scope of this rulemaking and
no modifications to electronic signature
requirements were proposed by the
Department, both HIPAA and part 2
permit electronic signatures for
authorizations or consents consistent
with state law. As stated in HHS
guidance, the HIPAA Privacy Rule
‘‘allows HIPAA authorizations to be
obtained electronically from
individuals, provided any electronic
signature is valid under applicable
law.’’ 211 The Department also has stated
in guidance and regulation that under
part 2 electronic signatures are
permissible.212 In 2017 the Department
revised § 2.31 ‘‘to permit electronic
signatures to the extent that they are not
prohibited by any applicable law.’’
However, the Department also advised
that ‘‘[b]ecause there is no single federal
law on electronic signatures and there
may be variation in state laws,
SAMHSA recommends that
stakeholders consult their attorneys to
ensure they are in compliance with all
applicable laws.’’ 213
The requirements for providing
consent under § 2.31 and the notice and
copy of consent to accompany
disclosure under § 2.32 could be met in
electronic form. The requirements of
§ 2.32 would not require the written
consent, copies of a written consent, or
a notice to accompany a disclosure of
part 2 records to be in paper or other
hard copy form, provided that any
required signatures obtained in
electronic form would be valid under
applicable law. This interpretation is
consistent with the Department’s
approach under the HIPAA Privacy
Rule. OCR has provided prior guidance
stating that covered entities can disclose
PHI pursuant to an electronic copy of a
valid and signed authorization, and the
211 U.S. Dep’t of Health and Human Servs., Off. for Civil Rights, ‘‘How do HIPAA authorizations apply to an electronic health information exchange environment?’’ (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/; U.S. Dep’t of Health and Human Servs., ‘‘Does the Security Rule require the use of an electronic or digital signature?’’ (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/2009/does-the-security-rule-require-the-use-of-an-electronic-signature/index.html.
212 See ‘‘Frequently Asked Questions: Applying
the Substance Abuse Confidentiality Regulations to
Health Information Exchange (HIE),’’ supra note
150.
213 82 FR 6052, 6080.
Privacy Rule allows HIPAA
authorizations to be obtained
electronically from individuals,
provided that any electronic signature is
valid under applicable law.214
Final Rule
After considering the public
comments on the relationship of part 2
to state laws we are finalizing this
section as proposed without further
modification.
Section 2.21—Relationship to Federal
Statutes Protecting Research Subjects
Against Compulsory Disclosure of Their
Identity
The Department adopts the proposal
in § 2.21(b) to reorder ‘‘disclosure and
use’’ to read ‘‘use and disclosure’’ to
better align the wording of this section
with language used in the HIPAA
Privacy Rule. A provider health system
supported the proposal and no other
comments were received on this
proposal.
Section 2.22—Notice to Patients of
Federal Confidentiality
Requirements 215
Patient Notice
Proposed Rule
Section 3221(i) of the CARES Act
required the Secretary to update the
HIPAA NPP requirements at 45 CFR
164.520 to specify new requirements for
covered entities and part 2 programs
with respect to part 2 records that are
PHI (i.e., records of SUD treatment by a
part 2 program that are transmitted or
maintained by or for covered entities).
By applying such requirements, entities
that are dually regulated by both part 2
and HIPAA would be subject to the
notice requirements. Discussed here and
consistent with our approach
throughout this rulemaking, in addition
to proposing the required updates to 45
CFR 164.520 (discussed below), we also
proposed to revise the Patient Notice at
§ 2.22.
As explained in the NPRM, to the
extent the HIPAA regulations and part
2 cover different, but often overlapping,
214 U.S. Dep’t of Health and Human Servs., Off. For Civil Rights, ‘‘How do HIPAA authorizations apply to an electronic health information exchange environment?’’ https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/.
215 In the NPRM, we included a detailed
discussion of proposed modifications to HIPAA
Privacy Rule 45 CFR 164.520, Notice of privacy
practices for protected health information, in
addition to modifications proposed to § 2.22, Notice
to Patients of Federal Confidentiality. Here, we
include a brief explanation that HIPAA Privacy
Rule proposed modifications and public comments
will be considered in a separate rulemaking.
sets of regulated entities, and the HIPAA
NPP offers more robust notice
requirements than the Patient Notice,
the Department proposed to modify
§ 2.22 to provide the same information
to patients of part 2 programs as
individuals receive under the HIPAA
Privacy Rule. The Department’s
proposed modifications to the Patient
Notice would also restructure it to
substantially mirror the structure of the
HIPAA NPP but exclude those elements
that are inapplicable to part 2 programs.
The specific proposed changes are
described in detail in the NPRM and set
forth below following the discussion of
general comments.
Overview of Comments
The Department received more
comments about its approach to
modifying the Patient Notice to align
with the HIPAA NPP than comments
about specific elements of the proposed
notice. Some commenters supported
aligning part 2 Patient Notice
requirements with the HIPAA NPP.
Other commenters expressed concerns,
asked for clarity on certain specific
proposed requirements, or urged the
Department to provide resources or
examples to support compliance.
Response
We appreciate the comments about
the proposed changes and discuss our
response to specific concerns expressed
by commenters below.
Patient Understanding
Comment
Some commenters questioned
whether the Patient Notice would
ensure part 2 patients, programs, and
recipients of part 2 records understand
how part 2 records will be used,
disclosed, and protected. Such
requirements, these commenters said,
should be delineated in easy-to-understand wording in the patient’s
primary language. One commenter,
describing their experiences as a patient
and professional, said that they were not
educated about the consent forms or
what they were disclosing and their
rights.
Some commenters expressed concern
that patients may not understand the
revised notices, suggesting that the
Department’s approach could lead to
additional downstream disclosures and
legal consequences for patients even as
it supported care coordination. A
medical professionals association also
emphasized its view that the
Department should ensure standard and
easily understandable notices of privacy
practices. Other commenters suggested
the Patient Notices be simplified and
streamlined such as limiting notices to
one page or gearing notices to a fifth-grade reading level. A state agency
suggested that the Patient Notice adhere
to language and disability access
standards to the extent required under
HIPAA. A privacy association opined
that the proposed rule allows a patient
to consent to a broad range of TPO
disclosures, but also notes that SUD
patients may at times lack capacity to
understand the Patient Notice. These
challenges may also apply to
understanding consents and to
managing revocation of consents.
However, the association believes that
this result is dictated by the statute
rather than the Department’s approach
in the NPRM. A county government also
expressed its view that it is difficult to
provide these notices when the patient
is undergoing detoxification or
treatment for a SUD.
Response
We appreciate these comments. We
mirrored required elements of the
HIPAA NPP in the Patient Notice
because we believe that patients have
become familiar with it and to reflect
the closer alignment between part 2 and
HIPAA in the final rule. We have
provided further clarification
concerning the substantive alignment of
part 2 and HIPAA requirements through
responses to public comments in several
other sections of the final rule. The
Department recognizes that outreach
and further guidance will be needed
both to persons with SUD and to
providers in connection with the final
rule. The Department will continue to
monitor the response to part 2 in the
SUD treatment community and will
provide clarification of the final rule as
needed. We discuss patients who lack
capacity to make health care decisions
in § 2.15 above.
Single or Streamlined Form
Comment
Commenters expressed different
views as to whether they preferred using
a single document or separate HIPAA
and part 2 notices to provide notice
statements to patients to aid compliance
and patient understanding. One public
health agency asked HHS to confirm
that a single notice of privacy practices
can fulfill both part 2 and HIPAA
obligations. Some commenters said that
for them a single notice of privacy
practices would reduce burdens or be
the most effective way to convey
privacy information to patients without
creating unnecessary confusion and
burden through excessive paperwork
and asked for confirmation this was
permitted. An academic health center
supported covered entities which have
part 2 programs using one NPP
addressing key elements of the HIPAA
NPP such as a Header, Uses and
Disclosures, Individual Rights. If a joint
notice is acceptable, a commenter asked
that proposed 42 CFR 2.22(b)(1)(i) be
updated to note that the 45 CFR
164.520(b)(1)(v)(C) header may be used
in a combined notice. A trade
association and health plan supported
part 2 notices including elements of the
HIPAA NPP such as a description of the
permitted uses and disclosures of part 2
records, the complaint process, and the
patient’s right to revoke their consent
for the part 2 program to disclose
records in certain circumstances.
Response
We have stated both in HIPAA and
part 2 guidance that notices for different
purposes may be separate or joint/
combined so long as the required
elements are included.216 Thus, either
using separate HIPAA, state law, or part
2 notices or combining these notices
into one form would be acceptable so
long as all required elements are
included.
Comment
Commenters also urged the
Department to support a simplified or
streamlined Patient Notice. One
advocacy organization characterized the
proposed notice as unwieldy and overly
detailed for both patients seeking to
understand their rights and covered
entities. The Department should
streamline both notices and develop
model Patient Notices as it has done for
HIPAA NPPs. A health plan encouraged
the Department to align with the HIPAA
Privacy Rule by developing two
versions of the part 2 model notice
language: (a) the minimum necessary
additional language/verbiage, which
would be required to be added to an
existing HIPAA NPP for entities which
already are subject to that requirement;
and (b) a notice similar to what is in the
proposed rule for entities which do not
already have a notice.
Other commenters urged the
Department to develop notice templates
or model forms in multiple languages. A
state agency supported the HIPAA
NPP’s being translated, at a minimum,
into the top three languages for a
provider’s client population. One
216 See U.S. Dep’t of Health and Human Servs., ‘‘Notice of Privacy Practices for Protected Health Information’’ (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html; ‘‘Substance Abuse Confidentiality Regulations,’’ supra note 113.
commenter asked the Department to
develop at least two example Patient
Notices—one directed at providers, and
the other directed at payers and health
coverage issuers. Another commenter
suggested that model Patient Notices
were needed for a HIPAA covered entity
that has an existing HIPAA NPP and
therefore HHS should create a minimal
addendum or template which highlights
any additional language specifically
required to be added to that existing
HIPAA NPP relative to this rule. The
commenter also urged the Department
to develop a Patient Notice template for
third-party payers or other entities
which may not already use a HIPAA
NPP. Commenters urged that given the
HIPAA enforcement proposal, there
should be a safe harbor for using these
standard notices.
Response
We appreciate this comment and
understand the value of having a sample
or model notice that incorporated the
changes finalized in this rule. The
Department may, at a future time,
develop sample templates and forms to
support compliance with § 2.22. We also
note that this final rule provides 24
months from the date of publication for
compliance with its provisions.
Administrative Burdens
Comment
The Department received several
comments stating that proposed changes
to the part 2 notice would either reduce
or increase part 2 program, provider, or
covered entity burdens. While part 2
programs and covered entities would
need to update both the Patient Notice
and the HIPAA NPP, the benefits
outweighed the burdens, according to
some commenters. One commenter
asked HHS to clarify that § 2.22 only
applies to part 2 programs that are not
subject to HIPAA. Another commenter
said that as a dually regulated entity it
believed that aligning these two notices
will reduce dually regulated entities’
burden of compliance, and improve
patient understanding by reducing the
amount of reading required. The
commenter said updating notices
concurrently would reduce their
burden. Many commenters said
examples of the updated HIPAA NPP
and Patient Notice would be helpful and
reduce their administrative burdens.
Others also suggested the Department
reduce administrative burdens and
improve compliance by providing
educational resources and templates to
providers and patients and work with
advocacy organizations to ensure the
notice requirements are understood by
patients and practical for providers.
Another commenter supported the
proposed changes, stating that it
anticipated an additional administrative
burden on part 2 programs which are
not covered by HIPAA but limited
impact or additional burden on those
part 2 programs covered by HIPAA. One
commenter similarly described what it
viewed as potential burdens but said
that for entities which are both part 2
programs and covered entities, a portion
of the burden would be offset by the
ability to have consistent policies and
procedures given the new alignment
between the part 2 rules and the HIPAA
regulations. A medical professionals
association, while supporting alignment
of the part 2 notice with the HIPAA
NPP, suggested there would be an
additional burden in modifying the
HIPAA NPP for physician practices,
especially small practices and those in
rural areas.
Response
The Department detailed its analysis
of potential costs and benefits in the
NPRM and in the RIA below. As we
earlier noted, we are finalizing the part
2 Rule only at this time. The
Department intends to publish the
CARES Act required revisions to the
HIPAA NPP provision (45 CFR 164.520)
as part of a future HIPAA rulemaking.
Thus, this final rule focuses only on
changes to the Patient Notice under
§ 2.22. We intend to align compliance
dates for any required changes to the
HIPAA NPP and part 2 Patient Notice to
enable covered entities to make such
changes at the same time.
After both this rule and the
forthcoming HIPAA Privacy Rule
changes are finalized, while entities
initially may require time to update the
content of the Patient Notice and HIPAA
NPP, commenters stated many part 2
programs, such as those that also are
covered entities, may be able to save
time and patients may benefit from
enhanced protections offered by the
revised notices. The Department
acknowledges that some smaller, rural,
or other types of practices may face
increased burdens relative to larger
entities, though this may not be true in
all cases as many smaller practices or
providers may also have familiarity both
with HIPAA and part 2. After this rule
is finalized, the Department may
develop template/model forms or other
guidance.
Notifying Patients
Comment
Some commenters expressed concerns
about notifying patients of new or
updated notices. A medical
professionals association expressed
concern that the notification process as
described in the NPRM may be
problematic for those patients who lack
mailing addresses and substitute notice
by publication still might not be
sufficient to inform patients about
release of their records.
Response
We appreciate the comments and
acknowledge that updating the Patient
Notice will create some burden for part
2 programs, as may copying and mailing
costs; however, we believe that the
burdens will be balanced by the overall
burden reduction as a result of the
decreased number of consents that are
required for routine uses and
disclosures. Section 2.22 as revised in
this rule requires part 2 programs to
notify patients when requirements that
pertain to a patient’s treatment have
materially changed. It specifically
requires the updated Patient Notice to
be provided by the first day the health
care is provided to the patient after the
compliance date for the program, or for
emergency treatment as soon as
reasonably practicable after the
emergency. The Department’s stated
intention to hold in abeyance updates to
the HIPAA NPP pending a future
rulemaking does not negate the
Department’s expectation that part 2
programs will comply with the
requirements in § 2.22. However, as
explained above, we intend to align
compliance dates for any required
changes to the HIPAA NPP and part 2
Patient Notice to enable covered entities
to make such changes at the same time.
Recommendations To Change the
Proposal
Comment
One commenter noted that the
proposed Patient Notice did not include
notice that patients could obtain copies
of their records at limited costs or, in
some cases, free of charge. The
commenter stated that, although §§ 2.22
and 2.23 do not require a part 2 program
to give a patient the right to inspect or
get copies of their records, the
Department should use the general
regulatory authority of the CARES Act
(section 3221(i)(1)) to require part 2
programs to allow patients to inspect or
get copies of their records. This
commenter supported the Patient Notice
statement describing the duties of part
2 programs with respect to part 2
records even though it is not required by
42 U.S.C. 290dd–2.
Response
The commenter is correct that these
regulations do not create a patient right
of access to their records analogous to
the HIPAA Privacy Rule right of
access.217 We discuss patient access and
restrictions on use and disclosure in
§ 2.23.
Comment
A commenter requested modification
of the section of the notice pertaining to
complaints so that complaints may be
filed ‘‘either to the Part 2 Program or the
Secretary’’ rather than to the program
and the Secretary. Requiring the patient
to complain to both entities may
intimidate the patient especially if they
are dependent on the part 2 program for
employment, child welfare, or criminal
justice purposes, the commenter
asserted.
Response
As we state in § 2.4 (Complaints of
noncompliance), a person may file a
complaint with the Secretary for a
violation of this part by a part 2
program, covered entity, business
associate, qualified service organization,
or other lawful holder but is not
compelled to file a complaint of
violation both with the Secretary and
the part 2 program. This ‘‘no wrong
door’’ approach mirrors the language in
the HIPAA NPP for the HIPAA Privacy
Rule, and OCR has continued to receive
thousands of privacy complaints
annually. A patient who files a
complaint with a provider may or may
not receive a response, and we do not
believe a patient should be required to
wait before bringing their complaints of
noncompliance to the Department’s
attention. Further, many complaints
filed with the Department are readily
resolved through voluntary compliance
and technical assistance to aid the
entity’s compliance with the regulation.
Thus, we do not believe it will overly
burden part 2 programs to allow
patients to file complaints directly with
the Department.
Final Rule
Header
The Department proposed to require a
header for the Patient Notice that would
be nearly identical to the header
required in the HIPAA NPP (and as
proposed for amendment in the NPRM)
at 45 CFR 164.520(b)(1)(i) except where
217 See ‘‘Individuals’ Right under HIPAA to
Access their Health Information 45 CFR 164.524,’’
supra note 159.
necessary to distinguish components of
the notice not applicable to 42 CFR part
2. For example, the Patient Notice that
would be provided pursuant to this part
would not include notice that patients
could exercise the right to get copies of
records at limited costs or, in some
cases, free of charge, nor would it
provide notice that patients could
inspect or get copies of records under
HIPAA.
The final rule adopts the header as
proposed without modification.
Uses and Disclosures
The Department is finalizing its
proposal, without modification, to
require a part 2 program to include in
its Patient Notice descriptions of uses
and disclosures that are permitted for
TPO, are permitted without written
consent, or will only be made with
written consent. The Department is
finalizing its proposed requirement that
a covered entity that creates or
maintains part 2 records include
sufficient detail in its Patient Notice to
place the patient on notice of the uses
and disclosures that are permitted or
required. Although, as stated in the
NPRM, the Department believes section
3221(k)(4) of the CARES Act—stating
that certain de-identification and
fundraising activities should be
excluded from the definition of health
care operations—has no legal effect as a
Sense of Congress, the Department will
finalize its proposed new paragraph
(b)(1)(iii) in § 2.22. This provision
requires that a part 2 program provide
notice to patients that the program may
use and disclose part 2 records to
fundraise for the program’s own behalf
only if the patient is first provided with
a clear and conspicuous opportunity to
elect not to receive fundraising
communications. This new notice
requirement is consistent with the
requirement at § 2.31(a)(5)(iii) in which
a part 2 program, when obtaining a
patient’s TPO consent, must provide the
patient the opportunity to elect not to
receive fundraising communications.
Rather than referring to ‘‘the HIPAA
Privacy Rule’’ we instead refer in this
rule to ‘‘HIPAA regulations’’ to describe
the redisclosure permission applicable
to part 2 programs, covered entities, and
business associates following an initial
disclosure based on a TPO consent. We
believe this modification to what we
initially proposed is consistent with our
incorporation of the new defined term
‘‘HIPAA regulations’’ into part 2.
Patient Rights
The Department is finalizing its
proposal, with further modification, to
require that a part 2 program include in
the Patient Notice statements of
patients’ rights with respect to part 2
records. The structure mirrors the
statements of rights required in the
HIPAA NPP for covered entities and PHI
but is based on amended 42 U.S.C.
290dd–2 and patient rights under the
final rule. The patient rights listed
include, for example, the rights to:
• Request restrictions of disclosures
made with prior consent for purposes of
TPO, as provided in 42 U.S.C. 290dd–2(b)(1)(C).
• Request and obtain restrictions of
disclosures of part 2 records to the
patient’s health plan for those services
for which the patient has paid in full,
in the same manner as 45 CFR 164.522
applies to restrictions of disclosures of
PHI.
• Obtain an electronic or nonelectronic copy of the notice from the
part 2 program upon request.
• Discuss the notice with a
designated contact person identified by
the part 2 program pursuant to
paragraph 45 CFR 164.520(b)(1)(vii).
• A list of disclosures by an
intermediary for the past 3 years as
provided in 42 CFR 2.24.
• Elect not to receive any fundraising
communications.
Part 2 Program’s Duties
The Department is finalizing its
proposal, without modification, to
incorporate into the Patient Notice
statements describing the duties of part
2 programs with respect to part 2
records that parallel the statements of
duties of covered entities required in the
HIPAA NPP with respect to PHI.
Although this change is not required by
42 U.S.C. 290dd–2, the statement of
duties would put patients on notice of
the obligations of part 2 programs to
maintain the privacy and security of
part 2 records, abide by the terms of the
Patient Notice, and inform patients that
it may change the terms of a Patient
Notice. The Patient Notice also would
include a statement of the new duty
under 42 U.S.C. 290dd–2(j) to notify
affected patients following a breach of
part 2 records.
Complaints
The Department is finalizing its
proposal, without modification, to
require that a part 2 program inform
patients, in the Patient Notice, that the
patients may complain to the part 2
program and Secretary when they
believe their privacy rights have been
violated, as well as a brief description
of how the patient may file the
complaint and a statement that the
patient will not be retaliated against for
filing a complaint. We are finalizing the
new provision that patients may
complain to the Secretary as well as the
part 2 program. These changes support
the implementation of the CARES Act
enforcement provisions, which apply
the civil enforcement provisions of
section 1176 of the Social Security Act
to violations of 42 U.S.C. 290dd–2.
Contact and Effective Date
The Department is finalizing its
proposal, without modification, to
require that the Patient Notice provide
the name or title, telephone number,
and email address of a person or office
a patient may contact for further
information about the part 2 Notice, and
information about the date the Patient
Notice takes effect. We intend to align
compliance dates for any required
changes to the HIPAA NPP and part 2
Patient Notice to enable covered entities
to make such changes at the same time.
Optional Elements
The Department is finalizing its
proposal, without modification, to
incorporate into the Patient Notice the
optional elements of a HIPAA NPP,
which a part 2 program could include
in its Patient Notice. This provision
permits a program that elects to place
more limits on its uses or disclosures
than required by part 2 to describe its
more limited uses or disclosures in its
notice, provided that the program may
not include in its notice a limitation
affecting its ability to make a use or
disclosure that is required by law or
permitted to be made for emergency
treatment.
Revisions to the Patient Notice
The Department is finalizing the
proposal, without modification, to
require that a part 2 program must
promptly revise and distribute its
Patient Notice when there has been a
material change and provide that,
except when required by law, such
material change may not be
implemented prior to the effective date
of the Patient Notice.
Implementation Specifications
The Department is finalizing its
proposal, without modification, to
require that a part 2 program provide
the § 2.22 notice to anyone who requests
it and provide it to a patient not later
than the date of the first service
delivery, including where first service is
delivered electronically, after the
compliance date for the Patient Notice.
This provision also would require that
the notice be provided as soon as
reasonably practicable after emergency
treatment. If the part 2 program has a
physical delivery site, the notice would
have to be posted in a clear and
prominent location at the delivery site
where a patient would be able to read
the notice in a manner that does not
identify the patient as receiving SUD
treatment, and the Patient Notice would
need to be included on a program’s
website, where available. These
provisions would parallel the current
requirements for provision of the
HIPAA NPP by HIPAA-covered health
care providers.
45 CFR 164.520 HIPAA Notice of
Privacy Practices
In the NPRM, we proposed to update
the HIPAA NPP requirements consistent
with requirements in the CARES Act
using plain language that is easily
understandable. We also proposed
additional updates consistent with
changes to the HIPAA NPP we proposed
in January 2021 (Proposed
Modifications to the HIPAA Privacy
Rule To Support, and Remove Barriers
to, Coordinated Care and Individual
Engagement).218 This part 2 final rule
adopts changes to the part 2 Patient
Notice only; it does not include
finalized changes to the HIPAA NPP in
45 CFR 164.520. The Department
intends to publish modifications to 45
CFR 164.520 as part of a future HIPAA
rulemaking. Comments received
regarding changes to the HIPAA NPP
proposed in the 2022 NPRM will be
addressed when those changes are
published as part of a HIPAA final rule.
As we consider public comments
received related to the HIPAA NPP, we
intend to carefully consider the progress
made by affected entities working to
implement changes to the Patient
Notice.
Section 2.23—Patient Access and
Restrictions on Use and Disclosure
Proposed Rule
In addition to the paragraph (b)
changes discussed above in the ‘‘use’’ or
‘‘disclosure’’ section, the Department
proposed wording changes to paragraph
(b) to improve readability and to replace
the phrase ‘‘this information’’ with
‘‘records,’’ which more accurately
describes the scope of the information to
which the regulation applies. The
comments and the Department’s
responses regarding § 2.23 are set forth
below.
Comment
While not proposed in the NPRM, a
few commenters suggested adding a
patient right to direct copies of PHI to
a third party, as follows: (1) to define a
right to direct copies to prevent
218 See 86 FR 6446.
unintended parties from receiving
records; (2) to allow covered entities to
restrict or refuse requests from any
entity that are not the individual or an
entity authorized by the individual; and
(3) to create a patient right to direct a
copy of records to third parties without
a consent form to align with HIPAA.
Response
We appreciate the suggestion to create
a patient right to direct copies of PHI to
a third party; however, that suggestion
is outside the scope of the current
rulemaking.
Comment
While not proposed in the NPRM, a
few commenters also suggested creating
a right of access for part 2 records to
afford part 2 patients the same rights as
individuals under the HIPAA Privacy
Rule.
Response
We appreciate the suggestion to create
a right of access for part 2 records and
the intent to provide equity for those
being treated for SUD with respect to
their patient rights compared to the
rights for patients with other health
conditions under HIPAA. This proposal
falls outside the scope of the part 2
rulemaking and we did not propose this
change or request comment on this topic
in the NPRM; therefore, there is not an
adequate foundation for adopting a right
of access in the final rule.
The HIPAA Privacy Rule established
for an individual the right of access to
their PHI in a designated record set. The
HIPAA right of access applies to records
created by a part 2 program that is also
a covered entity as well as part 2 records
received by a covered entity.219 For part
2 programs that are not covered entities,
§ 2.23 does not prohibit a part 2 program
from giving a patient access to their own
records, including the opportunity to
inspect and copy any records that the
part 2 program maintains about the
patient.
Comment
One commenter recommended that
the Department not adopt the changes
proposed to the right of access in its
2021 HIPAA NPRM on coordination of
care 220 because the proposed changes
‘‘would create new pathways for third
parties to easily access patient health
information through personal health
apps with little to no requirements for
patient education and consent, thus
eroding longstanding privacy
219 See ‘‘Individuals’ Right under HIPAA to
Access their Health Information 45 CFR 164.524,’’
supra note 159.
220 86 FR 6446.
protections and increasing burden on
providers.’’
Response
We appreciate the comment; however,
the topic is outside the scope of the
current rulemaking.
Comment
One commenter appreciated knowing
that once they receive SUD records, the
records become PHI and are subject to
the access requirements in the HIPAA
Privacy Rule.
Response
We appreciate the comment. We
clarify that when part 2 records are
received by or for a covered entity and
are part of a designated record set they
become PHI and are subject to the
HIPAA Privacy Rule access
requirements. Generally, the HIPAA
Privacy Rule gives individuals the right
to access all of their PHI in a designated
record set.221 A ‘‘designated record set’’
is a group of records maintained by or
for a covered entity that are a provider’s
medical and billing records, a health
plan’s enrollment, payment, claims
adjudication, and case or medical
management record systems, and any
other records used, in whole or in part,
by or for the covered entity to make
decisions about individuals.222 A
covered entity’s part 2 records usually
fall into one of these categories and thus
are part of the designated record set.
This is true when a part 2 program is a
covered entity, as well as when a
covered entity receives part 2 records
but is not a part 2 program. As such, the
records held by a covered entity are
subject to the HIPAA Privacy Rule’s
right of access requirements.
Comment
One commenter expressed concerns
about any access or disclosures that
could subject part 2 patients to criminal
charges.
Response
We appreciate this comment. The
revisions to § 2.23 clarify the existing
prohibition on use and disclosure of
information obtained by patient access
to their record for purposes of a criminal
charge or criminal investigation of the
patient.
Comment
One commenter believed that the
Department was proposing to remove
the written consent requirement for
patient access to their own records.
221 See 45 CFR 164.524.
222 See 45 CFR 164.501 (definition of ‘‘Designated record set’’).
Response
Section 2.23 does not require a part 2
program to obtain a patient’s written
consent or other authorization to
provide access by the patient to their
own records, and the final rule is not
changing this. Thus, the ability of a
patient to obtain access to their record
without written consent will be
maintained.
Final Rule
The final rule adopts all proposed
modifications to § 2.23(b), without
further modification.
Section 2.24—Requirements for
Intermediaries
Proposed Rule
The Department proposed to address
the role of intermediaries by: (a) creating
a regulatory definition of the term in
§ 2.11; (b) reorganizing the existing
requirements for intermediaries and
redesignating that provision as § 2.24;
and (c) clarifying in § 2.31(a)(4)(ii)(B)
how a general designation in a consent
for use and disclosure of records to an
intermediary would operate. The
definition as proposed would read as
follows: Intermediary means a person
who has received records under a
general designation in a written patient
consent to be disclosed to one or more
of its member participant(s) who has a
treating provider relationship with the
patient. The current part 2 consent
requirements in § 2.31 contain special
instructions when making a disclosure
to entities that fall within the proposed
definition of intermediary: the consent
must include the name of the
intermediary and one of the following:
(A) the name(s) of member participant(s)
of the intermediary; or (B) a general
designation of a participant(s) or class of
participants, which must be limited to
a participant(s) who has a treating
provider relationship with the patient
whose information is being disclosed.
The NPRM proposed to replace ‘‘entities
that facilitate the exchange of health
information and research institutions’’
with ‘‘intermediaries’’ and add ‘‘used
and’’ before ‘‘disclosed’’ in § 2.31.
Comment
We received comments both
supporting and opposing the
Department’s proposal to define
‘‘intermediary’’ and retain consent
requirements for disclosures to
intermediaries. Most HIEs/HINs and
health IT vendors that commented on
this set of proposals expressed concern
about our changes. Opposing
commenters stated their views that the
special provisions for intermediaries
were a holdover from before the CARES
Act and were inconsistent with its
alignment of part 2 and HIPAA,
especially with regard to the new
provision to allow a single consent for
all future TPO. Some commenters
suggested that the CARES Act may
require the Department to remove the
intermediary provisions. Other
commenters believed that these
provisions did not support care
coordination or were inconsistent with
allowing a single consent for TPO.
Commenters asked that we revise the
HIPAA definition of ‘‘covered entity’’ to
include examples of the intermediaries
and remove the part 2 definition of
‘‘intermediary’’; exclude business
associates, health IT vendors, or health
plans from the part 2 definition of
intermediary; expressly allow
intermediaries to disclose for TPO;
expressly allow HIEs and HIE
participants to be listed in a general
designation in the consent for
disclosures for TPO; and clarify what
types of HIEs or health IT vendors are
included in the definition (because
some HIE technology or EHR software
does not maintain data or have access to
it when exchanging data between
systems).
One commenter asserted that the
CARES Act neither defines nor uses the
term ‘‘intermediary’’ and the
Department should instead rely upon
established terms of ‘‘covered entity,’’
‘‘business associate,’’ and part 2
‘‘programs.’’ Another commenter
believed the NPRM created a ‘‘two-tiered’’ system that perpetuates
discrimination because patients with
SUD cannot reap the benefits of
integrated care that is facilitated by
shared electronic records. A health plan
said that there would not be sufficient
oversight of intermediaries under the
proposed definition because they
include entities that are not subject to
HIPAA.
One commenter, a health plan
association, asserted that business
associates should be carved out from the
definition of ‘‘intermediary’’ as most
are already defined as covered entities or
business associates under HIPAA.
Others agreed that the role of
intermediaries such as HIEs/HINs or
ACOs should be carved out from this
definition. A few HIE commenters
viewed requirements for intermediaries
as based on 2017 rule changes, in which
the Department attempted to limit those
instances when a general designation
consent could be used without
specifically naming the persons entitled
to receive the part 2 record.
Additionally, the 2017 rule changes
layered on additional accounting and
consent requirements that—together
with the operational challenge of
determining when and whether a
downstream entity has a ‘‘treating
provider relationship’’ with the
patient—resulted in low adoption due
to the technical and administrative
challenges in implementing these
requirements and limitations. A county
department argued that there is no
analog to intermediary within HIPAA,
thus these changes are inconsistent with
the CARES Act effort to foster closer
alignment between HIPAA and part 2.
Response
We appreciate input from commenters
and have made changes in response to
their expressed concerns. Our final
definition of ‘‘intermediary’’ in
§ 2.11 includes ‘‘a person, other than a
program, covered entity, or business
associate, who has received records
under a general designation in a written
patient consent to be disclosed to one or
more of its member participant(s) who
has a treating provider relationship with
the patient.’’ We also are finalizing
provisions that an intermediary must
provide to patients who have consented
to the disclosure of their records using
a general designation, pursuant to
§ 2.31(a)(4)(ii)(B), a list of persons to
whom their records have been disclosed
pursuant to the general designation.
These changes will implement the
CARES Act consent provisions by
permitting HIEs that are business
associates to receive part 2 records
under a broad TPO consent and
redisclose them consistent with the
HIPAA regulations. These changes also
will encourage HIEs to accept part 2
records and include part 2 programs as
participants, facilitate integration of
behavioral health information with
other medical records, and reduce
burdens on business associates that
serve as HIEs. Our final rule also is
consistent with previous SAMHSA
guidance to ensure part 2 data
exchanged by HIEs remains subject to
protection under this final rule.223
Comment
According to one commenter, if a
patient signed a consent form
designating ‘‘my health plan’’ as the
recipient, the part 2 program would be
permitted to disclose such information
directly to the health plan but would be
prohibited from disclosing that
information to the very same health
plan if the disclosure was made via an
223 See U.S. Dep’t of Health and Human Servs., ‘‘Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?’’ https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf.
intermediary without specifically
naming the intermediary and the health
plan. This approach could thus impede
operations of HIEs/HINs.
Response
We agree with the commenter’s
concerns that the proposed consent
requirements for intermediaries may
impede HIEs/HINs. The finalized
definition of intermediary in § 2.11
excludes part 2 programs, covered
entities, and business associates. This
approach should help remove barriers to
HIEs’/HINs’ inclusion of part 2 records
from part 2 programs that are also
covered entities. As noted, we believe
excluding business associates, in
particular, will encourage HIEs to accept
part 2 records and include part 2
programs as participants and reduce
burdens on business associates that
serve as HIEs.
Comment
One HIE commenter said that the
NPRM provides an example of an
intermediary being an electronic health
vendor that enables entities at two
different health systems to share records
and would be bound by the
requirements proposed under § 2.24.
However, that same vendor would not
be an intermediary when used by
employees in different departments of a
hospital to access the same patient’s
records. The commenter finds this
confusing and seeks clarification on the
definition of intermediary and their
associated requirements. Another
commenter, a health IT vendor, also
questioned our example in the NPRM
claiming that the developer of the
product used in an exchange of
information is no more an intermediary
to the exchange than the manufacturer
of a fax machine is an intermediary to
information faxed from one place to
another. The EHR vendor described in
the NPRM should only be considered an
intermediary when it controls the
exchange of health records between
systems using its software or when it
serves as the recipient of records.
Response
We acknowledge that some
commenters may have found this NPRM
example confusing. We believe our
revised definition and changes to § 2.24
help clarify the role of intermediaries.
We have in the NPRM and other past
rules and guidance cited HIEs/health
information networks or ‘‘HINs,’’ ACOs,
coordinated care organizations, care
management organizations, and research
institutions as examples of
intermediaries but this may be a fact-specific inquiry.224
Comment
Other comments on the proposal
addressed the role of community-based
organizations (CBOs), such as those
providing services to people
experiencing homelessness. A few
commenters requested that such CBOs
be considered as intermediaries, and
one pointed out that the limitation on
sharing part 2 records through an
intermediary would likely result in
limiting the sharing of records with
CBOs via an HIE because CBOs are not
treating providers. A county HIE said
that it fosters data sharing across dozens
of health care providers, managed care,
and CBOs to enable better care
coordination and to address social
determinants of health. The county
asserted that allowing part 2 records to
be shared based on a single consent for
TPO would be ‘‘deeply enhanced by
pairing it with the technology of an
HIE.’’
Response
We have noted the definition of
‘‘intermediary’’ and examples above. An
intermediary may be named in a general
designation in § 2.31(a)(4) though
special instructions apply to such use.
Under the final rule, we have excluded
business associates, part 2 programs,
and covered entities from the definition
of ‘‘intermediary’’ in § 2.11. Thus, HIEs
that meet the definition of ‘‘business
associates’’ are not intermediaries.
Part 2 programs, covered entities, and
business associates (notably HIEs) are
permitted to disclose records for TPO
under the new TPO consent
requirements and redisclose records as
permitted by the HIPAA Privacy Rule
once a consent for all future uses and
disclosures for TPO is obtained.
Accordingly, when a part 2 program that
is a covered entity discloses records
through an HIE, the intermediary
consent requirements under § 2.31(a)(4)
do not apply because the HIE would be
serving as a business associate of the
part 2 program/covered entity, and as a
business associate the HIE would be
excluded from the definition of
‘‘intermediary.’’ We believe that part 2
programs that rely on HIEs are those
most likely to be covered entities and to
benefit from the narrowed definition of
intermediary in the final rule.
Comment
A commenter said that the definition of
‘‘intermediary’’ is broad enough that a
224 Id. See also, 87 FR 74216, 74224; 82 FR 6052,
6055.
primary care provider connecting a
patient (and a patient’s part 2 records)
from one program to another could be
seen as an intermediary. This
commenter seeks guidance on the
relationship between part 2 programs
and intermediaries, and what
unintended consequences the
Department is seeking to avoid. The
commenter suggests collaboration with
ONC to leverage TEFCA, as there seems
to be overlap between what constitutes
an intermediary and how ONC defines
a Qualified Health Information Network
under TEFCA.
An insurance association referenced
TEFCA and said that it is expected to be
operating this year, creating a national
network for health care information
exchange among both HIPAA covered
and non-HIPAA covered entities. The
part 2 rule, the association said, should
be structured to ensure data can be
seamlessly shared among covered
entities for TPO and other purposes
designated in an individual’s consent.
However, the commenter believed that
robust privacy protections for part 2
records remain critical for all entities
involved in health data exchanges. The
TEFCA processes are building in
governance and operating requirements
parallel to the HIPAA privacy and
security requirements for all
participants in the system even if they
are not covered entities under the law
to ensure robust protections no matter
what role the entity plays. The
commenter was concerned that a single
weak link in the chain could
compromise the entire system.
The commenter also stated that
activities by HIEs that go beyond the
role of a ‘‘basic conduit’’ should come
with commensurate responsibilities for
data protections. Therefore, the
commenter questioned the definition of
‘‘intermediary’’ as proposed, asserting
that it would minimize the
accountability of these entities.
Response
We appreciate input from commenters
on the role of HIEs and TEFCA. ONC,
OCR, SAMHSA and others are
collaborating to support participation in
TEFCA and implementation of health IT
and EHRs within the behavioral health
sector.225 When an HIE is acting as a
business associate to a part 2 program
that is also a covered entity, it would
not be considered an ‘‘intermediary’’ as
defined in this final rule because we
have excluded business associates
(along with programs and covered
entities) from the definition. An HIE
that is a ‘‘business associate’’ is subject
225 See ‘‘Behavioral Health,’’ supra note 133.
to certain HIPAA requirements,
including safeguards under the HIPAA
Security Rule.226
For clarity, we also explain here that
the exclusion of business associates
from the ‘‘intermediary’’ definition in
§ 2.11 results in far fewer entities being
subject to intermediary consent
requirements under § 2.31(a)(4) and the
list of disclosures obligations under
§ 2.24 because most HIEs—which were
the most typical example of an
intermediary—are business associates.
A QSO—which is analogous to a
business associate for a part 2
program—is only considered an
intermediary when it is providing
services to a program that is not a
covered entity. We believe that part 2
programs that are covered entities are
those most likely to make use of HIE
services and that the burden reduction
on HIE business associates in this final
rule may incentivize them to accept part
2 records into their systems more
frequently than under the existing part
2 regulation.
Comment
SUD recovery organizations
recommended modifying the proposed
definition of ‘‘intermediary’’ to also
include ‘‘a member of the intermediary
named in the consent,’’ rather than
limiting it to members of the
intermediary that have a treating
provider relationship with the patient.
A state data agency urged us to add
intermediaries and other lawful holders
to the language of § 2.12(d)(2)(ii), which
permitted a non-part 2 treatment
provider who receives part 2
information to record it without it
becoming a part 2 record, so long as any
part 2 records they receive are
segregated from other health
information.
Response
Section 2.12(d)(2)(ii) applies to
persons who receive records directly
from a part 2 program or other lawful
holder of patient identifying
information and who are notified of the
prohibition on redisclosure in
accordance with § 2.32. We are
finalizing a modification to this
provision to expressly state that: ‘‘[a]
program, covered entity, or business
associate that receives records based on
a single consent for all treatment,
payment, and health care operations is
not required to segregate or segment
such records.’’ Thus, an HIE that is a
business associate of a covered entity
226 See U.S. Dep’t of Health and Human Servs.,
‘‘Business Associates’’ (May 24, 2019),
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/.
that operates a part 2 program cannot,
by definition, be an intermediary, and
thus would not be required to segregate
the part 2 records they receive.
However, the records would still be
considered part 2 records (as well as
PHI) and there is a continuing obligation
to protect the records from use or
disclosure in proceedings against the
patient.
Because the concept of intermediary
by its nature is limited to organizations
that mediate the interactions between a
program and an intended recipient of
records, it would not be practical to
include in the definition of
‘‘intermediary’’ language concerning ‘‘a
member of the intermediary named in
the consent.’’
Comment
Several commenters requested
clarification of certain aspects of the
proposal, such as: whether entities
already subject to HIPAA are included
as intermediaries; whether QSOs can
serve as intermediaries and how the
QSO role would fit into the
requirements; whether the intermediary
definition is limited to facilitating
access for treatment purposes or
whether the definition contemplates
facilitating access for other purposes
(e.g., for payment purposes, patient
access, etc.); and which entities have the
responsibility for the required list of
disclosures and exactly which
responsibilities related to that
requirement. One commenter requested
that the Department expressly clarify
that QSOs are not intermediaries since
QSOs do not receive records under a
general designation in a written patient
consent, but rather they receive records
through a QSOA.
Response
We discuss our changes to the
definition of ‘‘intermediary’’ here and in
§ 2.11. As noted, in response to public
comments we are excluding covered
entities, business associates, and part 2
programs from the definition of
‘‘intermediary.’’ Further, the
‘‘intermediary’’ definition is not, in and
of itself, expressly limited to facilitating
access for treatment purposes; however,
by the operation of the consent
requirement in § 2.31, the use of
intermediaries is generally limited to
facilitating the exchange of records
among treating providers. The final rule
definition of ‘‘qualified service
organization’’ includes a person who
meets the definition of ‘‘business
associate’’ in 45 CFR 160.103, for a part
2 program that is a covered entity, with
respect to the use and disclosure of PHI
that also constitutes a part 2 record.
Expressly including business associates
as QSOs, where both definitions are
met, responds to comments received on
the NPRM noting that the role of QSOs
is analogous to business associates, such
that aligning terminology makes sense
given the purpose of section 3221 of the
CARES Act to enhance harmonization of
HIPAA and part 2. Additionally, as
commenters requested, we have carved
out business associates from the
definition of ‘‘intermediary.’’ Thus,
while a QSO may be a business
associate, it cannot at the same time also
be considered an intermediary. As a
result, an HIE/HIN that is a QSO and
business associate for a part 2 program
that is also a covered entity would not
be subject to the intermediary
requirements (e.g., a general designation
in a consent and the list of disclosures).
Comment
About half of the commenters on
intermediaries opposed the requirement
that intermediaries provide a list of
disclosures for the 3 years preceding the
request. Many commenters expressed
concern that the TPO consent
provisions in §§ 2.31 and 2.33 would
result in an increase in requests for a list
of disclosures made via an intermediary
and that HIEs were not equipped to
respond in volume. One commenter
opined that millions of transactions will
be facilitated by the intermediary daily
and, as a result, it would be difficult for
both the part 2 program and the
intermediary to provide a full
accounting of disclosure that would
feasibly be usable and helpful to the
patient. Others suggested the part 2
program directly assume this obligation.
While supporting the proposed
changes, a few commenters raised
substantial concerns about the existing
requirements, stating that it would be
difficult for an intermediary to log
individual accesses and reasons why
data was accessed over a multi-year
period. While patients should
understand where and how their data is
being transferred, it must be done while
maintaining the interoperability
pathway outlined by other HHS
programs and with the full
understanding of burden represented. A
few commenters specifically supported
the proposed extension for the list of
disclosures from 2 to 3 years. A local
government and a health system
appreciated that the obligation for
producing the list of disclosures
remains with the intermediary and not
the part 2 program. A few commenters
asserted that the proposed changes
would help address technological issues
with HIEs that are compliant with part
2. Others suggested this process would
be burdensome for HIEs and part 2
programs.
Response
We acknowledge these comments.
The final rule in § 2.24 extends the
‘‘look back’’ period for the required list
of disclosures by an intermediary from
2 years to 3 years as proposed. We made
this change to align with the new right
to an accounting of disclosures in § 2.25
for disclosures made with consent, that
contains a 3-year look back period. As
we have stated prior to this final rule,
the intermediary, not the part 2 program
itself, is responsible for compliance
with the required list of disclosures
under § 2.24.227 We discuss costs and
benefits associated with this rule below
including for §§ 2.24 and 2.25.
Comment
Comments asserted that the
accounting requirement for
intermediaries was duplicative of the
accounting of disclosure for TPO from
an EHR requirements under HIPAA
(which have not been finalized in
regulation) and had created barriers to
the use of HIEs to exchange part 2
records. One commenter asserted that
they have not allowed part 2 records in
their system due to the differing
requirements and that the intermediary
proposal would perpetuate this
outcome. Another commenter explained
that a group of organizations that tested
part 2 disclosure models did not
ultimately adopt them because the part
2 requirements were too problematic.
Several commenters requested that the
requirement for providing the list of
disclosures be tolled until the
finalization of the expected HIPAA
accounting of disclosures regulation for
TPO disclosures through an EHR.
Response
We are not tolling the list of
disclosures requirements for
intermediaries because these obligations
already exist in § 2.13(d) and are simply
being continued in a new section § 2.24
with the time period covered being
extended from 2 years to 3.
Intermediaries are not subject to the
HIPAA accounting of disclosures
requirements, by definition, because we
have excluded covered entities and
business associates from the definition
of ‘‘intermediary’’ in the final rule.
Because the HIPAA accounting of
disclosures requirement for TPO
disclosures through an EHR has not yet
been finalized, we believe this distinct
list of disclosures requirement should
remain effective.
227 82 FR 6052, 6072.
Final Rule
We are finalizing in this section,
redesignated as § 2.24, that an
intermediary must provide to patients
who have consented to the disclosure of
their records using a general designation
pursuant to § 2.31(a)(4)(ii)(B), a list of
persons to whom their records have
been disclosed pursuant to the general
designation.
Section 2.25—Accounting of
Disclosures
Proposed Rule
The Department noted in the NPRM
that except for disclosures made by
intermediaries, the current part 2
regulation did not have provisions that
included a right for patients to obtain an
accounting of disclosures of part 2
records.228 Section 290dd–2(b)(1)(B) of
42 U.S.C., as amended by section
3221(b) of the CARES Act, applies
section 13405(c) of the HITECH Act, 42
U.S.C. 17935(c) (Accounting of Certain
Protected Health Information
Disclosures Required if Covered Entity
Uses Electronic Health Record), to part
2 disclosures for TPO with prior written
consent. Therefore, the Department
proposed to add a new § 2.25
(Accounting of disclosures) to establish
the patient’s right to receive, upon
request, an accounting of disclosures of
part 2 records made with written
consent for up to three years prior to the
date the accounting is requested.
This proposal was intended to apply
the individual right to an accounting of
disclosures in the HITECH Act to
disclosure of part 2 records.229 The
Department proposed at § 2.25(a) that
paragraph (a) would generally require
an accounting of disclosures made with
patient consent for a period of 6 years
prior to the request, and paragraph (b)
would limit the requirement with
respect to disclosures made with TPO
consent, which would only be required
for disclosures made from an EHR
system for a period of 3 years prior to
the request. In both instances, the
proposed changes would be contingent
on the promulgation of HITECH Act
modifications to the accounting of
228 42 CFR 2.13(d) (specifying List of Disclosures
requirement applicable to intermediaries).
229 OCR published an NPRM to implement this
HITECH Act provision in 2011 but did not finalize
it because of concerns raised by public comments.
See 76 FR 31426 (May 31, 2011). OCR announced
its intention to withdraw the 2011 NPRM and
requested public input on new questions to help
OCR implement the HITECH Act requirement as
part of the 2018 HIPAA Rules Request for
Information (RFI). See 83 FR 64302, 64307 (Dec. 14,
2018). A final HIPAA regulation on the accounting
of disclosures that would apply to TPO disclosures
by covered entities has not been issued.
disclosures standard in the HIPAA
Privacy Rule at 45 CFR 164.528.230
The Department stated in the NPRM
preamble that this proposed accounting
requirement is consistent with section
3221(b) of the CARES Act, 42 U.S.C.
290dd–2(b)(1)(B), as amended. The
Department noted that the CARES Act
applied the HITECH Act ‘‘look back’’
time period for accounting of
disclosures to ‘‘all disclosures’’ of part
2 records with consent and not just
those disclosures contained in an EHR.
From a policy perspective, the
Department therefore proposed to apply
the 3-year ‘‘look back’’ to all
accountings of disclosures with consent
and not just for accountings of
disclosures of records contained in an
EHR.
Because the Department has not yet
finalized the HITECH Act accounting of
disclosures modifications within the
HIPAA Privacy Rule, the Department
did not propose to require compliance
with § 2.25 before finalizing the HIPAA
Privacy Rule provision in 45 CFR
164.528. The comments and the
Department’s responses regarding § 2.25
are set forth below.
Accounting of Disclosures for TPO
Comment
A few commenters expressed
opposition to the accounting of
disclosures for TPO because: (1) the
proposal does not align with the HIPAA
Privacy Rule, including the exclusion
pursuant to an authorization; (2) it
would increase administrative burden;
and (3) the existing and established
technology lacks the capability,
including manual collection of data
from multiple systems (e.g., EHR and
practice management system for
payment and health care operations).
Other commenters remarked that unless
technical capabilities are developed
within certified EHR technology to
capture why someone has opened a
patient record, providing a full
accounting would be impossible and
requiring providers to mark and
230 See also sec. 13405(c) of the HITECH Act
(codified at 42 U.S.C. 17935(c)). Since the HITECH
Act requirement for accounting of disclosures was
enacted in 2009, the Department published a RFI
at 75 FR 23214 (May 3, 2010) and an NPRM at 76
FR 31426 (May 31, 2011). Based in part on public
comment on the RFI, the Department proposed to
provide individuals with an ‘‘access report’’ as a
means of fulfilling the requirement. Based on
feedback on the NPRM in which commenters
overwhelmingly opposed the report as
‘‘unworkable,’’ the Department, in a follow up RFI
published at 83 FR 64302, explained its intent to
withdraw the proposal of the 2011 NPRM. The
Department received additional public comment
about implementing sec. 13405(c) and will publish
in a future Regulatory Unified Agenda notice about
any future actions.
maintain a full accounting would
incentivize providers to forego going
into a patient’s record, even when it
may be better for treatment
coordination.
Response
We appreciate the comments.
However, the proposed change is
required by section 290dd–2(b)(1)(B) of
42 U.S.C., as amended by section
3221(b) of the CARES Act, that applies
section 13405(c) of the HITECH Act, 42
U.S.C. 17935(c), to part 2 disclosures for
TPO with prior written consent. The
final rule attempts to balance the
potential compliance burden by tolling
the effective and compliance dates for
the HITECH accounting of disclosures
requirement until it is finalized within
the HIPAA Privacy Rule.
Comment
A health system and a health IT
vendor commented on the timeframes
covered in accountings of disclosure
and suggested that the period for which
accountings can be requested be limited
to those after the rule is effective
because of different applicable privacy
standards prior to rule finalization. For
example, if the Department finalizes the
accounting of disclosures provision to
include data for six years prior to the
request date, the first day for which part
2 programs would need to provide
accountings would be the effective date
of the rule.
Response
We appreciate the comments. We
clarify that the period for which an
accounting can ‘‘look back’’ is limited to
those disclosures occurring after the
first day of the compliance date.
Comment
An HIE association requested the
Department provide a specific
maximum allowable cost to a patient for
fulfilling a requested accounting of
disclosures for their PHI in the final
rule. According to the commenter, the
Department provides guidance in other
resources on the maximum allowable
cost that a patient can incur when
requesting an accounting of disclosures
but the NPRM did not provide a clear
and concise regulatory specification.
Response
We appreciate the comment and
decline at this time to state a maximum
patient cost; however, we will further
consider the comment in drafting the
HIPAA accounting of disclosures final
rule to implement section 13405(c) of
the HITECH Act, 42 U.S.C. 17935(c). We
are not aware of resources that discuss
the maximum allowable cost that a
patient can incur when requesting an
accounting of disclosure. However, the
Department has provided guidance in
other resources on the costs a covered
entity may charge individuals to receive
a copy of their PHI, which is a different
cost from providing individuals an
accounting of disclosures. For an
accounting of disclosures, the HIPAA
Privacy Rule at 45 CFR 164.528(c)(2)
requires a covered entity provide the
first accounting to an individual in any
12-month period without charge. The
covered entity may impose a reasonable,
cost-based fee for each subsequent
request for an accounting by the same
individual within the 12-month period,
provided that the covered entity informs
the individual in advance of the fee and
provides the individual with an
opportunity to withdraw or modify the
request.
Comment
Several commenters were supportive
of the proposal to add a new accounting
of disclosures requirement in part 2
because it would align with an
individual’s rights under the HIPAA
Privacy Rule. One health IT vendor said
health IT and other digital technologies
should incorporate audit trails to help
detect inappropriate access to PHI. An
advocacy organization supported the
proposed timeframes an accounting of
disclosures would cover, while a health
system said the three-year timeframe for
TPO disclosures should match the six-year timeframe in the HIPAA Privacy
Rule.
Response
We appreciate the comments. With
respect to the ‘‘look back’’ period for
accounting of disclosures in the HIPAA
Privacy Rule, an individual has a right
to receive an accounting of disclosures
of PHI made by a covered entity in the
six years prior to the date on which the
accounting is requested.231 The HITECH
accounting requirement covers
disclosures for TPO made via an EHR
and a look back period of only three
years; however, this has not been
finalized in the HIPAA Privacy Rule, so
we cannot harmonize the part 2 TPO
disclosure timeframe to that of the
HIPAA Privacy Rule accounting of
disclosure requirement. Additionally, a
HIPAA accounting of disclosures
rulemaking would implement the
HITECH Act modification to 45 CFR
164.528 for disclosures for TPO to three
231 See 45 CFR 164.528(a)(3).
years prior to the date on which the
accounting is requested.232
Comment
A few trade associations and a health
IT vendor requested the Department
provide a template for the accounting of
disclosures that includes the level of
detail necessary to fulfill the
requirement.
Response
We appreciate the comments and will
consider providing a template when the
HITECH accounting of disclosures
requirement is finalized within the
HIPAA Privacy Rule.
Tolling of Compliance Date
Comment
A few commenters addressed tolling
the compliance date for part 2 programs
and each of them agreed with tolling the
effective and compliance dates of the
accounting of disclosures proposal until
the effective and compliance dates of
the modified HIPAA Privacy Rule
accounting provision to provide
consistency for part 2 providers,
covered entities, and business
associates.
Response
We appreciate the comments. We are
tolling the effective and compliance
dates for part 2 programs until the
effective and compliance dates of a final
rule on the HIPAA/HITECH accounting
of disclosures standard (section
13405(c) of the HITECH Act) to ensure
part 2 programs do not incur new
compliance obligations before covered
entities and business associates under
the HIPAA Privacy Rule are obligated to
comply. We are also mindful that the
alignment of the part 2 and HIPAA
compliance dates for the accounting of
disclosures is most important for part 2
programs that are also covered entities.
We also note the part 2 programs are not
required to include the statement of a
patient’s right to an accounting of
disclosures in the Patient Notice under
§ 2.22 until the future compliance date
of the accounting of disclosures.
Other Comments on Requests for
Accountings of Disclosures
The Department, in the NPRM, asked
for feedback on potential burdens such
as staff time and other costs associated
with accounting of disclosure
requests.233 The Department also
requested data on the extent to which
covered entities receive requests from
232 See sec. 13405(c) of the HITECH Act (codified
at 42 U.S.C. 17935(c)).
233 87 FR 74216, 74239, 74249.
patients to restrict disclosures of patient
identifying information for TPO
purposes, how covered entities
document such requests, and the
procedures and mechanisms used by
covered entities to ensure compliance
with patient requests to which they
have agreed or that they are otherwise
required to comply with by law.
Comment
A few commenters said they rarely
receive requests for an accounting of
disclosures and a few commenters
stated they receive between 1–10
requests annually. Some of these
commenters said in their experiences a
single request for an accounting of
disclosures from a patient may take one
staffer with the current functionality
within an organization a full 40-hour
week to respond.
Response
We appreciate the comments and the
information provided on the number
and type of requests for an accounting
of disclosures of PHI received annually
and the staff time involved in
responding to an individual’s request
for an accounting of disclosures of PHI.
Final Rule
The final rule adopts all proposed
modifications to § 2.25, with a
correction to the timeframe in paragraph
(a) to require an accounting of
disclosures made with consent in the 3
years prior to the date of the request.
Section 2.26—Right to Request Privacy
Protection for Records
Proposed Rule
Prior to the CARES Act amendments,
the part 2 statute did not explicitly
provide a patient the right to request
restrictions on disclosures of part 2
records for TPO, although patients
could tailor the scope of their consent,
which would govern the disclosure of
their part 2 records. Section 3221(b) of
the CARES Act amended 42 U.S.C.
290dd–2 such that section 13405(c) of
the Health Information Technology and
Clinical Health Act (42 U.S.C. 17935(c))
applies to subsection (b)(1). Therefore,
the Department proposed to codify in
§ 2.26 a patient’s rights to: (1) request
restrictions on disclosures of part 2
records for TPO purposes, and (2) obtain
restrictions on disclosures to health
plans for services paid in full. The
proposed provision would align with
the individual right in the HITECH Act,
as implemented in the HIPAA Privacy
Rule at 45 CFR 164.522.234 As with the
HIPAA Privacy Rule right to request
234 See 42 U.S.C. 17935(a).
restrictions, a part 2 program that denies
a request for restrictions still would be
subject to any applicable state or other
law that imposes greater restrictions on
disclosures than part 2 requires.
In addition to applying the HITECH
Act requirements to part 2, the CARES
Act emphasized the importance of the
right to request restrictions in three
provisions, including:
(1) a rule of construction that the
CARES Act should not be construed to
limit a patient’s right under the HIPAA
Privacy Rule to request restrictions on
the use or disclosure of part 2 records
for TPO; 235
(2) a Sense of Congress that patients
have the right to request a restriction on
the use or disclosure of a part 2 record
for TPO; 236 and
(3) a Sense of Congress that
encourages covered entities to make
every reasonable effort to the extent
feasible to comply with a patient’s
request for a restriction regarding TPO
uses or disclosures of part 2 records.237
Comment
Commenters provided general support
for the proposal to modify part 2 to
implement requirements in the CARES
Act concerning a patient’s right to
request restrictions on uses and
disclosures of part 2 records. For
instance, a medical professionals
association supported this proposed
change, stating that transparent privacy
policies should accommodate patient
preference and choice as long as those
preferences and choices do not preclude
the delivery of clinically appropriate
care, public health, or safety. A county
health system said the proposed
changes will promote patient advocacy,
privacy, and transparency. Health
system and health plan commenters
supported the proposed language
allowing patients to request restrictions
on the use or disclosure of their PHI if
this request aligns with the HIPAA
Privacy Rule, which gives covered
entities the ability to approve or deny
these requests. Others such as state
agencies, health care providers, and a
health IT vendor also supported
provisions to request restrictions on
disclosures including for disclosures
otherwise permitted for TPO purposes.
Response
We appreciate the comments about
the proposed addition of a new patient
235 See sec. 3221(j)(1) of the CARES Act. The
Department believes the effect of this rule of
construction is that 45 CFR 164.522 of the HIPAA
Privacy Rule continues to apply without change to
covered entities with respect to part 2 records.
236 See sec. 3221(k)(2) of the CARES Act.
237 See sec. 3221(k)(3) of the CARES Act.
right to request restrictions on uses and
disclosures of part 2 records for TPO
and the alignment of the right with the
parallel HIPAA provision.
Comment
A health information association
supported a mechanism for patients to
request to restrict where and who can
access their records in specific
situations as this approach builds trust
and allows the patient to control use
and disclosure of their health record.
The commenter further asserted that
while data segmentation challenges
exist, most providers follow HIPAA and
align with state law privacy
requirements regarding use and
disclosure of part 2 records. However,
the association urged that as the
Department finalizes these requirements
the ability for a patient to request
restriction of disclosure should not be
mandatory for providers to adhere to
when they are otherwise required to
provide disclosure. Another provider
supported aligning the right to request
a restriction with HIPAA language to
include specific language which
clarifies a covered entity and/or part 2
program is under no obligation to agree
to requests for restrictions. Due to EHR
functionality limitations, the provider
cannot accommodate most requests for
restrictions, especially related to
treatment.
Response
We appreciate the comments about
our proposed change to align part 2 and
HIPAA requirements. As stated in
§ 2.26(a)(5): ‘‘[a] restriction agreed to by
a part 2 program under paragraph (a) of
this section is not effective under this
subpart to prevent uses or disclosures
required by law or permitted by this
regulation for purposes other than
treatment, payment, and health care
operations, as defined in this part.’’
Paragraph (a)(6) of § 2.26 also states that
‘‘[a] part 2 program must agree to the
request of a patient to restrict disclosure
of records about the patient to a health
plan if . . . [t]he disclosure is for the
purpose of carrying out payment or
health care operations and is not
otherwise required by law [. . .].’’
Therefore, a part 2 program that is a
covered entity is not required by this
section to agree to restrict a disclosure
that otherwise is required by law 238 or
for a purpose permitted by part 2 other
than TPO.239
238 For further discussion of ‘‘required by law’’ in
the HIPAA context, see 78 FR 5566, 5628.
239 For further discussion of ‘‘required by law’’ in
the HIPAA context, see 78 FR 5566, 5628.
Comment
An individual commenter urged the
Department to expand its proposal by
using the general regulatory authority
given it by the CARES Act to modify 42
CFR part 2 to indicate that a covered
entity is required to agree to a patient’s
requested restriction of uses and
disclosures of part 2 information. Thus,
the commenter suggested the provisions
of 45 CFR 164.522(a)(1)(ii) and (a)(2)(iii)
would be eliminated. The commenter
asserted that a ‘‘rule of construction’’ in
the CARES Act should not be construed
to limit a patient’s right under the
HIPAA Privacy Rule to request
restrictions on the use or disclosure of
part 2 records for TPO. The commenter
stated its interpretation of the Sense of
Congress in the CARES Act: that patients
have the right to request a restriction on
the use or disclosure of a part 2 record
for TPO, and that it encourages covered
entities to make every reasonable effort
to the extent feasible to comply with a
patient’s request for a restriction
regarding TPO uses or disclosures of
part 2 records.
A health system also supported this
change stating that this provision aligns
with existing standards under the
HIPAA Privacy Rule, which allows a
patient to request restrictions, while a
covered entity is not obligated to agree
to that request (except when the service
in question has been paid in full). The
health system appreciated that HHS
proposed to allow the same flexibility
and decision-making capacity for part 2
programs. Another commenter proposed
that the same standards be applied in
part 2 as in HIPAA, which requires
covered entities to evaluate requests and
take reasonable means. The commenter
believed that a covered entity is not
mandated to honor a restriction for
purposes of operation/treatment but
would be for payment in circumstances
where the patient pays out of pocket, in
full. The commenter suggested applying
the same standards to part 2 as applied
to covered entities in the HIPAA
restriction process. A health system said
it supported aligning part 2 and HIPAA,
but if there is a part 2 entity that is not
already a covered entity under HIPAA,
HHS should expand the HIPAA
definition of covered entity rather than
duplicate HIPAA provisions in this rule.
Response
We acknowledge these comments and
emphasize the Sense of Congress
expressed in section 3221(k)(3) of the
CARES Act that ‘‘[c]overed entities
should make every reasonable effort to
the extent feasible to comply with a
patient’s request for a restriction’’
regarding such use or disclosure.
Comment
A health system citing to 42 CFR
2.12(c)(3) supported HHS’ attempt to
better align part 2 with HIPAA as it
relates to both uses and disclosures but
stated that the introduction of
restrictions on uses poses significant
challenges for part 2 programs unless
additional changes or clarifications to
the regulations are made. The
commenter urged the Department to
clarify in the final rule that permitted
uses also include those uses necessary
to carry out the payment or health care
operations of the part 2 program. Such
clarification will ensure part 2 programs
may continue to use part 2 records
internally for payment and health care
operations that may not directly relate
to the diagnosis, treatment, or referral
for treatment of patients. Without this
clarification, if a part 2 program fails to
secure consent from a patient, the part
2 program would be prohibited from
using part 2 records for essential
internal purposes, such as quality
improvement, peer review, and other
legally required patient safety activities.
Response
Section 2.12(c)(3), which excludes
from part 2 restrictions treatment-related internal communications among
staff in a program and communications
with entities that have direct
administrative control of the program, is
not inconsistent with the new patient
right to request restrictions on
disclosures for TPO purposes, and a
patient’s right to obtain restrictions on
disclosures to health plans for services
paid in full by the patient. Additional
changes desired by the commenter to
§ 2.12(c)(3) are outside the scope of this
rulemaking.
Comment
A medical professionals association
asserted that given the sensitivity of
SUD data patients may request that their
SUD treatment data not be shared with
other clinicians nor be accessible via
various third-party applications. The
commenter believed that physicians,
especially those in primary care,
generally lack the ability to segment out
certain parts of a patient’s record while
maintaining the ability to meaningfully
share the non-SUD treatment data with
the patient’s care team for the purposes
of care coordination and management.
The commenter explained its view that
this lack of granular data segmentation
functionality increases administrative
burden and creates challenges for
clinicians who are complying with
requests not to disclose SUD treatment
data while still complying with HIPAA
and information blocking requirements.
As a result, clinicians must either place
sensitive data in the general medical
record and institute policies and
procedures outside of the EHR to protect
this data or create a new location or
shadow chart that houses and protects
the data. These workarounds disrupt the
flow of comprehensive health data
within a patient’s care team and
increase administrative tasks. The
association urges HHS to work with
EHR vendors to modernize the
functionality of health care data
management platforms to ensure part 2
programs can keep patients’ data
confidential when requested. Another
medical association also reflected
similar views.
A health IT vendor claimed that
several NPRM provisions, including
§ 2.26, would require it to implement
procedural changes. But the vendor
stated that these updates are necessary
to eliminate barriers to data sharing
amongst patients, providers, and health
care facilities. The vendor also believed
these requirements can be implemented
within the proposed 22-month
compliance period.
A health IT association supported
alignment with a patient’s right to
request restrictions under the existing
HIPAA Privacy Rule. But the
commenter believed that it is important
not to add a burden on covered entities
participating in a shared electronic
health information platform or with an
HIE or HIN. The commenter urged OCR
and SAMHSA to connect to health IT
developers, technology companies, HIE,
and HINs to ensure that technology
exists to feasibly allow for covered
entity compliance with interoperability
and information blocking requirements.
Response
We acknowledge concerns that data
segmentation may be difficult for part 2
programs and covered entities and
discuss this further in § 2.12. However,
covered entities have had to address
individuals’ requests for restrictions of
TPO uses and disclosures since the
HIPAA Privacy Rule was implemented
more than two decades ago. The
renewed emphasis on the right to
request restrictions on uses and
disclosures of records for TPO is closely
linked to the new permission to use and
disclose records based on a single
consent for all future TPO. We have
stated in the discussion of the new
consent permission that programs and
covered entities that want to utilize the
TPO consent mechanism should be
prepared from a technical perspective to
also afford patients their requested
restrictions when it is otherwise
reasonable to do so. Entities that are
planning to benefit from streamlined
transmission and integration of part 2
records by using the single consent for
all TPO should be prepared to ensure
that patients’ privacy also benefits from
the use of health IT.
EHR systems’ technical capabilities
are outside the scope of this rulemaking,
but we are cognizant of and refer
throughout this rule to the existing
health IT capabilities supported by data
standards adopted by ONC on behalf of
HHS in 45 CFR part 170, subpart B, and
referenced in the ONC Health IT
Certification Program certification
criteria for security labels and
segmentation of sensitive health data.
ONC, SAMHSA, OCR, and others
collaborate to support EHRs and health
IT in behavioral health and integrated
care settings.240
Comment
A provider association opined that the
NPRM overemphasizes the social harms
that disclosing SUD clinical information
creates, at the risk of medical harms and
overdose deaths that are a consequence
of poor care coordination. The
commenter urged the Department to
provide guidance on precisely what is
expected of providers as they
incorporate processes to respect these
patient rights if the provisions are
finalized as proposed.
Response
We appreciate this comment and the
concern for patient safety. As noted
above, providers are not required to
agree to all patient requests for
restrictions on uses and disclosures for
TPO, but are encouraged to make
reasonable efforts to do so. Providers
retain the responsibility for patient care
and determining what is reasonable
under the circumstances. The final rule
is emphasizing, however, that programs
and covered entities are expected to do
more than merely establish policies and
procedures on the right to request
restrictions—they need to make a
concerted effort to evaluate how they
can reasonably accommodate patients’
requests.
Comment
An academic health center stated its
general support for patients’ rights to
limit access to their medical records but
wanted to avoid creating further
administrative and operational burdens
on staff and avoid managing patient data
retroactively.
240 See ‘‘Behavioral Health,’’ supra note 133.
Response
We acknowledge this comment and
concerns about burdens that could
result from § 2.26 implementation.
However, part 2 programs that are
covered entities are already subject to
the HIPAA provisions on the right to
request restrictions in 45 CFR 164.522.
As finalized, we believe this section is
consistent with HIPAA as well as
CARES Act requirements.
Comment
A medical professionals association
asserted that the NPRM does not
account for patient protections in plans
self-funded through an employer. The
association requested clarity on how
TPO information will be kept protected
from the employer and how patients
will be protected against discriminatory
practices, arguing that without further
clarification, employees will be hesitant
to seek treatment if there is an
assumption that an employer will have
knowledge of his or her SUD.
In contrast, a national employee
benefits association for large employers
urged the Department to allow health
plan sponsors (i.e., employers) to access
part 2 records containing de-identified
claims data that are held by third-party
vendors that manage SUD programs.
From the employer/health plan
sponsors’ perspective, these records are
needed to evaluate and improve health
benefits.
Response
Self-funded group health plans are
not permitted to retaliate against SUD or
other patients/employees for seeking
care. HHS has explained in guidance on
the application of HIPAA to self-funded
employer group health plans that: ‘‘the
[HIPAA] Privacy Rule does not directly
regulate employers or other plan
sponsors that are not HIPAA covered
entities. However, the [HIPAA] Privacy
Rule, in 45 CFR 164.504(f) does control
the conditions under which the group
health plan can share protected health
information with the employer or plan
sponsor when the information is
necessary for the plan sponsor to
perform certain administrative functions
on behalf of the group health plan
[. . . .] The covered group health plan
must comply with [HIPAA] Privacy
Rule requirements, though these
requirements will be limited when the
group health plan is fully insured.’’ 241
241 U.S. Dep’t of Health and Human Servs., ‘‘As
an employer, I sponsor a group health plan for my
employees. Am I a covered entity under HIPAA?’’
(Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/499/am-i-a-covered-entity-under-hipaa/.
In discussing 45 CFR 164.530, HHS
has further stated in guidance that
‘‘group health plans are exempt from
most of the administrative
responsibilities under the [HIPAA]
Privacy Rule. These health plans are
still required, however, to refrain from
intimidating or retaliatory acts, and
from requiring an individual to waive
their privacy rights.’’ 242
As well, self-funded group health
plans are subject to the Mental Health
Parity and Addiction Equity Act
(MHPAEA) which requires that most
health plans providing mental health
and SUD benefits must provide services
comparable to those for medical/
surgical conditions.243 While previously
able to opt-out of these requirements,
recent changes made by the
Consolidated Appropriations Act of
2023 state that ‘‘self-funded, non-Federal governmental group health
plans that opt out of compliance with
MHPAEA are required to come into
compliance with these
requirements.’’ 244 This change too
should mitigate the potential of
employees to be subject to stigma and
discrimination within self-funded group
health plans because they have or are in
recovery from an SUD.
With respect to employer/health plan
sponsor access to de-identified part 2
records, the Department did not propose
to create new use and disclosure
permissions specific to employers/
health plan sponsors and does not adopt
such changes in this final rule.
However, under this final rule, a
covered entity or business associate that
receives records under a TPO consent
may redisclose them in accordance with
the HIPAA Privacy Rule, which does
not place limitations on the use or
disclosure of de-identified information.
242 See U.S. Dep’t of Health and Human Servs.,
‘‘I’m an employer that offers a fully insured group
health plan for my employees. Is the fully insured
group health plan subject to all of the Privacy Rule
provisions?’’ (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/496/is-the-fully-insured-group-health-plan-subject-to-all-privacy-rule-provisions/.
243 See Ctrs. for Medicare & Medicaid Servs.,
‘‘The Mental Health Parity and Addiction Equity
Act (MHPAEA),’’ https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/mhpaea_factsheet; Ctrs. for Medicare &
Medicaid Servs., ‘‘Sunset of MHPAEA opt-out
provision for self-funded, non-Federal
governmental group health plans’’ (June 7, 2023),
https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf.
244 Ctrs. for Medicare & Medicaid Servs., ‘‘Sunset
of MHPAEA opt-out provision for self-funded, non-Federal governmental group health plans,’’ at 1
(June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf. See also, 42
U.S.C. 300gg–26, Parity in mental health and
substance use disorder benefits.
Comment
A health plan asserted that, as
written, the rule might be interpreted to
prevent plans with part 2 data from
redisclosing it without consent.
Additional restrictions around TPO may
negatively impact plans’ business
operations since plans would need to
separate part 2 records from other
records. This restriction would be
burdensome and more operationally
challenging even for the most
sophisticated stakeholders, according to
the commenter, who also asserted that
patients may be more likely to receive
unnecessary information in these broad
disclosures. The commenter believed
that the proposed expanded TPO
restriction would overwhelm both
patients and plans, ultimately hindering
efforts toward more efficient care
coordination for patients with SUD.
Response
This section as finalized is consistent
with the Sense of Congress as
articulated in the CARES Act, which
provides that patients have the right to
request a restriction on the use or
disclosure of a part 2 record for TPO.
The CARES Act similarly encourages
covered entities to make every
reasonable effort to the extent feasible to
comply with a patient’s request for a
restriction regarding TPO uses or
disclosures of part 2 records.
A patient’s right to request restrictions
does not prevent health plans with part
2 records from redisclosing such records
without patient consent as permitted
under this rule, except in those
situations where the plan has agreed to
a requested restriction.
Comment
A few commenters, including an
advocacy organization, professional
associations, and a recovery
organization asserted that the proposed
right is profoundly inequitable because
it is only available to patients with the
means to pay privately for SUD
treatment. Pointing to what it views as
disparities and the cost of SUD
treatment, one commenter asserted that
underserved communities and persons
affected by poverty and inequality thus
will be less able to exercise this right to
restrict uses and disclosures of their
SUD records. Other commenters
expressed concern that some patients
can afford to self-pay and may not wish
to face the risks of restrictive health
plan coverage policies, employers, and
others finding out they are being treated
for an SUD, but this right is not
extended to those who cannot self-pay.
These commenters believed that the rule
should not subject most Americans to
these very real risks while
acknowledging that persons of means
can avoid them.
The commenter recommended that
HHS strengthen this provision so that
providers comply with all patients’
requests to restrict disclosures of this
sensitive health information—not just
those patients who are wealthy enough
to pay in full and out-of-pocket. The
commenter argued that strengthening
the provision is also consistent with the
CARES Act’s ‘‘Sense of Congress’’ in
section 3221(k)(3): ‘‘covered entities
should make every reasonable effort to
the extent feasible to comply with a
patient’s request for a restriction
regarding such use or disclosure.’’ The
commenter asserted that when patients
request a restriction on disclosure of
their part 2 records, the default answer
should be ‘‘yes,’’ subject to narrow
exceptions such as disclosures to treat a
medical emergency. In practice,
however, providers’ default answer is
almost always ‘‘no,’’ which is why HHS
should provide a more enforceable right
here.
Response
We acknowledge that, as structured,
some elements of the right to request
restrictions may benefit patients who
can self-pay rather than those who are
unable to do so. However, the provision
requiring covered entities to agree to
certain requests is statutory. For this
reason and to align with HIPAA
requirements pertaining to requests for
restrictions by self-pay patients.245 The
Department also acknowledges and is
working to address disparities in access
to SUD treatment.246
245 U.S. Dep’t of Health and Human Servs.,
‘‘Under HIPAA, may an individual request that a
covered entity restrict how it uses or discloses that
individual’s protected health information (PHI)?’’
(Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/3026/under-hipaa-may-an-individual-request-that-a-covered-entity-restrict-how-it-uses-or-discloses-that-individuals-protect-health-information/.
246 See, e.g., Substance Abuse and Mental Health
Servs. Admin., ‘‘Behavioral Health Equity,’’ https://www.samhsa.gov/behavioral-health-equity; Off. of
the Assistant Secretary for Planning and Evaluation,
‘‘Meeting Substance Use and Social Service Needs
in Communities of Color’’ (2022), https://aspe.hhs.gov/reports/substance-use-social-needs-people-color.
Comment
One county government stated that in
its experience there are very few
requests for restriction received each
year and virtually none are agreed to
because of the related operational
challenges. An academic health center
said that in its experience of patients
who request restrictions annually, only
a relatively small number of restrictions
are made in the context of self-pay for
services. The center urged HHS to align
the request for restriction process for
part 2 records with what it views as the
already established and operationally
familiar process under HIPAA,
explaining that from a technological
perspective restricting patient
information within the organization for
TPO is burdensome, and highly error-prone. Restrictions for treatment
purposes can endanger patients, as
members of the treatment team need
information to safely provide care,
according to this commenter.
Response
We appreciate this information in
response to our request for input in the
NPRM. Given that the number of
requests for restrictions is small, the
overall organizational burden for
fulfilling such requests should not be
overwhelming. When a regulated entity
agrees to a requested restriction, we
encourage it to explain to the patient
any limits on its ability to ensure that
the request is implemented fully.
Comment
A commenter requested that notice of
the right to request limitations of
disclosures of health records, and the
process for doing so comply with
Federal guidance and best practices for
individuals with limited English
proficiency and individuals with
limited literacy or health literacy skills.
Response
We discuss notice requirements in
§ 2.22 above. We have in the past stated
that materials should take into
consideration the cultural and linguistic
needs of a provider’s patients and be
written to be clear and
understandable.247
Comment
A privacy foundation cited one of its
resources concerning HIPAA and why
the right to request restrictions is in its
view almost meaningless. The
commenter suggested that the rule does
not require a covered entity to agree to
a restriction requested by a patient.
More importantly, the covered entity
does not have to agree even if the
patient’s request is reasonable. If HHS
does not require a covered entity to
respond to a patient’s request for
restriction, even to state whether the
request is granted or declined, the right
to request restrictions is meaningfully
diminished, according to the
commenter, which added that in some
cases, the right to request restrictions
will be—for all intents and purposes—
abrogated in cases where the request is
never given any response.
247 82 FR 6052, 6078.
Response
As finalized, we believe this section is
consistent with HIPAA as well as
CARES Act requirements. We have
provided guidance within HIPAA about
requests for restrictions on disclosures
of PHI in HIPAA under 45 CFR
164.522.248 The right to request
restrictions must be balanced with other
regulatory requirements and patient
needs, such as for emergency treatment
even when use of records has been
restricted. We also note that as required
by § 2.26(a)(6)(ii), a part 2 program must
implement restrictions on disclosure
when requested by a patient if a record
pertains solely to a health care item or
service for which the patient, or person
other than the health plan on behalf of
the patient, has paid the part 2 program
in full.
Comment
An SUD provider recommended
eliminating the ability for tailored
restrictions by patients. Additionally,
should the Department implement this
requirement, the provider
requested that the regulations clarify
whether a part 2 program is responsible
for notifying other recipients of part 2
information if a patient decides to
restrict future disclosures.
Response
As explained, we are finalizing the
proposed requirements. Redisclosure
provisions are discussed in this rule in
§§ 2.12(d) and 2.33. As we note,
consistent with the Sense of Congress in
the CARES Act, section 3221(k)(3),
covered entities, including those
covered entities that also are part 2
programs, should make every reasonable
effort to the extent feasible to comply
with a patient’s request for a restriction
regarding a particular use or disclosure.
This would apply should a patient
subsequently modify a request under
this section.
Comment
An advocacy group supported the
proposed right of patients to request
privacy protections as a means of
building trust with the patient but urged
HHS to adopt as reasonable or as
practicable a standard as possible when
adopting this proposal. Some patient
requests may not be feasible, and a part
2 program should not have to comply
with requests that are overly
burdensome or impractical.
248 ‘‘Under HIPAA, may an individual request
that a covered entity restrict how it uses or
discloses that individual’s protected health
information (PHI)?’’ supra note 245; U.S. Dep’t of
Health and Human Servs., ‘‘Uses and Disclosures
for Treatment, Payment, and Health Care
Operations’’ (Apr. 3, 2003), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/.
Response
We draw attention to the Sense of
Congress expressed in the CARES Act
that ‘‘[c]overed entities should make
every reasonable effort to the extent
feasible to comply with a patient’s
request for a restriction regarding such
use or disclosure,’’ 249 and we encourage
part 2 programs to do so as well. We
believe that this language makes it clear
that reasonable effort is expected and
that it may be balanced by what is
feasible. We believe that a program
should not condition treatment on a
TPO consent unless it has some capacity
to fulfill patients’ requests for
restrictions on uses and disclosures for
TPO such that ‘‘every reasonable effort’’
has some meaning. We are finalizing as
proposed in § 2.22 a requirement to
include in the Patient Notice a
statement that the patient has the right
to request restrictions on disclosures for
TPO and in § 2.26 a patient’s right to
request restrictions.
Comment
With respect to proposed § 2.26(a)(4),
a health system suggested that a request
to restrict access to records for treatment
purposes would likely not be granted
since such a restriction could not be
reasonably guaranteed in an EHR. In its
system, part 2 programs have been
implemented as restricted departments.
Access controls have been implemented
to permit emergency physicians to
access such records by breaking the
glass and documenting the purpose of
access. At this time, the commenter
believed that there is not a practical way
to operationalize the inclusion of
additional language in the break the
glass process so emergency physicians
could view language to not further use
or disclose this information.
249 See section 3221(k)(3).
Response
As finalized, § 2.26(a)(4) states that
‘‘[i]f information from a restricted record
is disclosed to a health care provider for
emergency treatment under paragraph
(a)(3) of this section, the part 2 program
must request that such health care
provider not further use or disclose the
information.’’ Section 2.26(a)(3) permits
use of restricted records for emergency
treatment. While we have stated in this
rule that data segmentation is not
required, we also stated in 2017 that
‘‘data systems must be designed to
ensure that the part 2 program is
notified when a ‘break the glass’
disclosure occurs and part 2 records are
released pursuant to a medical
emergency. The notification must
include all the information that the part
2 program is required to document in
the patient’s records.’’ 250 We recognize
that EHR systems have varying degrees
of functionality for implementing
requested restrictions and programs are
in different stages of updating their
systems; however, we believe that
programs need to evaluate how the
limitations of their EHRs may affect
patient choice and develop policies
accordingly. For example, if a program
conditions treatment on a patient’s TPO
consent and the patient agrees to sign
the consent, but only if their records are
not provided to a certain provider, the
program should have the means to
accommodate the request and if not,
allow the patient to sign a more limited
consent as appropriate within the
context. While lack of EHR system
capability may be a valid rationale for
not accommodating some patients’
requests for restrictions, it may also be
a basis for not adopting a policy of
conditioning treatment on signing a
single consent for all TPO if the program
has no other mechanism available to
limit disclosures of part 2 records in the
event that patients request restrictions.
250 82 FR 6052, 6096.
Final Rule
We are finalizing this new section as
proposed. We also note the Sense of
Congress expressed in section 3221(k)(3)
of the CARES Act stating that ‘‘[c]overed
entities should make every reasonable
effort to the extent feasible to comply
with a patient’s request for a restriction
regarding a particular use or
disclosure.’’ We also encourage part 2
programs that are not covered entities to
make such efforts. OCR has provided
examples in guidance about the
analogous HIPAA provision that could
demonstrate ‘‘reasonable effort’’ to
operationalize compliance with a
patient’s request for a restriction
including in circumstances when an
individual is unable to pay for their
health care in full. For instance,
consistent with 45 CFR 164.522(a)(1)(vi)
we cite the example that ‘‘if an
individual pays for a reproductive
health care visit out-of-pocket in full
and requests that the covered health
care provider not submit PHI about that
visit in a separate claim for follow-up
care to their health plan, the provider
must agree to the requested
restriction.’’ 251 If an individual wishes
to not receive fundraising
communications, we noted in preamble
to the 2013 Omnibus Final Rule that
‘‘[c]overed entities should consider the
use of a toll-free phone number, an
email address, or similar opt out
mechanisms that provide individuals
with simple, quick, and inexpensive
ways to opt out of receiving further
fundraising communications.’’ 252 For
instance, a covered entity might develop
a phone-based process that supports
individuals in making appropriate
requests for restrictions on use and
disclosure of PHI.253
Some entities also have developed
specific forms to facilitate compliance
with 45 CFR 164.522 requirements.254
Similar reasonable efforts could be used
to operationalize requests for
restrictions in § 2.26 as finalized, such
as supporting options for a patient
wishing to restrict disclosures for TPO.
Section 2.31—Consent Requirements.
Section 2.31(a) Requirements for
Written Consent
Proposed Rule
The Department proposed to align the
required elements for a part 2 consent
in paragraph (a) with the required
elements of a HIPAA authorization, to
include: the patient’s name; the person
or class of persons making the
disclosure; a description of the
information to be disclosed in a specific
and meaningful fashion; a designation
of recipients; a description of the
purpose or if no stated purpose, ‘‘at the
request of the patient;’’ the patient’s
right to revoke consent and how to do
so; an expiration date or event; the
patient’s or authorized person’s
signature; and the date signed. In
addition, the Department proposed
several provisions in the consent
requirements to support implementation
of the CARES Act requirement to permit
251 ‘‘Under HIPAA, may an individual request
that a covered entity restrict how it uses or
discloses that individual’s protected health
information (PHI)?’’ supra note 245.
252 78 FR 5565, 5621 (Jan. 25, 2013).
253 See Ctrs. for Medicare & Medicaid Servs.,
‘‘CMS Security and Privacy Handbooks,’’
https://security.cms.gov/learn/cms-security-and-privacy-handbooks;
Ctrs. for Medicare & Medicaid Servs.,
‘‘CMS Privacy Program Plan,’’
https://security.cms.gov/policy-guidance/cms-privacy-program-plan.
254 See Kyle Murphy, ‘‘How IHS plans to
implement the HIPAA Privacy Rule,’’
HealthITSecurity (Jan. 11, 2013),
https://healthitsecurity.com/news/how-ihs-plans-to-implement-the-hipaa-privacy-rule
(discussing Indian Health Service efforts). See also Indian
Health Service, ‘‘Patient Forms,’’
https://www.ihs.gov/forpatients/patientforms/.
a single consent for all future uses and
disclosures for TPO, as listed below:
• The recipient may be a class of
persons including a part 2 program,
covered entity, or business associate and
the consent may describe the recipient
as ‘‘my treating providers, health plans,
third-party payers, and those helping
operate this business’’ or use similar
language. The consent also may include
a named intermediary under paragraph
(a)(4)(ii), as applicable.
• The statement, ‘‘for treatment,
payment, and health care operations’’ is
a sufficient description of the purpose
when a patient provides consent for all
future uses or disclosures for those
purposes.
• The required expiration date or
event may be ‘‘none’’ for a consent for
all future uses and disclosures for TPO.
• The consent must include:
  ○ The statement that the patient’s
record (or information contained in the
record) may be redisclosed in
accordance with the permissions
contained in the HIPAA regulations,
except for uses and disclosures for civil,
criminal, administrative, and legislative
proceedings against the patient.
  ○ A statement about the potential for
the records used or disclosed pursuant
to the consent to be subject to
redisclosure by the recipient and no
longer protected by this part.
  ○ The consequences to the patient of
a refusal to sign the consent.
The Department proposed to require
that a consent to disclose part 2 records
to intermediaries state the name(s) of
the intermediary(ies) and one of the
following:
• The name(s) of member
participant(s) of the intermediary; or
• A general designation of a
participant(s) or class of participants,
which must be limited to a
participant(s) who has a treating
provider relationship with the patient
whose information is being used or
disclosed.
The Department proposed to remove
from the consent requirements a
required statement of a patient’s right to
obtain a list of disclosures made by an
intermediary.
Finally, the Department proposed
wording changes to replace the term
‘‘individual’’ with the term ‘‘person’’ to
comport with the meaning of person in
the HIPAA regulations and consistent
with similar changes proposed
throughout this part.
Required Elements of Consent
Comment
Some commenters who supported the
proposed alignment of part 2 with the
HIPAA regulations expressed
enthusiasm for what they described as
a long-awaited change that would
support the streamlining of
administrative processes, improvements
in care coordination, and reduced
inequities in how SUD treatment is
viewed compared with general health
care. One commenter specifically
appreciated the clarification that
electronic signatures are permitted. An
Indian health board noted that allowing
American Indian/American Native
patients to identify a ‘‘class of
participants’’ with a treating provider
relationship (like a ‘‘health care team’’)
within a single prior consent would
facilitate care within the Indian health
system. Another supporter pointed out
that including ‘‘use’’ as well as
‘‘disclosure’’ clarifies the consent form
and noted that informing patients about
the ability for information to be
redisclosed is also important. A health
information management association
described the changes as ‘‘removing
regulatory morass.’’ A health plan
believed that the proposed changes
‘‘mak[e] it easier to comply with both
regulatory requirements [of part 2 and
the HIPAA regulations] without adding
an additional layer of regulatory burden.
The statutorily required six elements [of
a consent] noted above as well the
additional explanations for failing to
sign a consent will better ensure that
patients are apprised of their rights
under Part 2 and instill patients’ trust.’’
Response
We appreciate the comments about
our efforts to improve health care and
reduce burdens on regulated entities by
aligning the required elements of the
written consent for disclosure of part 2
records with the required elements of a
HIPAA authorization to disclose PHI.
Comment
Many commenters requested
clarification and simplification of the
consent requirements. One commenter
recommended that the Department
develop model consent language,
limited to a single comprehensible
paragraph with an option to find further
information online, such as through a
scannable QR code. Some commenters
stated that the part 2 consent is vague,
complicated, and difficult to read and
should be simplified into plain language
for an ordinary person and they
opposed the proposed changes to
consent. They also urged the
Department to ‘‘prioritize
transparency.’’ Another commenter
asserted that it is in providers’ best
interests to inform patients ‘‘of their
rights in a straightforward,
easy-to-understand manner, focusing on how
their information will be used and who
will have access to it.’’
Response
We appreciate the comments
recommending simplification and
streamlining of the required consent and
will consider the various suggestions for
doing so as we develop guidance or
other materials. We agree that consent
should be in plain language that
ordinary readers can understand and
believe that the required statements can
be drafted in that manner.
Comment
Several commenters believed that
since the proposed part 2 consent
requirements are like a HIPAA
authorization, it is confusing to have
similar documents with different
purposes. They recommended that the
consent process be easily folded into
existing HIPAA compliance processes,
preferably incorporating the
acknowledgment of receipt of the
HIPAA NPP and the patient’s part 2
consent into the same document.
Response
We appreciate the concern and
believe that aligning the required
elements of a part 2 consent with those
required for a HIPAA authorization will
facilitate the use of a single form by part
2 programs that are covered entities, and
thus must meet both sets of
requirements.
Comment
Several commenters suggested ceasing
use of the word ‘‘consent’’ when
referring to disclosure of records and
using the term ‘‘authorization’’ instead.
Response
We decline to make this change
because covered entities and part 2
programs, particularly those that are not
covered entities, are still obligated to
comply with differing sets of disclosure
permissions. Moreover, 42 U.S.C.
290dd–2, as amended by the CARES
Act, continues to expressly refer to
consent and thus this final rule remains
consistent with statutory terminology.
Although we are modifying the
requirements for a part 2 consent to
align more closely with a HIPAA
authorization, the scope and effect of
these documents continue to differ in
meaningful ways. For example, a part 2
consent is required for uses and
disclosures of part 2 records for TPO,
but a HIPAA authorization is not
required for uses and disclosures of PHI
for TPO. The part 2 consent is required
for part 2 programs and the
authorization is for covered entities and
business associates. Because of these
and other differences, we believe using
the term ‘‘authorization’’ for individual
permission under HIPAA as well as for
patient permission under part 2 would
create confusion.
Comment
An academic medical center
suggested making no changes to part 2
consent requirements for HIPAA
covered entities, but instead allowing
them to use the HIPAA authorization to
obtain consent for TPO and to use the
patient’s right to request a restriction for
more granular consents, such as for
disclosure limited to a specific provider.
Response
We assume in this response that the
granular consent referred to in the
comment is a consent for some aspects
of TPO, but not the full scope of the
TPO consent. We decline to adopt this
suggestion in its entirety because the
HIPAA authorization applies to a
narrower set of uses and disclosures
than part 2 and does not have all the
required elements of a part 2 consent.
For example, the consent, as finalized
here, requires a statement about the
potential for records to be redisclosed
by the recipient when they are disclosed
under a TPO consent, and it contains
special requirements for disclosures
through an intermediary. Covered
entities that are also part 2 programs
will have more flexibility under the
final rule consent requirements, so that
they may be able to use a single form
that meets the applicable requirements
of a part 2 consent and a HIPAA
authorization. Covered entities that are
recipients of part 2 records but are not
operating a part 2 program do not need
to create or use a part 2 consent. Instead,
covered entities that are not part 2
programs may use a HIPAA
authorization to disclose part 2 records
they receive provided that the
authorization is not for the release of
medical or other information generally.
The authorization form must be specific
to part 2 records or records of SUD
treatment rather than ‘‘my medical
records,’’ so that it identifies the
information in a specific and
meaningful fashion according to § 2.31.
Comment
In addition to supporting the proposal
to allow a single consent for all future
uses and disclosures for TPO, a county
government recommended that
programs be allowed to rely on verbal
consent when making patient referrals,
particularly at the initial stages of
patient access to and engagement in
treatment and requested regulatory
guidance on how to do so. The
commenter explained the importance of
verbal consent for referral or intake
purposes before a treatment relationship
has been established in many instances.
In the alternative, the commenter
suggested creating a safe harbor from
part 2 violations ‘‘for providers who
share information based on a verbal
consent to refer a patient for treatment
(which may first take place through a
call center) and then later request
written consent at the first appointment
with the patient to share for TPO
purposes.’’
Response
We decline to adopt an express
permission to accept a verbal consent to
disclose part 2 records for purposes of
intake and referral because prior written
consent is a statutory requirement in 42
U.S.C. 290dd–2(b)(1)(A); however, some
options for handling referrals verbally
may be available depending on the
circumstances. One approach would be
to provide de-identified information
about the patient to a potential
treatment provider to determine if a
placement is suitable and available and
then either provide referral information
to the potential patient so that they can
contact the new provider independently
or include the patient in a three-way
call with the second provider and allow
the patient to provide identifying
information directly to that provider. In
a medical emergency, involving an
attempted overdose, or similar crisis, a
program could disclose part 2 records to
a hotline call center as needed to
provide treatment. Similarly, in 2020
the Department amended part 2 to
permit disclosures of patient
information to another part 2 program or
other SUD treatment provider during
State or federally-declared natural and
major disasters when a part 2 program
is closed or unable to provide services
or obtain patient informed consent.255
Comment
A commenter recommended that,
after obtaining the original written
consent, programs should be required to
notify patients before each use,
disclosure, and redisclosure of their part
2 records and give them the opportunity
to rescind consent.
Response
This recommendation runs counter to
the CARES Act requirement to allow a
single consent for all future uses and
disclosures for TPO. Further, we do not
believe it would be practical to require
255 85 FR 42986, 43018.
that patients be notified and given the
opportunity to rescind consent before
each use, disclosure, and redisclosure of
their part 2 records, and it would likely
create a large increase in burdens for
programs and other entities subject to
part 2 requirements. That said, nothing
in the rule prohibits programs from
notifying a patient before a particular
use or disclosure of their part 2 records.
Designation of Recipients and Purpose
Comment
Several commenters recommended
complete removal of the consent
requirement for TPO, stating that the
new disclosure permission does not go
far enough to align with HIPAA.
Response
This recommendation exceeds the
scope of the changes authorized under
the CARES Act amendments to 42
U.S.C. 290dd–2. The CARES Act did not
eliminate the statutorily mandated
consent requirement for TPO uses and
disclosures.
Comment
A few organizations requested
clarification of whether the phrase,
‘‘people helping to operate this
program,’’ in the general designation for
a TPO consent includes case
management and care coordination
providers and suggested that it should.
Response
We agree with the commenters that
within the part 2 context, ‘‘people
helping to operate this program’’ could
include case management and care
coordination providers who are QSOs.
Disclosures to case management and
care coordination providers who are not
QSOs would also be permitted under a
TPO consent as disclosures for
treatment. Regarding the TPO consent,
the phrase ‘‘people helping to operate
this program’’ is intended to cover those
who are not part 2 program personnel
and who would be QSOs (or business
associates for part 2 programs that are
covered entities).
Comment
Some commenters generally opposed
the proposed change to permit a single
consent for all future uses and
disclosures for TPO in part because it
would not require designating specific
recipients.
Response
The CARES Act amended 42 U.S.C.
290dd–2 to restructure the statutory
permission to disclose part 2 records
with consent for TPO. Thus, the
Department is required to implement
the consent requirements for the new
disclosure and redisclosure
permissions. The CARES Act
amendments preserved the requirement
to obtain initial consent and the
prohibition against use of records in
proceedings against a patient—both core
elements of the part 2 confidentiality
protections for SUD records. We further
discuss the single TPO consent in
§ 2.33.
Uses and Disclosures With Written
Consent
Comment
Commenters opposing use of a single
TPO consent recommended that the
consent provide clear options for the
types of consent a patient may sign,
which would include a consent for a
specific, one-time use or disclosure. The
commenters believed that this approach
would allow patients to understand
their options and to avoid being
pressured into signing a TPO consent
because they mistakenly believe it is
their only option.
Response
We agree that part 2 programs should
ensure that patients understand their
consent options—which include signing
a consent for a specific, one-time use or
disclosure—and we encourage programs
to draft their consent in a manner that
is clear and easy to understand.
Congress urged the Department to
provide incentives to programs for
explaining to patients the benefits of
sharing their records.256 Accordingly,
the manner in which programs offer
information about different consent
options should not undermine efforts to
explain to patients the benefits of TPO
consent. Sections 2.22 and 2.31(a) of
this final rule require that part 2
programs notify patients of their rights
and obtain consent before using and
disclosing records for TPO.
Comment
Approximately half of commenters on
intermediaries opposed the
Department’s proposal to retain consent
requirements for disclosures to
intermediaries that differ from consent
requirements for disclosures to business
associates generally. Of the HIEs and
health IT vendors that commented on
this set of proposals, most expressed
opposition. Opposing commenters
believed that the special provisions for
intermediaries were a holdover from
before the CARES Act and were
inconsistent with aligning part 2 with
the HIPAA regulations, especially with
256 See sec. 3221(k)(5) of the CARES Act.
regard to the new provision to allow a
single TPO consent.
The board of supervisors for a large
county explained the county’s view that
the combination of consent proposals
(allowing TPO consent and retaining the
consent provision for intermediaries)
would result in a system where health
plans, third-party payers, and business
associates may be generally described in
a consent as recipients, but these same
recipient entities must be specifically
named if the disclosure is made through
an HIE. According to the commenter,
‘‘[t]his imposes a burden on the use of
HIEs for enhancing patient care while
providing no discernable privacy
benefit.’’
A state-wide e-health collaborative
that administers a network of HINs
similarly remarked that if a patient
signed a consent form designating ‘‘my
health plan’’ as the recipient, the part 2
program would be permitted to disclose
such information directly to the health
plan, but the program would be
prohibited from disclosing that
information to the very same health
plan if the disclosure was made via an
intermediary without specifically
naming the intermediary and the health
plan. A large health IT vendor also
voiced these concerns, describing the
potential result as a ‘‘two-tiered’’ system
that perpetuates discrimination because
patients with SUD cannot reap the
benefits of integrated care that is
facilitated by shared electronic records.
Response
We appreciate the comments and
information about how intermediaries
operate and acknowledge that the
CARES Act changes to consent for uses
and disclosures for TPO and
redisclosures by business associates
have significantly reduced the need for
a regulatory provision for
intermediaries. In response to public
comments the final rule excludes
covered entities and business associates
from the definition of ‘‘intermediary’’ in
§ 2.11. Thus, an HIE, for example, that
meets the definition of ‘‘business
associate’’ is excluded from the
definition of ‘‘intermediary’’ and would
not need to be specifically named in the
consent—it would fall under the
provision for a general designation
under a TPO consent in § 2.31(a)(4).
Other issues regarding intermediaries
are discussed in §§ 2.11, 2.13, and 2.24.
Comment
A commenter recommended changes
to § 2.31 that would modify the wording
of a consent to specifically permit
disclosures to the Food and Drug
Administration (FDA) even after
revocation of consent.
Response
We appreciate the comment, but
believe expressly permitting additional
disclosures after revocation of consent,
where consent is required, is
inconsistent with respecting patient
choice. However, there may be
circumstances where consent is not
required for disclosures to the FDA, for
example, if they fall within the
provision for program audits and
financial evaluations in § 2.53 or public
health disclosures of de-identified
records under § 2.54.
Comment
One commenter recommended that
disclosures to public health authorities
be included in the general TPO consent.
Response
The CARES Act mandated that
disclosures to public health authorities
are permitted without consent, but this
permission applies only to records that
have been de-identified. Further, the
general consent authorized by the
CARES Act applies only to uses and
disclosures for TPO. Under the HIPAA
Privacy Rule, disclosures to public
health authorities are not considered
disclosures for TPO and we apply this
same interpretation to part 2. To the
extent that a patient elects to consent to
the disclosure of identifiable records to
a public health authority, the consent
must include a specific designation of
the recipient.
Consent for Fundraising and De-Identification Activities
Comment
A commenter suggested that consent
for fundraising be offered as an opt-out
rather than an opt-in process. Other
commenters requested that fundraising
not be allowed or that consent for use
or disclosure of part 2 information for
fundraising be obtained using a separate
consent form (i.e., not combined with
any other consent). A few commenters
stated that part 2 programs did not need
to use part 2 records for fundraising
purposes.
Response
Under the HIPAA Privacy Rule,
fundraising falls within the definition of
health care operations.257 The CARES
Act required us to incorporate the
definition of health care operations
wholesale into this regulation. However,
the CARES Act also included a Sense of
257 45 CFR 164.501 (definition of ‘‘Health care
operations,’’ paragraph (6)(v)).
Congress that health care operations do
not include fundraising for purposes of
part 2.258 Thus, taking into account the
Sense of Congress, a general TPO
consent, without more, is not sufficient
to allow the use and disclosure of
records for fundraising purposes by a
part 2 program that obtains a TPO
consent. We considered whether to
require a separate consent for an entity’s
fundraising activities, but determined
that offering an opt-out for fundraising
on the same form as consent for TPO
would place appropriate guardrails on
fundraising uses and disclosures
consistent with the Sense of Congress
without increasing burdens for part 2
programs. Part 2 programs, covered
entities, and business associates that
receive part 2 records under a TPO
consent would be permitted to use and
redisclose the records according to the
HIPAA requirements. We are
implementing the requirement at 42
U.S.C. 290dd–2(k)(4) to add the
definition of ‘‘health care operations’’ to
this regulation as it is defined in
HIPAA, and operationalizing the Sense
of Congress for fundraising purposes.
Comment
In the NPRM, we requested comment
on whether the Department should
require entities subject to part 2
requirements to obtain consent to use
records for de-identification purposes
and whether such consent should be
structured to provide patients with the
ability to opt-in or opt-out of having
their records used in this manner. One
commenter, an HIE, opined that the
Department should not mandate either
option because when de-identification
is done appropriately through expert
determination method or safe harbor
method under 45 CFR 164.514(b), there
is no possibility that information will be
reidentified.
Response
As we explained in the NPRM,
although we believe that an opt-in
requirement would offer more patients
more control over their records and best
fulfill privacy expectations, we also
believe that requiring patient consent
for de-identification activities would be
inconsistent with—and potentially
hinder—the new permission to disclose
de-identified information for public
health purposes under 42 U.S.C.
290dd–2(b)(2)(D), as amended by section
3221(c) of the CARES Act. Such a
requirement also would create a barrier
to de-identification in a manner that
negatively affects patient privacy by
increasing permissible but unnecessary
uses and disclosures of identifiable part
2 records in circumstances when
de-identified records would serve the
intended purpose.
258 See section 3221(k)(4) stating that paragraph
(6)(v) of ‘‘health care operations’’ in 45 CFR 164.501
shall not apply.
Implementation Concerns
Comment
One commenter recommended that
the Department work with ONC and
provide guidance, technical assistance,
and model forms to assist regulated
entities to comply with the proposed
changes to consent.
Response
We will continue to work with our
Federal partners, including ONC, as
needed to provide guidance, technical
assistance, and model forms for
regulated entities.
Comment
Another commenter requested
clarification of whether consent could
be broadly obtained and apply to a
patient’s entire historical record
maintained by a part 2 program.
Response
Yes, a consent may apply broadly to
all future uses and disclosures for TPO
and may apply to a patient’s entire
treatment record.
Expiration of Consent
Comment
A managed care organization
requested clarification that an
expiration date is not required,
consistent with the HIPAA Privacy
Rule.
Response
The commenter is correct in observing
that an expiration date is not required
under the modified consent
requirements if the consent is for all
future uses and disclosures for TPO. As
noted in the NPRM, the Department
does not intend to create substantive
change by replacing ‘‘expiration date,
event, or condition’’ with ‘‘expiration
date or an expiration event that relates
to the individual patient or the purpose
of the use or disclosure.’’ However, the
example proposed in § 2.31(a)(7) that
allows ‘‘none’’ to be entered if the
consent is for a use or disclosure for
TPO represents a change from the
current part 2 consent. Although the
HIPAA Privacy Rule allows an
authorization to have ‘‘none’’ as an
expiration date or event only in limited
circumstances,259 the ability to enter
‘‘none’’ for TPO consent under part 2
259 45 CFR 164.508(c)(1)(v).
creates greater consistency with the
HIPAA Privacy Rule because the HIPAA
Privacy Rule neither requires consent
nor authorization for TPO uses or
disclosures.260 Under § 2.31(a)(7) a
blank expiration date or event is
insufficient, but an actual date is not
always required. Other expiration
language for a TPO consent that is
consistent with 42 U.S.C. 290dd–
2(b)(1)(C) is a phrase such as ‘‘until
revoked by the patient.’’
Comment
One commenter stated that the
consent should not be indefinite and
suggested that, at a minimum, the
written consent should be renewed
annually.
Response
Annual renewal of consent is not
required under HIPAA, and we are not
finalizing a requirement to do so under
part 2. This would run counter to the
permission to provide consent for all
future uses and disclosures for TPO.
However, we recognize that it may be
valuable to periodically ensure that all
patient documentation is up to date and
that it may be a good practice to invite
patients to review their consent choices
and any documents designating
surrogate decision makers, such as
medical powers of attorney. We view
this as a matter of good practice, rather
than a legal requirement.
Conditioning Treatment on Consent
Overview of Comments
A professional association for SUD
providers and 10 state affiliates as well
as a major health plan/health insurer
(who otherwise supported the TPO
consent) opposed allowing part 2
programs to condition treatment on the
signing of a single consent for all future
uses and disclosures for TPO.
Comment
An SUD provider requested
clarification about conditioning
treatment on signing consent to disclose
records and whether the Department
intended the required statement about
the consequences of not signing the
consent to mean that part 2 programs
will not have to comply with the HIPAA
Privacy Rule (which generally prohibits
conditioning treatment on signing an
authorization).
260 U.S. Dep’t of Health and Human Servs.,
‘‘Guidance: Treatment, Payment, and Health Care
Operations’’ (July 26, 2013),
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/.
Response
A part 2 program is not subject to the
HIPAA Privacy Rule unless it is also a
covered entity. The substantive
differences between the HIPAA Privacy
Rule and part 2 regarding conditioning
treatment on signing a consent or
authorization arise from the fact that the
HIPAA Privacy Rule does not require
any type of consent or authorization for
TPO. Thus, the need to condition
treatment, for example, on an
authorization for payment disclosures,
does not arise under HIPAA. However,
part 2 expressly allows conditioning
treatment on a consent for disclosures
for payment, for example, in § 2.14
(Minor patients). And we stated in the
NPRM preamble that a ‘‘Part 2 program
may condition the provision of
treatment on the patient’s consent to
disclose information as needed, for
example, to make referrals to other
providers, obtain payment from a health
plan (unless the patient has paid in
full), or conduct quality review of
services provided.’’ Because the
prohibition on conditioning treatment
on a signed authorization under HIPAA
does not track closely to part 2,261 we
are adopting, as proposed, only
language from paragraph (c)(2)(ii)(B) of
45 CFR 164.508, and only a modified
version of the first part of that
paragraph. Thus, with respect to
conditioning treatment on consent,
§ 2.31 requires a statement of ‘‘the
consequences to the patient of a refusal
to sign the consent.’’
Comment
Several commenters asserted that part
2 programs should not be permitted to
condition treatment on a requirement
that the patient sign the general TPO
consent. They asserted that could create
a barrier to treatment or harm patients’
privacy interests. A few of these
commenters recommended that if
conditioned consent was allowed the
minimum necessary requirement should
apply to any such disclosures.
Response
The availability of a single consent for
all future uses and disclosures for TPO
raises new considerations for patient
confidentiality and ethical practice if
access to treatment is conditioned on
signing such a consent. Congress did not
directly address whether a program may
condition treatment on a TPO consent,
but emphasized guardrails to ease
261 U.S. Dep’t of Health and Human Servs., ‘‘What
is the difference between ‘consent’ and
‘authorization’ under the HIPAA Privacy Rule?’’
(Dec. 28, 2022),
https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/.
privacy concerns in section 3221 of the
CARES Act. We believe that a program
should not condition treatment on a
TPO consent unless it has taken
reasonable steps to establish a workable
process to address patients’ requests for
restrictions on uses and disclosures for
TPO. We are finalizing as proposed in
§ 2.22 the rule of construction that a
patient has the right to request
restrictions on disclosures for TPO and
in § 2.26 a patient’s right to request
restrictions. Additionally, the existing
rule provides that all disclosures of part
2 records should include only the
information necessary for the purpose of
the disclosure.
Comment
Several other commenters requested
clarification of what is needed to give
patients notice that treatment may be
conditioned on signing consent for TPO.
Response
The regulation does not require
specific language; however, consent for
TPO use and disclosure should include
a statement that patient consent is
needed (or required) to allow the
program to use and disclose the
patient’s records for TPO (or ‘‘to help
the program operate its health care
business’’) or something similar. The
final rule also requires a statement or
statements explaining the consequences
of failing to sign, based on the program’s
consent policies. For example, a
program may decide not to provide
ongoing treatment although it allows for
an initial evaluation, or it may require
payment before services are provided, or
it may offer a more narrow or specific
consent option. The program is not
required to do so, but may find it
helpful to point to the patient’s right to
request restrictions on TPO disclosures
and the program’s commitment to
accommodate such requests. We assume
that programs will carefully consider
their goals, treatment population, and
professional standards in deciding how
to fashion a statement about
conditioning treatment on signing a
TPO consent. New patients are likely to
be more hesitant about signing broad
disclosure permissions than existing
patients who have an established
rapport with staff.
Final Rule
The final rule adopts all proposed
modifications to § 2.31(a), but refers to
‘‘HIPAA regulations’’ in place of the
references to 45 CFR 164.502 and
164.506. This modification aligns with
the addition of the new defined term,
‘‘HIPAA regulations.’’
Section 2.31(b) Consent Required: SUD
Counseling Notes
In the NPRM, we requested comments
on a potential definition of ‘‘SUD
counseling notes’’ and specific consent
provisions regarding these notes. We
offered for consideration that a separate
consent requirement, if adopted, would
not apply to SUD counseling notes in
certain specific situations such as when
such information was required for the
reporting of child abuse or neglect,
needed for the program to defend itself
in a legal action or other proceeding
brought by the patient, or required for
oversight of the originator of the SUD
counseling notes.262
Overview of Comments
We received comments in support of
the proposal, asking for modification,
and expressing concern about consent
provisions related to SUD counseling
notes. We also received comments on
such issues as whether a separate
consent should be required for SUD
counseling notes, the similarity or
distinctions between psychotherapy
notes under HIPAA and SUD counseling
notes, and patient rights to access such
notes. We respond to these comments
below. Comments primarily relating to
the proposed definition of ‘‘SUD
counseling notes’’ are discussed in
§ 2.11.
Comment
We received support for the proposals
in the NPRM concerning SUD
counseling notes from commenters such
as HIE/HINs, state and local agencies,
and recovery organizations for treating
SUD counseling notes under § 2.31
similar to psychotherapy notes in the
HIPAA Privacy Rule by requiring a
separate written consent for their
disclosure. These commenters believed
a separate consent would serve as an
added layer of protection to patients
receiving service under § 2.31. A
medical professionals association
believed that parties are already familiar
with how to comply with
psychotherapy notes under HIPAA. If
such a category is created, the
association urged the Department to
issue clear guidance to make the
segregation of these counseling notes as
easy as possible so that part 2 programs
do not have to take repetitive actions
that would add to their administrative
burden.
Response
We appreciate these comments and
are finalizing provisions in this section
that require a program to obtain separate
262 See full discussion at 87 FR 74216, 74231.
consent for any use or disclosure of SUD
counseling notes subject to certain
specific listed exceptions. We will
consider what additional guidance may
be helpful on these issues after the rule
is finalized.
Comment
According to several SUD and
recovery associations, notes often
contain highly sensitive information
that supports therapy. Limiting access to
these notes is critical to protect the
therapeutic alliance due to the unique
risks that patients face due to the risks
of inappropriate sharing of highly
sensitive information in these notes. A
health care provider believed the SUD
counseling note provision would allow
a SUD provider the ability to more
accurately capture critical impressions
of his or her patient without running the
risk that it could adversely impact the
patient or the provider-patient
relationship.
A few HIE associations commented
that providers rarely use the option to
keep psychotherapy notes as defined in
the HIPAA regulations; instead, the type
of information previously envisioned to
be included in the psychotherapy note
is now included in ‘‘progress notes’’ or
the information is not captured and
documented in an EHR. If organizations
move towards utilizing a separate
category for SUD counseling notes, it
could lead to information either not
being documented, or to important
information not being captured at all,
which is against the principles of
interoperability supported by these
associations and the Federal
Government, these commenters
asserted. A hospital said that in its
experience clinicians, both internal and
external to its organization, usually refer
to these types of notes as ‘‘process
notes’’ which are not part of the
designated record set and are not
documented in the EHR. This
commenter also has heard from
clinicians that these types of notes are
rarely used.
A medical professionals association
believed that SUD counseling notes
should be separated from the rest of the
patient’s health record, to allow a
firewall between notes used by the
individual therapist or treating
professional and the rest of the patient’s
health record (such as diagnosis,
functional status, treatment plan,
symptoms, prognosis, start and stop
times, modalities and frequencies of
treatment, medication prescription and
monitoring, and results of clinical tests)
that is designed to be shared, as
appropriate, with other health care
entities. According to this association,
psychotherapy notes provide a vital tool
for psychologists to protect sensitive
therapy details from third parties. These
notes are a way for psychologists to
protect patient privacy as to sensitive
details that are important for the
psychologist to remember, but that do
not need to be shared with other health
care entities.
Response
We discuss our changes to the
definition of ‘‘SUD counseling notes’’ in
§ 2.11 above. We intend for SUD
counseling note provisions in 42 CFR
part 2 to parallel the HIPAA
psychotherapy note provisions.263
Providers may vary in their use of
SUD counseling or psychotherapy notes.
Moreover, some providers in behavioral
health or other medical practices also
may use ‘‘open notes’’ intended to
permit patient access to EHRs, including
provider notes.264 The preamble to the
2000 HIPAA Privacy Rule explained
that ‘‘process notes capture the
therapist’s impressions about the
patient, contain details of the
psychotherapy conversation considered
to be inappropriate for the medical
record, and are used by the provider for
future sessions.’’ The preamble further
noted that ‘‘[w]e were told that process
notes are often kept separate to limit
access, even in an electronic record
system, because they contain sensitive
information relevant to no one other
than the treating provider. These
separate ‘process note’ are what we are
calling ‘psychotherapy notes.’ ’’ 265 By
contrast, progress notes (referred to as
‘‘progress to date’’ in our definition of
‘‘SUD counseling notes’’) would be
included in the patient’s medical record
or part 2 record.
We also believe that licensed part 2
program providers that are especially
trained in the handling of these types of
records (i.e., familiar with and qualified
to maintain separate session notes) will
likely be able to understand and apply
special requirements to protect these
types of notes. We also reiterate from
the NPRM that ‘‘[i]f SUD treatment is
provided by a mental health
professional that is a Part 2 program and
a covered entity, and the provider
creates notes of counseling sessions that
are kept separate from the individual’s
263 As discussed elsewhere in this rule, psychotherapy notes are part of the designated record set. See ‘‘Individuals’ Right under HIPAA to Access their Health Information 45 CFR 164.524,’’ supra note 159.
264 See Steve O’Neill, Charlotte Blease, Tom Delbanco, ‘‘Open Notes Become Law: A Challenge for Mental Health Practice,’’ Psychiatric Services (2021), https://pubmed.ncbi.nlm.nih.gov/33971748/.
265 65 FR 82461, 82623.
medical record, those notes would be
[considered] psychotherapy notes as
well as Part 2 records.’’ 266
Comment
A health IT vendor was not opposed
to the proposal to create special
protections for SUD counseling notes
but urged the Department to develop
guidance for effective implementation.
Also, although it seems reasonable to
this commenter to align the SUD
counseling note consent requirements to
the HIPAA psychotherapy note consent
requirements, any requirement for ‘‘a
separate written consent that is not
combined with a consent to disclose any
other type of health information’’ could
be burdensome for providers who
provide services to dually diagnosed
(mental health and SUD) consumers.
Response
We are finalizing a modification to
permit consent for use and disclosure of
SUD counseling notes to be combined
with another consent for use and
disclosure of SUD counseling notes.
Combining a consent for disclosure of
SUD counseling notes with an
authorization for the use and disclosure
of psychotherapy notes is not permitted
under the HIPAA Privacy Rule. Further,
we are not aware that psychotherapy
notes or SUD counseling notes are
disclosed with such frequency as to
create a burden for providers.
Comment
A medical professional association
interpreted the NPRM to suggest that
SUD counseling notes, like
psychotherapy notes, would generally
not be accessible to patients. The
association said that in most states,
patients have full or only slightly
limited access to these notes. The reason
is that HIPAA’s preemption requirement
gives priority to state laws that give
patients greater access to their records.
Since most state laws on access to
mental health records do not contain an
exemption for psychotherapy notes,
those laws are not preempted by the
HIPAA provision denying patients
access to psychotherapy notes. The
association believed that the main
exception to this effect is in the
minority of states that have changed
their patient access laws to align with
HIPAA, including the exclusion of
psychotherapy notes from the patient’s
right to access their mental health
records. The association anticipated that
the creation of SUD counseling notes
would have a similar effect on patient
access except to the extent that state
266 87 FR 74216, 74230.
laws on patient access to records
exclude, or are otherwise different for,
SUD records.
Response
Under the HIPAA Privacy Rule,
patients do not have a right of access to
psychotherapy notes.267 We have noted
that while there is no right of access to
psychotherapy notes, ‘‘HIPAA generally
gives providers discretion to disclose
the individual’s own protected health
information (including psychotherapy
notes) directly to the individual or the
individual’s personal
representative.’’ 268 Under HIPAA,
psychotherapy notes must be
maintained separately from the rest of
the individual’s medical record. We
establish a similar expectation with
respect to SUD counseling notes in this
final rule.
Under the existing (and final) rule,
part 2 programs are vested with
discretion about providing patients with
access to their records. Section 2.23
neither prohibits giving patients access
nor requires it and a part 2 program is
not required to obtain a patient’s written
consent or other authorization to
provide such access to the patient. We
confirm here that SUD counseling notes
fall within the scope of part 2 records
although they are separated from the
rest of the patient’s SUD and medical
record under § 2.11 (SUD counseling
notes). The final rule therefore does not
require under § 2.23 that SUD
counseling notes be disclosed to the
patient, but a clinician may choose to do
so voluntarily.
We assume that SUD treating
professionals are aware of the statutory
and regulatory requirements in their
state pertaining to patient access to
records, including access to separately
maintained notes of counseling
sessions, and considered state
requirements when making decisions
about whether to adopt the use of the
SUD counseling notes provision in this
final rule.
Comment
A medical professional association
commented that since SUDs are
frequently a dual diagnosis with mental
health disorders, it is appropriate for
SUD counseling notes to be like
psychotherapy notes. This approach
would lessen the provider’s burden
267 See 65 FR 82461, 82554; 45 CFR 164.524(a)(1)(i).
268 See U.S. Dep’t of Health and Human Servs., ‘‘Information Related to Mental and Behavioral Health, including Opioid Overdose’’ (Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html.
when treating dual diagnoses by
requiring the same type of notes.
The association described its
concerns, however, that a separate
consent requirement, if adopted, not
apply to training programs that
students, trainees, or practitioners use to
improve their skills in a SUD treatment
environment. The commenter requested
that we consider patient consent for
educational training using audio or
video recordings. Another professional
association echoed support for allowing
use or disclosure of SUD counseling notes
for a program’s supervised student
training activities.
Response
The final rule expressly provides an
exception from requirements for consent
to disclose SUD counseling notes when
such use or disclosure is made ‘‘by the
part 2 program for its own training
programs in which students, trainees, or
practitioners in SUD treatment or
mental health learn under supervision
to practice or improve their skills in
group, joint, family, or individual SUD
counseling.’’ This parallels the
exception for psychotherapy notes in
the HIPAA Privacy Rule for training of
mental health professionals. With
respect to audio or video recording, the
definition of ‘‘SUD counseling notes,’’
like the definition of ‘‘psychotherapy
notes’’ under HIPAA, does not include
such recordings.
Comment
We received many comments on
segregation or separation of SUD
counseling notes from other parts of a
patient’s medical record. A medical
professionals association recommended
that SUD counseling notes be handled
in the same manner that psychotherapy
notes are treated under HIPAA. This
category would provide greater
protection for SUD counseling notes and
limit the notes from being shared under
a TPO consent. Providers are already
familiar with how to comply with
psychotherapy notes under HIPAA. If
such a category is created, the
association encouraged the Department
to issue clear guidance to make the
segregation of these counseling notes as
easy as possible so that part 2 programs
do not have to take repetitive actions
that will add administrative burden.
A medical school trade association
echoed these comments stating that it
supports not disclosing SUD counseling
session notes without a separate written
authorization or consent. These notes,
which are maintained primarily for use
by the originator of the notes, should
have heightened protections and
accountability. This policy would be
consistent with the approach that limits
the individual’s right of access to
psychotherapy notes under HIPAA. The
association requested HHS explore, in
partnership with stakeholders, how
these SUD counseling session notes
would be best protected while
minimizing data segmentation
challenges. The association also asked
that the Department issue guidance on
how these counseling notes could be
segregated.
A health IT vendor indicated that it
understands the importance of
maintaining the confidentiality of
counseling sessions and supports
maintaining strict protections for
counseling session notes. Its platform
enables providers to maintain these
notes as strictly confidential.
A few professional associations and
an individual commenter asserted that
segregation of client notes under this
section creates an extra burden, which
is harder for publicly funded without
money for the systems.
According to a medical professionals’
association, the creation of a distinct
class of psychotherapy notes in HIPAA
provides an illustrative example of the
challenge of implementing specific data
protections within a medical record:
options for segregating SUD records
from other records that require manual
or duplicative action by the clinician are
likely not viable at scale. Further, the
personnel time and infrastructure costs
of configuring such an option in the
EHR is not negligible.
A county department believed that
SUD counseling notes are appropriate to
share with the patient upon request. The
agency asserted that it would be
inadvisable to segregate these notes
from the remainder of the medical
record, and that it would add undue
burden to subject them to a separate
patient consent requirement.
An academic medical center stated
that even if SUD counseling notes were
included in the final rule, it did not
anticipate using them. Segregating a
progress note would be administratively
burdensome to do. Additionally,
segregation of information impacts the
overall care of the patient by not
providing quality continuity of care to
patients being treated in SUD programs,
according to this commenter. The
commenter added, allowing all SUD
progress notes related to a patient’s care
to be accessible and integrated in the
EHR would allow the medical team to
view and use notes from the patient’s
SUD course of treatment to care for the
patient.
A health insurer asserted that
segregation of SUD notes could impede
the sharing of information that should
be part of the patient’s overall part 2
record and information that is critical to
support necessary treatment and care
coordination. In addition, the
commenter stated that such segregation
and the attendant requirements attached
to these notes (e.g., separate consent
required for release) would unduly
burden patients, providers, and other
stakeholders with no demonstrated
justification or value. The commenter
requested that, if the Department
created a separate category of record
information for ‘‘SUD counseling
notes,’’ the final rule clarify that this
narrow category is limited to
contemporaneous notes from an in-person counseling session and not, as
was noted in the proposed rule,
summary information from the overall
part 2 record and information such as
diagnosis, treatment plan, progress
notes, etc.
Response
We appreciate comments concerning
the potential challenges of maintaining
SUD counseling notes apart from the
medical or part 2 record. ‘‘SUD
counseling notes’’ as defined in this rule
‘‘are separated from the rest of the
patient’s SUD and medical record.’’
Although the definition is neutral
regarding the format in which SUD
counseling notes are maintained, a key
aspect is that they are not generally
available to anyone other than the
treating clinician. Thus, session notes of
an SUD provider that are maintained in
an EHR environment where they are
accessible by multiple members of the
treatment team would not qualify as
SUD counseling notes nor receive the
additional protection from disclosure.
The final rule’s approach to SUD
counseling notes and requiring that
such notes be separate from other
portions of the record is entirely
consistent with the long-standing
approach regarding psychotherapy notes
within HIPAA which dates back to
2000. In the 2000 HIPAA Privacy Rule,
we explained that ‘‘any notes that are
routinely shared with others, whether as
part of the medical record or otherwise,
are, by definition, not psychotherapy
notes, as we have defined them. To
qualify for the definition and the
increased protection, the notes must be
created and maintained for the use of
the provider who created them . . .
[.]’’ 269
We further elaborated that ‘‘[t]he final
rule retains the policy that
psychotherapy notes be separated from
the remainder of the medical record to
receive additional protection.’’ We
269 65 FR 82461, 82623.
noted that mental health providers told
the Department that ‘‘information that is
critical to the treatment of individuals is
normally maintained in the medical
record and that psychotherapy notes are
used by the provider who created them
and rarely for other purposes.’’
Similarly, SUD counseling notes
support provider recollections of
sessions with the patient but are not
intended to supplant other information,
such as the patient’s test results and
diagnosis, within the part 2 record or
medical record.
Comment
Several commenters raised concerns
about SUD counseling notes being
distinct from psychotherapy notes
under HIPAA. One commenter did not
believe these SUD counseling notes
with additional protections promote
access and exchange of valuable
information and prefers an approach
that destigmatizes SUD treatment and
promotes access to clinically relevant
information which is valuable and
informative for all TPO purposes.
A state agency believed that SUD
counseling notes are qualitatively
different than psychotherapy notes and
are most frequently maintained by
unlicensed providers. The agency is
concerned that this change would create
additional administrative complexity
and compliance challenges for part 2
programs and may have unintended
consequences by restricting patient
access to, or disclosure of, a significant
segment of their SUD treatment records.
This change seems unlikely to facilitate
information exchange for care
coordination purposes, and as such
would seem to be inconsistent with
many of the other proposed
amendments, according to this
commenter.
One county health department
asserted that the utility of this category
of records is likely minimal, and
another said that requiring separate
consent for SUD counseling notes
would counteract the aim of facilitating
greater information exchange, with
unclear benefits. HHS’ proposed
consent framework for part 2 records
provides patients with sufficient control
to limit what substance use treatment
information is shared and does not
require creation of a category of ‘‘SUD
counseling notes’’ with different
protections.
A health care provider recommended
a different approach whereby all part 2
data is used in a similar manner to
psychotherapy notes. This policy would
reduce the need for new part 2
workflows and interoperability
frameworks. Additionally, by deeming
part 2 information identical to a
psychotherapy note, that data could also
be carved out of the definition of
‘‘electronic health information’’ and
would not be subject to the 21st Century
Cures Act, but still maintain critical
clinical information. For example,
results of clinical tests, summaries of
diagnosis, functionality status,
treatment plan, symptoms, prognosis
and progress to date are all excluded
from a psychotherapy note. By treating
part 2 data or SUD data similar to
psychotherapy notes, the most sensitive
information made available in a part 2
encounter would continue to be
restricted but critical information for
treatment and continuity of care would
remain available.
A health care provider commented
that it did not recommend including
special protection for SUD counseling
notes by requiring a separate written
consent for their disclosure because
they are concerned that it would impede
care coordination. SUD counseling
notes may contain clinically relevant
information and be useful to inform
coordinated treatment plans. Also, given
the variety of part 2 program structures,
as well as differences in state licensing
laws, the categorization of personnel
who could create or view counseling
notes would be confusing to implement
and would require significant
administrative burden to designate
records within the SUD counseling
notes category. As a result, the
commenter believed that some programs
may have difficulty implementing the
requirement and be deterred from
sharing vital information within the
record for TPO purposes.
Response
Use of the SUD counseling notes
provision by an SUD professional is
voluntary and optional, although a
program may adopt a facility-wide
policy that either supports or disallows
the creation and maintenance of such
notes. Also, SUD counseling notes are a
subset of a part 2 record and the
separate consent requirement would
only apply to such notes when they are
maintained separately from the rest of
the part 2 record. Additionally, the
CARES Act, while supporting alignment
of HIPAA and part 2, continues to
recognize the importance of applying
additional protections to SUD
information. Accordingly, the
Department cannot treat psychotherapy
notes and SUD counseling notes as
synonymous as this would be contrary
to the CARES Act and 42 U.S.C. 290dd–
2 as amended. Regarding requests for
additional guidance, we may provide
additional guidance on these issues after
the rule is finalized.
Comment
An academic health center said that
as proposed, an SUD counseling note,
created by and used by the creating
provider, segments patient care and
could introduce patient safety risks.
Information known to only one member
of the treatment team is antithetical to
an integrated care approach. The
commenter believed that once the
patient has provided consent to be
treated in our SUD program those
records should be visible to the rest of
the care team across the covered entity,
not just the SUD treatment counselor
who created the note or the SUD team.
Response
‘‘SUD counseling notes’’ as defined in
this rule ‘‘excludes medication
prescription and monitoring, counseling
session start and stop times, the
modalities and frequencies of treatment
furnished, results of clinical tests, and
any summary of the following items:
diagnosis, functional status, the
treatment plan, symptoms, prognosis,
and progress to date.’’ SUD counseling
notes are intended, like psychotherapy
notes, to support an individual provider
and are not routinely shared with
others. Information critical to patient
diagnosis and treatment such as
prognosis and test results, should be
within the patient’s medical record or
part 2 record. We do not believe the use
of separate SUD counseling notes will
impede either integrated care or patient
safety; however, a program may adopt
its own policy with respect to the use
by its clinicians of such notes.
Comment
According to a health IT vendor, the
treatment of SUD counseling notes
under part 2 raises complexities similar
to HIPAA with respect to limits on
patient access and for the need for a
distinct specific consent from the
patient. Addressing such matters
depends on whether the notes are
included in a specific medical record
document or record type or comingled
with other documentation. The health
IT vendor stated that many part 2
providers have not been in a habit of
maintaining distinct forms of
documents or records that would allow
for these provisions to be so simply
applied. The commenter urged the
Department to develop guidance for their
effective implementation. The
commenter suggested a single consent
option to cover both psychotherapy and
SUD counseling notes, not combined
with any consent to disclose any other
type of health information, to facilitate
the release of notes for dually diagnosed
consumers being treated by the same
provider/provider group. For this and
other reasons, it would seem beneficial
to this commenter to align these consent
requirements as closely as possible to
avoid confusion, and variations in data
exchange rules.
Response
As noted, the Department, including
ONC, is working to support
implementation of EHRs and health IT
within the behavioral health sector. We
believe that separate consent for release
of SUD counseling notes is important
because these notes will be maintained
distinctly from other parts of the
patient’s medical record. This approach
is consistent with our approach to
psychotherapy notes under HIPAA.270
According to SAMHSA’s National
Survey on Drug Use and Health, we
know that many patients will have both
mental health and SUDs as well as other
comorbidities or co-occurring
conditions. We believe the definition of
‘‘SUD counseling notes’’ in this final
rule and the consent provisions will
support integration of care and care
coordination for dually diagnosed SUD
and mental health patients.271
Comment
An insurer suggested that the final
rule make clear that this narrow
category of SUD counseling notes is
limited to contemporaneous notes from
an in-person counseling session and
not, as is noted in the proposed rule,
summary information from the overall
part 2 record and information such as
diagnosis, treatment plan, and progress
notes. The commenter asserted that in
practice the HIPAA Privacy Rule’s
provision on ‘‘psychotherapy notes’’ has
been used by some parties as a
justification for information blocking
and refusal to provide information for
TPO in some cases. The commenter
believed that similar behavior could
occur with this provision if boundaries
and limitations are not clearly
articulated both in the definition and
related provisions of the final rule.
270 See ‘‘Does HIPAA provide extra protections for mental health information compared with other health information? ’’ supra note 157.
271 See Substance Abuse and Mental Health Servs. Admin., ‘‘SAMHSA Announces National Survey on Drug Use and Health (NSDUH) Results Detailing Mental Illness and Substance Use Levels in 2021’’ (Jan. 4, 2023), https://www.samhsa.gov/newsroom/press-announcements/20230104/samhsa-announces-nsduh-results-detailing-mental-illness-substance-use-levels-2021.
Response
The Department is collaborating to
ensure successful implementation of
information blocking requirements and
acknowledges this commenter’s
concerns.272 That said, we believe the
final definition of ‘‘SUD counseling
notes’’ makes clear that for the purposes
of part 2 SUD counseling notes do not
include medication prescription and
monitoring, counseling session start and
stop times, the modalities and
frequencies of treatment furnished,
results of clinical tests, and any
summary of the following items:
diagnosis, functional status, the
treatment plan, symptoms, prognosis,
and progress to date.
Comment
An HIE/HIN stated its view that
adding an additional level of complexity
in the consent process is likely to cause
confusion and have the practical result
of eliminating data sharing in
circumstances where Congress intended
to facilitate the sharing of data. Should
the Department decide to add such a
definition, the commenter asked that
HHS not prohibit a consent permitting
the release of such notes from being
combined with a general consent to
release part 2 records. The commenter
believed that any heightened security
requirements could be met by requiring
that a consent for release of SUD
counseling notes to explicitly reference
such notes in conspicuous language
separate and apart from any other
permissions to disclose data.
Response
As noted, consistent with the
Department’s approach to
psychotherapy notes in HIPAA, we are
requiring a separate consent for
disclosure of SUD counseling notes and
specifically prohibiting combining a
consent for disclosure of SUD
counseling notes with a consent for
disclosure of any other type of health
information other than for release of
psychotherapy notes. A part 2 consent
form may have a combination of
options, including a check box for SUD
counseling notes. However, when a
patient is consenting for SUD
counseling notes that is the only type of
information that can be indicated on the
consent (other than psychotherapy
notes). For instance, if a patient checks
both ‘‘billing information’’ and ‘‘SUD
counseling notes’’ this consent is not
valid to release the SUD notes.
272 See ‘‘Information Blocking,’’ supra note 160.
Comment
With respect to the proposed
exception for disclosure of SUD
counseling notes to lessen a serious and
imminent threat to the health or safety
of a person or the public, an individual
commenter said that the proposed
language reflecting this exception,
otherwise known as the Tarasoff 273
exception, is too broad.274
The commenter stated the objective in
this exception is to ‘‘lessen’’ a serious
and imminent threat to the health or
safety of a person or the public. The
commenter believed that this approach
was discriminatory because it equated
being in treatment for SUD with being
an imminent threat from a physical or
health perspective. Specifically, the
commenter said inclusion of the term
‘‘health’’ was too vague and suggested
that if a person in SUD treatment has
HIV, hepatitis B or C, or any other
communicable disease, that it is the
responsibility of the SUD counselor to
determine whether to report that
information if the patient is in a
conjugal relationship or might expose
another person. The commenter argued
that it is sufficient to characterize the
nature of the imminent physical threat,
assert that the reporter has reason to
believe that the imminent physical
threat is serious, and any personal
information that would allow a person
to avoid the instigator of the threat or to
allow a person(s) reasonably able to
prevent or lessen the threat.
Response
We acknowledge the commenter’s
concerns about the suggested exception,
which we decline to include in the final
rule. HIPAA and part 2 provisions on
serious and imminent threats and
disclosure differ. With respect to
preventing harm, the final rule permits
use or disclosure of SUD counseling
notes under § 2.63(a)(1) and (2) based on
a court order to disclose ‘‘confidential
communications’’ made by a patient to
a part 2 program when necessary to
protect against an existing threat to life
or of serious bodily injury, or in
connection with the investigation or
prosecution of an extremely serious
crime, such as one which directly
threatens loss of life or serious bodily
273 Tarasoff v. Regents of the Univ. of Cal., 17 Cal.
3d 425 (Cal. 1976).
274 For an analysis of how this applies under HIPAA, see U.S. Dep’t of Health and Human Servs., ‘‘If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities?’’ (Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2098/if-doctor-believespatient-might-hurt-himself-or-herself-or-someoneelse-it-duty-provider.html.
injury, including homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, or child abuse and
neglect. When such a use or disclosure
is made, § 2.13 provides that ‘‘[a]ny use
or disclosure made under the
regulations in this part must be limited
to that information which is necessary
to carry out the purpose of the use or
disclosure.’’ Thus, the information
shared under these circumstances or
with respect to any disclosure without
consent should be the minimum
necessary to carry out the purposes of
the disclosure.275
Final Rule
As noted, we have finalized a
definition of ‘‘SUD counseling notes’’
discussed above in section § 2.11. With
respect to consent for use and disclosure
of SUD counseling notes we are
finalizing the provision as § 2.31(b). The
consent requirement does not apply to
SUD counseling notes in certain specific
situations such as the: (1) use by the
originator of the SUD counseling notes
for treatment; (2) use or disclosure by
the program for its own training
programs; or (3) use or disclosure by the
program to defend itself in a legal action
or other proceeding brought by the
patient.
Section 2.31(c) Expired, Deficient, or
False Consent
Proposed Rule
The NPRM proposed in paragraph
(c)(4) of this section to replace the
phrase ‘‘individual or entity’’ with the
term ‘‘person’’ to comport with the
meaning of person in the HIPAA
regulations and as consistent with
similar changes proposed throughout
this part. The revised language would
read, ‘‘[a] disclosure may not be made
on the basis of a consent which . . . [i]s
known, or through reasonable diligence
could be known, by the person holding
the records to be materially false.’’
Additionally, the Department solicited
comments on whether the final rule
should require part 2 programs to
inform an HIE when a patient revokes
consent for TPO so that additional uses
and disclosures by the HIE would not be
imputed to the programs that have
disclosed part 2 records to the HIE.
False or ‘‘Uninformed’’ Consent
Comment
Several commenters said that the rule
should require that programs engage in
an ‘‘informed consent’’ process where
they explain the nature of the consent
and potential consequences to the
275 See 83 FR 239, 244; 85 FR 42986, 43003.
patient. These commenters urged the
Department to adopt an informed
consent process.
Response
‘‘Informed consent’’ generally refers to
consent to receive treatment or consent
to participate in research.276 As such,
the obligation to ensure that patient
consent is informed is outside of the
scope of part 2, but is addressed in other
law and is part of the professional and
ethical requirements for licensed SUD
professionals. However, we expect
programs to ensure that consent is
knowing and voluntary in the sense that
the patient understands the
consequences of signing or not signing
the consent or authorization or that a
personal representative provides
consent when needed. We believe that
consent that has been coerced or
unknowing would be invalid and that,
in the context of an application for a
part 2 court order, the court would
decide such matters. In addition, we
believe that a consent that is based on
false information or a lack of material
information about the nature of the
disclosure would be considered an
invalid consent, as would any consent
if the part 2 program knows or has
reason to know that the signature was
forged.
Revocation of Consent
Comment
Some commenters addressed
revocation of consent for use and
disclosure of part 2 records, including
several member organizations of an HIE/
HIN that co-signed a comment letter.
Some of these commenters urged that
the final rule expressly state that
disclosed part 2 records cannot be
pulled back from the recipient once
released, following a patient’s
revocation of the original signed consent
as stated in the NPRM preamble
discussion.
276 See Off. of Human Research Protections, ‘‘Informed Consent FAQs’’ (Sept. 24, 2003), https://www.hhs.gov/ohrp/regulations-and-policy/guidance/faq/informed-consent/ (discussing the HHS Common Rule and other requirements); Food and Drug Admin., ‘‘Informed Consent Guidance for IRBs, Clinical Investigators, and Sponsors,’’ (August 2023) https://www.fda.gov/regulatory-information/search-fda-guidancedocuments/informed-consent; American Medical Ass’n, Code of Medical Ethics. Chapter 2, Informed Consent, Opinion 2.1.1, https://code-medicalethics.ama-assn.org/ethics-opinions/informedconsent; R. Walker, TK Logan, JJ Clark et al. Informed consent to undergo treatment for substance abuse: a recommended approach. 29 J Subst Abuse Treat. 241–51 (2005); Johns Hopkins Medicine, Off. of Human Subjects Research, ‘‘Relevant State Law Requirements’’ (August 2020), https://www.hopkinsmedicine.org/institutionalreview-board/guidelines-policies/guidelines/marylandlaw. See also, e.g., 42 CFR 482.24(c)(4)(v)).
Response
We appreciate the comments and
information provided about the consent
revocation process, particularly when it
occurs in an HIE environment. We
reaffirm the statement in the NPRM
preamble that revocation does not
require pulling back records that have
been disclosed and do not believe it is
necessary to so state in regulatory text.
Comment
Several commenters recommended
that HIEs be informed when a patient
revokes consent, including an HIE
association, health IT vendors, and a
state government agency. One health IT
vendor explained that consent
revocation mechanisms may be
implemented through the Trusted
Exchange Framework when made by
HIEs and HINs. The vendor asserted that
most HIEs already receive notice of
revocation when they use a model of
exchange in which a potential recipient
seeks medical records from another
exchange participant and the current
status of a patient’s consent permission
to have their records exchanged is
known, including whether a patient has
revoked consent. A health plan
requested that recipients should be
notified so they can stop redisclosing
information they already received based
on consent.
One commenter asserted that the
existing pathways for complying with a
more granular consent (e.g., that is
specific to a certain recipient or
purpose) should remain available and
that HIEs should be informed about
changes to consent for disclosures made
through the HIE. This commenter
recommended that the Department
explore further how HIEs learn of the
consent status, whether it means that
the HIE must directly record the status
of a revocation or if the HIE relies on
some kind of electronic ‘‘polling’’ of the
part 2 program to ascertain if a valid
consent remains or has been revoked.
In contrast, a behavioral health
network/HIE opposed requiring notice
of revocation to an HIE, opining that it
is not necessary because—under the
CARES Act—once part 2 records are
disclosed to a covered entity or business
associate they are no longer part 2
records. As such, the commenter stated,
the records can be redisclosed without
limitation under part 2 even after a part
2 consent to disclose has been revoked.
Response
We appreciate these comments, which
provided perspectives on how consent
and revocation are communicated
through an electronic health exchange.
We disagree with the view that once
records are disclosed they are no longer
part 2 records. Once received by a
covered entity or business associate, the
part 2 records are also PHI but, under
this final rule, do not have to be
segregated or segmented from other PHI.
However, the records remain subject to
the part 2 prohibitions against uses and
disclosures for certain proceedings
against a patient without written
consent or a court order under this part.
We agree that programs should convey
to recipients when a consent is provided
and, where feasible, when it has been
revoked. This effort should include
using whatever tools are at the disposal
of the program to ensure that only
consented information is exchanged.
While we appreciate the comments
stating that HIEs are able to
operationalize a requirement to provide
notice of revocation, we are concerned
about the burdens that would apply to
all programs if we imposed a
requirement that programs ‘‘must’’
notify recipients upon consent
revocation. Thus, while we are
finalizing additional requirements for a
copy of consent to travel with each
disclosure of records for which consent
is required, we decline to adopt a
requirement for programs to notify
recipients of records of each revocation.
The new requirement to attach a copy
of consent is discussed under § 2.32
(Notice and copy of consent to
accompany disclosure). Regarding
revocation, we intend for programs to
convey to recipients when a patient has
provided written revocation where
feasible. When the records have been
disclosed through an HIE, the
mechanism for informing recipients of a
revocation would likely depend on the
consent model used by the HIE. But our
expectation is that all programs make
efforts to initiate actions needed to
accomplish the notification and to give
full effect to the patient right to revoke
consent as stated in the Patient Notice.
Consistent with the recommendation
of one commenter to explore further
how HIEs learn of the consent status, we
intend to monitor how provision of
notice of revocation could work across
all types of entities, including in a fully
electronic environment such as an HIE,
but also for stand-alone systems and
paper-based exchanges.
Comment
A health information association
recommended requiring programs to
inform HIEs, and HIEs to follow, a
patient’s request to revoke consent for
distribution of their information for
TPO. If patients are not able to stop the
exchange of their information once it is
released to an HIE, they may hesitate to
consent to information being released to
an HIE or HIN. If a patient’s data is out
of date at one provider and the patient
cannot revoke consent for that
information to be exchanged by an HIE,
then they will continue to fight a losing
battle to ensure every subsequent record
is correct as the HIE may still be
exchanging the incorrect information.
Response
The language in the final rule for
§ 2.31(a)(6) regarding ‘‘[t]he patient’s
right to revoke the consent in writing,
except to the extent that the part 2
program, or other lawful holder of
patient identifying information that is
permitted to make the disclosure, has
already acted in reliance on it [. . .]’’ is
broadly applicable and therefore would
include HIEs/HINs. As a result, when an
HIE/HIN learns of a patient’s revocation
of consent they would need to cease
using or redisclosing the patient’s part
2 record to other entities.
Comment
An academic medical center
compared the proposed part 2 TPO
consent to a HIPAA authorization for
TPO disclosures and explained that
during the entire period that the HIPAA
Privacy Rule has been effective they
were not aware of any patient that
sought to revoke a HIPAA authorization
for use of their PHI for purposes of TPO.
Response
We acknowledge the similarities and
differences between part 2 consent and
HIPAA authorization. Under HIPAA,
neither consent nor authorization is
required for TPO, so the opportunity to
revoke such an authorization is unlikely
to exist. Revocation of consent is further
discussed under § 2.31.
Comment
Some commenters addressed the
question of whether a revocation should
halt all future uses and disclosures by
a recipient or whether a revocation
should only prevent any further
disclosures to that recipient.
Commenters did not show a strong
consensus on one approach, although
more comments than not supported
allowing additional redisclosures
following revocation when the
information is limited to records already
in possession of the initial recipient.
HIE-related comments uniformly
affirmed the Department’s statement in
the NPRM preamble that information
did not need to be ‘‘clawed back’’
following a revocation and several
further asserted that an HIE needs to
cease making redisclosures of health
information it retains once it learns of
a revocation of consent or HIPAA
authorization. These commenters also
urged express clarification that
revocation of consent only applies going
forward. Commenters that supported the
ability to continue making redisclosures
of information retained by the recipient
requested clarification to reduce
concerns by part 2 programs that they
could be liable for redisclosures made
by recipients after consent has been
revoked. As described in the discussion
of § 2.13 above, a few HIE/HINs
proposed addressing revocation in
§ 2.13 and limiting it to new information
received after the revocation and to
allow continued use and disclosure of
part 2 records the recipient has
received prior to the revocation.
Response
As stated in the NPRM, the
Department does not expect a part 2
program to ‘‘pull back’’ records that it
has disclosed under a valid consent
based on a patient’s revocation of
consent. At a minimum we intend that
a written revocation serves to prohibit a
part 2 program from making further uses
and disclosures of a patient’s record
according to the scope of the revocation.
Based on the public comments received,
we also intend that when records have
been transmitted through an HIE, the
HIE should cease making further
disclosures of the patient’s record to
other member participants. As stated in
the NPRM, to fully accomplish the aims
of the right to revoke consent, we expect
that part 2 programs will work to ensure
that any ongoing or automatic
disclosure mechanisms are halted upon
receipt of a request for revocation.
Certain recipients under a consent for
TPO (part 2 programs, covered entities,
and business associates) are permitted
to redisclose records according to the
HIPAA regulations. Under 45 CFR
164.508(b)(5) a covered entity or
business associate is required to cease
making further uses and disclosures of
PHI received once they are informed of
an authorization revocation, except to
the extent they have already taken
action in reliance on the authorization
or if it was obtained as a condition of
obtaining insurance coverage and other
law provides the insurer with the right
to contest a claim. We believe this
requirement applies equally to
revocation of a part 2 consent. This
interpretation is revised from the NPRM
preamble discussion that proposed a
revocation would only be effective to
prohibit further disclosures by a
program and would not prevent a
recipient part 2 program, covered entity,
or business associate from using the
record for TPO, or redisclosing the
record as permitted by the HIPAA
Privacy Rule.
Taking into account covered entities’
obligations under HIPAA once they are
informed of a revocation, we believe
they are also obligated to comply with
a revoked consent about which they are
aware. We do not see a reason for a
recipient covered entity to treat a
patient’s revocation of part 2 consent
differently than a revoked HIPAA
authorization. For example, if a part 2
program disclosed part 2 records under
a TPO consent to a health plan and the
patient later revoked said consent, the
health plan that is processing a claim
may complete the transaction but may
not process new part 2 claims for that
patient/plan member. In another
example, a covered entity health care
provider who is currently treating a
patient and has received a patient’s part
2 records will necessarily need to
continue relying on the records it
received to continue treating the patient
(e.g., the provider cannot ‘‘unlearn’’ the
patient’s history); however, it is
prohibited from redisclosing the records
once the patient revokes consent in
writing. Handling revoked
authorizations is not a new process for
covered entities and they should
therefore be capable of handling
revoked consents in the same manner.
Comment
An academic medical center
expressed concern about scenarios in
which the part 2 program relied on the
original consent for a specific use or
disclosure, but such use or disclosure
may need to occur after such revocation
has occurred. Examples include when a
patient signs a consent to permit the
part 2 program to disclose records for
payment purposes, to ensure the
program receives appropriate
reimbursement for its services but then
revokes his or her consent prior to the
part 2 program submitting the bill to the
patient’s payor. According to this
commenter, the NPRM seems to suggest
that the part 2 program would no longer
be permitted to make such a disclosure,
despite the fact that the part 2 program
agreed to treat the patient on the
condition of receiving reimbursement
from the patient’s payor.
Response
If a disclosure cannot practically or
feasibly be stopped after revocation
because it is already in process or due
to technological limitations, this would
constitute such reliance. For example,
such reliance could occur in research or
if the patient is being treated for
co-occurring disorders for which close
consultation among specialists is
paramount. Revocation of consent raises
some of the same issues as withholding
consent and conditioning treatment on
consent for necessary disclosures. Thus,
a program would need to explain to the
patient when it is not feasible to stop or
prevent a disclosure from occurring and
discuss with a patient the consequences
of revoking their consent in some
circumstances. It is reasonable that a
patient who seeks to revoke consent for
disclosure to their health plan would be
expected to make another arrangement
to ensure payment which may include
paying out of pocket for services.
Comment
Some commenters specifically
addressed whether oral revocation of
consent should be permitted and were
nearly even in opposition and support.
The several organizations favoring oral
revocation expressed very strong
support for recognizing this as a valid
expression of patient choice. The
rationales offered by commenters that
did not support the proposed changes
were the following:
• HIPAA requires written revocation.
• The CARES Act requires written
revocation.
• Equating oral revocation with oral
consent because part 2 programs are
most likely to document oral consent in
the part 2 record.
• Concern about how oral revocation
would be documented and
communicated to all entities that
receive part 2 records.
Response
The statute, 42 U.S.C. 290dd–2(b)(C),
states that revocation of a TPO consent
must be in writing. At the same time,
consideration should be given to other
civil rights implicated in this interaction
and the entity’s obligation under the
relevant civil rights laws to provide
assistance as needed to ensure
meaningful access by enabling patients
to effectuate a revocation.
Final Rule
The final rule adopts the proposed
changes to the consent requirements in
paragraph (a) with further modifications
to paragraph (a)(4)(iii) to replace
‘‘HIPAA Privacy Rule’’ with ‘‘HIPAA
regulations’’ and remove part 2 program
from the statement about redisclosure
according to the HIPAA regulations and
to paragraph (a)(5)(iii) to require an
opportunity to opt out of fundraising
communications rather than requiring
patient consent. The final rule adopts
the proposed changes to the existing
paragraph (b) of § 2.31 (Expired,
deficient, or false consent) and
redesignates the content of paragraph (b)
as a new paragraph (c). Additionally,
the final rule adds a new paragraph (b)
to require separate consent for the use
and disclosure of SUD counseling notes,
and a new paragraph (d) to require a
separate consent for use and disclosure
of records in civil, criminal,
administrative, or legislative
proceedings.
Section 2.32—Notice and Copy of
Consent To Accompany Disclosure
Heading of Section
Proposed Rule
The Department proposed to change
the heading of this section from
‘‘Prohibition on re-disclosure’’ to
‘‘Notice to accompany disclosure’’
because § 2.32 is wholly a notice
requirement, while other provisions
(§ 2.12(d)) prohibit recipients of part 2
records from redisclosing the records
without obtaining a separate written
patient consent. To ensure that
recipients of part 2 records comply with
the prohibition at § 2.12(d), § 2.32(a)
requires that part 2 programs attach a
notice whenever part 2 records are
disclosed with patient consent,
notifying the recipient of the prohibition
on redisclosure and of the prohibition
on use of the records in civil, criminal,
administrative, and legislative
proceedings against the patient.
Comments
We received no comments on the
proposed change to the heading of this
section.
Final Rule
The final rule is adopting the
language of the proposed heading with
a further modification to take into
account the new paragraph (b) that we
are adding, as discussed below. The
new heading reads, ‘‘Notice and copy of
consent to accompany disclosure.’’
Expanded Notice of Prohibited Uses and
Disclosures
Proposed Rule
The Department proposed to modify
paragraph (a)(1) of § 2.32 to reflect the
expanded prohibition on use and
disclosure of part 2 records in certain
proceedings against the patient, which
includes testimony that relays
information in a part 2 record and the
use or disclosure of such records or
testimony in civil, criminal,
administrative, and legislative
proceedings, absent consent or a court
order.
In addition, the proposed language of
the notice listed exceptions to the
general rule prohibiting further use or
disclosure of the part 2 records by
recipients of such records, which would
allow covered entities, business
associates, and part 2 programs who
receive part 2 records for TPO based on
a patient’s consent to redisclose the
records as permitted by the HIPAA
Privacy Rule. This exception also would
apply to entities that received part 2
records from a covered entity or
business associate under the HIPAA
Privacy Rule disclosure permissions,
although the legal proceedings
prohibition would still apply to covered
entities and business associates that
receive these part 2 records. The
Department stated that these changes
are necessary to conform § 2.32 with 42
U.S.C. 290dd–2(b)(1)(B), as amended by
section 3221(b) of the CARES Act, and
proposed a statement in paragraph (a)(1)
as follows:
This record which has been disclosed to
you is protected by Federal confidentiality
rules (42 CFR part 2). These rules prohibit
you from using or disclosing this record, or
testimony that describes the information
contained in this record, in any civil,
criminal, administrative, or legislative
proceedings by any Federal, State, or local
authority, against the patient, unless
authorized by the consent of the patient,
except as provided at 42 CFR 2.12(c)(5) or as
authorized by a court in accordance with 42
CFR 2.64 or 2.65. In addition, the Federal
rules prohibit you from making any other use
or disclosure of this record unless at least one
of the following applies:
• Further use or disclosure is expressly
permitted by the written consent of the
individual whose information is being
disclosed in this record or is otherwise
permitted by 42 CFR part 2;
• You are a covered entity or business
associate and have received the record for
treatment, payment, or health care operations
as defined in this part; or
• You have received the record from a
covered entity or business associate as
permitted by 45 CFR part 164, subparts A
and E.
Comment
An individual commenter asserted
that disclosures made by a part 2
program to a covered entity or a
business associate for TPO and
redisclosures made by a covered entity
or business associate in accordance with
the HIPAA regulations should not
require a notice accompanying the
disclosure as set out in § 2.32 of the
proposed revisions.
The commenter stated that under the
CARES Act, with the prior written
consent of the patient, the contents of a
part 2 program record may be used or
disclosed by a covered entity, business
associate, or program for TPO as
permitted by the HIPAA regulations.
Further, once disclosed to a covered
entity or business associate, the CARES
Act provides that the information so
disclosed may be redisclosed in
accordance with the HIPAA regulations.
The requirement of an accompanying
written notice for each disclosure
imposes a hurdle to the electronic
exchange of information through an HIE
and is not required under 42 U.S.C.
290dd–2. The commenter suggested that
the provisions of 42 U.S.C. 290dd–2(c)
operate independently and refer to uses
and disclosures in proceedings rather
than uses and disclosures by covered
entities or business associates. Thus, the
prohibition can be enforced
independently by the patient in the
course of any such proceeding. To the
extent that an accompanying notice is
determined to be necessary, it should be
permissible to reference the provisions
of 42 U.S.C. 290dd–2(c) in contractual
agreements between the program,
covered entities, and business associates
rather than requiring that a notice
accompany each disclosure.
An HIE described its reliance on
contractual requirements in its
agreements with data providers to
ensure that it is notified of any
limitations on its ability to share data
prior to receiving that data. That
practice will continue in response to the
proposed changes contained in the
NPRM. The commenter said that if the
final rule includes a requirement for
part 2 programs to notify data
recipients, that requirement should be
that they notify recipients when data is
not received pursuant to a global
consent for TPO, and that the operating
assumption of parties receiving all
forms of health data should be that it
can be used consistently with the
requirements of HIPAA and any
relevant state laws or express
contractual limitations.
Response
The notice does not establish a
limitation on redisclosure but rather is
intended to align the content of § 2.32
(Notice to accompany disclosure) with
the requirements of 42 U.S.C. 290dd–
2(b), as amended by the CARES Act.
As the Department noted in its 2010
HIE guidance and regulations, this
notice was intended to inform
downstream record recipients of part 2
and restrictions on redisclosure.277 The
notice as we have finalized it in this
rule, like the existing notice, continues
to inform record recipients that the
information they receive may not be
277 83 FR 239, 241; See ‘‘Frequently Asked
Questions: Applying the Substance Abuse
Confidentiality Regulations to Health Information
Exchange (HIE),’’ supra note 150.
used in legal proceedings absent patient
consent or a court order. We believe that
the notice remains applicable to
redisclosures by part 2 programs,
covered entities, and business associates
to operationalize the continuing
prohibition on use and disclosure of
part 2 records in proceedings against the
patient, which applies to redisclosures
by recipients under § 2.12(d).
Also, consistent with 42 U.S.C.
290dd–2 and previous part 2 final rules,
this final rule states in § 2.33 that
‘‘[w]hen disclosed for treatment,
payment, and health care operations
activities [. . .] to a covered entity or
business associate, the recipient may
further use or disclose those records as
permitted by 45 CFR part 164, except for
uses and disclosures for civil, criminal,
administrative, and legislative
proceedings against the patient.’’
Simply citing 42 U.S.C. 290dd–2(c) in
contractual agreements between the
program, covered entities, and business
associates rather than providing a notice
to accompany each disclosure also is
insufficient because this approach
would fail to convey to the recipient of
part 2 records essential information
provided in the Notice to Accompany
Disclosure under § 2.32 as finalized in
this rule. However, business associate or
other contractual agreements may refer
to these provisions. Additionally, part 2
programs do not necessarily have
contractual agreements with every
recipient of records for uses and
disclosures for TPO.
The text of 42 U.S.C. 290dd–2, as
amended by the CARES Act, continues
to emphasize limitations on use of part
2 records in civil, criminal,
administrative, and legislative
proceedings absent patient consent or a
court order. Consistent with the statute
and congressional intent reflected in the
CARES Act, limitations on sharing
information in proceedings within part
2 as finalized also remain distinct and
more restrictive than analogous
provisions within the HIPAA Privacy
Rule.278
Comment
A commenter opined that the notice
prohibiting redisclosure, which
accompanies records disclosed with
patient consent, should clearly identify
whether the records are subject to the
new redisclosure permissions or still
protected by part 2.
278 See U.S. Dep’t of Health and Human Servs.,
‘‘Court Orders and Subpoenas’’ (Nov. 2, 2020),
https://www.hhs.gov/hipaa/for-individuals/courtorders-subpoenas/.
Response
We believe this comment assumes a
false dichotomy—that records are either
subject to redisclosure or protected by
part 2. Records that may be redisclosed
according to the HIPAA standards—
those for which a TPO consent was
obtained—are still protected by the part
2 prohibition on use and disclosure in
proceedings against the patient, absent
consent or a court order under this part.
However, assuming that the commenter
is questioning how the recipient would
identify records that are disclosed under
a single consent for all TPO versus those
that are disclosed under a more limited
consent, we are finalizing an additional
modification in § 2.32(b) to require that
‘‘[e]ach disclosure made with the
patient’s written consent must be
accompanied by a copy of the consent
or a clear explanation of the scope of the
consent provided.’’ We believe this will
provide the information recipients of
records need to understand the
redisclosure permissions that may be
available.
Comment
A few medical professionals’
associations and other commenters said
that retaining the Notice to Accompany
Disclosure requirement means that the
need to identify, segment, and segregate
the data will persist to append the
notice with each disclosure. One
association requested that the
Department exclude covered entities
from this requirement.
Response
We do not believe that the notice
requirement in § 2.32 is what may
prompt segmentation of records or
segregation of part 2 data. The
continuing prohibition in § 2.12(d) on a
recipient’s use or disclosure of records
in legal proceedings must be effectively
operationalized, and it is unclear how
that can be accomplished unless the
recipient is aware that the records are
subject to the prohibition. We believe
this can be accomplished within an
electronic health exchange
environment, and we are finalizing
additional modifications to
§ 2.12(d)(2)(i)(C) to expressly state that
‘‘[a] part 2 program, covered entity, or
business associate that receives records
based on a single consent for all
treatment, payment, and health care
operations is not required to segregate or
segment such records.’’ We believe
health IT vendors are capable of
updating or creating systems that
manage consent, revocation, and other
limitations on disclosure and
redisclosure so long as the users of the
system have current knowledge of the
type of data and the limitations on its
use and disclosure. The final rule
neither requires nor prohibits
segregation of records or segmentation
of data to accomplish these tasks. The
short form of the notice has not changed
and was created for use in an electronic
health information exchange
environment. We further recognize that
the notice is required only for
disclosures made with consent, and
thus the notice would not be required
for redisclosures as permitted by HIPAA
for TPO or other permitted purposes
when the initial disclosure was based
on a TPO consent.
Comment
Some commenters supported
proposed changes in whole or part and
other commenters opposed or expressed
mixed views of proposed changes.
A health care provider supported the
proposed heading clarification, and
further clarification of redisclosure
rights for TPO by covered entities,
business associates and part 2 programs
as allowed by the HIPAA Privacy Rule.
A health insurer supported aligning
notices to accompany disclosures with
the HIPAA Privacy Rule, particularly
adding exceptions for the prohibition on
use or disclosure of part 2 records for
TPO. A few health information
associations supported the Department’s
proposal to include a Notice to
Accompany Disclosure of records to
instruct an organization of their ability
to redisclose this information at the
direction of the patient. A health system
commenter said that it includes a
disclosure statement on all records it
releases. Therefore, it supported a
Notice to Accompany Disclosure of part
2 records. However, the commenter
recommended that the disclosure
statement apply to all disclosures,
including for TPO, stating that this
would minimize time and operational
burden of determining which records
would require the disclosure statement.
Response
We appreciate the comments.
Comment
A health plan and at least a few
associations recommended that the
Notice to Accompany Disclosures be
eliminated. A couple of commenters
stated that retaining the notice to
accompany the disclosure requirement
will ensure that certain protections for
part 2 records continue to ‘‘follow the
record,’’ as compared to HIPAA,
whereby protections are limited to PHI
held by a covered entity or business
associate. A few commenters stated that
this Notice means that the need to
identify, segment, and segregate the data
will persist to append the notice with
each disclosure. And a few commenters
requested that the Department eliminate
this notice to align with HIPAA. At a
minimum, the Department should
excuse covered entity and business
associate recipients of the part 2 records
from the notice requirement, according
to one commenter.
A few HIEs suggested that the § 2.32
notice requirement has been difficult to
implement in electronic systems and
across electronic networks in part
because it requires the part 2 data to be
treated and maintained differently than
the rest of the clinical record. The
commenters also suggested that it may
also be legally impermissible under the
CARES Act amendments, which
mandate that once a patient’s TPO
consent is obtained, the disclosed part
2 record may be redisclosed in
accordance with HIPAA and HIPAA
does not require use of a prohibition on
redisclosure notice.
Continuing to require the notice,
according to these commenters, may
effectively require the continued
downstream identification,
segmentation, and segregation of part 2
records, because segmentation/
segregation will be necessary to
properly apply, transmit, and display
the notice in an electronic environment.
Even though the Department
emphasizes that the Notice to
Accompany Disclosure is not a consent
requirement (that is, it is not necessary
for there to be a valid disclosure), these
commenters believed that it was still a
legal requirement that would carry
stringent penalties under the HIPAA
enforcement structure. Thus, requiring
the notice would perpetuate the same
barriers to SUD data sharing that the
CARES Act amendment’s changes were
intended to eliminate.
Response
We appreciate input from these
commenters, including concerns about
continued segmentation of part 2
records that may result from providing
the required notice. The introductory
sentence of paragraph (a) of § 2.32
applies to each disclosure made with
the patient’s written consent, which
includes the TPO consent finalized in
this rule. We do not intend for this
requirement to impede the integration of
part 2 records with other PHI and have
expressly removed any requirement to
segregate or segment such records in
this final rule at § 2.12(d)(2)(i)(C).
Additionally, we believe the notice
remains necessary to operationalize the
continuing prohibition on redisclosures
for use in civil, criminal, administrative,
and legislative proceedings against the
patient, absent written consent or a
court order under this part. We also
believe that Congress attempted to
balance permitting multiple
redisclosures under a TPO consent for
programs, covered entities, and business
associates who are recipients of part 2
records and retaining the core patient
protection against use of the records in
proceedings against the patient.
Congress could have amended part 2 to
strike entirely the regulatory Notice to
Accompany Disclosure or removed the
consent requirement for disclosures to
programs, covered entities, and business
associates, but it did not do so; instead,
Congress mandated a modified version
of consent. Therefore, we interpret the
existing requirement of a notice that
accompanies each disclosure to apply to
disclosures under a TPO consent in the
same manner as for other disclosures
with consent.
Comment
A commenter asserted that the
proposed Notice to Accompany
Disclosure language might confuse both
patients and part 2 program recipients
because it uses legalese and confusingly
requires provision of the notice while
simultaneously notifying covered entity
and business associate recipients (and
their downstream recipients) that they
are not subject to part 2’s use and
disclosure restrictions. The commenter
stated that proposed § 2.32 was silent
regarding ‘‘intermediaries,’’ which also
seemingly conflicted with the part 2
consent form elements that restrict
redisclosures by covered entities and
business associates that function as
‘‘intermediaries’’ to only named member
participants or participants that have a
‘‘treating provider relationship’’ with
the patient. For these reasons, the
commenter encouraged the Department
to remove the notice requirement under
this section or, at the least, not to
require it for redisclosures made by
covered entities and business associates
(including those that operate as
‘‘intermediaries’’) and their downstream
recipients pursuant to a patient’s TPO
consent.
Response
We appreciate input from these
commenters and agree that the language
of paragraph (a)(1) is more detailed and
involved than paragraph (a)(2) but
provide it as an option for programs that
would find a complete explanation
more useful and that are providing a
paper copy of the notice. Providing the
short form of the notice in paragraph
(a)(2) is permitted. Thus, any program
that prefers to do so may continue to use
the language of the abbreviated notice in
paragraph (a)(2) rather than paragraph
(a)(1). The shorter notice in paragraph
(a)(2) states simply that ‘‘42 CFR part 2
prohibits unauthorized use or disclosure
of these records,’’ and should be readily
understandable to recipients. The longer
notice in paragraph (a)(1) further aligns
with HIPAA. Both notices are consistent
with a 2017 NPRM 279 discussion and
requirements that have been in place
since 2018 280 (for the abbreviated
notice). The requirement added in
paragraph (b) of this section that ‘‘[e]ach
disclosure made with the patient’s
written consent must be accompanied
by a copy of the consent or a clear
explanation of the scope of the consent
provided’’ also should help clarify to
recipients when records are subject to
part 2 because it would indicate that
SUD treatment records are being
disclosed.
We disagree with the commenter’s
interpretation that paragraph (a)(1)
notifies ‘‘covered entity and business
associate recipients (and their
downstream recipients) that they are not
subject to part 2’s use and disclosure
restrictions’’ because paragraph
(a)(1) explicitly prohibits the recipient
from using or disclosing the record in
any civil, criminal, administrative, or
legislative proceedings against the
patient, absent consent or a court order.
With respect to the role of
intermediaries, addressed in §§ 2.11 and
2.24, we have excluded programs,
covered entities, and business associates
from the definition of intermediary in
this final rule. This relieves HIEs that
are business associates from the
requirements for intermediaries;
however, all HIEs that receive part 2
records with consent (whether they are
intermediaries or business associates)
would need to provide the notice to
accompany disclosure when
redisclosing such records with consent.
Comment
Commenters urged OCR and
SAMHSA to engage technology
companies and intermediaries most
likely involved in these types of
disclosures and the accompanying
notices to understand the feasibilities
and technical capacities in current
technology. As the health system moves
away from paper and the transmission
of paper through processes like fax
machines, having the technical
capabilities in place for providers to
move this information with the record is
crucial, the commenter believed.
279 82 FR 5485, 5487.
280 83 FR 239, 240.
Engaging the organizations that govern
this work will give OCR and SAMHSA
a clearer picture of understanding
related to the ability for an
accompanying notice of disclosure to be
included with a part 2 record and
consent form.
Response
We acknowledge the commenter’s
concerns about EHRs and the need to
ensure they have the capabilities
necessary to transmit information about
prohibited uses and disclosures and the
scope of consent on which a disclosure
is based. ONC, OCR, SAMHSA, and
other Federal partners are collaborating
to support EHRs and health IT within
the behavioral health sector.281 We also
may provide additional guidance on this
section after the rule is finalized.
Comment
A commenter said that one concern
they had with including a Notice to
Accompany Disclosure on every patient
record that is being redisclosed is the
ability of EHR systems to ingest that
information. The commenter explained
that a v2x HL7 ADT message (or for that
matter a lab message) does not include
this type of language.282
The commenter suggested that even if
an HL7 message could be created with
the information, it is unclear that
receiving systems are currently able to
populate the field in the ADT message
or will be able to consume the message.
The commenter is not aware of any
designated spot for that type of language
on any interstate event notification
specification. Therefore, if a hospital
wanted to share an admission or
discharge notice for a patient admitted
to a substance use unit, they couldn’t
easily include the language in the
notification. Even if the sending part 2
program could transmit the message, the
downstream receiver may not be able to
receive it.
The commenter suggested that it
would be possible to put a
confidentiality/protection flag on an
ADT message—but not general language
like the notice to accompany disclosure
language.
Response
We have previously noted that EHR
systems are beyond the scope of this
rulemaking. However, the abbreviated
notice in § 2.32(a)(2) is intended to
support use of EHRs, and the
abbreviated notice remains a valid
281 See ‘‘Behavioral Health,’’ supra note 133.
282 Note Health Level 7 is discussed in ONC
guidance at https://www.healthit.gov/topic/
standards-technology/standards/fhir-fact-sheets.
ADT is a reference to admit, discharge, transfer.
option. ONC, SAMHSA, and OCR
continue to work to support EHR
implementation and may provide
guidance on these issues after this rule
is finalized.
Comment
An academic medical center said that
it saw no value in adding the language
regarding redisclosure to part 2 records
and believed that recipients of these
notices were not familiar with part 2
restrictions. The commenter stated that
it is able to affix stamps on records that
are being disclosed but from a practical
perspective does not believe the stamp
is value added. Recipients may not
know what a part 2 program is. The
commenter has other patients
throughout the medical center that are
not being discharged from a part 2
program that also have been or are being
treated for SUD conditions and receive
medications specific to SUDs.
Response
We appreciate the commenter’s
perspective on patients’ and recipients’
lack of understanding about part 2
protections. We hope that the revised
Patient Notice will improve part 2
patients’ understanding of their
confidentiality rights under part 2
which should also enhance their
appreciation for the prohibition on
redisclosure in proceedings against
patients. As explained in this rule, we
continue to believe that the Notice to
Accompany Disclosures under § 2.32
provides important protections to part 2
patients, and the lack of these
protections for other patients is not a
justification for reducing or removing
protections for part 2 patients. As stated
in the 2017 final rule, part 2 does not
apply to health information unrelated to
SUDs, such as patient treatment for
unrelated medical conditions.283
Comment
A SUD provider and a health plan
requested clarification about the
applicability of the notice requirement
to recipients who redisclose records,
including whether the requirement for
the Notice to Accompany Disclosure
applies only to part 2 programs, or
whether it also applies to covered
entities, business associates, and
intermediaries that might receive and
redisclose the patient’s PHI. The
commenters asked, collectively,
whether an HIE, covered entity, and
business associate must attach the
notice on part 2 records being
redisclosed in accordance with the
HIPAA privacy regulations, such as in
paragraph (a)(2): ‘‘42 CFR part 2
prohibits unauthorized use or disclosure
of these records.’’
Response
The existing introductory language of
paragraph (a) applies the notice
requirement to ‘‘[e]ach disclosure made
with the patient’s written consent.’’ 284
The abbreviated notice under paragraph
(a)(2) was primarily intended to support
EHR systems. As the Department
explained in 2018, ‘‘SAMHSA has
adopted an abbreviated notice that is 80
characters long to fit in standard free-text
space within health care electronic
systems.’’ 285 Though the notice under
paragraph (a)(2) has been modified in
this final rule to include the word
‘‘use,’’ it remains largely as adopted in
2018. At that time the Department also
said that it ‘‘encourages part 2 programs
and other lawful holders using the
abbreviated notice to discuss the
requirements with those to whom they
disclose patient identifying
information.’’ 286 An HIE may elect to
use the abbreviated notice under
paragraph (a)(2) or can choose to use
one of the notices permitted under
paragraph (a)(1). Covered entities and
business associates are referenced in
§ 2.32(a)(1).
Comment
An HIE urged the Department to
include language that will resonate with
the patient as opposed to those in the
health care space. The commenter stated
that in the NPRM, the Department
proposed to require the consent form to
notify the patient about how covered
entities and business associate
recipients may use and redisclose
information as permitted by HIPAA.
The commenter expressed concern that
this was problematic for two reasons.
First, this is not an existing requirement
under HIPAA and the objective of the
rule is to align part 2 with HIPAA.
Second, the terms covered entity and
business associate are not terms some
patients may be aware of. To include
this requirement, according to the
commenter, could introduce legalese in
the patient-facing workflow and be
contrary to calls to improve the rule’s
utility for patients. The commenter
asked the Department to use standard
language required under HIPAA that
notifies individuals that not all
recipients are subject to the same laws.
283 82 FR 6052, 6089.
284 52 FR 21796, 21810.
285 83 FR 239, 240.
286 83 FR 239, 240.
Response
We appreciate input from these
commenters and acknowledge the
concerns they express. But we disagree
that the Notice to Accompany
Disclosure will confuse patients. First,
we anticipate that most recipients of
these notices will be health
professionals or staff such as those
working for part 2 programs, covered
entities, and business associates rather
than patients themselves. Second, the
provisions of this rule, including
§§ 2.22, 2.31, and 2.32 are consistent
with the provisions of the HIPAA
Privacy Rule as explained above.
However, even with this rule and
additional alignment with HIPAA
fostered by the CARES Act some part 2
provisions remain distinct from
requirements in HIPAA. Likewise, while
part 2 consent forms under § 2.31 must
include specified required elements for
written consent there is no requirement
these forms use such terms as ‘‘covered
entity’’ or ‘‘business associate.’’ As
noted above, we may provide additional
guidance or template notices or model
forms to help clarify requirements of
this final rule. Finally, the abbreviated
notice in § 2.32(a)(2) is especially brief
and easy to understand, although we
believe the lengthier notice in paragraph
(a)(1) is fairly easy to understand as
well.
Comment
A health plan recommended that the
Department clarify that these
redisclosures do not need to be included
in an accounting of disclosures under
§ 2.25. Requiring a notice to accompany
redisclosures would run counter to the
general exemption of TPO disclosures
under HIPAA’s accounting provisions.
Response
With respect to the right to an
accounting of redisclosures, the
applicability of § 2.25 would depend on
the status of the recipient. For example,
a covered entity or business associate
would be subject to 45 CFR 164.528 for
redisclosures. A part 2 program that
rediscloses records received from
another part 2 program would be subject
to § 2.25 for such redisclosures that fall
within the scope of § 2.25 in the same
manner as for disclosures. The
accounting of disclosures requirements
under § 2.25 do not distinguish between
disclosures and redisclosures, but focus
on whether a disclosure is made with
consent and the purpose of the
disclosure or redisclosure. The § 2.25
requirements are distinct from the
required notices to accompany
disclosures under § 2.32. Therefore, the
accounting of disclosures under § 2.25
would not need to include a separate
and distinct list of redisclosures
accompanied by a notice under § 2.32.
Comment
A commenter recommended that HHS
move proposed item (iv) of the
statement in § 2.32(a)(1) to the main text
of the statement, so that it does not
appear to be one of the exceptions
following items (i), (ii), and (iii) of the
statement. The commenter also
suggested revised language for these
provisions.
Response
We retain in the statement in
§ 2.32(a)(1) the following notification:
‘‘[a] general authorization for the release
of medical or other information is NOT
sufficient to meet the required elements
of written consent to further use or
redisclose the record (see 42 CFR 2.31).’’
We have moved this information to the
main text which is consistent with the
commenter’s suggestion.
Comment
An advocacy group opined that
proposed changes to this section will
cause confusion. The commenter said
that at this time all recipients of records
are subject to the same redisclosure
prohibition: they may only use or
disclose the records with patient
consent, pursuant to a court order, or
subject to one of the other limited
exceptions in part 2 that apply to lawful
holders. However, according to this
commenter, this rulemaking introduces
a new standard for some recipients who
receive records pursuant to a TPO
consent: these recipients may redisclose
records pursuant to the HIPAA Privacy
Rule, except if the records will be used
against the patient in a legal proceeding.
A recipient of part 2 records, however,
will have no way of knowing which
redisclosure standard applies to the
records they receive: the standard part
2 redisclosure prohibition, described in
proposed item (i) in the statement in
§ 2.32(a)(1), or redisclosures as
permitted by the HIPAA Privacy Rule
except for legal proceedings against the
patient, described in proposed item (ii)
in the statement in § 2.32(a)(1).
Response
We appreciate the comment and agree
that with the additional changes to
consent in §§ 2.31 and 2.33, the Notice
to Accompany Disclosure is insufficient
to provide needed information to the
recipient about the scope of consent that
pertains to the disclosed records. To
address this issue, we are also finalizing
a new provision in paragraph (b) of this
section to require each disclosure made
with the patient’s written consent to be
accompanied by a copy of the consent
or a clear explanation of the scope of the
consent provided, as discussed below.
Comment
A medical professionals association
said that we should require part 2
programs to give health care providers
adequate written notice well in advance
of sharing any part 2 record, clearly
explaining that such records are subject
to additional Federal confidentiality
regulations and include clear guidance
for non-part 2 providers to understand
their obligations and options concerning
such records once received.
Response
We believe that § 2.32(a) as finalized
clearly notifies the recipient of
redisclosed records whether the records
are subject to part 2. The new
requirement in paragraph (b) of this
section, discussed below, will provide
additional information to recipients
about the scope of the consent that
applies.
Final Rule
The final rule adopts the proposed
language of § 2.32(a) without further
substantive modification, and finalizes
proposed item (i) of the statement in
§ 2.32(a)(1) as part of the statement in
§ 2.32(a)(1).
Copy of Consent To Accompany
Disclosure
Request for Comment
Although we did not propose
requirements for consent management,
we requested comment throughout the
NPRM on how proposed changes to
consent, revocation, and requests for
restrictions could be implemented, the
experience of entities that have already
operationalized aspects of the proposed
changes, potential unforeseen negative
consequences from new or changed
requirements, and data relating to any of
these.
Overview of Comments
We received many comments
addressing cross-cutting issues
involving data segmentation and
segregation of records, use of HIEs for
exchange of ePHI and part 2 records,
how to track consent and consent
revocation, and how to operationalize
patients’ requests for restrictions on
disclosures for TPO. We have responded
to these comments throughout the
preamble to the final rule in relation to
applicable regulatory provisions, and
here we respond to comments that
pertain to tracking consent (which is
required in §§ 2.31 and 2.33), both
global (i.e., TPO consent) and granular
(for a specific use and disclosure). Of
the commenters that addressed whether
the rule should require a copy of
consent to be attached with each
disclosure of records, a majority
opposed such a requirement, several
supported it, and a few responded with
other viewpoints. A mix of professional
associations, SUD providers, and
advocacy organizations provided views
on both sides of the question; however,
all health plans, health IT vendors, and
HIE/HIN organizations that weighed in
opposed the idea and all government
entities that voiced an opinion
supported providing a copy of the
consent.
Response
Comment
Comment
A medical professionals association
urged the Department to ensure that,
going forward, patient information will
be tagged and limited to the purpose of
TPO. The agencies can incentivize
compliance with these goals through
enforcement actions and penalties for
noncompliance. The commenter
believes that technology can assist
physicians with increasing the flow of
information while maintaining privacy
and a patient’s consent. To do so,
information should be tagged to identify
where the information originated, for
what purposes it can be disclosed, and
to whom. Another medical
professionals’ association asked the
Department to facilitate collaboration
with ONC and health IT vendors to
develop technical standards and feasible
certification criteria to identify, tag,
segregate, and remove specific data
based on type of care, provider, and
patient consent. The commenter also
stated that HHS should provide
incentives and support to clinicians,
practices, and EHR vendors—
particularly those designed for specialty
settings or small practices—in designing
and adopting health IT that meets these
objectives. A provider health system
believed that even if HIPAA and part 2
records are treated as PHI for most of the
situations, there will still be the need to
identify part 2 records due to any
directed restrictions and the legal
proceedings prohibition. This could
become further complicated as part 2
records and PHI are intermingled. While
the provider health system supported
alignment of HIPAA and part 2, it
requested the Department provide
guidance about how records will be
denoted and differentiated to ensure
compliance.
A trade association suggested that
HHS is maintaining separate underlying
regulatory structures for SUD patient
records and all other patient data,
meaning EHR vendors will need to
distinguish between the two types of
records. Some SUD patients may not
provide consent or revoke their consent
throughout the course of their treatment,
meaning their record will need to be
flagged differently. This is a significant
health IT challenge that is not addressed
in the NPRM. The commenter stated
that HHS should ensure that there is
ample time and resources for health IT
vendors to update their capabilities and
adapt to the evolving operational needs
of health care providers.
An academic medical center
suggested that information about the
scope of consent be included in the
notice that is required to accompany
disclosures of part 2 records and that
this would be the simplest way to
communicate the patient’s intent and
have that intent stay with the actual
records downstream.
A health IT vendor recommended that
the Department explore further how
revocation becomes known, and if it
means that the HIE must directly record
the status of a revocation (and how this
is done) or if the HIE relies on some
kind of ‘‘polling’’ of the part 2 program
to ascertain if a valid consent remains
effective by interrogating the part 2
program electronically for whether a
valid consent exists or if an applicable
consent has been revoked. In the end, a
revocation needs to not only limit future
disclosures but also limit disclosures of
any part 2 records an HIE already may
possess should they store patient
records.
We appreciate input from these
commenters, including suggestions to
tag or segregate part 2 records. We
acknowledge concerns about data
segmentation and address it further in
the discussion of § 2.12. The continuing
prohibition in § 2.12(d) on a recipient’s
use or disclosure of records in legal
proceedings must be effectively
operationalized, and it is unclear how
that can be accomplished unless the
recipient is aware that the records are
subject to the prohibition. Although the
Department may provide further
guidance in relation to data
segmentation, tagging, or tracking, we
are not requiring specific technology or
software solutions.
Among others, a health IT vendor, a
health care provider, and a health
insurer believed that part 2 programs
should not be required to provide a
copy of the written patient consent
when disclosing records. They believe
the notice to accompany disclosures
already required under § 2.32 is
sufficient to alert the recipient of
potential restrictions regarding
redisclosure and the requirement would
not align with disclosures for TPO
under HIPAA. A health insurer
suggested that allowing a part 2 program
to retain the consent for future auditing
and use or disclosure needs is sufficient
and also helps to share only the
minimum necessary PHI. If the
Department were to also require
provision of the written consent
authorizing the disclosure, it would
place an unnecessary administrative
burden on both the part 2 program and
the recipient of records. Even more
problematic, such a requirement would
create a corresponding duty for the
recipient of records to evaluate the legal
sufficiency of the consent related to the
part 2 program’s disclosure. The
recipient of records should not be
placed in the position of identifying and
correcting errors in a part 2 program’s
disclosure, or assuming any potential
downstream liabilities that may result.
An insurance association supported
the use of electronic processes
whenever feasible. In addition, to
reduce the burden on part 2 programs
and to ensure that HIPAA entities can
act promptly on part 2 data, the
association asked that the Department
clarify in final regulations that HIPAA
entities that receive part 2 data may
accept that the data was disclosed
pursuant to a TPO consent unless
otherwise notified in writing. This is
particularly important in industries
such as pharmacy benefits management,
where data is transmitted in huge
volumes in real time, and there is no
consistent mechanism currently
available to ‘‘flag’’ certain records as
containing part 2 data, nor explain the
legal basis on which the data were
disclosed.
Response
We acknowledge commenter concerns
about how to manage consent and any
limitations on consent within EHRs and
through HIEs and the disadvantages of
segmenting data and segregating
records. Although we are finalizing a
modification to § 2.12 to expressly state
that ‘‘[a] program, covered entity, or
business associate that receives records
based on a single consent for all
treatment, payment, and health care
operations is not required to segregate or
segment such records[,]’’ some means to
ensure that records are used and
disclosed according to the scope of the
consent will be needed. Thus, we look
to the consent provided by the patient
and the existing requirement to attach a
Notice to Accompany Disclosure as
solutions and are adding a new
requirement in § 2.32(b) to require that
a copy of the consent be attached to
each disclosure for which consent is
required. The attached consent may be
combined with the required Notice to
Accompany Disclosure in § 2.32(a). This
will significantly reduce any
administrative burdens associated with
the new requirement.
We are finalizing a new requirement
in this section to require that each
disclosure made with the patient’s
written consent must be accompanied
by a copy of the consent or a clear
explanation of the scope of the consent
provided. We believe that by putting in
regulatory text that the consent must
accompany the disclosure or provide a
clear description of the scope of the
consent, the recipient will be able to
accurately use and disclose the part 2
records as the patient intended.
Additionally, where feasible, part 2
programs should convey to recipients
when a consent has been revoked to
ensure that only consented information
is exchanged. Combining a copy of the
consent with the required Notice to
Accompany Disclosures in § 2.32 is one
way this requirement may be
implemented, though it is not the only
potential approach to tracking consent,
redisclosure and revocation of consent.
Both paragraphs (a) and (b) of this
section address concerns about ensuring
recipients of records understand
whether or not the records are subject to
part 2.
We acknowledge that there are
technical challenges associated with
complying concurrently with HIPAA
and part 2 and that time and resources
are needed to update technical and
procedural capabilities. The
recommendation for recipients to
assume TPO consent has been provided
unless otherwise notified in writing
does not address how recipients other
than programs, covered entities, and
business associates would learn about
this assumption. Nor does this
recommendation address how a
program (i.e., a discloser) would know
in advance whether a recipient is a
program, covered entity, or business
associate to whom the TPO consent
assumption applies. We evaluated this
recommendation, but are concerned that
the negative requirement (e.g., not to
provide consent unless it is other than
for TPO) places undue burden on the
disclosing program to decide when and
when not to attach a copy of the
consent.
We believe the concern that receipt of
notice may transfer liability for
improper disclosures from the part 2
program to the recipient is misplaced.
However, the recipient incurs an
obligation for complying with part 2
requirements that apply to them,
namely, the prohibition on use or
disclosure of the records for use in
proceedings against the patient, absent
consent or a court order under this part.
Comment
Regarding intermediaries and tracking
consent, an HIE association suggested
that part 2 providers may need to
include in the consent form a place for
patients to indicate whether they
provide consent for disclosure to the
intermediary. For additional
information on how an intermediary
would accept or track patient consent
for data redisclosure, the commenter
recommended OCR and SAMHSA
consult nationwide HINs, as well as
ONC, to understand how current state
HINs and the TEFCA could impact this
landscape.
Response
We appreciate the comment and the
reference to TEFCA. As discussed above
in relation to § 2.31 (Consent
requirements), a consent to disclose
records via an intermediary must
contain a general designation as well as
additional information about the
recipient(s). Thus, we believe the final
rule provides for the consent form to
have space for an intermediary to be
named as the commenter suggests. We
note, however, that we are excluding
business associates from the final rule
definition of ‘‘intermediary,’’ thus HIE
business associates will not be subject to
the intermediary consent requirements.
Instead, HIEs that are business
associates will fall within the
requirements for a general designation
for the TPO consent which does not
require specifically consenting to use of
an HIE. We received many informative
public comments from HIEs/HINs with
respect to consent (and revocation)
management and will continue to
consult with our partner agencies
within the Department. OCR, SAMHSA,
and others are collaborating to support
participation by behavioral health
entities in health IT and EHRs,
including TEFCA.
Final Rule
This final rule adopts further
modifications in § 2.32 by adding a new
paragraph (b) providing that each
disclosure made with the patient’s
written consent must be accompanied
by a copy of the consent or a clear
explanation of the scope of the consent
provided.
Section 2.33—Uses and Disclosures
Permitted With Written Consent
Proposed Rule
Section 2.33 currently permits part 2
programs to disclose records in
accordance with written patient consent
in paragraph (a) and permits lawful
holders, upon receipt of the records
based on consent for payment or health
care operations purposes, to redisclose
such records to contractors and
subcontractors for certain activities,
such as those provided as examples in
paragraph (b). The Department proposed
substantial changes to paragraph (b) to
apply the new consent structure in
§ 2.31 for a single consent for all TPO
by: applying HIPAA standards for uses
and initial disclosures for TPO, creating
two new categories of redisclosure
permissions, and revising the existing
redisclosure permission. This would
align § 2.33 with the statutory authority
in 42 U.S.C. 290dd–2(b)(1), as amended
by section 3221(b) of the CARES Act.
The first change would permit part 2
programs, covered entities, and business
associates that have obtained a TPO
consent to use and disclose a part 2
record for TPO as allowed by HIPAA.
With respect to redisclosures, proposed
(b)(1) would permit part 2 programs,
covered entities, and business associates
that have received a part 2 record with
consent for TPO to redisclose the
records as permitted by the HIPAA
Privacy Rule, except for proceedings
against a patient which require written
consent or a court order. The second
category, in proposed paragraph (b)(2),
would permit part 2 programs that are
not covered entities or business
associates that have received a part 2
record with consent for TPO to further
use or disclose the records as permitted
by the consent. The third category, in
proposed paragraph (b)(3), would apply
to lawful holders that are not business
associates, covered entities, or part 2
programs and have received part 2
records with written consent for
payment and health care operations
purposes. This provision would permit
the recipient to redisclose the records
for uses and disclosures to its
contractors, subcontractors, and legal
representatives to carry out the intended
purpose, also subject to the limitations
of proposed subpart E of part 2
pertaining to legal proceedings. A
lawful holder under this provision
would not be permitted to redisclose
part 2 records it receives for treatment
purposes before obtaining an additional
written consent from the patient.
Paragraph (c) proposed to require
lawful holders that are not covered
entities or business associates and that
receive records based on written
consent to have contracts in place if
they wish to redisclose the records to
contractors and subcontractors. The
Department proposed to exclude
covered entities and business associates
from the requirements of paragraph (c)
because they are already subject to the
HIPAA Privacy Rule requirements for
business associate agreements.
Overview of Comments
Most commenters on the single
consent for all future TPO supported the
proposal, and all but one of the
supportive commenters represented
organizations. Supportive organizations
included several professional
associations, health systems, and state
or local governments. A few SUD
providers also supported the proposal.
The views expressed by these
commenters in support of the proposal
included the following:
(a) reducing stigma of persons with
SUD by integrating SUD treatment and
SUD treatment records, respectively,
with general health care and PHI;
(b) reducing burdens on the health
care system by aligning part 2
requirements more closely with the
HIPAA regulations; and
(c) improving care coordination,
continuity of care, and patient safety as
a result of greater access to complete
information to treat patients
comprehensively and obtain services to
support their recovery.
As an example, a commenter asserted
that the proposal may make it easier for
the state Medicaid agency to gain input
about barriers for patients receiving
SUD services such as co-occurring
medical or behavioral conditions, or to
address social determinants of health
that impede treatment or recovery. An
association of state hospitals and health
systems illustrated what it views as the
need for an aligned consent process,
citing what it regards as differing
regulatory requirements that may ‘‘cause
confusion, and even fear, among treating
providers, at times leading them to
withhold information that may be
shared.’’
Response
We appreciate the comments about
the proposed changes to implement the
statutory requirements for uses and
disclosures with a single consent for all
future TPO and permitted redisclosures
by certain recipients. The rationales
offered in support—reducing stigma,
integrating and coordinating behavioral
health care, and reducing health care
entities’ burdens—are key aims of this
final rule.
Comment
Commenters favoring the proposal
also appreciated the reduction in the
number of consents needed for uses and
disclosures of part 2 records as well as
the reduction in consents required for
redisclosures of records. A health plan
remarked that ‘‘requiring multiple
consents . . . adds confusion and
distrust to an already underserved
population,’’ and further stated that ‘‘[a]
single consent will give stakeholders a
single reference point to review the
patient’s permissions and any relevant
requested restrictions.’’
Response
We agree that the changes to allow a
single consent for all future TPO will
reduce the number of consents that part
2 programs will need to obtain from
patients as well as the number of
consents that recipients will need to
obtain for redisclosures of part 2
records. We have estimated the amount
of that reduction and describe it more
fully in the costs-benefits analysis in the
RIA for this final rule.
Comment
A health system pointed out that
people suffering from untreated SUD are
among the highest utilizers of health
care services and asserted the
importance of reducing barriers to
integrated care. The commenter stated
its belief that the existing part 2
regulation was written before the
current models of care and related best
practices were established and that it
now is a barrier to coordinated care for
patients with SUD.
Response
We appreciate this feedback and
recognize the importance of integrated
health records for providing integrated
and coordinated health care, including
for treatment of SUD in a whole person
context. This perspective underpins one
of the key purposes of section 3221 of
the CARES Act that is being
implemented in this final rule.
Comment
Several commenters who supported
the TPO consent and redisclosure
proposal thought that it did not go far
enough to align with the HIPAA Privacy
Rule and urged the Department to allow
for Patient Notice to replace consent for
TPO disclosures of part 2 records.
Response
The CARES Act amendments to 42
U.S.C. 290dd–2 did not remove the
written consent requirement for
disclosure of part 2 records. Thus, the
Department lacks authority to replace a
patient’s written consent with Patient
Notice. We anticipate that patient
consent will remain as a foundation for
protection of part 2 records.
Comment
The commenters that opposed the
proposals for a single TPO consent and
redisclosure as allowed by HIPAA
presented a largely unified set of views
developed by a core group of
organizations representing addiction
treatment professionals, advocacy and
policy organizations, and SUD
providers. These commenters strongly
believed that the current requirement of
consent for each disclosure and
segregation of part 2 records offers
patients the needed confidence to enter
and remain in treatment and develop
the necessary therapeutic trust to share
details of their lives and struggles with
SUD. The commenters acknowledged
that discrimination is often perpetuated
by those outside of the health care
system as a result of the criminalization
of the use of certain substances and they
oppose finalizing the loosened consent
provisions until the Department issues
the statutorily required
antidiscrimination protections. These
commenters strongly supported
regulatory requirements to ensure
patients’ trust in the SUD treatment and
the health care system. Several other
commenters agreed with this set of core
comments.
Response
We appreciate these comments and
the concerns expressed for access to
SUD treatment, patient trust in the
relationship with treatment providers,
patients’ privacy expectations, the
societal harms of discrimination against
patients with SUD, and the
Department’s obligations to fully
implement section 3221 of the CARES
Act. We believe that the changes
finalized to § 2.33 herein are necessary
and reasonable as a means to implement
42 U.S.C. 290dd–2(b), as amended by
the CARES Act.
Comment
Several commenters addressed
whether recipients of records based on
a TPO consent (part 2 programs, covered
entities, and business associates) should
be able to redisclose the part 2 information
for any purposes permitted by HIPAA or
only for TPO purposes. And some of
these asserted or recommended that the
rule should permit redisclosures as
permitted by the HIPAA Privacy Rule
(not limited to TPO). A few medical
professional associations recommended
that redisclosures by recipients under a
TPO consent should only be permitted
for TPO purposes. This would maintain
patient privacy and be consistent with
the consent provided. One association
suggested this could be accomplished
by tagging data associated with the TPO
consent. Another suggested that limiting
redisclosure to TPO would permit PHI
to be integrated into part 2 records
systems, thus partially furthering the
goal of integrating health information.
Response
The changes to consent finalized in
this rule are based on 42 U.S.C. 290dd–
2, as amended by the CARES Act. With
respect to redisclosures by recipients
under a TPO consent, paragraph
(b)(1)(B) of the statute states that once
records are used and disclosed for TPO
they may be further disclosed in
accordance with the HIPAA regulations.
The clear terms of the statute apply the
initial use and disclosure permission to
a part 2 program, covered entity, or
business associate for TPO as permitted
by the HIPAA regulations, and then
allow disclosed records to be more
broadly redisclosed provided that it is
according to the HIPAA regulations. We
interpret the broader HIPAA
redisclosure permission to apply only to
the recipient. Thus, a part 2 program
that obtains a TPO consent is limited to
using or disclosing the record for TPO
purposes—it cannot obtain a TPO
consent and ‘‘disclose’’ the records to
itself to trigger the permission to
redisclose according to the HIPAA
regulations and avoid overall
compliance with part 2. We believe that
a disclosure implies a recipient other
than the entity making the disclosure
and the only recipients authorized by
the statute to redisclose records
according to the HIPAA regulations are
those that are otherwise subject to
HIPAA, which are covered entities
(including those that are also part 2
programs), and business associates. The
redisclosure permission refers to ‘‘in
accordance with HIPAA,’’ and we
believe that part 2 programs that are not
subject to HIPAA would not be qualified
to make such redisclosures in that
manner. Such part 2 programs are not
subject to the same obligations as
covered entities, such as adopting
written policies and procedures for
handling PHI, training members of the
workforce on their policies and
procedures, and adhering to the HIPAA
Security Rule requirements for
safeguarding electronic PHI.
The prohibition on using and
disclosing records in civil, criminal,
administrative, and legislative
proceedings against a patient remains
effective once records are disclosed and
this raises the issue for recipients of
potentially tracking, tagging, or
otherwise identifying the part 2 data
that must be protected from such uses
and disclosures absent written consent
or a court order under subpart E of part
2.
The last sentence of paragraph
(b)(1)(B) of the statute provides that the
patient’s right to request restrictions on
uses and disclosures for TPO applies to
all disclosures under paragraph (b)(1),
which includes redisclosures by
recipients of records. Thus, a recipient
entity that complies with a patient’s
request for restrictions on disclosures
for TPO is acting in accordance with the
HIPAA regulations. We believe that
Congress intended to emphasize the
availability of patient-requested
restrictions by the placement of this
right in the part 2 statute with the
redisclosure permission and including it
in both the Rules of Construction and
the Sense of Congress in section 3221 of
the CARES Act.
Final Rule
The final rule adopts the proposed
changes to the header and to paragraph
(c) of § 2.33 without modification. For
clarity, the final rule further modifies
paragraph (a) by adding ‘‘use and’’
before ‘‘disclosure’’ and by
redesignating the content of the
paragraph as paragraph (a)(1) and
adding a new paragraph (a)(2) that
provides, ‘‘[w]hen the consent provided
is a single consent for all future uses
and disclosures for treatment, payment,
and health care operations, a part 2
program, covered entity, or business
associate may use and disclose those
records for treatment, payment, and
health care operations as permitted by
the HIPAA regulations, until such time
as the patient revokes such consent in
writing.’’ This new provision clarifies
the regulatory permission for use and
disclosure for TPO that previously was
only implied by a general reference to
the consent requirements in § 2.31, and
it more explicitly states what the statute
provides relating to reliance on the
HIPAA standards. As a result of this
change, part 2 programs will be able to
rely on the HIPAA regulations when
using or disclosing part 2 records for
TPO in many instances, and covered
entities and business associates will not
need to silo part 2 records once a TPO
consent has been obtained.
This rule also finalizes proposed
paragraph (b)(1) with modifications to
more closely align with the statutory
language by changing ‘‘further use and
disclose’’ to ‘‘further disclose’’ and
replacing ‘‘as permitted by 45 CFR part
164’’ with ‘‘in accordance with the
HIPAA regulations.’’ For clarity, the
final rule also removes ‘‘a program’’
from paragraph (b)(1) because part 2
programs that are not covered entities or
business associates are separately
addressed in paragraph (b)(2). The rule
finalizes proposed paragraph (b)(2) with
the further modification of changing
‘‘further use and disclose’’ to ‘‘further
disclose’’ as in paragraph (b)(1). The
rule finalizes proposed paragraph (b)(3)
with the further modification of
removing the exclusion of ‘‘part 2
program.’’ This has the effect of
applying the existing requirements of
paragraph (b)(3) to a part 2 program
when it is a lawful holder (i.e., a
recipient of part 2 records) and ensures
that redisclosure in accordance with
HIPAA is limited to covered entities and
business associates. We clarify here that
paragraph (b)(3) applies in situations
where the written consent is only for
payment and/or health care operations
and does not include treatment.
Section 2.34—Uses and Disclosures To
Prevent Multiple Enrollments
Comment
While not proposed in the NPRM, an
individual stated that central registries
have not been classified as a QSO or a
business associate and therefore, there
are no safeguards protecting the
information exchanged between central
registries and non-member treating
providers under § 2.34(d). The
commenter further stated that the
patient consents to the use or disclosure
of their SUD information to the central
registry but not to a non-member
treating prescriber.
Response
We appreciate the suggestion to
classify central registries as a QSO or a
business associate; however, that
suggestion is outside the scope of the
current rulemaking.
Final Rule
The final rule adopts the proposed
addition of the language in § 2.34(b) of
‘‘use of information in records’’ instead
of just ‘‘use of information’’ in this
section to make clear that this provision
relates to part 2 records. The final rule
also adopts the proposed replacement of
the phrase ‘‘re-disclose or use’’ with ‘‘use
or redisclose’’ as it relates to preventing
a registry from using or redisclosing part
2 records, to align the language of this
provision with the HIPAA Privacy Rule.
A provider health system supported the
alignment of ‘‘use or redisclose’’ and
there were no other comments on these
proposals.
Section 2.35—Disclosures to Elements
of the Criminal Justice System Which
Have Referred Patients
Proposed Rule
Section 2.35 outlines conditions for
disclosures back to persons within the
criminal justice system who have
referred patients to a part 2 program for
SUD diagnosis or treatment as a
condition of the patients’ confinement
or parole. The Department proposed to
clarify that the permitted disclosures
would be of information from the part
2 record and to replace the term
‘‘individual’’ within the criminal justice
system with ‘‘persons’’ consistent with
similar changes throughout this rule.
The Department also proposed to add
the phrase ‘‘from a record’’ after the
term ‘‘information’’ to make clear that
this section regulates ‘‘records.’’ In
addition to requesting comment on the
proposed wording changes, the
Department invited comments on
whether the alternative term
‘‘personnel’’ would more accurately
cover the circumstances under which
referrals under § 2.35 are made.
Comment
One individual commenter asserted
that the alternative term ‘‘personnel’’
was too broad in this context and would
create circumstances that could
compromise patient confidentiality.
This individual also commented that
replacing the term ‘‘individual’’ with
the term ‘‘person’’ would be more
acceptable. Another commenter, a
provider health system, expressed
support for the term change from
‘‘individual’’ to ‘‘person’’ and stated that
the term ‘‘person’’ is preferable to
‘‘personnel’’ since the term ‘‘personnel’’
may inadvertently imply employment
status while the term ‘‘persons’’ would
accurately reflect referrals from the
criminal justice system regardless of
status as an employee, independent
contractor or other individual on behalf
of the criminal justice system.
Response
We agree with these commenters for
the reasons discussed in the NPRM.
Comment
Several advocacy organizations and a
health IT vendor commented that the
Department’s proposed changes
unnecessarily limit diversion to court
based programs. These commenters
recommended certain changes to the
proposal that, in their opinion, would
include pre-arrest diversion as well as
other types of law enforcement
deflection to avoid the court system and
direct the patient into treatment and
services. In § 2.35(a), these commenters
recommended changing ‘‘A part 2
program may disclose information from
a record about a patient to those persons
within the criminal justice system who
have made participation in the part 2
program a condition of the disposition
of any criminal proceedings against the
patient or of the patient’s parole or other
release from custody if . . .’’ to ‘‘A part
2 program may disclose information
from a record about a patient to those
persons within the criminal justice
system who have made participation in
the part 2 program a condition of the
filing, prosecution, or disposition of any
criminal proceedings against the patient
or of the patient’s parole or other release
from custody if . . .’’ (emphasis added).
For § 2.35(a)(1), these commenters
recommended changing ‘‘(e.g., a
prosecuting attorney who is
withholding charges against the patient,
a court granting pretrial or post-trial
release, probation or parole officers
responsible for supervision of the
patient)’’ to ‘‘(e.g., a police officer or a
prosecuting attorney who is
withholding charges against the patient,
a court granting pretrial or post-trial
release, probation or parole officers
responsible for supervision of the
patient)’’ (emphasis added).
Response
We appreciate the detailed
recommendations for regulatory text in
these comments. We also acknowledge
the important social policy raised, to
promote treatment over referral to
courts. However, we believe the consent
process is sufficient for the operation of
diversion and deflection initiatives,
without a need for the Department to
loosen confidentiality restrictions,
because it allows patients to consent to
the release of part 2 records for such
initiatives if they wish to do so.
Final Rule
The Department adopts the proposed
changes without modification.
Subpart D—Uses and Disclosures
Without Patient Consent 287
Section 2.51—Medical Emergencies
Proposed Rule
In § 2.51(c)(2) the Department
proposed for clarity replacing the term
‘‘individual’’ with ‘‘person’’ such that
this now requires a part 2 program to
document the name of the person
making the disclosure in response to a
medical emergency.
287 As described below, the Department adopts
the proposal to add ‘‘Uses and’’ to this heading to
more accurately reflect the scope of activities
regulated in this subpart.
Comment
An advocacy group recommended
that the proposed change to § 2.51
(Medical emergencies), be withdrawn.
The commenter suggested that as part of
its efforts throughout the rulemaking to
standardize regulatory language, HHS
proposed to replace the word
‘‘individual’’ with the word ‘‘person’’ in
the documentation requirements. HHS
proposed to define ‘‘person’’ by
reference to the HIPAA Privacy Rule as
a ‘‘natural person, trust or estate,
partnership, corporation, professional
association or corporation, or other
entity, public or private.’’ The
commenter said that in its view even
though the Department states this
change will promote clarity it will
actually result in less clarity for
patients, who may no longer be able to
tell who disclosed their part 2-protected
information to 911 and medical
personnel. The patient already knows
that the part 2 program was the
‘‘person’’ making a disclosure of part 2
records during a medical emergency.
For this reason, it is the identity of the
individual making the disclosure that is
important to document. In general, the
organization supported the efforts
throughout the rulemaking to streamline
language by replacing the phrase
‘‘individual or entity’’ with the word
‘‘person,’’ but in this instance the
change will diminish patients’ rights
and transparency with no clear benefit
to impacted patients.
Response
We discuss our changes to definitions,
including the term ‘‘person’’ in § 2.11.
Commenters generally supported this
proposed change as providing clarity
and helping to align with HIPAA.
However, we acknowledge that in this
instance replacing the term
‘‘individual’’ with the term ‘‘person’’
could result in less transparency about
who disclosed the patient’s record
during an emergency; however, under
the wording change a part 2 program is
not prevented from identifying the
individual who disclosed the part 2
information. Further, there may be
instances or treatment settings where
documenting only the name of the
disclosing entity, rather than the
individual, is needed to protect the
safety of program staff.
Comment
A few health information associations
supported the ability for providers,
under certain circumstances such as
medical emergencies, to access, use, and
disclose patient part 2 data when
necessary. It is important for providers
to have access to all points of decisionmaking in a medical emergency to
ensure patients are protected physically
both in the short and the long term. A
health care provider and medical
professionals’ association also
supported the proposed changes in this
section.
Response
We appreciate the comments on our
changes in this section of the rule.
Comment
Another commenter asserted that a
workflow obstacle occurs when patients
previously treated in their part 2
program present to the emergency
department for care. The emergency
department personnel are blinded from
accessing care notes which can be
relevant to the emergency event. In
addition, the current part 2
requirements complicate this
commenter’s ability to meet
interoperability requirements included
in the CARES Act. Under current
regulations, the commenter has not
released part 2 patient records, as they
view the EHR as an all or nothing
proposition; and consenting is unique to
the patient.
Response
We acknowledge the commenter’s
concerns about lack of access to needed
information by treating providers. As
the Department stated in the 2020 final
rule ‘‘[a]lthough not a defined term
under part 2, a ‘bona fide medical
emergency’ most often refers to the
situation in which an individual
requires urgent clinical care to treat an
immediately life-threatening condition
(including, but not limited to, heart
attack, stroke, overdose), and in which
it is infeasible to seek the individual’s
consent to release of relevant, sensitive
SUD records prior to administering
potentially life-saving care.’’ 288 In the
2017 final rule, the Department stated
that ‘‘[w]ith regard to the request that a
‘medical emergency’ be determined by
the treating provider, SAMHSA clarifies
that any health care provider who is
treating the patient for a medical
emergency can make that
determination.’’ 289 While workflow
barriers may exist in particular
institutions or situations during medical
emergencies, patient identifying
information may be disclosed to
medical personnel to meet the bona fide
medical emergency and support patient
treatment.290
288 85 FR 42986, 43018.
289 82 FR 6052, 6095.
290 85 FR 42986, 43018; 82 FR 6052.
Comment
A medical professionals association
opined that the proposed rule does not
make any changes to the current part 2
exemption for medical emergencies,
which states that SUD treatment records
can be disclosed without patient
consent in a ‘‘bona fide medical
emergency.’’ However, the commenter
stated that there are both real and
perceived barriers to providing
emergency care and coordinating
appropriate transitions of care for
patients with SUD. For example,
patients with SUD can have separate
charts that are not visible to physical
health clinicians in the EHR that could
influence the acute care provided or in
some instances even the existence of
those behavioral health charts. When
information is requested related to
emergency treatment, there is often
confusion about what type of
information can be shared without
violating part 2 requirements. Thus, in
practice, when there is any amount of
uncertainty, part 2 providers and
physical health providers trying to
provide and coordinate care that falls
under part 2 revert to the most
restrictive access possible even if not
indicated at that time. The commenter
provided another potential concern
related to methadone dosing. Unless
patients disclose that they are taking
methadone or it is indicated in prior
notes in the physical health EHR, a
treating emergency physician would
have no way of knowing that the patient
is even taking methadone, let alone their
dosage.
The commenter believed that aligning
the rules governing physical health and
behavioral health, as this proposed rule
attempts to do, will hopefully reduce
stigma and better enable emergency
physicians to care for the whole
individual, working in parallel with
other clinicians.
Response
We acknowledge the commenter’s
concerns and appreciate that the aims of
the changes throughout this regulation
are to reduce stigma for patients with
SUD and improve integrated care.
Additionally, this final rule provides in
§ 2.12(d) that a part 2 program, covered
entity, or business associate that
receives records based on a single
consent for all TPO is not required to
segregate or segment such records,
therefore more integrated care may be
available for patients who sign a TPO
consent.
Final Rule
The final rule adopts the proposed
changes to § 2.51(c)(2) without further
modification.
Section 2.52—Scientific Research
Proposed Rule
Section 2.52 permits part 2 programs
to disclose patient identifying
information for research, without
patient consent, under limited
circumstances. Paragraph (a) sets forth
the circumstances for when patient
identifying information may be
disclosed to recipients conducting
scientific research. Paragraph (b)
governs how recipients conducting the
research may use patient identifying
information. In § 2.52(b)(3), any
individual or entity conducting
scientific research using patient
identifying information may include
part 2 data in research reports only in
non-identifiable aggregate form.
Paragraph (c) governs how researchers
may use patient identifying information
to form data linkages to data
repositories, including requirements for
how researchers must seek Institutional
Review Board approval to ensure
patient privacy concerns are addressed.
The Department proposed to change
the title of this section from ‘‘Research’’
to ‘‘Scientific Research’’ for consistency
with 42 U.S.C. 290dd–2(b)(2)(B) that
permits programs to disclose to
‘‘qualified personnel for the purpose of
conducting scientific research . . . .’’
The Department also proposed to
change the de-identification standard in
§ 2.52(b)(3) to more closely align with
the HIPAA Privacy Rule de-identification standard. Specifically, the
current text for § 2.52(b)(3) permits a
person conducting scientific research
using patient identifying information
that has been disclosed for research to
‘‘include part 2 data in research reports
only in aggregate form in which patient
identifying information has been
rendered non-identifiable such that the
information cannot be re-identified and
serve as an unauthorized means to
identify a patient, directly or indirectly,
as having or having had a substance use
disorder.’’
Consistent with proposed changes to
§ 2.16(a)(1)(v) and (a)(2)(vi) (Security for
records and notification of breaches),
discussed above, the Department
proposed to modify the language in this
section related to rendering information
non-identifiable so that it also refers to
the HIPAA Privacy Rule de-identification standard. Under our
proposal, a person conducting scientific
research using patient identifying
information disclosed for research
would have been permitted to ‘‘include
part 2 data in research reports only in
aggregate form in which patient
identifying information has been de-identified in accordance with the
requirements of the HIPAA Privacy Rule
at 45 CFR 164.514(b) such that there is
no reasonable basis to believe that the
information can be used to identify a
patient as having or having had a
substance use disorder.’’
As explained above in section § 2.16,
section 3221(c) of the CARES Act
required the Department to apply the
HIPAA Privacy Rule de-identification
standard for PHI codified in 45 CFR
164.514(b) to part 2 for the purpose of
disclosing part 2 records for public
health purposes. The change here (and
in § 2.16 above) was proposed to further
advance alignment with HIPAA and
reduce burden on disclosing entities
that would otherwise have to apply
differing de-identification standards.
The Department also proposed for
clarity and consistency to replace
several instances of the phrase
‘‘individual or entity’’ with the term
‘‘person,’’ which would encompass both
individuals and entities, and to replace
the term ‘‘individual’’ with the term
‘‘person.’’
Comment
As discussed above in connection to
§ 2.16, commenters that addressed de-identification largely voiced support for
adopting a uniform standard in this
regulation that aligns with HIPAA,
including adopting a de-identification
standard applicable to research data.
Many of these commenters believed that
doing so could facilitate alignment and
understanding among covered entities
and part 2 programs.
Response
The Department appreciates these
comments.
Comment
One commenter questioned whether
the Department should define the terms
‘‘research’’ and ‘‘researcher’’ because it
is not clear how the terms apply outside
a traditional academic or medical
research setting. This commenter also
urged the Department to clarify whether
the definitions of these terms in the
HIPAA Privacy Rule at 45 CFR 164.501
be used as the standard in § 2.52.
Response
We appreciate the comment and have
not applied the HIPAA definitions of
‘‘research’’ and ‘‘researcher’’ with the
final rule because those were not
adopted by the CARES Act amendments
to 42 U.S.C. 290dd–2. We acknowledge
that the HIPAA Privacy Rule definition
of ‘‘research’’ is useful and could be
applied to research using part 2 records;
however, we decline in this rule to
require that. Within the Privacy Rule,
‘‘research’’ is defined as ‘‘a systematic
investigation, including research
development, testing, and evaluation,
designed to develop or contribute to
generalizable knowledge.’’ 291 The
HIPAA Privacy Rule does not define the
term ‘‘researcher’’ but in guidance the
Department has explained when a
researcher is considered a covered
entity (‘‘[f]or example, a researcher who
conducts a clinical trial that involves
the delivery of routine health care such
as an MRI or liver function test, and
transmits health information in
electronic form to a third party payer for
payment, would be a covered health
care provider’’).292 We continue to
believe that the purpose behind each
term is sufficiently clear without having
to incorporate regulatory terms in this
part.
Comment
More than half of all commenters that
expressed support for the Department’s
research proposal urged the Department
to expressly permit disclosure of part 2
records in limited data sets protected by
data use agreements as allowed in the
HIPAA Privacy Rule. These commenters
asserted that doing so may greatly
facilitate the exchange of public health
information and research about SUDs.
One commenter, a research company
that expressed support for the de-identification proposal, believed that it
failed to address the creation of limited
data sets as defined by HIPAA,
including that patient consent should
not be required to create limited data
sets. The commenter urged recognition
in § 2.52(a) of what the commenter
referred to as the ‘‘right’’ of part 2
programs or responsible parties
conducting scientific research to use
identifiable part 2 data for making de-identified data or limited data sets
without the need for obtaining
individual consent in the same manner
as is permitted under 45 CFR 164.514.
Response
We decline to finalize a provision that
would incorporate limited data sets into
this regulation. We understand that
291 45 CFR 164.501 (definition of ‘‘Research’’).
The definition is based on the Common Rule
definition of the same term, 45 CFR 46.102 (July 19,
2018).
292 See U.S. Dep’t of Health and Human Servs.,
‘‘When is a researcher considered to be a covered
health care provider under HIPAA’’ (Jan. 9, 2023),
https://www.hhs.gov/hipaa/for-professionals/faq/314/when-is-a-researcher-considered-a-covered-health-care-provider-under-hipaa/.
commenters have questions and
suggestions regarding the interaction of
the HIPAA limited data set
requirements and the part 2 research
requirements. We did not propose any
changes to this regulation to expressly
address limited data sets and are not
finalizing any such changes in this rule;
however, we will take these comments
into consideration for potential future
rulemaking or guidance.
Comment
One commenter, a research
association, perceived a discrepancy in
how part 2 and HIPAA would treat de-identified information under the
proposal. This commenter argued that
under proposed § 2.52(b)(3), part 2
programs must limit the use of de-identified part 2 data in ‘‘research
reports’’ to data presented in aggregate
form instead of treating it as non-PHI as
in the HIPAA Privacy Rule. The
commenter asserted that this
unnecessarily restricts research without
benefiting patients and defeats the
CARES Act objective to align part 2 with
HIPAA. The commenter recommended
that the Department consider alternate
language in § 2.52(b)(3) such as: ‘‘[m]ay
use Part 2 data in research if the patient
identifying information (a) has been de-identified in accordance with any of the
standards of the HIPAA Privacy Rule at
45 CFR 164.514(b); or (b) is in the
format of a limited data set as defined
in 45 CFR 164.514(e), which limited
data set is used in accordance with all
requirements of § 164.514(e), including
the requirement for a data use
agreement.’’
Response
As stated previously, the Department
did not propose to incorporate limited
data sets into this regulation and is not
finalizing such a change in this final
rule. Additionally, the statute limits the
disclosure of records in reports, not the
use of records in conducting research.
Section 290dd–2(b)(2)(B) of title 42
provides that records may be disclosed
without consent ‘‘[t]o qualified
personnel for the purpose of conducting
scientific research . . . but such
personnel may not identify, directly or
indirectly, any individual patient in any
report [emphasis added] of such
research . . .[.]’’
Comment
A few individual commenters claimed
that researchers consistently
demonstrate the ability to re-identify
data so de-identification of SUD records
offers no protection to this sensitive
information and exposes patients to
stigmatization.
Response
As noted above in connection to a
similar comment regarding the de-identification proposal in § 2.16, the
Department is aware of the concerns
related to the potential to re-identify
data. The Department, however, also
recognizes that the HIPAA standard for
de-identification incorporated here is
largely viewed as workable and
understandable. We believe this
sentiment is borne out in the much
larger set of supportive comments.
Final Rule
Similar to the approach adopted in
§ 2.16 (Security for records and
notification of breaches), above, the
final rule incorporates the HIPAA
Privacy Rule de-identification standard
at 45 CFR 164.514(b) into § 2.52 as
proposed, and further modifies this
section to more fully align with the
complete HIPAA de-identification
standard that adopts and includes
language from 45 CFR 164.514(a). The
final rule deletes the phrase in
§ 2.52(b)(3), ‘‘as having or having had a
substance use disorder,’’ and modifies
this language to: ‘‘such that there is no
reasonable basis to believe that the
information can be used to identify a
patient.’’ In so doing, we are aligning
with the HIPAA standard in paragraph
(a) of 45 CFR 164.514 which refers to
‘‘no reasonable basis to believe that the
information can be used to identify an
individual,’’ and is not limited to
removing information about a particular
diagnosis or subset of health conditions.
In this way, the final standard
incorporated here is more privacy
protective than the proposed standard.
Moreover, as we also stated in
connection with the final de-identification standard incorporated in
§ 2.16 above, our adoption of the same
de-identification standard for public
health disclosures (new § 2.54) into this
provision provides a uniform method
for de-identifying part 2 records for all
purposes. Finally, we removed the
language ‘‘the HIPAA Privacy Rule’’
from regulatory references to 45 CFR
164.514(b) because we believe it to be
unnecessary.
Section 2.53—Management Audits,
Financial Audits, and Program
Evaluation
Proposed Rule
The Department proposed to change
the heading of § 2.53 to specifically refer
to management audits, financial audits,
and program evaluation to more clearly
describe the disclosures permitted
without consent under 42 U.S.C.
290dd–2(b)(2)(B). The Department also
proposed to replace several instances of
the phrase ‘‘individual or entity’’ with
the term ‘‘person’’, which would
encompass both individuals and
entities. The Department also proposed
to modify the audit and evaluation
provisions at § 2.53 by adding the term
‘‘use’’ where the current language of
§ 2.53 refers only to disclosure and by
adding paragraph (h) (Disclosures for
health care operations).
Section 2.53 permits a part 2 program
or lawful holder to disclose patient
identifying information to an individual
or entity in the course of certain
Federal, State, or local audit and
program evaluation activities. Section
2.53 also permits a part 2 program to
disclose patient identifying information
to Federal, State, or local government
agencies and their contractors,
subcontractors, and legal representatives
when mandated by law if the audit or
evaluation cannot be carried out using
de-identified information.
The Department explained in the
NPRM that there is significant overlap
between activities described as ‘‘audit
and evaluation’’ in § 2.53 and health
care operations as defined in the HIPAA
Privacy Rule at 45 CFR 164.501. For
example, the following audit and
evaluation activities under part 2 align
with the health care operations defined
in the HIPAA Privacy Rule, as cited
below:
• Section 2.53(c)(1) (government
agency or third-party payer activities to
identify actions, such as changes to its
policies or procedures, to improve care
and outcomes for patients with SUDs
who are treated by part 2 programs;
ensure that resources are managed
effectively to care for patients; or
determine the need for adjustments to
payment policies to enhance care or
coverage for patients with SUD); 293
• Section 2.53(c)(2) (reviews of
appropriateness of medical care,
medical necessity, and utilization of
services); 294 and
• Section 2.53(d) (accreditation).295
In addition, activities by individuals
and entities (‘‘persons’’ under the final
rule) conducting Medicare, Medicaid,
and CHIP audits or evaluations
described at § 2.53(e) parallel those
defined as health oversight activities in
the HIPAA Privacy Rule at 45 CFR
164.512(d)(1). Part 2 programs and
lawful holders making disclosures to
these persons must agree to comply
with all applicable provisions of 42
293 See, e.g., 45 CFR 164.501 (definition of
‘‘Health care operations,’’ paragraph (5)).
294 See, e.g., 45 CFR 164.501 (definition of
‘‘Health care operations,’’ paragraph (1)).
295 See, e.g., 45 CFR 164.501 (definition of
‘‘Health care operations,’’ paragraph (2)).
U.S.C. 290dd–2, ensure that the
activities involving patient identifying
information occur in a confidential and
controlled setting, ensure that any
communications or reports or other
documents resulting from an audit or
evaluation under this section do not
allow for the direct or indirect
identification (e.g., through the use of
codes) of a patient as having or having
had an SUD, and must establish policies
and procedures to protect the
confidentiality of the patient identifying
information consistent with this part.
Patient identifying information
disclosed pursuant to § 2.53(e) may be
further redisclosed to contractor(s),
subcontractor(s), or legal
representative(s), to carry out the audit
or evaluation, but are restricted to only
that which is necessary to complete the
audit or evaluation as specified in
paragraph (e).296
We confirm here that nothing in the
proposed or final rule is intended to
alter the existing use and disclosure
permissions for the conduct of audits
and evaluations, including for
investigative agencies that conduct
audits. Thus, an investigative agency
that is performing an oversight function
may continue to review records under
the § 2.53 requirements as they did
under the previous rule. At such time
within a review that an audit needs to
be referred for a criminal investigation
or prosecution, that investigative agency
would be expected to follow the
requirements under subpart E for
seeking a court order. In the event an
investigative agency fails to seek a court
order because it is unaware that it has
obtained part 2 records, it may rely on
the newly established safe harbor within
§ 2.3, provided that it first exercised
reasonable diligence in trying to
ascertain if the provider was providing
SUD treatment. In making use of the
safe harbor, an investigative agency
would then be obligated to follow the
new requirements in § 2.66 or § 2.67, as
applicable.
Section 3221(b) of the CARES Act
amended the PHSA to permit part 2
programs, covered entities, and business
associates to use or disclose the contents
of part 2 records for TPO after obtaining
the written consent of a patient.297
Covered entities, including those that
are also part 2 programs, and business
associates are further permitted to
redisclose the same information in
accordance with the HIPAA Privacy
Rule. As the Department noted
throughout the NPRM, these new
296 See 42 CFR 2.53(e)(6).
297 Codified at 42 U.S.C. 290dd–2(b)(1)(B).
disclosure pathways are permissive, not
required.
To implement the new TPO
permission that includes the ability of
the entities above to use or disclose part
2 records for health care operations with
a general consent, the Department
proposed to modify the audit and
evaluation provisions at § 2.53 by
adding the term ‘‘use’’ where the current
language of § 2.53 refers only to
disclosure and by adding paragraph (h)
(Disclosures for health care operations).
This new paragraph as proposed would
clarify that part 2 programs, covered
entities, and business associates are
permitted to disclose part 2 records
pursuant to a single consent for all
future uses and disclosures for TPO
when a requesting entity is seeking
records for activities described in
paragraph (c) or (d) of § 2.53. Such
activities are health care operations, but
do not include treatment and payment.
To the extent that a requesting entity is
itself a part 2 program, covered entity,
or business associate that has received
part 2 records pursuant to a consent that
includes disclosures for health care
operations, it would then be permitted
to redisclose the records for other
purposes as permitted by the HIPAA
Privacy Rule. Thus, if an auditing entity
is a part 2 program, covered entity, or
business associate that has obtained
TPO consent and is not performing
health oversight, it would not be subject
to all the requirements of § 2.53 (e.g., the
requirement to only disclose the records
back to the program that provided
them). Requesting entities that are not
part 2 programs, covered entities, or
business associates would not have this
flexibility but would still use existing
permissions in § 2.53 to obtain access to
records for audit and evaluation
purposes, and they would remain
subject to the redisclosure limitations
and written agreement requirement
therein.
The Department proposed paragraph
(h) which would leave intact existing
disclosure permissions and
requirements for audit and evaluation
activities without consent, including
health care oversight activities, such as
described in paragraph (e). At the same
time, the proposal would provide a new
mechanism for programs and covered
entities to obtain patient consents for all
future TPO uses and disclosures
(including redisclosures), which in
some instances may include audit and
evaluation activities.
Comment
We received several comments about
audit and evaluation provisions. Most
commenters expressed support for our
proposed changes to this section. A
major health plan expressed support
without further comment. Others
expressed support and offered
additional recommendations or
suggestions for further alignment or
clarity. A state data center requested
clarity on whether there could be other
permissible disclosures for licensing
proceedings and hearings before an
administrative tribunal brought by an
agency that provides financial
assistance to the part 2 program or is
authorized by law to regulate the part 2
program and administratively enforce
remedies authorized by law to be
imposed as a result of the findings of the
administrative tribunal. The commenter
suggested adding a new subsection
§ 2.53(c)(3) to address these issues and
add appropriate restrictions.
One state regulatory agency expressed
concerns about § 2.53 describing its
recent experience with licensed health
care facilities significantly disrupting
the department’s regulatory
responsibilities by using 42 CFR part 2
as justification. Specifically, it
expressed concern that licensed health
care facilities may rely on the proposed
public health authority exception to
prevent the state from accessing SUD
records without patient consent or a
court order. This same agency further
commented that the final rule should
clarify the scope of the ‘‘public health
authority’’ exception and affirm the
ability of state licensing authorities to
access identifiable patient records
pursuant to § 2.53 for surveys and
investigations.
Response
We appreciate the comments on our
proposed changes. We discuss
redisclosure provisions in § 2.33. We
clarify here that although the new
disclosure permission for public health
in § 2.54 is limited to records that are
de-identified, the existing permission
for access to identifiable patient
information in § 2.53 remains a valid
and viable means for government
agencies with audit and evaluation
responsibilities to review records
without obtaining a court order. We
believe that Congress enacted the public
health disclosure permission to enhance
the ability of part 2 programs and other
lawful holders of part 2 records to report
to public health authorities. This is
distinct from the regulatory and
oversight authority over programs and
lawful holders that permits them to
review records that are not de-identified, providing the conditions of
§ 2.53 are met. We decline to add a new
subsection to § 2.53(c) to clarify other
disclosure provisions for use by
regulatory agencies with enforcement
authority over part 2 programs and
lawful holders, but §§ 2.62, 2.63, 2.64,
and 2.66 may govern use of audit and
evaluation records in criminal and noncriminal proceedings against a program.
These provisions also are clear that a
court order will not be granted unless
other means of obtaining the records are
unavailable or would be ineffective.
Therefore, use of the disclosure
permission under § 2.53 is encouraged
as courts are unlikely to grant these
orders given the provisions of this rule.
Comment
Several commenters addressed APCDs
or MPCDs. One non-profit agency which
administrates a state-based APCD
commented that the rule should
expressly include a permission to
disclose to state-mandated APCDs for
audit and evaluation purposes required
by statute or regulation. It also
recommended that the Department
clarify that a state mandated APCD
housed in a non-state nonprofit entity
does not need to be providing oversight
and management of a part 2 program as
a prerequisite for relying on § 2.53 to
conduct an audit or evaluation on behalf
of a state agency. It asserted that in
many states the APCD is the most
comprehensive source of cross-payer
data and analytics, and the lack of
clarity around APCD authority to hold
SUD data is actively hampering the
ability to use APCDs to provide
information about the current opioid
epidemic, to evaluate what and where
progress is being made, and to
determine if there are populations with
inequitable access to the programs and
mitigation strategies used across the
country. Another non-government
agency and a state agency made similar
comments and a recommendation for
guidance or an express permission to
disclose SUD records to a state agency
for APCDs.
One commenter remarked that there
continues to be confusion within the
data submitter community about the
ability of health insurance carriers to
legally submit data to state health
database organizations without patient
consent. According to the commenter,
there is an opportunity for the
Department to expressly identify this
use as an authorized release of data to
state agencies. Alternatively, the
Department could provide guidance for
the existing rules with this necessary
clarification rather than use the rulemaking process. The commenter also
suggested that HHS provide clarification
to understand better if the limitations in
§ 2.53(f) apply to audits/evaluations
conducted under all of § 2.53 or only
those preceding § 2.53(f).
A state agency recommended that
restrictions against law enforcement
accessing the database and against
information in the databases being used
for legal proceedings against the patient
should accompany the permission to
disclose to state APCDs. It further
requested clarity on whether it has
authority to request SUD data from
downstream HIPAA covered entities
(such as health plans and non-part 2
providers) and business associates if
those entities received part 2 records for
TPO purposes with patient consent. The
commenter also opined that although,
by law, it receives data to determine
what actions are needed at a health plan
level to improve care and outcomes for
patients in part 2 programs, it was not
clear if the limitations in § 2.53(f)
prohibited another state agency also
conducting mandated audit or
evaluations under § 2.53(g) from
providing or sharing that data. If not, the
state agency noted government agencies
may not be able to ‘‘directly use’’ its
databases, even if they are conducting
proper but separate audit or evaluations
under § 2.53. Such a result, according to
the commenter, could result in lost
efficiencies and added burdens on part
2 programs or lawful holders because
they would need to provide the data to
the requesting government agencies,
instead of the government agencies
utilizing existing state databases. The
commenter also asserted that per
§ 2.53(g), this data release would only
occur in cases where the work could not
be carried out using de-identified
information (and subject to the
government agency recipient accepting
privacy and security responsibilities
consistent with applicable law).
Response
We appreciate the comments on
APCDs or MPCDs and other provisions
under this section and may provide
additional guidance after this rule is
finalized. In the preamble to the 2017 Part
2 Final Rule, the Department stated
‘‘that MPCDs [. . .] are permitted to
obtain part 2 data under the research
exception provided in § 2.52, provided
that the conditions of the research
exception are met. Furthermore, an
MPCD [ . . .] that obtains part 2 data in
this fashion would be considered a
‘lawful holder’ under these final
regulations and would therefore be
permitted to redisclose part 2 data for
research purposes, subject to the other
conditions imposed under § 2.52.’’ 298
298 82 FR 6052, 6102.
In the preamble to the 2020 Part 2
Final Rule, the Department explained
that under § 2.53, government agencies
and third-party payer entities would be
permitted to obtain part 2 records
without written patient consent to
periodically conduct audits or
evaluations for purposes such as
identifying agency or health plan
actions or policy changes aimed at
improving care and outcomes for part 2
patients.299 Such purposes could
include, e.g., provider education and
recommending or requiring improved
health care approaches.300 The
Department also noted that government
agencies and private not-for-profit
entities granted authority under
applicable statutes or regulations may
be charged with conducting such
reviews for licensing or certification
purposes or to ensure compliance with
Federal or state laws. The 2019 Part 2
NPRM explained ‘‘that the concept of
audit or evaluation is not restricted to
reviews that examine individual part 2
program performance.’’ 301
In this final rule we also provide in
this section that a part 2 program,
covered entity, or business associate
may disclose records in accordance with
a consent that includes health care
operations to the extent that the audit or
evaluation constitutes a health care
operation activity, and the recipient
may redisclose such records as
permitted under the HIPAA Privacy
Rule if the recipient is a covered entity
or business associate. Health care
operations include a broad range of
quality improvement and related
activities, some of which overlap with
the audit and evaluations under
§ 2.53.302
As worded, § 2.53(f) applies to the
entirety of § 2.53 and states that
‘‘[e]xcept as provided in paragraph (e) of
this section, patient identifying
information disclosed under this section
may be disclosed only back to the part
2 program or other lawful holder from
which it was obtained and may be used
only to carry out an audit or evaluation
purpose or to investigate or prosecute
criminal or other activities, as
authorized by a court order entered
under § 2.66.’’
Comment
One managed care entity asserted that
the proposed rule should fully align the
part 2 audit and evaluation provisions
with the HIPAA Privacy Rule to avoid
299 85 FR 42986, 43023.
300 Id.
301 85 FR 42986, 43023; 84 FR 44568, 44579.
302 See ‘‘Uses and Disclosures for Treatment, Payment, and Health Care Operations,’’ supra note 248.
distinctions between disclosures that
would be permitted as part of health
care operations but might not fit within
the scope of audits and evaluations. It
further commented that such
misalignment could be administratively
challenging and inadvertently impact
the results of audits and evaluations due
to incomplete or inaccurate data sets.
A large pharmacy provider
commented that it strongly supported
alignment of HIPAA and 42 CFR part 2,
and to achieve full alignment, the
Department should clarify that HIPAA
governs all part 2 records that are PHI
when in the hands of covered entities
and business associates for any TPO
purposes, including not applying the
audit and evaluation provisions of
§ 2.53 to covered entities when the
subject activities fall within TPO for
HIPAA purposes. A major health system
commented that the redisclosure
permission granted to part 2 providers,
covered entities, and business associates
for records received under a TPO
consent (including for the clarified
health care operations provision at
§ 2.53) may lead to better SUD treatment
and payment for such treatment, and a
reduction of operational issues between
and among providers and their business
associates.
Response
The changes to § 2.53 as finalized
more closely align with the HIPAA
Privacy Rule because this section now
expressly addresses disclosures for
health care operations that are permitted
with a single consent for all future uses
and disclosures for TPO under §§ 2.31
and 2.33. However, full alignment of
§ 2.53 with the HIPAA Privacy Rule is
not authorized by the CARES Act
because most of this section includes
additional protections for part 2 records
when used or disclosed for oversight,
such as vesting the part 2 program
director with discretion to determine
whether a requester is qualified,
prohibiting redisclosure of the records
by the recipient, and requiring the
return or destruction of records after
completion of the audit and evaluation.
We address redisclosures in more depth
in the discussion of § 2.32 and TPO
disclosures in § 2.33 above.
Comment
Although the CARES Act does not
expressly address § 2.53, one
commenter believed that leaving out
health oversight activities while
including the CARES Act provisions for
TPO purposes makes SUD patients more
vulnerable. This individual commenter
further suggested that the general
regulatory authority given to the
Department by the CARES Act would
permit incorporating health oversight
into this provision, which the
commenter views as an acceptable
tradeoff for diminished patient
autonomy in terms of consent.
Response
Even though section 3221(e) of the
CARES Act does not expressly address
audits and evaluations, 42 U.S.C.
290dd–2 continues to reference audits
and evaluations. The CARES Act
emphasized use and disclosure of
records for TPO and restrictions on use
and disclosure in civil, criminal,
administrative, or legislative
proceedings. We note and have
discussed in the 2018 and 2020 final
rules 303 and 2022 NPRM that § 2.53 is
comprised of many activities that many
would view as constituting health care
oversight, including audits and quality
improvement activities. Paragraph (e)
specifically concerns Medicare,
Medicaid, CHIP, or related audit or
evaluation. In addition, § 2.62 expressly
precludes records that are obtained
under this section from being used and
disclosed in proceedings against the
patient.
Final Rule
The final rule adopts the proposed
changes to § 2.53, with two
modifications to paragraph (h). The first
is to limit redisclosure to recipients that
are covered entities and business
associates and the second is to refer to
‘‘HIPAA regulations’’ instead of 45 CFR
164.502 and 164.506. We believe this is
consistent with the changes to § 2.33(b)
and the addition of the defined term
‘‘HIPAA regulations.’’
Section 2.54—Disclosures for Public
Health
Proposed Rule
The existing part 2 regulations do not
permit the disclosure of part 2 records
for public health purposes. Section
3221(c) of the CARES Act added
paragraph (b)(2)(D) to 42 U.S.C. 290dd–
2 to permit part 2 programs to disclose
de-identified health information to
public health authorities and required
the content of such de-identified
information to meet the HIPAA Privacy
Rule de-identification standard for PHI
codified in 45 CFR 164.514(b).
Accordingly, the Department proposed
to add a new § 2.54 to permit part 2
programs to disclose part 2 records
without patient consent to public health
authorities provided that the
information is de-identified in
303 See 83 FR 239, 247 and 85 FR 42986, 43025,
respectively.
accordance with the standards in 45
CFR 164.514(b).
We proposed this change in
conjunction with 42 U.S.C. 290dd–
2(b)(2)(D), as added by CARES Act
section 3221(d), which directed the
Department to add a new definition of
‘‘public health authority’’ to this part.
We also proposed the new definition in
§ 2.11, as discussed above.
Comment
Most commenters voiced support for
the proposal to permit disclosures of de-identified records to public health
authorities. Comments included
assertions that the proposal may:
promote awareness of SUDs; align goals
between providers and public health
authorities regarding SUD treatment;
better help address the drug overdose
crisis by ensuring information was
available to develop useful tools while
not impinging on individuals’ privacy;
assist with addressing population health
matters; improve population health; and
assist vulnerable populations by
ensuring SUD records are available (e.g.,
addressing the COVID–19 pandemic).
Response
The Department appreciates the
comments and takes the opportunity to
reiterate here that the proposal is
consistent with the new authority
enacted in the CARES Act.
Comment
Some commenters asserted that while
the regulation should allow the
disclosure of SUD records for public
health purposes, it should permit the
disclosure of identifiable information
rather than limit it to de-identified data.
A few of these commenters
acknowledged that the CARES Act
modified title 42 to permit disclosure
only of health information de-identified
to the HIPAA standard in 45 CFR
164.512(b). Despite awareness of the
CARES Act, these commenters gave
multiple reasons why they thought the
Department should promulgate a rule
that permits the disclosure of
identifiable data to a public health
authority. For example, several of these
commenters, including an academic
medical center, a private SUD recovery
center, and a state-affiliated HIE,
asserted that state laws often require
public health reporting for
communicable/infectious disease
surveillance. A Tribal consulting firm
asserted that part 2 rules for disclosing
data to public health authorities
contradict state, Tribal, local, and
territorial public health laws when other
health care providers are required to
submit individually identifiable
information. A SUD treatment provider
cited the potential vulnerability of this
patient population to sexually
transmitted diseases and the need for
individual level data (e.g., age, address)
to accomplish effective disease
surveillance and resource allocation. A
managed care organization, a health
system, and a few state/local health
departments commented that the
limitation of disclosing only de-identified information could hinder
public health efforts. A few HIE/HINs
commented that in their role as Health
Data Utilities, they regularly share
critical health data with public health
authorities. They gave examples such as
overdose death information, which
facilitates public health authorities’
provision of appropriate follow-up
services and resources to those affected
by SUD. The HIE/HINs also have a role
in producing public and population
health information such as data maps or
other rendering showing utilization of
SUD facilities and open bed counts for
the purpose of referrals. These
organizations commented that the
differences between HIPAA and the
proposed part 2 public health disclosure
permission may complicate the IT
landscape.
Response
We acknowledge the many good
explanations of how identifiable
information could be useful for public
health purposes that would not involve
public reporting of patient identifying
information. However, we lack authority
to permit disclosures of identifiable
information for public health purposes
absent patient consent. This limitation
is reflected in the amended statute at 42
U.S.C. 290dd–2(b)(2)(D).
Comment
Several other commenters supported
the proposal but suggested other
modifications or accompanying
guidance. For example, one commenter,
a regional HIN, asserted that part 2 and
HIPAA already permit the disclosure of
de-identified data without patient
consent, and therefore the revision is a
clarification rather than a substantive
change. It urged the Department to
clarify that the use of a general
designation on an authorization form
could allow disclosures to public health
authorities operating in their state of
residence. It also requested the
Department to clarify—either in
regulation or in guidance—when
disclosures to public health authorities
may fall into the research or audit and
evaluation consent exceptions. A major
health plan commented that conducting
public health activities using a limited
data set would be more useful and could
advance important public health goals,
as de-identified data lacks dates of
service and ages which are often
important variables for both research
and public health activities. A state
commented that the Department should
specify what constitutes ‘‘public health
purposes.’’ A large health care provider
commented that the Department could
help clarify the general right to de-identify part 2 records and disclose such
de-identified part 2 records by including
an explicit right to do so in the
regulations as a permitted use,
including an express right to use part 2
records for health care operations and to
create a de-identified data set without
patient consent.
Response
We appreciate these comments but
have proposed this provision consistent
with statutory authority. With respect to
limited data sets, we address this topic
in the discussion of § 2.52 above. We
decline at this time to issue guidance
related to distinctions between public
health activities, research activities, and
audit and evaluation. We have not
received a large number of comments or
requests to do so but will monitor for
the need to address once this rule is
finalized.
Comment
A health information management
organization opposed the proposal and
commented that the Department should
fully understand the realities of de-identified data and should engage
patient advocacy focused organizations
to understand if transmitting de-identified data to public health entities
would jeopardize patient trust in part 2
programs. It further commented that the
de-identification standard for data
within health care continues to evolve
and change over time as technology and
artificial intelligence are better able to
reidentify patients.
Response
The CARES Act now requires the
Department to finalize a standard that
permits disclosure of information that is
de-identified according to the HIPAA
standard. Although we are obligated to
implement the standard, we will
monitor developments in accepted de-identification practices and how
emerging technology developments may
reduce the effectiveness of current
standards.
Comment
One commenter, a health system,
recommended that the Department
ensure the de-identification standard for
records conforms with various state
reporting requirements and patient
expectations. It cited the example of the
state being required to track and report
certain statistical information. The
commenter also believed that adopting
the HIPAA standard should be done in
a way to allow for continued
compliance with these state regulations.
Another commenter, a medical
professionals association, urged the
Department to facilitate coordination
between physicians and health IT
entities to improve de-identification
technology and make it more widely
accessible for physician practices. A few
other commenters, another medical
professional association and a trade
association representing health plans,
commented that it was important for
best practices for de-identification to be
adhered to and reflected in regulations,
and that regulated entities should
specify which de-identification methods
are being used for each data set.
Response
We have found that in most cases,
state reporting requirements
contemplate the disclosure of aggregate
data, which may include de-identified
records. Similarly, our authority to
override state public health report
requirements is statutorily limited. We
express support for and encourage
physicians to work with their respective
technology vendors to assure the
availability of compliant technology in
physician practices.
Final Rule
The final rule adopts the proposed
addition of a new § 2.54 into this
regulation, and the accompanying
definition of ‘‘public health authority’’
discussed in § 2.11. The proposal is
adopted with further modification, but
we believe it remains within our
authority as enacted by the CARES Act.
Consistent with the approach adopted
above in §§ 2.16 (Security for records
and notification of breaches) and 2.52
(Scientific research), we are further
modifying the language proposed to
align with the full HIPAA de-identification standard, which includes
45 CFR 164.514(a). As such, the final
standard here permits a part 2 program
to disclose records for public health
purposes if made to a ‘‘public health
authority’’ and the content has been de-identified in accordance with the
requirements of the HIPAA Privacy Rule
standard at 45 CFR 164.514(b), ‘‘such
that there is no reasonable basis to
believe that the information can be used
to identify a patient.’’ This final
language strikes from the proposal the
limiting phrase after this language that
is in the existing rule: ‘‘as having or
having had a substance use disorder.’’ In
addition, we removed the language ‘‘the
HIPAA Privacy Rule’’ from the
regulatory reference to 45 CFR
164.514(b) because we believe it
unnecessary.
We reiterate here that the proposed
change should not be construed as
extending the protections of part 2 to
de-identified information, as such
information is outside the scope of
§ 2.12(a). Thus, once part 2 records are
de-identified for disclosure to public
health authorities, part 2 no longer
applies to the de-identified records.
Subpart E—Court Orders Authorizing
Use and Disclosure
The CARES Act enacted significant
statutory changes governing how
records could be used in legal
proceedings. Section 290dd–2(c) (Use of
Records in Criminal, Civil, or
Administrative Contexts), as amended
by section 3221(e) of the Act, newly
emphasizes the allowance of written
consent as a basis for disclosing records
for proceedings. Revised paragraph (c)
of 42 U.S.C. 290dd–2, as amended, now
provides ‘‘[e]xcept as otherwise
authorized by a court order under
subsection (b)(2)(c) or by the consent of
the patient, a record referred to in
subsection (a), or testimony relaying the
information contained therein, may not
be disclosed or used in any civil,
criminal, administrative, or legislative
proceedings [. . .] against a patient
[. . .].’’ Thus, paragraph (c) of the
amended statute also applies
restrictions beyond records to
‘‘testimony relaying the information
contained therein.’’ In the NPRM, the
Department proposed to implement this
amended statutory provision across
every subpart E section as applicable,
and in addition, proposed changes to
§§ 2.12(d) and 2.31, discussed above, to
more generally address how restrictions
on use and disclosure of records apply
in legal proceedings, and requirements
for the structure of written consents for
uses and disclosures of record and
information in testimony in legal
proceedings.304
304 As discussed above, the Department is
finalizing changes to § 2.12, Applicability.
Paragraph (d) of § 2.12, as finalized, provides that
restrictions on the use and disclosure of any record
to initiate or substantiate criminal charges against
a patient or to conduct any criminal investigation
of a patient, or to use in any civil, criminal,
administrative, or legislative proceeding against a
patient, applies to any person who obtains the
record from a part 2 program, covered entity,
business associate, intermediary, or lawful holder
regardless of the status of the person obtaining the
record or whether the record was obtained in
accordance with part 2.
To properly reflect that subpart E
regulates uses and disclosures of
records, information, and testimony
therein, the Department is finalizing the
proposed heading so that it now refers
to ‘‘Court Orders Authorizing Use and
Disclosure.’’ We received no comments
addressing the proposed change in
heading. We also note with respect to
proposed modifications throughout this
subpart, many public comments were
intermingled across sections or intended
to provide comment related to multiple
regulatory sections. To the best of our
ability, we responded to such comments
in the regulatory section where we
believe them most applicable.
Section 2.61—Legal Effect of Order
Section 2.61 includes the requirement
that in addition to a court order that
authorizes disclosure, a subpoena is
required to compel disclosure of part 2
records. The final rule adopts the
proposed addition to add the word
‘‘use’’ to paragraphs (a) and (b)(1) and
(2) to clarify that the legal effect of a
court order with respect to part 2
records would include authorizing the
use of part 2 records, in addition to the
disclosure of part 2 records. The
Department did not propose substantive
changes to this section although in
relation to other provisions of this
rulemaking, a few commenters
expressed concern that the rule
contemplates the added expense of a
subpoena. Those comments are
addressed below.
Section 2.62—Order Not Applicable to
Records Disclosed Without Consent to
Researchers, Auditors, and Evaluators
Proposed Rule
Section 2.62 provides that a court
order issued pursuant to part 2 may not
authorize ‘‘qualified personnel’’ who
have received patient identifying
information without consent for
conducting research, audit, or
evaluation, to disclose that information
or use it to conduct any criminal
investigation or prosecution of a patient.
As we explained in the NPRM, the term
‘‘qualified personnel’’ has a precise
meaning but does not have a regulatory
definition within 42 CFR part 2 and is
used only once within the regulation.
For greater clarity, the Department
proposed to refer instead to ‘‘persons
who meet the criteria specified in
§ 2.52(a)(1)(i) through (iii),’’ and later in
the paragraph to ‘‘such persons.’’ The
individual paragraphs of § 2.52(a)(1)(i)
through (iii) describe the circumstances
by which the person designated as
director, managing director, or
authoritative representative of a part 2
program or other lawful holder may
disclose patient identifying information
to a recipient conducting scientific
research.
Comment
The Department did not receive
comments specific to this section.
Final Rule
The Department adopts the proposed
change and additionally inserts ‘‘and
§ 2.53’’ as a technical correction given
that the regulatory text references audit
and evaluation but not § 2.53. The final
text provides that the court ‘‘may not
authorize persons who meet the criteria
specified in §§ 2.52(a)(1)(i) through (iii)
and 2.53, who have received patient
identifying information without consent
for the purpose of conducting research,
audit, or evaluation, to disclose that
information or use it to conduct any
criminal investigation or prosecution of
a patient.’’
Section 2.63—Confidential
Communications
Proposed Rule
Section 2.63 contains provisions that
protect the confidential
communications made by a patient to a
part 2 program. Paragraph (a) of § 2.63
provides that a court order may
authorize disclosure of confidential
communications made by a patient to a
part 2 program during diagnosis,
treatment, or referral only if necessary:
(1) to protect against an existing threat
to life or of serious bodily injury; (2) to
investigate or prosecute an extremely
serious crime, such as one that directly
threatens loss of life or serious bodily
injury, including homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, or child abuse and
neglect; or (3) in connection with
litigation or an administrative
proceeding in which the patient
introduces their own part 2 records.
Paragraph (b) of current § 2.63 is
reserved.
To implement changes to 42 U.S.C.
290dd–2 that could properly be applied
to this section, the Department proposed
to specify in § 2.63(a)(3) that civil, as
well as criminal, administrative, and
legislative proceedings are
circumstances under which a court may
authorize disclosures of confidential
communications made by a patient to a
part 2 program. Specifically, the
Department proposed in § 2.63(a)(3) to
expand the permission’s application
from ‘‘litigation or administrative
proceeding’’ to ‘‘civil, criminal,
administrative, or legislative
proceeding’’ in which the patient offers
testimony or other evidence pertaining
to the content of the confidential
communications.
Comment
One commenter expressed support for
the proposal with the caveat that the
part 2 program or covered entity be
permitted to use the records, without a
requirement that the patient first
introduce the records into a legal
proceeding, if the purpose of the use is
for defense against professional liability
claims brought by the patient.
One health plan also expressed
unconditional support for this proposal.
Response
We appreciate the comments. We
reaffirm here that this regulation is
intended to protect those
communications that are narrow in
scope and limited to those statements
made by a patient to a part 2 program
in the course of diagnosis, treatment, or
referral for treatment. We believe
continuing to permit disclosure only
under circumstances of serious harm
coupled with a patient’s own ‘‘opening
the door’’ in legal proceedings strikes
the right balance against an obvious
disincentive to seeking care when such
communications are not kept
confidential. On the other hand, should
an applicant believe it necessary to seek
a court order and subpoena authorizing
and compelling disclosure, respectively,
there is nothing in this section that
would restrict the ability of the
applicant to attempt to convince a court
that the information sought is broader
than that governed by § 2.63, such as
information contained in records subject
to disclosure under § 2.64 and
evaluation by a competent court with
jurisdiction.
Final Rule
The final rule adopts the proposed
changes to this section without further
modification.
Section 2.64—Procedures and Criteria
for Orders Authorizing Uses and
Disclosures for Noncriminal Purposes
Proposed Rule
Section 2.64 describes the procedures
and criteria that permit any person
having a legally recognized interest in
the disclosure of patient records for
purposes ‘‘other than criminal
investigation or prosecution’’ to apply
for a court order authorizing the
disclosure of the records.
The current language of § 2.64 refers
only to ‘‘purposes other than criminal
investigation or prosecution’’ and
‘‘noncriminal purposes’’ in the heading.
To implement the changes to 42 U.S.C.
290dd–2(c), the Department proposed to
modify paragraph (a) of § 2.64 to expand
the forums for which a court order must
be obtained, absent written patient
consent, to permit use and disclosure of
records in civil, administrative, or
legislative proceedings. The Department
also proposed, consistent with the
language of the amended statute, to
apply the requirement for the court
order to not only records, but
‘‘testimony’’ relaying information
within the records.
Comment
One commenter, a state Medicaid
Office, sought guidance from the
Department on determining the
appropriateness of applying
redisclosure procedures under HIPAA
or part 2 when the underlying
disclosure relates to a judicial or
administrative proceeding. Specifically,
this commenter noted that following a
receipt of records pursuant to a TPO
consent, proposed § 2.33(b) authorizes
subsequent redisclosures under HIPAA
regulations. As an example, it described
a covered entity that receives an order
for part 2 records of a Medicaid
recipient as part of a civil,
administrative, legislative, or criminal
proceeding or criminal investigation.
The proceeding in this situation is not
against the Medicaid recipient who is
instead, a witness, an alternate suspect,
or other third-party individual. In these
cases, this commenter asked if it should
review and respond to the order under
45 CFR 164.512(e) 305 pursuant to the
proposed § 2.33(b) or under the
procedures required by § 2.64.
Response
As we understand the commenter’s
example and question, the underlying
proceedings are not against the subject
of the records or ‘‘patient,’’ and
therefore the covered entity would be
permitted to redisclose the records in
accordance with the HIPAA Privacy Rule
permission at 45 CFR 164.512(e). This
response is consistent with the part 2
statute and with revised § 2.33(b) which
provides that ‘‘[i]f a patient consents to
a use or disclosure of their records
consistent with § 2.31, the recipient may
further use or disclose such records as
provided in subpart E of this part, and
as follows . . . [w]hen disclosed for
treatment, payment, and health care
operations activities [. . .] the recipient
may further use or disclose those
records in accordance with the HIPAA
regulations, except for uses and
disclosures for civil, criminal,
305 45 CFR 164.512(e) grants permissions to
covered entities to disclose PHI for judicial and
administrative proceedings.
administrative, and legislative
proceedings against the patient
[emphasis added].’’
Although revisions to § 2.33 permit a
covered entity or business associate to
redisclose records obtained pursuant to
a TPO consent ‘‘in accordance with the
HIPAA regulations,’’ any person seeking
to redisclose such records or
information in a proceeding against the
patient is required to comply with the
procedures in § 2.64 or § 2.65 to obtain
the part 2 court order or a separate
consent of the patient that meets the
requirements of new § 2.31(d).
Comment
One supportive commenter, a health
system, asserted that a reasonable and
necessary exception to the rule
requiring patient consent or court order
is in the case of a health care entity and
provider needing access to records to
vigorously defend their positions in
legal proceedings against a patient, such
as with a professional liability claim.
This commenter further asserted that
redacted records would be inadequate
for preparation or case presentation.
Response
We do not believe that a professional
liability claim brought by a patient
against a provider is a proceeding
‘‘against a patient.’’ If a provider
believes that a part 2 record or
information is required to mount a
defense against a professional liability
claim brought by a patient, there is
nothing in this regulation which would
prevent the provider from seeking relief
from a court.
Comment
One commenter did not object to the
Department’s proposal extending the
current provision to apply to
administrative and legislative
proceedings, but objected to the
requirement that a part 2 program or
covered entity may incur legal expenses
to obtain an instrument that would
compel compliance (i.e., a subpoena, in
addition to a court order).
Response
We appreciate the comment but even
before this rulemaking, § 2.61 made
clear that the sole purpose of a court
order issued pursuant to subpart E was
to authorize use or disclosure of patient
information but not to compel the same.
Additionally, under the current § 2.61, a
subpoena or a similar legal mandate
must be issued in order to compel
disclosure. There is nothing in the
CARES Act amendments that suggests
we should modify these requirements.
Comment
Several commenters expressed
support for this proposal, including a
county department of public health and
several individuals. One individual
expressed strong support for restricting
disclosures for civil and non-criminal
procedures to promote racial equity.
Another individual commenter thanked
the Department for protecting patients
from having records used against them,
including the content of records in
testimony.
Response
We appreciate the comments, but
historically part 2 has always placed
some restriction on disclosure of records
in both civil and criminal types of
proceedings.
Final Rule
The final rule adopts § 2.64 as
proposed in the NPRM without further
modification.
Section 2.65—Procedures and Criteria
for Orders Authorizing Use and
Disclosure of Records To Criminally
Investigate or Prosecute Patients
Proposed Rule
Section 2.65 establishes procedures
and criteria for court orders authorizing
the use and disclosure of patient records
in criminal investigations or
prosecutions of the patient. Under
§ 2.65(a), the custodian of the patient’s
records or a law enforcement or
prosecutorial official responsible for
conducting criminal investigative or
prosecutorial activities, may apply for a
court order authorizing the disclosure of
part 2 records to investigate or prosecute
a patient. Paragraph (b) describes the
operation of notice to the holder of the
records about the application for a court
order under this section and
opportunity to be heard and present
evidence on whether the criteria in
paragraph (d) for a court order have
been met. Paragraph (d) sets forth
criteria for the issuance of a court order
under this section, including paragraph
(d)(2), which requires a reasonable
likelihood that the records would
disclose information of substantial value
in the investigation or prosecution.
Paragraph (e) sets forth requirements for
the content of a court order authorizing
the disclosure or use of patient records
for the criminal investigation or
prosecution of the patient. Paragraph
(e)(1) requires that such order must limit
disclosure and use to those parts of the
patient’s record as are essential to fulfill
the objective of the order, and paragraph
(e)(2) requires that the order limit the
disclosure to those law enforcement and
prosecutorial officials who are
responsible for, or are conducting, the
investigation or prosecution, and limit
their use of the records to investigating
and prosecuting extremely serious
crimes or suspected crimes specified in
the application.306 Paragraph (e)(3)
requires that the order include other
measures as are necessary to limit use
and disclosure to the fulfillment of only
that public interest and need found by
the court.
The Department proposed to modify
§ 2.65(a) to expand the types of
criminal proceedings related to the
enforcement of criminal laws to include
administrative and legislative criminal
proceedings for which a court order is
required for uses and disclosures of
records, and in paragraphs (a), (d)
introductory text, (d)(2), (e) introductory
text, and (e)(1) and (2), to include
testimony relaying information within
the records. The Department also
proposed a non-substantive change to
move the term ‘‘use’’ before
‘‘disclosure’’ in paragraphs (e)
introductory text and (e)(1) and (3). As
noted in the NPRM, criminal
investigations may be carried out by
executive agencies and legislative
bodies as well as in criminal
prosecutions through the judicial
process. These changes implement 42
U.S.C. 290dd–2(c), as amended by
section 3221(e) of the CARES Act by
widening the scope of confidentiality
protections for patients in all of these
forums where an investigation or action
may be brought against them.
Notably, the statute, as amended by
the CARES Act, also expressly permits
disclosures and uses of records and
testimony in legal proceedings against
the patient if a patient consents. To
address concerns about consent for use
and disclosure of records in proceedings
against the patient, the Department is
adding a separate consent requirement
in § 2.31(d), as discussed above.
Comment
Nearly half of all commenters that
addressed subpart E proposals opposed
the proposal to allow patients to consent
to the use and disclosure of their part 2
records in proceedings against the
patient. Many of these commenters
contended that permitting disclosures of
records and testimony in proceedings
against the patient, based on the
patient’s consent, only makes patients
vulnerable to coercion from law
enforcement who condition certain
outcomes in the matter underlying the
dispute on obtaining consent.
306 Section 2.63(a)(1) and (2) of the current rule
specifies that the type of crime for which an order
to disclose confidential communications could be
granted would be one ‘‘which directly threatens
loss of life or serious bodily injury, including
homicide, rape, kidnapping, armed robbery, assault
with a deadly weapon, or child abuse and neglect.’’
Thus, the use of an illegal substance does not in
itself constitute an extremely serious crime.
While several commenters
acknowledged the statutory language
that expressly allows consent for court
proceedings, most nonetheless urged the
Department not to implement the
statutory change and instead finalize a
regulatory provision that will protect
patients from law enforcement seeking
to condition outcome in criminal and
civil proceedings on signed consent
forms. Other commenters expressed
alarm that the consent provision would
further disincentivize historically
vulnerable populations experiencing
SUD, including pregnant individuals,
from seeking SUD treatment. One
commenter asserted that recipients of
records released with consent for
criminal, civil, administrative, and
legislative proceedings are lawful
holders under the regulations and
recommended they be expressly barred
from using these records or patient
information in ways that discriminate
against the patient.
Response
We appreciate the sentiments
expressed by many of these commenters
regarding the risks of a consent option.
However, the language of the statute, as
amended by the CARES Act, is clear and
unambiguous and emphasizes the
existing ability of patients to consent to
the use or disclosure of their records or
testimony within such records in legal
proceedings against them. We also view
patient consent as one of the
cornerstones of privacy protection.
Consistent with the statute and
principle of empowering the patient to
control the flow of their own
information, the existing rule at § 2.33(a)
clearly allows patient consent for
disclosure of records for any purpose,
which may include investigations and
proceedings against the patient. The
final rule expands this to encompass
consent for use of records as well as
disclosures. Additionally, in §§ 2.12 and
2.31 above, we discuss the specific
regulatory modifications that refer to
consent for legal proceedings and newly
require separate consent for use and
disclosure of records in civil, criminal,
administrative, and legislative
proceedings. We reiterate here that we
intend for references to such
proceedings to also encompass
investigations, as stated in 42 U.S.C.
290dd–2.
Comment
One commenter, a mental health
advocacy organization, commented that
the Department should establish a safe
harbor that would protect health plans
from civil and criminal penalties when
violations arise from good faith
redisclosures that comply with the
HIPAA Privacy Rule but not part 2.
According to this commenter this
provision could support sharing
information on claims databases since
there are disparate state approaches to
protecting and administering these
records.
Response
We are sympathetic to concerns
related to disparate state laws that
conflict with or overlap with this Part,
and understand the issues faced by
plans that consistently interact with or
disclose information to state claims
databases. However, we believe the
extent of our statutory authority is clear
in how this regulation only permits use
and disclosures of records and
information therein, in legal
proceedings against patients, when
consent or the requisite court order is
obtained. Having said that, under the
newly promulgated enforcement
structure required by statute, criminal
liability inures only when a willful or
knowing violation occurs. Moreover, the
crux of this requirement remains as it
did prior to this rulemaking and the
CARES Act did nothing to modify the
added protection afforded to records
that would otherwise be used to
prosecute a patient. Given the
continuity of this requirement, we
anticipate that plans and state claims
databases should have already built-in
mechanisms to accommodate this
regulation.
Comment
Approximately one-third of
commenters on this topic supported
requiring patient consent or a court
order for use and disclosure of part 2
records against a patient or a part 2
program. Some of these commenters
expressed appreciation for the expanded
protection from use and disclosure in
legislative and administrative
investigations and proceedings, and
express protection of testimony that
conveys information from part 2 records
within the consent or court order
requirements. Some commenters
expressed the sentiment that these
express and expanded protections
would serve as a counterweight to
easing the flow of part 2 records for
health care-related purposes.
Response
We appreciate these comments. As
we’ve stated above, the revised language
of this section, and our revision to
§ 2.12(d), discussed above, implement
key CARES Act statutory modifications.
We agree that the expanded protections
for testimony arising from information
contained in records, and the extension
of protection to additional types of legal
proceedings could counterbalance, in
some respects, the expanded permission
to use and disclose part 2 records
under a single consent for all future
TPO.
Comment
One commenter, a health system,
expressed support for this proposal but
suggested that a covered entity should
be able to rely and act upon a court
order issued by a court of competent
jurisdiction without potentially
incurring additional legal expenses for
an instrument compelling compliance.
Response
Consistent with our response above,
the requirement for a subpoena has been
firmly enshrined in part 2 and was not
proposed for revision in this
rulemaking.
Comment
An individual appreciated the
emphasis in the § 2.65 NPRM discussion
that ‘‘the use of an illegal substance
does not in itself constitute an
extremely serious crime’’ and
recommended reiterating that neither
substance use nor engagement in SUD
treatment services should in and of
themselves be considered evidence of
child abuse or neglect, including for
people who are pregnant.
Response
We agree and state that the regulation
continues to place emphasis on crimes
that pose threats to loss of life or serious
bodily injury, such as homicide, rape,
kidnapping, armed robbery, assault with
a deadly weapon, and child abuse and
neglect.307
Final Rule
The final rule adopts § 2.65 as
proposed without further modification.
307 See §§ 2.65(d)(1) (criteria for court issuance of
an order authorizing use and disclosure of records
in a criminal proceeding against a patient) and
2.63(a)(2) (limiting disclosure of confidential
communications to investigations or prosecution of
serious crimes).
Section 2.66—Procedures and Criteria
for Orders Authorizing Use and
Disclosure of Records To Investigate or
Prosecute a Part 2 Program or the Person
Holding the Records
Proposed Rule
The Department proposed to add a
new paragraph (a)(3) that details
procedures for investigative agencies to
follow in the event they unknowingly
obtain part 2 records during an
investigation or prosecution of a part 2
program or person holding part 2
records without obtaining a court order
as required under subpart E. Section
2.66 specifies the persons who may
apply for an order authorizing the
disclosure of patient records for the
purpose of investigating or prosecuting
a part 2 program or ‘‘person holding the
records (or employees or agents of that
part 2 program or person holding the
records)’’ in connection with legal
proceedings, how such persons may file
the application, and provides that, at the
court’s discretion, such orders may be
granted without notice to the part 2
program or patient.
In conjunction with a new definition
of ‘‘investigative agency’’ that the
Department proposed and is finalizing
in § 2.11 above, the Department
modified paragraph (a) to refer only to
‘‘investigative agency’’ as the type of
organization that may apply for an order
under this section. The new term
includes, by definition, the other types
of organizations referenced in the
current provision (i.e., state or Federal
administrative, regulatory, supervisory,
investigative, law enforcement, or
prosecutorial agency having jurisdiction
over the activities of part 2 programs or
other person holding part 2 records) as
well as local, Tribal, and territorial
agencies. The Department also proposed
a new paragraph (a)(3). The
Department’s proposed change would
require an investigative agency (other
than one relying on another disclosure
provision, such as § 2.53(e)) 308 that
discovers in good faith that it has
obtained part 2 records to secure the
records consistent with § 2.16 and
immediately cease using or disclosing
them until it obtains a court order
authorizing the use and disclosure of
the records and any records later
obtained. A court order must be
requested within a reasonable period of
time, but not more than 120 days after
discovering it received the records. As
proposed, if the agency does not seek a
court order, it must return the records
to the part 2 program or person holding
the records if it is legally permissible to
do so, within a reasonable period of
time, but not more than 120 days from
discovery; or, if the agency does not
seek a court order or return the records,
it must destroy the records in a manner
that renders the patient identifying
information non-retrievable, within a
reasonable period of time, but not more
than 120 days from discovery. Finally,
if the agency’s application for a court
order is rejected by the court and no
longer subject to appeal, the agency
must return the records to the part 2
program or person holding the records,
if it is legally permissible to do so, or
destroy the records immediately after
notice of rejection from the court.
308 Section 2.53 also permits a person to disclose
patient identifying information for the purpose of
conducting a Medicare, Medicaid, or CHIP audit or
evaluation. However, subpart E proceedings are
distinguished from those under § 2.53 in that § 2.53
audits and evaluation are limited to that conducted
by a governmental agency providing financial
assistance to a part 2 program or other lawful holder
or an entity with direct administrative control over
the part 2 program or lawful holder, and is
determined by the part 2 program or other lawful
holder to be qualified to conduct an audit or
evaluation. See § 2.53 for the provision in its
entirety.
The Department proposed in
paragraph (b) to provide an option for
substitute notice by publication when it
is impracticable under the
circumstances to provide individual
notification of the opportunity to seek
revocation or amendment of a court
order issued under § 2.66. Additionally,
the Department proposed to reorganize
paragraph (c) by expressly incorporating
the provisions from § 2.64(d) 309 that
would require an applicant to obtain a
good cause determination from a court
and adding the proposed § 2.3(b)
requirements as elements of good cause
for investigative agencies that apply for
a court order under proposed
§ 2.66(a)(3)(ii).
We note at the outset of the
discussion of comments for this section
and § 2.67 that some comments were
intertwined with comments in response
to § 2.3(b), limitation of liability for
investigative agency personnel. Those
comments are addressed above in the
discussion of comments related to
§ 2.3(b).
Comment
A large health system expressed
support for providing a remedy when an
investigative agency discovers in good
faith that it has received part 2 records,
that allows the agency to either seek a
court order or return records in lieu of
an order.
309 In addition to incorporating the provisions in
§ 2.64(d), the Department proposed a slight
modification to § 2.66(c)(1) to add that other ways
of obtaining the information would yield
incomplete information.
Response
We appreciate the comments.
Comment
Several commenters, including a
Medicaid fraud unit and a large health
system, expressed support for the
proposal to allow for substitute notice
under § 2.66 when individual notice is
infeasible or impractical. One
commenter, a state-based regional
Medicaid fraud unit, asked the
Department to consider applying the
‘‘substitute notice by publication’’
requirement retroactively.
Response
We appreciate the comments
regarding substitute notice. In
consideration of the burden that would
inure to part 2 programs and holders of
records, we decline to make this
requirement retroactive.
Comment
A state Medicaid fraud unit
recommended that it not be considered
an ‘‘investigative agency’’ as defined in
§ 2.11 and used in this section and
§ 2.67, and that it be permitted to access
records without a court order. In the
alternative, it expressed support for the
proposed safe harbor and related
procedures proposed in §§ 2.66 and
2.67.
Response
We believe that a state Medicaid fraud
unit meets the definition of
‘‘investigative agency’’ in § 2.11. The
definition that we are finalizing
provides that ‘‘[i]nvestigative agency
means a Federal, state, Tribal, territorial,
or local administrative, regulatory,
supervisory, investigative, law
enforcement, or prosecutorial agency
having jurisdiction over the activities of
a part 2 program or other person holding
part 2 records.’’ We are aware that in
some states, Medicaid fraud units are
created within state attorney general
offices under Federal authority.310
Comment
A commenter, a state-based data
center, requested that language be added
to § 2.66(a)(2), (b), and (c) to clarify that
an administrative tribunal can issue
orders under this section, and that a
separate court proceeding is not
required.
Response
As we have noted previously, we lack
authority to circumvent the statutory
requirement in 42 U.S.C. 290dd–2(c) for
a court order to authorize use and
disclosure of records for civil, criminal,
administrative, and legislative
proceedings, including administrative
tribunals.
310 See, e.g., Maryland Office of the Att’y Gen.,
‘‘Medicaid Fraud Control Unit,’’
https://www.marylandattorneygeneral.gov/Pages/MFCU/default.aspx.
Comment
One commenter, a managed care
organization, requested that the
Department require investigative
agencies to notify the program when it
unknowingly is in receipt of part 2
records but lacks the required court
order and whether it intends to seek a
court order, return, or destroy the
records. The organization also requested
clarification that the rule does not
authorize an investigative agency to
destroy records unless it has confirmed
that they are not originals.
Response
We believe the proposed rule
adequately protects the records from
misuse by requiring the person holding
the records to either return the records
in a timely manner or destroy the
records in a manner that renders the
patient identifying information non-retrievable in a timely manner. We do
not believe additional notice to the part
2 program or other holder of the record,
as described by this commenter, is
necessary and believe such a notice
would go beyond the current rule in
§ 2.66 which does not require notice to
be made until such time as a court order
is granted. We agree that it is a best
practice to confirm with the part 2
program that produced the records
whether they are originals before an
investigative agency destroys them.
Comment
One commenter, a state Medicaid
agency, recommended that the
Department include language outlining
what ‘‘good faith’’ means and what will
happen if the standard is not met.
Response
We believe it unnecessary to define in
regulation the phrase ‘‘good faith,’’
which is required to support a finding
that an investigative agency
unknowingly acquired part 2 records in
the course of an investigation in § 2.66,
§ 2.67, or a finding that the safe harbor
applies to shield from liability
investigators who are holding such
records.311 We believe the phrase is
generally understood to mean without
malice or without bad intent. We also
believe that the operation of this
provision is clear, in the event a finding
of good faith is not met. First, if
investigators are found to have acted in
bad faith in obtaining the part 2 records,
penalties could result. Second, in
§§ 2.66 and 2.67, a finding of good faith
is necessary to trigger the ability of the
agency to apply for a court order to use
records that were previously obtained.
311 See our NPRM discussion at 87 FR 74216,
74227 where we stated, ‘‘The proposed safe harbor
could promote public safety by permitting
government agencies to investigate or prosecute
Part 2 programs and persons holding Part 2 records
for suspected criminal activity, in good faith
without risk of HIPAA/HITECH Act penalties.’’
Comment
One commenter, an advocacy
organization, requested that additional
protections be added to § 2.66 (as well
as § 2.3) for cloud service providers
(CSPs). Such protections, the
commenter believed, would apply to a
‘‘person holding the record’’ who
coordinates with the SUD data owner
(to the extent permitted by the legal
request) and, despite such coordination
unknowingly makes a record available
in response to an investigatory court
order or subpoena. This same
commenter further requested that the
Department allow CSPs to, at their
discretion: (1) require requestors of
records to certify or attest that, to the
best of the requestor’s knowledge, part
2 records are not part of the request or
that information sought will not be used
as part of proceedings against a patient
of a part 2 program; and (2) rely on such
certifications or attestations of
requestors when making disclosures in
response to an investigatory court order
or subpoena.
Response
We understand the challenges faced
by CSPs and agree that under some
circumstances they may be treated as
the ‘‘person holding the record’’ under
this regulation. However, under many
service agreements the person that
stores data in a CSP system is the one
with the legal capability to disclose the
data. We decline to adopt additional
rules for CSPs that are different than the
rules for other lawful holders of a part
2 record. The rule does not prevent a
person holding the record from inquiring of
the requestor whether they have
knowledge as to the nature of the
records within the scope of the request.
However, we believe that a holder of the
record, as a baseline, has some
responsibility to know whether they are
maintaining records that are PHI or
subject to part 2. We also believe that in
most cases, a CSP should be acting
under the purview of a valid business
associate agreement or other contract
that specifies the particular protections
needed with respect to the type of data
being held and disclosed.312
Comment
One commenter, a medical
professionals association, expressed
concern that the patient notification
process is insufficient (including under
existing policies). In particular,
according to this commenter the
notification process may be problematic
for those patients who lack mailing
addresses, and it is not clear that the
allowance for substitute notice by
publication would increase its
effectiveness. Instead, this commenter
recommended instituting further notice
requirements such as more detailed
information provided to part 2 patients
regarding the potential for court-ordered
disclosure of records, the absence of an
initial notice requirement, and the
potential for substitute notice by
publication. This same commenter
recommended such information be
included in the HIPAA NPP and
included on the part 2 program’s
website; further, if a part 2 program
comes under investigation and receives
a court order authorizing disclosure, the
part 2 program be required to post
information on its website regarding the
investigation and court order.
Response
We assume the crux of this comment
is that the proposal does not account for
an initial notice to a patient upon an
application for a court order by a person
seeking to use or disclose the patient’s
record. We disagree that the regulation
does not provide for adequate notice to
patients and part 2 programs about the
entry of court orders. With respect to
patients, we have proposed and are
finalizing in a revised Patient Notice
required by § 2.22 a requirement that
part 2 programs include in the Patient
Notice a statement such as ‘‘[r]ecords
shall only be used or disclosed based on
a court order after notice and an
opportunity to be heard is provided to
the patient or the holder of the record,
where required by 42 U.S.C. 290dd–2
and this part’’. We believe this
statement provides adequate notice to
the patient such that the patient is made
aware that he or she will be provided
with some type of notice in the event a
court order authorizes a use or
disclosure of the patient’s records. As
we have stated above, the HIPAA
Privacy Rule proposed modifications
and public comments will be
considered in a separate rulemaking.
312 See U.S. Dep’t of Health and Human Servs.,
‘‘Guidance on HIPAA & Cloud Computing’’ (Dec.
23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/ (‘‘The
BAA also contractually requires the business
associate to appropriately safeguard the ePHI,
including implementing the requirements of the
Security Rule.’’ From an enforcement standpoint,
we would apply this same principle to any
agreement between a CSP and originator of part 2
data under part 2 obligations.).
While we agree with the sentiment
that website notice of a court ruling
permitting use or disclosure of a patient’s
records is generally reasonable, we
decline to adopt this as a regulatory
requirement. Given the court
involvement in these proceedings, we
believe it best left to the discretion of
the court to determine the means of
substitute notice that is reasonable
under the specific circumstances that
exist at the time.
Comment
One individual expressed negative
views about this section and opined that
the Department’s proposed new
paragraph § 2.66(a)(3) is not related to
any requirement in the CARES Act. It is
instead, according to this commenter, a
means to excuse efforts by investigative
agencies that fail to presume, as they
should, that an investigation of a part 2
program would result in obtaining part
2 records. This commenter further
recommended that the investigative
agency be required to seek court
authorization prior to any investigation
and that the good faith standard is
‘‘disingenuous.’’ Finally, this
commenter opined that the proposed
option in § 2.66(b) for a substitute notice
by publication when it is deemed
‘‘impracticable’’ under the
circumstances to provide individual
notification of the opportunity to seek
revocation or amendment of a court
order runs counter to the protection of
patients in that an ability to locate a
patient should not diminish their right
to confidentiality.
Response
We understand the underlying
concerns expressed in this comment
and in response, are making some
additional modifications to the
proposed rule as discussed below. Also,
in response, we point to the robust
requirements that relate to obtaining the
court order under paragraph (c) of this
section, including that other ways of
obtaining the information are not
available (or would not be effective or
would yield incomplete results), there is
a public interest that outweighs
potential injury to the patient, and the
required diligence that must be
exercised on the part of the investigative
agency related to determining the
application of this part. Additionally,
with respect to substitute notice, it is
only permitted once it is determined
that individual notice is not available.
Further, we assume that agencies
obtaining a court order under § 2.66
have already complied with the
requirement to use a pseudonym for the
patient in the application for the court
order (or to ensure the court seals the
record of the proceedings) and expect
them to comply with the requirement
not to disclose any patient identifying
information in any public mention of
the court order, which would include
any public form of substitute notice.
Final Rule
We are appreciative of the many
comments in response to this section,
but as we note above, the requirement
of a court order or consent to make uses
and disclosures regulated under this
section has not changed, despite the
widening of application to types of
proceedings and testimony contained in
records. In addition, as proposed, this
change is consistent with the revised
statute. The final rule therefore adopts
§ 2.66 as proposed with one additional
modification. We are modifying
paragraph (c)(3) to clarify that with
respect to an application pursuant to
§ 2.66(a)(3)(ii), it is not permissible to
use information from records obtained
in violation of part 2 to support an
application for a court order under 42
U.S.C. 290dd–2(b)(2)(C). We adopted
this modification in response to
commenters’ concerns about the
potential misuse of the safe harbor
established in § 2.3(b) by investigative
agencies. We are adding this express
prohibition on the use of records
obtained in violation of part 2 to
counterbalance the latitude provided to
investigative agencies and to
disincentivize improper uses of
information to support applications for
court orders.
Section 2.67—Orders Authorizing the
Use of Undercover Agents and
Informants To Investigate Employees or
Agents of a Part 2 Program in
Connection With a Criminal Matter
Proposed Rule
Section 2.67 authorizes the placement
of an undercover agent in a part 2
program as an employee or patient by
law enforcement or a prosecutorial
agency pursuant to court order when the
law enforcement organization has
reason to believe the employees of the
part 2 program are engaged in criminal
misconduct. Paragraph (a) authorizes
the application of an order by law
enforcement or prosecutorial agencies
for placement of undercover agents or
informants in part 2 program based on
reason to believe criminal activity is
taking place. Paragraph (c) includes the
‘‘good cause’’ criteria by which an order
under this section may be entered.
The Department proposed to replace
the phrase ‘‘law enforcement or
prosecutorial’’ with ‘‘investigative’’ in
paragraph (a), and clarify that the good
cause criteria for a court order in
paragraph (c)(2) includes circumstances
when obtaining the evidence another
way would ‘‘yield incomplete
evidence.’’ The Department also
proposed to create a new paragraph
(c)(4) addressing investigative agencies’
retroactive applications for a court order
authorizing placement of an undercover
informant or agent to investigate a part
2 program or its employees when
utilizing the safe harbor under § 2.3.
This provision would require the
investigative agency to satisfy the
conditions at proposed § 2.3(b) before
applying for a court order for part 2
records after discovering that it
unknowingly had received such records.
Comment
An individual commenter expressed
strong concern that proposed § 2.67
represents an unnecessary concession to
law enforcement. Citing what this
individual believes to be a prior
concession in the 2020 rulemaking
related to an extension of time from six
to twelve months in which an
undercover agent could be placed in a
part 2 program,313 this commenter
expressed the belief that this proposal
relies on a second concession, grounded
in ‘‘convenience’’ for law enforcement
that uses the ‘‘good cause’’ criteria for a
court order in paragraph (c)(2) as a
justification circumstance when
obtaining the evidence another way
would ‘‘yield incomplete evidence.’’
This commenter specifically objected to
modifying the current in paragraph
(c)(2) by adding ‘‘or would yield
incomplete evidence’’ after ‘‘other ways
of obtaining evidence of the suspected
criminal activity are not available or
would not be effective.’’
Response
We appreciate the sentiment
expressed in this comment, but believe
that the newly imposed statutory civil
penalties require us to consider, and
finalize, a more workable standard for
law enforcement. We also believe that
the commenter fails to appreciate the
difficulty in determining at times
whether a health care entity has records
that are subject to part 2. The need for
a means for law enforcement to
investigate crimes related to activity by
part 2 programs or their employees
remains a reality, as does the need to
keep sensitive records confidential.
Overall, we believe that because the
standard applied will be adjudicated by
a court of competent jurisdiction from
which appeals may be taken, the
modified criteria is appropriate.
Comment
Several commenters, including a large
health system and managed care
organization, expressed support for the
requirement that an investigative agency
placing an undercover agent or
informant must seek a court order and
promote strict adherence to the
requirements, including limitations and
restrictions on uses and disclosures of
part 2 information, of the court order.
One of the commenters asserted that, if
finalized, the proposal may ensure
appropriate conduct by local and state
agencies.
Response
We appreciate the comments.
Comment
One commenter, a regional state-based Medicaid fraud unit,
recommended that the Department
define or issue guidance about the
meaning of ‘‘yield incomplete
evidence.’’
Response
Paragraph (c)(3) addresses one of the
criteria under which a court must make
a good cause determination for the entry
of an order permitting placement of an
undercover agent by an investigative
agency, and requires a finding that other
ways of obtaining information are not
available or would ‘‘yield incomplete
evidence.’’ We believe the court
evaluating the application of this
criteria is best situated to determine the
facts and whether said facts support this
finding.
Final Rule
The final rule adopts § 2.67 as
proposed with one additional
modification to paragraph (c)(4) to
clarify that with respect to an
application submitted after the
placement of an undercover agent or
informant has already occurred, the
applicant is prohibited from using
information from records obtained in
violation of part 2 by that undercover
agent or informant. We adopt this
modification in response to those public
comments expressing concern about the
potential for misuse of the limitation on
liability established in § 2.3(b) to
persons who under the purview of
investigative agencies, are granted safe
harbor for unknowingly and in good
faith obtaining part 2 records. Similar to
our consideration of comment in
response to § 2.66, we believe the
express prohibition on the use of
records obtained in violation of part 2
will disincentivize improper uses of
information to support applications for
court orders.
313 85 FR 42986, 43039.
Section 2.68—Report to the Secretary
Proposed Rule
The Department proposed to create a
new § 2.68 to require investigative
agencies to file an annual report with
the Secretary of the applications for
court orders filed after obtaining records
in an investigation or prosecution of a
part 2 program or holder of records
under § 2.66(a)(3)(ii) and after
placement of an undercover agent or
informant under § 2.67(c)(4). The report
as proposed would also include the
number of instances in which such
applications were denied due to
findings by the court of violations of
this part during the calendar year, and
the number of instances in which the
investigative agency returned or
destroyed part 2 records following
unknowing receipt without a court
order, in compliance with
§ 2.66(a)(3)(iii), (iv), or (v), respectively
during the calendar year. The
Department proposed that such reports
would be due within 60 days following
the end of the calendar year. The
comments and the Department’s
responses regarding § 2.68 are set forth
below.
Comment
A state government asserted that
requiring investigative agencies to file
an annual report of the number of
applications for court orders, the
number of requests for court orders
denied, and the number of instances of
records returned following unknowing
receipt without a court order could be
extremely time consuming and unduly
burdensome. Further, according to this
commenter, calendar year reporting of
this data does not align with Federal
and state fiscal year reporting causing
additional burden on investigative
agencies.
Response
We appreciate the comment. An
investigative agency should file a court
order in advance of receiving part 2
records or placing an undercover agent
or informant in a part 2 program in
accordance with §§ 2.66 and 2.67,
respectively. A report is only required
for investigative agencies that discover
in good faith that they received part 2
records that required a court order in
advance and a court order was not
initially sought. Additionally, we did
not receive data in public comments
from investigative agencies about how
frequently this occurs, and we will
monitor this requirement after the final
rule to gain an understanding of how
widespread these retroactive discoveries
are. To limit the burden, the Department
has made this an annual report, rather
than per incident reporting, with 60
days to compile the data after the end
of the calendar year. And the calendar
year reporting aligns with the HIPAA
breach reporting requirements for
breaches of unsecured PHI affecting
fewer than 500 individuals. Also, the
Federal, state, and local fiscal year
reporting dates may differ across
jurisdictions, and it is not feasible for
the Department to align all reporting
dates.
Comment
The Department received a few
supportive comments about the benefits
to the annual reporting requirement
which may include: assuring
appropriate conduct by local and state
investigative agencies; assuring ongoing
compliance; auditing the use of the
limitation on liability within this
regulation; and promoting the privacy
and security of part 2 information.
Response
We appreciate the comments.
Comment
One commenter asked: (1) how the
Department will advise Federal, state,
and local law enforcement about the
requirement to submit annual reports;
(2) what the consequences of failing to
submit an annual report will be; (3)
what the purpose is and what criteria
the Department will apply; and (4) how
the Department will use the information
in the annual reports to safeguard
patient privacy rights and improve law
enforcement’s understanding of the rule.
Response
We appreciate the comment. A report
is only required for investigative
agencies that discover in good faith that
they have received part 2 records for
which a court order was required in
advance and that a court order was not
initially sought. We do not have data on
how frequently this occurs and one
purpose of the requirement is to gain an
understanding of how widespread these
retroactive discoveries are. The
consequences of failing to meet the
reporting requirement are the same as
for other violations of the part 2 rule
under the newly established penalties
which utilize the four culpability tiers
that are applied to HIPAA violations;
however, part 2 programs, covered
entities, and business associates that
create or maintain part 2 records are the
primary focus of this regulation. In
determining compliance with the safe
harbor reporting requirement, the
Department would focus on an
investigative agency rather than an
employee of that agency. The
Department will provide guidance or
instructions on how to submit the
reports to the Secretary on its website
and through press releases and OCR
listserv announcements.314 The
reporting obligation is not intended to
be a public reporting requirement, but
for the Department’s internal use in
evaluating the utility and effectiveness
of the safe harbor provision in § 2.3. The
Department will review the annual
reports and consider what guidance or
other resources are needed by
investigative agencies that are lawful
holders of part 2 records.
Final Rule
The final rule adopts the proposed
language of new § 2.68, without
modification.
Re-Ordering ‘‘Disclosure and Use’’ to
‘‘Use and Disclosure’’
Proposal
The Department proposed throughout
the NPRM to re-order the terms
‘‘disclosure and use’’ in the part 2
regulation to ‘‘use and disclosure.’’ 315
The new order of these terms is
consistent with their usage in the
HIPAA Privacy Rule which generally
regulates the ‘‘use and disclosure’’ of
PHI and relies on the phrase as a term
of art.316
Comment
The Department received no
substantive comments other than a few
commenters that expressed general
support for re-ordering terms to align
with the HIPAA Privacy Rule.
Final Rule
The final rule adopts each proposal to
re-order these terms,317 although not
discussed in detail here. As stated in the
NPRM, we believe these changes fall
within the scope of our regulatory
authority and further the intent and
implementation of the CARES Act by
improving the ability of regulated
entities to use and disclose records
subject to protection by part 2 and
HIPAA.
314 OCR has established two listservs to inform
the public about health information privacy and
security FAQs, guidance, and technical assistance
materials. To sign up for the OCR Privacy &
Security Listserv, visit:
https://www.hhs.gov/hipaa/for-professionals/list-serve/.
315 See 87 FR 74216, 74225, fn 109.
316 Consistently, the Department refers to ‘‘uses
and disclosures’’ or ‘‘use and disclosure’’ in the
HIPAA Privacy Rule. See, e.g., 45 CFR 164.502 Uses
and disclosures of protected health information:
General rules.
317 See final regulatory text for § 2.2(a)(2) and (3)
and (b)(1); § 2.12(c)(5) and (6); § 2.13(a) and (b);
§ 2.21(b); § 2.34(b); § 2.35(d); § 2.53(a), (b)(1)(iii),
(e)(1)(iii), (e)(6), (f); subpart E heading; § 2.61(a);
§ 2.62; § 2.65 heading, (a), (d), (e) introductory text,
and (e)(1) and (3); § 2.66 heading, (a)(1), and (d).
Inserting ‘‘Use’’ or ‘‘Disclose’’ To Reflect
the Scope of Activity
Proposal
The Department also proposed to add
the term (or related forms of the term)
‘‘use’’ where only the term ‘‘disclose’’
was present in the part 2 regulation or
in some cases the term ‘‘disclose’’ (or
related forms) where only the term
‘‘use’’ was present.318 This proposed
change was intended to more accurately
describe the scope of the activity that is
the subject of the regulatory provision.
In the NPRM, the Department described
these changes as non-substantive, but
we did receive comments opining in
some instances that adding the term
‘‘use’’ in particular, changes the scope of
part 2. We also explained in the NPRM
that we believe these changes are
necessary to align with changes made to
42 U.S.C. 290dd–2(b)(1)(A), as amended
by section 3221(b) of the CARES Act
(providing that part 2 records may be
used or disclosed in accordance with
prior written consent); to 42 U.S.C.
290dd–2(b)(1)(B) and (b)(1)(C), as
amended by section 3221(b) of the
CARES Act (providing that the contents
of part 2 records may be used or
disclosed by covered entities, business
associates, or part 2 programs as
permitted by the HIPAA regulations for
TPO purposes); and to 42 U.S.C. 290dd–
2(c), as amended by section 3221(e) of
the CARES Act (prohibiting disclosure
and use of part 2 records in proceedings
against the patient).
318 See 87 FR 74216, 74225, fn 111.
Overview of General Comments
The Department requested comment
on these proposed modifications and
received generally supportive or
positive comments in response. Several
commenters suggested the Department
go further than the proposed changes
and the proposed definition of ‘‘use’’ by
adopting the HIPAA definitions of
‘‘use’’ and ‘‘disclosure’’ to further align
part 2 with the HIPAA regulations. A
few HIE associations indicated that they
did not believe that the addition of
‘‘use’’ or ‘‘uses’’ to existing regulatory
text would substantively expand the
scope of requirements and prohibitions
where previously the text stated only
‘‘disclosure.’’ One commenter stated the
addition of ‘‘use’’ or ‘‘uses’’ may
actually narrow the scope for which part
2 data can be obtained, as disclosure
does not require the implication that the
data is being used for TPO and could
just be held by an entity. A state agency
said that it would not anticipate adverse
consequences to part 2 programs or to
its own operations from the revisions
throughout the rule that add the terms
‘‘use’’ or ‘‘uses’’ to references to
‘‘disclose’’ or ‘‘disclosure.’’
A health plan said that these changes
may limit confusion around obligations
with respect to ‘‘use’’ and ‘‘disclose.’’
The plan said that these words are often
considered terms of art in contracts and
other privacy-related policies and
documents. As such, clarifying when
requirements apply to either or both
terms by re-ordering or adding such
terms to provisions may help covered
entities and their business associates
better understand their regulatory
requirements under a final rule.
Another health plan supported these
changes asserting that with this
understanding, a part 2 record could be
both used and disclosed for purposes
related to the provision of care, but also
for purposes such as the initiation of a
legal proceeding. This change, the
commenter said, can be supported by
revising the definition within the
HIPAA regulations.
An advocacy organization agreed with
the Department that these changes are
not substantive in nature, given that
under part 2 and HIPAA, ‘‘use’’ and
‘‘disclosure’’ can be mutually exclusive,
independent actions, and that the
proposed definition of ‘‘use’’ is
inclusive of the historical definition of
‘‘use’’ related to legal proceedings under
part 2. A provider said this change adds
clarity and better aligns the proposed
rule with HIPAA terminology.
A health IT vendor had no concerns
with expanding the focus of the part 2
regulations to make reference to uses in
addition to disclosures in the regulatory
text in a manner consistent with the
HIPAA Privacy Rule construction for
how uses and disclosures are defined
and used throughout the HIPAA Privacy
Rule. The commenter opined that part 2
regulations have not addressed the uses
of SUD records for purposes within part
2 programs as they have focused on how
disclosure and redisclosure of part 2
records must be handled. However, the
proposed changes seem appropriate to
this commenter for purpose of parallel
structure and regulatory consistency
between part 2 and the HIPAA Privacy
Rule.
A provider contended that this change
is necessary and within the
Department’s regulatory authority, even
if not expressly included in the CARES
Act. A health system characterized this
proposal as a good basic change that sets
the stage for several other proposed
changes toward meeting the goal of
aligning with HIPAA. This change also
may help reduce the existing differences
in describing how we manage and
protect our patient’s health information,
across service locations.
Comment on Specific Sections
• A few commenters expressed
support for proposed changes to replace
the phrase ‘‘disclosure and use’’ by re-ordering the phrase to ‘‘use or
disclosure’’ at § 2.2(a) introductory text,
(a)(4), and (b)(1), to align the language
with that used in the HIPAA Privacy
Rule.
• A health plan expressed support for
proposed changes to § 2.13 for adding
the term ‘‘use’’ to clarify that
confidentiality restrictions and
safeguards apply to both uses and
disclosures.
• A few commenters expressed
support for adding the term
‘‘disclosure’’ to § 2.23.
Response
We appreciate the comments about
these changes. We decline to adopt the
HIPAA formal definitions for the terms
‘‘use’’ or ‘‘disclosure’’ or change the
definitions of the terms in the HIPAA
Privacy Rule as we believe their
application is understood as applied to
part 2 records and PHI, respectively.
The overall sentiment of the comments
is that these modifications bring clarity
and the understanding about how the
terms are used across the two
regulations. The Department disagrees
with the suggestion that adding the term
‘‘use’’ in some cases may narrow the
scope of activity under part 2. In no
regulatory provision are we changing
the term ‘‘disclose’’ to ‘‘use’’ and we
remind stakeholders that many TPO
activities contemplate ‘‘uses.’’
Overview of Final Rule
The final rule adopts all proposed
modifications to add the term ‘‘use’’ or
some form of it or ‘‘disclose’’ or some
form of it to the scope of certain covered
activities under part 2. The Department
also defines the term ‘‘use’’ in regulation
(discussed above in § 2.11).319 As
discussed in the NPRM, historically, the
part 2 regulation associated ‘‘use’’ with
the initiation of legal proceedings
against a patient and associated
‘‘disclosure’’ with sharing records to an
external entity. In contrast, the HIPAA
Privacy Rule applies the term ‘‘use’’ to
refer to internal use of health
information within an entity, such as
access by staff members.320 The part 2
and HIPAA definitions for the term
‘‘disclose’’ are fairly consistent 321 and
therefore a part 2 record can be both
used and disclosed for purposes related
to the provision of health care and for
purposes such as the initiation of a legal
proceeding. Where made, these changes
are also consistent with section 3221(b)
of the CARES Act that addresses
permissions and restrictions for both
uses and disclosures of records for TPO
purposes by part 2 programs and
covered entities, and proscribes the
rules related to certain legal
proceedings.
319 See final regulatory text of: § 2.2(a)(2) and (3)
and (b)(1); § 2.12(a)(1) and (2), (c)(3) and (4), (d)(2)
and (3), (e)(3); § 2.13(a); § 2.14(a) and (b);
§ 2.15(a)(2) and (b); § 2.17(b); § 2.20; § 2.23 heading
and (b); subpart C heading; § 2.31(a) introductory
text and (a)(4)(ii)(B); § 2.32(a)(2); § 2.33 heading, (a),
and (b); § 2.34 heading; subpart D heading; § 2.52(a);
§ 2.53(a)(5); § 2.61(a) and (b)(1) and (2); § 2.64
heading, (a), (d)(2), and (e); § 2.65(a), (d)
introductory text, (d)(2), (e) introductory text, (e)(1)
and (2); § 2.66(d)(2); § 2.67(d)(3) and (e).
320 87 FR 74232.
321 42 CFR 2.11, definition of ‘‘Disclose.’’ 45 CFR
160.103, definition of ‘‘Disclosure.’’
Antidiscrimination Protections, Stigma
and Discrimination
Overview
As noted in the NPRM and above,
paragraph (g) of section 3221 of the
CARES Act, Antidiscrimination, adds a
new provision (i)(1) to 42 U.S.C. 290dd–
2 to prohibit discrimination against an
individual based on their part 2 records.
We stated in the NPRM and reiterate
that the Department intends to develop
a separate rulemaking to implement the
CARES Act antidiscrimination
prohibitions. Nonetheless, we received
several comments on antidiscrimination
requirements as well as more general
concerns about stigma and
discrimination. While these comments
are outside the scope of this rulemaking,
we briefly summarize and respond to
these comments below.
Comments and Response
Comments we received on
antidiscrimination issues addressed
such topics as:
• Antidiscrimination rulemaking
• Harmful consequences to patients
• Increased reluctance to enter SUD
treatment
• Stigma and discrimination in the
context of criminalization and racial
disparities
• Statistics on stigma and
discrimination
• Unwillingness to disclose SUD
treatment
• Timing of SUD treatment regulatory
framework
• Considering stigma in regulatory
updates
Some commenters, including medical
professionals associations, advocacy
organizations, a trade association, a
government agency, a provider-other, a
health system, SUD providers, a
consultant, a researcher, a law
enforcement organization, and
individuals urged the Department to
expedite the rulemaking implementing
the CARES Act antidiscrimination
protections, or to put this rulemaking on
hold until the antidiscrimination
protections are in place. Some
commenters such as SUD providers,
recovery organizations, individuals, and
advocacy organizations also expressed
concern about significant stigma
associated with SUD and SUD
treatment. Several commenters,
including advocacy organizations, a
professional association, a government
agency, and a health plan, cited reports,
survey results, and statistics they
believed reflect the stigma associated
with addiction that continues to
influence the perceptions and behaviors
of health care professionals and
continues to influence patients to avoid
SUD treatment.
Commenters described the many
potential adverse outcomes that they say
privacy protections help prevent,
including discrimination in child
custody, denial of life insurance, loss of
employment, discrimination in health
care decision making, and criminal
charges, among many others. Some
commenters also asserted that under the
current regulations there are patients
that are unwilling to disclose SUD
treatment to caregivers or unwilling to
enter treatment due to the concern
surrounding stigma and discrimination.
Several commenters, including a
mental health provider, medical
professionals’ associations, and a few
individuals, suggested that the proposed
rule may increase the reluctance of
patients to seek help for SUD.
Commenters pointed to such potential
issues as patients being unsure of how
information will be used or having SUD
information used against them.
Additionally, several commenters,
including an advocacy organization, and
individual commenters addressed the
effects of stigma and discrimination
related to SUD and SUD treatment in
the context of criminalization and racial
disparities.
Most commenters also addressed
issues other than antidiscrimination
topics and their comments on other
provisions of part 2 were fully
considered along with other comments
received to the NPRM docket.
Response
We acknowledge and appreciate
comments asking us to expedite
promulgation of the required
antidiscrimination provisions and
raising concerns about the continued
impacts of discrimination and stigma
within health care and other settings. As
noted, we intend to issue a separate
proposed regulation for part 2
antidiscrimination provisions after this
rule is finalized. For that reason, as
detailed in the NPRM, we also decline
to hold publication of this rule until the
antidiscrimination provisions also are
proposed and finalized. As explained,
comments on the NPRM concerning
antidiscrimination requirements are
beyond the scope of this rulemaking.
However, we will take all comments
received into account as we issue the
forthcoming antidiscrimination
provisions of part 2. We further
encourage these commenters and others
to provide input on the forthcoming
proposed rule containing the
antidiscrimination provisions.
V. Regulatory Impact Analysis
A. Executive Orders 12866 and 13563
and Related Executive Orders on
Regulatory Review
The Department has examined the
impact of the final rule as required by
Executive Order (E.O.) 12866 on
Regulatory Planning and Review as
amended by E.O. 14094, 58 FR 51735
(October 4, 1993); E.O. 13563 on
Improving Regulation and Regulatory
Review, 76 FR 3821 (January 21, 2011);
E.O. 13132 on Federalism, 64 FR 43255
(August 10, 1999); E.O. 13175 on
Consultation and Coordination with
Indian Tribal Governments, 65 FR
67249 (November 9, 2000); the
Congressional Review Act, Public Law
104–121, sec. 251, 110 Stat. 847 (March
29, 1996); the Unfunded Mandates
Reform Act of 1995, Public Law 104–4,
109 Stat. 48 (March 22, 1995); the
Regulatory Flexibility Act, Public Law
96–354, 94 Stat. 1164 (September 19,
1980); E.O. 13272 on Proper
Consideration of Small Entities in
Agency Rulemaking, 67 FR 53461
(August 16, 2002); the Assessment of
Federal Regulations and Policies on
Families, Public Law 105–277, sec. 654,
112 Stat. 2681 (October 21, 1998); and
the Paperwork Reduction Act (PRA) of
1995, Public Law 104–13, 109 Stat. 163
(May 22, 1995).
E.O.s 12866 and 13563 direct us to
assess all costs and benefits of available
regulatory alternatives and, when
regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health
and safety, and other advantages;
distributive impacts; and equity).
Section 3(f) of E.O. 12866 (as amended
by E.O. 14094) defines a ‘‘significant
regulatory action’’ as any regulatory
action that is likely to result in a rule
that may: (1) have an annual effect on
the economy of $200 million or more
(adjusted every 3 years by the
Administrator of the Office of
Information and Regulatory Affairs
(OIRA) for changes in gross domestic
product); or adversely affect in a
material way the economy, a sector of
the economy, productivity, competition,
jobs, the environment, public health or
safety, or State, local, territorial, or
Tribal governments or communities; (2)
create a serious inconsistency or
otherwise interfere with an action taken
or planned by another agency; (3)
materially alter the budgetary impact of
entitlements, grants, user fees, or loan
programs or the rights and obligations of
recipients thereof; or (4) raise legal or
policy issues for which centralized
review would meaningfully further the
President’s priorities or the principles
set forth in this E.O., as specifically
authorized in a timely manner by the
Administrator of OIRA in each case.
This final rule is partially regulatory
and partially deregulatory. The
Department estimates that the effects of
the final rule for part 2 programs would
result in new costs of $26,141,649
within 12 months of implementing the
final rule. The Department estimates
these first-year costs would be partially
offset by $13,421,556 of first year cost
savings, attributable to reductions in the
need for part 2 programs to obtain
written patient consent for disclosures
for treatment, payment, or health care
operations (TPO) ($10.3 million);
reductions in the need for covered
entities, business associates, and part 2
programs to obtain written patient
consent for redisclosures ($2.6 million);
and reductions in capital expenses for
printing consent forms ($0.5 million).
This results in an estimated net cost of
$12,720,093 in the first year of the rule.
This is followed by net savings of
approximately $5.2 to $5.4 million
annually in years two through five,
resulting from a continuation of first-year cost saving of $13.4 million per
year, minus varying Federal costs at
approximately $2.3 to $2.6 million in
years 1 to 5 and the estimated annual
costs of $5.7 million primarily
attributable to compliance with
attaching consent forms with every
disclosure and breach notification
requirements. This results in overall net
cost savings of $8,445,536 over 5 years
for changes to 42 CFR part 2.
The Department estimates that the
private sector would bear approximately
60 percent of the costs, with state and
Federal health plans bearing the
remaining 40 percent of the costs. All of
the cost savings experienced from the
first year through subsequent years
would benefit part 2 programs and
covered entities. This final rule is a
significant regulatory action, under sec.
3(f) of E.O. 12866 (as amended by E.O.
14094). Accordingly, the Office of
Management and Budget (OMB) has
reviewed this final rule.
The Department presents a detailed
analysis below.
Summary of the Final Rule
This final rule modifies 42 CFR part
2 (‘‘part 2’’) to implement changes
required by section 3221 of the
Coronavirus Aid, Relief, and Economic
Security (CARES) Act, to further align
part 2 with the Health Insurance
Portability and Accountability Act of
1996 (HIPAA) Rules, and for clarity and
consistency. Major changes are
summarized in the preamble.
The Department estimates that the
first-year costs for part 2 programs will
total approximately $26.1 million in
2022 dollars. These first-year costs are
attributable to part 2 programs training
workforce members on the revised
requirements ($13.3 million); capital
expenses ($0.9 million); compliance
with breach notification requirements
($1.6 million); updating Patient Notices
($2.6 million); attaching consent forms
for disclosures (2.9 million); updating
consent forms ($1.7 million); updating
the notice to accompany disclosures
($0.7 million); and costs to the
Department for part 2 enforcement and
compliance ($2.3 million). It also
includes nominal costs for responding
to requests for privacy protection,
providing accounting of disclosures,
$32,238 for receiving complaints, and
$61,726 for investigative agencies to file
reports to the Secretary. For years 2
through 5, the estimated annual costs of
$5.7 million are primarily attributable to
compliance with attaching consent
forms and breach notification
requirements and related capital
expenses, on top of variable Federal
costs amounting to roughly $2.3 to $2.5
million from years 1 to 5.
The Department estimates annual cost
savings of $13.4 million per year, over
5 years, attributable to reductions in the
need for part 2 programs to obtain
written patient consent for disclosures
for TPO ($10.3 million), reductions in
the need for covered entities and
business associates to obtain written
patient consent for redisclosures ($2.6
million), and reductions in capital
expenses for printing consent forms
($0.5 million).322
The Department estimates net costs
for part 2 programs totaling
approximately $12.7 million in the first
year followed by net savings of
approximately $5.4 to $5.2 million in
years 2 to 5, resulting in overall net cost
savings of approximately $8.4 million
over 5 years. The yearly costs, cost-savings and net for part 2 are displayed
in Table 1 below.
Table 1. Part 2 Estimated 5-Year Costs and Cost-Savings, Undiscounted, in Millions.
Total Part 2 Costs and Cost-Savings (2022 dollars)

| | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| Total, Costs | $26.1 | $8.0 | $8.1 | $8.2 | $8.2 | $58.7 |
| Total, Cost-Savings | $13.4 | $13.4 | $13.4 | $13.4 | $13.4 | $67.1 |
| Net (negative = savings) | $12.7 | ($5.4) | ($5.3) | ($5.3) | ($5.2) | ($8.4) |

322 Totals in this Regulatory Impact Analysis may
not add up due to showing rounded numbers in the
tables.
Need for the Final Rule
On March 27, 2020, Congress enacted
the CARES Act as Public Law 116–136.
Section 3221 of the CARES Act
amended 42 U.S.C. 290dd–2, the statute
that establishes requirements regarding
the confidentiality and disclosure of
certain records relating to SUD, and
section 3221(i) of the CARES Act
requires the Secretary to promulgate
regulations implementing those
amendments.323 With this final rule, the
Department changes part 2 to
implement section 3221 of the CARES
Act, increase clarity, and decrease
compliance burdens for regulated
entities. The Department believes the
changes will reduce the need for data
segmentation within entities subject to
the regulatory requirements
promulgated under part 2.
323 Section 3221(i) of the CARES Act requires
implementation on or after the date that is 12
months after the enactment of the CARES Act, i.e.,
March 27, 2021.
Significant differences in the
permitted uses and disclosures of part 2
records and protected health
information (PHI) as defined under the
HIPAA Privacy Rule contribute to
ongoing operational compliance
challenges. For example, under the
previous rule, entities subject to part 2
must obtain prior written consent for
most uses and disclosures of part 2
records, including for TPO, while the
HIPAA Privacy Rule permits many uses
and disclosures of PHI without
authorization. Therefore, to comply
with both sets of regulations, HIPAA
covered entities subject to part 2 must
track and segregate part 2 records from
other health records (e.g., records that
are protected under the HIPAA
regulations but not part 2).324
In addition, once PHI is disclosed to
an entity not covered by HIPAA, it is no
longer protected by the HIPAA
regulations. In contrast, part 2 strictly
limits redisclosures of part 2 records by
individuals or entities that receive a
record directly from a part 2 program or
other ‘‘lawful holder’’ of patient
identifying information, absent written
patient consent.325 326 Therefore, any
part 2 records received from a part 2
program or other lawful holder must be
segregated or segmented from non-part
2 records.327 The need to segment part
2 records from other health records
created data ‘‘silos’’ that hamper the
integration of SUD treatment records
into entities’ electronic record systems
and billing processes, which in turn
may impact the ability to integrate
treatment for behavioral health
conditions and other health
conditions.328 Many stakeholders,
including public commenters on the
NPRM, have urged the Department to
take action to eliminate the need for
such data segmentation,329 and the
Department believes this final rule will
reduce the need for data segmentation
or tracking. Where segmentation may be
necessary, we encourage the use of data
standards adopted by ONC on behalf of
HHS in 45 CFR part 170, subpart B, and
referenced in the ONC Health IT
Certification Program certification
criteria for security labels and
segmentation of sensitive health data.
324 For example, a clinic that provides general
medical services, and has a unit specializing in
SUD treatment that is a part 2 program, would need
to segregate its SUD records from other medical
records, even for the same patient, to ensure that
the SUD records are used and disclosed only as
permitted by part 2.
325 See 42 CFR 2.12(d)(2)(i)(C).
326 See definition of ‘‘Patient identifying
information’’ in 42 CFR 2.11. See also definition of
‘‘Disclose’’ in 42 CFR 2.11.
327 See 42 CFR 2.12(d)(2)(ii).
328 Dennis McCarty, Traci Rieckmann, Robin L.
Baker, et al., ‘‘The Perceived Impact of 42 CFR part
2 on Coordination and Integration of Care: A
Qualitative Analysis,’’ Psychiatric Services (Nov.
2016), https://doi.org/10.1176/appi.ps.201600138.
329 For example, the Ohio Behavioral Health
Providers Network (Network) in an August 21,
2020, letter to SAMHSA, and the Partnership to
Amend Part 2 in a similar January 8, 2021, letter
to the U.S. Department of Health and Human
Services (HHS), both urge that there should be no
requirement for data segmentation or segregation
after written consent is obtained and part 2 records
are transmitted to a health information exchange or
care management entity that is a business associate
of a covered entity covered by the new CARES Act
consent language. In the letter, the Network states
that such requirements are difficult to implement in
health centers and other integrated settings in
which SUD treatment may be provided. See also
public comments expressed and summarized in 85
FR 42986 (July 15, 2020); and see Letter from The
Partnership to Amend 42 CFR part 2 to HHS
Secretary Becerra (Jan. 8, 2021),
https://aahd.us/wpcontent/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.
Response to Public Comment
The Department requested public
comment on all aspects of the proposed
amendments to the regulations at 42
CFR part 2, Confidentiality of Substance
Use Disorder Patient Records. Seventy-two
commenters, both individuals and
organizations, offered views on various
aspects related to the Regulatory Impact
Analysis (RIA).
Comments from organizations who
expressed support for specific issues in
the NPRM pointed to a decrease in the
administrative burden and cost on
providers, an increase in access to care,
a decrease in costs for patients, and a
general improvement in communication
within the industry. One organization
suggested that the changes in the rule
will allow for streamlining care by
decreasing the number of times the
provider must ask for consent from the
patient. Another organization asserted
that the proposed rule changes could
help minimize the stigma surrounding
SUD treatment and help decrease the
technical burdens that the previous
rules have caused.
Organizations and government
entities who expressed opposition to
specific issues in the NPRM asserted
that the changes would increase costs
and legal liability for both patients and
providers, decrease the quality of care,
create additional administrative and
technical burdens, and be overly time
consuming to follow. A government
organization asserted that most current
electronic health care record systems do
not have the ability to give accountings
of TPO disclosures, which would force
the entities using these systems to
manually process the information. This
is a burdensome and time-consuming
task, according to the organization, as
the entities may have to account for
disclosures for the previous six years.
An organization argued that due to
differences in Patient Notice
requirements for part 2 and HIPAA,
there may be different language for each
privacy notice. Multiple organizations
asserted that changing the language of
the privacy notices is expensive,
especially for larger organizations. One
organization suggested that the
expanded requirement to provide TPO
accounting will lead to changes in the
health care system and increased costs
for patients. Another organization
argued that the separation of part 2 data
will lead to delays in care and threats
to patient health as providers may not
be able to see a patient’s full medical
history, which is necessary to give
adequate care. One commenter argued
that the proposed change could weaken
patient privacy and lead to the
information being misused in criminal
investigations and court proceedings.
This change also may put an additional
burden on providers to counsel patients
on the ethical and constitutional
considerations that will go into signing
the form.
Organizations and government
entities who expressed mixed views on
the issues discussed in the excerpts
change agreed with the need for the rule
change and the general change itself but
provided additional comments on
concerns related to specific topics such
as TPO disclosures and notices of
privacy protections. One organization
argued that HHS should take into
consideration the time and costs
associated with updating changes to the
accounting of disclosures requirement
and the timeframe to implement these
changes. Another organization
requested that accounting for TPO
disclosures be delayed until regulations
pursuant to the HITECH Act are
enacted. This commenter asserted that
applying the accounting requirement
only to TPO disclosures made through
an electronic health care record creates
a disincentive to adopt electronic health
care records, especially for small and
rural providers and those serving
patients of color and other historically
underserved communities. Multiple
organizations argued that if
discrepancies exist between part 2 and
HIPAA, there may be administrative
burdens surrounding data segregation.
Because of this, part 2 and HIPAA need
to be aligned as much as possible to
minimize impediments to critical care.
One organization believed that it is
unnecessary for part 2 to include
providing a copy of a patient’s consent
and imposing retention periods on
maintaining those consents since other
laws, such as HIPAA, CMS regulations,
and state licensing requirements already
cover these requirements.
After reviewing the comment
submissions, the Department is making
the following changes to this RIA, some
of which result in changes to the RIA
analysis presented in the proposed
rule.330 Changes to the RIA also include
updating wage rates and other cost
factors to 2022 dollars to reflect more
recent data, adding small quantitative
burdens, and qualitatively discussing
changes from the proposed to the final
rule when unquantifiable.
• Adding a new quantitative
recurring cost for receiving a complaint;
• Adding reference to the changes to
the investigative agency definition;
• Adding a qualitative discussion of
reasonable diligence steps for the
limitation on liability for investigative
agencies and their potential impacts on
costs;
• Increasing the time required and the
number of responses in the quantitative
costs for the right to request restrictions;
• Adding a qualitative discussion of
requirements for intermediaries;
• Adding a qualitative discussion of
the benefit associated with the removal
of data segmentation requirements;
• Adding qualitative discussion of
SUD counseling notes which the
Department does not expect to impose
a quantifiable burden;
• Adding a new quantitative
recurring cost for the requirement to
attach consent with each disclosure or
provide clear description of scope of
consent;
• Including a clarification that
qualified service organizations (QSOs)
are also subject to breach notification
requirements in the quantification of
these costs;
• Qualitatively discussing the
impacts of part 2 programs being
required to notify recipients of a
revocation of consent.
330 Specific changes to the proposed rule RIA are
discussed in each of the RIA sections where
applicable.
Cost-Benefit Analysis
a. Overview and Methodology
This RIA relies on the same data
source used by SAMHSA for the
estimated number of part 2 programs in
SAMHSA’s 2020 Information Collection
Request (ICR) (‘‘part 2 ICR’’) 331 and uses
an updated statistic from that source.
The final rule also adopts the estimated
number of covered entities used in the
Department’s 2021 ICR for the HIPAA
Privacy Rule NPRM (‘‘2021 HIPAA
ICR’’),332 as well as its cost assumptions
for many requirements of the HIPAA
regulations, including breach
notification activities.
331 85 FR 42986.
332 While the number of covered entities used in
this final rule was adopted from the 2021 ICR for
the HIPAA Privacy Rule, these numbers are also
reflected in the more recent 2023 ICR for the HIPAA
Privacy Rule NPRM and are the most up to date
numbers the Department has. These ICRs may be
found under OMB control # 0945–0003.
Although HIPAA was a component of
the proposed rule and is not for the final
rule, the HIPAA number of covered
entities (774,331) are still used in some
calculations of costs from part 2 such as
for breach notifications. When applying
HIPAA cost assumptions to part 2
programs, the Department multiplies the
figures by 2 percent (.02), representing
the number of part 2 programs in
proportion to the total number of
covered entities. In some instances, the
estimates historically used by the
Department for similar regulatory
requirements were developed based on
different methodologies, resulting in
significantly different fiscal projections
for some required activities. This RIA
adopts the approach used for HIPAA’s
projected costs and cost savings.
In addition to the quantitative
analyses of the effects of the regulatory
modifications, the Department analyzes
some benefits and burdens qualitatively;
relatedly, there is uncertainty inherent
in predicting the actions that a diverse
scope of regulated entities might take in
response to this final rule.
For reasons explained more fully
below, the changes to the consent
requirements for part 2 programs and
redisclosure permissions for covered
entities and business associates would
result in economic cost savings of
approximately $67,107,778 over 5 years
based on the final rule changes. Table 2
presents the undiscounted and
discounted costs and cost savings
figures over 5 years. All estimates are
presented in millions of year-2022
dollars, using 2024 as the base year for
discounting.
Table 2. Accounting Table.
Accounting Table of Estimated Benefits and Costs
of All Final Rule Changes, in Millions, 2022 dollars

| COSTS | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total* |
|---|---|---|---|---|---|---|
| Undiscounted | $26.1 | $8.0 | $8.1 | $8.2 | $8.2 | $58.7 |
| 3% Discount | $26.1 | $7.8 | $7.6 | $7.5 | $7.3 | $56.4 |
| 7% Discount | $26.1 | $7.5 | $7.1 | $6.7 | $6.3 | $53.7 |

| COST SAVINGS | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| Undiscounted | $13.4 | $13.4 | $13.4 | $13.4 | $13.4 | $67.0 |
| 3% Discount | $13.4 | $13.0 | $12.7 | $12.3 | $11.9 | $63.3 |
| 7% Discount | $13.4 | $12.5 | $11.7 | $11.0 | $10.2 | $58.9 |

NET (undiscounted) Costs: $8.4
Non-quantified benefits and costs are described below.
* Totals may not add up due to rounding.
b. Baseline Assumptions
In developing its estimates of the
potential costs and cost savings of the
final rule, the Department relied
substantially on recent prior estimates
for modifications to this regulation 333
and the HIPAA Privacy Rule 334 and
associated ICRs. Specifically, the part 2
ICR data previously approved under
OMB control #0930–0092 informs the
Department’s estimates with respect to
final rule modifications to part 2
provisions.335 However, for final rule
part 2 provisions that are based on
provisions of the HIPAA regulations, the
Department relies on the HIPAA
regulatory ICRs previously approved
under OMB control # 0945–0003 and
updated consistent with the 2021
HIPAA Privacy Rule NPRM.336
333 See 83 FR 239 (Jan. 3, 2018) and 85 FR 42986.
334 86 FR 6446 (Jan. 21, 2021).
335 85 FR 42986.
336 84 FR 51604 (Sept. 30, 2019). See also 86 FR
6446.
Because the Department lacks data to
determine the percentage of part 2
programs that are also subject to the
HIPAA regulations, the Department
assumes for purposes of this analysis
that the final rule changes to part 2
would affect all part 2 programs
equally—including those programs that
are also HIPAA covered entities, and
thus already are subject to requirements
under the HIPAA regulations (e.g.,
breach notification) that the Department
incorporates into part 2. Thus, this RIA
likely overestimates the overall
compliance burden on part 2 programs
posed by the final rule. In contrast, this
RIA likely underestimates the cost
savings of the final rule. The estimated
cost savings are primarily attributed to
the reduction in the number of written
patient consents that would be needed
to use or disclose records for TPO and
to redisclose them for other purposes
permitted by the HIPAA Privacy Rule.
Because the Department lacks data to
estimate the annual numbers of written
patient consents and disclosures to
covered entities, this RIA adopts an
assumption that only three consents per
patient are currently obtained per year
(one each for treatment, payment, and
health care operations) and only one
half of such consents result in a
disclosure of records to a HIPAA
covered entity or business associate, for
which consent would be no longer
required to use or redisclose the record
under the final rule.
c. Part 2 Programs, Covered Entities, and
Patient Population
The Department relies on the same
source as the approved part 2 ICR 337 as
the basis for its estimates of the total
number of part 2 programs and total
annual part 2 patient admissions. Part 2
programs are publicly (Federal, State, or
local) funded, assisted, or regulated
SUD treatment programs. The part 2
ICR’s estimate of the number of such
programs (respondents) is based on the
results of the 2020 National Survey of
Substance Abuse Treatment Services
(N–SSATS), and the average number of
annual total responses is based on the
results of the average number of SUD
treatment admissions from SAMHSA’s
2019 Treatment Episode Data Set
(TEDS) as the number of patients treated
annually by part 2 programs, both
approved under OMB Control No. 0930–
0335.338 In the 2020 data from N–
SSATS, the number of part 2
respondents was 16,066.339 The TEDS
data for SUD treatment admissions has
been updated, so the Department relies
on the 2019 statistic, as shown in Table
3 below.
337 85 FR 42986.
338 84 FR 787 (Jan. 31, 2019).
339 See Substance Abuse and Mental Health
Servs. Admin., ‘‘National Survey of Substance
Abuse Treatment Services (N–SSATS): 2020. Data
on Substance Abuse Treatment Facilities’’ (2021),
https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
Table 3. Part 2 Programs, Covered Entities, and Patients.

| Measure | Estimate |
|---|---|
| Estimated Number of Part 2 Programs | 16,066 |
| Total Annual Part 2 Program Admissions | 1,864,367 (footnote 340) |
| Estimated Number of Covered Entities | 774,331 (footnote 341) |
| Total Annual New Patients | 613,000,000 (footnote 342) |

340 Substance Abuse and Mental Health Servs.
Admin., Ctr. for Behavioral Health Statistics and
Quality, ‘‘Treatment Episode Data Set (TEDS): 2019.
Admissions to and Discharges From Publicly
Funded Substance Use Treatment’’ (2021),
https://www.samhsa.gov/data/sites/default/files/reports/rpt35314/2019_TEDS_Proof.pdf.
341 86 FR 6446, 6497.
342 Id. at 6515.
For purposes of calculating estimated
costs and benefits the Department relies
on mean hourly wage rates for
occupations involved in providing
treatment and operating health care
facilities, as noted in Table 4 below.
This final rule updates the proposed
rule RIA wages to the most recent year
of available data.
Occupational Pay Rates (2022 dollars) a

| Occupation Code and Title | Hourly Wage Rate x 2 b |
|---|---|
| 00-0000 All Occupations | $59.52 |
| 43-3021 Billing and Posting Clerks | $43.08 |
| 29-0000 Healthcare Practitioners and Technical Occupations | $93.04 |
| 29-9021 Health Information Technologists and Medical Registrars | $62.76 |
| 15-1212 Information Security Analysts | $115.26 |
| 23-1011 Lawyer | $157.48 |
| 13-1111 Management Analysts | $100.64 |
| 11-9111 Medical and Health Services Manager | $123.06 |
| 29-2072 Medical Records Specialist | $49.12 |
| 43-0000 Office and Administrative Support Occupations | $43.80 |
| 11-2030 Public Relations and Fundraising Managers | $136.80 |
| 21-1018 Substance Abuse, Behavioral Disorder, and Mental Health Counselors | $54.06 |
| 13-1151 Training and Development Specialist | $67.18 |
| 43-4171 Receptionist and Information Clerk | $33.28 |
| 15-1255 Web and Digital Interface Designer | $97.82 |

a. Bureau of Labor Statistics, U.S. Department of Labor, "Occupational Employment and
Wages" May 2022, https://www.bls.gov/oes/current/oes_stru.htm.
b. To incorporate employee fringe benefits and other indirect costs, these figures represent a
doubling of the Bureau of Labor Statistics (BLS) mean hourly wage.
d. Qualitative Analysis of Non-Quantified Benefits and Burdens
The Department’s analysis focuses on
primary areas of changes imposed by
the final rule that are likely to have an
impact on regulated entities or patients.
These are changes to establish or modify
requirements with respect to:
enforcement and penalties, notification
of breaches, consent for uses and
disclosures, Patient Notice, notice
accompanying disclosure, copy of
consent accompanying disclosure,
requests for privacy protection,
accounting of disclosures, audit and
evaluation, disclosures for public
health, and use and disclosure of
records by investigative agencies. In
addition to these changes, the
Department believes the modifications
to part 2 for clarification, readability, or
consistency with HIPAA terminology,
would have the unquantified benefits of
providing clarity and regulatory
certainty. The provisions that fall into
this category and for which anticipated
benefits are not discussed in-depth, are:
Sections 2.1, 2.2, 2.4, 2.11 Through 2.15,
2.17, 2.19 Through 2.21, 2.23, 2.24, 2.34,
2.35, 2.52, and 2.61 Through 2.65
The Department provides its analysis
of non-quantified benefits and burdens
for the primary areas of final rule
regulatory change below, followed by
estimates and analysis of quantified
benefits and costs in section (e).
Section 2.3—Civil and Criminal
Penalties for Violations
The Department creates limitations on
civil and criminal liability for
investigative agencies in the event they
unknowingly receive part 2 records in
the course of investigating or
prosecuting a part 2 program or other
person holding part 2 records prior to
obtaining the required court order under
subpart E. This safe harbor promotes
public safety by permitting agencies to
investigate part 2 programs and persons
holding part 2 records in good faith with
a reduced risk of HIPAA/HITECH Act
penalties. The liability limitations
would be available only to agencies that
could demonstrate reasonable diligence
in attempting to determine whether a
provider was subject to part 2 before
making a legal demand for records or
placement of an undercover agent or
informant. The changes benefit SUD
providers, part 2 programs, investigative
agencies, and the courts by encouraging
agencies to seek information about a
provider’s part 2 status in advance and
potentially reduce the number of
instances where applications for good
cause court orders are denied.
Incentivizing investigative agencies to
check whether part 2 applies in advance
of investigating a provider would
benefit the court system, programs,
public safety, patients, and agencies by
enhancing efficiencies within the legal
system, promoting the rule of law, and
ensuring the part 2 protections for
records are utilized when applicable.
The limitations on liability for
investigative agencies may result in
more disclosures of patient records to
such agencies by facilitating
investigations and prosecutions of part
2 programs and lawful holders. The
Department believes that limiting the
application of § 2.3(b) to investigations
and prosecutions of programs and
holders of records, requiring nonidentifying information in the
application for the requisite court
orders,343 and keeping patient
identifying information under seal 344
will provide strong and continuing
protections for patient privacy while
promoting public safety.
Section 2.12—Applicability
The final rule removes data
segmentation requirements and instead
expressly states that segregation of
records is not required upon receipt.
This results in the final rule neither
requiring nor prohibiting data
segmentation, leading to a benefit to
covered entities, according to public
comments on this issue. The
Department acknowledges that there is
likely a burden reduction from the
express statement that segmentation of
data or records is not required; however,
the Department lacks data on the
number of records benefitting from the
removal of the data segmentation
requirement to quantify this impact.
343 See § 2.66 (requiring use of ‘‘John Doe’’).
344 See §§ 2.66 and 2.67.
Section 2.16—Security for Records and
Notification of Breaches
The Department adds notification of
breaches to § 2.16 so that the
requirements of 45 CFR 164.400 through
164.414, apply to breaches of part 2
records programs in the same manner as
those requirements apply to breaches of
PHI. Notification of breaches is a
cornerstone element of good
information practices because it permits
affected individuals or patients to take
steps to remediate harm, such as putting
fraud alerts on their credit cards,
checking their credit reports, notifying
financial institutions, and informing
personal contacts of potential scams
involving the patient’s identity. It is
difficult to quantify the value of
receiving notification in comparison to
the costs incurred in restoring one’s
credit, correcting financial records, or
the cost of lost opportunities due to loss
of income or reduced credit ratings.345
The benefit to the patient of learning
about a breach of personally identifying
information includes the opportunity
for the patient to take timely action to
regain control over their information
and identity. The Department does not
have data to predict how many patients
will sign up for credit monitoring or
other identity protections after receiving
a notification of breach of their part 2
records; however, the Department
believes that the costs to patients of
taking these actions 346 will be far
outweighed by the savings of avoiding
identity theft.347 Requiring part 2
programs to provide breach notification
ensures that patients of such programs
are provided the same awareness of
breaches as patients that receive other
types of health care services from
HIPAA covered entities.
Section 2.22 Patient Notice
Patients, part 2 programs, and covered
entities are all likely to benefit from
final rule changes to more closely align
the Patient Notice and HIPAA NPP
regulatory requirements, which simplify
their compliance with the two
regulations. The Department establishes
for patients the right to discuss the
Patient Notice with a person designated
by the program as the contact person
and to include information about this
right in the header of the Patient Notice
as proposed in the HIPAA Coordinated
Care and Individual Engagement
NPRM.348 These changes help improve
a patient’s understanding of the
program’s privacy practices and the
patient’s rights with respect to their
records. Even for patients who do not
request a discussion under this final
rule, knowledge of the right may
promote trust and confidence in how
their records are handled.
345 See 74 FR 42739, 42765–66 (Aug. 24, 2009).
346 See Alexandria White, ‘‘How much does credit
monitoring cost? ’’ CNBC (Nov. 16, 2021),
https://www.cnbc.com/select/how-much-does-creditmonitoring-cost/.
347 See Kenneth Terrell, ‘‘Identity Fraud Hit 42
Million People in 2021,’’ AARP (Apr. 7, 2022)
(‘‘[T]he average per-victim loss from traditional
identity fraud [is] $1,551.’’),
https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.
348 See 86 FR 6446, 6485.
Section 2.24 Requirements for
Intermediaries
The final rule adopts a definition of
‘‘intermediary’’ that excludes part 2
programs, covered entities, and business
associates. Business associates that are
HIEs will particularly benefit from being
excluded from the definition of
‘‘intermediary’’ because HIEs were the
most representative example of an
intermediary and therefore had the most to
benefit from burden reduction. They
will not be subject to the requirement in
§ 2.24 to provide a list of disclosures
upon request of a patient; they will not
be subject to the special consent
requirements for intermediaries that
many HIEs have found to be a barrier to
accepting part 2 records in their
systems; and they will be generally
included when a patient signs a TPO
consent. This will also benefit covered
entities that are part 2 programs because
they will be able to use an HIE business
associate to exchange part 2 data as well
as PHI, furthering the integration of
behavioral health information with
other health information. We believe
this will also benefit patients because it
will enhance their ability to receive
comprehensive care.
Section 2.25 Accounting of Disclosures
Adding a requirement to account for
disclosures for TPO through an
electronic health record (EHR) benefits
patients by increasing transparency
about how their records are used and
disclosed for those purposes. This
requirement could counterbalance
concerns about loss of control that
patients may experience as a result of
the changes to the consent process that
would permit all future TPO uses and
disclosures based on a single general
consent. The data logs that part 2
programs need to maintain to create an
accurate and complete accounting of
TPO disclosures could also be beneficial
for such programs in the event of an
impermissible access by enabling
programs to identify the responsible
workforce member or other wrongful
actor.
Section 2.26 Right To Request Privacy
Protection for Records
Adding a new right for patients to
request restrictions on uses and
disclosures of their records for TPO is
likely to benefit patients by giving them
a new opportunity to assert their
privacy interests to part 2 program staff,
to address patients’ concerns about who
may see their records, and to
understand what may be done with the
information their records contain.
With respect to the right for patients
to restrict disclosures to their health
plan when patients have self-paid in full
for services, patients will benefit by
being shielded from potential harmful
effects of some health plans’ restrictive
coverage policies or other potential
negative effects, such as employers
learning of patients’ SUD diagnoses.349
This right may also improve rates of
access to SUD treatment because of
patients’ increased trust that they have
the opportunity to ensure that their
records will remain within the part 2
program. A limitation on the benefits of
this right is that it is only available to
patients with the means to pay privately
for SUD treatment.
Part 2 programs may benefit from
increased frequency of patients paying
in full out of pocket, which could
decrease the time spent by staff in
billing and claims activities. Part 2
programs also may benefit from
increased patient trust in the programs’
protection of records.
Section 2.31 Consent Requirements
and § 2.33 Uses and Disclosures
Permitted With Written Consent
The changes to consent for part 2
records are two-fold: changes to the
required elements on the written
consent form and a reduction in the
instances where a separate written
consent is needed (the process of
obtaining consent). Changes to the
consent form for alignment with the
HIPAA authorization form would likely
benefit part 2 programs because they
would employ more uniform language
and concepts related to information use
and disclosure. Such changes may
particularly benefit part 2 programs that
are also subject to the HIPAA
regulations, so staff do not have to
compare and interpret different terms
on forms that request the use or
disclosure of similar types of
information.
Permitting patients to sign a single
general consent for all uses and
disclosures of their record for TPO may
carry both burdens and benefits to
patients. Patients may benefit from a
reduction in the amount of paperwork
they must sign to give permission for
routine purposes related to the
treatment and payment and associated
reductions in time spent waiting for
referrals, transfer of records among
providers, and payment of health
insurance claims. At the same time,
patients may experience a sense of loss
of control over their records and the
information they contain when they lose
the opportunity to make specific
decisions about which uses and
disclosures they would permit. In some
instances, the reduced ability to make
specific use and disclosure decisions
could result in a greater likelihood of
harm to reputation, relationships, and
livelihood.
349 Nat’l Academies of Sciences, Engineering, and
Medicine, The Nat’l Acads. Press, ‘‘Ending
Discrimination Against People with Mental and
Substance Use Disorders: The Evidence for Stigma
Change’’ (2016), https://www.nap.edu/23442; U.S.
Dep’t of Health and Human Servs., Office of the
Surgeon General, ‘‘Facing Addiction in America:
The Surgeon General’s Report on Alcohol, Drugs,
and Health’’ (Nov. 2016), https://store.samhsa.gov/sites/default/files/d7/priv/surgeon-generalsreport.pdf.
Part 2 programs would likely benefit
from the efficiencies resulting from
permitting a general consent for all TPO
uses and disclosures by freeing staff
from burdensome paperwork. In
contrast, clinicians in part 2 programs
may find it harder to gain the
therapeutic trust needed for patients to
divulge sensitive information during
treatment if patients become less
confident about where their information
may be shared and their ability to
control those uses and disclosures.
Some potential patients may avoid
initiating treatment altogether, which
would harm both patients and
programs.
Covered entities and business
associates would benefit markedly from
the ability to follow only one set of
Federal regulations when making
decisions about using and disclosing
part 2 records by streamlining processes
and simplifying decision making
procedures. Additionally, covered
entities and business associates would
no longer need to segregate SUD
treatment data and could improve care
coordination and integration of
behavioral health with general medical
treatment, resulting in comprehensive
holistic treatment of the entire patient.
In contrast, this final rule could also
create a burden because covered entities
and business associates subject to part 2
may need to sort and filter part 2
records for certain uses and disclosures,
such as audit and evaluation activities
that are health care operations,
according to whether or not a patient
consent for TPO has been obtained.
Section 2.32 Notice and Copy of
Consent To Accompany Disclosure
The revisions to the notice
accompanying each disclosure of part 2
records made with written consent
benefit patients by ensuring that
recipients of part 2 records are notified
of the expanded prohibition on use of
such records against patients in legal
proceedings even though uses and
redisclosures for other purposes would
be more readily permissible. Due to the
final rule changes in redisclosure
permissions for recipients of part 2
records that are covered entities and
business associates, the importance of
the Notice to Accompany Disclosure
would increase.
Part 2 programs will benefit from
having notice language that accurately
reflects statutory changes in the privacy
protections for records. Retaining the
notice to accompany disclosure
requirement would also ensure that
certain protections for part 2 records
continue to ‘‘follow the record,’’
compared to the HIPAA Privacy Rule
whereby protections are limited to PHI
held by a covered entity or business
associate.
Section 2.53 Management Audits,
Financial Audits, and Program
Evaluation
Part 2 programs that are also covered
entities would benefit from the final
rule changes that would clarify that the
limits on use and disclosure for audit
and evaluation purposes do not apply to
covered entities and business associates
to the extent these activities fall within
the HIPAA Privacy Rule disclosure
permissions for health care operations.
This benefit provides regulatory
flexibility for covered entities when part
2 records are subject to audit or
evaluation.
In some instances, a third-party
auditor or evaluator may also be a part
2 program or a covered entity or
business associate. As recipients of part
2 records, such third parties would be
permitted to redisclose the records as
permitted by the HIPAA Privacy Rule,
with patient consent for TPO. This
flexibility would not extend to
government oversight audits and
evaluations.
Section 2.54 Disclosures for Public
Health
The Department creates a new
permission to disclose de-identified
records without patient consent for
public health activities, consistent with
statutory changes. This benefits public
health by permitting records to be
disclosed that would address the opioid
overdose crisis and other public health
issues related to SUDs, and it protects
patient confidentiality because the
permission is limited to disclosure of
de-identified records.
Section 2.66 Procedures and Criteria
for Orders Authorizing Use and
Disclosure of Records To Investigate or
Prosecute a Part 2 Program or the Person
Holding the Records
The Department specifies the actions
investigative agencies should take when
they discover in good faith that they
have received part 2 records without
obtaining the required court order, such
as securing the records, ceasing to use
or disclose the records, applying for a
court order, and returning or destroying
the records, as applicable to the
situation. This final rule would provide
the benefit of enabling agencies to move
forward with investigations when they
have unknowingly sought records from
a part 2 program. The final rule limits
the liability of investigative agencies
that unknowingly obtain records
without the necessary court order and
increases agencies’ effectiveness in
prosecuting programs. The minimal
burden for exercising reasonable
diligence before an unknowing receipt
of part 2 records is outweighed by the
reduction in risk of a penalty for
noncompliance. This analysis applies as
well to § 2.67 below.
Section 2.67 Orders Authorizing the
Use of Undercover Agents and
Informants To Investigate Employees or
Agents of a Part 2 Program in
Connection With a Criminal Matter
The Department’s final rule adds a
requirement for investigative agencies
that seek a good cause court order after
placement of an undercover agent or
informant in a part 2 program to first
meet the reasonable diligence criteria in
§ 2.3(b). This requirement ensures that
agencies take basic actions to determine
whether a SUD treatment provider is
subject to part 2 before seeking to place
an undercover agent or informant with
the provider. As discussed above in
reference to § 2.66, this final rule also
has the benefit of aiding courts to
streamline the application process for
court orders for the use and disclosure
of records.
Section 2.68 Report to the Secretary
The Department created a
requirement for annual reports by
investigative agencies concerning
applications for court orders made after
receipt of part 2 records. This new
requirement benefits programs, patients,
and investigative agencies by making
data available about the frequency of
investigative requests made ‘‘after the
fact.’’ This requirement benefits
agencies and programs by highlighting
the potential need for increased
awareness about part 2’s applicability. A
program that makes its part 2 status
publicly known benefits from the
procedural protections afforded within
the court order requirements of §§ 2.66
and 2.67 in the event it becomes the
target of an investigation. The final
rule’s reporting requirement could also
potentially serve as a deterrent to
agencies from overly relying on the
ability to obtain belated court orders
instead of doing a reasonable amount of
research to determine before making an
investigative demand whether part 2
applies. Any resulting reduction in
unauthorized uses and disclosures of
records could be viewed as a benefit by
patients and privacy advocates. In
contrast, investigative agencies could
view the reporting requirement as an
administrative burden requiring
resources that otherwise could be used
to pursue investigations.
e. Estimated Quantified Cost Savings
and Costs From the Final Rule
The Department has estimated
quantified costs and cost savings likely
to result from the final rule modifying
three core expense categories (capital
expenses, attaching consent forms, and
workforce training) and seven
substantive regulatory requirements.
The remaining regulatory changes are
unlikely to result in quantifiable costs or
cost savings, as explained following the
discussion of projected costs and
savings.
i. Capital Expenses
Capital expenses related to
compliance with the final rule fall into
two categories: notification of breaches
and printing forms and notices. The
Department’s estimates for capital costs
related to providing breach notification
are based on estimates from the HIPAA
ICR multiplied by a factor of 0.02,
representing the proportion of part 2
programs compared to covered entities
(774,331 × 16,066 = .02). For example,
for an estimated 58,482 annual breaches
of PHI the Department calculates that
there are 1,170 breaches of part 2
records (58,482 × .02 = 1,170), and
associated costs. Those costs are
estimated on an ongoing annual basis
because part 2 programs could
experience a breach at any time that
would require notification. Capital costs
for breach notifications are presented in
Table 5 below.
Table 5. Estimated Capital Expenses - Breach Notification.

| Breach Notification Activity | # of Occurrences | Cost per Occurrence | Total Costs |
|---|---|---|---|
| Breach--Printing & Postage | 1,170 (a) | $765.04 (b) | $894,822 |
| Breach--Posting Substitute Notice | 55 (c) | $510.06 | $28,012 |
| Breach--Call Center | 55 | $79.10 (d) | $4,344 |
| TOTAL | | | $927,178 |

a. Total number of breaches of PHI in 2015 multiplied by a factor of .02 to represent breaches of
part 2 records (58,482 x .02).
b. The Department assumes that half of all affected individuals (half of 113,535,549 equals
56,767,775) would receive paper notification and half would receive notification by email.
Therefore, on average, 971 individuals per breach will receive notification by mail. Further, the
Department estimates that each mailed notice will cost $.06 for paper and envelope, $.08 for
printing, and $.60 for postage. Accordingly, on average, the capital cost for mailed notices for
each breach is $.74 for each of 971 notices, or $719.96. The Department accepts these
assumptions for part 2 breach notification costs as well.
c. The number of breaches requiring substitute notice equals all 267 large breaches and all 2,479
breaches affecting 10-499 individuals multiplied by .02 to represent breaches of part 2 records
(2,746 X .02).
d. This number includes $60 per breach for start-up and monthly costs, plus $.35 cents per call
(at a standard rate of $.07 per minute for five minutes) for an average of 41.25 individual calls
per breach and is then adjusted to 2022 dollars (from 2021 dollars).

The Department’s estimate of the
costs for printing revised consent forms
is based on SAMHSA’s part 2 ICR
estimates for total annual patient
admissions to part 2 programs 350 at a
rate of $0.11 per copy. Programs are
already required to print forms and
notices on an ongoing basis and no
change to the number of such forms and
notices is projected, so the Department
has not added any new capital costs for
printing the revised Patient Notice and
Notice to Accompany Disclosures.
However, the Department estimates that
as a result of changes to the requirement
to obtain consent for disclosures related
to TPO, part 2 programs and covered
entities and business associates would
experience cost savings from a
significant reduction in the number of
needed consent forms. The Department
assumes that, on average, each patient’s
treatment results in a minimum of three
written consents obtained by part 2
programs, one each for treatment,
payment, and health care operations
purposes. The final rule is estimated to
result in a decrease in the total number
of consents by two-thirds because only
one patient consent would be required
to cover all TPO uses and disclosures.
At an estimated cost of $0.11 per
consent, for a total of 1,864,367 annual
patient admissions, this would result in
an annual cost savings to part 2
programs of 3,728,734 fewer written
consents, or $396,222.
Additionally, covered entities and
business associates that receive part 2
records will also experience a reduced
need to obtain written patient consent
or a HIPAA authorization because
redisclosure under the HIPAA Privacy
Rule does not require patient consent or
authorization for TPO and many other
purposes. The Department lacks data to
make a precise estimate of projected
cost savings, but each patient record
disclosed to a covered entity or business
associate would potentially generate a
savings based on eliminating the need
for the recipient to obtain additional
consent for redisclosure. The
Department has adopted a low-cost
savings estimate that one-half of part 2
annual admissions would result in
receipt of part 2 records by a covered
entity or business associate that would
no longer be required to obtain specific
written patient consent to redisclose
such record, representing an annual
capital expense savings from printing
932,184 fewer consent forms. At a
per-consent cost of $0.11,351 this would
result in annual savings of $99,056. The
capital expense savings for printing
consent forms are presented in Table 6
below. The savings related to the cost of
staff time to obtain the patient consent
are estimated and discussed separately
in the section on consent below.
350 Substance Use Disorder Patient Records
Supporting Statement A_06102020—OMB 0930–0092,
https://omb.report/omb/0930-0092.
351 The Department relies on its estimated capital
expenses for printing HIPAA breach notification
letters adjusted to 2022 dollars. See 2021 HIPAA
ICR, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.
Table 6. Estimated Capital Expense Savings - Printing Consent Forms.

| Regulatory Activity | # of Occurrences | Cost per Occurrence | Total Cost Savings |
|---|---|---|---|
| Reduction in Consent Forms for Part 2 Programs | 3,728,734 | $0.11 | $396,222 |
| Reduction in Consent Forms for CEs & BAs | 932,184 | $0.11 | $99,056 |
| TOTAL ANNUAL SAVINGS | | | $495,278 |

ii. Training Costs
Although part 2 does not expressly
require training and the final rule does
not require retraining, the Department
anticipates that all part 2 programs will
choose to train their workforce members
on the modified part 2 requirements to
ensure compliance. The Department
estimates costs that all part 2 programs
would incur to train staff on the changes
to the confidentiality requirements. As
indicated in the chart below, only
certain staff would need to be trained on
specific topics and each program would
rely on a training specialist whose
preparation time would also be
accounted for. Compared to the
proposed HIPAA Privacy Rule right to
discuss privacy practices, the costs for
training part 2 counselors include a
higher number of staff per program
because part 2 programs have no
required Privacy Officer who is already
assigned similar duties and are more
likely to incur costs for developing a
new training regimen. The Department
of Labor, BLS last reported statistics for
substance use and behavioral disorder
counselors separate from mental health
counselors in 2016, and substance use
and behavioral disorder counselors
represented 65 percent of the combined
total. The Department thus calculates its
estimate for the number of substance
use and behavioral disorder counselors
as 65 percent of the workers in the BLS
occupational category for ‘‘substance
abuse, behavioral disorder, and mental
health counselors’’ and uses that as a
proxy for the number of part 2 program
counselors that would require training
on the new Patient Notice.352 The
Department estimates that a total of
$13.3 million in one-time new training
costs would be incurred in the first year
of the final rule’s implementation, as
presented in Table 7 below.
352 This final rule RIA updates the number of
counselors based on more recent data from the May
2022 National Occupational Employment and Wage
Estimates. In 2022, the number of part 2 counselors
is estimated to be 224,231 (344,970 substance abuse
and behavioral disorder counselors separate from
mental health counselors. SOC code 21–1018) ×
.65).

Table 7. Estimated Workforce Training Costs.

| Training Topics - Staff Member | Number of Trainees | Time in Training | Total Training Hours | Hourly Wage Rate | Total Costs |
|---|---|---|---|---|---|
| Complaint Procedures & Nonretaliation - Manager | 16,066 | 0.75 | 12,050 | $123.06 | $1,482,811 |
| Breach Notification - Manager | 16,066 | 1 | 16,066 | $123.06 | $1,977,082 |
| Obtaining Consent - Receptionist | 32,132 | 0.5 | 16,066 | $33.28 | $534,676 |
| Patient Notices & Right to Discuss - SUD Counselor | 224,231 (a) | 0.25 | 56,058 | $54.06 | $3,030,475 |
| Requests for Restrictions - Receptionist, Medical Records, Billing Clerk | 48,198 | 0.25 | 12,050 | $41.83 | $503,990 |
| Accounting of Disclosures - Med. Records Specialist | 16,066 | 0.5 | 8,033 | $49.12 | $394,581 |
| Training Specialist's Time | 16,066 | 5 | 80,330 | $67.18 | $5,396,569 |
| TOTAL TRAINING COSTS | | | 200,652 | | $13,320,186 |

a. This figure is the number of SUD and behavioral disorder counselors as a proxy for the
number of part 2 program counselors.

iii. Receiving a Complaint
The Department estimates that a new
burden in this final rule, for covered
entities to receive complaints filed by
patients against a program, covered
entity, business associate, qualified
service organization, or other lawful
holder in violation of this part, would
amount to a total annual labor cost of
$38,328. This estimate is derived under
the assumption that one in every
thousand patients would file a
complaint, leading to 1,864 complaints
annually.353 The complaint is also
assumed to be received by a manager
and take 10 minutes to address. The cost
of receiving complaints poses both a
recurring annual cost as well as a
one-time cost to establish procedures for
handling complaints. It is assumed that
the cost for setting up complaint
procedures is captured under the
training requirement as well as the
Patient Notice requirements, laid out in
Tables 7 and 10 respectively. Table 8
presents the costs for receiving a
complaint.
353 The assumption that one out of every 1,000
patients would file a complaint was adopted from
the 2000 HIPAA Final Rule RIA’s calculation of
costs of internal complaints under 45 CFR part 160.
Table 8. Estimated Costs for Receiving a Complaint.

| Regulatory Action | Number of Respondents | Number of Responses per Respondent | Average burden hours per Response | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total Respondent Costs |
|---|---|---|---|---|---|---|
| 2.4 Receiving a Complaint | 1,864 (a) | 1 | 0.167 | 322 | $123.06 | $38,238 |

a. It is assumed that there will be one complaint for every 1,000 patients (or part 2 Program
Admissions) thus there are an estimated 1,864 respondents (1,864,367/1,000).
iv. Notification of Breaches
The Department estimates annual
labor costs of $1.6 million to part 2
programs for providing notification of
breaches of unsecured records,
including notification to the Secretary,
affected patients, and the media,
consistent with the requirements of the
HIPAA Breach Notification Rule. This
estimate is derived from calculating two
percent of the total estimated breach
notification activities for covered
entities, business associates, and
qualified service organizations under
the HIPAA Breach Notification Rule.354
Costs for the labor spent to provide
breach notifications are estimated in
Table 9 below. Capital costs for
providing breach notification are
discussed separately in Table 5 above.
354 See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001.
Wage rates are updated to 2022
figures.
Table 9. Estimated Costs of Breach Notification.

| Section of 45 CFR | Notification Activity | Number of Respondents | Total Respondent Costs |
|---|---|---|---|
| 164.404 | Individual Notice-Written and Email Notice (drafting) | 1,170 (a) | $54,412 |
| 164.404 | Individual Notice-Written and Email Notice (preparing and documenting notification) | 1,170 | $25,615 |
| 164.404 | Individual Notice-Written and Email Notice (processing and sending) | 1,170 | $795,503 |
| 164.404 | Individual Notice-Substitute Notice (posting or publishing) | 55 (b) | $5,372 |
| 164.404 | Individual Notice-Substitute Notice (staffing toll-free number) | 55 | $8,227 |
| 164.404 | Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information) | 2,265 (c) | $16,854 |
| 164.406 | Media Notice | 5.34 (d) | $543 |
| 164.408 | Notice to Secretary (notice for breaches affecting 500 or more individuals) | 5.34 | $543 |
| 164.408 | Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | 1,164 (e) | $50,996 |
| 164.414 | 500 or More Affected Individuals (investigating and documenting breach) | 5.34 | $32,857 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach) -- affecting 10-499 | 50 | $48,811 |
| 164.414 | Less than 500 Affected Individuals (investigating and documenting breach) -- affecting <10 | 1,115 (f) | $548,710 |
| TOTAL | | | $1,588,441 |

a. Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to
represent part 2 breaches.
b. All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied
by .02.
c. As noted in the previous footnote, this number equals 1% of the affected individuals who
require substitute notification (0.01 x 11,326,441 = 113,264) multiplied by .02 to represent part 2
program breaches.
d. The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to
represent the number of part 2 breaches.
e. The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied
by .02 to represent the number of part 2 breaches.
f. 55,736 multiplied by .02.
v. Patient Notice
The Department estimates a first-year
total of $2.6 million in costs to part 2
programs for updating the Patient
Notice, as applicable, and providing
patients a right to discuss the program’s
Patient Notice. Under the final rule’s
modifications to § 2.22, as under the
existing rules, a part 2 program that is
also a covered entity only needs to have
one notice that meets the requirements
of both rules, so the Department’s
estimates are based on an unduplicated
count of part 2 programs, each one
needing to update its Patient Notice.
The Department’s estimate is based on
the number of total entities and one
hour of a lawyer’s time to update the
notice(s), as detailed in Table 10. There
would be no new costs for providers
associated with distribution of the
revised notice other than posting it on
the entity’s website (where available), as
providers have an ongoing obligation to
provide the notice to first-time patients.
The Department bases the estimate on
its previous estimates from the 2013
Omnibus Final Rule, in which the
Department estimated approximately
613 million first time visits with health
care providers annually.355
In addition to the costs of updating
the Patient Notice, the Department
estimates that part 2 programs incur
ongoing costs to implement the right to
discuss a program’s Patient Notice
calculated as 1 percent of all patients, or
18,644 requests, at the hourly wage of a
substance abuse, behavioral disorder,
and mental health counselor, as defined
by BLS, for an average of 7 minutes per
request or $117,586 total per year. The
number of discussions is based on the
same percentage of new patients as the
parallel proposal in the HIPAA
Coordinated Care and Individual
Engagement NPRM, which reflects the
anticipated number of patients who
would ask to speak with the identified
contact person or office about the
Patient Notice. It does not include the
discussion that each counselor may
have with a new patient about
confidentiality in the clinical context
which the Department views as part of
treatment. Total costs for the Patient
Notice are presented in Table 10 below.
Table 10. Estimated Costs for Patient Notice.

| Regulatory Activity | Total Responses | Hours per response | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total Annual Cost |
|---|---|---|---|---|---|
| 2.22 Update Patient Notice (lawyer) | 16,066 | 1 | 16,066 | $157.48 | $2,530,074 |
| 2.22 Discuss Patient Notice | 18,644 (a) | 0.12 | 2,175 | $54.06 | $117,586 |
| TOTAL | | | | | $2,647,659 |

a. Respondents are 1% of all new patients and the cost is based on the hourly wage for a
substance abuse, behavioral, and mental health counselor.
355 78 FR 5565, 5675 (Jan. 25, 2013).

vi. Accounting of Disclosures
The Department’s estimate of minimal
annual costs to part 2 programs for
providing patients an accounting of
disclosures is based on the Department’s
estimates for covered entities to comply
with the requirements in 45 CFR
164.528 multiplied by a factor of .02.
This represents two percent of the total
estimated requests for an accounting of
disclosures under the HIPAA Privacy
Rule. The Department included this
estimate in its calculations (detailed in
Table 11), although it is negligible, due
to the CARES Act mandate to include
the requirement in part 2. In addition,
these costs will not constitute an
immediate burden since they are
contingent on the promulgation of
HITECH Act modifications to the
accounting of disclosures standard in
the HIPAA Privacy Rule at 45 CFR
164.528, which the Department has not
yet finalized.
The responses to the Department’s
2018 Request for Information on
Modifying HIPAA Rules to Improve
Coordinated Care 356 indicated that
covered entities and their business
associates receive very few requests for
an accounting of disclosures annually (a
high of .00006).357 Comments received
on the part 2 NPRM were consistent
with these and suggested that covered
entities still receive very few requests;
however, one commenter asserted that a
request can take approximately 40 hours
of labor to address.358 We believe this
figure is an outlier and that most
requests cover a narrow time period
related to a specific disclosure concern.
The Department is unable to estimate
the additional burdens, if any, of
offering these accountings in a machine
readable or other electronic format.
Further, the Department lacks specific
information about the costs to revise
EHR systems to generate a report of
disclosures for TPO, other than they
could be substantial.359 We note too that
the compliance date for the accounting
of disclosures requirement is tolled
until modifications to the accounting
requirement are finalized in 45 CFR
164.528 of the HIPAA Privacy Rule.
Table 11 presents the estimated costs for
accounting of disclosures.
356 83 FR 64302 (Dec. 14, 2018).
357 See generally, public comments posted in
response to Docket ID# HHS–OCR–2018–0028,
https://www.regulations.gov/document/HHS-OCR-2018-0028-0001/comment.
358 See public comments posted in response to
Docket ID# HHS–OCR–2022–0018–0001,
https://www.regulations.gov/document/HHS-OCR-2022-0018-0001.
359 Id.
Table 11. Estimated Costs for Accounting of Disclosures.

| Regulatory Action | Number of Respondents | Number of Responses per Respondent | Average burden hours per Response | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total Respondent Costs |
|---|---|---|---|---|---|---|
| 2.25 Accounting of Part 2 TPO Disclosures | 100 (a) | 1 | 0.05 | 5 | $49.12 | $246 |

a. Calculated as 2% multiplied by the estimate that covered entities annually fulfill 5,000
requests from individuals for an accounting of TPO disclosures at the hourly wage for a medical
records specialist.
vii. Requests for Privacy Protection for
Records
The Department estimates that part 2
programs would incur a total of $5,019
in annual costs arising from the right to
request restrictions on disclosures.
OCR’s HIPAA ICR estimate of costs for
covered entities to comply with the
parallel requirement under 45 CFR
164.522 represents a doubling of
previous estimated responses from
20,000 to 40,000.360 However, costs
remain low for compliance with this
regulatory requirement, in part because
the requirement to accept a patient’s
request for restrictions is mandatory
only for services for which the patient
has paid in full; the cost of complying
with a request not to disclose records or
PHI to a patient’s health plan occurs in
a context in which providers are saved
the labor that would be needed to
submit claims to health insurers.
The Department acknowledges that in
addition to the handling of restriction
requests, providers will likely also incur
costs related to the adjustment of their
technological capabilities. Comments
received on the part 2 NPRM outlined
some of the existing shortcomings and
potential improvements to the EHR
systems. Some of the issues discussed
included perceptions regarding the
inability of current EHR systems to
automatically flag and separate part 2
records, and challenges of granular data
segmentation functionality, inability of
systems to handle multiple types of
information workflows, and difficulties
in ensuring that the current systems
protect part 2 data adequately from
access and redistribution in large
patient settings where data is received
and redistributed electronically.
Commenters suggested, among others,
the development of broader
interoperability frameworks, and the
development of consistent standards as
potential remedies for those technical
issues, but there was no specific
actionable data provided that could
inform the cost analysis of such efforts.
The Department therefore lacks a basis
to formally quantify these costs and
does include them in this RIA.
The estimated costs for requests for
privacy protection for records are
presented in Table 12 below. The
estimated number of responses is
increased from the proposed rule to
1,200 and the average burden doubled
to 6 minutes (0.1 hours) to account for
the final rule adding the requirement
that covered entities use reasonable
effort to accommodate patient’s request
for restrictions resulting in a slight
increase in estimated burden.
Table 12. Estimated Costs for Request for Privacy Protection for Records.
| Regulatory Activity | Number of Responses | Average burden hours per Response | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total Respondent Costs |
|---|---|---|---|---|---|
| 2.26 Requests for privacy protection | 1,200 | 0.1 | 120 | $41.83 | $5,019 |

viii. Updated Consent Form
The Department estimates that each
part 2 program would incur the costs for
40 minutes of a lawyer’s time to update
its patient consent form for use and
disclosure of records. This would result
in an estimated total nonrecurring cost
of approximately $1.7 million, to be
incurred in the first year after
publication of a final rule, as detailed in
Table 13 below.
360 86 FR 6446, 6498. See also 84 FR 51604.
Table 13. Estimated Cost for Updating Consent Forms.
| Regulatory Activity | Total Responses | Average Burden Hour | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total One-time Cost |
|---|---|---|---|---|---|
| 2.31 Consent Form - Updating | 16,066 | 0.67 | 10,710.67 | $157.48 | $1,686,716 |

ix. Attaching Consent Form
The Department estimates a new cost
in this final rule (compared to the
proposed rule RIA) for the requirement
associated with § 2.32 that each part 2
program would need to attach consent
forms with each disclosure. The
Department assumes an average of three
(3) annual disclosures per patient. The
Department assumes consent forms
would need to be attached to paper
disclosures as well as electronic
disclosures and assumes ninety percent
(90%) of disclosures are received
electronically while the remaining ten
percent (10%) would be received in
paper format. This would result in a
total recurring cost of $2.9 million per
year. The estimated costs for attaching
consent form are presented in Table 14
below.
Table 14. Estimated Costs for Attaching Consent Form.
| Regulatory Activity | Total Responses | Average Burden Hour | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total Recurring Cost (2022 dollars) |
|---|---|---|---|---|---|
| 2.32 Consent Form - Attach consent form with each disclosure (Paper records disclosed) | 559,310 a | 0.08 | 46,609 | $33.28 | $1,551,153 |
| 2.32 Consent Form - Attach consent form with each disclosure (electronic records disclosed) | 5,033,791 b | 0.01 | 41,948 | $33.28 | $1,396,038 |
| TOTAL | | | | | $2,947,191 |

a. Calculated as the number of patient admissions multiplied by the number of paper consent
forms that need to be attached (10% of total) times the number of disclosures per patient (3).
b. Calculated as the number of patient admissions multiplied by the number of electronic consent
forms that need to be attached (90% of total) times the number of disclosures per patient (3).

x. Updated Notice To Accompany
Disclosures
The Department estimates that each
part 2 program would incur the costs for
20 minutes of a health care managers’
time to update the regulatory notice that
is to accompany each disclosure of
records with written patient consent.
The Department believes that in most
cases a manager can accomplish this
task, rather than a lawyer, because
specific text for the Notice to
Accompany Disclosure is required and
is included in the final rule. For a total
of 16,066 programs this would result in
estimated total nonrecurring costs in the
first year of the rule’s implementation of
approximately $0.7 million as detailed
in Table 15 below.
Table 15. Estimated Cost for Updated Notices to Accompany Disclosures.
| Regulatory Activity | No. of occurrences | Time (hours) | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total One-time Cost (2022 dollars) |
|---|---|---|---|---|---|
| 2.32 Notice and Copy of Consent to Accompany Disclosure Updating | 16,066 | 0.33 | 5,355 | $123.06 | $659,027 |

xi. New Reporting to the Secretary
The final rule’s reporting
requirements in § 2.68 are directed to
those agencies that investigate and
prosecute programs and holders of part
2 records. Part 2 programs are subject,
for example, to investigations for
Medicare and Medicaid fraud and
diversion of opioids used in
medications for opioid use disorder
(MOUD). Medicaid and Medicare fraud
investigations may involve several
agencies, such as the Department of
Justice (DOJ), HHS Office of the
Inspector General (OIG), and state
agencies. Investigations involving the
use and disclosure of part 2 records
include those where SUD providers are
the targeted entities as well as where
other health care providers are the target
and have received records from a part 2
program. The Department has revised its
estimates of the number of
investigations that involve part 2
records, resulting in an increase of more
than 100 percent from the 225 estimated
investigations in the NPRM. The
Department estimates that
approximately 506 investigations,
prosecutions, or sanctions involve part
2 programs or records annually, based
on FY 2021 statistics. The reported data
does not separately track part 2
programs so we based our estimate on
the proportion of part 2 programs as
compared to covered entities, which is
2 percent, as we have done for other
estimates within the analysis for this
rule.361 We acknowledge that this may
not capture all the entities subject to
investigations that include part 2
records. At the same time, we have
added a more extensive list of
investigations and actions against health
care entities, many of which represent
duplicate actions, such as the removal
of entities from Medicare participation
based on a fraud conviction against the
same entity that is also counted within
the same year and counting both new
fraud investigations and pending cases
at the year’s end. We included data from
FY 2021 362 for the following actions:
• 831 new criminal health care fraud
investigations (DOJ).
• 462 cases of criminal charges filed
by Federal prosecutors.
• 805 new civil health care fraud
investigations (DOJ).
• 1,432 civil health care fraud matters
pending at the end of the fiscal year
(DOJ).
• 107 health care fraud criminal
enterprises dismantled (FBI).
• 504 criminal actions for Medicare
and Medicaid crimes (HHS–OIG).
• 669 civil actions (HHS–OIG).
• 1,689 individuals and entities
excluded from participation in
Medicare, Medicaid, and other Federal
health care programs (HHS–OIG).
• 18,815 open investigations by state
Medicaid Fraud Control Units in FY
2021.363
This results in a count of 25,314
actions taken by investigative agencies
and 506 as the estimated proportion
involving use and disclosure of part 2
records. The Department assumes, as an
over-estimate, that all 506 cases involve
use of the safe harbor under § 2.3 and
result in a required report under § 2.68.
The burden on investigative agencies
for annual reporting about unknowing
receipt of part 2 records prior to a court
order includes the labor of gathering
data and submitting it to the Secretary.
As a proxy for this burden, the
Department estimates that the labor
would be equal to reporting large
breaches of PHI under HIPAA which
has been calculated at 1.5 hours per
response at an hourly wage rate of
$81.28 364 for a total estimated cost of
$121.92 per response. For an estimated
506 annual investigations this would
result in a total cost of $61,726. This
figure represents an overestimate
because it assumes 100 percent of
investigations would involve
unknowing receipt of part 2 records
prior to seeking a court order. The
Department assumes that the actual
proportion of investigations falling
within the reporting requirement would
be less than 25 percent of cases,
although it lacks data to substantiate
this assumption. The final rule also
adds to the definition of investigative
agencies to include local, territorial, and
Tribal agencies. The Department
acknowledges the potential for
expanding the definition to increase the
affected population for investigative
agencies; however, the Department lacks
sufficient data to quantify the number of
additional agencies impacted by the
rule. The estimated costs for new
reporting to the Secretary are presented
in Table 16 below.
361 16,066 part 2 programs/774,331 covered
entities = .02
362 Annual Report of the Departments of Health
and Human Services and Justice, FY 2021 Health
Care Fraud and Abuse Control Report (July 2022).
We include data reflecting OIG investigations as
one representative data point in an effort to estimate
the volume of relevant records obtained through
investigations throughout the country. Annual
reporting will be conducted consistent with
applicable Federal laws.
363 https://oig.hhs.gov/fraud/medicaid-fraud-control-units-mfcu/expenditures_statistics/fy2021-statistical-chart.pdf.
364 This is a composite wage rate used in burden
estimates for the Department’s breach notification
Information Collection Request.
Table 16. Estimated Cost for New Reporting to the Secretary.
| Regulatory Activity | Total Responses | Average Burden Hour | Total Burden Hours | Hourly Wage Rate w/ Benefits (Base*2) | Total Recurring Cost (2022 dollars) |
|---|---|---|---|---|---|
| 2.68 Report to Secretary | 506 | 1.5 | 759 | $81.28 | $61,726 |
f. Summary of First Year Costs
Table 17 presents the total first year
part 2 quantified costs presented in the
above sections, totaling $23.9 million.
Table 17. Estimated Annual Part 2 Costs in First Year of Implementation.
| Regulatory Activity | Total Responses | Hours per response | Total Burden Hours | Hourly Wage Rate | Total Cost |
|---|---|---|---|---|---|
| 2.4 Receiving a Complaint | 1,864 | 0.167 | 331 | $123.06 | $38,238 |
| 2.16 Breach Notification (from Table 9) | | | | | $1,588,441 |
| 2.22 Updating Patient Notice | 16,066 | 1 | 16,066 | $157.48 | $2,530,074 |
| 2.22 Right to Discuss | 18,644 | 0.12 | 2,175 | $54.06 | $117,586 |
| 2.25 Accounting of Disclosures | 100 | 0.05 | 5 | $49.12 | $246 |
| 2.26 Requests for privacy protection | 1,200 | 0.1 | 120 | $41.83 | $5,019 |
| 2.31 - Updating Consent Form | 16,066 | 0.67 | 10,711 | $157.48 | $1,686,716 |
| 2.32 Notice and Copy of Consent to Accompany Disclosures | 16,066 | 0.33 | 5,355 | $123.06 | $659,027 |
| 2.32 Attaching Consent Form | 5,593,101 | 0.09 | 88,557 | $33.28 | $2,947,191 |
| 2.68 Report to the Secretary | 506 | 1.5 | 759 | $81.28 | $61,726 |
| Workforce Training (from Table 7) | | | | | $13,320,186 |
| Capital Expenses (from Table 5) | | | | | $927,178 |
| TOTAL ANNUAL COSTS (first year) | | | | | $23,881,628 |
g. Final Rule Changes Resulting in
Negligible Fiscal Impact
Sections 2.1 and 2.2 Statutory
Authority and Enforcement
While civil enforcement of part 2 by
the Department may increase costs for
part 2 programs or lawful holders that
experience a breach or become the
subject of a part 2 complaint or
compliance review, the costs of
responding to a potential violation are
not calculated separately from the costs
of complying with new or changed
regulatory requirements. Thus, the
Department’s analysis does not estimate
any program costs for the changes to
§§ 2.1 and 2.2 of 42 CFR part 2.
Section 2.3 Civil and Criminal
Penalties for Violations
The final rule adds local, territorial,
and Tribal agencies to the investigative
agency definition. In § 2.3(b)(1),
investigative agencies that do not use
reasonable diligence would be
precluded from seeking a court order to
use or disclose part 2 records that they
later discover in their possession. The
Department acknowledges there may be
an overall increase in the affected
population associated with including
local, territorial, and Tribal agencies to
investigative agency definition;
however, the Department lacks
sufficient data on the extent these
agencies are involved in investigating
part 2 programs to quantify these
potential impacts.
Section 2.3 also creates a limitation
on civil or criminal liability for persons
acting on behalf of investigative
agencies when they may unknowingly
receive part 2 records without first
obtaining the requisite court order. The
final rule mandates reasonable diligence
steps that mean taking all of the
following actions:
Searching for the practice or provider
among the SUD treatment facilities in
SAMHSA’s online treatment locator;
searching in a similar state database of
treatment facilities where available;
checking a practice or program’s
website, where available, or physical
location; viewing the entity’s Patient
Notice or HIPAA NPP if it is available;
and taking all these steps within no
more than 60 days before requesting
records or placing an undercover agent
or informant. The regulatory change
encourages investigative agencies to
take preventative measures, reducing
the need for after-the-fact court orders.
The Department acknowledges that the
reasonable diligence steps may result in
additional burdens for investigative
agencies to check websites and visit
physical locations; however, the
Department lacks sufficient data to
quantify the additional burden and
expects that it is negligible.
Section 2.11 Definitions
Changes to the regulatory definitions
are not likely to create significant
increases or decreases in burdens for
part 2 programs or covered entities and
business associates. These entities,
collectively, would benefit from the
regulatory certainty resulting from
clarification of terms; however, the
definitions are generally intended to
codify current usage and understanding
of the defined terms. One change that
has the potential to result in additional
burden to part 2 programs but
potentially represents a benefit of
increased privacy protection for patients
would be the inclusion of a new
definition of ‘‘SUD counseling notes.’’
The Department has discussed the
potential impact to the inclusion of SUD
counseling notes in § 2.31. The
Department also changes the definition
of ‘‘investigative agency’’ to include
local, territorial, and Tribal agencies.
This change in the definition has the
potential to increase the population of
investigative agencies. Additional
discussion on the potential impact of
adding local, territorial, and Tribal
agencies is discussed in § 2.3. The final
rule adds a new definition on ‘‘lawful
holder’’ used in several provisions. The
final rule also adds a new definition of
‘‘personal representative,’’ replacing
language in § 2.15 describing
individuals authorized to act on a
patient’s behalf, as mentioned under the
discussion on § 2.15 below. Another
change to the definition of
‘‘intermediary’’ excludes part 2
programs, covered entities, and business
associates and may result in burden
decreases to these entities, as mentioned
under the discussion on § 2.24 below.
The Department estimates that these
three changes will have a negligible
impact.
Section 2.12
Applicability
The final rule change from ‘‘Armed
Forces’’ to ‘‘Uniformed Services’’ in
paragraphs (b)(1) and (c)(2) of § 2.12 is
likely to result in only a negligible
change in burden because this
terminology is already in use in 42
U.S.C. 290dd–2. Adding ‘‘uses’’ and
‘‘disclosures’’ in several places provides
clarity and consistency, but is unlikely
to create quantifiable costs or cost
savings. Adding the four express
statutory restrictions on use and
disclosure of records for court
proceedings 365 in paragraph (d)(1) of
this section will likely result in no
significant burden change, as the
restrictions on use and disclosure of
records for criminal investigations and
prosecutions of patients are already
stringent and the ability to obtain a
court order remains. Excluding covered
entities from the restrictions applied to
other ‘‘third-party payers’’ in paragraph
(d)(2) of this section would reduce
burden on covered entities that are
health plans because they will be
permitted to disclose records for a wider
range of health care operations than
under the current regulation. However,
this burden reduction is similar to that
for all covered entities under the final
rule, so the Department has not
estimated the costs or benefits
separately from the effects of § 2.33
(Uses and disclosures permitted with
written consent).
Section 2.13 Confidentiality
Restrictions and Safeguards
The primary change to this section is
to remove paragraph (d) and redesignate
it as § 2.24. Additionally, adding the
term ‘‘use’’ to the circumstances when
disclosures are permitted or prohibited
provides clarification, but is unlikely to
generate a change in burden associated
with this provision.
Section 2.14
Minor Patients
The final rule changes to this section
would clarify that a part 2 program
director may clinically evaluate whether
a minor has decision making capacity,
but not issue a legal judgment to that
effect. The changes also add ‘‘uses’’ to
‘‘disclosures’’ as the types of activities
regulated under this section. None of
the changes would be likely to result in
quantifiable burdens to part 2 programs.
365 See 42 U.S.C. 290dd–2(c).
Section 2.15 Patients Who Lack
Capacity and Deceased Patients
The final rule replaces the terms for
‘‘guardian or other individual
authorized under state law to act on the
patient’s behalf’’ with the term
‘‘personal representative’’ under § 2.11,
as described above. The Department
does not anticipate this to result in any
significant burdens or benefits. The
Department’s final rule will also replace
outdated references to incompetence
and instead refer to a lack of capacity to
make health care decisions and will add
‘‘uses’’ to ‘‘disclosures’’ to describe the
activities permitted when certain
conditions are met. These clarifications
and additions are unlikely to generate a
change in burden that can be quantified,
and thus they are not included in the
Department’s calculation of estimated
costs and cost savings.
Section 2.17 Undercover Agents or
Informants
The final rule adds the phrase ‘‘and
disclosure’’ in the heading of paragraph
(b) of this section and ‘‘or disclosed’’
after ‘‘used’’ in paragraph (b) for
consistency with changes throughout
the rule to align with HIPAA language.
We do not expect any change in burden
as a result of this change.
Section 2.20 Relationship to State
Laws
The final rule adds the term ‘‘use’’ to
describe activities regulated by this
section. Similar to 42 CFR part 2, state
laws impose restrictions on uses and
disclosures related to SUD and the
Department assumes programs subject
to regulation by this part would be able
to comply with part 2 and the state law.
The Department does not anticipate
these changes would result in a
quantifiable increase or decrease in
burden.
Section 2.21 Relationship to Federal
Statutes Protecting Research Subjects
Against Compulsory Disclosure of Their
Identity
The Department replaced ‘‘disclosure
and use’’ with ‘‘use and disclosure’’ to
align the language of this section with
the HIPAA Privacy Rule. The edit does
not require any changes to existing part
2 requirements. The Department does
not anticipate this change would result
in a quantifiable increase or decrease in
burden.
Section 2.24 Requirements for
Intermediaries
The final rule changes the definition
of ‘‘intermediary’’ to exclude part 2
programs, covered entities, and business
associates, as noted above. The
Department acknowledges that this
poses a burden reduction to covered
entities and business associates as they
are no longer subject to these
requirements; however, the Department
does not anticipate these changes to
have a significant impact.
Section 2.31 Consent Requirements
The final rule adds a new consent
requirement at § 2.31(b), requiring
separate consent for the use and
disclosure of SUD counseling notes. The
final rule limits use and disclosure of
SUD counseling notes without patient
consent in a manner that aligns with the
HIPAA Privacy Rule authorization
requirements for psychotherapy notes.
The Department believes there is a
qualitative benefit to patients and
clinicians who keep separate SUD
counseling notes. Requiring a separate
consent for SUD counseling notes offers
a means for patients to selectively
disclose sensitive information and
reduces barriers to clinicians recording
treatment information for patients
concerned about their confidentiality
being protected. The Department
acknowledges that there is a potential
increase in the administrative burden to
part 2 programs for segmenting SUD
counseling notes as well as obtaining an
additional patient consent; however, a
separate consent requirement strikes a
balance between heightened protection
and an appropriately tailored
permission for uses and disclosures that
are low risk for abuse or related to
requirements in law. The Department
lacks sufficient data on the number of
SUD counseling notes requiring
additional consent and does not expect
there to be a large number; and
therefore, does not anticipate these
changes would result in a quantifiable
increase or decrease in burden.
Section 2.34 Uses and Disclosures To
Prevent Multiple Enrollments
The final rule adds the term ‘‘uses’’ to
the heading and incorporates minor word
changes and style edits for clarity. The
edits do not require any changes to
existing part 2 requirements. The
Department does not anticipate these
changes would result in a quantifiable
increase or decrease in burden.
Section 2.35 Disclosures to Elements
of the Criminal Justice System Which
Have Referred Patients
The final rule replaces the term
‘‘individuals’’ with ‘‘persons,’’ clarifies
that permitted redisclosures of
information are from part 2 records, and
makes minor word and style edits for
clarity. The edits do not require any
changes to existing part 2 requirements.
The Department does not anticipate
these changes would result in a
quantifiable increase or decrease in
burden.
Section 2.52 Scientific Research
The Department considered whether
the requirement to align the de-identification standard in § 2.52 (and
throughout part 2) with the HIPAA
Privacy Rule de-identification standard
in 45 CFR 164.514 would significantly
increase burden for part 2 programs or
result in any unintended negative
consequences. The Department
concluded that the final rule change
would not significantly increase burden
because a part 2 program would need to
follow detailed protocols to ensure that
the current standard is met that are
similar to the level of work needed to
adhere to the HIPAA Privacy Rule
standard. Additionally, the final rule
ensures that all part 2 programs are
following similar standards for de-identification, which would benefit
researchers when creating data sets from
different part 2 programs, by enabling
them to populate the data sets with
similar content elements.
Section 2.53 Management Audits,
Financial Audits, and Program
Evaluation
The final rule’s clarification that some audit
and evaluation activities may be
considered health care operations could
be used by part 2 programs, covered
entities, and business associates to
obtain records based on consent for
health care operations, and such
entities could then redisclose them as
permitted by the HIPAA Privacy Rule.
The HIPAA Privacy Rule may allow
these entities greater flexibility to use or
redisclose the part 2 records for
permitted purposes compared to the
limitations contained in § 2.53 of part 2.
For part 2 programs that are covered
entities, this change could result in
burden reduction because they would
not have to track the records used for
audit and evaluation purposes as
closely; however, the Department is
without data to quantify the potential
cost reduction. For business associates,
there would likely be no change in
burden because they are already
obligated by contract to only use or
disclose PHI (which may be part 2
records) as allowed by the agreement
with the covered entity.
As discussed in preamble, the
disclosure permission under § 2.53
would continue to apply to audits and
evaluations conducted by a health
oversight agency without patient
consent. The Department does not
believe that the text of section 3221(e)
of the CARES Act indicates
congressional intent to alter the
established oversight mechanisms for
part 2 programs, including those that
provide services reimbursed by
Medicare, Medicaid, and Children’s
Health Insurance Program (CHIP). The
Department also intends that a
government agency conducting
activities that could fall within either
§ 2.53 or § 2.33 for health care
operations would have the flexibility to
choose which permission to rely on and
would not have to meet the conditions
of both sections. In the event that the
agency is a covered entity that has
received the records based on a consent
for TPO, it could further redisclose the
records as permitted by the HIPAA
Privacy Rule. Further, the Department
intends that the availability of the safe
harbor under § 2.3 does not affect the
ability of government agencies
conducting health oversight to continue
relying on § 2.53 to access records
without a court order.
Section 2.54 Disclosures for Public
Health
The Department does not believe that
an express permission to disclose
records to public health authorities
without patient consent will impact
burdens to a significant degree. While
part 2 programs will likely experience a
burden reduction from the lifting of a
consent requirement, the permission
may cause an increase in disclosures to
public health authorities, resulting in a
net impact of no change to burdens.
Additionally, to the extent these
disclosures are required by other law,
the compliance burden is not calculated
as a change caused by part 2.
Sections 2.61 Through 2.65 Procedures
for Court Orders
The Department lacks sufficient data
to estimate the number of instances
where the expanded scope of protection
from use or disclosure of records against
the patient in legal proceedings
(including in administrative and
legislative forums) would result in
increased applications for court orders
authorizing the disclosure of part 2
records or testimony.
Section 2.66 Procedures and Criteria
for Orders Authorizing Use and
Disclosure of Records To Investigate or
Prosecute a Part 2 Program or the Person
Holding the Records
Section 2.66(a)(3) provides specific
procedures for investigative agencies to
follow upon discovering after the fact
that they are holders of part 2 records,
such as securing, returning, or
destroying the records and optionally
seeking a court order under subpart E.
Although the existing regulation does
not expressly require law enforcement
agencies to return or destroy records
that it cannot use in investigations or
prosecutions against a part 2 program
when it does not obtain the required
court order, it requires lawful holders to
comply with § 2.16 (Security for
records). The Department developed the
requirements in § 2.66(a)(3) (to return or
destroy records that an investigative
agency is unable to use or disclose in an
investigation or prosecution) to parallel
the existing requirements in § 2.16 for
programs and lawful holders to
establish policies for securing paper and
electronic records, removing them, and
destroying them. Section 2.66(c)
requirements to obtain a court order,
obtain information in violation of this
part, or to return or destroy the records
within a reasonable time (no more than
120 days from discovering it has
received part 2 records), would not
significantly increase the existing
burden for investigative agencies to
comply with § 2.16.
Section 2.67 Orders Authorizing the
Use of Undercover Agents and
Informants To Investigate Employees or
Agents of a Part 2 Program in
Connection With a Criminal Matter
Section 2.67(c)(4) restricts an
investigative agency from seeking a
court order authorizing placement of an
undercover agent or informant unless it
has first exercised reasonable diligence
as described by § 2.3(b). This provision
serves as a prerequisite that would
allow an investigative agency to
continue placement of the undercover
agent or informant in a part 2 program
by correcting an error of oversight if the
investigative agency learns after the fact
that the undercover agent or informant
is in a part 2 program and avoiding the
risk of penalties for the violation. The
Department anticipates that the added
burden for searching SAMHSA’s online
treatment locator (FindTreatment.gov)
and a similar state database, and a
program’s website or physical location,
including its Patient Notice or HIPAA
NPP to ascertain whether the program
provides SUD treatment, would be
minimal, as these activities would
normally be included in the course of
investigating and prosecuting a part 2
program. The requirement would
merely shift the timing of these actions
in some cases so that investigative
agencies ensure they are completed
prior to requesting court approval of an
undercover agent or use of an informant.
The primary burden on investigative
agencies would be to include a
statement in an application for a court
order after learning of the program’s part
2 status after the fact, that the
investigator or prosecutor first exercised
reasonable diligence to determine
whether the program provided SUD
treatment. The burden for including this
statement within an application for a
court order is minimal and could
consist of standard language used in
each application. Thus, the Department
has not calculated specific quantitative
costs for compliance.
h. Costs Borne by the Department
This rule has a cost impact on HHS.
HHS has the primary responsibility to
assess the regulatory compliance of
covered entities and business associates
and part 2 programs. This final rule
would extend those responsibilities to
part 2 programs. In addition to
promulgating the current regulation,
HHS would be responsible for
developing guidance and conducting
outreach to educate the regulated
community and the public. The final
rule also requires HHS to investigate
and resolve complaints and compliance
reviews as part of its expanded
responsibility for part 2 compliance and
enforcement. The Department
estimates that implementing the new
part 2 enforcement requirements would
require two full-time policy employees
(or contractors) at the Office of
Personnel Management (OPM) General
Schedule (GS) GS–14 or equivalent level
who will develop regulation, guidance,
and national-level outreach.
Additionally, the Department estimates
needing eight full-time employees (or
contractors) for enforcement at a GS–13
or equivalent level to investigate, train
investigators, and provide local
outreach to regulated entities.366 The
cost of labor for enforcement of part 2
programs across the ten employees
described above amounts to $2,214,100
in the first year and $11,808,508 over all
five years from 2024 to 2028, including
appropriate step increases expected
across years. The Department also
estimates costs for hiring a contractor to
create a breach portal or a part 2 module
for the existing HIPAA breach portal.
The Department assumes that the costs
of hiring each contractor to maintain the
breach portal amount to 5 percent of
the annual operation and management
funding for the breach portal.367 The
initial posting of such breaches is
automated, and HHS currently pays a
contractor approximately $13,814
annually to maintain the database to
receive reports of breaches from HIPAA
covered entities. Under the same
assumptions, the Department estimates
approximately $13,814 to hire a second
contractor to maintain the database to
exclusively receive reports of breaches
from part 2 programs. Additionally,
HHS drafts and posts summaries of each
large breach on the website, using a
combination of GS–12, GS–13, GS–14,
and GS–15 workers.368 In total, the
Department assumes it will take workers
1.5 hours to summarize each breach and
that there will be 267 breaches requiring
summaries per year, equaling a labor
cost of approximately $32,107 per year.
To implement the enforcement
requirements, breach portal
maintenance, and breach summary
reporting, the Department estimates that
first year Federal costs will be
approximately $2,260,021 million. The
Department estimates that based on the
GS within grade step increases for each
of the GS–13 and GS–14 employees
working to enforce part 2 the Federal
costs will be approximately $12,038,112
million over 5 years. These costs are
presented in Table 18 below. The NPRM
had not originally included the cost to
the Department in the total cost
estimate. However, as these costs to the
Department are new to establish an
enforcement program for part 2, they
have been incorporated into the final
costs, presented below.369
366 To determine the salary rate of the employees
at the GS–13 and GS–14 pay scale, the Department
used the U.S. OPM’s GS classification and pay
system and used the Department’s General
Schedule (Base) annual rates. The Department used
the available 2022 data for the estimated costs. In
2022, the salary table for schedule GS–13, step 1
annual rate is $213,646, including $106,832 plus
100% for fringe benefits and overhead, and the GS–
14, step 1 annual rate is $252,466, including
$126,233 plus 100% for fringe benefits and
overhead. The Department estimated the costs over
5 years based on within-grade step increases based
on an acceptable level of performance and longevity
(waiting periods of 1 year at steps 1–3 and 2 years
at steps 4–6).
367 The Department estimates that the O&M costs
of maintaining the portal are $276,281 in 2022.
368 The Department uses hourly rates for Federal
employees from the OPM’s GS Base hourly rates for
2022. All workers are assumed to be at step 1. In
2022, GS–12 workers’ hourly rate is $65.46,
including $32.73 plus 100% for fringe benefits and
overhead; GS–13 workers’ hourly rate is $77.84,
including $38.92 plus 100% for fringe benefits and
overhead; an average rate between GS–14 and GS–
15 workers is used, equaling $100.08, including
$50.04 plus fringe benefits and overhead; and lastly
HHS headquarters staff is calculated at the GS–12
step 1 level with Washington, DC locality pay,
equaling $86.06, including $43.04 plus 100% for
fringe benefits and overhead.
Table 18. Part 2 Federal Costs (2022 dollars)
Federal Cost | Year 1 | Year 2 | Year 3 | Year 4 | Year 5
Enforcement Labor Cost | $2,214,200 | $2,287,908 | $2,361,700 | $2,435,504 | $2,509,296
Cost for Contract to Maintain Breach Portal | $13,814 | $13,814 | $13,814 | $13,814 | $13,814
Summary Drafting Labor Cost | $32,107 | $32,107 | $32,107 | $32,107 | $32,107
TOTAL | $12,038,112
i. Comparison of Benefits and Costs
The final rule results in costs, cost
savings, and benefits as described in the
preceding sections. Table 19 presents
the 5-year costs and cost savings
associated with part 2. Finally, Table 20
provides a narrative description of the
non-quantified final rule changes and
costs and benefits.
Table 19. Total Part 2 Costs and Savings Over 5-year Time Horizon (2022 dollars).
COST ITEM | 5-YEAR COSTS | 5-YEAR COST SAVINGS
2.4 Receiving a Complaint | $191,191 |
2.16 Breach Notice | $7,942,207 |
2.22 Patient Notice & Right to Discuss | $3,118,002 |
2.25 Accounting of Disclosures | $1,228 |
2.26 Requests for Restrictions | $25,096 |
2.31 Updating Consent Form | $1,686,716 |
2.32 Updating Disclosure Notice | $659,027 |
2.32 Attaching Consent Form | $14,735,957 |
2.68 Reporting to the Secretary | $308,630 |
Training | $13,320,186 |
Capital Expenses | $4,635,891 | ($2,476,388)
Obtaining Consent | | ($64,631,389)
Federal Costs | $12,038,112 |
TOTAL | $58,662,242 | ($67,107,778)
NET SAVINGS/COSTS | ($8,445,706)
369 Note, an FY 2024 budget request to support
additional enforcement activity is pending. See U.S.
Dep’t of Health and Human Servs., ‘‘Department of
Health and Human Services, Fiscal Year 2024,’’ FY
2024 Budget Justification, General Department
Management, Office for Civil Rights, at 255,
https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.
Table 20. Non-quantified Benefits/Costs for Regulated Entities and Patients.
Regulatory Changes | Costs | Benefits
Add notification of breaches of records by part 2 programs in the same manner the Breach Notification Rule applies to breaches of PHI by covered entities. | | Increased opportunity for patients to take steps to mitigate harm. Would provide the same information protections to patients receiving SUD treatment as are afforded to patients that receive other types of health care services.
Change the consent form content requirements and reduce instances where a separate written consent is needed. | Potential loss to patients of opportunity to provide granular consent for each use and disclosure; potential to chill some patients' willingness to access care. | Improved clarity and reduction of paperwork for patients, part 2 programs, covered entities, and business associates.
Align the Patient Notice and the HIPAA NPP. | | Improved understanding of patients' rights and covered entities' privacy practices.
Adding right to discuss program's Patient Notice. | | Improved understanding of patients' rights & programs' confidentiality practices; improved access to care.
Change the content requirements for the notice accompanying disclosure. | | Increased knowledge by patients of the expanded prohibition on use of records against patients in legal proceedings. Improved coordination for certain protections for part 2 records to "follow the record."
Add a new right for patients to request restrictions on uses and disclosures of their records for TPO. | | New opportunity for patients to assert their privacy interests to program staff; increased patient control through ability to prevent disclosures to their health plan when patient has paid in full for services. For part 2 programs, likely increase in full payment by patients which would decrease staff time spent with billing and claims activities.
Add an accounting of disclosures for TPO. | Potential increased costs to modify information systems to capture required data. | Increased transparency about how records and part 2 information are disclosed for TPO.
Modifications for clarification, readability, or consistency with HIPAA terminology. | | Improved understanding by regulated entities, patients, and the public.
Limiting investigative agencies' potential liability for unknowing receipt of part 2 records. | | Increased awareness of part 2 obligations for investigative agencies. Opportunity for investigative agencies to pursue action against part 2 programs despite initial procedural errors.
Requiring investigative agencies to report annually to the Secretary if they seek to use records obtained prior to seeking a court order. | | Creates transparency and accountability for agencies' use of part 2 records in civil, criminal, administrative, and legislative proceedings.
Consideration of Regulatory
Alternatives
Upon review of public comments on
the NPRM, the Department considered
alternatives to several proposals and the
provisions that are finalized in this rule
as explained below.
Section 2.11 Definitions
Lawful Holder
Although not required by the CARES
Act, the Department is finalizing a
regulatory definition of the term ‘‘lawful
holder.’’ We considered expressly
excluding family, friends, and informal
caregivers from the definition because
we understand that these types of
informal caregivers are overwhelmingly
not professional entities and would not
have the means or other resources
necessary to meet obligations that part
2 places upon them. For example, § 2.16
requires part 2 programs or other lawful
holders to have in place formal policies
and procedures to protect against
unauthorized disclosures and a patient’s
family member who receives a record
based on consent could not be
reasonably expected to comply.
The description of ‘‘lawful holder’’ as
a person who has received a part 2
record based on consent means that any
person who receives records pursuant to
a valid consent could be considered a
lawful holder. We believe maintaining
the parameters of the definition so it is
confined to those who receive records as
specified, is clear and unambiguous. To
maintain this clarity, the Department
believes it more appropriate to carve out
an exception in § 2.16 for certain types
of lawful holders (i.e., family, friends,
and informal caregivers) from those
obligations to which they should not
reasonably be expected to adhere. As we
discuss in preamble, we do expect that
these informal caregivers will still
exercise some level of caution and care
when handling these records.
Section 2.12 Exception for Reporting
Suspected Abuse and Neglect
The Department considered for a
second time expanding the exception
under § 2.12(c)(6) for reporting
suspected child abuse and neglect to
include reporting suspected abuse and
neglect of adults. Such an expansion
would be consistent with the HIPAA
Privacy Rule permission to report abuse,
neglect, or domestic violence at 45 CFR
164.512(c), and could be beneficial for
vulnerable adults, such as persons who
are incapacitated or otherwise are
unable to make health care decisions on
their own behalf. However, § 2.12(c)(6),
under the authority of 42 U.S.C. 290dd–
2, limits the reporting of abuse and
neglect to reporting child abuse and
neglect as required by State or local law.
Further, section (c) of the authorizing
statute also restricts uses of records in
criminal, civil, or administrative
contexts, which could include
investigations by a protective services
agency, for example, unless pursuant to
a court order or with the patient’s
consent. Therefore, the Department
determined that expanding the
exception under § 2.12(c)(6) to include
reporting abuse and neglect of adults
would exceed the statutory authority
although we believe such reporting is
needed.
Section 2.16 Security of Records and
Notification of Breaches
The Department considered further
harmonizing part 2 and the HIPAA
regulations by applying the HIPAA
Security Rule, or components of it, to
part 2 programs and other lawful
holders with respect to electronic part 2
records. A majority of commenters who
addressed this issue recommended
applying the HIPAA Security Rule to
part 2 programs; however, few of these
comments were from part 2 programs.
Further, the CARES Act did not make
the HIPAA Security Rule applicable to
part 2 programs. The Department is not
finalizing any additional modifications
to align the HIPAA Security Rule and
part 2 at this time, but will take these
comments into consideration in
potential future rulemaking.
Breach Notification Obligation for QSOs
The Department considered expressly
applying breach notification provisions
finalized in paragraph (b) of § 2.16 to
qualified service organizations ‘‘in the
same manner as those provisions apply
to a business associate [. . .]’’. To the
extent that QSOs handle unsecured part
2 records on behalf of part 2 programs,
the same policy objectives for requiring
breach notification would equally
apply. Further, to align with the
structure of HIPAA, which imposes
breach notification obligations on both
covered entities and business associates,
the Department considered that
finalizing a parallel provision would
further align the regulations. However,
in analyzing title 42, as amended by the
CARES Act, Congress was silent on this
issue. In comparison, in section
13402(b) of the HITECH Act, Congress
expressly extended the obligation of a
business associate to notify a covered
entity in the event of a breach of PHI.
This difference leads us to conclude that
the requirement for QSOs to report was
not intended. However, we expect that
part 2 programs are likely to consider
adding such requirements to QSO
agreements to enable the programs to
meet their breach notification
obligations.
Section 2.26 Right To Request
Restrictions Based on Ability To Pay
Section 290dd–2 of title 42 of U.S.C.,
as amended by the CARES Act, applied
section 13405(c) of the HITECH Act,
including the right of a patient to obtain
restrictions on disclosures to health
plans for services paid in full similar to
how the right is structured in the
HIPAA Privacy Rule at 45 CFR 164.522
with respect to PHI. In response to public
comments, the Department considered a
more equitable provision that would
require part 2 programs to agree to a
requested restriction in the case of those
who cannot afford to pay for care in full.
The Department determined that the
amended statute did not grant such
authority. The Sense of Congress in the
CARES Act, section 3221(k)(3), provides
that: ‘‘[c]overed entities should make
every reasonable effort to the extent
feasible to comply with a patient’s
request for a restriction regarding a
particular use or disclosure.’’ Although
the Sense of Congress did not include
part 2 programs in its urging, we
encourage these programs to also make
every reasonable effort to fulfill
requested restrictions on disclosures for
TPO.
Sections 2.31 and 2.32 Tracking
Consent and Revocation of Consent
The Department considered
alternatives to facilitate the new TPO
consent and redisclosure permission for
recipients of part 2 records and ensure
such records are protected from use and
disclosure in proceedings against the
patient, absent consent or a court order.
The Department further considered how
other changes to the scope of a patient’s
consent would be tracked or
communicated to recipients, such as
patient-requested restrictions on
disclosures and revocation of consent.
We received many comments offering
information about current practices,
technology capabilities, and different
approaches to tracking consent,
revocation, and restrictions, as
discussed in the preamble, and
considered not imposing any new
requirements. However, comments that
sought no requirement to track the
scope of consent provided were from
organizations that did not believe that
the prohibition on use of records in
proceedings against patients should
continue to apply to records received by
a covered entity or business associate
under a TPO consent. We disagree with
this view and further, recognize that
patients may still provide a consent for
disclosures that is not a TPO consent.
We considered requiring a copy of
consent to be attached to each
disclosure without any other option;
however, in consideration of the amount
of the burden and the available HIE
models used to exchange electronic
records, we offer an option in new
paragraph (b) of § 2.32 for disclosers to
provide a clear explanation of the scope
of the consent provided. We believe this
offers the flexibility needed for health IT
systems to exchange needed information
about the consent status of an electronic
record.
The Department also analyzed how
part 2 programs and recipients of
records would effectively implement a
patient’s revocation of consent and
considered adding a requirement for
programs to notify recipients when a
consent is revoked. Upon consideration
of the complexities and burden this
would impose we decided not to create
a regulatory requirement, but to explain
our expectation in preamble that
programs would ensure patients’
revocation rights are respected.
Section 2.52 Adding a Permission To
Disclose Records in Limited Data Sets
The Department considered adding a
permission to allow part 2 programs to
disclose records in the form of a limited
data set. The part 2 requirements for a
limited data set would have matched
those for limited data sets under the
HIPAA Privacy Rule (45 CFR
164.504(e)) and would have responded
to public comments requesting such a
permission for research and public
health disclosures of records. However,
title 42 refers only to the disclosure of
records de-identified to the HIPAA
standard at 45 CFR 164.514(b) for public
health purposes and this differs from
de-identification allowed for a limited
data set under 45 CFR 164.514(e).
Although the Department is finalizing
new standards for public health and
research purposes that align with the 45
CFR 164.514(a) and (b), we are not
promulgating a standard for limited data
sets at this time.
Subpart E Evidentiary Suppression
Remedy for Records Obtained in
Violation of Part 2
In response to commenters’ concerns
about the potential for law enforcement
to obtain records through coerced
patient consent, we considered creating
an express right for patients to request
suppression of records obtained in
violation of this part for use as evidence
in proceedings against them. However,
we determined that was unnecessary for
two reasons. First, the provision for
patients to consent to use and disclosure
of records in investigations and
proceedings against them is not new—
it is covered in § 2.33(a)—thus, newly
heightened concern about consent based
on changes in this final rule is
unwarranted. Second, the prohibition
on disclosures based on false consent in
§ 2.31(c) offers some protection to
patients from coerced consent.
Sections 2.66 and 2.67 Preventing
Misuse of Records by Investigative
Agencies
In response to public comments
expressing concern about misuse of
records by investigative agencies
shielded from liability under the
proposed safe harbor, the Department
considered describing, in preamble, the
expectation that information from
records obtained in violation of part 2
cannot be used to apply for a court order
for such records. Instead, the
Department added language to
§§ 2.66(c)(3) and 2.67(c)(4) to expressly
prohibit the use of such information, in
regulatory text. The Department believes
codifying the prohibition in regulatory
text creates an enforceable legal
prohibition and more strongly deters
investigative agencies from misusing
records or information obtained in
violation of part 2.
HIPAA NPP
The Department considered finalizing
modifications to 45 CFR 164.520 in this
final rule and decided not to do so, in
part, because of limitations on how
often modifications may be made to the
HIPAA Privacy Rule.370 Thus, it is
necessary to combine changes to the
HIPAA NPP with other changes to the
HIPAA NPP that are anticipated in the
future. Finalizing changes to the HIPAA
NPP in this final rule would prevent us
from making any further modifications
to the HIPAA NPP for one year. We
realize this creates a possible gap when
covered entities may have changes in
policies and procedures that are not
reflected in their HIPAA NPP; however,
potentially needing to make multiple
changes to the HIPAA NPP over a short
time span would be equally problematic
and confusing to individuals.
Additionally, each set of revisions to the
HIPAA NPP would add a burden to
covered entities for making updates and
distributing the HIPAA NPP totaling
approximately $45 million as described
in the NPRM.371 As explained in
preamble, we intend to align
compliance dates for any required
changes to the HIPAA NPP and part 2
Patient Notice to enable covered entities
to make such changes at the same time.
370 See 45 CFR 160.104 (limiting changes by the
Secretary to HIPAA standards or implementation
specifications to once every 12 months).
371 See 87 FR 74216 (Dec. 2, 2022), Table 9b.
Privacy Rule Costs and Savings Over 5-year Time
Horizon.
B. Regulatory Flexibility Act
The Department has examined the
economic implications of this final rule
as required by the Regulatory Flexibility
Act (5 U.S.C. 601–612). If a rule has a
significant economic impact on a
substantial number of small entities, the
Regulatory Flexibility Act (RFA)
requires agencies to analyze regulatory
options that would lessen the economic
effect of the rule on small entities. For
purposes of the RFA, small entities
include small businesses, nonprofit
organizations, and small governmental
jurisdictions. The Act defines ‘‘small
entities’’ as (1) a proprietary firm
meeting the size standards of the Small
Business Administration (SBA), (2) a
nonprofit organization that is not
dominant in its field, and (3) a small
government jurisdiction of less than
50,000 population. The Department did
not receive any public comments on the
NPRM small business analysis
assumptions and is therefore making no
changes to them for this final rule;
however, we have updated this analysis
of small entities for consistency with
revisions to the regulatory impact
analysis relating to the costs and cost
savings to part 2 programs and covered
entities. The Department has
determined that roughly 90 percent or
more of all health care providers meet
the SBA size standard for a small
business or are nonprofit organizations.
The Department assumes the part 2
program entities have the same size
distribution as health care providers.
Therefore, the Department estimates
there are 14,459 small entities affected
by this rule.372 The SBA size standard
for health care providers ranges between
a maximum of $9 million and $47
million in annual receipts, depending
upon the type of entity.373
The projected costs and savings are
discussed in detail in the RIA (section
4.e.). This final rule would create cost
savings for regulated entities (part 2
programs and covered entities), many of
which are small entities. The
Department considers a threshold for
the size of the impact of 3 to 5 percent
of entity annual revenue as a measure of
significant economic impact. The
Department estimates the annualized 3
percent discounted net savings,
excluding Federal Government costs
since they do not apply to covered or
small entities, of this rule to be
$4,921,888. Spread across 14,459 small
entities, the average savings per small
entity are equal to $340.39. Since even
the smallest entities in Sector 62 average
over $55,000 in annual receipts, the
projected impact for most of them is
well below the 3 to 5 percent
threshold.374 Therefore, the Secretary
certifies that this final rule would not
result in a significant negative impact
on a substantial number of small
entities.
372 14,459 = 16,066 (the number of part 2
programs) × 0.9 (90% of all health care providers are
small entities).
373 This range of size standards covers the full list
of 6-digit codes in Sector 62—Health Care and
Social Assistance. The analysis uses SBA size
standards effective as of March 17, 2023. U.S. Small
Business Admin., ‘‘Table of Small Business Size
Standards,’’
https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
374 The entities in the smallest recorded receipt
size category (<$100,000) average $56,500 in annual
receipts (in 2022 dollars). See U.S. Census. ‘‘2017
SUSB Annual Data Tables by Establishment
Industry’’.
https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html.
C. Unfunded Mandates Reform Act
Section 202(a) of The Unfunded
Mandates Reform Act of 1995 requires
that agencies assess anticipated costs
and benefits before issuing any rule
whose mandates require spending that
may result in expenditures in any one
year of $100 million in 1995 dollars,
updated annually for inflation. The
current threshold after adjustment for
inflation is $177 million, using the most
current (2022) Implicit Price Deflator for
the Gross Domestic Product. The
Department does not anticipate that this
final rule would result in the
expenditure by state, local, and Tribal
governments, taken together, or by the
private sector, of $177 million or more
in any one year. The final rule, however,
presents novel legal and policy issues,
for which the Department is required to
provide an explanation of the need for
this final rule and an assessment of any
potential costs and benefits associated
with this rulemaking in accordance with
E.O.s 12866 and 13563. The Department
presents this analysis in the preceding
sections.
D. Executive Order 13132—Federalism
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a
proposed rule (and subsequent final
rule) that imposes substantial direct
requirement costs on state and local
governments, preempts state law, or
otherwise has federalism implications.
The Department does not believe that
this rulemaking would have any
federalism implications.
The federalism implications of the
HIPAA Privacy, Security, Breach
Notification, and Enforcement Rules
were assessed as required by E.O. 13132
and published as part of the preambles
to the final rules on December 28,
2000,375 February 20, 2003,376 and
January 25, 2013.377 Regarding
preemption, the preamble to the final
HIPAA Privacy Rule explains that the
HIPAA statute dictates the relationship
between state law and HIPAA Privacy
Rule requirements, and the Privacy
Rule’s preemption provisions do not
raise federalism issues. The HITECH
Act, at section 13421(a), provides that
the HIPAA preemption provisions shall
apply to the HITECH Act provisions and
requirements.
375 65 FR 82462, 82797.
376 68 FR 8334, 8373.
377 78 FR 5566, 5686.
The federalism implications of part 2
were assessed and published as part of
the preamble to proposed rules on
February 9, 2016.378
The Department anticipates that the
most significant direct costs on state and
local governments would be the cost for
state and local government-operated
covered entities to revise consent forms,
policies and procedures, providing
notification in the event of a breach of
part 2 records and drafting, printing,
and distributing Patient Notices for
individuals with first-time health
encounters. The RIA above addresses
these costs in detail.
In considering the principles in and
requirements of E.O. 13132, the
Department has determined that the
final rule would not significantly affect
the rights, roles, and responsibilities of
the States.
E. Assessment of Federal Regulation
and Policies on Families
Section 654 of the Treasury and
General Government Appropriations
Act of 1999 379 requires Federal
departments and agencies to determine
whether a proposed or final policy or
regulation could affect family well-being. If the determination is
affirmative, then the Department or
agency must prepare an impact
assessment to address criteria specified
in the law. The Department believes that
these regulations would positively
impact the ability of patients and
families to coordinate treatment and
payment for health care, particularly for
families to participate in the care and
recovery of their family members
experiencing SUD treatment, by aligning
the permission for covered entities and
business associates to use and disclose
records disclosed to them for TPO
purposes with the permissions available
in the HIPAA Privacy Rule. The
Department does not anticipate negative
impacts on family well-being as a result
of this regulation or the separate
rulemaking as described.
378 81 FR 6987, 7012 (Feb. 9, 2016).
379 Public Law 105–277, 112 Stat. 2681 (Oct. 21,
1998).
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act
of 1995 (PRA) (Pub. L. 104–13), agencies
are required to submit to the OMB for
review and approval any reporting or
recordkeeping requirements inherent in
a proposed or final rule, and are
required to publish such proposed
requirements for public comment. The
PRA requires agencies to provide a 60-day notice in the Federal Register and
solicit public comment on a proposed
collection of information before it is
submitted to OMB for review and
approval. To fairly evaluate whether an
information collection should be
approved by OMB, section 3506(c)(2)(A)
of the PRA requires that the Department
solicit comment on the following issues:
1. Whether the information collection
is necessary and useful to carry out the
proper functions of the agency;
2. The accuracy of the agency’s
estimate of the information collection
burden;
3. The quality, utility, and clarity of
the information to be collected; and
4. Recommendations to minimize the
information collection burden on the
affected public, including automated
collection techniques.
The PRA requires consideration of the
time, effort, and financial resources
necessary to meet the information
collection requirements referenced in
this section. The Department did not
receive comments related to the
previous notice but has adjusted the
estimated respondent burden in this
request to reflect revised assumptions
based on updated information available
at the time of the final rule’s
publication. This revision resulted in
adjusted cost estimates that are
consistent with the RIA presented in
this final rule. The estimates covered
the employees’ time for reviewing and
completing the collections required.
As discussed below, the Department
estimates a total part 2 program burden
associated with all final rule part 2
changes of 672,663 hours and
$50,516,207, including capital costs and
one-time burdens, across all 16,066 part
2 programs for 1,864,367 annual patient
admissions. On average, this equates to
an annual burden of 42 hours and
$3,1444 per part 2 program and 0.36
hours and $27 per patient admission.
Excluding one-time costs that would be
incurred in the first year of the final
rule’s implementation, the average
annual burden would be 27 hours and
$1,940 per part 2 program and 0.24
hours and $17 per patient admission. In
addition to program burdens, the
Department’s final rule would increase
burdens on investigative agencies for
reporting annually to the Secretary in
the collective amount of 759 hours of
labor and $61,726 in costs. This would
result in a total burden for part 2 of
672,663 hours in the first year after the
rule becomes effective and 439,880
annual burden hours thereafter.
In this final rule, the Department is
revising certain information collection
requirements and, as such, is revising
the information collection last prepared
in 2020 and previously approved under
OMB control #0930–0092.
Explanation of Estimated Annualized
Burden Hours for 42 CFR Part 2
The Department presents, in separate
tables below, revised estimates for
existing burdens (Table 21), previously
unquantified ongoing burdens (Table
22), new ongoing burdens of the final
rule (Table 23), and new one-time
burdens of the final rule (Table 24).
Table 21. Annualized Estimates of Current Burdens.*

| Part 2 Provision | Type of Respondent | Respondents | Responses per Respondent | Total Responses | Average Time per Response (hours) | Total Burden Hours |
|---|---|---|---|---|---|---|
| 2.22 | Patient Notice | 1,864,367a | 1 | 1,864,367 | 0.021 | 38,841 |
| 2.31 | Obtaining Consent for TPO Disclosures | 1,864,367 | 1 | 1,864,367 | 0.0833 | 155,364 |
| 2.36 | PDMPb Reporting | 16,066c | 176.03 | 2,828,050 | 0.0333 | 94,268 |
| 2.51 | Documenting Emergency Tx. Disclosure | 16,066 | 2 | 32,132 | 0.167 | 5,355 |
| 2.52 | Disclosures for Research - Elec. | 125,845d | 1 | 125,845 | 0.083 | 10,487 |
| 2.52 | Disclosures for Research - Paper | 13,983e | 1 | 13,983 | 0.250 | 3,496 |
| 2.53 | Disclosures for Audit & Eval. - Elec. | 125,845f | 1 | 125,845 | 0.083 | 10,487 |
| 2.53 | Disclosures for Audit & Eval. - Paper | 13,983g | 1 | 13,983 | 0.250 | 3,496 |
| Total Ongoing Burdens, Currently Approved380 | | | | 6,868,571 | | 321,794 |

* Not all decimal places are shown.
a. Number of annual part 2 program admissions as a proxy for total number of patients.
b. For more information about PDMPs, see https://store.samhsa.gov/product/In-BriefPrescription-Drug-Monitoring-Programs-A-Guide-for-Healthcare-Providers/SMA16-4997.
c. Total number of part 2 programs.
d. Estimated number of research disclosures made electronically.
e. Estimated number of research disclosures on paper.
f. Estimated number of disclosures for audit and evaluation made electronically.
g. Estimated number of disclosures for audit and evaluation made on paper.
380 This refers to approved information collections; however, the burden hours shown are adjusted for the final rule.

As shown in Table 21, the Department
is adjusting the currently approved
burden estimates to reflect an increase
in the number of part 2 programs, from
13,585 to 16,066. The respondents for
this collection of information are
publicly (Federal, State, or local)
funded, assisted, or regulated SUD
treatment programs. The estimate of the
number of such programs (respondents)
is based on the results of the 2020 N–SSATS,
which represents an increase of
2,481 programs from the 2017 N–SSATS
which was the basis for the approved
ICR under OMB No. 0930–0335. The
average number of annual total
responses is based on the results of the
average number of SUD treatment
admissions from SAMHSA’s 2019 TEDS
as the number of annual patient
admissions by part 2 programs
(1,864,367 patients). To accurately
reflect the number of disclosures, the
Department based some estimates on the
number of patients (or a multiple of that
number) and then divided by the
number of programs to arrive at the
number of responses per respondent.
The Department based other estimates
on the number of programs and then
multiplied by the estimated number of
disclosures to arrive at the total number
of responses.
The estimate in the currently
approved ICR includes the time spent
with the patient to obtain consent and
the time for training for counselors.381
The Department is now estimating the
time for obtaining consent separately
from the burden of training time and
applies an average of 5 minutes per
patient admission for obtaining consent.
For §§ 2.31, 2.52, and 2.53, the
Department is separating out estimates
for each provision which were
previously reported together and is also
adjusting the estimates. For § 2.31, the
Department believes that disclosures
with written consent for TPO are made
for 100 percent of patients; due to the
final rule changes to the consent
requirements, the Department assumes
that part 2 programs would experience
a decreased burden from an average of
3 consents per admission to 1 consent.
Table 21 reflects 1 consent for each of
the 1,864,367 annual patient admissions
(used as a proxy for the estimated
number of patients) and a time burden
of 5 minutes per consent for a total of
155,364 burden hours. The previously
unacknowledged burden of obtaining
multiple consents for each patient is
shown in Table 22, below.
The Department previously estimated
that for §§ 2.31 (consent), 2.52
(research), and 2.53 (audit and
evaluation) combined, part 2 programs
would need to disclose an average of 15
percent of all patients’ records
(1,864,367 records × .15 = 279,655
disclosures). The Department is
adjusting its estimates to reflect that 15
percent of patients would have records
disclosed without consent for research
and audits or evaluations and that this
would be divided evenly between the
two provisions, resulting in 7.5% of
1,864,367 records (or approximately
139,828 disclosures) for § 2.52
disclosures and the same for § 2.53
disclosures. The Department previously
estimated that 10 percent of disclosed
records would be disclosed in paper
form while the remaining 90 percent
would be disclosed electronically. The
time burden for disclosing a paper
record is estimated as 15 minutes and
the time for disclosing an electronic
record as 5 minutes. For part 2 programs
using paper records, the Department
expects that a staff member would need
to gather and aggregate the information
from paper records, and manually track
disclosures; for those part 2 programs
with a health IT system, the Department
expects records and tracking
information will be available within the
system.
For § 2.36, the Department used the
average number of opiate treatment
admissions from SAMHSA’s 2019 TEDS
(565,610 admissions) and assumed the
PDMP databases would need to be
accessed and reported once initially and
quarterly thereafter for each patient
(565,610 × 5 = 2,828.050). Dividing the
number of opiate treatment admissions
by the number of SUD programs results
in an average of 35.21 patients per
program (565,610 patients ÷ 16,066
programs) and 176.03 PDMP updates
per respondent (35.21 patients/program
× 5 PDMP updates per patient). Based
on discussions with providers, the
Department believes accessing and
reporting to PDMP databases would take
approximately 2 minutes per patient,
resulting in a total annual burden of 10
minutes (5 database accesses/updates ×
2 minutes per access/update) or 0.166
hours annually per patient. For § 2.51,
the time estimate for recordkeeping for
a clerk to locate a patient record, record
the necessary information and re-file the
record is 10 minutes.
Table 22. Annualized Estimate of Previously Unquantified Burden.

| Part 2 Provision | Type of Respondent | Respondents | Responses per Respondent | Total Responses | Average Time per Response (hours) | Total Burden Hours |
|---|---|---|---|---|---|---|
| 2.31 | Obtaining Consent | 1,864,367a | 2.5 | 4,660,918 | 0.083 | 388,410 |

a. Annual number of part 2 program admissions as a proxy for number of part 2 patients.

As shown in Table 22, for § 2.31 the
Department is recognizing for the first
time the burden on part 2 programs to
obtain multiple consents for each
patient annually. The Department
estimates that for each patient
admission to a program a minimum of
3 consents is needed for disclosures of
records: one each for treatment,
payment, and health care operations
(1,864,367 × 3).
As shown in Table 21, a burden is
already recognized for obtaining
consent, but the estimate assumed only
one consent per admission under the
existing regulation and it was combined
with estimates for disclosures without
consent under §§ 2.52 (research) and
2.53 (audit and evaluation). The
Department believes its previous
calculations underestimated the
numbers of consents obtained annually,
and thus the Department views its
updated estimate (i.e., adding two
consents per patient annually) as
acknowledging a previously
unquantified burden. Additionally,
recipients of part 2 records that are
covered entities or business associates
must obtain consent for redisclosure of
these records. The Department estimates
an average of one-half of patients’
records are disclosed to a covered entity
or business associate that needs to
redisclose the record with consent
(1,864,367 × .5), and this also represents
a previously unquantified burden.
Together, this would result in an
increase of 2.5 consents annually per
patient. However, this would be offset
by the changes in this final rule, which
are estimated to result in a reduction in
the number of consents by 2.5 per
patient, thus resulting in no change
from the currently approved burden of
1 consent per patient.
381 The Department estimated that the amount of
time for disclosure to a patient ranged from a low
of 3–5 minutes to a high of almost 38 minutes; the
approximately 12-minute estimate used to estimate
burden reflected a judgment about the time needed
to adequately comply with the legal requirements
and for basic training of counselors on the
importance of patient confidentiality.
Table 23. Annualized Estimates for Final Rule New Recurring Burdens.

| Type of Respondent | Number of Respondents | Number of Responses per Respondent | Total Responses | Average burden hours per Response | Total Burden Hours |
|---|---|---|---|---|---|
| Entities Receiving a Complaint | 1,864 | 1 | 1,864 | 0.167 | 331 |
| Individual Notice-Written and E-mail Notice (drafting) | 1,170a | 1 | 1,170 | 0.5 | 585 |
| Individual Notice-Written and E-mail Notice (preparing and documenting notification) | 1,170 | 1 | 1,170 | 0.5 | 585 |
| Individual Notice-Written and E-mail Notice (processing and sending) | 1,170 | 1,941 | 2,270,271b | 0.008 | 18,162 |
| Individual Notice-Substitute Notice (posting or publishing) | 55 | 1 | 55 | 1 | 55 |
| Individual Notice-Substitute Notice (staffing toll-free number) | 55c | 1 | 55 | 3.42d | 188 |
| Individual Notice-Substitute Notice (individuals' voluntary burden to call toll-free number for information) | 2,265e | 1 | 2,265 | .125f | 283 |
| Media Notice | 5g | 1 | 5 | 1.25 | 7 |
| Notice to Secretary (notice for breaches affecting 500 or more individuals) | 5 | 1 | 5 | 1.25 | 7 |
| Notice to Secretary (notice for breaches affecting fewer than 500 individuals) | 1,164h | 1 | 1,164 | 1 | 1,164 |
| 500 or More Affected Individuals (investigating and documenting breach) | 5i | 1 | 5.34 | 50 | 267 |
| Less than 500 Affected Individuals (investigating and documenting breach) - affecting 10-499 | 50j | 1 | 49.58 | 8 | 397 |
| Less than 500 Affected Individuals (investigating and documenting breach) - affecting <10 | 1,115k | 1 | 1114.72 | 4 | 4,459 |
| Right to Discuss Patient Notice | 18,644l | 1 | 18,644 | 0.12 | 2,175 |
| Accounting for Disclosures of Part 2 Records | 100m | 1 | 800 | 0.05 | 5 |
| Rights to Request Restrictions | 1,200n | 1 | 1,200 | 0.1 | 120 |
| Attach consent form with each disclosure (Paper records disclosed) | 186,437o | 3 | 559,310 | 0.08 | 46,609 |
| Attach consent form with each disclosure (Electronic records disclosed) | 1,677,930p | 3 | 5,033,791 | 0.01 | 42,948 |
| Report to the Secretary | 506q | 1 | 506 | 1.5 | 759 |
| TOTAL | | | 7,892,746 | | 118,086 |

a. Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to
represent part 2 breaches.
b. Average number of individuals affected per breach incident reported in 2015 (113,513,562)
multiplied by .02.
c. All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied
by .02.
d. This assumes that 10% of the sum of (a) all individuals affected by large breaches in 2015
(113,250,136) and (b) 5% of individuals affected by small breaches (0.05 x 285,413 = 14,271)
will require substitute notification. Thus, the Department calculates 0.10 x (113,250,136 +
14,271) = 11,326,441 affected individuals requiring substitute notification for an average of
4,125 affected individuals per such breach. The Department assumes that 1% of the affected
individuals per breach requiring substitute notice annually will follow up with a telephone call,
resulting in 41.25 individuals per breach calling the toll-free number. The Department assumes
that call center staff will spend 5 minutes per call, with an average of 41 affected individuals per
breach requiring substitute notice, resulting in 3.42 hours per breach spent answering calls from
affected individuals.
e. As noted in the previous footnote, this number equals 1% of the affected individuals who
require substitute notification (0.01 x 11,326,441 = 113,264) multiplied by .02 to represent part 2
program breaches.
f. This number includes 7.5 minutes for each individual who calls with an average of 2.5 minutes
to wait on the line/decide to call back and 5 minutes for the call itself.
g. The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to
represent the number of part 2 breaches.
h. The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied
by .02 to represent the number of part 2 breaches.
i. 267 multiplied by .02.
j. 2,479 multiplied by .02.
k. 55,736 multiplied by .02.
l. The Department estimates that 1 percent of all patients annually would request a discussion of
the Patient Notice for an average of 7 minutes per discussion, calculated as .01 x 1,864,367 at the
hourly wage of a SUD counselor.
m. The Department estimates that covered entities annually fulfill 5,000 requests from
individuals for an accounting of disclosures of their PHI multiplied by .02 to represent the
number of requests from patients for an accounting from part 2 patients.
n. The Department doubled the estimated number of requests for confidential communications or
restrictions on disclosures of PHI per year (to 40,000) due to the effect of the broadened TPO
consent and related redisclosure permission and multiplied it by .03 to represent requests from
part 2 patients.
o. Calculated as the number of patient admissions multiplied by the number of paper consent
forms that need to be attached (10% of total patient admissions and 3 copies of consent forms
each).
p. Calculated as the number of patient admissions multiplied by the number of electronic consent
forms (or an explanation of consent) that need to be attached (90% of total patient admissions
and 3 copies of consent forms each).
q. Estimated number of investigations of programs, used as a proxy for the instances an
investigative agency would be in receipt of a record prior to obtaining the required court order.

In Table 23 above, the Department
shows an annualized new hourly
burden of approximately 94,781 hours
due to final rule requirements for
receiving complaints, breach
notification, accounting of disclosures
of records, responding to patient’s
requests for restrictions on disclosures,
discussing the Patient Notice, attaching
consent form with each disclosure, and
required reporting by investigative
agencies. These burdens would be
recurring. The estimates represent 2
percent of the total estimated by the
Department for compliance with the
parallel HIPAA requirements for
covered entities. This percentage was
calculated by dividing the total number
of covered entities by the number of part
2 programs (16,066/774,331 = .02). The
Department recognizes that this is an
overestimate because an unknown
proportion of part 2 programs are also
covered entities. As a result of these
calculations, the estimated number of
respondents and responses is not a
whole number. The totals were based on
calculations that included decimals not
shown in the table, resulting in different
totals than computed in ROCIS for some
line items. For § 2.32, the Department
estimates a new burden for attaching a
consent or a clear explanation of the
scope of the consent to each disclosure.
The Department estimates that each part
2 program would make three (3) annual
disclosures per patient for 1,864,367
patients yearly. The Department also
estimates that consent forms would
need to be attached to paper disclosures
as well as electronic disclosures and
assumes ninety percent (90%) of
disclosures are received electronically,
totaling 5,033,791 consents or
explanations of consent attached to
electronic disclosures, while the
remaining ten percent (10%) would be
received in paper format, totaling
559,310 attached paper disclosures. The
Department assumes a receptionist or
information clerk would take 5 minutes
to attach a consent form for each paper
disclosure and 30 seconds to attach a
consent form for each electronic
disclosure. This would result in a total
recurring burden of 46,609 hours for
paper disclosures and 41,948 hours for
electronic disclosures.
The total number of responses for the
accounting of disclosures has been
corrected in the table to show 100,
whereas the proposed rule displayed a
total of 800. The total in Table 23 also
includes the Department’s estimates for
a recurring annual burden on
investigative agencies of 759 hours,
relying on previous estimates for the
burden of reporting breaches of PHI to
the Secretary at 1.5 hours per report.
Table 24. Estimates for Nonrecurring New Burdens.

| Type of Respondent | Number of Respondents | Number of Responses per Respondent | Total Responses | Average burden hours per Response | Total Burden Hours |
|---|---|---|---|---|---|
| 2.04 Complaint Procedures & Nonretaliation - Training (manager) | 16,066a | 1 | 16,066 | 0.75 | 12,050 |
| 2.16 Breach Notice Training (manager) | 16,066 | 1 | 16,066 | 1 | 16,066 |
| 2.22 Patient Notice, incl. right to discuss - Training (counselor) | 202,072 | 1 | 224,231 | 0.25 | 45,058 |
| 2.22 Updating Patient Notice (lawyer) | 16,066 | 1 | 16,066 | 1 | 16,066 |
| 2.25 Accounting of Disclosures - Training (med. records specialist) | 16,066 | 1 | 16,066 | 0.5 | 8,033 |
| 2.26 Requests for Restrictions - Training (receptionist, medical records, & billing) | 16,066 | 3 | 48,198 | 0.25 | 12,050 |
| 2.31 Updating Consent Form (lawyer) | 16,066 | 1 | 16,066 | 0.66 | 10,711 |
| 2.31 Obtaining Consent - Training (receptionist) | 16,066 | 2 | 32,132 | 0.5 | 16,066 |
| 2.32 Updating Notice and Copy of Consent to Accompany Disclosure (manager) | 16,066 | 1 | 16,066 | 0.333 | 5,355 |
| Training Specialist's Time | 16,066 | 1 | 16,066 | 5 | 80,330 |
| TOTAL | | | 417,023 | | 232,784 |

a. Estimated total number of part 2 programs.

As shown in Table 24, the Department
estimates one-time burden increases as
a result of final rule changes to §§ 2.16,
2.22, 2.31, and 2.32 and due to new
provisions §§ 2.25 and 2.26. The
nonrecurring burdens are for training
staff on the final rule provisions and for
updating forms and notices. The
Department estimates that each part 2
program would need 5 hours of a
training specialist’s time to prepare and
present the training for a total of 80,330
burden hours.
For § 2.16, the Department estimates
that each part 2 program would need to
train 1 manager on breach notification
requirements for 1 hour, for a total of
16,066 burden hours. For § 2.22, the
Department estimates that each program
will need 1 hour of a lawyer’s time to
update the content of the Patient Notice
(for a total of 16,066 burden hours) and
15 minutes to train 202,072 part 2
counselors on the new Patient Notice
and right to discuss the Patient Notice
requirements (for 56,058 total burden
hours).
For § 2.25, the Department estimates
that each part 2 program would need to
train a medical records specialist on the
accounting of disclosures
requirements for 30
minutes, resulting in a total burden of
approximately 8,033 hours. For § 2.26,
the Department estimates that each part
2 program would need to train three
staff (a front desk receptionist, a medical
records technician, and a billing clerk
(16,066 part 2 programs x 3 staff)) for 15
minutes each on the right of a patient to
request restrictions on disclosures for
TPO. The base wage rate is an average
of the mean hourly rate for the three
occupations being trained. This would
total approximately 12,050 burden
hours.
For § 2.31, each part 2 program would
need 40 minutes of a lawyer’s time to
update the consent to disclosure form
(for a total of approximately 10,711
burden hours) and 30 minutes to train
an average of 2 front desk receptionists
on the changed requirements for
consent (for a total of approximately
16,066 burden hours). For § 2.32, the
Department estimates that each part 2
program would need 20 minutes of a
health care manager’s time to update the
content of the Notice to Accompany
Disclosure with the changed language
provided in the final rule, for a total of
approximately 5,355 burden hours. This
is likely an over-estimate because an
alternative, short form of the notice is
also provided in regulation, and the
language for that form is unchanged
such that part 2 programs that are using
the short form notice could continue
using the same notice and avoid any
burden increase.
Explanation of Estimated Capital
Expenses for 42 CFR Part 2
Table 25. Capital Expenses for Part 2 Activities.*

| 45 CFR Breach Section | Cost Elements | Number of Breaches | Average Cost per Breach | Total Breach Cost |
|---|---|---|---|---|
| 164.404 | Individual Notice-Postage, Paper, and Envelopes | 1,170 | $765.04 | $894,822 |
| 164.404 | Individual Notice-Substitute Notice Media Posting | 55 | $510.06 | $28,012 |
| 164.404 | Individual Notice-Substitute Notice-Toll-Free Number | 55 | $79.10 | $4,344 |
| Total Breach | | | | $927,178 |

| Part 2 Section | Activity | Number of Notices | Average Cost per Notice | Total Notice Cost |
|---|---|---|---|---|
| 2.22 | Printing Patient Notice | 932,184 | $0.11 | $99,056 |
| 2.31 | Printing Consent Form | 932,184 | $0.11 | $99,056 |
| 2.32 | Printing Notice to Accompany Disclosure | 186,437 | $0.11 | $19,811 |
| Total Part 2 Forms | | | | $217,922 |

TOTAL CAPITAL COSTS: $1,145,000
* Not all decimal places are shown.

As shown above in Table 25, part 2
programs would incur new capital costs
for providing breach notification. The
table also reflects existing burdens for
printing the Patient Notice, the Notice to
Accompany Disclosure, and Consents.
The Department has estimated 50
percent of forms used would be printed
on paper, taking into account the
notable increase in the use of telehealth
services for the delivery of SUD
treatment and the expectation that the
demand for telehealth will continue.382
382 See Todd Molfenter, Nancy Roget, Michael
Chaple, et al., ‘‘Use of Telehealth in Substance Use
Disorder Services During and After COVID–19:
Online Survey Study,’’ JMIR Mental Health (Aug. 2,
2021), https://mental.jmir.org/2021/2/e25835.
List of Subjects in 42 CFR Part 2
Administrative practice and
procedure, Alcohol use disorder,
Alcoholism, Breach, Confidentiality,
Courts, Drug abuse, Electronic
information system, Grant programs—
health, Health, Health care, Health care
operations, Health care providers,
Health information exchange, Health
plan, Health records, Hospitals,
Investigations, Medicaid, Medical
research, Medicare, Patient rights,
Penalties, Privacy, Reporting and
recordkeeping requirements, Security
measures, Substance use disorder.
Final Rule
For the reasons stated in the
preamble, the U.S. Department of Health
and Human Services amends 42 CFR
part 2 as set forth below:
Title 42—Public Health
PART 2—CONFIDENTIALITY OF
SUBSTANCE USE DISORDER PATIENT
RECORDS
■ 1. Revise the authority citation for part
2 to read as follows:
Authority: 42 U.S.C. 290dd–2; 42 U.S.C.
290dd–2 note.
■ 2. Revise § 2.1 to read as follows:
§ 2.1 Statutory authority for confidentiality
of substance use disorder patient records.
Title 42, United States Code, section
290dd–2(g) authorizes the Secretary to
prescribe regulations to carry out the
purposes of section 290dd–2. Such
regulations may contain such
definitions, and may provide for such
safeguards and procedures, including
procedures and criteria for the issuance
and scope of orders under subsection
290dd–2(b)(2)(C), as in the judgment of
the Secretary are necessary or proper to
effectuate the purposes of section
290dd–2, to prevent circumvention or
evasion thereof, or to facilitate
compliance therewith.
■ 3. Revise § 2.2 to read as follows:
§ 2.2 Purpose and effect.
(a) Purpose. Pursuant to 42 U.S.C.
290dd–2(g), the regulations in this part
impose restrictions upon the use and
disclosure of substance use disorder
patient records (‘‘records,’’ as defined in
this part) which are maintained in
connection with the performance of any
part 2 program. The regulations in this
part include the following subparts:
(1) Subpart B: General Provisions,
including definitions, applicability, and
general restrictions;
(2) Subpart C: Uses and Disclosures
With Patient Consent, including uses
and disclosures that require patient
consent and the consent form
requirements;
(3) Subpart D: Uses and Disclosures
Without Patient Consent, including uses
and disclosures which do not require
patient consent or an authorizing court
order; and
(4) Subpart E: Court Orders
Authorizing Use and Disclosure,
including uses and disclosures of
records which may be made with an
authorizing court order and the
procedures and criteria for the entry and
scope of those orders.
(b) Effect. (1) The regulations in this
part prohibit the use and disclosure of
records unless certain circumstances
exist. If any circumstance exists under
which use or disclosure is permitted,
that circumstance acts to remove the
prohibition on use and disclosure but it
does not compel the use or disclosure.
Thus, the regulations in this part do not
require use or disclosure under any
circumstance other than when
disclosure is required by the Secretary
to investigate or determine a person’s
compliance with this part pursuant to
§ 2.3(c).
(2) The regulations in this part are not
intended to direct the manner in which
substantive functions such as research,
treatment, and evaluation are carried
out. They are intended to ensure that a
patient receiving treatment for a
substance use disorder in a part 2
program is not made more vulnerable by
reason of the availability of their record
than an individual with a substance use
disorder who does not seek treatment.
(3) The regulations in this part shall
not be construed to limit:
(i) A patient’s right, as described in 45
CFR 164.522, to request a restriction on
the use or disclosure of a record for
purposes of treatment, payment, or
health care operations.
(ii) A covered entity’s choice, as
described in 45 CFR 164.506, to obtain
the consent of the patient to use or
disclose a record to carry out treatment,
payment, or health care operations.
■ 4. Revise § 2.3 to read as follows:
§ 2.3 Civil and criminal penalties for
violations.
(a) Penalties. Any person who violates
any provision of 42 U.S.C. 290dd–2(a)–
(d), shall be subject to the applicable
penalties under sections 1176 and 1177
of the Social Security Act, 42 U.S.C.
1320d–5 and 1320d–6.
(b) Limitation on criminal or civil
liability. A person who is acting on
behalf of an investigative agency having
jurisdiction over the activities of a part
2 program or other person holding
records under this part (or employees or
agents of that part 2 program or person
holding the records) shall not incur civil
or criminal liability under 42 U.S.C.
290dd–2(f) for use or disclosure of such
records inconsistent with this part that
occurs while acting within the scope of
their employment in the course of
investigating or prosecuting a part 2
program or person holding the record, if
the person or investigative agency
demonstrates that the following
conditions are met:
(1) Before presenting a request,
subpoena, or other demand for records,
or placing an undercover agent or
informant in a health care practice or
provider, as applicable, such person
acted with reasonable diligence to
determine whether the regulations in
this part apply to the records, part 2
program, or other person holding
records under this part. Reasonable
diligence means taking all of the
following actions where it is reasonable
to believe that the practice or provider
provides substance use disorder
diagnostic, treatment, or referral for
treatment services:
(i) Searching for the practice or
provider among the substance use
disorder treatment facilities in the
online treatment locator maintained by
the Substance Abuse and Mental Health
Services Administration.
(ii) Searching in a similar state
database of treatment facilities where
available.
(iii) Checking a provider’s publicly
available website, where available, or its
physical location to determine whether
in fact such services are provided.
(iv) Viewing the provider’s Patient
Notice or the Health Insurance
Portability and Accountability Act
(HIPAA) Notice of Privacy Practices
(NPP) if it is available online or at the
physical location.
(v) Taking all these actions within a
reasonable period of time (no more than
60 days) before requesting records from,
or placing an undercover agent or
informant in, a health care practice or
provider.
(2) The person followed all of the
applicable provisions in this part for
any use or disclosure of the received
records under this part that occurred, or
will occur, after the person or
investigative agency knew, or by
exercising reasonable diligence would
have known, that it received records
under this part.
(c) Enforcement. The provisions of 45
CFR part 160, subparts C, D, and E, shall
apply to noncompliance with this part
in the same manner as they apply to
covered entities and business associates
for noncompliance with 45 CFR parts
160 and 164.
■ 5. Revise § 2.4 to read as follows:
§ 2.4 Complaints of noncompliance.
(a) Receipt of complaints. A part 2
program must provide a process to
receive complaints concerning the
program’s compliance with the
requirements of this part.
(b) Right to file a complaint. A person
may file a complaint to the Secretary for
a violation of this part by a part 2
program, covered entity, business
associate, qualified service organization,
or lawful holder in the same manner as
a person may file a complaint under 45
CFR 160.306 for a violation of the
administrative simplification provisions
of the Health Insurance Portability and
Accountability Act (HIPAA) of 1996.
(c) Refraining from intimidating or
retaliatory acts. A part 2 program may
not intimidate, threaten, coerce,
discriminate against, or take other
retaliatory action against any patient for
the exercise by the patient of any right
established, or for participation in any
process provided for, by this part,
including the filing of a complaint
under this section or § 2.3(c).
(d) Waiver of rights. A part 2 program
may not require patients to waive their
right to file a complaint under this
section or § 2.3 as a condition of the
provision of treatment, payment,
enrollment, or eligibility for any
program subject to this part.
■ 6. Amend § 2.11 by:
■ a. Adding in alphabetical order
definitions of ‘‘Breach’’, ‘‘Business
associate’’, ‘‘Covered entity’’, ‘‘Health
care operations’’, ‘‘HIPAA’’, and
‘‘HIPAA regulations’’;
■ b. Revising the introductory text in the
definition of ‘‘Informant’’;
■ c. Adding in alphabetical order
definitions of ‘‘Intermediary’’,
‘‘Investigative agency’’, and ‘‘Lawful
holder’’;
■ d. Revising the definition of ‘‘Part 2
program director’’;
■ e. Adding a sentence at the end of the
definition of ‘‘Patient’’;
■ f. Revising the definition of ‘‘Patient
identifying information’’;
■ g. Adding in alphabetical order the
definition of ‘‘Payment’’;
■ h. Revising the definition of ‘‘Person’’;
■ i. Adding in alphabetical order the
definition of ‘‘Personal representative’’;
■ j. Revising paragraph (1) in the
definition of ‘‘Program’’;
■ k. Adding in alphabetical order the
definition of ‘‘Public health authority’’;
■ l. Revising the introductory text and
paragraph (2) introductory text and
adding paragraph (3) in the definition of
‘‘Qualified service organization’’;
■ l. Revising the definitions of
‘‘Records’’ and ‘‘Substance use
disorder’’;
■ m. Adding in alphabetical order the
definition of ‘‘Substance use disorder
(SUD) counseling notes’’;
■ n. Revising the definitions of ‘‘Third-party payer’’, ‘‘Treating provider
relationship’’, and ‘‘Treatment’’;
■ o. Adding in alphabetical order
definitions of ‘‘Unsecured protected
health information’’, ‘‘Unsecured
record’’, and ‘‘Use’’.
The revisions and additions read as
follows:
§ 2.11 Definitions.
* * * * *
Breach has the same meaning given
that term in 45 CFR 164.402.
Business associate has the same
meaning given that term in 45 CFR
160.103.
* * * * *
Covered entity has the same meaning
given that term in 45 CFR 160.103.
* * * * *
Health care operations has the same
meaning given that term in 45 CFR
164.501.
HIPAA means the Health Insurance
Portability and Accountability Act of
1996, Public Law 104–191, as amended
by the privacy and security provisions
in subtitle D of title XIII of the Health
Information Technology for Economic
and Clinical Health Act, Public Law
111–5 (‘‘HITECH Act’’).
HIPAA regulations means the
regulations at 45 CFR parts 160 and 164
(commonly known as the HIPAA
Privacy, Security, Breach Notification,
and Enforcement Rules or ‘‘HIPAA
Rules’’).
Informant means a person:
* * * * *
Intermediary means a person, other
than a part 2 program, covered entity, or
business associate, who has received
records under a general designation in
a written patient consent to be disclosed
to one or more of its member
participant(s) who has a treating
provider relationship with the patient.
Investigative agency means a Federal,
state, Tribal, territorial, or local
administrative, regulatory, supervisory,
investigative, law enforcement, or
prosecutorial agency having jurisdiction
over the activities of a part 2 program
or other person holding records under
this part.
Lawful holder means a person who is
bound by this part because they have
received records as the result of one of
the following:
(1) Written consent in accordance
with § 2.31 with an accompanying
notice of disclosure.
(2) One of the exceptions to the
written consent requirements in 42
U.S.C. 290dd–2 or this part.
* * * * *
Part 2 program director means:
(1) In the case of a part 2 program that
is a natural person, that person.
(2) In the case of a part 2 program that
is an entity, the person designated as
director or managing director, or person
otherwise vested with authority to act as
chief executive officer of the part 2
program.
Patient * * * In this part where the
HIPAA regulations apply, patient means
an individual as that term is defined in
45 CFR 160.103.
Patient identifying information means
the name, address, Social Security
number, fingerprints, photograph, or
similar information by which the
identity of a patient, as defined in this
section, can be determined with
reasonable accuracy either directly or by
reference to other information.
Payment has the same meaning given
that term in 45 CFR 164.501.
Person has the same meaning given
that term in 45 CFR 160.103.
Personal representative means a
person who has authority under
applicable law to act on behalf of a
patient who is an adult or an
emancipated minor in making decisions
related to health care. Within this part,
a personal representative would have
authority only with respect to patient
records relevant to such personal
representation.
Program * * *
(1) A person (other than a general
medical facility) that holds itself out as
providing, and provides, substance use
disorder diagnosis, treatment, or referral
for treatment; or
* * * * *
Public health authority has the same
meaning given that term in 45 CFR
164.501.
Qualified service organization means
a person who:
* * * * *
(2) Has entered into a written
agreement with a part 2 program under
which that person:
* * * * *
(3) Qualified service organization
includes a person who meets the
definition of business associate in 45
CFR 160.103, paragraphs (1), (2), and
(3), for a part 2 program that is also a
covered entity, with respect to the use
and disclosure of protected health
information that also constitutes a
‘‘record’’ as defined by this section.
Records means any information,
whether recorded or not, created by,
received, or acquired by a part 2
program relating to a patient (e.g.,
diagnosis, treatment and referral for
treatment information, billing
information, emails, voice mails, and
texts), and including patient identifying
information, provided, however, that
information conveyed orally by a part 2
program to a provider who is not subject
to this part for treatment purposes with
the consent of the patient does not
become a record subject to this part in
the possession of the provider who is
not subject to this part merely because
that information is reduced to writing
by that provider who is not subject to
this part. Records otherwise transmitted
by a part 2 program to a provider who
is not subject to this part retain their
characteristic as records in the hands of
the provider who is not subject to this
part, but may be segregated by that
provider.
Substance use disorder (SUD) means
a cluster of cognitive, behavioral, and
physiological symptoms indicating that
the individual continues using the
substance despite significant substance-related problems such as impaired
control, social impairment, risky use,
and pharmacological tolerance and
withdrawal. For the purposes of the
regulations in this part, this definition
does not include tobacco or caffeine use.
Substance use disorder (SUD)
counseling notes means notes recorded
(in any medium) by a part 2 program
provider who is a SUD or mental health
professional documenting or analyzing
the contents of conversation during a
private SUD counseling session or a
group, joint, or family SUD counseling
session and that are separated from the
rest of the patient’s SUD and medical
record. SUD counseling notes excludes
medication prescription and
monitoring, counseling session start and
stop times, the modalities and
frequencies of treatment furnished,
results of clinical tests, and any
summary of the following items:
diagnosis, functional status, the
treatment plan, symptoms, prognosis,
and progress to date.
Third-party payer means a person,
other than a health plan as defined at 45
CFR 160.103, who pays or agrees to pay
for diagnosis or treatment furnished to
a patient on the basis of a contractual
relationship with the patient or a
member of the patient’s family or on the
basis of the patient’s eligibility for
Federal, state, or local governmental
benefits.
Treating provider relationship means
that, regardless of whether there has
been an actual in-person encounter:
(1) A patient is, agrees to be, or is
legally required to be diagnosed,
evaluated, or treated, or agrees to accept
consultation, for any condition by a
person; and
(2) The person undertakes or agrees to
undertake diagnosis, evaluation, or
treatment of the patient, or consultation
with the patient, for any condition.
Treatment has the same meaning
given that term in 45 CFR 164.501.
* * * * *
Unsecured protected health
information has the same meaning given
that term in 45 CFR 164.402.
Unsecured record means any record,
as defined in this part, that is not
rendered unusable, unreadable, or
indecipherable to unauthorized persons
through the use of a technology or
methodology specified by the Secretary
in the guidance issued under Public
Law 111–5, section 13402(h)(2).
Use means, with respect to records,
the sharing, employment, application,
utilization, examination, or analysis of
the information contained in such
records that occurs either within an
entity that maintains such information
or in the course of civil, criminal,
administrative, or legislative
proceedings as described at 42 U.S.C.
290dd–2(c).
* * * * *
■ 7. Amend § 2.12 by:
■ a. Revising paragraphs (a)(1)
introductory text, (a)(1)(ii), and (a)(2);
■ b. Revising paragraph (b)(1);
■ c. Revising paragraphs (c)(2), (c)(3)
introductory text, (c)(4), (c)(5)
introductory text, and (c)(6);
■ d. Revising paragraphs (d)(1) and (2);
and
■ e. Revising paragraphs (e)(3), (e)(4)
introductory text, and (e)(4)(i).
The revisions read as follows:
§ 2.12 Applicability.
(a) * * *
(1) Restrictions on use and disclosure.
The restrictions on use and disclosure
in the regulations in this part apply to
any records which:
* * * * *
(ii) Contain substance use disorder
information obtained by a federally
assisted substance use disorder program
after March 20, 1972 (part 2 program),
or contain alcohol use disorder
information obtained by a federally
assisted alcohol use disorder or
substance use disorder program after
May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is
maintained by a part 2 program after
that date as part of an ongoing treatment
episode which extends past that date;
for the purpose of treating a substance
use disorder, making a diagnosis for that
treatment, or making a referral for that
treatment.
(2) Restriction on use or disclosure.
The restriction on use or disclosure of
information to initiate or substantiate
any criminal charges against a patient or
to conduct any criminal investigation of
a patient (42 U.S.C. 290dd–2(c)) applies
to any information, whether or not
recorded, which is substance use
disorder information obtained by a
federally assisted substance use disorder
program after March 20, 1972 (part 2
program), or is alcohol use disorder
information obtained by a federally
assisted alcohol use disorder or
substance use disorder program after
May 13, 1974 (part 2 program); or if
obtained before the pertinent date, is
maintained by a part 2 program after
that date as part of an ongoing treatment
episode which extends past that date;
for the purpose of treating a substance
use disorder, making a diagnosis for the
treatment, or making a referral for the
treatment.
(b) * * *
(1) It is conducted in whole or in part,
whether directly or by contract or
otherwise by any department or agency
of the United States (but see paragraphs
(c)(1) and (2) of this section relating to
the Department of Veterans Affairs and
the Uniformed Services);
* * * * *
(c) * * *
(2) Uniformed Services. The
regulations in this part apply to any
information described in paragraph (a)
of this section which was obtained by
any component of the Uniformed
Services during a period when the
patient was subject to the Uniform Code
of Military Justice except:
(i) Any interchange of that
information within the Uniformed
Services and within those components
of the Department of Veterans Affairs
furnishing health care to veterans; and
(ii) Any interchange of that
information between such components
and the Uniformed Services.
(3) Communication within a part 2
program or between a part 2 program
and an entity having direct
administrative control over that part 2
program. The restrictions on use and
disclosure in the regulations in this part
do not apply to communications of
information between or among
personnel having a need for the
information in connection with their
duties that arise out of the provision of
diagnosis, treatment, or referral for
treatment of patients with substance use
disorders if the communications are:
* * * * *
(4) Qualified service organizations.
The restrictions on use and disclosure
in the regulations in this part do not
apply to the communications between a
part 2 program and a qualified service
organization of information needed by
the qualified service organization to
provide services to or on behalf of the
program.
(5) Crimes on part 2 program premises
or against part 2 program personnel.
The restrictions on use and disclosure
in the regulations in this part do not
apply to communications from part 2
program personnel to law enforcement
agencies or officials which:
* * * * *
(6) Reports of suspected child abuse
and neglect. The restrictions on use and
disclosure in the regulations in this part
do not apply to the reporting under state
law of incidents of suspected child
abuse and neglect to the appropriate
state or local authorities. However, the
restrictions continue to apply to the
original substance use disorder patient
records maintained by the part 2
program including their use and
disclosure for civil or criminal
proceedings which may arise out of the
report of suspected child abuse and
neglect.
(d) * * *
(1) Restriction on use and disclosure
of records. The restriction on the use
and disclosure of any record subject to
the regulations in this part to initiate or
substantiate criminal charges against a
patient or to conduct any criminal
investigation of a patient, or to use in
any civil, criminal, administrative, or
legislative proceedings against a patient,
applies to any person who obtains the
record from a part 2 program, covered
entity, business associate, intermediary,
or other lawful holder, regardless of the
status of the person obtaining the record
or whether the record was obtained in
accordance with subpart E of this part.
This restriction on use and disclosure
bars, among other things, the
introduction into evidence of a record or
testimony in any criminal prosecution
or civil action before a Federal or state
court, reliance on the record or
testimony to inform any decision or
otherwise be taken into account in any
proceeding before a Federal, state, or
local agency, the use of such record or
testimony by any Federal, state, or local
agency for a law enforcement purpose or
to conduct any law enforcement
investigation, and the use of such record
or testimony in any application for a
warrant, absent patient consent or a
court order in accordance with subpart
E of this part. Records obtained by
undercover agents or informants, § 2.17,
or through patient access, § 2.23, are
subject to the restrictions on uses and
disclosures.
(2) Restrictions on uses and
disclosures—(i) Third-party payers,
administrative entities, and others. The
restrictions on use and disclosure in the
regulations in this part apply to:
(A) Third-party payers, as defined in
this part, with regard to records
disclosed to them by part 2 programs or
under § 2.31(a)(4)(i);
(B) Persons having direct
administrative control over part 2
programs with regard to information
that is subject to the regulations in this
part communicated to them by the part
2 program under paragraph (c)(3) of this
section; and
(C) Persons who receive records
directly from a part 2 program, covered
entity, business associate, intermediary,
or other lawful holder of patient
identifying information and who are
notified of the prohibition on
redisclosure in accordance with § 2.32.
A part 2 program, covered entity, or
business associate that receives records
based on a single consent for all
treatment, payment, and health care
operations is not required to segregate or
segment such records.
(ii) Documentation of SUD treatment
by providers who are not part 2
programs. Notwithstanding paragraph
(d)(2)(i)(C) of this section, a treating
provider who is not subject to this part
may record information about a SUD
and its treatment that identifies a
patient. This is permitted and does not
constitute a record that has been
redisclosed under this part. The act of
recording information about a SUD and
its treatment does not by itself render a
medical record which is created by a
treating provider who is not subject to
this part, subject to the restrictions of
this part.
* * * * *
(e) * * *
(3) Information to which restrictions
are applicable. Whether a restriction
applies to the use or disclosure of a
record affects the type of records which
may be disclosed. The restrictions on
use and disclosure apply to any records
which would identify a specified
patient as having or having had a
substance use disorder. The restriction
on use and disclosure of records to bring
a civil action or criminal charges against
a patient in any civil, criminal,
administrative, or legislative
proceedings applies to any records
obtained by the part 2 program for the
purpose of diagnosis, treatment, or
referral for treatment of patients with
substance use disorders. (Restrictions on
use and disclosure apply to recipients of
records as specified under paragraph (d)
of this section.)
(4) How type of diagnosis affects
coverage. These regulations cover any
record reflecting a diagnosis identifying
a patient as having or having had a
substance use disorder which is initially
prepared by a part 2 program in
connection with the treatment or
referral for treatment of a patient with
a substance use disorder. A diagnosis
prepared by a part 2 program for the
purpose of treatment or referral for
treatment, but which is not so used, is
covered by the regulations in this part.
The following are not covered by the
regulations in this part:
(i) Diagnosis which is made on behalf
of and at the request of a law
enforcement agency or official or a court
of competent jurisdiction solely for the
purpose of providing evidence; or
* * * * *
■ 8. Amend § 2.13 by:
■ a. Revising paragraphs (a), (b), and
(c)(1); and
■ b. Removing paragraph (d).
The revisions read as follows:
§ 2.13 Confidentiality restrictions and
safeguards.
(a) General. The patient records
subject to the regulations in this part
may be used or disclosed only as
permitted by the regulations in this part
and may not otherwise be used or
disclosed in any civil, criminal,
administrative, or legislative
proceedings conducted by any Federal,
state, or local authority. Any use or
disclosure made under the regulations
in this part must be limited to that
information which is necessary to carry
out the purpose of the use or disclosure.
(b) Unconditional compliance
required. The restrictions on use and
disclosure in the regulations in this part
apply whether or not the part 2 program
or other lawful holder of the patient
identifying information believes that the
person seeking the information already
has it, has other means of obtaining it,
is a law enforcement agency or official
or other government official, has
obtained a subpoena, or asserts any
other justification for a use or disclosure
which is not permitted by the
regulations in this part.
(c) * * *
(1) The presence of an identified
patient in a health care facility or
component of a health care facility that
is publicly identified as a place where
only substance use disorder diagnosis,
treatment, or referral for treatment is
provided may be acknowledged only if
the patient’s written consent is obtained
in accordance with subpart C of this
part or if an authorizing court order is
entered in accordance with subpart E of
this part. The regulations permit
acknowledgment of the presence of an
identified patient in a health care
facility or part of a health care facility
if the health care facility is not publicly
identified as only a substance use
disorder diagnosis, treatment, or referral
for treatment facility, and if the
acknowledgment does not reveal that
the patient has a substance use disorder.
* * * * *
■ 9. Amend § 2.14 by revising
paragraphs (a), (b)(1), (b)(2) introductory
text, (b)(2)(ii), and (c) to read as follows:
§ 2.14 Minor patients.
(a) State law not requiring parental
consent to treatment. If a minor patient
acting alone has the legal capacity under
the applicable state law to apply for and
obtain substance use disorder treatment,
any written consent for use or
disclosure authorized under subpart C
of this part may be given only by the
minor patient. This restriction includes,
but is not limited to, any disclosure of
patient identifying information to the
parent or guardian of a minor patient for
the purpose of obtaining financial
reimbursement. The regulations in this
paragraph (a) do not prohibit a part 2
program from refusing to provide
treatment until the minor patient
consents to a use or disclosure that is
necessary to obtain reimbursement, but
refusal to provide treatment may be
prohibited under a state or local law
requiring the program to furnish the
service irrespective of ability to pay.
(b) * * *
(1) Where state law requires consent
of a parent, guardian, or other person for
a minor to obtain treatment for a
substance use disorder, any written
consent for use or disclosure authorized
under subpart C of this part must be
given by both the minor and their
parent, guardian, or other person
authorized under state law to act on the
minor’s behalf.
(2) Where state law requires parental
consent to treatment, the fact of a
minor’s application for treatment may
be communicated to the minor’s parent,
guardian, or other person authorized
under state law to act on the minor’s
behalf only if:
* * * * *
(ii) The minor lacks the capacity to
make a rational choice regarding such
consent as determined by the part 2
program director under paragraph (c) of
this section.
(c) Minor applicant for services lacks
capacity for rational choice. Facts
relevant to reducing a substantial threat
to the life or physical well-being of the
minor applicant or any other person
may be disclosed to the parent,
guardian, or other person authorized
under state law to act on the minor’s
behalf if the part 2 program director
determines that:
(1) A minor applicant for services
lacks capacity because of extreme youth
or mental or physical condition to make
a rational decision on whether to
consent to a disclosure under subpart C
of this part to their parent, guardian, or
other person authorized under state law
to act on the minor’s behalf; and
(2) The minor applicant’s situation
poses a substantial threat to the life or
physical well-being of the minor
applicant or any other person which
may be reduced by communicating
relevant facts to the minor’s parent,
guardian, or other person authorized
under state law to act on the minor’s
behalf.
■ 10. Amend § 2.15 by revising the
section heading and paragraphs (a) and
(b)(2) to read as follows:
§ 2.15 Patients who lack capacity and
deceased patients.
(a) Adult patients who lack capacity
to make health care decisions—(1)
Adjudication by a court. In the case of
a patient who has been adjudicated as
lacking the capacity, for any reason
other than insufficient age, to make their
own health care decisions, any consent
which is required under the regulations
in this part may be given by the
personal representative.
(2) No adjudication by a court. In the
case of a patient, other than a minor or
one who has been adjudicated as
lacking the capacity to make health care
decisions, that for any period suffers
from a medical condition that prevents
knowing or effective action on their own
behalf, the part 2 program director may
exercise the right of the patient to
consent to a use or disclosure under
subpart C of this part for the sole
purpose of obtaining payment for
services from a third-party payer or
health plan.
(b) * * *
(2) Consent by personal
representative. Any other use or
disclosure of information identifying a
deceased patient as having a substance
use disorder is subject to the regulations
in this part. If a written consent to the
use or disclosure is required, that
consent may be given by the personal
representative.
■ 11. Revise § 2.16 to read as follows:
§ 2.16 Security for records and notification
of breaches.
(a) The part 2 program or other lawful
holder of patient identifying
information must have in place formal
policies and procedures to reasonably
protect against unauthorized uses and
disclosures of patient identifying
information and to protect against
reasonably anticipated threats or
hazards to the security of patient
identifying information.
(1) Requirements for formal policies
and procedures. These policies and
procedures must address all of the
following:
(i) Paper records, including:
(A) Transferring and removing such
records;
(B) Destroying such records, including
sanitizing the hard copy media
associated with the paper printouts, to
render the patient identifying
information non-retrievable;
(C) Maintaining such records in a
secure room, locked file cabinet, safe, or
other similar container, or storage
facility when not in use;
(D) Using and accessing workstations,
secure rooms, locked file cabinets, safes,
or other similar containers, and storage
facilities that use or store such
information; and
(E) Rendering patient identifying
information de-identified in accordance
with the requirements of 45 CFR
164.514(b) such that there is no
reasonable basis to believe that the
information can be used to identify a
particular patient.
(ii) Electronic records, including:
(A) Creating, receiving, maintaining,
and transmitting such records;
(B) Destroying such records, including
sanitizing the electronic media on
which such records are stored, to render
the patient identifying information non-retrievable;
(C) Using and accessing electronic
records or other electronic media
containing patient identifying
information; and
(D) Rendering the patient identifying
information de-identified in accordance
with the requirements of 45 CFR
164.514(b) such that there is no
reasonable basis to believe that the
information can be used to identify a
patient.
(2) Exception for certain lawful
holders. Family, friends, and other
informal caregivers who are lawful
holders as defined in this part are not
required to comply with paragraph (a) of
this section.
(b) The provisions of 45 CFR part 160
and subpart D of 45 CFR part 164 shall
apply to part 2 programs with respect to
breaches of unsecured records in the
same manner as those provisions apply
to a covered entity with respect to
breaches of unsecured protected health
information.
■ 12. Amend § 2.17 by revising
paragraph (b) to read as follows:
§ 2.17 Undercover agents and informants.
* * * * *
(b) Restriction on use and disclosure
of information. No information obtained
by an undercover agent or informant,
whether or not that undercover agent or
informant is placed in a part 2 program
pursuant to an authorizing court order,
may be used or disclosed to criminally
investigate or prosecute any patient.
■ 13. Amend § 2.19 by:
■ a. Revising paragraphs (a)(1) and (2);
■ b. Adding paragraph (a)(3);
■ c. Revising paragraphs (b)(1)
introductory text, (b)(1)(i) introductory
text, (b)(1)(i)(A), and (b)(2).
The addition and revisions read as
follows:
§ 2.19 Disposition of records by
discontinued programs.
(a) * * *
(1) The patient who is the subject of
the records gives written consent
(meeting the requirements of § 2.31) to
a transfer of the records to the acquiring
program or to any other program
designated in the consent (the manner
of obtaining this consent must minimize
the likelihood of a disclosure of patient
identifying information to a third party);
(2) There is a legal requirement that
the records be kept for a period
specified by law which does not expire
until after the discontinuation or
acquisition of the part 2 program; or
(3) The part 2 program is transferred,
retroceded, or reassumed pursuant to
the Indian Self-Determination and
Education Assistance Act (ISDEAA), 25
U.S.C. 5301 et seq., and its
implementing regulations in 25 CFR
part 900.
(b) * * *
(1) Records in non-electronic (e.g.,
paper) form must be:
(i) Sealed in envelopes or other
containers labeled as follows: ‘‘Records
of [insert name of program] required to
be maintained under [insert citation to
statute, regulation, court order or other
legal authority requiring that records be
kept] until a date not later than [insert
appropriate date]’’.
(A) All hard copy media from which
the paper records were produced, such
as printer and facsimile ribbons, drums,
etc., must be sanitized to render the data
non-retrievable.
* * * * *
(2) All of the following requirements
apply to records in electronic form:
(i) Records must be:
(A) Transferred to a portable
electronic device with implemented
encryption to encrypt the data at rest so
that there is a low probability of
assigning meaning without the use of a
confidential process or key and
implemented access controls for the
confidential process or key; or
(B) Transferred, along with a backup
copy, to separate electronic media, so
that both the records and the backup
copy have implemented encryption to
encrypt the data at rest so that there is
a low probability of assigning meaning
without the use of a confidential process
or key and implemented access controls
for the confidential process or key.
(ii) Within one year of the
discontinuation or acquisition of the
program, all electronic media on which
the patient records or patient identifying
information resided prior to being
transferred to the device specified in
paragraph (b)(2)(i)(A) of this section or
the original and backup electronic
media specified in paragraph (b)(2)(i)(B)
of this section, including email and
other electronic communications, must
be sanitized to render the patient
identifying information non-retrievable
in a manner consistent with the
discontinued program’s or acquiring
program’s policies and procedures
established under § 2.16.
(iii) The portable electronic device or
the original and backup electronic
media must be:
(A) Sealed in a container along with
any equipment needed to read or access
the information, and labeled as follows:
‘‘Records of [insert name of program]
required to be maintained under [insert
citation to statute, regulation, court
order or other legal authority requiring
that records be kept] until a date not
later than [insert appropriate date];’’ and
(B) Held under the restrictions of the
regulations in this part by a responsible
person who must store the container in
a manner that will protect the
information (e.g., climate-controlled
environment).
(iv) The responsible person must be
included on the access control list and
be provided a means for decrypting the
data. The responsible person must store
the decryption tools on a device or at a
location separate from the data they are
used to encrypt or decrypt.
(v) As soon as practicable after the
end of the required retention period
specified on the label, the portable
electronic device or the original and
backup electronic media must be
sanitized to render the patient
identifying information non-retrievable
consistent with the policies established
under § 2.16.
■ 14. Revise § 2.20 to read as follows:
§ 2.20 Relationship to state laws.
The statute authorizing the
regulations in this part (42 U.S.C.
290dd–2) does not preempt the field of
law which they cover to the exclusion
of all state laws in that field. If a use or
disclosure permitted under the
regulations in this part is prohibited
under state law, neither the regulations
in this part nor the authorizing statute
may be construed to authorize any
violation of that state law. However, no
state law may either authorize or
compel any use or disclosure prohibited
by the regulations in this part.
■ 15. Amend § 2.21 by revising
paragraph (b) to read as follows:
§ 2.21 Relationship to federal statutes
protecting research subjects against
compulsory disclosure of their identity.
* * * * *
(b) Effect of concurrent coverage. The
regulations in this part restrict the use
and disclosure of information about
patients, while administrative action
taken under the research privilege
statutes and implementing regulations
in paragraph (a) of this section protects
a person engaged in applicable research
from being compelled to disclose any
identifying characteristics of the
individuals who are the subjects of that
research. The issuance under subpart E
of this part of a court order authorizing
a disclosure of information about a
patient does not affect an exercise of
authority under these research privilege
statutes.
■ 16. Revise § 2.22 to read as follows:
§ 2.22 Notice to patients of Federal
confidentiality requirements.
(a) Notice required. At the time of
admission to a part 2 program or, in the
case that a patient does not have
capacity upon admission to understand
their medical status, as soon thereafter
as the patient attains such capacity,
each part 2 program shall inform the
patient that Federal law protects the
confidentiality of substance use disorder
patient records.
(b) Content of notice. In addition to
the communication required in
paragraph (a) of this section, a part 2
program shall provide notice, written in
plain language, of the program’s legal
duties and privacy practices, as
specified in this paragraph (b).
(1) Required elements. The notice
must include the following content:
(i) Header. The notice must contain
the following statement as a header or
otherwise prominently displayed.
Notice of Privacy Practices of [Name of
Part 2 Program]
This notice describes:
• HOW HEALTH INFORMATION
ABOUT YOU MAY BE USED AND
DISCLOSED
• YOUR RIGHTS WITH RESPECT TO
YOUR HEALTH INFORMATION
• HOW TO FILE A COMPLAINT
CONCERNING A VIOLATION OF THE
PRIVACY OR SECURITY OF YOUR
HEALTH INFORMATION, OR OF
YOUR RIGHTS CONCERNING YOUR
INFORMATION
YOU HAVE A RIGHT TO A COPY OF
THIS NOTICE (IN PAPER OR
ELECTRONIC FORM) AND TO
DISCUSS IT WITH [ENTER NAME OR
TITLE] AT [PHONE AND EMAIL] IF
YOU HAVE ANY QUESTIONS.
(ii) Uses and disclosures. The notice
must contain:
(A) A description of each of the
purposes for which the part 2 program
is permitted or required by this part to
use or disclose records without the
patient’s written consent.
(B) If a use or disclosure for any
purpose described in paragraph
(b)(1)(ii)(A) of this section is prohibited
or materially limited by other applicable
law, the description of such use or
disclosure must reflect the more
stringent law.
(C) For each purpose described in
accordance with paragraphs (b)(1)(ii)(A)
and (B) of this section, the description
must include sufficient detail to place
the patient on notice of the uses and
disclosures that are permitted or
required by this part and other
applicable law.
(D) A description, including at least
one example, of the types of uses and
disclosures that require written consent
under this part.
(E) A statement that a patient may
provide a single consent for all future
uses or disclosures for treatment,
payment, and health care operations
purposes.
(F) A statement that the part 2
program will make uses and disclosures
not described in the notice only with
the patient’s written consent.
(G) A statement that the patient may
revoke written consent as provided by
§§ 2.31 and 2.35.
(H) A statement that includes the
following information:
(1) Records, or testimony relaying the
content of such records, shall not be
used or disclosed in any civil,
administrative, criminal, or legislative
proceedings against the patient unless
based on specific written consent or a
court order;
(2) Records shall only be used or
disclosed based on a court order after
notice and an opportunity to be heard
is provided to the patient or the holder
of the record, where required by 42
U.S.C. 290dd–2 and this part; and
(3) A court order authorizing use or
disclosure must be accompanied by a
subpoena or other similar legal mandate
compelling disclosure before the record
is used or disclosed.
(iii) Separate statements for certain
uses or disclosures. If the part 2 program
intends to engage in any of the
following activities, the description
required by paragraph (b)(1)(ii)(D) of
this section must include a separate
statement as follows:
(A) Records that are disclosed to a
part 2 program, covered entity, or
business associate pursuant to the
patient’s written consent for treatment,
payment, and health care operations
may be further disclosed by that part 2
program, covered entity, or business
associate, without the patient’s written
consent, to the extent the HIPAA
regulations permit such disclosure.
(B) A part 2 program may use or
disclose records to fundraise for the
benefit of the part 2 program only if the
patient is first provided with a clear and
conspicuous opportunity to elect not to
receive fundraising communications.
(iv) Patient rights. The notice must
contain a statement of the patient’s
rights with respect to their records and
a brief description of how the patient
may exercise these rights, as follows:
(A) Right to request restrictions of
disclosures made with prior consent for
purposes of treatment, payment, and
health care operations, as provided in
§ 2.26.
(B) Right to request and obtain
restrictions of disclosures of records
under this part to the patient’s health
plan for those services for which the
patient has paid in full, in the same
manner as 45 CFR 164.522 applies to
disclosures of protected health
information.
(C) Right to an accounting of
disclosures of electronic records under
this part for the past 3 years, as
provided in § 2.25, and a right to an
accounting of disclosures that meets the
requirements of 45 CFR 164.528(a)(2)
and (b) through (d) for all other
disclosures made with consent.
(D) Right to a list of disclosures by an
intermediary for the past 3 years as
provided in § 2.24.
(E) Right to obtain a paper or
electronic copy of the notice from the
part 2 program upon request.
(F) Right to discuss the notice with a
designated contact person or office
identified by the part 2 program
pursuant to paragraph (b)(1)(vii) of this
section.
(G) Right to elect not to receive
fundraising communications.
(v) Part 2 program’s duties. The notice
must contain:
(A) A statement that the part 2
program is required by law to maintain
the privacy of records, to provide
patients with notice of its legal duties
and privacy practices with respect to
records, and to notify affected patients
following a breach of unsecured records;
(B) A statement that the part 2
program is required to abide by the
terms of the notice currently in effect;
and
(C) For the part 2 program to apply a
change in a privacy practice that is
described in the notice to records that
the part 2 program created or received
prior to issuing a revised notice, a
statement that it reserves the right to
change the terms of its notice and to
make the new notice provisions
effective for records that it maintains.
The statement must also describe how it
will provide patients with a revised
notice.
(vi) Complaints. The notice must
contain a statement that patients may
complain to the part 2 program and to
the Secretary if they believe their
privacy rights have been violated, a brief
description of how the patient may file
a complaint with the program, and a
statement that the patient will not be
retaliated against for filing a complaint.
(vii) Contact. The notice must contain
the name, or title, telephone number,
and email address of a person or office
to contact for further information about
the notice.
(viii) Effective date. The notice must
contain the date on which the notice is
first in effect, which may not be earlier
than the date on which the notice is
printed or otherwise published.
(2) Optional elements. (i) In addition
to the content required by paragraph
(b)(1) of this section, if a part 2 program
elects to limit the uses or disclosures
that it is permitted to make under this
part, the part 2 program may describe its
more limited uses or disclosures in its
notice, provided that the part 2 program
may not include in its notice a
limitation affecting its right to make a
use or disclosure that is required by law
or permitted to be made for emergency
treatment.
(ii) For the part 2 program to apply a
change in its more limited uses and
disclosures to records created or
received prior to issuing a revised
notice, the notice must include the
statements required by paragraph
(b)(1)(v)(C) of this section.
(3) Revisions to the notice. The part 2
program must promptly revise and
distribute its notice whenever there is a
material change to the uses or
disclosures, the patient’s rights, the part
2 program’s legal duties, or other
privacy practices stated in the notice.
Except when required by law, a material
change to any term of the notice may
not be implemented prior to the
effective date of the notice in which
such material change is reflected.
(c) Implementation specifications:
Provision of notice. A part 2 program
must make the notice required by this
section available upon request to any
person and to any patient; and
(1) A part 2 program must provide the
notice:
(i) No later than the date of the first
service delivery, including service
delivered electronically, to such patient
after the compliance date for the part 2
program; or
(ii) In an emergency treatment
situation, as soon as reasonably
practicable after the emergency
treatment situation.
(2) If the part 2 program maintains a
physical service delivery site:
(i) Have the notice available at the
service delivery site for patients to
request to take with them; and
(ii) Post the notice in a clear and
prominent location where it is
reasonable to expect patients seeking
service from the part 2 program to be
able to read the notice in a manner that
does not identify the patient as
receiving treatment or services for
substance use disorder; and
(iii) Whenever the notice is revised,
make the notice available upon request
on or after the effective date of the
revision and promptly comply with the
requirements of paragraph (c)(2)(ii) of
this section, if applicable.
(3) Specific requirements for
electronic notice include all the
following:
(i) A part 2 program that maintains a
website that provides information about
the part 2 program’s customer services
or benefits must prominently post its
notice on the website and make the
notice available electronically through
the website.
(ii) A part 2 program may provide the
notice required by this section to a
patient by email, if the patient agrees to
electronic notice and such agreement
has not been withdrawn. If the part 2
program knows that the email
transmission has failed, a paper copy of
the notice must be provided to the
patient. Provision of electronic notice by
the part 2 program will satisfy the
provision requirements of this
paragraph (c) when timely made in
accordance with paragraph (c)(1) or (2)
of this section.
(iii) For purposes of paragraph (c)(2)(i)
of this section, if the first service
delivery to an individual is delivered
electronically, the part 2 program must
provide electronic notice automatically
and contemporaneously in response to
the individual’s first request for service.
The requirements in paragraph (c)(2)(ii)
of this section apply to electronic
notice.
(iv) The patient who is the recipient
of electronic notice retains the right to
obtain a paper copy of the notice from
a part 2 program upon request.
■ 17. Amend § 2.23 by revising the
section heading and paragraph (b) to
read as follows:
§ 2.23 Patient access and restrictions on
use and disclosure.
* * * * *
(b) Restriction on use and disclosure
of information. Information obtained by
patient access to their record is subject
to the restriction on use and disclosure
of records to initiate or substantiate any
criminal charges against the patient or
to conduct any criminal investigation of
the patient as provided for under
§ 2.12(d)(1).
■ 18. Add § 2.24 to subpart B to read as
follows:
§ 2.24 Requirements for intermediaries.
Upon request, an intermediary must
provide to patients who have consented
to the disclosure of their records using
a general designation, pursuant to
§ 2.31(a)(4)(ii)(B), a list of persons to
which their records have been disclosed
pursuant to the general designation.
(a) Under this section, patient
requests:
(1) Must be made in writing; and
(2) Are limited to disclosures made
within the past 3 years.
(b) Under this section, the entity
named on the consent form that
discloses information pursuant to a
patient’s general designation (the entity
that serves as an intermediary) must:
(1) Respond in 30 or fewer days of
receipt of the written request; and
(2) Provide, for each disclosure, the
name(s) of the entity(ies) to which the
disclosure was made, the date of the
disclosure, and a brief description of the
patient identifying information
disclosed.
■ 19. Add § 2.25 to subpart B to read as
follows:
§ 2.25 Accounting of disclosures.
(a) General rule. Subject to the
limitations in paragraph (b) of this
section, a part 2 program must provide
to a patient, upon request, an
accounting of all disclosures made with
consent under § 2.31 in the 3 years prior
to the date of the request (or a shorter
time period chosen by the patient). The
accounting of disclosures must meet the
requirements of 45 CFR 164.528(a)(2)
and (b) through (d).
(b) Accounting of disclosures for
treatment, payment, and health care
operations. (1) A part 2 program must
provide a patient with an accounting of
disclosures of records for treatment,
payment, and health care operations
only where such disclosures are made
through an electronic health record.
(2) A patient has a right to receive an
accounting of disclosures described in
paragraph (b)(1) of this section during
only the 3 years prior to the date on
which the accounting is requested.
■ 20. Add § 2.26 to subpart B to read as
follows:
§ 2.26 Right to request privacy protection
for records.
(a)(1) A part 2 program must permit
a patient to request that the part 2
program restrict uses or disclosures of
records about the patient to carry out
treatment, payment, or health care
operations, including when the patient
has signed written consent for such
disclosures.
(2) Except as provided in paragraph
(a)(6) of this section, a part 2 program
is not required to agree to a restriction.
(3) A part 2 program that agrees to a
restriction under paragraph (a)(1) of this
section may not use or disclose records
in violation of such restriction, except
that, if the patient who requested the
restriction is in need of emergency
treatment and the restricted record is
needed to provide the emergency
treatment, the part 2 program may use
the restricted record, or may disclose
information derived from the record to
a health care provider, to provide such
treatment to the patient.
(4) If information from a restricted
record is disclosed to a health care
provider for emergency treatment under
paragraph (a)(3) of this section, the part
2 program must request that such health
care provider not further use or disclose
the information.
(5) A restriction agreed to by a part 2
program under paragraph (a) of this
section is not effective under this
subpart to prevent uses or disclosures
required by law or permitted by this
part for purposes other than treatment,
payment, and health care operations.
(6) A part 2 program must agree to the
request of a patient to restrict disclosure
of records about the patient to a health
plan if:
(i) The disclosure is for the purpose
of carrying out payment or health care
operations and is not otherwise required
by law; and
(ii) The record pertains solely to a
health care item or service for which the
patient, or person other than the health
plan on behalf of the patient, has paid
the part 2 program in full.
(b) A part 2 program may terminate a
restriction, if one of the following
applies:
(1) The patient agrees to or requests
the termination in writing.
(2) The patient orally agrees to the
termination and the oral agreement is
documented.
(3) The part 2 program informs the
patient that it is terminating its
agreement to a restriction, except that
such termination is:
(i) Not effective for records restricted
under paragraph (a)(6) of this section;
and
(ii) Only effective with respect to
records created or received after it has
so informed the patient.
■ 21. Revise the heading of subpart C to
read as follows:
Subpart C—Uses and Disclosures With
Patient Consent
* * * * *
■ 22. Amend § 2.31 by:
■ a. Revising paragraphs (a)
introductory text and (a)(2) through (8);
■ b. Adding paragraph (a)(10);
■ c. Redesignating paragraph (b) as
paragraph (c);
■ d. Adding a new paragraph (b);
■ e. Revising newly redesignated
paragraph (c); and
■ f. Adding paragraph (d).
The revisions and additions read as
follows:
§ 2.31 Consent requirements.
(a) Required elements for written
consent. A written consent