Confidentiality of Substance Use Disorder (SUD) Patient Records

Federal Register, Feb 16, 2024
89 Fed. Reg. 12472 (Feb. 16, 2024)

AGENCY:

Office for Civil Rights, Office of the Secretary, Department of Health and Human Services; Substance Abuse and Mental Health Services Administration (SAMHSA), Department of Health and Human Services.

ACTION:

Final rule.

SUMMARY:

The United States Department of Health and Human Services (HHS or “Department”) is issuing this final rule to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The Department is issuing this final rule after careful consideration of all public comments received in response to the notice of proposed rulemaking (NPRM) for the Confidentiality of Substance Use Disorder (SUD) Patient Records. This final rule also makes certain other modifications to increase alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to improve workability and decrease burden on programs, covered entities, and business associates.

DATES:

Effective date: This final rule is effective on April 16, 2024.

Compliance date: Persons subject to this regulation must comply with the applicable requirements of this final rule by February 16, 2026.

FOR FURTHER INFORMATION CONTACT:

Marissa Gordon-Nguyen at (202) 240–3110 or (800) 537–7697 (TDD).

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Executive Summary

A. Purpose of Rulemaking and Issuance of Proposed Rule

B. Severability

C. Summary of the Major Provisions

D. Summary of the Costs and Benefits of the Major Provisions

II. Statutory and Regulatory Background

III. Overview of Public Comments

A. General Discussion of Comments

B. General Comments

1. General Support for the Proposed Rule

2. General Opposition to the Proposed Rule

IV. Analysis and Response to Public Comments and Final Modifications

A. Effective and Compliance Dates

B. Substantive Proposals and Responses to Comments

V. Regulatory Impact Analysis

A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review

1. Summary of the Final Rule

2. Need for the Final Rule

3. Response to Public Comment

4. Cost-Benefit Analysis

5. Consideration of Regulatory Alternatives

B. Regulatory Flexibility Act

C. Unfunded Mandates Reform Act

D. Executive Order 13132—Federalism

E. Assessment of Federal Regulation and Policies on Families

F. Paperwork Reduction Act of 1995

1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2

2. Explanation of Estimated Capital Expenses for 42 CFR Part 2

Table of Acronyms

Acronym Meaning
ACO Accountable Care Organization.
ADAMHA Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act.
ADT Admit, Discharge, Transfer.
APCD All-Payer Claims Database.
BLS Bureau of Labor Statistics.
CARES Act Coronavirus Aid, Relief, and Economic Security Act.
CBO Community-based Organizations.
CFR Code of Federal Regulations.
CHIP Children's Health Insurance Program.
CMP Civil Money Penalty.
CMS Centers for Medicare & Medicaid Services.
COVID–19 Coronavirus Disease 2019.
CSP Cloud Service Provider.
DOJ U.S. Department of Justice.
E.O. Executive Order.
EHR Electronic Health Record.
ePHI Electronic Protected Health Information.
FDA Food and Drug Administration.
FOIA Freedom of Information Act.
FR Federal Register.
GS General Schedule.
Health IT Health Information Technology.
HHS or Department U.S. Department of Health and Human Services.
HIE Health Information Exchange.
HIN Health Information Network.
HIPAA Health Insurance Portability and Accountability Act of 1996.
HITECH Act Health Information Technology for Economic and Clinical Health Act of 2009.
HIV Human Immunodeficiency Virus.
ICR Information Collection Request.
IHS Indian Health Service.
ISDEAA Indian Self-Determination and Education Assistance Act.
MAT Medication Assisted Treatment.
MHPAEA Mental Health Parity and Addiction Equity Act.
MOUD Medications for Opioid Use Disorder.
MPCD Multi-Payer Claims Database.
NIST National Institute of Standards and Technology.
NOAA National Oceanic and Atmospheric Administration.
NPP Notice of Privacy Practices.
NPRM Notice of Proposed Rulemaking.
N–SSATS National Survey of Substance Abuse Treatment Services.
OCR Office for Civil Rights.
OIG Office of the Inspector General.
OIRA Office of Information and Regulatory Affairs.
OMB Office of Management and Budget.
ONC Office of the National Coordinator for Health Information Technology.
OTP Opioid Treatment Program.
PDMP Prescription Drug Monitoring Program.
PHI Protected Health Information.
PHSA Public Health Service Act.
PRA Paperwork Reduction Act of 1995.
Pub. L. Public Law.
QSO Qualified Service Organization.
QSOA Qualified Service Organization Agreement.
RFA Regulatory Flexibility Act.
RFI Request for Information.
RIA Regulatory Impact Analysis.
RPMS Resource and Patient Management System.
SAMHSA Substance Abuse and Mental Health Services Administration.
SBA Small Business Administration.
SUD Substance Use Disorder.
TEDS Treatment Episode Data Set.
TEFCA Trusted Exchange Framework and Common Agreement.
TPO Treatment, Payment, and/or Health Care Operations.
U.S.C. United States Code.
USPHS U.S. Public Health Service.
VA U.S. Department of Veterans Affairs.

I. Executive Summary

A. Purpose of Rulemaking and Issuance of Proposed Rule

On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, and Economic Security (CARES) Act, including section 3221 of the Act entitled “Confidentiality and Disclosure of Records Relating to Substance Use Disorder.” Section 3221 enacts statutory amendments to section 290dd–2 of title 42 United States Code (42 U.S.C. 290dd–2). These amendments require the U.S. Department of Health and Human Services (HHS or “Department”) to increase the regulatory alignment between title 42 of the Code of Federal Regulations (CFR) (42 CFR part 2 or “part 2”), which includes privacy provisions that protect SUD patient records, and key aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement regulations (“HIPAA regulations”), which govern the use and disclosure of protected health information (PHI).

Public Law 116–136, 134 Stat. 281 (Mar. 27, 2020).

For readability, the Department refers to specific sections of 42 CFR part 2 using a shortened citation with the “§ ” symbol except where necessary to distinguish title 42 citations from other CFR titles, such as title 45 CFR, and in footnotes where the full reference is used.

Subtitle F of title II of HIPAA, Public Law 104–191, 110 Stat. 1936 (Aug. 21, 1996) added a new part C to title XI of the Social Security Act (SSA), Public Law 74–271, 49 Stat. 620 (Aug. 14, 1935) (see sections 1171–1179 of the SSA (codified at 42 U.S.C. 1320d–1320d–8)), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 139w–4(0)(2)), enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009).

See the HIPAA Privacy Rule, 45 CFR parts 160 and 164, subparts A and E; the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part 164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E. Breach notification requirements were added by the HITECH Act.

PHI is individually identifiable health information maintained or transmitted by or on behalf of a HIPAA covered entity. See 45 CFR 160.103 (definitions of “Individually identifiable health information” and “Protected health information”).

On December 2, 2022, the Department published a notice of proposed rulemaking (NPRM) proposing to modify part 2 consistent with the requirements of section 3221. In the NPRM, the Department proposed to: (1) enhance restrictions against the use and disclosure of part 2 records in civil, criminal, administrative, and legislative proceedings; (2) provide for civil enforcement authority, including the imposition of civil money penalties (CMPs); (3) modify consent for uses and disclosures of part 2 records for treatment, payment, and health care operations (TPO) purposes; (4) impose breach notification obligations; (5) incorporate some definitions from the HIPAA regulations into part 2; (6) provide new patient rights to request restrictions on uses and disclosures and obtain an accounting of disclosures made with consent; (7) add a permission to disclose de-identified records to public health authorities; and (8) address concerns about potential unintended consequences for government agencies that investigate part 2 programs due to the change in enforcement authority and penalties for violations of part 2.

87 FR 74216 (Dec. 2, 2022). The Department also proposed modifications to the HIPAA Notice of Privacy Practices (NPP) in January 2021 and April 2023. See Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446 (Jan. 21, 2021) and HIPAA Privacy Rule To Support Reproductive Health Care Privacy 88 FR 23506 (Apr. 17, 2023).

Within this rule the terms records and part 2 records are used interchangeably to refer to information subject to part 2.

The 60-day public comment period for the proposed rule closed on January 31, 2023, and the Department received approximately 220 comments in response to its proposal. After considering the public comments, the Department is issuing this final rule that adopts many of the proposals set forth in the NPRM, with certain modifications based on the input received. This final rule aligns certain part 2 requirements more closely with requirements of the HIPAA regulations to improve the ability of entities that are subject to part 2 to use and disclose part 2 records and make other changes to part 2, as described in this preamble. We believe this final rule implements the modifications required by the CARES Act amendments to 42 U.S.C. 290dd–2 and will decrease burdens on patients and providers, improve coordination of care and access to care and treatment, and protect the confidentiality of treatment records.

The provisions of the proposed rule and the public comments received that were within the scope of the proposed rule are described in more detail below in sections III and IV.

B. Severability

In this final rule, we adopt modifications to 42 CFR part 2 that support a unified scheme of privacy protections for part 2 records. While the unity and comprehensiveness of this scheme maximizes its utility, we clarify that its constituent elements operate independently to protect patient privacy. Were a provision of this regulation stayed or invalidated by a reviewing court, the provisions that remain in effect would continue to provide vital patient privacy protections. For example, the essential part 2 provisions concerning such issues as restrictions on use of part 2 records in criminal, civil, and administrative proceedings and written consent requirements would remain in effect even if certain other provisions, such as the limitation on civil or criminal liability in § 2.3(b), were no longer in effect. Similarly, the provisions regulating different forms of conduct under part 2 (e.g., use, disclosure, consent requirements) each provide distinct benefits for patient privacy. Thus, we consider the provisions adopted in this final rule to be severable, both internally within this final rule and from the other provisions in part 2, and the Department's intent is to preserve the rule in its entirety, and each independent provision of the rule, to the fullest extent possible.

Accordingly, any provision of 42 CFR part 2 that is held to be invalid or unenforceable by its terms, or as applied to any person or circumstance, should be construed so as to give maximum effect to the provision permitted by law, unless such holding is one of utter invalidity or unenforceability, in which event the provision is intended to be severable from this part and not affect the remainder thereof or the application of the provision to other persons not similarly situated or to other dissimilar circumstances.

C. Summary of the Major Provisions

After consideration of the public comments received in response to the NPRM, the Department is issuing this final rule as follows:

Additional revisions are not listed here because they are not considered major. Generally, the proposals not listed make non-substantive changes. These proposals are reviewable in section IV and the amendatory language in the last section of the final rule and include proposals to modify § 2.17 (Undercover agents and informants); § 2.20 (Relationship to state laws); § 2.21 (Relationship to Federal statutes protecting research subjects against compulsory disclosure of their identity); and § 2.34 (Uses and Disclosures to prevent multiple enrollments).

1. Section 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records

Finalizes § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd–2(g), including with respect to court orders authorizing the disclosure of records under 42 U.S.C. 290dd–2(b)(2)(C).

2. Section 2.2—Purpose and Effect

Finalizes paragraph (b) of § 2.2 to compel disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the HIPAA Privacy Rule at 45 CFR 164.502(a)(2)(ii). Finalizes a new paragraph (b)(3) that prohibits any limits on a patient's right to request restrictions on use of records for TPO or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the HIPAA Privacy Rule. References “use and disclosure” in § 2.2(a) and (b). Removes reference to criminal penalty and finalizes new paragraph (b)(3).

Unless otherwise stated, “Secretary” as used in this rule refers to the Secretary of HHS.

Covered entities are health care providers who transmit health information electronically in connection with any transaction for which the Department has adopted an electronic transaction standard, health plans, and health care clearinghouses. See 45 CFR 160.103 (definition of “Covered entity”).

3. Section 2.3—Civil and Criminal Penalties for Violations

Finalizes the heading of this section as above. This section as finalized now references the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the culpability tiers established by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal penalties), as implemented in the HIPAA Enforcement Rule. Paragraph (b) includes a limitation on civil or criminal liability (“safe harbor”) under part 2 for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation or prosecution of a part 2 program or person holding the record, provided that certain conditions are met. Further modifies the “reasonable diligence” steps to mean taking all of the following actions: searching for the practice or provider among the SUD treatment facilities in SAMHSA's online treatment locator; searching in a similar state database of treatment facilities where available; checking a practice or program's website, where available, or physical location; viewing the entity's Patient Notice or HIPAA NPP if it is available; and taking all these steps within no more than 60 days before requesting records or placing an undercover agent or informant. Updates language referring to enforcement, now set forth in paragraph (c).

See Public Law 111–5, 123 Stat. 226 (Feb. 17, 2009). Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) amended sections 1176 and 1177 of the Social Security Act (codified at 42 U.S.C. 1320d–5 and 1320d–6) to add civil and criminal penalty tiers for violations of the HIPAA Administrative Simplification provisions.

See 45 CFR part 160, subparts C, D, and E.

Although this provision is not expressly required by the CARES Act, it falls within the Department's general rulemaking authority in 42 U.S.C. 290dd–2(g), and is needed to address the logical consequences of the changes required by sec. 3221.

4. Section 2.4—Complaints of Noncompliance

Modifies the heading to refer to “Complaints of noncompliance.” Finalizes inclusion of requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including a requirement for a part 2 program to establish a process to receive complaints. Adds a new provision permitting patients to file complaints with the Secretary in the same manner as under 45 CFR 160.306. Finalizes a prohibition against taking adverse action against patients who file complaints and a prohibition against requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.

5. Section 2.11—Definitions

Finalizes definitions of the following terms within this part consistent with the NPRM: “Breach,” “Business associate,” “Covered entity,” “Health care operations,” “HIPAA,” “HIPAA regulations,” “Informant,” “Part 2 program director,” “Program,” “Payment,” “Person,” “Public health authority,” “Records,” “Substance use disorder (SUD),” “Third-party payer,” “Treating provider relationship,” “Treatment,” “Unsecured protected health information,” “Unsecured record,” and “Use.” Adds a definition of “Substance Use Disorder (SUD) counseling notes” on which input was requested in the NPRM. Adds new definitions of “Lawful holder” and “Personal representative.” Adopts a revised definition of “Intermediary,” but with an exclusion for part 2 programs, covered entities, and business associates. Modifies definition of “Investigative agency” to reference state, local, territorial, and Tribal investigative agencies. Modifies definition of “Patient identifying information” to ensure consistency with the de-identification standard incorporated into this final rule. Modifies the proposed definition of “Qualified Service Organization” (QSO) to expressly include business associates as QSOs where the QSO meets the definition of business associate for a covered entity that is also a part 2 program.

6. Section 2.12—Applicability

Replaces “Armed Forces” with “Uniformed Services” in paragraphs (b)(1) and (c)(2) of § 2.12. Incorporates four statutory examples of restrictions on the use or disclosure of part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Adds language to qualify the term “Third-party payer” with the phrase “as defined in this part.” Specifies that a part 2 program, covered entity, or business associate that receives records based on a single consent for all future uses and disclosures for TPO is not required to segregate or segment such records. Revises paragraph (e)(4)(i) to clarify when a diagnosis is not covered by part 2.

A business associate is a person, other than a workforce member, that performs certain functions or activities for or on behalf of a covered entity, or that provides certain services to a covered entity involving the disclosure of PHI to the person. See 45 CFR 160.103 (definition of “Business associate”).

7. Section 2.13—Confidentiality Restrictions and Safeguards

Finalizes the redesignation of § 2.13(d) requiring a list of disclosures as new § 2.24 and modifies the text for clarity.

8. Section 2.14—Minor Patients

Finalizes the change of the verb “judges” to “determines” to describe a part 2 program director's evaluation and decision that a minor lacks decision making capacity.

9. Section 2.15—Patients Who Lack Capacity and Deceased Patients

Finalizes changes proposed in the NPRM. Changes the heading as above. Replaces outdated terminology and clarifies that paragraph (a) of this section refers to an adjudication by a court of a patient's lack of capacity to make health care decisions while paragraph (b) refers to a patient's lack of capacity to make health care decisions without court adjudication. Clarifies consent for uses and disclosures of records by personal representatives for patients who lack capacity to make health care decisions in paragraph (a) and deceased patients in paragraph (b)(2).

10. Section 2.16—Security for Records and Notification of Breaches

Finalizes changes proposed in the NPRM. Changes the heading as above. Finalizes the de-identification provision to align with the HIPAA Privacy Rule standard at 45 CFR 164.514. Creates an exception to the requirement that part 2 programs and lawful holders create policies and procedures to secure records that applies to family, friends, and other informal caregivers who are lawful holders as defined in this regulation. Applies the HITECH Act breach notification provisions that are currently implemented in the HIPAA Breach Notification Rule to breaches of records by part 2 programs. Modifies the exemption for lawful holders by exempting them from § 2.16(a) instead of only paragraph (a)(1).

Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term “Breach”. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification provisions, discussed in detail below.

11. Section 2.19—Disposition of Records by Discontinued Programs

Finalizes an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Updates the language to refer to “non-electronic” records and include “paper” records as an example of non-electronic records.

12. Section 2.22—Notice to Patients of Federal Confidentiality Requirements

Finalizes proposed changes to requirements for notice to patients of Federal confidentiality requirements (hereinafter, “Patient Notice”) to address protections required by 42 U.S.C. 290dd–2, as amended by section 3221 of the CARES Act. Modifies the statement of a patient's right to discuss the notice with a designated contact person by permitting the part 2 program to list an office rather than naming a person. Further modifies the list of patient rights to include the following: (1) a right to a list of disclosures by an intermediary for the past 3 years as provided in § 2.24 (moved from the consent requirements in § 2.31); and (2) a right to elect not to receive any fundraising communications to fundraise for the benefit of the part 2 program. Further modifies the fundraising provision by replacing the proposed requirement to obtain patient consent with a requirement to provide individuals with the opportunity to opt out of receiving fundraising communications, which more closely aligns with the HIPAA regulations. Clarifies that a court order authorizing use or disclosure must be accompanied by a subpoena or similar legal mandate compelling disclosure.

13. Section 2.23—Patient Access and Restrictions on Use and Disclosure

Finalizes the heading as above. Adds the term “disclosure” to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation.

14. Section 2.24—Requirements for Intermediaries

Finalizes the retitling of the redesignated section that is moved from § 2.13(d) as above to clarify the responsibilities of recipients of records received under a consent with a general designation (other than part 2 programs, covered entities, and business associates), such as research institutions, accountable care organizations (ACOs), and care management organizations.

15. Section 2.25—Accounting of Disclosures

Finalizes this new section to implement 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221 of the CARES Act, to add a right to an accounting of all disclosures made with consent for up to three years prior to the date the accounting is requested. A separate provision applies to disclosures for TPO purposes made through an EHR. The compliance date for § 2.25 is tolled until the HIPAA Accounting of Disclosures provision at 45 CFR 164.528 is revised to address accounting for TPO disclosures made through an EHR.

16. Section 2.26—Right To Request Privacy Protection for Records

Finalizes this new section to implement 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221 of the CARES Act, to incorporate into part 2 the rights set forth in the HIPAA Privacy Rule at 45 CFR 164.522, including: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient.

17. Subpart C—Uses and Disclosures With Patient Consent

Finalizes the change to the heading of subpart C as above to reflect changes made to the provisions of this subpart related to the consent to use and disclose part 2 records, consistent with 42 U.S.C. 290dd–2(b), as amended by section 3221(b) of the CARES Act.

18. Section 2.31—Consent Requirements

Finalizes the proposed alignment of the content requirements for part 2 written consent with the content requirements for a valid HIPAA authorization and clarifies how recipients may be designated in a consent to use and disclose part 2 records for TPO. Further modifies the rule by replacing the proposed requirement to obtain consent for fundraising with an opportunity for the patient to opt out. Adds consent provisions for uses and disclosures of SUD counseling notes, and adds an express requirement for separate consent for use and disclosure of records in civil, criminal, administrative, or legislative proceedings.

19. Section 2.32—Notice and Copy of Consent To Accompany Disclosure

Further modifies the proposed heading to read as above by inserting “and copy of consent”. Finalizes the proposed alignment of the content requirements for the required notice that accompanies a disclosure of records (hereinafter “Notice to Accompany Disclosure”) with the requirements of 42 U.S.C. 290dd–2(b), as amended by section 3221(b) of the CARES Act. Further modifies this section by creating a new requirement that each disclosure made with the patient's written consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided.

20. Section 2.33—Uses and Disclosures Permitted With Written Consent

Changes the heading as proposed, to read as above. Aligns this provision with the statutory authority in 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act. Replaces the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO with a single consent given once for all such future uses and disclosures (“TPO consent”) as permitted by the HIPAA regulations, until such time as the patient revokes the consent in writing. Finalizes proposed redisclosure permissions for three categories of recipients of part 2 records pursuant to a written consent with some additional modifications to limit the ability to redisclose part 2 records in accordance with HIPAA to covered entities and business associates, as follows: (1) permits a covered entity or business associate that receives part 2 records pursuant to a TPO consent to redisclose the records in accordance with the HIPAA regulations, except for certain proceedings against the patient; (2) permits a part 2 program that is not a covered entity to redisclose records received pursuant to a TPO consent according to the consent; and (3) permits a lawful holder that is not a covered entity or business associate to redisclose part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities specified in the consent. Finalizes the contracting requirements in paragraph (c) to exclude covered entities and business associates because they are subject to HIPAA business associate agreement requirements.

See 42 U.S.C. 290dd–2(b)(1)(B) and (c).

21. Section 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients

Finalizes the proposals to replace “individuals” with “persons” and clarifies that permitted redisclosures of information are from part 2 records.

22. Subpart D—Uses and Disclosures Without Patient Consent

Finalizes the proposal to change the heading of subpart D to reflect changes made to the provisions of this subpart related to the consent to use and disclose part 2 records, consistent with 42 U.S.C. 290dd–2 as amended by the CARES Act.

23. Section 2.51—Medical Emergencies

Finalizes the proposal to replace the term “individual” with the term “person” in § 2.51(c)(2).

24. Section 2.52—Scientific Research

Finalizes the proposed modifications to the heading as above to reflect statutory language. The final rule further aligns with the HIPAA Privacy Rule by replacing the requirements to render part 2 data in research reports non-identifiable with the HIPAA Privacy Rule's de-identification standard in 45 CFR 164.514.

25. Section 2.53—Management Audits, Financial Audits, and Program Evaluation

Finalizes changes as proposed. Modifies the heading to reflect statutory language. To support implementation of 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act, adds a provision to acknowledge the permission to use and disclose records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a part 2 program, covered entity, or business associate.

26. Section 2.54—Disclosures for Public Health

Finalizes the proposed addition of this section to implement 42 U.S.C. 290dd–2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit the disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.

27. Subpart E—Court Orders Authorizing Use and Disclosure

Finalizes proposed modifications to the heading of subpart E as above to reflect changes made to the provisions of this subpart related to the uses and disclosure of part 2 records in proceedings consistent with 42 U.S.C. 290dd–2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act.

28. Section 2.62—Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors, and Evaluators

Finalizes the proposed replacement of the term “qualified personnel” with a reference to the criteria that define such persons and adds a reference to § 2.53 as a technical edit.

29. Section 2.63—Confidential Communications

Finalizes proposed changes to paragraph (a)(3) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd–2(c), as amended by section 3221(c) of the CARES Act.

30. Section 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes

Finalizes proposed changes that expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply to expressly include administrative and legislative proceedings and also restricts the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order.

See 42 CFR part 2, subpart E.

31. Section 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients

Finalizes changes as proposed. Modifies the heading as above. Expands the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply to expressly include administrative and legislative proceedings and also restricts the use of testimony conveying information in a part 2 record in criminal proceedings against patients, absent consent or a court order.

Id.

32. Section 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or the Person Holding the Records

Finalizes changes as proposed and adds new changes. Modifies the heading as above. Finalizes requirements for investigative agencies to follow in the event that they discover in good faith that they received part 2 records during an investigation or prosecution of a part 2 program or the person holding the records, in order to seek a court order as required under § 2.66. Adds a further modification to provide that information from records obtained in violation of this part cannot be used in an application for a court order to obtain such records.

33. Section 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

Finalizes proposed criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b). Adds a further modification to provide that information from records obtained in violation of this part cannot be used in an application for a court order to obtain such records.

34. Section 2.68—Report to the Secretary

Finalizes the proposed requirement for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of part 2 records or placement of an undercover agent or informant as provided in §§ 2.66(a)(3) and 2.67(c)(4).

35. General Changes To Use and Disclosure

Finalizes proposed changes to re-order “disclosure and use” to “use and disclosure” throughout the regulation consistent with their usage in the HIPAA Privacy Rule which generally regulates the “use and disclosure” of PHI and relies on the phrase as a term of art. Inserts “use” or “disclose” to reflect the scope of activity that is the subject of the regulatory provision.

See, e.g., 45 CFR 164.502, Uses and disclosures of protected health information: General rules.

D. Summary of the Costs and Benefits of the Major Provisions

This final rule is anticipated to have an annual effect on the economy of $12,720,000 in the first year of the rule, followed by net savings in years two through five, resulting in overall net cost savings of $8,445,706 over five years. The Office of Management and Budget (OMB) has determined that this final rule is a significant regulatory action under section 3(f) of E.O. 12866, but not under section 3(f)(1).

Accordingly, the Department has prepared a Regulatory Impact Analysis (RIA) that presents the estimated costs and benefits of the rule.

II. Statutory and Regulatory Background

Confidentiality of SUD Records

Congress enacted the first Federal confidentiality protections for SUD records in section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970. This statute authorized “persons engaged in research on, or treatment with respect to, alcohol abuse and alcoholism to protect the privacy of individuals who [were] the subject of such research or treatment” from persons not connected with the conduct of the research or treatment by withholding identifying information.

See sec. 333, Public Law 91–616, 84 Stat. 1853 (Dec. 31, 1970) (codified at 42 U.S.C. 2688h).

Section 408 of the Drug Abuse Office and Treatment Act of 1972 applied confidentiality requirements to records relating to drug abuse prevention authorized or assisted under any provision of the Act. Section 408 permitted disclosure, with a patient's written consent, for diagnosis or treatment by medical personnel and to government personnel for obtaining patient benefits to which the patient is entitled. The 1972 Act also established exceptions to the consent requirement to permit disclosures for bona fide medical emergencies; to qualified personnel for conducting certain activities, such as scientific research or financial audit or program evaluation, as long as the patient is not identified in any reports; and as authorized by court order granted after application showing good cause.

See sec. 408, Public Law 92–255, 86 Stat. 65 (Mar. 21, 1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the use of a covered record to initiate or substantiate criminal charges against a patient or to investigate a patient. Section 408 provided for a fine in the amount of $500 for a first offense violation, and not more than $5,000 for each subsequent offense.

Id.

The Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974 expanded the types of records protected by confidentiality restrictions to include records relating to “alcoholism,” “alcohol abuse”, and “drug abuse” maintained in connection with any program or activity conducted, regulated, or directly or indirectly federally assisted by any United States agency. The 1974 Act also permitted the disclosure of records based on prior written patient consent only to the extent such disclosures were allowed under Federal regulations. Additionally, the 1974 Act excluded the interchange of records within the Armed Forces or components of the U.S. Department of Veterans Affairs (VA), then known as the Veterans' Administration, from the confidentiality restrictions.

See sec. 101, title I, Public Law 93–282, 88 Stat. 126 (May 14, 1974) (codified at 42 U.S.C. 4541 note), providing that: “This title [enacting this section and sections 4542, 4553, 4576, and 4577 of this title, amending sections 242a, 4571, 4572, 4573, 4581, and 4582 of this title, and enacting provisions set out as notes under sections 4581 and 4582 of this title] may be cited as the `Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974'.”

See sec. 408, title I, Public Law 92–255, 86 Stat. 79 (Mar. 21, 1972) (originally codified at 21 U.S.C. 1175). See 21 U.S.C. 1175 note for complete statutory history.

In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act) added section 543, Confidentiality of Records, to the Public Health Service Act (PHSA) (“part 2 statute”), which narrowed the grounds upon which a court could grant an order permitting disclosure of such records from “good cause” (i.e., based on weighing the public interest in the need for disclosure against the injury to the patient, the physician-patient relationship, and treatment services) to “the need to avert a substantial risk of death or serious bodily harm.” Congress also established criminal penalties for part 2 violations under title 18 of the United States Code, Crimes and Criminal Procedure. Finally, section 543 granted broad authority to the Secretary of HHS to prescribe regulations to carry out the purposes of section 543 and provide for safeguards and procedures, including criteria for the issuance and scope of court orders to authorize disclosure of SUD records, “as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.”

See sec. 131, Public Law 102–321, 106 Stat. 323 (July 10, 1992) (codified at 42 U.S.C. 201 note).

Codified at 42 U.S.C. 290dd–2.

See sec. 333, Public Law 91–616, 84 Stat. 1853 (Dec. 31, 1970).

See sec. 131, Public Law 102–321, 106 Stat. 323 (July 10, 1992) (codified at 42 U.S.C. 201 note).

Id., adding sec. 543(b)(2)(C) to the PHSA.

Id., adding sec. 543(g) to the PHSA.

In 1975, the Department promulgated the first Federal regulations implementing statutory SUD confidentiality provisions at 42 CFR part 2. In 1987, the Department published a final rule making substantive changes to the scope of part 2 to clarify the regulations and ease the burden of compliance by part 2 programs within the parameters of the existing statutory restrictions. After the 1992 enactment of the ADAMHA Reorganization Act, the Department later clarified the definition of “program” in a 1995 final rule to narrow the scope of part 2 regulations pertaining to medical facilities to cover (1) identified units within general medical facilities which hold themselves out as providing, and provide, SUD treatment, and (2) medical personnel or other staff in a general medical care facility whose primary function is the provision of SUD diagnosis, treatment, or referral for treatment and who are identified as such providers.

See 40 FR 27802 (July 1, 1975).

See 52 FR 21796 (June 9, 1987). See also Notice of Decision to Develop Regulations, 45 FR 53 (Jan. 2, 1980) and (Aug. 25, 1983).

See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (Aug. 18, 1994) and 59 FR 45063 (Aug. 31, 1994). The ambiguity of the definition of “program” was identified in United States v. Eide, 875 F. 2d 1429 (9th Cir. 1989), where the court held that the general emergency room is a “program” as defined by the regulations.

HIPAA and the HITECH Act

In 1996, Congress enacted HIPAA, which included Administrative Simplification provisions requiring the establishment of national standards to protect the privacy and security of individuals' PHI and establishing civil money and criminal penalties for violations of the requirements, among other provisions. The Administrative Simplification provisions and implementing regulations apply to covered entities, which are health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses. Certain provisions of the HIPAA regulations also apply directly to “business associates” of covered entities.

See Public Law 104–191, 110 Stat. 1936 (Aug. 21, 1996).

See the Administrative Simplification provisions of title II, subtitle F, of HIPAA, supra note 4. See also sec. 264 of HIPAA (codified at 42 U.S.C. 1320d–2 note). See also, Centers for Medicare & Medicaid Services, “HIPAA and Administrative Simplification” (Sept. 6, 2023), https://www.cms.gov/about-cms/what-we-do/administrative-simplification/hipaa/statutes-regulations.

See 42 U.S.C. 1320d–1 through 1320d–9. With respect to privacy standards, Congress directed the Department to “address at least the following: (1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required.” 42 U.S.C. 1320d–2 note.

See 42 U.S.C. 1320d–1 (applying Administrative Simplification provisions to covered entities).

See “Office for Civil Rights Fact Sheet on Direct Liability of Business Associates under HIPAA” (May 2019) for a comprehensive list of requirements in the HIPAA regulations that apply directly to business associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.

The HIPAA Privacy Rule, including provisions implemented as a result of the HITECH Act, regulates the use and disclosure of PHI by covered entities and business associates, requires covered entities to have safeguards in place to protect the privacy of PHI, and requires covered entities to obtain the written authorization of an individual to use and disclose the individual's PHI unless the use or disclosure is otherwise required or permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule includes several use and disclosure permissions that are relevant to this rulemaking, including the permissions for covered entities to use and disclose PHI without written authorization from an individual for TPO; to public health authorities for public health purposes; and for research in the form of a limited data set or pursuant to a waiver of authorization by a Privacy Board or Institutional Review Board. The HIPAA Privacy Rule also establishes the rights of individuals with respect to their PHI, including the rights to: receive adequate notice of a covered entity's privacy practices; request restrictions of certain uses and disclosures; access (i.e., inspect and obtain a copy of) their PHI; request an amendment of their PHI; and receive an accounting of certain disclosures of their PHI. Finally, the HIPAA Privacy Rule specifies standards for de-identification of PHI such that, when implemented, the information is no longer individually identifiable health information subject to the HIPAA regulations.

The HITECH Act extended the applicability of certain HIPAA Privacy Rule requirements and all of the HIPAA Security Rule requirements to the business associates of covered entities; required HIPAA covered entities and business associates to provide for notification of breaches of unsecured PHI (implemented by the HIPAA Breach Notification Rule); established new limitations on the use and disclosure of PHI for marketing and fundraising purposes; prohibited the sale of PHI; required consideration of whether a limited data set can serve as the minimum necessary amount of information for uses and disclosures of PHI; and expanded individuals' rights to access electronic copies of their PHI in an electronic health record (EHR), to receive an accounting of disclosures of their PHI with respect to electronic PHI (ePHI), and to request restrictions on certain disclosures of PHI to health plans. In addition, subtitle D strengthened and expanded HIPAA's enforcement provisions. See subtitle D of title XIII of the HITECH Act, entitled “Privacy”, for all provisions (codified in title 42 of U.S.C.).

See 45 CFR 164.502(a).

See 45 CFR 164.506.

See 45 CFR 164.512(b).

See 45 CFR 164.514(e)(1) through (4).

See 45 CFR 164.512(i).

See 45 CFR 164.520, 164.522, 164.524, 164.526, and 164.528.

See 45 CFR 164.514(a) through (c).

The HIPAA Security Rule, codified at 45 CFR parts 160 and 164, subparts A and C, requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Specifically, covered entities and business associates must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats or hazards to the security or integrity of the information and reasonably anticipated impermissible uses or disclosures; and ensure compliance by their workforce.

See 45 CFR 164.306(a)(1).

See 45 CFR 164.306(a)(2).

See 45 CFR 164.306(a)(3).

See 45 CFR 164.306(a)(4).

The HIPAA Breach Notification Rule, codified at 45 CFR parts 160 and 164, subparts A and D, implements HITECH Act requirements for covered entities to provide notification to affected individuals, the Secretary, and in some cases the media, following a “breach” of unsecured PHI. The HIPAA Breach Notification Rule also requires a covered entity's business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach. A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of “unsecured” PHI, subject to three exceptions: (1) the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority; (2) the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement in which the covered entity participates; and (3) the covered entity or business associate making the disclosure has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not reasonably have been able to retain the information.

See sec. 13402 of the HITECH Act (codified at 42 U.S.C. 17932).

See 45 CFR 164.402, “breach”, paragraph (1).

The HIPAA Breach Notification Rule provides that a covered entity may rebut the presumption that such impermissible use or disclosure constituted a breach by demonstrating that there is a low probability that PHI has been compromised based on a risk assessment of at least four required factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

Id. paragraph (2).

The HIPAA Enforcement Rule, codified at 45 CFR part 160 subparts C, D, and E, includes standards and procedures relating to investigations into complaints about noncompliance with the HIPAA regulation, compliance reviews, the imposition of CMPs, and procedures for hearings. The HIPAA Enforcement Rule states generally that the Secretary will impose a CMP upon a covered entity or business associate if the Secretary determines that the covered entity or business associate violated a HIPAA Administrative Simplification provision. However, the HIPAA Enforcement Rule also provides for informal resolution of potential noncompliance, which occurs through voluntary compliance by the regulated entity, corrective action, or a resolution agreement with the payment of a settlement amount to HHS Office for Civil Rights (OCR).

Criminal penalties may be imposed by the Department of Justice for certain violations under 42 U.S.C. 1320d–6.

See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.

The Department promulgated or modified key provisions of the HIPAA regulations as part of the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, and Other Modifications to the HIPAA Rules” final rule (“2013 Omnibus Final Rule”), in which the Department implemented applicable provisions of the HITECH Act, among other modifications. For example, the Department strengthened privacy and security protections for PHI, finalized breach notification requirements, and enhanced enforcement by increasing potential CMPs for violations, including establishing tiers of penalties based on a covered entity's or business associate's level of culpability.

78 FR 5566 (Jan. 25, 2013).

Id.

The Secretary of HHS delegated authority to OCR to make decisions regarding the implementation and interpretation of the HIPAA Privacy, Security, Breach Notification, and Enforcement regulations.

See U.S. Dep't of Health and Human Servs., Office of the Secretary, Office for Civil Rights; Statement of Delegation of Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and Human Servs., Office of the Secretary, Office for Civil Rights; Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of Health and Human Servs., Office of the Secretary, Statement of Organization, Functions and Delegations of Authority, 81 FR 95622 (Dec. 28, 2016).

Earlier Efforts To Align Part 2 With the HIPAA Regulations

Prior to amendment by the CARES Act, 42 U.S.C. 290dd–2 provided that records could be disclosed only with the patient's prior written consent, with limited exceptions. The exceptions related to records maintained by VA or the Armed Forces and, for example, disclosures for continuity of care in emergency situations or between personnel who have a need for the information in connection with their duties that arise out of the provision of the diagnosis, treatment, or referral for treatment of patients with SUD. The exceptions did not include, for example, a disclosure of part 2 records by a part 2 program to a third-party medical provider to treat a condition other than SUD absent an emergency situation. Therefore, the current part 2 regulations require prior written consent of the patient for most uses and disclosures of part 2 records, including for non-emergency treatment purposes. In contrast, the HIPAA Privacy Rule permits covered entities to use and disclose an individual's PHI for TPO without the individual's HIPAA authorization.

The limited exceptions are codified in current regulation at 42 CFR 2.12(c) and 42 CFR part 2, subpart D.

See 42 CFR 2.12(c)(3). These disclosures are limited to communications within a part 2 program or between a part 2 program and an entity having direct administrative control over the part 2 program.

See 45 CFR 164.501.

The Department has modified and clarified part 2 several times to align certain provisions more closely with the HIPAA Privacy Rule, address changes in health information technology (health IT), and provide greater flexibility for disclosures of patient identifying information within the health care system, while continuing to protect the confidentiality of part 2 records. For example, the Department clarified in a 2017 final rule that the definition of “patient identifying information” in part 2 includes the individual identifiers listed in the HIPAA Privacy Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not already listed in the part 2 definition. The 2017 final rule also revised § 2.16 (Security for Records) to more closely align with HIPAA and permitted the use of a consent that generally designates the recipient of records rather than naming a specific person.

See 85 FR 42986 (July 15, 2020) and 83 FR 239 (Jan. 3, 2018).

82 FR 6052 (Jan. 18, 2017). See also 81 FR 6988 (Feb. 9, 2016).

See 82 FR 6052, 6064.

82 FR 6052, 6054.

In 2018, the Department issued a final rule clarifying the circumstances under which lawful holders and their legal representatives, contractors, and subcontractors could use and disclose part 2 records related to payment and health care operations in § 2.33(b) and for audit or evaluation-related purposes. The Department clarified that previously listed types of payment and health care operations uses and disclosures under the lawful holder permission in § 2.33(b) were illustrative, and not definitive so as to be included in regulatory text. The Department also acknowledged the similarity of the list of activities to those included in the HIPAA Privacy Rule definition of “health care operations” but declined to fully incorporate that definition into part 2. The Department specifically excluded care coordination and case management from the list of payment and health care operations activities permitted without prior written consent of the patient under part 2 based on a determination that these activities are akin to treatment.

See 83 FR 239, 241–242.

Id. at 242.

In 2018 the Department also codified language for an abbreviated Notice to Accompany Disclosure of part 2 records. Although the rule retained the requirement that a patient must consent before a lawful holder may redisclose part 2 records for treatment, the Department explained that the purpose of the part 2 regulations is to ensure that a patient receiving treatment for an SUD is not made more vulnerable by reason of the availability of their patient records than an individual with a SUD who does not seek treatment. The Department simultaneously recognized the legitimate needs of lawful holders to obtain payment and conduct health care operations as long as the core protections of part 2 are maintained.

83 FR 239, 240. See also 82 FR 5485, 5487 (Jan. 18, 2017).

83 FR 239, 242.

82 FR 6052, 6053.

83 FR 239, 242.

In a final rule published July 15, 2020, the Department retained the requirement that programs obtain prior written consent before disclosing part 2 records in the first instance (outside of recognized exceptions). At the same time the Department reversed its previous exclusion of care coordination and case management from the list of payment and health care operations in § 2.33(b) for which a lawful holder may make further disclosures to its contractors, subcontractors, and legal representatives. The Department based this change on comments received on the proposed rule in 2019 and on section 3221(d)(4) of the CARES Act, which incorporated the HIPAA Privacy Rule definition of “health care operations,” including care coordination and case management activities, into paragraph (k)(4) of 42 U.S.C. 290dd–2. The July 2020 final rule also modified the consent requirements in § 2.31 by establishing special requirements for written consent when the recipient of part 2 records is a health information exchange (HIE) (as defined in 45 CFR 171.102). In this final rule, the Department now finalizes a definition of the term “intermediary” to further facilitate the exchange of part 2 records in new models of care, including those involving a research institution providing treatment, an ACO, or a care coordination or care management organization.

85 FR 42986. See also 84 FR 44568 (Aug. 26, 2019).

See 42 CFR 2.33(b).

See 45 CFR 164.501.

See 85 FR 42986, 43008–43009. Sec. 3221(k)(4) expressed the Sense of Congress that the Department should exclude paragraph (6)(v) of 45 CFR 164.501 (relating to creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity) from the definition of “health care operations” in applying the definition to these records.

See 85 FR 42986, 43006.

Id. See also 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 FR 25642 (May 1, 2020).

See 42 CFR 2.11, defining “Intermediary” as a person, other than a program, covered entity, or business associate, who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participants for the treatment of the patient(s), e.g., a health information exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization.

U.S. Dep't of Health and Human Servs., “Information Related to Mental and Behavioral Health, including Opioid Overdose” (Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html; U.S. Dep't of Health and Human Servs., “Does HIPAA permit health care providers to share protected health information (PHI) about an individual with mental illness with a third party that is not a health care provider for continuity of care purposes? For example, can a health care provider refer a patient experiencing homelessness to a social services agency, such as a housing provider, when doing so may reveal that the basis for eligibility is related to mental health?” (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html.

The Department again modified part 2 on December 14, 2020, by amending the confidential communications section of § 2.63(a)(2), which enumerated a basis for a court order authorizing the use of a record when “the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient.” The December 2020 final rule removed the phrase “allegedly committed by the patient,” explaining that the phrase was included in previous rulemaking by error, and clarifying that a court has the authority to permit disclosure of confidential communications when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime that was allegedly committed by either a patient or an individual other than the patient.

85 FR 80626 (Dec. 14, 2020).

Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act

On March 27, 2020, Congress enacted the CARES Act to provide emergency assistance to individuals, families, and businesses affected by the COVID–19 pandemic. Section 3221 of the CARES Act, Confidentiality and Disclosure of Records Relating to Substance Use Disorder, substantially amended 42 U.S.C. 290dd–2 to more closely align Federal privacy standards applicable to part 2 records with the HIPAA and HITECH Act privacy standards, breach notification standards, and enforcement authorities that apply to PHI, among other modifications.

Public Law 116–136, 134 Stat. 281 (Mar. 27, 2020). Significant components of section 3221 are codified at 42 U.S.C. 290dd–2 as further detailed in this final rule.

The requirements in 42 U.S.C. 290dd–2(b), (c), and (f), as amended by section 3221 of the CARES Act, with respect to patient consent and redisclosures of SUD records, now align more closely with HIPAA Privacy Rule provisions permitting uses and disclosures for TPO and establish certain patient rights with respect to their part 2 records consistent with provisions of the HITECH Act; restrict the use and disclosure of part 2 records in legal proceedings; and set civil and criminal penalties for violations. Section 3221 also amended 42 U.S.C. 290dd–2(j) and (k) by adding HITECH Act breach notification requirements and new terms and definitions consistent with the HIPAA regulations and the HITECH Act, respectively. Finally, section 3221 requires the Department to modify the HIPAA NPP requirements at 45 CFR 164.520 so that covered entities and part 2 programs provide notice to individuals regarding privacy practices related to part 2 records, including individuals' rights and uses and disclosures that are permitted or required without authorization.

Section 3221(i) requires the Secretary to update 45 CFR 164.520, the HIPAA Privacy Rule requirements with respect to the HIPAA NPP.

Paragraph (b) of section 3221 (Disclosures to Covered Entities Consistent with HIPAA) adds a new paragraph (1) (Consent) to section 543 of the PHSA and expands the ability of covered entities, business associates, and part 2 programs to use and disclose part 2 records for TPO. The text of section 3221(b) adding paragraph (1)(B) to 42 U.S.C. 290dd–2 states that once prior written consent of the patient has been obtained, the contents of the record may be used or disclosed by a covered entity, business associate, or a program subject to 290dd–2 for the purposes of TPO as permitted by the HIPAA regulations. Any disclosed information may then be redisclosed in accordance with the HIPAA regulations.

Paragraph (1) is codified at 42 U.S.C. 290dd–2(b).

To the extent that 42 U.S.C. 290dd–2(b)(1) now provides for a general written patient consent covering all future uses and disclosures for TPO “as permitted by the HIPAA regulations,” and expressly permits the redisclosure of part 2 records received for TPO “in accordance with the HIPAA regulations,” the Department believes this means the recipient redisclosing the records must be a covered entity, business associate, or part 2 program that has received part 2 records under a TPO consent. The Department's proposals throughout this final rule are premised on its reading of section 3221(b) as applying to redisclosures of part 2 records by covered entities, business associates, and part 2 programs, including those covered entities that are part 2 programs.

In addition to the provisions of section 3221 described above, paragraph (g) of section 3221, Antidiscrimination, adds a new provision (i)(1) to 42 U.S.C. 290dd–2 to prohibit discrimination against an individual based on their part 2 records in: (A) admission, access to, or treatment for health care; (B) hiring, firing, or terms of employment, or receipt of worker's compensation; (C) the sale, rental, or continued rental of housing; (D) access to Federal, State, or local courts; or (E) access to, approval of, or maintenance of social services and benefits provided or funded by Federal, State, or local governments. Further, the new paragraph (i)(2) prohibits discrimination by any recipient of Federal funds against individuals based on their part 2 records. As stated in the NPRM, the Department intends to implement the CARES Act antidiscrimination provisions in a separate rulemaking. However, we discuss below and briefly respond to comments we received on the NPRM concerning antidiscrimination and stigma issues.

See sec. 3221(g) of the CARES Act.

Id.

III. Overview of Public Comments

A. General Discussion of Comments

The Department received approximately 220 comments on the NPRM. By a wide margin, most of the commenters represented organizations rather than individuals (87 percent versus 13 percent). Professional and trade associations, including medical professional associations, and patient, provider, or other advocacy organizations were the most represented, followed by organizations that could fall within multiple categories. Other commenters included hospitals and health care systems, state and local government agencies, health plans and managed care organizations, health IT vendors, and unaffiliated individuals. Among the 27 individual commenters, nearly a third stated that they had current or past experience as an SUD provider, health care administrator, or health IT or legal professional.

The specific issue mentioned most frequently in comments was the proposal to allow patients to sign a single consent form for all future uses and disclosures of their SUD records for TPO purposes. This was followed by the proposed consent requirements, regulatory definitions, protections for patients in investigations and proceedings against them, and requirements for intermediaries, in that order.

B. General Comments

Approximately 75 percent of commenters provided general views on the NPRM covering multiple issues, including the need for better or complete alignment with HIPAA, concerns about erosion of privacy and the need for informed consent for disclosures, requests for Departmental guidance, and requests to better fund SUD treatment services and health IT technology for part 2 providers.

1. General Support for the Proposed Rule

Public comments showed strong general support for the NPRM, with nearly half voicing clear support and nearly one-third expressing support while offering suggestions for improvement. Comments in support of the proposed rule stated that the proposed changes would improve care coordination, support patient privacy, reduce data and information gaps between patients and providers, reduce the stigma around SUD treatment, and reduce costs.

A group of commenters supported the proposed changes but did not view the proposals as sufficient—they sought more comprehensive change, to essentially recreate a set of HIPAA standards for part 2 records.

2. General Opposition to the Proposed Rule

Some commenters that expressed opposition to the NPRM stressed the importance of privacy and the need for informed consent regarding the use and disclosure of SUD treatment information, particularly for the use of records in investigations and proceedings against a patient. Some SUD providers, medical professionals, trade associations, advocacy organizations, a mental health provider, and nearly all individual commenters urged the Department not to make changes to part 2, largely to maintain the existing privacy protections. One advocacy organization urged the Department to weigh the risk to patients of their data being used without their permission and their potential loss of privacy surrounding seeking treatment for SUD, against any potential benefits provided for providers by the new rule.

IV. Analysis and Response to Public Comments and Final Modifications

The discussion below provides a section-by-section description of the final rule and responds to comments received from the public in response to the 2022 NPRM. As the Department discussed in the NPRM, the CARES Act did not expressly require every proposal promulgated by the Department. Some of the Department's proposals were proposed to align the language of this regulation with that in the HIPAA Privacy Rule and to clarify already-existing part 2 permissions or restrictions.

A. Effective and Compliance Dates

Proposed Rule

In the NPRM, the Department proposed to finalize an effective date for a final rule that would occur 60 days after publication, and a compliance date that would occur 22 months after the effective date. Taken together, the two dates would give entities two years after publication to finalize compliance measures. In the NPRM, we stated “[e]ntities subject to a final rule would have until the compliance date to establish and implement policies and practices to achieve compliance.” The Department proposed to provide the same compliance date for both the proposed modifications to 45 CFR 164.520, the HIPAA NPP provision, and the more extensive part 2 modifications.

In this final rule, “we” and “our” denote the Department.

The HIPAA regulations generally require covered entities and business associates to comply with new or modified standards or implementation specifications no later than 180 days from the effective date of any such standards or implementation specifications, whereas the part 2 regulation does not contain a standard compliance period for regulatory changes.

See 45 CFR 160.105.

However, as we explained in the NPRM, the proposed compliance period would allow part 2 programs to revise existing policies and practices, complete other implementation requirements, and train their workforce members on the changes, as well as minimize administrative burdens on entities subject to the HIPAA Privacy Rule.

We requested comment on the adequacy of the 22-month compliance period that follows the proposed effective date and any benefits or unintended adverse consequences for entities or individuals of a shorter or longer compliance period.

Comment

More than half of the commenters who addressed the timeline for compliance, including several providers, health plans, professional medical and trade associations, and HIE networks, expressed support or opined that the proposed dates were feasible. Some of these commenters believed changes could be implemented sooner. Several of these supportive commenters offered the opinion that compliance deadlines facilitate care coordination and therefore should not be unnecessarily delayed, but that the Department should offer technical assistance leading up to the compliance deadline to assist entities in implementing these changes. Some commenters stated that the Department should make clear that covered entities and part 2 programs who wish to comply with new finalized provisions, such as permissively using and disclosing SUD records for TPO or using the new authorization form with a general designation, before the proposed timeline should be able to do so voluntarily.

Several commenters opined that the compliance timeline should be shortened. In general, these commenters stated that a shorter compliance timeline would more quickly facilitate improved care coordination for SUD patients and avoid extending the opioid crisis. A few of these commenters suggested that the gap in time between the effective date and compliance date would allow entities to “choose” whether to follow existing or revised regulations for a period of time, and thus impede interoperability. Others in this group of commenters suggested that the proposed compliance date was excessively long, demonstrated a lack of urgency by the Department for improving SUD data exchange and care for SUD patients, and would prolong the “misalignment” of privacy protections for different types of information. One of these commenters recommended an alternative 12-month timeline that would include the effective date with only 10 additional months for compliance. A few of these commenters further encouraged the Department to clarify that entities wishing to implement any regulatory changes before the proposed timelines could voluntarily do so.

Response

We appreciate the comments and clarify here that persons who are subject to the regulation and are able to voluntarily comply with regulatory provisions finalized in this rulemaking may do so at any time after the effective date. We also agree with the commenters who emphasized the important role that this rule will play in improving care coordination for patients experiencing addiction or other forms of SUD, and we acknowledge their concerns about timely implementation. As finalized, we believe the effective and compliance dates strike the right balance between incentivizing entities to come into compliance in a timely fashion, and granting them sufficient time to adjust policies, procedures, and, in some cases, technology to support new or revised regulations.

Comment

A few commenters expressed support for the proposed timelines but requested clarification about whether new finalized provisions would apply to records created prior to the compliance date of the final rule. These commenters urged the Department to apply modified requirements to part 2 records created prior to the compliance date of the final rule to avoid the burdensome task of separating records and applications for consent.

Response

The changes finalized in this rule will apply to records created prior to the final rule. We agree with commenters who stated that separating records by date of creation for differential treatment would be unduly burdensome.

Comment

Slightly less than half of the commenters about this topic, including medical associations, a technology vendor, HIE/HINs, state and local agencies, health plans, and professional provider organizations, suggested that the Department should either lengthen the compliance timeline or finalize the proposed compliance date but delay enforcement, or issue a compliance safe harbor beyond the compliance date. For example, one commenter suggested that the Department implement a two-year enforcement delay while a few other commenters suggested a three-year enforcement delay or two-year phased enforcement approach beyond the compliance date. Some commenters requested that the Department spend the time tolled by the enforcement delay to issue implementation guidance addressing the interaction of the Centers for Medicare & Medicaid Services (CMS) Interoperability Rule, HIPAA regulations, and 42 CFR part 2, or work with the IT vendor community to address data segmentation approaches.

See 85 FR 25510 (May 1, 2020).

A few state and local agencies opined that the 22-month compliance period following the effective date would not be adequate for communication, training, implementation, and monitoring of extensive SUD provider networks with varying delivery options. One of these agencies cited as an example the state of California where the Medicaid SUD service delivery system may include hundreds of county and contracted providers such that the burden of audits, deficiency findings, and corrective actions would be felt statewide. Another state agency commented that its state needed more time to develop a means to track TPO disclosures and recommended a 60-month timeline after publication of the rule. Other alternative timelines suggested by commenters included a recommendation by a dental professional association to establish an effective date of no less than one year after publication of the final rule, and a compliance date of no less than one year after the effective date; an additional 12 months beyond the proposed 22-month compliance timeline to better accommodate new interoperability rules and a corresponding need by part 2 programs to update technology; or a 34-month period following the 60-day effective date period to grant part 2 programs greater time to implement changes in practice related to the rule, as well as additional time for questions and clarifications from the Department. Commenters also suggested that an enforcement delay include a delay in imposing civil monetary penalties or “safe harbor” protection for part 2 programs, providers, business associates, and covered entities acting in good faith.

Response

We disagree with commenters who suggested or recommended that the Department delay enforcement of a final part 2 rule beyond the proposed timeline. We also disagree that additional safe harbor protection for the entities that would be regulated under this rule is necessary or appropriate. Either an enforcement delay or an enforcement safe harbor (that would effectively extend the compliance timeline) would frustrate the timely implementation of the CARES Act amendments to meaningfully improve the ability of impacted entities to coordinate care for individuals experiencing SUD, as suggested by the many commenters who either agreed with the proposed effective and compliance dates or sought a shorter compliance timeline. The Department may provide further guidance on the CMS Interoperability Rule in relation to data segmentation issues, HIPAA, and part 2, but we do not believe that this should delay finalization of the modifications to the part 2 rule or compliance deadlines.

Comment

One commenter, a Tribal health board, recommended that Indian Health Service (IHS) and Tribal facilities using the existing IHS medical record system be exempted from compliance with part 2 until such time as IHS modernizes its electronic health record (EHR) system, projected for 2025. It further requested that SAMHSA issue guidance for pharmacies utilizing and issuing electronic prescriptions through the Resource and Patient Management System (RPMS) EHR system, and associated redisclosures, in the context of an integrated pharmacy system with the full RPMS EHR.

Response

The timeline finalized here is consistent with this request. As explained, the two-month delay between publication and an effective date combined with a 22-month compliance deadline beyond the effective date grants entities two years after publication to comply. Absent extenuating circumstances that cause the Department to require compliance sooner, this final rule will require compliance no earlier than third quarter of calendar year 2025.

Comment

A few commenters representing HIE networks expressed support for the Department's proposal to toll the date by which part 2 programs must comply with the proposed accounting of disclosures requirements at § 2.25 until the effective date of a final rule on a revised HIPAA accounting of disclosures standard at 45 CFR 164.528 to ensure the consistency with HIPAA.

Response

We appreciate these comments.

Comment

A few commenters recommended that the Department delay this rule in its entirety until other proposed HIPAA regulations are finalized to permit commenters to better assess interactions between the alignment and to reduce administrative burden, such as reviewing multiple proposed HIPAA NPP provisions.

Response

The Department is not finalizing the proposed HIPAA NPP provisions in this final rule, but plans to do so in a future HIPAA final rule. We intend to align compliance dates for any required changes to the HIPAA NPP and part 2 Patient Notice to enable covered entities to make such changes at the same time. We believe the two-year compliance timeline following publication of this rule provides adequate time to assess alignment implications between HIPAA and part 2 and adjust accordingly.

Final Dates

The final rule adopts the proposed effective date of 60 days after publication of this final rule, and the proposed compliance date of 24 months after the publication of this final rule. We are also finalizing the proposed accounting of disclosure provision at § 2.25, but tolling the effective and compliance dates for that provision until such time as the Department finalizes a revised provision in HIPAA at 45 CFR 164.528.

B. Substantive Proposals and Responses to Comments

Section 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records

Proposed Rule

Section 2.1 describes the statutory authority vested in 42 U.S.C. 290dd–2(g) to prescribe implementing regulations. The Department proposed to revise § 2.1 to more closely align this section with the statutory text of 42 U.S.C. 290dd–2(g) and subsection 290dd–2(b)(2)(C) related to the issuance of court orders authorizing disclosures of part 2 records.

Comment

A health plan commenter expressed support for this language alignment and stated that the specific references to authorized disclosures pursuant to court order will assist part 2 programs in their compliance efforts. A state agency said that these changes to part 2 will affect its Medicaid system and Prepaid Inpatient Health Plans. Compliance is further required for State licensed narcotic treatment facilities and residential alcohol and drug treatment facilities.

Response

We appreciate these comments.

Final Rule

The final rule adopts the proposed changes to this section without further modification.

Section 2.2—Purpose and Effect

Proposed Rule

Section 2.2 establishes the purpose and effect of regulations imposed in this part upon the use and disclosure of part 2 records. The Department proposed to amend paragraph (b) of this section to reflect that § 2.2(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the HIPAA Privacy Rule at 45 CFR 164.502(a)(2)(ii). In the NPRM, the Department stated that the regulations do not require use or disclosure under any circumstance other than when disclosure is required by the Secretary to investigate or determine a person's compliance with this part. The Department also proposed to add a new paragraph (b)(3) to this section to clarify that nothing in this rule should be construed to limit a patient's right to request restrictions on use of records for TPO or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the HIPAA Privacy Rule. The Department specifically stated that the “regulations in this part are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out.”

Comment

A commenter said that it is logical for disclosures to the Secretary under § 2.2 to be consistent with analogous disclosures under HIPAA. Regarding the proposed modification to § 2.2(b)(1) to provide that the regulations generally do not require the use and disclosure of part 2 records, except when disclosure is required by the Secretary, another commenter said that it would be more logical and appropriate to treat part 2 records as HIPAA-covered records. The commenter believed that continued stigmatization of the diagnoses treated by part 2 facilities is a barrier to treatment and creates a two-tiered approach to use and disclosure that provides no meaningful benefit to patients.

Response

We appreciate these comments and have finalized this section as noted below. We believe our changes align part 2 more closely with HIPAA while also acknowledging changes to 42 U.S.C. 290dd–2, as amended by section 3221 of the CARES Act, which continue to provide additional protection for part 2 records, especially in legal proceedings against a patient. This section is needed to prevent harm to patients from stigma and discrimination consistent with the intent of part 2 and the CARES Act, including newly added statutory antidiscrimination requirements (42 U.S.C. 290dd–2(i)).

Comment

An SUD professional association discussed stigma and discrimination to which SUD patients are subject and asked that any discussion of proposed changes in the NPRM first begin with the context of why these protections exist. Citing to § 2.2(b)(2), the association noted that there are a number of adverse impacts to which patients are vulnerable including those related to: criminal justice, health care, housing, life insurance coverage, loans, employment, licensure, and other intentional or passive discrimination against patients. A psychiatric hospital said that, under current § 2.2(b)(2), the purpose of the substance use disorder confidentiality protections is to encourage care without fear of stigma-related adverse impacts, not to block access to it for patients.

Response

We have long emphasized and agree with commenters that one primary purpose of the part 2 regulations is to, as the 1987 rule stated, ensure “that an alcohol or drug abuse patient in a federally assisted alcohol or drug abuse program is not made more vulnerable by reason of the availability of his or her patient record than an individual who has an alcohol or drug problem and who does not seek treatment.” The final rule continues to emphasize, including in this section, that most uses and disclosures allowed under part 2 are permissive and not mandatory. The final rule adds that disclosure may be required “when disclosure is required by the Secretary to investigate or determine a person's compliance with this part pursuant to § 2.3(c).” Likewise, a court order with a subpoena or similar legal mandate may compel disclosure of part 2 records, as explained in § 2.61, Legal effect of order.

52 FR 21796, 21805.

Section 2.61(a) provides that court orders entered under this subpart are “unique” and only issued to authorize a disclosure or use, and not “compel” disclosure. It further provides “A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under the regulations in this part.” Under the HIPAA Privacy Rule, a disclosure pursuant to such a court order, but without an accompanying subpoena, would not constitute a disclosure required by law as that term is defined at 45 CFR 164.103.

Comment

A commenter believed the Department's proposal to add a new paragraph (b)(3) to § 2.2 to provide that nothing in this part shall be construed to limit a patient's right to request restrictions on use of records for TPO or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the HIPAA Privacy Rule appears consistent with patients' rights requirements under HIPAA and is a logical clarification.

Response

We appreciate the comment on our proposed changes which are finalized here.

Final Rule

The final rule adopts all changes to § 2.2 as proposed, without further modification.

Section 2.3—Civil and Criminal Penalties for Violations

Proposed Rule

Section 2.3 of 42 CFR part 2 currently requires that any person who violates any provision of the part 2 regulations be criminally fined in accordance with title 18 U.S.C. The Department proposed multiple changes to this section to implement the new authority granted in section 3221(f) of the CARES Act as applied in 42 U.S.C. 290dd–2(f) so that sections 1176 and 1177 of the Social Security Act apply to a part 2 program for a violation of 42 CFR part 2 in the same manner as they apply to a covered entity for a violation of part C of title XI of the Social Security Act (HIPAA Administrative Simplification).

The Department proposed to replace title 18 criminal enforcement with civil and criminal penalties under sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6), respectively, as implemented in the HIPAA Enforcement Rule. The Department also proposed to rename § 2.3 as “Civil and criminal penalties for violations” and reorganize § 2.3 into paragraphs (a), (b), and (c). Proposed § 2.3(a) would incorporate the penalty provisions of 42 U.S.C. 290dd–2(f), which apply the civil and criminal penalties of sections 1176 and 1177 of the Social Security Act, respectively, to violations of part 2. Proposed changes and comments regarding paragraphs (a), (b), and (c) are discussed below.

See 45 CFR part 160, subpart D (Imposition of Civil Money Penalties).

Comment

We received comments concerning proposed revisions to § 2.3(a). A state agency requested clarification regarding the agencies authorized to enforce § 2.3. Given statutory changes made by the CARES Act, the commenter asked that the Department clarify which agencies are authorized to enforce part 2 pursuant to the proposed provision. This commenter opined that section 1176 of the Social Security Act authorizes the Secretary to impose penalties, the attorney general of a state to bring a civil action for statutory damages in certain circumstances, and OCR to use corrective action in cases where the person did not know of the violation involved. The commenter asked for confirmation that the Department is the Federal agency that is authorized to enforce part 2 through civil penalties and further seeks clarification regarding whether the Department will act through OCR, SAMHSA, or another entity. The commenter also seeks clarification that the authorized state enforcement agency is the office of the attorney general. Additionally, section 1177 of the Social Security Act pertains to criminal penalties for knowing violations, but does not identify the specific agency charged with enforcement. The commenter seeks confirmation that under the proposed rule, the Federal Department of Justice (DOJ) has jurisdiction over enforcement of part 2 through criminal penalties.

Response

We appreciate requests for clarification on enforcement of part 2 as proposed and now finalized in this rule. As we have noted in previous rulemakings such as the “HIPAA Administrative Simplification: Enforcement” final rule “[u]nder sections 1176 and 1177 of the Act, 42 U.S.C. 1320d–5 and 6, these persons or organizations, collectively referred to as ‘covered entities,’ may be subject to CMPs and criminal penalties for violations of the HIPAA regulations. HHS enforces the CMPs under section 1176 of the Act, and [DOJ] enforces the criminal penalties under section 1177 of the Act.” As part of the HITECH Act, state attorneys general may bring civil suits for violations of the HIPAA Privacy and Security Rules on behalf of state residents. Under this final rule, alleged violators of part 2 are subject to the same penalties as HIPAA covered entities through sections 1176 and 1177 of the Social Security Act. The CARES Act granted enforcement authority to the Secretary for civil penalties and the Department will identify the enforcing agency before the compliance date of this final rule.

74 FR 56123, 56124 (Oct. 30, 2009). See also, U.S. Dep't of Health and Human Servs., “How OCR Enforces the HIPAA Privacy & Security Rules” (June 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html.

See U.S. Dep't of Health and Human Servs., “State Attorneys General” (Dec. 21, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html.

Comment

A state agency said that its state strongly opposes what it perceives as increasing the civil and criminal penalties described in § 2.3. Understanding the desire to ensure strong privacy protections are in place and that sanctions are necessary, the agency opined that the current enforcement framework is adequate and increasing sanctions would be punitive rather than promoting compliance. Punitive sanctions should be brought only against those entities or individuals that failed to use due diligence and/or make every reasonable attempt to protect against unauthorized disclosure. Unintended unauthorized disclosures that result in no material patient harm should be treated as that—unintended disclosures that cause de minimis or no harm to patients. Increasing sanctions may have the unintended consequence of part 2 programs not sharing patient records even if the patient in fact desires disclosure.

Response

We appreciate this commenter's concerns about part 2 enforcement and disagree that the sanctions for violations will be harsher than for violations of the HIPAA regulations. We note that 42 U.S.C. 290dd–2(f), as amended by section 3221(f) of the CARES Act, applies the provisions of sections 1176 and 1177 of the Social Security Act to a violation of 42 CFR part 2 in the same manner as they apply to a violation of part C of title XI of the Social Security Act. We are implementing these requirements in this final rule. As of the compliance date for this final rule, we anticipate taking a similar approach to addressing noncompliance under part 2 as for violations of HIPAA, ranging from voluntary compliance and corrective action to civil and criminal penalties. Indeed, we are finalizing below § 2.3(c) which provides that the provisions of 45 CFR part 160, subparts C, D, and E, shall apply to noncompliance with this part with respect to records in the same manner as they apply to covered entities and business associates for violations of 45 CFR parts 160 and 164 with respect to PHI. As proposed, we are incorporating the entirety of 45 CFR part 160, subpart D, which includes the mitigating factors in 45 CFR 160.408 and the affirmative defenses in 45 CFR 160.410, to align part 2 enforcement with the HIPAA Enforcement Rule.

See U.S. Dep't of Health and Human Servs., “Enforcement Process” (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html; HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.

In contrast, prior to this final rule, all alleged part 2 violations were subject only to potential criminal penalties. Aligning part 2 and HIPAA enforcement approaches should make the enforcement process more straightforward for part 2 programs that are covered entities because it offers the same mitigating factors for consideration in enforcement, such as the number of individuals affected by the violation; whether the violation caused physical, financial, or reputational harm to the individual or jeopardized an individual's ability to obtain health care; the size of the covered entity or part 2 program; and whether the penalty would jeopardize the covered entity or part 2 program's ability to continue doing business. This alignment also affords part 2 programs, including those that are covered entities, the same affirmative defenses to alleged noncompliance and generally prohibits the imposition of a civil money penalty for a violation that is not due to willful neglect and is corrected within 30 days of discovery.

Final Rule

We are finalizing § 2.3(a) to specify that under 42 U.S.C. 290dd–2(f), any person who violates any provision of this part shall be subject to the applicable penalties under sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 1320d–5 and 1320d–6, as implemented in the HIPAA Enforcement Rule.

Section 2.3(b) Limitation on Criminal or Civil Liability

Proposed Rule

As noted in the NPRM, after consultation with DOJ, the Department proposed in § 2.3(b) to create a limitation on civil or criminal liability (“safe harbor”) for persons acting on behalf of investigative agencies when, in the course of investigating or prosecuting a part 2 program or other person holding part 2 records, such agencies or persons unknowingly receive part 2 records without first obtaining the requisite court order. The proposed safe harbor applies only in instances where records are obtained for the purposes of investigating a part 2 program or person holding the record, not a patient. Further, investigative agencies would be required to follow part 2 requirements for obtaining, using, and disclosing part 2 records as part of an investigation or prosecution, including requirements related to seeking a court order, filing protective orders, maintaining security for records, and ensuring that records obtained in program investigations are not used in legal actions against patients who are the subjects of the records.

This safe harbor would be available for uses or disclosures inconsistent with part 2 only when the person acting on behalf of an investigative agency acted with reasonable diligence to determine in advance whether part 2 applied to the records or part 2 program. Paragraph (b)(1) proposed to clarify what constitutes reasonable diligence in determining whether part 2 applies to a record or part 2 program before an investigative agency makes an investigative demand or places an undercover agent with the part 2 program or person holding the records. The Department proposed specifically that reasonable diligence under this provision would require acting within a reasonable period of time, but no more than 60 days prior to, the request for records or placement of an undercover agent or informant. As proposed, reasonable diligence would include taking the following actions to determine whether a health care practice or provider (where it is reasonable to believe that the practice or provider provides SUD diagnostic, treatment, or referral for treatment services) provides such services: (1) checking a prescription drug monitoring program (PDMP) in the state where the provider is located, if available and accessible to the agency under state law; or (2) checking the website or physical location of the provider.

In addition, § 2.3(b) as proposed was intended to require an investigative agency to meet any other applicable requirements within part 2 for any use or disclosure of the records that occurred, or would occur, after the investigative agency knew, or by exercising reasonable diligence would have known, that it received part 2 records. The Department also proposed amending §§ 2.66 and 2.67 to be consistent with and further implement these proposed changes in § 2.3.

Comment

A state agency that regulates health facilities expressed concern that statements made by HHS in the NPRM when describing the need for the safe harbor provision for investigative agencies might bring its authority to obtain part 2 records from health care facilities into question. The commenter explained that the Department's justification and interpretation of the need for a safe harbor provision could result in licensed health care facilities refusing to provide it with access to part 2 records until the state agency obtains a court order under subpart E. While the commenter appreciated the clarification provided by the Department in the NPRM (“[HHS] does not intend to modify the applicability of § 2.12 or § 2.53 for investigative agencies”), the commenter asked that § 2.3(b) affirm that investigative agencies will not be required to demonstrate due diligence or obtain a court order if their access, use, and disclosure of part 2 records is covered by another exception to part 2, such as the audit and evaluation exception in § 2.53.

An academic medical center advocated for a narrower definition of “investigative agency” than proposed and expressed concern about applying the proposed limitation on liability to a broad category of agencies. Several other commenters also addressed in their comments the Department's proposed definition of “investigative agency” in § 2.11, suggesting inclusion of state, Tribal, or local agencies in this definition.

Response

We address comments on definitions below in § 2.11, including concerns about potential unintended adverse consequences of including “supervisory” agencies in the definition of “investigative agency”. We believe that the definition of “investigative agency”, combined with the safe harbor (and its reasonable diligence prerequisite) and the annual reporting requirement, provides an appropriate check on government access to records in the course of investigating a part 2 program or lawful holder in those situations where an agency discovers it has unknowingly obtained part 2 records. The safe harbor option to apply for a court order retroactively does not alter the criteria for a court to grant the order, which includes a finding that other means of obtaining the records were unavailable, would not be effective, or would yield incomplete information. Here, we also clarify that we do not intend, in § 2.3(b), to override the existing authority of investigative or oversight agencies to access records, without court order, when permitted under another section of this regulation. Rather than narrowing the definition, we also include, as some commenters requested, local, territorial, and Tribal investigative agencies in the final “investigative agency” definition because they have a role in investigations of part 2 programs.

Comment

Some SUD policy organizations and other commenters suggested that the Department should not include a safe harbor provision for investigative agencies, as this is not required by the CARES Act and is duplicative of existing protections such as qualified immunity. According to these commenters, the CARES Act does not require a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive part 2 records. Additionally, this provision is deleterious to the confidentiality of patients relying on part 2 protections of their records in seeking or receiving SUD treatment, further eroding the trust necessary between provider and patient for successful SUD treatment.

The commenters further addressed in their comments the reasonable diligence steps proposed to identify whether a provider is a covered part 2 program. Though the NPRM proposed that passing by a part 2 program to observe its operations or checking a PDMP is sufficient to determine whether a provider offers SUD services, many SUD providers are not required to share information with PDMPs, the commenters assert. One commenter suggested that PDMPs do not contain any information from part 2 programs that do not prescribe controlled substances to patients. Under § 2.36, opioid treatment programs (OTPs) may report methadone dispensing information to PDMPs, but only if the reporting is mandated by state law and authorized by a part 2-compliant consent form. The commenters asserted that more accurate verification methods exist, such as SAMHSA's online treatment locator or state treatment databases. If such a safe harbor provision is included, the standard for diligence must be made more explicit and subject to more rigorous standards, according to these commenters.

A legal advocacy organization commented that the safe harbor proposal fell outside the scope of the CARES Act and was an unnecessary change. It further commented that despite disclosing that it consulted with the DOJ, HHS failed to adequately explain why law enforcement merits special consideration for protection from liability or why HHS did not consult with civil rights organizations, legal and policy advocates, providers, or patients. In addition, this commenter opined that the proposed safe harbor provision had inadequate guardrails to protect privacy because the Department proposed a very low standard of reasonable diligence that the investigative agency would be required to show and insufficient examples of actions an investigative agency must take to identify whether a provider offered SUD treatment under part 2. The commenter also remarked that checking a state's PDMP website should not be sufficient to establish reasonable diligence since the majority of part 2 programs do not report information to PDMPs, and similarly, driving by a provider's physical location should not be considered sufficient to establish reasonable diligence because many SUD providers preserve their patients' privacy by avoiding overt street signage or advertisements. This commenter suggested checking SAMHSA's online treatment locator or the state oversight agency's list of licensed and certified providers as better alternatives than those proposed in the NPRM.

An HIE association expressed concern that if patients believe that their information related to seeking SUD treatment or admitting continued SUD while in treatment could be disclosed to an investigative Federal Government agency, then they may forgo or stop receiving that treatment. SUD treatment and the part 2 patient records are some of the most sensitive pieces of a person's health record. The commenter suggested that it is important for OCR and SAMHSA to engage with patient advocacy organizations to understand the needs of patients to protect that privacy and ensure treatment is not foregone due to a fear of exposure. An individual commenter also recommended consultation by the Department with SUD patients and former patients.

Another group of commenters claimed that the proposed rule's new safe harbor provision in § 2.3 was unnecessary, overly broad, and not required by the CARES Act. HHS should withdraw this proposed change, these commenters stated, or at least should include more accurate methods by which investigative agencies can determine whether a provider offers SUD services (and thus may be subject to part 2), such as consulting the SAMHSA online treatment locator.

An individual commenter viewed the proposed § 2.3(b) changes as stigmatizing because it would promote access to patients' records against their interests by law enforcement. Another individual commenter suggested the proposed safe harbor may create a chilling effect, dissuading people from seeking the SUD care and other kinds of health care, including prenatal care, that they need. One person in recovery said that the proposal's language is vague and open-ended, leaving room for interpretation and loopholes for fishing expeditions by law enforcement through patient records. This commenter further stated that while it is important that bad actor treatment centers or providers are held accountable, the solution should not sacrifice fundamental privacy rights of patients.

Another commenter recommended a bar against using the safe harbor provision without inquiring directly with the provider about whether part 2 applies. The organization has helped part 2 programs respond to hundreds of law enforcement requests for SUD treatment records. Based on its experience, many part 2 programs report that law enforcement officials are not familiar with part 2 and do not listen to program staff when they flag its requirements for law enforcement. The commenter stated that part 2 program staff have even been arrested and charged with obstruction for attempting to explain the Federal privacy law as a result of this lack of knowledge by law enforcement.

A county government expressed opposition to the Department's proposals in § 2.3, and relatedly in §§ 2.66 and 2.67. According to this commenter, the Department should consider that once information is received by an investigator, there is no way to undo the knowledge learned even if records are destroyed as required in §§ 2.66 and 2.67. Thus, the commenter concluded, the Department should not finalize the safe harbor.

Another county government, also expressing opposition to proposed changes in §§ 2.3 and 2.66, commented that it believes the creation of a safe harbor for improper use or disclosure of part 2 records by investigative agencies is contrary to the “fundamental policy goals” that support more stringent privacy protections for substance use treatment records under 42 CFR part 2. This commenter explained its view that patients remain fearful of legal repercussions for engaging in substance use and will be discouraged from seeking treatment if guardrails that protect information are lowered. This commenter further opined that creating a safe harbor for investigative agencies could have the unintended consequence of creating an incentive for investigative agencies to design document requests to technically meet the requirements of the safe harbor, with the hope that providers will turn over part 2 records to which the investigative agency would not otherwise have access. Furthermore, according to the commenter, the contents of part 2 records could conceivably be used as a basis for meeting the criteria for a court order to use or disclose these, or other part 2 records, under § 2.64. This commenter further recommended that investigators not be permitted to retroactively seek a court order to use or disclose part 2 records, and that in no event should investigative agencies be able to use information from part 2 records that they did not have proper authority to receive as the basis for a retroactive court order for use or disclosure of part 2 records.

Response

As noted above and in response to comments, this final rule no longer considers the reasonable diligence requirement specific to the safe harbor to be met by checking the applicable PDMP. Instead, this rule in the regulatory text of § 2.3 provides that “reasonable diligence” means taking all of the following actions: searching for the practice or provider among the SUD treatment facilities in SAMHSA's online treatment locator; searching in a similar state database of treatment facilities where available; checking a practice or program's website, where available, or physical location; viewing the entity's Patient Notice or HIPAA NPP if it is available; and taking all these steps within no more than 60 days before requesting records or placing an undercover agent or informant.

SAMHSA's online treatment locator, even if it does not include every SUD provider or may include outdated information for some providers, still is more inclusive than PDMPs. Generally, only SUD providers who prescribe controlled substances submit data to PDMPs while SAMHSA's online treatment locator also includes SUD providers who do not prescribe controlled substances. Further, we believe that requiring consultation of a PDMP by investigative agencies could unnecessarily increase exposure of patient records that are contained in a PDMP with the records of part 2 programs or lawful holders who are under investigation. The inherent risk of an unnecessary disclosure of patient records runs counter to the underlying intent to keep these records confidential. Finally, the SAMHSA online treatment locator uses existing Departmental resources and is readily available to the general public at no cost.

See Substance Abuse and Mental Health Servs. Admin., “FindTreatment.gov,” https://findtreatment.gov/.

See Ned J. Presnall, Giulia Croce Butler, and Richard A. Grucza, “Consumer access to buprenorphine and methadone in certified community behavioral health centers: A secret shopper study,” Journal of Substance Abuse Treatment (Apr. 29, 2022), https://www.jsatjournal.com/article/S0740-5472(22)00070-8/fulltext; Cho-Hee Shrader, Ashly Westrick, Saskia R. Vos, et al., “Sociodemographic Correlates of Affordable Community Behavioral Health Treatment Facility Availability in Florida: A Cross-Sectional Study,” The Journal of Behavioral Health Services & Research (Jan. 4, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9812544/.

As to the suggestion that checking state licensing information would be a better indicator of a program's part 2 status, the Department disagrees. Licensing may occur at the facility level, or separately by occupational specialty, which would require an investigative agency to scour several sources of information. Further, the definition of part 2 program is broader than that of licensed SUD treatment providers because it can include prevention programs, so the pool of licensed providers is overly narrow and does not address the requirements that a program “hold itself out” as providing SUD services or that it is in receipt of Federal assistance.

Regarding comments that HHS did not consult with civil rights organizations, legal and policy advocates, providers, or patients, we note that we received and reviewed comments submitted by individuals and advocacy and civil rights organizations as we are required to do as part of the rulemaking process. We also consulted with DOJ and other Federal agencies.

We also acknowledge and appreciate concerns among some individual commenters that this provision may further stigmatize people seeking SUD treatment. However, we believe the requirement to demonstrate reasonable diligence to determine part 2 status in the safe harbor along with the requirements in §§ 2.66 and 2.67 that prohibit use or disclosure of records against a patient in a criminal investigation or prosecution or in an application for a court order to obtain records for such purposes will help ensure and enhance patient privacy consistent with the purpose and intent of part 2 and 42 U.S.C. 290dd–2 as amended by the CARES Act. We will monitor implementation and take steps to address any unintended adverse consequences that may follow, particularly for patients because they are not the intended focus of these investigations.

The safe harbor is not required by the CARES Act; it is grounded in the Secretary's general rulemaking authority for the confidentiality of SUD patient records under 42 U.S.C. 290dd–2(g) and is necessary to operationalize subpart E, particularly in the context of other health care investigations. For example, investigative agencies may inadvertently obtain records from part 2 programs in the course of their investigations under other laws such as Medicaid fraud regulations, Drug Enforcement Administration (DEA) regulations, and HIPAA, where the applicability of part 2 (and the court order requirement for program investigations) is not obvious. The safe harbor provision facilitates a pathway to conduct the investigation under the amended part 2 statute. Contrary to some views expressed by commenters, it may be inappropriate for an investigative agency to directly discuss with or contact the provider about whether part 2 applies because this could apprise them of an investigation or potential use of an informant under subpart E. In contrast, reliance on a publicly available directory, a HIPAA NPP, or Patient Notice offers neutral sources to alert agencies to the potential applicability of part 2.

Comment

A health care system commented that an investigative agency should have ample and sufficient notice that it may receive or come into contact with SUD records in the course of investigating or prosecuting a part 2 program. However, depending on the requirements or standards to be met, the commenter stated that it may be more expedient for an investigating agency to rely on the safe harbor after it comes into contact with part 2 records. As a result, investigative agencies might intentionally bypass the requirement to obtain consent or a court order and decide instead to avail themselves of the safe harbor after disclosure. In addition, the commenter asserted that the good faith standard could easily become diluted and might permit an investigator to hide behind the safe harbor when their conduct is the result of ignorance or an error in judgment. The commenter also expressed concern that the good faith standard would allow for a spectrum of interpretations and different courts may apply the standard differently, leading to inconsistent results; as such, it would be important for the Department to audit and monitor the use of the safe harbor to ensure it is being used appropriately.

An individual commenter asserted that expanding the reach of the CARES Act to create safe harbors for the criminal justice communities for violations of part 2 is beyond the intent of Congress, noting that the CARES Act does not require the creation of a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive part 2 records. This commenter expressed concern that creating a limitation on civil or criminal liability under § 2.3 of 42 CFR part 2 or a good faith exception under the proposed new paragraph under § 2.66(a)(3) of 42 CFR part 2 would “encourage lax investigative actions on the part of an investigative agency.” The commenter believed that investigative agencies should continue to be required to seek an authorization from a court to use or disclose any records implicated by part 2 protections because admonishing an investigative agency to cease using or disclosing part 2 records after the fact would in practice give the investigative agency license to screen and review part 2 records. This commenter also said that the good faith standard of § 2.66(a)(3) would offer investigative agencies an “excuse” to receive and review part 2 records. This commenter also asserted that §§ 2.3 and 2.66(a)(3) and (b) should be eliminated from the final rule as not required by the CARES Act and inconsistent with the confidentiality of a patient relying on part 2 protections of their records in seeking or receiving SUD treatment.

See sec. 3221(i)(1) of the CARES Act.

Another commenter argued that the limitation of liability would not negatively affect a patient's access to SUD treatment but might “influence the investigative agency to be cavalier in obtaining the appropriate [consent or court order] if they are aware that its liability will be limited.” This commenter further opined that the annual reporting to the Secretary could serve as an important way to audit the use of the safe harbor protection, and that the limitation of liability may support an investigative agency's ability to investigate a program, which could increase the quality of care.

Response

We believe that some commenters misunderstand the process of investigating a health care provider, and we disagree that an investigator would always know before seeking records that a provider is subject to part 2. In many instances, an investigation is focused on the use of public money such as Medicaid or Medicare claims and reimbursement, and the focus is not on whether a provider is treating SUDs. Regarding the good faith standard, as we explain below, we believe the phrase is generally understood to mean acting consistent with both the text and intent of the statute and part 2 regulations.

We believe that the operation of this provision is clear in the event a finding of good faith is not met. First, a lack of good faith could result in the imposition of HIPAA/HITECH Act penalties under 42 U.S.C. 290dd–2, as amended, if investigators are found to have acted in bad faith in obtaining the part 2 records. Second, in §§ 2.66 and 2.67, a finding of good faith is necessary to trigger the ability of the agency to apply for a court order to use records that were previously obtained.

We also disagree that this provision will encourage lax investigative actions or prompt agencies to “game” the regulations to improperly obtain records. First, the manner in which agencies obtain records will be considered by a court as part of the court order process. Second, while the safe harbor operates as a limitation on civil and criminal liability under 42 U.S.C. 290dd–2(f), it does not provide absolute immunity under Federal or state law should an agency or person knowingly obtain records improperly or under false pretenses. For example, it would be improper to knowingly obtain records without following the required procedures for the type of request, or under false pretenses.

We agree with the sentiment that the reporting requirement in § 2.68 will serve as a useful tool to help monitor the appropriateness of investigative agencies' reliance on the regulatory safe harbor. We also appreciate the view that facilitating appropriate investigations will play an important role in ensuring the quality of care delivered by part 2 programs.

Comment

An SUD provider said that this safe harbor essentially could establish a loophole for investigative agencies to obtain part 2 records without following part 2 requirements, and thus adversely affect patient privacy. This commenter believed that the proposed rule attempted to justify the safe harbor by addressing the increased liability due to added penalties for violations of part 2, the need to prosecute bad actors, and public safety. However, this justification was misplaced, according to this commenter, and the safe harbor might only reduce important protections that limit investigative agencies' ability to obtain protected records. By replacing the required elements in place to protect the privacy of patients with a loosely defined reasonable diligence standard, the proposed rule would only increase the chances of investigative agencies unknowingly receiving part 2 records, according to this commenter. The proposed reasonable diligence standard provides investigative agencies with two options to determine whether part 2 applies to a provider, both of which the commenter views as insufficient. Ultimately, these proposed reasonable diligence standards can be easily bypassed as a way to obtain records without meeting the requisite requirements. The organization expressed the belief that if a reasonable diligence standard remains in place, the Department should impose more stringent requirements under this standard, such as obtaining a copy of a provider's HIPAA NPP to determine part 2 applicability or a comparable requirement.

Response

We acknowledge this commenter's concerns. As noted in this final rule at § 2.3, we are revising the proposed “reasonable diligence” standard to mean taking all of the following actions: searching for the practice or provider among the SUD treatment facilities in SAMHSA's online treatment locator; searching in a similar state database of treatment facilities where available; checking a practice or program's website, where available, or its physical location; viewing the entity's Patient Notice or HIPAA NPP if it is available; and taking all these steps within no more than 60 days before requesting records or placing an undercover agent or informant. We are requiring these reasonable diligence steps to be taken in response to commenters' concerns about the effects of the safe harbor on patient privacy and their specific recommendations for strengthening those steps. Importantly, an investigative agency could be subject to penalties under the CARES Act enforcement provisions if it does not take all of the steps in the required time frame as necessary to qualify for the protection afforded by the safe harbor. Finally, as discussed above, the reporting requirement to the Secretary will play an important role in ensuring transparency. After this rule is finalized, the Department intends to make use of such reports to monitor compliance with these requirements and work to educate patients, providers, investigative agencies and others about these provisions.

Comment

An individual commenter expressed concern about what they characterized as a broad swath of potential agencies that conduct activities covered by the term “investigation.” The commenter opined that the types of agencies that conduct investigations are broad and many have repeatedly demonstrated their lack of prioritization of patient privacy and personal rights. The commenter believed that the Department outlines reasonable minimums including access controls, requesting and maintaining the minimum data required, and taking the most basic steps to determine if staff should or could access patient data before doing so, as well as obtaining the legally required permissions to lawfully receive such data. However, inability to follow these most basic guidelines does not support reducing liability, the commenter asserted, suggesting that the reasonable steps the Department describes in § 2.3 should be required for investigatory agencies to receive any PHI or part 2 records or to deploy an informant.

An anonymous commenter alleged that parole officers in their state frequently violate part 2 by making notes in an automated system redisclosing part 2 information from community providers. Until there is a regulatory and investigative agency invested in ensuring strict adherence to this regulation, the commenter said the Department should not ease up on the restrictions and access to SUD confidential information.

Response

We acknowledge that a broad range of agencies is encompassed within the definition of “investigative agency,” and they have varying degrees of involvement with the provision of health care. The prerequisites for accessing part 2 records for audit and evaluation differ, intentionally, from the prerequisites for placing an informant within a program, although both may involve investigative agency review of part 2 records. The requirement to first obtain a court order before records are sought in a criminal investigation or prosecution is a much higher standard. While the safe harbor operates as a limitation on civil and criminal liability for agencies that have acted in good faith, it does not provide immunity under Federal or state law should an investigative agency knowingly obtain records improperly or under false pretenses. Further, this final rule establishes a right to file a complaint with the Secretary for violations of part 2 by, among others, lawful holders.

Comment

A medical professional association encouraged extending safe harbor protections to part 2 programs, providers, business associates, and covered entities acting in good faith for at least 34 months following the 60-day effective date period (36 total months). According to the commenter, this protection is essential to encourage providers to hold themselves out as SUD providers and other entities to support part 2 programs, which will be especially important as the health care system implements these new regulations. However, the commenter opposed the proposed safe harbor for investigative agencies as written. According to this commenter, as written the proposed safe harbor could reduce access to care if part 2 programs or providers feel more at risk for acting in good faith than the investigative agencies that do not provide patient care.

Response

As discussed in the proposed rule, the effective date of a final rule will be 60 days after publication and the compliance date will be 24 months after the publication date. The Department acknowledges concerns about compliance and may provide additional guidance after the rule is finalized. We acknowledge requests by commenters to extend the safe harbor beyond investigative agencies to covered entities, health plans, HIEs/HINs, part 2 programs, APCDs, and others. However, we decline to make these requested changes because § 2.3 is specifically intended to operate in tandem with §§ 2.66 and 2.67 when investigative agencies unknowingly obtain part 2 records in the course of investigating or prosecuting a part 2 program and, as a result, fail to obtain the required court order in advance. We also believe that covered entities and business associates that are likely to receive part 2 records are routinely engaged in health care activities and are more likely to be aware when they are receiving such records.

Comment

A health IT vendor addressed our request for comment on whether to expand the limitation on civil or criminal liability for persons acting on behalf of investigative agencies to other entities. The commenter requested clarification on how the Department defines “unknowingly” when considering whether a safe harbor should be created for SUD providers that unknowingly hold part 2 records and unknowingly disclose them in violation of part 2.

Response

We have not developed a formal definition of “unknowingly;” however, the safe harbor for investigative agencies addresses situations where the recipient is unaware that records they have obtained contain information subject to part 2 although the agency first exercised reasonable diligence to determine if the disclosing entity was a part 2 program. The reasonable diligence expected of an SUD provider would be different in nature because such a provider uniquely possesses the information necessary to evaluate whether it is subject to this part, and consequently whether any patient records it creates are also subject to this part. We think it is more likely that the “unknowing” situation could occur when an entity other than a part 2 program receives records without the Notice to Accompany Disclosure and rediscloses them in violation of this part because it is unaware that it possesses part 2 records. As we stated in the NPRM, we believe this scenario is addressed by the HITECH penalty tiers, so we are not expanding the safe harbor to other entities. Covered entities and business associates that are likely to receive part 2 records are routinely engaged in health care activities and are more likely to be aware that they are receiving such records. Further, the HITECH penalty tiers were designed to address privacy violations by covered entities and business associates.

Comment

Many commenters argued that the proposed safe harbor provisions should apply to entities beyond investigative agencies. The commenters included a medical association, a state Medicaid agency, a managed care organization, health care providers, HIEs, a state HIE association, and other professional and trade associations. The range of entities for which a safe harbor was recommended includes the following: non-investigative agencies; covered entities; business associates; other SUD providers, facilities, and other providers generally who act in good faith and use reasonable diligence to determine whether records received/maintained are covered by part 2; health plans based on good faith redisclosures that comply with the HIPAA Privacy Rule but not with the part 2 Rule; HIEs; SUD providers that are unaware of their practice designation as a part 2 provider; state Medicaid agencies administering the Medicaid program; all payer claims databases (APCDs); part 2 programs; and lawful holders who, in good faith, unknowingly receive part 2 records and then unintentionally violate part 2 with respect to those records.

A county government argued that amending § 2.3 to contain a safe harbor provision for providers would better serve the policy goals of protecting patient privacy, while recognizing that health systems are moving toward integrating substance use treatment with other health conditions and behavioral health needs. Many part 2 programs provide integrated substance use and mental health treatment, and include providers who provide both mental health and substance use treatment or work in collaboration with mental health treatment providers. In these “dual diagnosis” programs, mental health providers may over time unknowingly generate and/or receive and possess records subject to part 2.

Another commenter, a professional association, urged that such a safe harbor should remain in place until such time as there is an operationally viable means of providing the Notice to Accompany Disclosures of part 2 records in § 2.32. It should apply to HIPAA entities only if and to the extent that HHS does not, in the final rule, permit these entities to integrate these records with their existing patient records and treat the data as PHI, which, the association asserted, is the best approach from both patient care and operational perspectives.

Response

We acknowledge requests by commenters to extend the safe harbor beyond investigative agencies to covered entities, health plans, HIEs/HINs, part 2 programs, APCDs, and others. However, we decline to make these requested changes because § 2.3 is specifically intended to operate in tandem with §§ 2.66 and 2.67 when investigative agencies unknowingly obtain part 2 records in the course of investigating or prosecuting a part 2 program and, as a result, fail to obtain the required court order in advance. By contrast, §§ 2.12, 2.31, and 2.32, including the requirement in this final rule that each disclosure made with the patient's written consent must be accompanied by a notice and a copy of the consent or a clear explanation of the scope of the consent, should be sufficient to inform recipients of part 2 records of the applicability of part 2 in circumstances that do not involve investigations or use of informants.

SUD providers, in particular, are obligated to know whether they are subject to part 2. In the event of an enforcement action against a lawful holder that involves an unknowing receipt or disclosure of part 2 records despite the lawful holder having exercised reasonable diligence, the Department will consider the facts and circumstances and make a determination as to whether the disclosure of part 2 records warrants an enforcement action against the lawful holder. This would include considering application of the “did not know” culpability tier for such violations.

See 45 CFR 160.404(b)(2)(i) (the entity “did not know and, by exercising reasonable diligence, would not have known that [they] violated such provision[.]”). See also Social Security Act, sections 1176 and 1177.

Comment

A health information management association remarked that covered entities, lawful holders, and other recipients of SUD PHI are obligated to be aware of what information is being disclosed prior to disclosing it. Law enforcement requests for information should be clear to prevent inadvertent disclosures. According to the commenter, a court order, subpoena, or patient “authorization” should be necessary before obtaining SUD information. Under 45 CFR 164.512(e), the criteria required for a valid court order and/or subpoena protect the SUD PHI. Disclosing SUD information before the correct protections are in place could result in the SUD information becoming discoverable through the Freedom of Information Act (FOIA). In addition, once the information is disclosed the recipients cannot unsee or unknow the information, nor are mechanisms in place to properly return or destroy the information.

Public Law 89–487, 80 Stat. 250 (July 4, 1966) (originally codified at 5 U.S.C. 1002; codified at 5 U.S.C. 552).

Response

Part 2, subpart E, requirements are distinct from the HIPAA Privacy Rule requirements at 45 CFR 164.512(e). We agree that it is important to engage with patients and patient organizations to ensure part 2 continues to bolster patient privacy and access to SUD treatment. SAMHSA provides funding to support the Center of Excellence for Protected Health Information Related to Behavioral Health which does not provide legal advice but can help answer questions from providers and family members about HIPAA, part 2, and other behavioral health privacy requirements. The required report to the Secretary in § 2.68 will help the Department monitor investigations and prosecutions involving part 2 records. While in theory FOIA or similar state laws could apply to mistakenly released information, FOIA includes several exemptions and exclusions that could apply to withhold information from release in response to a request for such information, including FOIA Exemptions 3 (requires the withholding of information prohibited from disclosure by another Federal statute), 6 (protects certain information about an individual when disclosure would constitute a clearly unwarranted invasion of personal privacy), and 7 (protects certain records or information compiled for law enforcement purposes). State health privacy laws or freedom of information laws may contain similar exemptions.

See The Ctr. of Excellence for Protected Health Info., “About COE PHI,” https://coephi.org/about-coe-phi/.

5 U.S.C. 552(b)(3), (b)(6) & (b)(7).

See, e.g., National Freedom of Info. Coal., “State Freedom of Information Laws,” https://www.nfoic.org/state-freedom-of-information-laws/ and Seyfarth Shaw LLP, “50-State Survey of Health Care Information Privacy Laws” (July 15, 2021), https://www.seyfarth.com/news-insights/50-state-survey-of-health-care-information-privacy-laws.html.

Final Rule

We are finalizing § 2.3(b) with the additional modifications discussed above in response to public comments and reorganizing for clarity. This final rule strengthens the safe harbor's proposed reasonable diligence requirements in response to public comments that the proposed steps would be insufficient and provides that all of the specified actions must be initiated for the limitation on liability to apply. We clarify here that if any of the actions taken results in knowledge that a program or person holding records is subject to part 2, no further steps are required to further confirm that the program or person holding records is subject to part 2.

Section 2.3(c) Applying the HIPAA Enforcement Rule to Part 2 Violations

Proposed Rule

Proposed § 2.3(c) stated that the HIPAA Enforcement Rule shall apply to violations of part 2 in the same manner as they apply to covered entities and business associates for violations of part C of title XI of the Social Security Act and its implementing regulations with respect to PHI.

See 45 CFR part 160, subparts C (Compliance and Investigations), D (Imposition of Civil Money Penalties), and E (Procedures for Hearings). See also sec. 13410 of the HITECH Act (codified at 42 U.S.C. 17929).

This proposal would implement the required statutory framework establishing that civil and criminal penalties apply to violations of this part, as the Secretary exercises only civil enforcement authority. The DOJ has authority to impose criminal penalties where applicable. See 68 FR 18895, 18896 (Apr. 17, 2003).

Comment

A state agency stated its view that if § 2.3(c) applies the various sanctions of HIPAA to part 2 programs regardless of whether the program is a HIPAA covered entity or business associate, the need to retain QSOs for part 2 programs that are not covered entities seems to be eliminated.

Response

We disagree that including this section obviates the need for QSOs, which we discuss below in § 2.11.

Final Rule

We are finalizing § 2.3(c) with modifications changing references to “violations” to “noncompliance.” This minor change recognizes that the provisions of the HIPAA Enforcement Rule address not only penalties based on formal findings of violations but also many other aspects of the enforcement process, including procedures for receiving complaints and conducting investigations into alleged or potential noncompliance, which could result in informal resolution without a formal finding of a violation.

Section 2.4—Complaints of Noncompliance

Proposed Rule

The Department proposed to change the existing language of paragraphs (a) and (b) of § 2.4 which provide that reports of violations of the part 2 regulations may be directed to the U.S. Attorney for the judicial district in which the violation occurs and reports of any violation by an OTP may be directed to the U.S. Attorney and also to SAMHSA. Section 290dd–2(f) of 42 U.S.C., as amended by section 3221(f) of the CARES Act, grants civil enforcement authority to the Department, which currently exercises its HIPAA enforcement authority under section 1176 of the Social Security Act in accordance with the HIPAA Enforcement Rule. To implement these changes, the Department proposed to re-title the heading to this section by replacing “Reports of violations” with “Complaints of noncompliance,” and to replace the existing provisions about directing reports of part 2 violations to the U.S. Attorney's Office and to SAMHSA with provisions about directing complaints of potential violations to a part 2 program. The Department noted that SAMHSA continues to oversee OTP accreditation and certification and therefore may receive reports of alleged violations by OTPs of Federal opioid treatment standards, including privacy and confidentiality requirements.

The Department proposed to add § 2.4(a) to require a part 2 program to have a process to receive complaints concerning a program's compliance with the part 2 regulations. Proposed § 2.4(b) provided that a part 2 program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise of any right established, or for participation in any process provided for in part 2, including the filing of a complaint. The Department also proposed to add § 2.4(c) to prohibit a part 2 program from requiring patients to waive their right to file a complaint as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to part 2.

Comment

Commenters generally supported the Department's proposal to establish a complaint process under § 2.4 that aligns with HIPAA and ensures part 2 programs would not retaliate against patients who filed a complaint or condition treatment or receipt of services on a patient's waiving any rights to file a complaint. Commenters advocated for part 2 patients being protected against potential discrimination, such as job loss, that may occur following improper disclosures of their treatment records. They further suggested that this provision aligns with the HIPAA Privacy Rule and thus will help to reduce administrative burdens. For example, covered entities can use their existing Privacy Offices and processes to oversee both part 2 and HIPAA compliance. Commenters also believed that application of the HIPAA Breach Notification Rule and the HIPAA Enforcement Rule will further help to protect part 2 patients. Additionally, commenters supported the inclusion of business associates and covered entities within the scope of this section.

Response

We appreciate the comments for the proposed changes to align part 2 with HIPAA Privacy Rule provisions concerning complaints. Patients with SUD continue to experience the effects of stigma and discrimination, one reason why privacy protections as established in this regulation remain important. We agree that aligning part 2 and HIPAA requirements may reduce administrative burdens.

See, e.g., Lars Garpenhag, Disa Dahlman, “Perceived healthcare stigma among patients in opioid substitution treatment: a qualitative study,” Substance Abuse Treatment, Prevention, and Policy (Oct. 26, 2021), https://pubmed.ncbi.nlm.nih.gov/34702338/; Janet Zwick, Hannah Appleseth, Stephan Arndt, “Stigma: how it affects the substance use disorder patient,” Substance Abuse Treatment, Prevention, and Policy (July 27, 2020), https://pubmed.ncbi.nlm.nih.gov/32718328/; Richard Bottner, Christopher Moriates and Matthew Stefanko, “Stigma is killing people with substance use disorders. Health care providers need to rid themselves of it,” STAT News (Oct. 2, 2020), https://www.statnews.com/2020/10/02/stigma-is-killing-people-with-substance-use-disorders-health-care-providers-need-to-rid-themselves-of-it/.

Comment

One commenter expressed concern about enhanced penalties, which it characterized as potentially punitive and best reserved for those who fail to exercise due diligence. Such penalties may deter part 2 programs from sharing part 2 information, this commenter asserted. Other commenters similarly noted what they viewed as potential deterrent effects of penalties provided for in this regulation on information sharing. A commenter urged reduced penalties for unintentional disclosures by part 2 programs, as they may require time and assistance to comply with these regulations. Another commenter urged that clinicians should not be held liable for unintentional disclosures of part 2 records by part 2 programs, which may need additional time and technical assistance to comply with these updated regulations.

By contrast, another commenter urged strict enforcement of this provision including penalties for both negligent and intentional breaches. The commenter recommended enforcement by states' attorneys general and a private right of action for complainants under part 2 if states' attorneys general do not pursue enforcement.

Response

Existing part 2 language imposes a criminal penalty for violations. Section 3221(f) of the CARES Act (codified at 42 U.S.C. 290dd–2(f)) requires the Department to apply the provisions of sections 1176 and 1177 of the Social Security Act to a part 2 program for a violation of 42 CFR part 2 in the same manner as they apply to a covered entity for a violation of part C of title XI of the Social Security Act. Accordingly, the Department proposed to replace title 18 U.S.C. criminal enforcement in the current regulation with civil and criminal penalties under sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6), respectively, as implemented in the HIPAA Enforcement Rule. Under the HIPAA Enforcement Rule, criminal violations fall within the purview of DOJ. Historically, commenters have noted that enforcement of penalties concerning alleged part 2 violations has been limited. By aligning part 2 requirements in this final rule with current HIPAA provisions, part 2 programs now will be subject to an enforcement approach that is consistent with that for HIPAA-regulated health care providers, thereby reducing administrative burdens for part 2 programs that are also HIPAA-covered entities. As some commenters suggested, this will also enable staff within HIPAA and part 2-regulated entities to more effectively collaborate given additional alignment of part 2 and HIPAA regulatory provisions.

42 CFR 2.3 (Criminal penalty for violation).

HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.

See Kimberly Johnson, “COVID–19: Isolating the Problems in Privacy Protection for Individuals with Substance Use Disorder,” University of Chicago Legal Forum (May 1, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3837955; Substance Abuse and Mental Health Servs. Admin., “Substance Abuse Confidentiality Regulations; Frequently Asked Questions” (July 24, 2023), https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.

Therefore, it is unlikely that part 2 programs will experience an adverse impact beyond that which in general applies to covered entities under HIPAA. As the Department has explained elsewhere, alleged unintentional violations are often resolved with covered entities through voluntary compliance or corrective action.

See “Enforcement Process,” supra note 99; HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.

Knowing or intentional violations of HIPAA may be referred to DOJ for a criminal investigation. As noted in the NPRM, criminal penalties may be imposed by DOJ for certain violations under 42 U.S.C. 1320d–6. After publication of this final rule, the Department may provide additional guidance specific to part 2; however, we anticipate that many entities now will be more comfortable appropriately sharing information and developing plans to mitigate risks of part 2 and HIPAA violations because the HIPAA and part 2 complaint provisions are now better aligned.

See U.S. Dep't of Health and Human Servs., “Guidance on Risk Analysis,” (July 22, 2019), https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.

Section 1176 of the Social Security Act, (codified at 42 U.S.C. 1320d–5), also provides for enforcement by states' attorneys general in the form of a civil action. The reference to this statutory provision in § 2.3 encompasses this avenue of enforcement.

Although the HIPAA and HITECH penalties do not provide a private right of action for privacy violations, as discussed elsewhere in this preamble, in this final rule we provide a right for a person to file a complaint to the Secretary for an alleged violation by a part 2 program, covered entity, business associate, qualified service organization, or other lawful holder of part 2 records. While a person may file a complaint to the Secretary, part 2 programs also must establish a process for the program to directly receive complaints. The right to file a complaint directly with the Secretary for an alleged violation is analogous to a similar provision within the HIPAA Privacy Rule. Although the right to file a complaint to the Secretary for an alleged violation of part 2 was not included in the proposed text of § 2.4, it was included in the required statements for the Patient Notice. Adding the language to § 2.4 is a logical outgrowth of the NPRM and a response to public comments received.

Comment

One commenter asked for a clarification of what is considered an “adverse action” for the purposes of this section. Other commenters requested clarification from the Department that acting on a complaint that was held in abeyance after a patient exercises their right to withdraw consent would not be viewed as retaliation.

Response

In the NPRM the Department referred to a prohibition on “taking adverse action against patients who file complaints.” This prohibition is broadly similar to that which exists within HIPAA in 45 CFR 160.316 and 164.530. The Department has described “adverse actions” as those that may constitute intimidation or retaliation, such as suspending someone's participation in a program. It is not clear to us what the commenter means in referring to taking action on a complaint that was held in abeyance after a patient exercises their right to withdraw consent not being viewed as retaliation. However, a complaint can be withdrawn by the filer. Health care entities can likewise take steps to investigate complaints internally, and OCR has developed tools and resources to support HIPAA compliance.

70 FR 20224, 20230 (Apr. 18, 2005); 71 FR 8389, 8399 (Feb. 16, 2006).

See U.S. Dep't of Health and Human Servs., “Enforcement Highlights” (July 6, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.

See U.S. Dep't of Health and Human Servs., “HIPAA Enforcement” (July 25, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html.

Comment

Several commenters, including legal and SUD recovery advocacy organizations, urged the Department to include in the final rule provisions permitting a patient to complain directly to OCR or the Secretary, paralleling provisions in HIPAA. Another commenter asked about obligations of entities, such as medical licensing boards and physician health programs, and how a patient would report alleged violations by those entities.

Response

In response to public comments, we are adding a new provision to § 2.4 in this final rule to permit a person to file a complaint to the Secretary for a violation of this part by, among others, a lawful holder of part 2 records in the same manner as a person may file a complaint under 45 CFR 160.203 for a HIPAA violation. Specifically, we provide in § 2.4(b) that “[a] person may file a complaint to the Secretary for a violation of this part by a part 2 program, covered entity, business associate, qualified service organization, or other lawful holder” in the same manner as under HIPAA (45 CFR 160.306). By making this change, we are aligning part 2 with HIPAA and ensuring an adequate mechanism for review and disposition of complaints related to alleged part 2 violations. We are also adding a regulatory definition of lawful holder in this final rule at § 2.11. The Department will provide information about how to file complaints of alleged part 2 violations before the compliance date for the final rule.

Comment

A commenter asked whether the state, agency, or disclosing person would be penalized for a violation that results in the impermissible disclosure of records subject to HIPAA or part 2.

Response

Whether a party subject to part 2 is held accountable for a particular violation will depend on the facts and circumstances of the case. The Department has explained elsewhere that it will attempt to resolve enforcement actions through voluntary compliance, corrective action, and/or a resolution agreement, and we anticipate that applying the HIPAA Enforcement Rule framework to part 2 will have similar results. Further, lawful holders are prohibited from using and disclosing records in proceedings against a patient absent written consent or a court order. In the case of an improper disclosure by a part 2 program employee, the part 2 program would likely be provided with notice of an investigation and the investigator would review whether the program had policies and procedures in place and whether those were followed in its handling of the improper disclosure. An entity's compliance officer can help ensure breaches are properly investigated and reported to the Department, and has responsibilities to develop and implement a compliance plan.

See “How OCR Enforces the HIPAA Privacy & Security Rules,” supra note 97.

See “What are the Duties of a HIPAA Compliance Officer?” The HIPAA Journal, https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/; U.S. Dep't of Health and Human Servs., “The HIPAA Privacy Rule”, https://www.hhs.gov/hipaa/for-professionals/privacy/index.html; U.S. Dep't of Health and Human Servs., “Submitting Notice of a Breach to the Secretary” (Feb. 27, 2023), https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html; U.S. Dep't of Health and Human Servs., “Training Materials”, https://www.hhs.gov/hipaa/for-professionals/training/index.html.

Comment

A commenter asked for clarification that penalties would not be concurrently imposed under both HIPAA and part 2 for the same alleged violation(s).

Response

HIPAA and part 2 regulations stem from different statutory authorities and are different compliance regulations. With the CARES Act, Congress replaced the previous criminal penalties established for part 2 violations with a civil and criminal penalty structure imported from HITECH. Nothing in the CARES Act states that an entity that is subject to both regulatory schemes shall be subject to only one regulation or one regulation's penalties. Therefore, an entity potentially remains subject to both regulations, including their provisions on penalties for violations.

What penalties could or would be imposed by the Department in a particular case, and under which statutes or regulations (HIPAA, HITECH, part 2, other regulations), remains a fact-specific inquiry. State law provisions also may apply concurrently with some part 2 and HIPAA requirements. Additionally, some aspects of part 2 or HIPAA violations may fall within the jurisdiction of other agencies such as SAMHSA (which continues to oversee accreditation of OTPs).

See The Off. of the Nat'l Coordinator for Health Info. Techn. (ONC), “HIPAA versus State Laws” (Sept. 5, 2017), https://www.healthit.gov/topic/hipaa-versus-state-laws; Nat'l Ass'n of State Mental Health Program Dirs., “TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations” (2016), https://www.nasmhpd.org/content/tac-assessment-working-paper-2016-compilation-state-behavioral-health-patient-treatment.

See Substance Abuse and Mental Health Servs. Admin., “Certification of Opioid Treatment Programs (OTPs)” (July 24, 2023), https://www.samhsa.gov/medications-substance-use-disorders/become-accredited-opioid-treatment-program.

Comment

One commenter noted that some covered entities may not be part 2 providers and urged HHS to ease the burden on such programs. Another urged that business associates be included within the scope of this section.

Response

We provide in § 2.4(b) that “[a] person may file a complaint to the Secretary for a violation of this part by a part 2 program, covered entity, business associate, qualified service organization, or other lawful holder in the same manner as a person may file a complaint under 45 CFR 160.306 for a violation of the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.” Thus, covered entities and business associates are included within the scope of this section. The compliance burdens for covered entities of receiving part 2 complaints can be minimized by using the same process they already have in place for receiving HIPAA complaints.

Comment

Commenters provided their views as to which agency or agencies should receive part 2-related complaints. One commenter requested that the regulation expressly identify the agency(ies) authorized to receive part 2 complaints from patients. The commenter suggested that complaints made to part 2 programs by patients can raise conflict of interest issues because the program is investigating its own or its staff's alleged misconduct. The commenter further urged that the regulation identify specific agencies, such as OCR and SAMHSA, and state their obligation to investigate complaints received. Other commenters urged that OCR, rather than part 2 programs, receive complaints, that patients be permitted to complain directly of violations to OCR or that the Department clarify the various roles of OCR, SAMHSA, and other agencies. One commenter supported part 2 programs having a process to receive complaints but said these programs are understaffed and underfunded so they would need additional resources. A health system that is a part 2 program and a covered entity also supported part 2 programs developing a process to receive complaints. A county health department asked that § 2.4 be amended to include specific provisions about how and where patients can file their complaints with the HHS Secretary and the roles of HHS components in receiving and investigating complaints.

Response

In response to public comments, and as provided in the HIPAA regulations, we are finalizing an additional modification to § 2.4 that was not included in this section but was proposed as a required statement of rights in the Patient Notice in § 2.22(b)(1)(vi). The intent of the enforcement provisions in § 2.4 was to create a process that mirrors that for HIPAA violations, but the Department inadvertently omitted from its proposed changes to this section an express right to complain to the Secretary. Analogous to 45 CFR 160.306, which permits the submission of complaints to the Secretary alleging noncompliance by covered entities with the HIPAA Privacy Rule, we are providing in this final rule a right for a person to file a complaint to the Secretary for an alleged violation by a part 2 program, covered entity, business associate, qualified service organization, and other lawful holder of part 2 records. Part 2 programs also must establish a process for the program to receive complaints. A patient is not obliged to report an alleged violation either to the Secretary or part 2 program but may report to either or both. OCR has explained how HIPAA complaints are investigated, which may be instructive, but is not dispositive of how part 2 complaints will be handled. We believe our changes are a logical outgrowth of the NPRM which provided an opportunity for public input and we are making these changes in response to public comments received. We also anticipate releasing information about the specific complaint process after publication of this final rule.

See U.S. Dep't of Health and Human Servs., “Federal Register Notice of Addresses for Submission of HIPAA Health Information Privacy Complaints” (June 8, 2020), https://www.hhs.gov/guidance/document/federal-register-notice-addresses-submission-hipaa-health-information-privacy-complaints; U.S. Dep't of Health and Human Servs., “Filing a Complaint” (Mar. 31, 2020), https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

See U.S. Dep't of Health and Human Servs., “How to File a Health Information Privacy or Security Complaint” (Dec. 23, 2022), https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html.

Comment

A commenter urged that the complaint process reflect the needs of those with limited English proficiency.

Response

Part 2 programs should be mindful that Federal civil rights laws require certain entities, including recipients of Federal financial assistance and public entities, to take appropriate steps. For instance, such entities must take steps to ensure that communications with individuals with disabilities are as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary. In addition, recipients of Federal financial assistance must take reasonable steps to ensure meaningful access to their programs and activities for individuals with limited English proficiency, including through language assistance services when necessary. The Department stated in the 2017 Part 2 Final Rule that materials such as consent forms “should be written clearly so that the patient can easily understand the form.” The Department further stated that it “encourages part 2 programs to be sensitive to the cultural and linguistic composition of their patient population when considering whether the consent form should also be provided in a language(s) other than English (e.g., Spanish).” Consistent with these legal requirements, the Department strongly encourages development of § 2.4 materials that are clear and reflect the needs of a program's patient population.

See e.g., U.S. Dep't of Health and Human Servs., “Effective Communication for Persons Who Are Deaf or Hard of Hearing” (June 16, 2017), https://www.hhs.gov/civil-rights/for-individuals/disability/effective-communication/index.html; U.S. Dep't of Health and Human Servs., “Section 1557: Ensuring Effective Communication with and Accessibility for Individuals with Disabilities” (Aug. 25, 2016), https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-disability/index.html.

See U.S. Dep't of Health and Human Servs., “Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient Persons” (July 26, 2013), https://www.hhs.gov/civil-rights/for-individuals/special-topics/limited-english-proficiency/guidance-federal-financial-assistance-recipients-title-vi/index.html; U.S. Dep't of Health and Human Servs., “Section 1557: Ensuring Meaningful Access for Individuals with Limited English Proficiency” (Aug. 25, 2016), https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-limited-english-proficiency/index.html.

82 FR 6052, 6077.

Id.

Comment

Another commenter remarked that some covered entities may need technical assistance from the Department to establish complaint processes under this section.

Response

The Department has existing materials to support compliance with HIPAA and part 2. SAMHSA supports a Center of Excellence for Protected Health Information Related to Behavioral Health that may provide educational materials and technical assistance to providers, patients, family members, and others. The Department will consider what additional guidance, technical assistance, and engagement on these issues may be helpful for covered entities and the public after this regulation is finalized.

See “How OCR Enforces the HIPAA Privacy & Security Rules,” supra note 97; “Substance Abuse Confidentiality Regulations; Frequently Asked Questions,” supra note 113.

See “About COE PHI,” supra note 105.

Comment

Other commenters emphasized that the Department may need additional funding and staff adequate to receive and investigate complaints and enforce these provisions. Another commenter similarly suggested that part 2 programs may need more resources to develop a complaint process, describing this as a “substantial burden” given part 2 program staff and funding challenges.

Response

With respect to the burden on programs to develop a complaint process, we believe that the two-year compliance timeline will provide programs with sufficient time to plan for complaint management. We have accounted for the burden associated with complaints in the RIA. The Department has requested that Congress provide additional funding to support part 2 compliance, enforcement, and other activities. OCR, SAMHSA, CMS, and the Office of the National Coordinator for Health Information Technology (ONC) have collaborated, and will continue to collaborate, to support EHRs and health IT within the behavioral health space.

See U.S. Dep't of Health and Human Servs., “Department of Health and Human Services, Fiscal Year 2024,” FY 2024 Budget Justification, General Department Management, Office for Civil Rights, at 255, https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.

Id. See also, The Off. of the Nat'l Coordinator for Health Info. Tech. (ONC), “Behavioral Health,” https://www.healthit.gov/topic/behavioral-health.

Comment

Another commenter believed that programs may need time and support to adapt their information technology and EHRs, and urged SAMHSA to work with ONC to support such efforts.

Response

The Department has estimated the cost to the Department to implement this final rule and enforce part 2 and has included that in the RIA. It has also requested additional funding to support compliance, enforcement, and other activities. The number of part 2 programs in relation to HIPAA covered entities and business associates is very small, so the costs will not rise to the same level as for HIPAA implementation efforts. OCR, SAMHSA, CMS, and ONC have collaborated and will continue to collaborate to support EHRs and health IT within the behavioral health space.

See “Department of Health and Human Services, Fiscal Year 2024,” supra note 132.

See “Behavioral Health,” supra note 133.

Final Rule

We are finalizing this section as proposed in the NPRM and further modifying it by adding a new paragraph that provides a patient right to file a complaint directly with the Secretary for violations of part 2 by programs, covered entities, business associates, qualified service organizations, and other lawful holders.

As noted in the NPRM, these changes to § 2.4 will align part 2 with HIPAA Privacy Rule provisions concerning complaints. Section 2.4(a) is consistent with the administrative requirements in 45 CFR 164.530(d) (Standard: Complaints to the covered entity). Proposed § 2.4(c) would align with the HIPAA Privacy Rule provision at 45 CFR 164.530(g) (Standard: Refraining from intimidating or retaliatory acts). The proposed § 2.4(d) would be consistent with the HIPAA Privacy Rule provision at 45 CFR 164.530(h) (Standard: Waiver of rights). Thus, part 2 programs that are also covered entities already have these administrative requirements in place, but programs that are not covered entities would need to adopt new policies and procedures.

Section 2.11—Definitions

Proposed Rule

Section 2.11 includes definitions for key regulatory terms in 42 CFR part 2. The Department proposed to add thirteen defined regulatory terms and modify the definitions of ten existing terms. Nine of the new regulatory definitions proposed for incorporation into part 2 were required by section 3221(d) of the CARES Act: “Breach,” “Business associate,” “Covered entity,” “Health care operations,” “HIPAA regulations,” “Payment,” “Public health authority,” “Treatment,” and “Unsecured protected health information.” In each case, 42 U.S.C. 290dd–2(k), as amended by section 3221(d), requires that each term “has the same meaning given such term for purposes of the HIPAA regulations.”

Paragraph (5) of 42 U.S.C. 290dd–2(k), as added by section 3221 of the CARES Act, incorporates the term “HIPAA regulations” and reads: “The term `HIPAA regulations' has the same meaning given such term for purposes of parts 160 and 164 of title 45, Code of Federal Regulations.”

Other proposed new or modified definitions included: “Informant,” “Intermediary,” “Investigative agency,” “Part 2 program director,” “Patient,” “Person,” “Program,” “Qualified service organization,” “Records,” “Third-party payer,” “Treating provider relationship,” “Unsecured record,” and “Use.” Some of these terms and definitions were proposed by referencing existing HIPAA regulatory terms in 45 CFR parts 160 and 164, in part based on changes required by the CARES Act. We also proposed changes for clarity and consistency in usage between the HIPAA and part 2 regulations and to operationalize other changes proposed in the NPRM.

In addition, the Department discussed three definitions—for “Lawful holder,” “Personal representative,” and “SUD counseling notes”—in requests for comments. The Department proposed each definition because it believed the definitions improve alignment of this regulation with HIPAA and support implementation efforts.

Further, we are finalizing a modified definition of “Patient identifying information” as an outgrowth of changes to the standard for de-identification of records in §§ 2.16, 2.52, and 2.54 that are being finalized in response to comments on the NPRM.

General Comment

Several commenters, including large provider organizations, health systems, and an employee benefits association, expressed general support for the Department's approach to aligning the definitions for terms that would appear in both HIPAA and part 2. One large provider organization specifically commented that alignment of definitions within HIPAA and part 2 would reduce administrative burden for covered entities and part 2 providers by eliminating inconsistent terminology, duplicative policies (including overlapping workforce training requirements), and regulatory risk due to misinterpretation. An academic medical center recommended that the Department compare and incorporate any applicable HIPAA definition, in its entirety, for part 2 programs that are also HIPAA covered entities.

General Response

We appreciate the comments. The Department undertook a careful analysis of definitions that, if incorporated, would result in the further alignment of this regulation with HIPAA, or that are required to operationalize required amendments to the regulations. Responses to specific comments about each proposed definition are discussed below.

Breach

Section 290dd–2(k), as added by the CARES Act, required the Department to adopt the term “breach” in part 2 by reference to the definition in 45 CFR 164.402 of the HIPAA Breach Notification Rule. HIPAA defines “breach” as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E which compromises the security or privacy of the protected health information.” HIPAA also describes the circumstances that are considered a “breach” and explains that a breach is presumed to have occurred when an “acquisition, access, use, or disclosure” of PHI occurs in a manner not permitted under the HIPAA Privacy Rule unless a risk assessment shows a low probability that health information has been compromised. To implement section 290dd–2(j) added by section 3221(h) of the CARES Act, which requires notification in case of a breach of part 2 records, we reference and incorporate the HIPAA breach notification provisions.

U.S. Dep't of Health and Human Servs., “Breach Notification Rule” (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

Comment

One legal services commenter requested clarification on the term “breach” and suggested that the Department amend the definition to expressly refer to the misuse of records in a manner not permitted under 42 CFR part 2 and that compromises the security or privacy of the part 2 record, instead of referring to PHI. A medical professionals association questioned whether the term “breach” could properly be applied to lawful holders, but this comment and other comments related to the application of breach notification provisions to lawful holders are addressed in the description of comments for § 2.16.

Response

We understand the request to expressly refer to part 2 records instead of PHI, but as explained above, we are applying the statutory definition that adopts the definition of “breach” in this regulation by reference to the HIPAA provision. We believe the discussion above makes clear that the definition should be applied to records under part 2 instead of PHI under HIPAA, and we further clarify that breach includes use and disclosure of part 2 records in a manner that is not permitted by part 2.

Final Rule

The final rule adopts the proposed definition of “breach” without modification.

Business Associate

Consistent with 42 U.S.C. 290dd–2(k), the Department proposed to adopt the same meaning of “business associate” as is used in the HIPAA regulations by incorporating the HIPAA definition codified at 45 CFR 160.103. Within HIPAA, a “business associate” generally describes a person who, for or on behalf of a covered entity and other than a workforce member of the covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA, or who provides services to the covered entity involving the disclosure of PHI from the covered entity or from another business associate of the covered entity to the person.

U.S. Dep't of Health and Human Servs., “Business Associates” (May 24, 2019), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.

Comment

The Department received only supportive comments for its proposed adoption of the term “business associate” into part 2 and the proposed definition, as described above. In contrast, many commenters expressed concern about the Department's proposal to incorporate business associates into the definition of “Qualified service organization” or how business associates relate to the proposed term “Intermediary,” and those comments are discussed in applicable definitional sections below.

Response

We appreciate the comments.

Final Rule

The final rule adopts the proposed definition of “business associate” without modification.

Covered Entity

Consistent with 42 U.S.C. 290dd–2(k), the Department proposed to adopt the same meaning of the term “Covered entity” as is used in the HIPAA regulations by incorporating the HIPAA definition codified at 45 CFR 160.103. Within HIPAA a “covered entity” means: (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by 45 CFR subtitle A, subchapter C (Administrative Data Standards and Related Requirements).

Comment

A large hospital system commented that it supported the inclusion of “health plan” as part of the definition of “covered entity” asserting that it would allow for more consistent sharing of information with its own health plan and for certain redisclosures of part 2 records in alignment with HIPAA.

Response

The HIPAA definition of “covered entity” has long included health plans. However, to the extent that the commenter may be referring to the narrowed definition of “third party payer,” which excludes health plans because they are already incorporated within the HIPAA definition of covered entities, we agree that the change could have the effect described by the commenter.

Final Rule

The final rule adopts the proposed definition of “covered entity” without modification.

Health Care Operations

Consistent with 42 U.S.C. 290dd–2(k), the Department proposed to adopt the same meaning of this term as is used in the HIPAA regulations by incorporating the HIPAA definition codified at 45 CFR 164.501. Within HIPAA, “health care operations” refer to a set of specified activities, described in six paragraphs, that are conducted by covered entities related to covered functions. Paragraphs (1) through (6) generally refer to quality assessment and improvement; assessing professional competency or qualifications; insurance; detecting and addressing fraud and abuse and conducting medical reviews; business planning and development; and business management and general administrative activities.

Comment

A provider group specifically supported adoption of the HIPAA definition of the term “health care operations” and its incorporation into this regulation. A large health plan recommended expanding the proposed definition to include care coordination and case management by health plans as proposed by the Department in the 2021 HIPAA Privacy Rule NPRM. One individual, commenting anonymously, asserted that “public health” should be recognized as a health care operation to counter what it termed “legal activism” to re-define the term “life.”

See Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446, 6472 (Jan. 21, 2021).

Response

We appreciate the comments. The Department also notes that changing the HIPAA definition of “health care operations” is outside the scope of its authority for this rulemaking, and public comments submitted in response to the 2021 NPRM remain under consideration.

Final Rule

The final rule adopts the proposed definition of “health care operations” without modification.

HIPAA

Although not directed by statute, the Department proposed to add a definition of HIPAA that explicitly references the Health Insurance Portability and Accountability Act of 1996 as amended by the privacy and security provisions in subtitle D of title XIII of the American Recovery and Reinvestment Act of 2009 (the HITECH Act). These provisions pertain specifically to the privacy, security, breach notification, and enforcement standards governing the use and disclosure of PHI, but exclude other components of the HIPAA statute, such as insurance portability, and other HIPAA regulatory standards, such as the standard electronic transactions regulation. The Department proposed this definition of “HIPAA” to make clear the specific components of the relevant statutes that would be incorporated into this part.

Comment

The Department did not receive any comments specific to its adoption of this definition.

Final Rule

The final rule adopts the proposed definition of “HIPAA” without modification.

HIPAA Regulations

The current part 2 rule does not define “HIPAA regulations.” Consistent with 42 U.S.C. 290dd–2(k), the Department proposed to adopt the same meaning of this term as is used for purposes of parts 160 and 164 of title 45 CFR, the regulatory provisions that codify the HIPAA Privacy, Security, Breach Notification, and Enforcement regulations (collectively referred to as “HIPAA regulations”). For purposes of this rulemaking, the term does not include the Standard Unique Identifiers, Standard Electronic Transactions, and Code Sets regulations at 45 CFR part 162.

Comment

The Department did not receive any specific comments, other than those already discussed above, concerning its proposed definition of this term.

Final Rule

The final rule adopts the proposed definition of “HIPAA regulations” without modification.

Informant

Part 2 currently states that an “informant” means an individual: (1) who is a patient or employee of a part 2 program or who becomes a patient or employee of a part 2 program at the request of a law enforcement agency or official; and (2) who at the request of a law enforcement agency or official observes one or more patients or employees of the part 2 program for the purpose of reporting the information obtained to the law enforcement agency or official. Within the definition of “informant,” the Department proposed to replace the term “individual” with the term “person” as is used in the HIPAA regulations. The Department believes that this change will foster alignment with HIPAA, avoid confusion with the definition of individual in HIPAA, and improve the public's understanding of HIPAA and the part 2 rules.

Comment

As noted below, the Department received general support for its proposal to align the definition of “person” within part 2 with the HIPAA definition of “person” in 45 CFR 160.103. The Department did not receive other specific comments on “informant.”

Final Rule

The final rule adopts the proposed definition of “informant” without modification.

Intermediary

The current rule imposes requirements on intermediaries in § 2.13(d)(2) and special consent provisions in § 2.31(a)(4) without defining the term “intermediary.” Examples of an intermediary include, but are not limited to, a HIE, a research institution that is providing treatment, an ACO, or a care management organization. To improve understanding of the requirements for intermediaries, and to distinguish those requirements from the proposed accounting of disclosure requirements, the Department proposed to establish a definition of intermediary as “a person who has received records, under a general designation in a written patient consent, for the purpose of disclosing the records to one or more of its member participants who has a treating provider relationship with the patient.” Consistent with HIPAA's definition of “person,” and as defined in this regulation, an “intermediary” may include entities as well as natural persons. The requirements for intermediaries were proposed to remain unchanged but to be redesignated from § 2.13(d) (Lists of disclosures) to new § 2.24 (Requirements for intermediaries).

Comment

Approximately half of the commenters on intermediaries opposed the Department's proposal to define intermediary and retain consent requirements for disclosures to intermediaries that differ from consent for disclosures to business associates generally. Three-fourths of the HIE/HIN and health IT vendors that commented on this set of proposals opposed them. Several commenters, including a national trade association and a leading authority on the use of health IT, stated that the proposed definition is too vague and confusing.

Response

We appreciate these comments about the lack of clarity in the current understanding and proposed definition of “intermediary.” As we stated in the NPRM, the term “intermediary” is based on the function of the person—receiving records from a part 2 program and disclosing them to other providers as a key element of its role—rather than on a title or category of an organization or business. We agree that the interaction of this term with “program,” “business associate,” and “covered entity” is a source of confusion and believe a modified definition could address this confusion.

Comment

Commenters suggested a range of changes to the proposed definition. These included revising the HIPAA definition of “covered entity” to include examples of the intermediaries and removing the part 2 definition of “intermediary;” excluding the following from the definition of intermediary: business associates, health IT vendors, and health plans; and clarifying what types of HIEs or health IT vendors are included in the definition (because some HIE technology or EHR software does not maintain data or have access to it when exchanging data between systems).

Response

We considered the possibility of removing the part 2 definition of “intermediary” entirely; however, that would leave a gap in privacy protection for records that are disclosed to intermediaries that are not subject to HIPAA requirements. For example, intermediaries may include research institutions and care coordination organizations that are not always subject to HIPAA. We adopt the proposed language of the definition with modification: we exclude programs, covered entities, and business associates, in part because the primary requirement of intermediaries—to provide a list of disclosures upon patient request—is similar to the new accounting of disclosures requirements that the CARES Act applied to part 2 programs and that already applies to covered entities and business associates.

For clarification, we reiterate here that a research institution that is not providing treatment would not be considered an intermediary because it would not have member participants with a treating provider relationship to a patient. A health app that is providing individual patients with access to their records would not be considered an intermediary unless it is also facilitating the exchange of part 2 records from a part 2 program to other treating providers using a general designation in a consent.

We also clarify that member participants of an intermediary refers to health care provider practices or health-related organizations, such as health plans. The member participants of an intermediary may or may not be covered entities. Individual health plan subscribers (i.e., enrollees, members of a health plan) are not considered member participants of an intermediary, although they may access records through an EHR, because they are not providers or health-related organizations. Further, employees of providers or health-related organizations who share access to the same EHR system are not considered member participants of an intermediary because the employer as an entity is considered the participant. However, an HIE/HIN that is providing services to a part 2 program that is not a covered entity would be an intermediary (and the HIE/HIN would also be a QSO).

Comment

An SUD provider recommended modifying the proposed definition of “intermediary” to include “a member of the intermediary named in the consent,” rather than limiting it to members of the intermediary that have a treating provider relationship with the patient.

Response

Expanding the definition of “intermediary” to include any member participant would open the door to accessing patients' SUD records without their specific knowledge in advance (because the recipient would be in a general designation within a consent). Although the CARES Act expanded health plans' and other providers' access to records for TPO, we do not believe the intention was to remove all restrictions on access by member participants of a research institution, for example. Removing programs, covered entities, and business associates from the definition carves out a significant portion of entities that would otherwise be subject to the intermediary requirements so that it is not necessary to change the definition as suggested by the commenter.

Final Rule

We are adopting the proposed definition of “intermediary,” but with an exclusion for part 2 programs, covered entities, and business associates. We believe excluding business associates, in particular, will encourage HIEs to accept part 2 records and include part 2 programs as participants and reduce burdens on business associates that serve as HIEs.

Investigative Agency

The Department proposed to create a new definition of “investigative agency” to describe those government agencies with responsibilities for investigating and prosecuting part 2 programs and persons holding part 2 records, such that they would be required to comply with subpart E when seeking to use or disclose records against a part 2 program or lawful holder. In conjunction with proposed changes to subpart E pertaining to use and disclosure of records for investigating and prosecuting part 2 programs, the Department proposed to define an “investigative agency” as “[a] state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.” Such agencies potentially will have available a new limitation on liability under § 2.3 if they unknowingly obtain part 2 records before obtaining a court order for such records, provided they meet certain prerequisites.

Comment

Several commenters recommended that local, territorial, and Tribal investigative agencies be added to the definition of “investigative agency” because they have a role in investigations of part 2 programs. These commenters asserted, for instance, that local agencies play a role in investigating or prosecuting part 2 programs or other holders of part 2 records and that excluding them from the definition could create an uneven application of the law.

Response

We appreciate the feedback in response to the request for comment on whether other types of agencies should be included in the definition of “investigative agency”, and specifically whether adding agencies that may be smaller or less resourced would present any concerns or unintended consequences. We believe it is useful to include local, Tribal, and territorial agencies in the definition; however, such agencies should be aware that use of the safe harbor also requires reporting to the Secretary of instances when it is applied in an investigation or proceeding against a part 2 program or other holder of records.

Comment

A few commenters recommended narrowing the definition of “investigative agency” by excluding agencies that supervise part 2 programs, to avoid creating uncertainty about whether, in performing their supervisory functions, they are expected to obtain a court order to use or disclose part 2 records of their subordinate programs. For example, a state agency believed that, as proposed, the safe harbor applies whenever an agency has obtained records without a court order; thus the existence of the safe harbor implies that a court order may be required for all types of investigations, even when other part 2 disclosure permissions apply, such as § 2.53 (Management audits, financial audits, and program evaluation). They expressed concern that holders of records may resist legitimate agency requests for records and urge the agency to first seek a court order. One commenter recommended clarifying that existing permissions for agencies to obtain records without a court order still apply. Another commenter pointed out that § 2.12(c)(3)(ii) already allows unlimited communication “[b]etween a part 2 program and an entity that has direct administrative control over the program,” which includes government-run SUD programs and administering agencies.

Response

We appreciate these concerns and believe that the existing criteria for court orders are sufficient to prevent overuse of the court order process by government agencies. Specifically, §§ 2.66 and 2.67 require a finding by the court that “other ways of obtaining the information are not available.” These include, for example, § 2.12(c) for agencies with direct administrative control and § 2.53 for agencies with oversight roles or that act as third-party payers. We believe that the existing disclosure permissions for government agencies are sufficient to clarify the scope of access to records by supervisory agencies without obtaining a court order and that our explanation will reinforce agencies' abilities to continue to obtain part 2 records under permissions they have historically used and not burden courts with unnecessary and potentially ineffective applications for court orders. We reiterate here that the existence of the safe harbor provision and the opportunity to seek a court order retroactively do not affect the availability of other part 2 provisions that allow access to records without written consent or a court order.

We believe this discussion will encourage investigative agencies to evaluate how other disclosure permissions may apply to their requests for records when they are in the role of a supervisory agency to a part 2 program.

Comment

One commenter, a state Medicaid fraud unit, recommended that their agency be excluded from the proposed definition of “investigative agency” and that they be able to access records without a court order. In the alternative, they support the proposed safe harbor and related procedures proposed in §§ 2.66 and 2.67.

Response

Agencies with oversight authority may continue to rely on § 2.53 to conduct program evaluations and financial audits without obtaining a court order. Comments regarding the ability of a fraud unit to rely on the proposed safe harbor are addressed below in the discussion of § 2.66.

Final Rule

In the final rule we are adopting the proposed definition of “investigative agency” and further modifying it to add local, Tribal, and territorial agencies.

Lawful Holder

Lawful holders are not formally defined within part 2. In the January 2017 final rule, the Department clarified its use of the term “lawful holder”, stating that a “lawful holder” of patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a prohibition on re-disclosure notice) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.

See 82 FR 6052, 6068. See also 81 FR 6988, 6997.

Lawful holders are subject to numerous obligations within the regulation, including the following:

  • Prohibited from using records in investigations or proceedings against a patient without consent or a court order, § 2.12(d).
  • Adopting policies and procedures to protect records received, § 2.16.
  • Providing notice upon redisclosure, § 2.32.
  • Having a contract in place to redisclose records for payment and health care operations that binds recipients to comply with part 2 and redisclose only back to the program, § 2.33.
  • Reporting to Prescription Drug Monitoring Programs only with patient consent, § 2.36.
  • Lawful holder that is a covered entity—may apply HIPAA standards for research disclosures, § 2.52.
  • Complying with audit and evaluation disclosure provisions, § 2.53.

In the NPRM the Department proposed three key changes that affect lawful holders:

  • Section 2.4—to allow patients to file complaints of part 2 violations against both programs and lawful holders.
  • Section 2.12(d)—to expressly state that downstream recipients from a lawful holder continue to be bound by the prohibition on use of a patient's records in proceedings against the patient, absent written consent or a court order.
  • Section 2.33(b)(3) and (c)—to exclude covered entities and business associates from certain requirements for lawful holders who have received records based on consent for payment and health care operations; the requirement is for lawful holders to have a written contract (with required provisions) before redisclosing records to contractors or subcontractors. This section also provides that when records are disclosed for payment or health care operations activities to a lawful holder that is not a covered entity, business associate, or part 2 program, the recipient may further use or disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders.

Overview of Comments

Some commenters provided views on whether to create a regulatory definition of “lawful holder,” and if so, what entities should fall within the definition. A significant majority of those commenters recommended creation of a regulatory definition to help provide clarity about responsibilities of respective types of recipients of part 2 records and none opposed a new regulatory definition. A few organizations did not make a specific recommendation in their comments about a regulatory definition of lawful holder but requested that the Department provide clarification in the final rule. Several commenters offered other views on lawful holders. Additional comments about lawful holders are included in the comments on intermediaries.

Comment

Commenters recommended various definitions of “lawful holder” that exclude covered entities, business associates, family members, or personal representatives.

Response

We appreciate these recommendations. We are not excluding part 2 programs, covered entities, and business associates from the finalized regulatory definition of lawful holder when they receive part 2 records from a part 2 program. However, covered entities and business associates that receive part 2 records based on a TPO consent may redisclose them as permitted by § 2.33(b)(1) and part 2 programs that are not covered entities or business associates, and that receive part 2 records based on a TPO consent, may redisclose the records for TPO as permitted by § 2.33(b)(2). These recipients of part 2 records (part 2 programs, covered entities, and business associates) are not subject to the additional limitations in § 2.33(b)(3) and (c) that apply to other lawful holders who have received records based on consent for payment and health care operations. Family members remain included as lawful holders; however, they are excluded from the requirements in § 2.16 to have formal policies and procedures to protect records.

Comment

Commenters recommended that the lawful holder provision provide a safe harbor from the imposition of civil or criminal monetary penalties under the HIPAA Breach Notification Rule for the unintentional redisclosure of part 2 records by lawful holders that would have otherwise been a compliant disclosure of PHI under the HIPAA Privacy Rule's TPO permission.

Response

We appreciate the feedback but decline to create a new safe harbor for unintentional violations by lawful holders because we believe the existing penalty tier under the HITECH Act for “did not know” violations is appropriate to address these types of violations.

Comment

An advocacy organization for behavioral health recommended that the Department define mobile health apps that are business associates as “lawful holders” and consider whether other health care interoperability applications or mobile health apps would also fall within the new definition.

Response

We appreciate this feedback on how technology may interact with the part 2 regulations. Because we are excluding business associates from certain requirements that apply to “lawful holders,” a mobile health app that is a business associate would also be excluded. However, we do not believe a technology would qualify on its own as a business associate; rather, it is the owner or developer of the technology that qualifies as a person capable of executing a business associate agreement. To the extent that the owner or developer of a health app, through the use of its technology, becomes a recipient of records in the manner described in the definition of “lawful holder,” it would be a lawful holder subject to the requirements and prohibitions on lawful holders of part 2 records.

Comment

A state agency urged that the rule add lawful holders and intermediaries to § 2.12 to permit them to verbally receive part 2 information and include it in a record without it being considered a part 2 record.

Response

We appreciate this recommendation, but do not believe it is necessary for several reasons. First, we are finalizing the definition of “lawful holder” and the definition of “intermediary” (which excludes covered entities and business associates). Thus, covered entities and business associates will not be subject to requirements for lawful holders or intermediaries. Second, we are finalizing changes to § 2.12(d) that: (a) expressly state that data segmentation and record segregation are not required of part 2 programs, covered entities, and business associates that have received records based on a single consent for all future TPO; and (b) remove language requiring segmentation of part 2 data or segregation of records. As a result of these changes, to the extent a lawful holder or intermediary is a part 2 program, covered entity, or business associate, it is not required to segregate the information, but the information is still considered a part 2 record subject to the prohibition against disclosure in proceedings against a patient. Third, the existing rule contains a provision for non-part 2 providers who document verbally shared part 2 information, excluding that information from part 2 status. Thus, taking into account the combination of changes finalized within this rule, only a small set of recipients remain subject to the data segregation requirement.

Comment

One commenter, a medical professionals association for SUD providers, recommended that the definition of “lawful holders” encompass entities with access to individual part 2 records outside the HIPAA/HITECH and part 2 rules, and that the Department should clarify that mobile health apps and “interoperability applications” that are business associates of covered entities would be considered lawful holders.

Response

Rather than refer to specific types of entities, we believe a definition based on the status of the person with respect to how they received subject records is a more workable definition and likely to facilitate common understanding. In this regard, whether a person is a managed care organization or mobile app, if that person received records pursuant to a part 2-compliant consent with an accompanying notice of disclosure, or as a result of a consent exception, the person will be properly considered a lawful holder under this final rule.

Final Rule

The final rule adds a new regulatory definition of “lawful holder” that is based on SAMHSA's previous explanations and guidance, to read as noted in § 2.11.

Part 2 Program Director

To foster alignment between the HIPAA regulations and the part 2 Rules, the Department proposed to replace the first instance of the term “individual” with the term “natural person” and the other instances of the term “individual” with the term “person” within the definition of “part 2 program director.”

Comment

As noted below, the Department received general support for its proposal to align the definition of person within part 2 with the HIPAA definition of person in 45 CFR 160.103.

Response

We appreciate the comments on the proposed changes.

Final Rule

The final rule adopts the proposed definition of “part 2 program director” without further modification. The Department believes that this change will foster alignment with HIPAA and understanding of HIPAA and the part 2 rules.

Patient

The Department proposed to add language to the existing definition to clarify that when the HIPAA regulations apply to part 2 records, a “patient” is an individual as that term is defined in the HIPAA regulations.

Comment

The Department received general support for further aligning the part 2 definition of patient with the definition of individual within the HIPAA regulations.

Final Rule

The final rule adopts the proposed definition of “patient” without further modification.

Patient Identifying Information

Request for Comment

The Department did not propose changes to the definition of “patient identifying information” but requested comment on all proposed changes to part 2, including the modifications to the de-identification standard in §§ 2.16, 2.52, and 2.54.

Comment

Comments on the proposed de-identification standard are discussed in the sections listed above where de-identification is applied.

Response

In addressing the comments received on the proposed de-identification standard and developing additional modification to better align part 2 with the HIPAA de-identification standard in 45 CFR 164.514(b), we identified additional changes needed to clarify and align terms related to de-identification, including “patient identifying information.” These changes are described below.

Final Rule

We are finalizing a modification to clarify the definition of “patient identifying information” and ensure consistency with the de-identification standard incorporated into this final rule. This change is in response to comments received on the NPRM and to align with the finalization of the de-identification standard in §§ 2.16, 2.52, and 2.54, and is consistent with the Department's existing interpretation of the term. The final rule retains the part 2 term, “patient identifying information,” rather than replacing it with the HIPAA term, “individually identifiable health information,” because the two regulatory schemes apply to different sets of health information and the CARES Act mandate for alignment did not erase those distinctions.

The first sentence of the definition of “patient identifying information” lists the following identifiers: name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in § 2.11, can be determined with reasonable accuracy either directly or by reference to other information. This identifying information is consistent with the identifiers listed in 45 CFR 164.514(b)(2)(i) of the HIPAA Privacy Rule that must be removed from PHI for it to be considered de-identified and no longer subject to HIPAA protections. As explained in the background section of this rule, the Department clarified in a 2017 final rule that the definition of patient identifying information in part 2 includes the individual identifiers listed in the HIPAA Privacy Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not already listed in the part 2 definition, and in the preamble listed those identifiers.

See 82 FR 6052, 6064.

However, the second sentence of the definition of “patient identifying information” in the part 2 rule currently in effect allows retention of “a number assigned to a patient by a part 2 program, for internal use only by the part 2 program, if that number does not consist of or contain numbers (such as a social security, or driver's license number) that could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.” This exclusion from the definition for a number that could be a part 2 program's equivalent of a medical record number conflicts with one of the identifiers that must be removed under the HIPAA de-identification standard (and that is listed in the 2017 Part 2 Final Rule), namely, “[a]ny other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section[.]” Paragraph (c) of § 164.514 allows a covered entity to assign a code or other record identifier that can be used to re-identify the PHI, but it must be kept secure and not used for any other purpose. The allowable code referred to in paragraph (c) is different from the number assigned to a patient by a part 2 program, which is more likely to be a provider's internal record identifier that may be ubiquitous throughout a patient's medical record. Thus, we believe a clarification of the current rule is needed that removes the last sentence of the definition of patient identifying information.

The final rule adopts a modified definition of “patient identifying information” to align more closely with the HIPAA standard in 45 CFR 164.514.

Payment

The Department proposed to adopt the same definition of this term as in the HIPAA regulations. This proposal would implement 42 U.S.C. 290dd–2(k), added by section 3221(d) of the CARES Act, requiring the term “payment” in this part be given the same meaning of the term for the purposes of the HIPAA regulations.

Comment

The Department received general support for aligning the part 2 definition of payment with the HIPAA definition.

Response

We appreciate the comments on adopting the HIPAA definition of “payment” and confirm that the intent is to uniformly apply the term “payment” in both this regulation and the HIPAA context.

Final Rule

The final rule adopts the proposed definition of “payment” without further modification.

Person

The term “person” is defined within part 2 as “an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as ‘individual or entity’).” The part 2 regulation uses the term “individual” in reference to someone who is not the patient and therefore not the subject of a part 2 record. In contrast, the HIPAA regulations at 45 CFR 160.103 define the term “individual” to refer to the subject of PHI, and “person” to refer to “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” Thus, the HIPAA definition includes both natural persons and corporate entities.

To further the alignment of part 2 and the HIPAA regulations and provide clarity for part 2 programs and entities that must comply with both sets of requirements, the Department proposed to replace the part 2 definition of “person” with the HIPAA definition in 45 CFR 160.103. As an extension of this clarification, the Department further proposed to replace the term “individual” with “patient” when the regulation refers to someone who is the subject of part 2 records, to use the term “person” when it refers to someone who is not the subject of the records at issue, and to modify the definition of “patient” in part 2 to include an “individual” as that term is used in the HIPAA regulations. The Department stated that this combination of modifications would promote the understanding of both part 2 and the HIPAA regulations and requested comment on whether this or other approaches would provide more clarity.

Comment

Commenters generally supported this proposed change as providing clarity and helping to align with HIPAA. One commenter, a county SUD provider, suggested that referring to “person” is helpful for clarity and also emphasizes patient autonomy and whole person care. Another commenter supported the efforts throughout the rulemaking to streamline language by replacing the phrase “individual or entity” with the word “person,” but questioned use of this term in § 2.51 (Medical emergencies).

Response

We appreciate the comments. We confirm here that within this rule “person” refers to both a natural person and an entity, which may include a government agency, a health care provider, or another type of organization. Thus, the term “person” in the new safe harbor at § 2.3 applies to an investigative agency as well as a natural person who is acting under a grant of authority from an investigative agency. The comment about disclosures for medical emergencies is discussed further in § 2.51 (Medical emergencies).

Final Rule

The final rule adopts the proposed definition of “person” without further modification.

Personal Representative

The Department did not propose a regulatory definition of “personal representative” for this rule but requested comment on whether to do so and apply it to § 2.15 which addresses surrogate decision making for patients who are deceased or lack capacity to make decisions about their health care. Under the existing § 2.15(a)(1) provision, consent for disclosures of records may be given by the guardian or other individual authorized under state law to act on behalf of a patient who has been adjudicated as lacking capacity, for any reason other than insufficient age, to manage their own affairs. In circumstances without adjudication, under § 2.15(a)(2) the part 2 program director may exercise the right of the patient to consent to disclosure for the sole purpose of obtaining payment for services from a third-party payer for an adult patient who for any period suffers from a medical condition that prevents knowing or effective action on their own behalf.

The existing rule, at § 2.15(b)(2), requires a written consent by an executor, administrator, or other personal representative appointed under applicable state law for disclosures for a deceased patient's record. If there is no legally appointed personal representative, the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family. However, part 2 does not define any of the terms for the persons who can provide the consent, including “personal representative.”

Comment

Several commenters, including state agencies and health technology vendors, suggested that the Department provide that personal representatives can give consent to use and disclose part 2 records on behalf of an incapacitated patient. One of the state agencies commented that such a grant of authority to personal representatives would help ensure care coordination. All agreed that the Department should define “personal representative,” and a few of these commenters stated that the Department should define it consistent with HIPAA. Specifically, a few of these commenters described facilities being faced with requests for records by many individuals of varying relationships to patients. They asserted that the NPRM leaves room for interpretation about who has authority, making it difficult to ensure patient privacy consistent with HIPAA.

Response

We acknowledge and agree with the commenters who provided views on this topic. HIPAA does not include “personal representative” in its definitions section but provides a clear standard in 45 CFR 164.502(g)(2), where it describes the responsibilities of a personal representative as having “authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care.” Section 164.502(g) provides when, and to what extent, a personal representative must be treated as the individual for purposes of the HIPAA Privacy Rule. Section 164.502(g)(2) requires a covered entity to treat a person with legal authority to act on behalf of an adult or emancipated minor in making decisions related to health care as the individual's personal representative with respect to PHI relevant to such personal representation. Adopting a definition in the final rule will clarify who qualifies as a personal representative for decisions about uses and disclosures for adults who lack the capacity to make decisions about consenting to uses or disclosures of their SUD records and provide needed consistency between part 2 and the HIPAA Privacy Rule. Defining the term “personal representative” consistent with the HIPAA standard furthers the alignment of part 2 and HIPAA in accordance with the CARES Act and will also assist with treatment and care coordination. We considered but decline to adopt 45 CFR 164.502(g) in its entirety because several paragraphs conflict with part 2, such as consent by minors, and we believe it is important to maintain those provisions of part 2 that are more protective of patient privacy.

Final Rule

We are finalizing in § 2.11 a new regulatory definition of “personal representative” that mirrors language in the HIPAA Privacy Rule at 45 CFR 164.502(g).

Program

Within the definition of “program,” the Department proposed to replace the term “individual or entity” with the term “person” as is used in the HIPAA regulations and make no other changes. Part 2 defines program as: (1) An individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or (2) An identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or (3) Medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.

Comment

The Department received several comments on the existing definition of “program,” including several elements for which no changes were proposed. Some providers commented that they continue to be confused as to the meaning of “holds itself out.” Commenters also requested clarity as to whether they or their facility's “primary function” was the provision of SUD treatment. Commenters requested more objective definitions of these terms or use of another approach to defining a program, such as HHS creating a central registry of part 2 programs similar to that developed by the Health Resources and Services Administration for health centers or the 340B Drug Pricing Program. Lacking such clarity, commenters asserted that it may be difficult for providers to distinguish claims that are subject to part 2 consent or other provisions from those that are not. Commenters also asked whether a program or provider holds itself out based on advertising SUD services or based on being known to provide, refer, or bill for SUD treatment. One commenter believed that general medical facilities are exempt from the definition of part 2 programs, yet in practice such facilities may offer SUD treatment and this may be widely known in the community. The commenter urged the Department to provide additional clarity on how part 2 applies to general medical facilities or practices given the current emphasis on behavioral health integration and care coordination for patients. Another commenter noted that facilities making it known that they offer SUD treatment can help to reduce stigma and discrimination and encourage patients to seek needed care.

A medical professionals' association asserted that EHRs are not designed to treat some units or locations within a facility, such as emergency departments, differently than others. The commenter urged the Department to define part 2 “program” as being limited to licensed SUD providers to help provide needed clarity. Other commenters suggested that providers may offer medications for opioid use disorder (MOUD) (also known as medication assisted treatment (MAT)) but do not specifically hold themselves out as being part 2 programs. Commenters urged the Department to clarify that facilities or providers providing MOUD do not become part 2 programs unless doing so is their primary function.

This rule follows the convention adopted by SAMHSA of referring to MOUD rather than MAT. See 87 FR 77330, 77338 (Dec. 16, 2022).

Response

We did not propose changes to the long-standing definition of a part 2 “program” in 42 CFR part 2, and thus the final rule is limited to interpreting the definition rather than revising it. Whether a provider holds itself out as providing SUD treatment or as a practice with the primary function of providing SUD treatment within a general medical facility setting is a fact-specific inquiry that may depend on how a particular program operates and describes or publicizes its services. That said, the Department acknowledges comments about providers' challenges in applying the definition of part 2 “program” in integrated care settings or using EHRs and other technologies to support coordinated, integrated care. The Department has provided guidance on this issue in the past. After this rule is final, the Department may update or provide additional guidance to help further clarify the definition of program. The Department has historically noted that most SUD treatment programs are federally assisted and therefore that prong of part 2 typically applies. In 2017, the Department largely reiterated its proposed interpretations of “holds itself out” and “primary function,” and more recently developed guidance on the applicability of part 2.

See Substance Abuse and Mental Health Servs. Admin., “Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?” (May 1, 2018), https://www.hhs.gov/guidance/document/does-part-2-apply-me.

See discussion at 82 FR 6052, 6066.

See “Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?,” supra note 143.

Comment

Another commenter asked that the Department specifically carve out from part 2 IHS and Tribal facilities that provide MOUD incident to their provision of general medical care.

Response

We appreciate the comment; however, this change is beyond the scope of this rulemaking. The Department conducted a Tribal consultation about the CARES Act changes to this rule in March 2022 and will continue to provide support to Tribal entities and collaborate with IHS in implementing the final rule. The Department also notes that some facilities and providers, even if they do not meet the definition of program, still may be required by state regulations to comply with part 2 requirements.

See U.S. Dep't of Health and Human Servs., Off. for Civil Rights and the Substance Abuse and Mental Health Servs. Admin., “Follow up Report on the 42 CFR part 2 Tribal Consultation Recommendations” (June 2023), https://www.samhsa.gov/sites/default/files/follow-up-report-42-cfr-part-2-tribal-consultation-recommendations-june-2023.pdf.

See California Health & Human Servs. Agency, Ctr. for Data Insights and Innovation, “State Health Information Guidance, 1.2, Sharing Behavioral Health Information in California” (Apr. 2023), https://www.cdii.ca.gov/wp-content/uploads/2023/04/State-Health-Information-Guidance-1.2-2023.pdf; see also “TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations,” supra note 122.

Final Rule

The final rule adopts the proposed definition of “program” without further modification.

Public Health Authority

The Department proposed to adopt the same meaning for this term as in the HIPAA Privacy Rule at 45 CFR 164.501. This proposal would implement subsection (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.

Comment

The Department received a few specific supportive comments, including from several state agencies, that the addition of the proposed definition would facilitate public health authorities' provision of comprehensive health and health care information to the public, and would help clarify the provision of comprehensive data and information to public health authorities for critical public health needs.

Response

We appreciate the comments.

Final Rule

The final rule adopts the proposed definition of “public health authority” without further modification.

Qualified Service Organization

The Department proposed to modify the definition of “qualified service organization” by adding HIPAA business associates to the regulatory text to clarify that they are QSOs in circumstances when part 2 records also meet the definition of PHI (i.e., when a part 2 program is also a covered entity). The Department stated that this proposal would facilitate the implementation of the CARES Act with respect to disclosures to QSOs. The HIPAA regulations generally permit disclosures from a covered entity to a person who meets the definition of a business associate (i.e., a person who works on behalf of or provides services to the covered entity) without an individual's authorization, when based on a business associate agreement that incorporates certain protections. Similarly, the use and disclosure restrictions of this part do not apply to the communications between a part 2 program and QSO when the information is needed by the QSO to provide services to the part 2 program. This definition is proposed in conjunction with a proposal to modify § 2.12 (Applicability), to clarify that QSOs also use part 2 records received from programs to work “on behalf of” the program.

See 45 CFR 160.103 (definition of “Business associate”).

See, e.g., 45 CFR 164.504(e).

The Department also proposed a wording change to replace the phrase “individual or entity” with the term “person” as proposed to comport with the HIPAA meaning of the term.

Comment

Several organizations commented on QSOs. A behavioral health advocacy organization supported the proposed change because consent requirements would not apply to information exchanges between part 2 programs and business associates when they are providing “service work” on behalf of the part 2 program and this expansion would encourage data sharing for part 2 programs. A state health data agency recommended eliminating the QSO definition in favor of business associate. The commenter believed that if § 2.3(c) applies the various sanctions of HIPAA to part 2 programs regardless of whether the program is a HIPAA covered entity or business associate, the need to retain QSOs for part 2 programs that are not covered entities seems to be eliminated. A health system commenter has found the existing definition of QSO to be broad, and said that it is difficult to know which recipients are receiving part 2 records. This commenter would support the proposed definition if it meant that compliance with a business associate agreement would meet the part 2 requirements for a QSO agreement (QSOA).

Response

The Department is maintaining a distinct definition in part 2 for QSOs. The revised definition clarifies the obligations of a business associate that has records created by a covered entity that is a part 2 program (which is subject to all part 2 requirements) and a business associate that has records from a covered entity that is only a recipient of part 2 records (and subject to the new redisclosure permission as allowed under the HIPAA Privacy Rule). While QSOs supporting part 2 programs in such activities as data processing and other professional services are analogous to business associates supporting covered entities, QSOs have a distinct function within part 2. For these reasons, a QSOA under part 2 should be understood as distinct from the business associate agreements required by HIPAA.

Comment

Another state commenter suggested that QSOs should be included in the breach notification requirements that are being newly applied to part 2 programs.

Response

We considered finalizing a requirement for QSOs to comply with the new breach reporting requirements in § 2.16 in the same manner as they apply to business associates under HIPAA. We believe subjecting QSOs to this requirement would have underscored the status of QSOs as similar to business associates; however, we are not making this change because the CARES Act provides that breach notification should apply to part 2 programs in the same manner as it does to covered entities and does not mention breach notification requirements with respect to QSOs or business associates. Regardless, part 2 programs are likely to address breach notifications in contractual provisions within a QSOA, so QSOs need to be aware of breach notification.

Comment

A few HIN/HIEs requested that the definition of QSO be modified to expressly include subcontractors of QSOs. The commenters further requested that the Department withdraw prior regulatory guidance regarding “contract agents,” because it has been interpreted by some as requiring a Federal agency-level relationship between the QSO and the QSO's subcontractor to permit the QSO to engage with a subcontractor.

Response

The Department declines to withdraw previous guidance concerning contract agents or subcontractors, which it still views as relevant. In its 2010 HIE guidance, the Department stated that “[a]n HIO may disclose the Part 2 information to a contract agent of the HIO, if it needs to do so to provide the services described in the QSOA, and as long as the agent only discloses the information back to the HIO or the Part 2 program from which the information originated.” In 2017 the Department noted that “[w]e have previously clarified in responses to particular questions that contracted agents of individuals and/or entities may be treated as the individual/entity.” In the 2018 final rule, the Department stated that “SAMHSA guidance indicates that a QSOA does not permit a QSO to re-disclose information to a third party unless that third party is a contract agent of the QSO, helping them provide services described in the QSOA, and only as long as the agent only further discloses the information back to the QSO or to the part 2 program from which it came.”

Substance Abuse and Mental Health Servs. Admin., “Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE),” at 8, https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf.

82 FR 6052, 6056.

83 FR 239, 246.

The Department, in the 2020 Part 2 Final Rule, noted that activities of QSOs “would overlap with those articulated in § 2.33(b) related to information disclosures to a lawful holder's contractors, subcontractors, and legal representatives for the purposes of payment and/or health care operations.” This guidance continues to be relevant to the roles of QSOs and their subcontractors or agents.

85 FR 42986, 43009.

Comment

According to one county government, the addition of business associates to the definition of a “qualified service organization” is helpful for the county health system's ability to serve patients in need of SUD treatment. As a large health system and provider of behavioral health services, this county relies on business associates to operate its programs. A clearer definition of QSOs will allow the county and its part 2 programs to expand services using business associates to provide much needed assistance with claims, data and analytics, and quality assurance, the commenter said.

Response

The Department appreciates the comments on its proposed change.

Comment

An advocacy organization urged HHS to clarify that a business associate must still meet all aspects of the QSO definition, including entering into a QSOA. It also suggested that HHS should consider creating and publishing an official version of a joint QSOA and business associate agreement and that HHS should also work to improve major technology vendors' understanding of part 2, so that part 2 programs and their patients can benefit from services like email, cloud-based storage, and telehealth platforms, while maintaining confidentiality safeguards. Another commenter said the Department should provide guidance on how terms such as intermediaries, business associates, qualified service organizations, and lawful holders interact and differ.

Response

The Department appreciates these comments and will consider what additional guidance may be helpful after this rule is finalized. The Department explains throughout this rule the roles and functions of lawful holders, business associates, QSOs, and intermediaries, but may provide additional, concise guidance in the future. As highlighted in its guidance entitled “Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?” such inquiries are fact-specific depending on an organization's or provider's role in SUD treatment and the records it shares or receives.

See “Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?” supra note 143.

Final Rule

The final rule adopts the proposed definition of QSO to expressly include business associates as QSOs where the PHI in question also constitutes a part 2 record and further modifies the new paragraph by adding a clarification that the definition of QSO includes business associates where the QSO meets the definition of business associate for a covered entity that is also a part 2 program. Finalizing the changes to expressly include business associates as QSOs responds to comments received on the NPRM and those from others on previous part 2 rulemakings (such as during SAMHSA's 2014 Listening Session) noting that the role of QSOs is analogous to business associates such that aligning terminology makes sense given the purpose of section 3221 of the CARES Act to enhance harmonization of HIPAA and part 2. As noted in the NPRM, the Department also believes finalizing this proposal facilitates the implementation of the CARES Act with respect to disclosures to QSOs.

See “Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?” supra note 143; see also, Confidentiality of Alcohol and Drug Abuse Patient Records, Notice of Public Listening Session, 79 FR 26929 (May 12, 2014).

Records

The definition of “records” specifies the scope of information that part 2 protects. The Department proposed to insert a clause to expressly include patient identifying information within the definition of records and to remove, as unnecessary, the last sentence that expressly included paper and electronic records.

Comment

Several organizations commented on the definition of “records.” Several commenters on the definition of “record” requested that the final rule expressly state that records received from a part 2 program under a consent for TPO no longer retain their characteristic as part 2 records. These commenters provided their views of the difficulties associated with tracking the provenance of a particular data element once it has been added to a record. One comment suggested that the recipient should be able to redisclose the data for TPO even if the provenance could not be tracked.

Response

We appreciate the comments but decline to add a statement that records received under a consent for TPO are no longer part 2 records. Instead, in response to other comments we are finalizing an express statement in § 2.12(d) that segregation of records received by a part 2 program, covered entity, or business associate under a consent for TPO is not required. We believe it is necessary for the records received to retain their characteristic as part 2 records to ensure that recipients comply with the continuing prohibition on use and disclosure of the records in investigations or proceedings against the patient, absent written consent or a court order. We agree with the comment that a recipient that is a part 2 program, covered entity, or business associate should be able to redisclose the data for TPO as permitted by HIPAA and believe that the suite of modifications in the final rule accomplishes that end.

Comment

According to one commenter, the definitions of “record,” “program,” and “patient identifying information” and how they are applied are inconsistent, cross-referential, and confusing. This commenter urged the Department to simplify and clarify these terms, perhaps by adopting a single term as used in HIPAA (e.g., “protected health information”) to uniformly apply throughout the regulation.

Response

We appreciate this comment and are finalizing a number of changes to improve consistency and clarity throughout the rule; however, we are also mindful that many definitions have a special meaning within this part and the primary aim of this rulemaking is to implement the CARES Act amendments to 42 U.S.C. 290dd–2. We are incorporating the term “patient identifying information” into the definition of record, in part to align with the HIPAA definition of PHI, which includes demographic information. Thus, with this modification the definition includes not only information that could identify a patient as having or having had an SUD, but also information that identifies the patient.

Comment

An individual commenter recommended that the Department retain the last sentence of the definition because it is helpful to indicate that part 2 may apply to paper and electronic records and removing it might suggest to programs that the regulation no longer applies to paper records.

Response

In the five decades since the promulgation of the part 2 regulation, health IT has become widely adopted and it is evident that records include both paper and electronic formats. The Department does not intend to change the meaning or understanding of records with this proposed modification, but only to streamline the description.

Final Rule

We are adopting the proposed definition of “records” without further modification.

SUD Counseling Notes

In the NPRM, we requested input about whether to create a new definition similar to psychotherapy notes within HIPAA that is specific to the notes of SUD counseling sessions by a part 2 program professional. Such notes would be part 2 records, but could not be disclosed based on a general consent for TPO. They could only be disclosed with a separate written consent that is not combined with a consent to disclose any other type of health information. We requested comments on the benefits and burdens of creating such additional privacy protection for SUD counseling notes that are maintained primarily for use by the originator of the notes, similar to psychotherapy notes as defined in the HIPAA Privacy Rule. We provided potential language for “SUD counseling notes”, defining it as notes recorded (in any medium) by a part 2 program provider who is an SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient's record. “SUD counseling notes” excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Comment

Many commenters somewhat or strongly supported the Department's proposal to include a definition of “SUD counseling notes.” We are finalizing the proposed definition and discuss comments specifically regarding the proposed definition below and other comments relating to consent and disclosure of SUD counseling notes within § 2.31.

Comments Supporting a Proposed SUD Counseling Notes Definition

An SUD recovery organization supported the potential definition. An association of medical professionals also supported establishing a definition of “SUD counseling notes” that effectively copies the definition of “psychotherapy notes” under the HIPAA Privacy Rule. A state health department supported an “SUD counseling notes” definition in § 2.11 because this would permit disclosure without patient consent for the purpose of oversight of the originator of the SUD counseling notes to ensure patient safety. Another state agency urged that SUD counseling session notes be treated similarly to psychotherapy notes as now addressed in HIPAA (i.e., SUD counseling notes be given protections equal to psychotherapy notes). A provider supported the addition of a definition of “SUD counseling notes” as written to incorporate the same protections as described in the HIPAA regulations for psychotherapy notes. The provider believed that any perceived burdens to creating a separate definition of SUD counseling notes are outweighed by the benefits of the additional protections by requiring separate authorization for release of the SUD counseling notes. A county agency recommended that we add this protection in alignment with the psychotherapy notes restriction under HIPAA and further suggested that the protection extend to all clinical notes in addition to the notes of SUD counselors. The commenter further recommended that the definition of “counseling notes” include assessment forms. This added protection would safeguard against use of SUD counseling notes in pending legal cases and pending dependency court (child custody) cases.

A hospital commenter supported providing a corresponding protection in part 2 for certain notes for SUD patients, like psychotherapy notes have under HIPAA, but did not support the use of a new term that would differentiate SUD counseling notes from psychotherapy notes. Instead, the hospital recommended using psychotherapy notes or SUD psychotherapy notes for consistency. The commenter also suggested further discussion of the use of the term “psychotherapy notes” in the regulations, since the term continues to generate confusion. The commenter stated that the terms “counseling notes” and “psychotherapy notes” have a different meaning in routine clinical practice and are used frequently, but do not seem to meet the definition in the NPRM.

Response

We appreciate comments concerning our proposed definition of “SUD counseling notes” and respond as follows. As discussed in the NPRM, the intent of the potential definition we described was to align with HIPAA provisions regarding psychotherapy notes, and we discuss psychotherapy notes further in § 2.31 below. We believe the final definition of “SUD counseling notes” will ease compliance burdens for part 2 programs because the definition almost exactly matches the definition of “psychotherapy notes” under the HIPAA Privacy Rule except for the references to SUD professionals and SUD notes.

See, e.g., 45 CFR 164.501; 45 CFR 164.508; U.S. Dep't of Health and Human Servs., “Does HIPAA provide extra protections for mental health information compared with other health information?” (Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html; 65 FR 82461, 82497, 82514 (Dec. 28, 2000).

As we explained in the 2000 final HIPAA Privacy Rule, psychotherapy notes “are the personal notes of the therapist, intended to help him or her recall the therapy discussion and are of little or no use to others not involved in the therapy.” While the commenter above did not define what it meant by assessment forms, consistent with HIPAA our final definition of “SUD counseling notes” expressly excludes “medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”

65 FR 82461, 82623.

Comment

Several SUD recovery organizations supported a “SUD counseling notes” definition because these notes often contain highly sensitive information that supports therapy. Limiting access to these notes is critical to protect the therapeutic alliance, given the unique risks that patients face from the highly sensitive information in these notes. An SUD recovery association and SUD provider commented that the Department should protect counseling notes using a new definition similar to psychotherapy notes, require specific consent, and not allow such consent to be combined with consent to disclose any other type of health information. According to these two commenters, the patient's prognosis should be considered a counseling note because it could bias staff toward the patient's situation; it is subjective, and the large turnover of counseling staff results in greater reliance on existing reports. An individual commenter also said that they supported the Department's version of SUD counseling notes, but expressed concern about excluding prognosis from SUD counseling notes; they too believed that prognosis is too subjective and its exclusion from the definition could result in bias or prejudice. Given the large turnover of counseling staff and the use of fairly junior clinicians to provide service, prognosis should be considered a counseling note. A few SUD treatment professionals associations also said that counseling notes should be so protected using a new definition similar to psychotherapy notes.

Response

We appreciate comments from SUD recovery organizations and others about our proposed changes. The final definition of “SUD counseling notes” expressly excludes “medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.” Thus, prognosis information is excluded from “SUD counseling notes” under the definition adopted in this final rule. Information critical to the patient's diagnosis and treatment, such as prognosis and test results, should be within the patient's part 2 record or medical record such that it may be available for such activities as treatment consultation, medication management, care coordination, and billing.

See U.S. Dep't of Health and Human Servs., “Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524” (Oct. 20, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; 45 CFR 164.501 (definition of “Designated record set”).

Neither HIPAA nor part 2 provides a right of access to psychotherapy notes or SUD counseling notes, but for different reasons. Under HIPAA, although psychotherapy notes are part of the designated record set (because the clinician may use them to make decisions about the individual), they are specifically excluded from the right of access in 45 CFR 164.524. Under part 2, there is no general right of access for part 2 records, and thus there is no right of access for SUD counseling notes, which are a narrow subset of part 2 records. However, under both HIPAA and part 2, clinicians may exercise their discretion and voluntarily provide patients with access to psychotherapy notes and/or SUD counseling notes or a portion of such notes.

Comment

A local government agency supported explicitly defining “SUD counseling notes” as discussed in the NPRM. The commenter said we should clearly define how and where SUD counseling notes must be treated differently from other part 2 records and the HIPAA designated record set. Such clarification will assist dually regulated entities' efforts to comply with the HIPAA Privacy Rule and Information Blocking requirements. The commenter proposed redefining “HIPAA psychotherapy notes” to include all part 2-defined SUD counseling notes by reference. Such a straightforward alignment would minimize burden and maximize ease of compliance.

See The Off. of the Nat'l Coordinator for Health Info. Tech. (ONC), “Information Blocking”, https://www.healthit.gov/topic/information-blocking.

Response

We appreciate comments concerning the definition of “SUD counseling notes” including the suggestion to redefine HIPAA “psychotherapy notes” at 45 CFR 164.501 to include SUD counseling notes. However, changes to the HIPAA definitions are outside the scope of this rulemaking.

Comment

A health insurer supported a separate definition of “SUD counseling notes” that makes clear the distinction between these types of notes, other notes, and part 2 records. SUD counseling notes are distinct from other notes, such as psychotherapy and analysis notes, according to this commenter. Most treatment for SUDs is done through individual and group counseling to address specific goals of a treatment plan, the commenter said, so excluding all notes would in effect exclude the disclosure of SUD information, unless there is differentiation between these notes. Even though the commenter recognizes the definitions would overlap in several aspects—such as for consent requirements—it welcomed the overlap, as there would be an additional administrative burden around creating a separate consent for SUD counseling notes if requirements differed within the definition.

Response

We appreciate this comment on our proposed changes. The commenter correctly apprehends that the provisions for SUD counseling notes require that they be separated from the rest of the part 2 and/or medical record to be recognized as “SUD counseling notes” and afforded additional privacy protection. We agree that the definition of “SUD counseling notes” in this final rule will support patient participation in individual and group SUD counseling. SAMHSA has noted elsewhere the importance of privacy and confidentiality in both individual and group counseling settings.

See Substance Abuse and Mental Health Servs. Admin., “TIP 41: Substance Abuse Treatment: Group Therapy” (2015), https://store.samhsa.gov/product/TIP-41-Substance-Abuse-Treatment-Group-Therapy/SMA15-3991; Substance Abuse and Mental Health Servs. Admin., “TIP 63: Medications for Opioid Use Disorder—Full Document” (2021), https://store.samhsa.gov/product/TIP-63-Medications-for-Opioid-Use-Disorder-Full-Document/PEP21-02-01-002.

Comments Opposing a New SUD Counseling Notes Definition or Requesting Clarification

Comment

A county government asked that HHS make SUD records a specific category of PHI under HIPAA in a way similar to psychotherapy notes. It is inequitable, said the commenter, that patients have more confidentiality of their records when receiving SUD services from a part 2 program versus a primary care provider that is not a part 2 program. A state agency said that the proposed definition of “SUD counseling notes” and the existing definition of “psychotherapy notes” in 45 CFR 164.501 do not accurately capture the intent of the right of access exclusion. The agency suggested using headings of “SUD process notes” and “psychotherapy process notes” to clarify that these are non-clinical notes and avoid creating confusion for patients in understanding what they are in fact requesting to exclude.

Response

We appreciate suggestions concerning changes or clarifications to provisions concerning the definition of HIPAA “psychotherapy notes” at 45 CFR 164.501. However, changes to the HIPAA definitions are outside the scope of our part 2 rulemaking. With respect to SUD counseling notes, we clarify that the exclusion of psychotherapy notes from the right of access in the HIPAA Privacy Rule does not have a parallel in part 2 because part 2 does not contain a right of access. We do not believe that renaming these notes as process notes would promote understanding of their essential nature—that they are separately maintained and intended primarily for use by the direct treating clinician with few exceptions. Further, we do not categorize SUD counseling notes or psychotherapy notes as either clinical or non-clinical. We expect that they contain a mix of information useful to the clinician but not necessary for routine uses or disclosures for TPO.

Comment

A few HIE associations questioned the definition discussed in the NPRM, stating that psychotherapy notes rarely exist as they are not considered in the HIPAA designated record set; therefore, such psychotherapy notes are not accessible under the patient right of access or available in the patient portal. These commenters and others, as discussed below in § 2.31, expressed concern about the need to keep such records compartmentalized or distinct from other part 2 records and associated burdens for data sharing, health IT, and other activities.

Response

As the Department explained in guidance, “[d]esignated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.” Psychotherapy notes are used by the treating clinician to make decisions about individuals, and thus are part of the designated record set, but they are expressly excluded from the individual right of access to PHI. However, the HIPAA Privacy Rule permits a treating provider to voluntarily grant an individual access to such notes. Similarly, § 2.23 permits, but does not require, part 2 programs to provide a patient with access to part 2 records (including SUD counseling notes as finalized here), based on the patient's consent. As explained above, changes to the HIPAA Privacy Rule definition of “psychotherapy notes” are beyond the scope of this rulemaking.

U.S. Dep't of Health and Human Servs., “What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans? ” (June 24, 2016), https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html.

See “Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524,” supra note 159.

The HIPAA Privacy Rule expressly permits disclosures of PHI to the individual who is the subject of the PHI. See 45 CFR 164.502(a)(1)(i).

Comment

A health care provider asserted that it is not necessary to create a separate term and definition of SUD counseling notes because the HIPAA term “psychotherapy notes” meets these needs. The commenter supported applying the HIPAA standard to psychotherapy notes created within a part 2 program.

Response

We appreciate this comment. As noted in the NPRM, we believe that it is important to include within part 2 a definition of “SUD counseling notes” specific to the notes of SUD counseling sessions by a part 2 program professional. SUD counseling notes under this final rule are part 2 records but cannot be disclosed based on a general consent for TPO. If this rule failed to include a definition of SUD counseling notes, HIPAA's psychotherapy notes provisions and definitions in 45 CFR 164.501 and 164.508 would not apply to part 2 programs that are not covered entities, and SUD counseling notes could be disclosed under a general TPO consent, which would undermine the utility of these notes being maintained separately from the designated record set by some SUD providers.

Comment

A county health department stated that SUD counseling notes are different from psychotherapy notes, which often focus on more intimate and deeper clinical considerations, while SUD counseling notes often include more straightforward clinical details that do not require additional privacy protections. This commenter stated that the differences in the nature of such notes is due to differences in the scope of practice of the different workforces of SUD programs and therapists. The commenter also stated that, because most of the services provided by part 2 programs are documented via SUD counseling notes, requiring separate consent for SUD counseling notes would counteract the aim of facilitating greater information exchange without providing a clear benefit. As such, the commenter urged the Department to reject the idea of applying additional privacy protections for SUD counseling notes.

Another county department similarly stated that the nature of SUD counseling notes is fundamentally different from psychotherapy notes, and does not warrant enhanced confidentiality. As described by this commenter, while psychotherapy notes focus on intimate and nuanced clinical considerations, the typical SUD counseling note is far less detailed and more like a standard progress note in a medical record. In addition, SUD counseling notes are usually kept by providers with less education and training than psychiatrists, who do not have a professional practice of maintaining separate counseling notes primarily for use by the originator of the notes.

A state agency expressed concern that adopting special protections for SUD counseling notes would create additional administrative complexity and compliance challenges for part 2 programs and may have unintended adverse consequences by restricting patient access to, or beneficial disclosures of, a significant segment of their SUD treatment records. The commenter asserted that such a change seemed unlikely to facilitate information exchange for care coordination purposes, and thus would seem to be inconsistent with many of the other proposed amendments.

Response

We acknowledge comments that SUD counseling notes and psychotherapy notes are not precisely equivalent. However, SUD counseling notes, like psychotherapy notes, may also include particularly sensitive details about a patient's medical conditions and personal history. Such concerns may be especially acute, for instance, with pediatric patients or patients who have or are at risk of conditions such as human immunodeficiency virus (HIV). While these commenters' anecdotal accounts are helpful to our understanding of the issues, these experiences and comments do not necessarily apply to the majority of SUD counseling situations, in which the clinician's notes may play an important role in patient treatment and necessitate the additional protections made available in this final rule. More than two-thirds of commenters on this issue expressed support for moving forward with a new definition and heightened protections for SUD counseling notes.

See Substance Abuse and Mental Health Servs. Admin., “Treatment Considerations for Youth and Young Adults with Serious Emotional Disturbances and Serious Mental Illnesses and Co-occurring Substance Use” (2021), https://www.samhsa.gov/resource/ebp/treatment-considerations-youth-young-adults-serious-emotional-disturbances-serious.

See Substance Abuse and Mental Health Servs. Admin., “Prevention and Treatment of HIV Among People Living with Substance Use and/or Mental Disorders” (2020), https://store.samhsa.gov/product/Prevention-and-Treatment-of-HIV-Among-People-Living-with-Substance-Use-and-or-Mental-Disorders/PEP20-06-03-001.

Comment

A health care provider expressed support for an approach that destigmatizes SUD treatment and promotes access to clinically relevant information that is valuable and informative for all TPO purposes. As such, the provider did not believe that creating additional protections for SUD counseling notes would promote access and exchange of valuable information. An SUD treatment provider association urged the Department to limit disclosures of patient information that are not necessary for the purpose of the disclosure, such as details of trauma history that are not needed for TPO, except by the treating clinician. An insurance association suggested that a new definition of “SUD counseling notes” could be beneficial in some circumstances when heightened privacy is warranted. But a new definition also could impede care coordination because SUD counseling notes may contain clinically relevant information and help inform coordinated treatment plans, according to this commenter, who also asserted that some programs may have difficulty implementing the requirement and be unable to share the remainder of the record for TPO. The commenter urged the Department not to create a separate category for SUD counseling notes but instead to allow SUD providers to determine how to best record these notes. Another insurance association requested that the Department use this rule as an opportunity to: (1) reinforce the existing HIPAA restrictions on sharing psychotherapy notes; and (2) clarify that SUD counseling notes are not psychotherapy notes and may be used and disclosed for TPO.

Response

We acknowledge these comments and discuss additional related provisions below in § 2.31. We do not believe the final “SUD counseling notes” definition will contribute to stigma or discrimination for SUD patients because it strengthens confidentiality for the most sensitive information shared during treatment and does so in a manner similar to what already exists in the HIPAA regulations. We do not agree that the “SUD counseling notes” definition will impede care coordination because the nature of these notes is that they are intended primarily for use by the direct treating clinician. We agree that the final rule may be an opportunity to provide additional education on existing HIPAA psychotherapy note provisions and will consider what additional guidance may be helpful after this rule is finalized. In addition, we note that a part 2 program's use of separate SUD counseling notes is voluntary and optional—although a program may adopt a facility-wide policy that either supports or disallows the creation and maintenance of such notes. As noted above, through the separate definition adopted in this final rule in § 2.11, SUD counseling notes under this final rule are part 2 records but cannot be disclosed based on a TPO consent.

Comment

A medical professionals association expressed concern about potential challenges associated with maintaining SUD counseling notes, noting that the creation of a distinct class of psychotherapy notes in HIPAA provides an illustrative example of the challenge of implementing specific data protections within a medical record: although the “psychotherapy notes” option was added to HIPAA to protect psychotherapist-patient privilege, this option specifically excludes key elements of psychotherapy session notes that are required for routine clinical care as well as for billing purposes (e.g., medication prescription and monitoring, summary of diagnosis, treatment plan). As a result, according to this commenter, if a HIPAA-defined “psychotherapy note” is used, it must always be accompanied by a clinical note that includes the essential elements for routine clinical care and billing.

Response

We acknowledge this comment and appreciate the analogy to HIPAA psychotherapy notes in clinical practice; however, we believe the framework is a valuable option for some clinicians, with the understanding that the notes are intended to be used only by the clinician. Neither the HIPAA Privacy Rule nor this final rule mandates the use within a mental health practice or a part 2 program of “psychotherapy notes” or “SUD counseling notes” as defined within the respective regulations. However, clinicians who choose to keep separate notes for their own use are afforded some additional privacy, and the patient's confidentiality is also protected by additional consent requirements under § 2.31(b) (Consent required: SUD counseling notes).

Comment

A medical professionals association suggested that the Department create a regulatory definition of an “SUD professional” who is qualified to perform treatment and prepare SUD counseling notes.

Response

The definition of “SUD counseling notes” matches the definition of “psychotherapy notes” under the HIPAA Privacy Rule except for the references to SUD professionals and SUD notes. Historically, the Department has considered licensed providers as “professionals.” We did not propose and therefore are not finalizing a definition of SUD professionals either separately or in relation to SUD counseling notes. The exception to the consent requirement for use in a part 2 program's training program indicates that an “SUD professional” may be someone who is completing their practical experience to receive a degree or professional certification or license, and, additionally, that such notes may be used in clinical supervision.

Final Rule

The final rule adopts the definition of “SUD counseling notes” as proposed in the NPRM.

Third-Party Payer

The term “third-party payer” refers to an entity with a contractual obligation to pay for a patient's part 2 services and includes some health plans, which by definition are covered entities under HIPAA. The current regulation, at § 2.12(d)(2), limits disclosures by third-party payers to a shorter list of purposes than the HIPAA Privacy Rule allows for health plans. The Department proposed to exclude covered entities from the definition of “third-party payer” to facilitate implementation of 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221(b) of the CARES Act, which enacted a permission for certain recipients of part 2 records to redisclose them according to the HIPAA standards. The result of this proposed change would be that the current part 2 disclosure restrictions continue to apply to a narrower set of entities. The Department believes that this approach would carry out the intent of the CARES Act, while preserving the privacy protections that apply to payers that are not covered entities. The Department also proposed a wording change to replace the phrase “individual or entity” with the term “person” as now proposed to comport with the HIPAA meaning of the term.

Comment

The Department received overwhelmingly supportive comments on the intent to distinguish health plans, which are covered entities, from other third-party payers who would be subject to part 2 (but not HIPAA). The rationales offered for supporting this proposal were that it furthers the implementation of the CARES Act requirement to align part 2 with HIPAA, reduces the need to segment part 2 records, reduces health plan burden, and allows health plans to engage in more activities that improve health care, such as care coordination and accountable care.

Response

We appreciate the comments.

Comment

Several commenters stated that the definition could be confusing to some readers and requested clarification in the final rule along with additional examples of entities that would remain subject to part 2 as third-party payers. Specifically, a trade association requested that the Department exclude business associates of health insurance providers (i.e., a health plan/payer) from this definition because they are not independent “third-party payers” but rather are acting on behalf of a health insurance provider. A health system requested that the Department ensure that ACOs and population health providers have access to full part 2 information without a beneficiary having to explicitly opt in to data sharing.

Response

We appreciate the comments and clarify that business associates acting on behalf of health plans are not independent “third-party payers” who would fall within this definition. However, business associates are listed along with covered entities in the new language of § 2.12(d)(2)(i)(C), which expressly states that covered entities and business associates are not required to segregate records or segment part 2 data once received from a part 2 program based on a TPO consent.

Comment

One commenter asserted that the proposed rule did not clearly address the role of third-party payers, including the more active role of these entities in coordinating patient care. This commenter cited, for example, that third-party payers could provide direct care coordination; services such as home health visits as a covered entity; or function solely as a third-party payer, making payment and overseeing quality claims reporting for providers. The commenter cited the Ohio Medicaid Comprehensive Privacy Care or “CPC” alternative payment program as an example where health plans act as managed care organizations that oversee various avenues of payment as well as care coordination in conjunction with providers. This commenter also believed that the definition is intended to ensure that third-party payers that are not HIPAA covered entities are also subject to the same rules as covered entities with respect to part 2 records and recommended that HHS clarify the definitions of “covered entity” and “third-party payer” to explain the relationship between these groups and the obligations of each with respect to part 2 information.

Response

We appreciate the commenter's description of new models of payment and care coordination. However, we believe the commenter misapprehends the intent of the proposed definition, which is finalized in this rule. The intent is to distinguish third-party payers, which are not covered entities, from health plans (which, by definition, are covered entities). If a third-party payer is not a covered entity, then it is not subject to part 2 provisions that apply to covered entities except when (a) specifically identified as being subject to these provisions or (b) in those instances where third-party payers are lawful holders by virtue of having received part 2 records under a written consent or an exception to the consent requirements. For example, some non-profit organizations provide health care reimbursement for individuals and some entities provide payment as part of an insurance policy that does not meet the definition of health plan in HIPAA.

Final Rule

The final rule adopts all proposed modifications to the definition of “third-party payer” in § 2.11, without further modification.

Treating Provider Relationship

The Department proposed to modify the part 2 definition of “treating provider relationship” by replacing the phrase “individual or entity” with “person,” in accordance with the proposed changes to the definition of “person” described above. Additionally, several minor wording changes were proposed for clarity.

Comment

We received no comments on the proposed changes to this definition.

Final Rule

The final rule adopts the proposed changes to the definition of “treating provider relationship” without further modification.

Treatment

The Department proposed to modify the part 2 definition of “treatment” by adopting the HIPAA Privacy Rule definition in 45 CFR 164.501 by reference. This would implement subsection (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring that the term be given the same meaning of the term for the purposes of the HIPAA regulations. As discussed in the NPRM, by replacing the existing language, the Department does not intend to change the scope of activities that constitute treatment. In this context, treatment includes the care of a patient suffering from an SUD, a condition which is identified as having been caused by the SUD, or both, to reduce or eliminate the adverse effects upon the patient.

Comment

In addition to the supportive comments discussed above, a state government expressed specific support for the adoption of the HIPAA definition of the term “treatment.”

Response

We appreciate the comments.

Final Rule

The final rule adopts all proposed modifications to the definition of “treatment” in § 2.11, without further modification.

Unsecured Protected Health Information

The Department proposed to adopt the same meaning of this term as used in the HIPAA regulations at 45 CFR 164.402 to mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance. This proposal would implement subsection (k) of 42 U.S.C. 290dd–2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning as the term for the purposes of the HIPAA regulations.

Comment

Other than the supportive comments discussed above pertaining to the changes to definitions generally, the Department did not receive specific comments for its proposed definition of this term in the regulation.

Response

We appreciate the comments.

Final Rule

The final rule adopts all proposed modifications to the definition of “unsecured protected health information” in § 2.11, without further modification.

Unsecured Record

In the NPRM, the Department explained its view that the proposed addition was necessary to implement the newly required breach notification standards for part 2 records. To align with the definition of “unsecured protected health information” in the HIPAA regulations at 45 CFR 164.402, the Department proposed to apply a similar concept to records, as defined in this part. Thus, an “unsecured record” would be one that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111–5, section 13402(h)(2).

See U.S. Dep't of Health and Human Servs., “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

Comment

The Department received one comment from a state government that suggested eliminating “unsecured record,” in favor of “unsecured protected health information” because two terms are unnecessary.

Response

We appreciate the comment but believe both terms are needed to implement the newly required breach notification standards for part 2 records, which are defined differently from PHI.

Final Rule

The final rule adopts all proposed modifications to the definition of “unsecured record” in § 2.11, without further modification.

Use

The Department proposed to add a definition of this term that is consistent with the definition in the HIPAA regulations at 45 CFR 160.103 and as the term is applied to the conduct of proceedings specified in 42 U.S.C. 290dd–2(c). As explained in the NPRM, the Department believes this addition is necessary to more fully align part 2 with the HIPAA regulations' use of the phrase “use and disclosure,” as well as make clear, where applicable, that many of the activities regulated by this part involve not only disclosures but internal uses of part 2 records by programs or recipients of part 2 records. The Department also proposed this definition to clarify that in this part, the term “use” has a secondary meaning in accordance with the statutory requirements at 42 U.S.C. 290dd–2(c) for “use” of records in civil, criminal, administrative, and legislative investigations and proceedings. The Department discusses in greater detail the addition of the term “use” to specific provisions throughout this rule.

Comment

The Department received overwhelmingly supportive comments on the proposed changes throughout this rule to include “use and” preceding “disclosure.” With respect to proposed definitions of “use” and “disclosure,” one commenter stated that the term “use” was broad enough to incorporate both the current understanding (as applied to legal proceedings) and the HIPAA understanding (applied to use of records within a health care entity) without creating confusion and other commenters agreed the proposal would provide clarity. Additionally, several commenters recommended that the Department adopt the HIPAA definitions of “use” and “disclosure” to further align part 2 with the HIPAA regulations. Another commenter suggested further that the final rule eliminate the clause “or in the course of civil, criminal, administrative, or legislative proceedings as described at 42 U.S.C. 290dd–2(c)” because the proposed language departs from the HIPAA definition and is unnecessary.

Response

We appreciate the comments. Although we are declining to adopt the HIPAA definition of “use,” we believe that the definition finalized in this rule is consistent with HIPAA's definition and with the additional second meaning in this part in accordance with the statutory requirements at 42 U.S.C. 290dd–2(c) for “use” of records in civil, criminal, administrative, and legislative proceedings.

Comment

One commenter, a health system, suggested that the Department revise the definition of “use” within the HIPAA regulations to match the understanding of its meaning as proposed here, to include the initiation of a legal proceeding.

Response

We appreciate this comment, but it is not within the scope of this rulemaking to address the definition of “use” within the HIPAA regulations.

Final Rule

The final rule adopts all proposed modifications to the definition of “use” in § 2.11, without further modification.

Section 2.12—Applicability

Proposed Rule

In addition to changes to the use and disclosure language in this section, discussed above, the Department proposed to modify paragraph (a) to update the terminology by replacing “drug abuse” with “substance use disorder.” The Department also proposed to modify paragraph (c)(2) of this section, which excludes from part 2 requirements certain interchanges of information within the Armed Forces and between the Armed Forces and the VA, by replacing “Armed Forces” with “Uniformed Services.” This proposed change would align the regulatory text with the statutory language at 42 U.S.C. 290dd–2(e).

As we noted in the 2021 HIPAA NPRM to modify the HIPAA Privacy Rule, the U.S. Public Health Service (USPHS) and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps share responsibility with the Armed Services for certain critical missions, support military readiness and maintain medical fitness for deployment in response to urgent and emergency public health crises, and maintain fitness for deployment onto U.S. Coast Guard manned aircraft and shipboard missions. Because this part 2 proposal with respect to the Uniformed Services is consistent with the underlying statute, the Department does not believe the modification will change how SUD treatment records are treated for USPHS and NOAA Commissioned Corps personnel, but requested comment on this assumption.

The Department proposed in paragraph (d)(1) of this section to expand the restrictions on the use of records as evidence in criminal proceedings against the patient by incorporating the four prohibited actions specified in 42 U.S.C. 290dd–2(c), as amended by the CARES Act, and expanding the regulatory prohibition on use and disclosure of records against patients to cover civil, administrative, or legislative proceedings in addition to criminal proceedings. Absent patient consent or a court order, the proposed prohibitions are: (1) the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or State court; (2) reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency; (3) the use of such record or testimony by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation; and (4) the use of such record or testimony in any application for a warrant.

Administrative agencies may issue subpoenas pursuant to their authority to investigate matters, and several statutes authorize the use of administrative subpoenas in criminal investigations. For example, these may be cases involving health care fraud, child abuse, Secret Service protection, controlled substance cases, inspector general investigations, and tracking unregistered sex offenders. See Charles Doyle, Administrative Subpoenas in Criminal Investigations: A Brief Legal Analysis, CRS Report RL33321 (Dec. 19, 2012), https://crsreports.congress.gov/product/pdf/RL/RL33321. Legislative investigations may also be conducted in furtherance of the functions of Congress or state legislative bodies. See U.S. Dept. of Justice, Off. of Legal Policy, Report to Congress on the Use of Administrative Subpoena Authorities by Executive Branch Agencies and Entities: Pursuant to Public Law 106–544, https://www.justice.gov/archive/olp/rpt_to_congress.htm.

The Department further proposed changes to paragraph (d)(2) (Restrictions on use and disclosures). In paragraph (d)(2)(i) (Third-party payers, administrative entities, and others), the term “third-party payer” as modified in § 2.11 would have the effect of excluding covered entity health plans from the limits on redisclosure of part 2 records. To clarify the modified scope of this paragraph, the Department proposed to insert qualifying language in § 2.12(d)(2)(i)(A) to refer to “third-party payers, as defined in this part.” This approach implements the CARES Act changes in a manner that preserves the existing redisclosure limitations for any third-party payers that are not covered entities. The modified definition of “third-party payer” in § 2.11 excludes health plans by describing a “third-party payer” as “a person, other than a health plan as defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient's family or on the basis of the patient's eligibility for Federal, state, or local governmental benefits” [emphasis added]. As a result of the proposal, health plans would be permitted to redisclose part 2 information as permitted by the HIPAA regulations and other “third-party payers” would remain subject to the existing part 2 prohibition on redisclosure.

The Department also proposed to substitute the term “person” for the term “entity” and the phrase “individuals and entities” in § 2.12(d)(2)(i)(B) and (C), respectively. As discussed above in relation to § 2.11 (Definitions), the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the HIPAA Privacy Rule at 45 CFR 160.103.

In addition to these proposed changes to § 2.12(d), the Department requested comment on how the proposed revisions to § 2.33 (Uses and disclosures with written consent), might affect the future data segregation practices of part 2 programs and recipients of part 2 records. We include comments on that topic in this section because it provides the only explicit reference to data segmentation and segregation of records within the regulation. Operationalizing consent for TPO, more narrow consent, revocation of consent, and requests for restrictions on disclosures for TPO may raise challenges concerning tagging, tracking, segregating and segmenting records and health data. These issues are addressed across multiple sections of the final rule, including §§ 2.12, 2.22, 2.31, 2.32, and 2.33.

The Department proposed to conform paragraph (e)(3) of § 2.12 to 42 U.S.C. 290dd–2(c), as amended by section 3221(e) of the CARES Act, by expanding the restrictions on the use of part 2 records in criminal proceedings against the patient to expressly include disclosures of part 2 records and to add civil and administrative proceedings as additional types of forums where use and disclosure of part 2 records is prohibited, absent written patient consent or a court order. Additionally, the Department proposed to clarify language in paragraph (e)(4)(i) of § 2.12, which excludes from part 2 those diagnoses of SUD that are created solely to be used as evidence in a legal proceeding. The proposed change would narrow the exclusion to diagnoses of SUD made “on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction” to be used as evidence “in legal proceedings.” The Department believed the proposed clarification would tighten the nexus between a law enforcement or judicial request for the diagnosis and the use or disclosure of the SUD diagnosis based on that request, and requested comment on this approach.

We respond to comments on all aspects of § 2.12 below.

Comment

A few health system commenters supported the proposed change in paragraph (c)(2) to replace Armed Forces with Uniformed Services to be more inclusive.

Response

We appreciate the comments.

Comment

A few commenters expressed concerns about paragraph (c)(6) of this section, which excludes from part 2 applicability the use and disclosure of part 2 records in reports of child abuse and neglect mandated by state law and the fact that the exception does not allow for reporting of vulnerable adult and elder abuse or domestic violence.

Response

Modifications to this provision are outside of the scope of this rulemaking. Moreover, the exception that allows part 2 programs to disclose otherwise confidential records for child abuse reporting is based in a statutory exclusion in 42 U.S.C. 290dd–2(e). Because Congress had the opportunity to address this statutory exclusion in the CARES Act amendments and did not do so, we do not believe we can unilaterally expand the exclusion by adding a regulatory exception for elder or vulnerable adult abuse similar to that for child abuse reporting. Congress could in the future choose to add to the statute an exception that would allow part 2 programs to report vulnerable adult and elder abuse and neglect. We further address options for disclosures to prevent harm in the discussion of § 2.20 (Relationship to state laws).

Comment

Some commenters supported the proposed changes in paragraph (d)(2) to the prohibition on use and disclosure of part 2 records against a patient or a part 2 program in investigations and proceedings absent patient consent or a court order. These commenters appreciated the expanded protection from use and disclosure in legislative and administrative investigations and proceedings and the express protection of testimony that conveys information from part 2 records within the consent or court order requirements. Some commenters thought that these express and expanded protections would serve as a beneficial counterweight to easing the flow of part 2 records for health care-related purposes.

Response

We appreciate the comments and agree that the expanded scope of protection to include not only records but testimony and to include legislative and administrative proceedings provides greater protection to patients and part 2 programs that are the subject of investigations and proceedings.

Comment

Many commenters expressed concern about the use of written consent as a way to overcome the prohibition against the use of records in proceedings against patients, expressing alarm that this could allow coerced consent by law enforcement.

Response

We address the concerns about allowing patient consent for use and disclosure of records in legal proceedings in the discussion of § 2.31 (Consent requirements). Patient consent was not the intended focus of the modifications to § 2.12(d), but was included to mirror the statutory language in 42 U.S.C. 290dd–2(c), as amended by section 3221(e) of the CARES Act. The final rule provides guardrails for the consent process in a new paragraph to § 2.31, discussed below.

Comment

A county board of supervisors commented on changes to paragraph (d)(2), stating that the current regulations require a special court order to authorize the use or disclosure of patient records in a criminal investigation or prosecution. The county expressed concern that a lack of meaningful safeguards when allowing the disclosure of patients' SUD records by patient consent may result in patients being asked to consent to disclosures of their protected SUD treatment records as a condition of a plea deal, sentencing, or release from custody, and that without adequate protections individuals may fear this information being used against them and may not seek treatment. According to the commenter, expanding the ability to access and use patients' SUD treatment records in criminal cases may result in harm to patients such as exacerbation of disparities in access to SUD treatment, criminalization of SUD, and treatment outcomes. The commenter recommended that HHS include meaningful protections in the final rule against patients being coerced into signing consent forms that can be used against them in a criminal or civil case.

Response

We have added at § 2.31(d) an express requirement that consent for use and disclosure of records in civil, criminal, administrative, and legislative investigations and proceedings be separate from consent to use and disclose part 2 records for other purposes. The existing rule, at § 2.33(a), permits patients to consent to use and disclosure of their records and that part 2 programs may disclose the records according to the consent. We interpret this to include consent for use and disclosure of records in legal proceedings, including those that are brought against a patient. Thus, we do not view this final rule's language about consent in § 2.12(d) as creating a substantive change to patients' rights or the existing procedures for legal proceedings, but as clarifying how consent is one option for achieving the use and disclosure of records in proceedings against a patient.

Nonetheless, because the role of patient consent is expanding, we created the new requirement for separate consent as § 2.31(d) in response to many comments about the potential for coerced consent and specific suggestions about ways to reduce instances of potential coercion, including requiring it to be separate from TPO consent or consent to treatment. This paragraph provides that patient consent for use and disclosure of records (or testimony relaying information contained in a record) in a civil, criminal, administrative, or legislative investigation or proceeding cannot be combined with a consent to use and disclose a record for any other purpose. Some commenters asserted that patients are particularly vulnerable to coerced consent at the initiation of treatment when they are suffering the effects of SUD and that they may not fully appreciate how their records may be used or disclosed in proceedings against them. Thus, requiring separate consent for use or disclosure of records in investigations or proceedings against a patient would help ensure that patients are better aware of the nature of the proceedings and how their records may be used. Signing a separate document specific to one purpose draws attention to the consent decision and provides greater opportunity for review of the nature of the consent. Comments about the proposed changes for legal proceedings are also addressed in §§ 2.2, 2.31, 2.66, and 2.67. Additional comments with similar concerns are discussed in § 2.31.

Comment

With respect to the applicability of part 2 to third-party payers, we received overwhelming support from the several organizations that commented on the proposed change to the definition of third-party payer as applied in paragraph (d)(2)(i) of this section. These commenters supported the proposal to distinguish health plans, which are covered entities, from other third-party payers who are subject to part 2 (but not subject to HIPAA). One commenter explained their understanding that covered entity payers (e.g., health plans) would already be included in the meaning of covered entity for the purposes of part 2 and HIPAA, and therefore able to operate under the relaxation of the redisclosure prohibition for TPO purposes, while “third-party payers” under this narrowed definition would not. The commenter stated its belief that the change was an important and useful clarification of the continued redisclosure prohibition on treatment uses by such third-party payers.

A few HIE/HIN commenters strongly supported this change because the inability to segment the part 2-protected claims/encounter data from the non-part 2 data has often been a barrier to health plans contributing the clinical component of this administrative data to local, regional, and national HIE efforts. Additionally, a health system requested that the Department ensure that ACOs and population health providers have access to full part 2 information without a beneficiary having to explicitly opt in to data sharing.

Response

We appreciate the comments concerning how the proposed narrower definition of “third-party payer” operates in paragraph (d)(2) of this section. Applicability to health plans is now addressed under paragraph (d)(2)(C) within the reference to covered entities. Additionally, the new statement in paragraph (d)(2)(C) in this final rule provides that health plans are not required to segregate records or segment data upon receipt from a part 2 program. ACOs and population health providers will need to evaluate the applicability provision based on their status as covered entities or business associates.

Comment

A medical professionals association voiced its strong support for data segmentation in support of data interoperability while maintaining patient privacy; capabilities for EHRs to track and protect sensitive information before it can be disclosed or redisclosed; and continuous monitoring and data collection regarding unintended harm to patients from sharing their sensitive information.

Response

We appreciate the comment about improving the capabilities for EHRs to segment data to maintain patient privacy while also remaining interoperable. The final rule change expressly stating that data segmentation is not required by recipients under a TPO consent does not preclude the voluntary use of data segmentation or tracking as means to protect sensitive data from improper disclosure or redisclosure. As a result of the modifications to paragraph (d)(2) of § 2.12, key recipients of part 2 records may choose the best method for their health IT environment and organizational structure to protect records from use and disclosure in legal proceedings against the patient, absent consent or a court order. For example, the use of the data segmentation for privacy (“DS4P”) standard as adopted as part of the ONC Health IT Certification Program criteria in 45 CFR 170.315(b) is a technical capability that would be acceptable/sufficient.

See The Off. of the Nat'l Coordinator for Health Info. Tech., “Certification Companion Guide: Security tags” (2015), https://www.healthit.gov/test-method/security-tags-summary-care-send.

Comment

A few individual commenters, a police and community treatment collaborative, a health IT vendor, and an SUD recovery policy organization, requested changes to paragraph (e)(4), which applies to a “[d]iagnosis which is made on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction solely for the purpose of providing evidence[.]” Specifically, they recommended in § 2.12(e)(4)(i) that we add language to include the purpose of determining eligibility for participation in deflection, diversion, or reentry alternatives to incarceration. The commenters stated that alternatives to incarceration require swift assessments, diagnoses, and referrals to treatment and care, and that the requested change is narrowly tailored and consistent with best practice and priorities within the justice field.

Response

We decline to further modify paragraph (e)(4) in the manner suggested, although we appreciate the comment and the intent to support criminal justice deflection programs and alternatives to incarceration where appropriate. The changes we proposed to this paragraph were for clarification and not intended to create substantive modifications. However, we believe that as drafted, the final regulatory language supports the disclosure of diagnoses made for the purpose of providing evidence for any number of purposes, which could include determining eligibility for participation in deflection, diversion, or reentry alternatives to incarceration. Thus, in our view, the suggested change is not necessary to meet the commenter's purposes.

Final Rule

The final rule adopts all proposed changes to § 2.12 and further modifies this section by: (1) clarifying that the restrictions on uses and disclosures of records in proceedings against a patient apply to persons who receive records from not only part 2 programs and lawful holders, but also from covered entities, business associates, and intermediaries to allow for the new operation of consent as enacted by the CARES Act; (2) modifying paragraph (b)(1) by replacing “Armed Forces” with “Uniformed Services” to conform with the changes in paragraph (c)(2) and the statutory language at 42 U.S.C. 290dd–2(e); (3) adding an express statement to paragraph (d)(2)(i)(C) that recipients of records under a TPO consent who are part 2 programs, covered entities, and business associates are not required to segregate the records received or segment part 2 data; and (4) removing a phrase in paragraph (d)(2)(ii) that implied a requirement for recipients of part 2 records to segregate or segment the data received, including removing the requirement from covered entities, business associates, and intermediaries, as well as from part 2 programs.

The non-substantive wording changes to paragraphs (a), (c), and (e) are included in the amendatory language in the last section of this final rule.

Section 2.13—Confidentiality Restrictions and Safeguards

Proposed Rule

The current provisions of this section apply confidentiality restrictions and safeguards to how part 2 records may be “disclosed and used” in this part, and specifically provide that part 2 records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings. The current provisions also provide that unconditional compliance with part 2 is required by programs and lawful holders and restrict the ability of programs to acknowledge the presence of patients at certain facilities. Changes to the Department's use of the terms “use” and “disclose” in this section are discussed above. Paragraph (d) of § 2.13 (List of disclosures) includes a requirement for intermediaries to provide patients with a list of entities to which an intermediary, such as an HIE, has disclosed the patient's identifying information pursuant to a general designation. The Department proposed to remove § 2.13(d) and redesignate the content as § 2.24, change the heading of § 2.24 to “Requirements for intermediaries,” and in § 2.11 create a regulatory definition of the term “intermediary” as discussed above. The Department's proposal to redesignate § 2.13(d) as § 2.24 would move the section toward the end of subpart B (General Provisions), to be grouped with the newly proposed §§ 2.25 and 2.26 about patient rights and disclosure. Section 2.24 is discussed separately below.

In addition to these proposed structural changes, the Department also proposed minor wording changes to paragraphs (a) through (c) of § 2.13 to clarify who is subject to the restrictions and safeguards with respect to part 2 records. The Department solicited comment on the extent to which part 2 programs look to the HIPAA Security Rule as a guide for safeguarding part 2 electronic records. The Department also requested comment on whether it should modify part 2 to apply the same or similar safeguards requirements to electronic part 2 records as the HIPAA Security Rule applies to ePHI or whether other safeguards should be applied to electronic part 2 records.

Comment

We received general support from an HIE regarding our efforts to align the security requirements in part 2 for EHRs with the HIPAA Security Rule. An individual commenter said that similar safeguard requirements should apply to electronic part 2 records as the HIPAA Security Rule applies to ePHI. The commenter stated that, ideally, stronger safeguards should apply to electronic part 2 records because these records can function as a bridge to discrimination, sanctions, and adverse actions. An insurer commenter stated that it currently manages electronic part 2 records and information consistent with the HIPAA Security Rule and would—in keeping with the concept of treating SUD information the same as other PHI—support applying the same rules and protections of the HIPAA Security Rule to electronically stored and managed part 2 records and information. Noting that the HIPAA Privacy and Security Rules are widely adopted across the health care continuum, an HIE association encouraged the Department to pursue further alignment with HIPAA Security Rule requirements where appropriate. Another health insurer supported aligning part 2 safeguards with the safeguards applicable under the HIPAA regulations. This commenter stated that, as HHS works to align part 2 regulations with HIPAA regulations, the ultimate goal should be to streamline policies while ensuring the protection of patient data across programs and data sharing platforms. The health plan and another commenter, a health insurer, believed that different types of PHI should share the same level of protection and supported Department efforts toward this end.

Response

We appreciate the comments on our proposed changes and the comments on modifying part 2 to apply the same or similar safeguard requirements to electronic part 2 records as apply under the HIPAA Security Rule. Prior to our changes in this final rule, part 2 programs and other lawful holders already were required to have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These provisions applied to both paper records and electronic records.

Consistent with the amendment enacted in the CARES Act and codified at 42 U.S.C. 290dd–2(j), the final rule applies breach notification requirements to “unsecured records” in the same manner as they currently apply to “unsecured PHI” in the Breach Notification Rule, including specific requirements related to the manner in which breach notification is provided. We are not making any additional modifications to align the HIPAA Security Rule and part 2 at this time, but will take these comments into consideration in potential future rulemaking.

Comment

A few HIEs/HIE associations urged the Department to add new language to § 2.13 that expressly provides: “[c]onsent revocation. If a patient revokes a consent, the consent revocation is only effective to prevent additional disclosures from the part 2 program(s) to the consent recipient(s). A recipient is not required to cease using and disclosing part 2 records received prior to the revocation.”

The commenters believed that adding this language to § 2.13 would mitigate part 2 program concerns that they might be held accountable for a recipient's continued use and disclosure of previously disclosed part 2 program records. The Department sought comment on whether it should require part 2 programs to inform an HIE when a patient revokes consent for TPO so that additional uses and disclosures by the HIE would not be imputed to the programs that have disclosed part 2 records to the HIE. These commenters responded that requiring such notification would directly contradict the Department's statements in the preamble to the NPRM—and the purpose of the CARES Act—because a notification implies that it would be unlawful for the HIE to continue to use and disclose the part 2 records it received prior to revocation. A better approach according to these commenters would be to clarify in the part 2 regulations what is and is not permitted after a revocation.

Response

Revocation of consent is associated with a patient's wish to modify or rescind previously granted written consent provided under § 2.31 in subpart C. We do not agree that stating revocation requirements in this section would clarify these requirements; those issues are addressed in the discussion of § 2.31.

Comment

A medical professionals association generally supported the alignment of redisclosure processes with HIPAA. The commenter also supported prohibiting redisclosures of records for use in civil, criminal, administrative, and legal proceedings. Along with increased patient and provider education about disclosure and data protection, the association further encouraged the Department to support the development of technological infrastructure to manage these data once disclosed.

Response

We appreciate this comment on the Department's proposed changes. We have revised the part 2 redisclosure requirements to align more closely with HIPAA requirements with respect to disclosures of PHI. We clarify applicability of these changes to business associates and covered entities. Subject to limited exceptions, such redisclosed records cannot be used in any civil, criminal, administrative, or legislative proceedings by any Federal, State, or local authority against the patient, unless authorized by the consent of the patient.

Final Rule

The final rule adopts the changes to § 2.13 as proposed, including removing paragraph (d) and redesignating it as § 2.24 (Requirements for intermediaries).

The changes to the remaining provisions of § 2.13 are non-substantive and are included in the amendatory language in the last section of this final rule.

Section 2.14—Minor Patients

Proposed Rule

The Department proposed to change the verb “judges” to “determines” to describe a part 2 program director's evaluation and decision that a minor lacks decision making capacity, which can lead to a disclosure to the patient's parents without the patient's consent. This change is intended to distinguish between the evaluation by a part 2 program director about patient decision making capacity and an adjudication of incompetence made by a court, which is addressed in § 2.15. The Department also proposed a technical edit to § 2.14(c)(1) to correct a typographical error from “youthor” to “youth or.”

The Department also proposed to substitute the term “person” for the term “individual” in § 2.14(b)(1) and (2), (c) introductory text, and (c)(1) and (2), respectively.

Overview of Comments

The Department received general support for its proposed changes to § 2.14. However, some commenters expressed concern about certain proposed changes or requested additional clarity, as described below.

Comment

An HIE association urged the Department to align the part 2 requirements regarding minors with the state-based requirements regarding minor access, consent, and disclosure of their health records. The commenter noted that some states have stringent rules for when a minor patient can control different sections of their health record and urged the Department to engage with patient advocacy organizations to fully understand the implications of the minor consent provisions in part 2. Another commenter noted that jurisdictions vary with respect to the age of majority, who is considered a legal guardian or authorized representative, emancipated minors, and specific consent for special health services (e.g., HIV testing, reproductive services, mental and behavioral health). Commenters cited examples of states such as California, which they perceived to have strong consent and privacy provisions for minors, and argued that it was important that part 2 foster alignment between consent to receive care and access to medical information by the person authorized to provide consent to treatment.

See, e.g., Marianne Sharko, Rachael Jameson, Jessica S. Ancker, et al., “State-by-State Variability in Adolescent Privacy Laws,” Pediatrics (May 9, 2022), https://doi.org/10.1542/peds.2021-053458.

Response

We acknowledge that regulations and statutes pertaining to behavioral health, including treatment and access to records by those who consent, differ by state. The Department has previously highlighted that § 2.14 states that “these regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.” State laws may also vary with respect to access to records by parents or caregivers. As provided in § 2.20 (Relationship to state laws), part 2 “does not preempt the field of law which they cover to the exclusion of all state laws in that field.” Thus, states may impose requirements for consent, including for minors, that are more stringent than what Federal regulations may require. The Department understands that there exist variations among jurisdictions concerning minor and parent or guardian consent requirements. Part 2 programs and other regulated entities are advised to seek legal advice on the application of their state and local laws when appropriate.

Id. See also “TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations,” supra note 122. See also, 82 FR 6079 (Jan. 18, 2017).

82 FR 6052, 6083.

Comment

One commenter urged the Department to proactively partner with states to design state-specific educational resources and tools to expedite access to SUD treatments. The commenter cited the New York Civil Liberties Union 2018 pamphlet entitled “Teenagers, Health Care and the Law: A Guide to Minors' Rights in New York State” as one example of a helpful resource. Other commenters also urged the Department to provide guidance about minor consent in relation to Medicaid, the Children's Health Insurance Program (CHIP), and other health coverage programs.

New York Civil Liberties Union, “Guide: Teenagers, Health Care, and the Law (English and Spanish)” (Oct. 2, 2018), https://www.nyclu.org/en/publications/guide-teenagers-health-care-and-law-english-and-spanish.

Response

The Department appreciates examples of what commenters view as relevant or helpful resources and publications but does not necessarily endorse the content of specific publications not developed or reviewed by HHS. We will consider what additional guidance from HHS may be helpful after this rule is finalized.

Comment

Commenters generally supported the proposed change from “judges” to “determines” to better distinguish a part 2 program director's evaluation and decision that a minor lacks decision-making capacity from when a court adjudicates (i.e., judges) a patient as lacking decision-making capacity. But one association noted that in addition to the Federal regulation, states can also have their own requirements related to minors, decision-making capacity, and their ability to make independent decisions regarding care and treatment. The commenter believed that part 2 programs, consumers, and other stakeholders could benefit from the Department discussing the Federal standard in the preamble to final regulations or in future guidance discussing how states can align with the standard and potential areas for Federal and state conflicts. Other commenters also urged the Department to provide additional guidance on the intersection of state and Federal laws, including for minors out of state and receiving SUD treatment.

Response

The Department appreciates the comments about changing “judges” to “determines” and will consider what additional guidance on these issues may be helpful after this rule is finalized.

Comment

Commenters supported the proposal to remove the term “incompetent” and instead refer to patients who lack the capacity to make health care decisions to distinguish between lack of capacity and adjudication of incompetence.

Response

The Department appreciates the comments on this proposed change.

Comment

Commenters emphasized the importance of minors being able to control their health records but also ensuring that parents and guardians do not face unnecessary barriers to obtaining SUD treatment for youth in their care. Providers, one commenter asserted, are reluctant or even unwilling to include parents and guardians in treatment, even when their clinical judgment would dictate otherwise.

Response

The Department agrees that it is important for minors to have input concerning the use and disclosure of their health records in a manner that is consistent with state law. The Department also has emphasized both with respect to HIPAA and part 2 that parents, guardians, and other caregivers should not face unnecessary barriers in supporting a loved one's care. SAMHSA has published resources for families coping with mental health and SUDs and OCR has issued guidance for consumers and health professionals on HIPAA and behavioral health.

See “Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE),” supra note 150; U.S. Dep't of Health and Human Servs., “Personal Representatives and Minors,” https://www.hhs.gov/hipaa/for-professionals/faq/personal-representatives-and-minors/index.html.

See Substance Abuse and Mental Health Services Administration, “Resources for Families Coping with Mental and Substance Use Disorders” (Mar. 14, 2023), https://www.samhsa.gov/families; U.S. Dep't of Health and Human Servs., “The HHS Office for Civil Rights Responds to the Nation's Opioid Crisis” (Mar. 11, 2021), https://www.hhs.gov/civil-rights/for-individuals/special-topics/opioids/index.html.

Comment

To allow for meaningful care coordination for minors, a state agency urged the Department to modify proposed § 2.14(b)(2) as follows: “[w]here state law requires parental consent to treatment, any consent required under this Part may be given by the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf only if: * * *.”

Response

We appreciate the suggestion; however, because we did not propose modifications to this language or request public comment related to it, making this change would be outside the scope of this rulemaking. For purposes of this rulemaking, finalizing the existing language, without modification, accurately reflects the current balance between part 2 confidentiality requirements and state legal requirements concerning minor consent.

Comment

One commenter expressed concern that, in their view, part 2 provides no options for part 2 providers to involve parents or guardians in a minor's treatment without the minor's consent, even where state law explicitly permits such involvement or even requires providers to make determinations about the appropriateness of a parent or guardian's involvement. The commenter urged the Department to align § 2.14 with provisions in the Privacy Rule permitting access to treatment records if a minor consents to care as provided under state law.

Response

The Department acknowledges the complexity of the intersection of part 2 and state requirements concerning minor consent, including parental or caregiver involvement. After this rule is finalized, the Department may provide additional guidance on these issues. Part 2, in part, provides that “[w]here state law requires consent of a parent, guardian, or other individual for a minor to obtain treatment for a substance use disorder, any written consent for disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other individual authorized under state law to act in the minor's behalf.” The Department has published relevant resources for families and guidance on applying behavioral health privacy laws to mental health and SUDs.

See, e.g., The Ctr. of Excellence for Protected Health Info., “Families and minors,” https://coephi.org/topic/families-and-minors/.

Comment

With respect to the role of part 2 program director, one association of medical professionals asserted that the decision-making of a minor should be made in consultation with the treatment plan team and not in isolation by a part 2 program director.

Response

The Department appreciates this input on clinician-based decisions about patients. While the part 2 program director has specific responsibilities under this section, the Department would expect most part 2 programs to have protocols detailing the program director's role and consultation with others on the treatment team as needed. As the person with authority over the part 2 program, the director would be responsible for how the program operates, so we do not view additional regulatory requirements as necessary.

Final Rule

The Department is finalizing all proposed changes to § 2.14 without further modification. This includes a technical edit in § 2.14(c)(1) to correct a typographical error from “youthor” to “youth or” and changing the verb “judges” to “determines” to describe a part 2 program director's evaluation and decision that a minor lacks decision making capacity that could lead to a disclosure to the patient's parents without the patient's consent.

Section 2.15—Patients Who Lack Capacity and Deceased Patients

Proposed Rule

The Department proposed to replace outdated terminology in this section that referred to “incompetent” patients, refer to the “use” of records in addition to disclosures, and to substitute the term “person” for the term “individual” as discussed above in relation to § 2.11 (Definitions). The Department further proposed to clarify that paragraph (a) of this section refers to a lack of capacity to make health care decisions as adjudicated by a court while paragraph (b) refers to lack of capacity to make health care decisions that is not adjudicated by a court, and to add health plans to the list of entities to which a part 2 program may disclose records without consent to obtain payment during a period when the patient has an unadjudicated inability to make decisions. We also proposed updates to paragraph (b) of this section concerning consent by personal representatives.

Comment

A health plan commenter supported the inclusion of health plans in the list of entities to which a part 2 program can disclose records when a patient lacks capacity. An association of medical professionals also supported adding health plans to the list of entities to which a part 2 program may disclose records without consent when a patient lacks capacity to make health care decisions, to ensure that part 2 programs receive appropriate and timely payment for their services. A health system expressed general support for our proposed changes.

Response

We appreciate the comments on the proposed changes.

Comment

An association of medical professionals supported the proposed change from “incompetent patients” to “patients who lack capacity to make health care decisions,” whether adjudicated or not. The commenter also supported the addition of health plans to the list of entities to which a program may disclose records without consent. The commenter also said that families often request the records of deceased patients, that there does not appear to be a consistent policy about this among SUD treatment centers, and that it would be helpful to have this matter addressed.

Response

We appreciate the comment on our proposed changes. With respect to deceased patients, part 2 regulations as finalized “do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.” Additionally, the regulations state that “[a]ny other use or disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the use or disclosure is required, that consent may be given by the personal representative.” In the preamble for § 2.11 of this rule, we discuss applying the HIPAA definition of “personal representative.” We have stated in guidance for the HIPAA Privacy Rule that “[s]ection 164.502(g) provides when, and to what extent, [a] personal representative must be treated as the individual for purposes of the [HIPAA Privacy] Rule.” Section 164.502(g)(2) requires a covered entity to treat a person with legal authority to act on behalf of an adult or emancipated minor in making decisions related to health care as the individual's personal representative with respect to PHI relevant to such personal representation. The definition in this rule mirrors language in the HIPAA Privacy Rule at 45 CFR 164.502(g).

U.S. Dep't of Health and Human Servs., “Personal Representatives” (Sept. 19, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html.

Id. See also, “Personal Representatives and Minors,” supra note 176.

Comment

An association of medical professionals supported the proposed changes but urged the Department to reduce confusion and avoid potential conflicts with state law by amending § 2.15(b)(2) to clarify that this section only applies if there are no applicable state laws governing surrogate decision making.

Response

We decline to modify this section to refer to state law requirements, as we discuss intersections with state law in § 2.20 and we do not anticipate that the definition of “personal representative,” which mirrors the standard in the HIPAA regulations, will conflict with state law requirements.

Comment

One commenter believed that even though the NPRM addressed the issue of a patient's lack of capacity to sign an informed consent, it failed to address circumstances involving diminished capacity associated with intoxication, withdrawal, medication induction, and early phases of treatment. The commenter asserted that addressing the issue of temporary diminished capacity is critical to the proposed perpetual consent for TPO purposes promoted by the NPRM. The commenter also stated that relying on a single enduring consent made at a time when a person is most vulnerable and cognitively compromised is unethical, and that a signed consent around the time of treatment entry should be valid for no more than six months. According to this commenter, it is important to stress that the authority of the part 2 program director to exercise the right of the patient to consent to uses and disclosures of their records is restricted to that period where the patient suffers from a medical condition that creates a lack of capacity to make knowing or effective health care decisions on their own behalf. Further, according to this commenter, that authority is limited to obtaining payment for services from a third-party payer or health plan, and should not extend more than 30 days. After such time, the part 2 program director should seek a court order, according to the commenter.

Response

We agree with the commenter that, as stated in the regulation, the part 2 program director's authority in § 2.15(a)(2) extends only to obtaining payment for services from a third-party payer or health plan.

In some cases, a patient who has diminished capacity due to overdose, intoxication, withdrawal, or other medical conditions may be considered by a medical provider to be experiencing a “bona fide medical emergency in which the patient's prior written consent cannot be obtained.” As the Department explained in the preamble to its 2020 final rule, under § 2.51, disclosures of SUD treatment records without patient consent are permitted in a bona fide medical emergency. Although not a defined term under part 2, a “bona fide medical emergency” most often refers to the situation in which an individual requires urgent clinical care to treat an immediately life-threatening condition (including, but not limited to, heart attack, stroke, or overdose), and in which it is infeasible to seek the individual's consent to release of relevant, sensitive SUD records prior to administering potentially life-saving care. In such cases, the medical emergency provisions of part 2 would apply.

See 42 CFR 2.51 (Medical emergencies).

85 FR 42986, 43018.

In addition, provisions of § 2.31 (Consent requirements), are pertinent to this comment. Section 2.31(a)(6) of this final rule requires that the consent must inform the patient of “[t]he patient's right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it, and how the patient may revoke consent.” Thus, a patient, after their medical condition has been treated, will be able to modify any part 2 written consent at a later date.

Comment

An academic health system believed that under § 2.15(a)(2), patients who may lack capacity temporarily, without court intervention, have no one with the legal authority to consent to uses or disclosures other than for payment purposes. The commenter viewed this restriction as inconsistent with both state law and HIPAA and as an outdated and problematic limitation. The commenter said that at times its part 2 programs admit a patient who lacks capacity temporarily (where there is no need for court intervention) and permit a surrogate to consent to treatment as permitted by state law, particularly in the inpatient context. The commenter added that the regulations should reflect that if a surrogate or personal representative has the ability under state law to consent to treatment, then that same surrogate or personal representative should have the ability to consent to the use and disclosure of part 2 records regardless of whether there has been an adjudication by a court. Otherwise, part 2 programs would be admitting a patient into treatment with no one who has the legal authority to consent to critical uses or disclosures that are essential or legally required to operate the part 2 program. According to the commenter, making this change would also better align part 2 with HIPAA and the concept that a personal representative has authority under state law to consent to both treatment and the uses and disclosures of information related to that treatment.

Response

We refer the commenter to our responses above regarding the part 2 medical emergency provisions that may apply to such circumstances and to our comments on the definition of personal representative. We discuss intersections with state law in § 2.20.

Comment

A commenter anticipated that once the proposed rule is finalized, part 2 programs will begin to utilize existing technologies and workflows that have been created to comply with HIPAA standards. The commenter stated that many part 2 programs may require all patients to sign a global consent as a condition of treatment to take advantage of these current technologies and workflows that will now be available to part 2 programs. The commenter expressed concern that, once these part 2 programs change their practices to align with existing technologies and workflows, there would be no mechanism for a part 2 program to treat a patient who refuses to sign a global consent. The commenter suggested that the “payment only” limitation in § 2.15(a)(2) would prevent part 2 programs from offering treatment to those most vulnerable patients because no one will have the authority to consent to the use and disclosure of part 2 information. Having a patient admitted into a part 2 program with no one able to provide TPO consent that would permit subsequent beneficial redisclosures, may penalize patients who are most in need of treatment, according to this commenter.

Another commenter, a health plan association, also urged HHS to allow the part 2 program director to exercise the patient's right to consent to any use or disclosure under part 2 when the patient is incompetent but not yet adjudicated by a court as such. The commenter stated that the rule should not deprive incompetent persons most in need of care from the ability to access care and expressed particular concern about circumstances in which a part 2 program may be the only mental health provider in the area ( e.g., in rural locations). The commenter stated that part 2 should not prevent part 2 programs from divulging information without which the incompetency adjudication process cannot proceed; otherwise, part 2 would create a barrier to access to care for incompetent patients because the information the part 2 program has might be the only information that would enable an adjudication of incompetence. The “medical emergency” exception, the commenter asserted, would sometimes be of little use if the emergency providers to whom information is disclosed cannot obtain consent to render care, and a court adjudication of incompetency is impossible to achieve without part 2 program information.

Additionally, the commenter found that the proposed rule did not address advance directives like durable powers of attorney that do not involve court adjudication but physician adjudication to trigger the provisions conferring authority to the patient's personal representative. Therefore, according to the commenter, § 2.15(a)(2) should read: “[i]n the case of a patient, other than a minor or one who has been adjudicated as lacking the capacity to make health care decisions, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a use or disclosure under subpart C of this part.”

Response

As noted above, the part 2 medical emergency provisions may apply to the circumstances described by the commenter if a patient cannot consent to treatment due to a bona fide medical emergency. Absent a medical emergency, under § 2.15(a)(2) the part 2 program director may exercise the right of the patient to consent to disclosure for the sole purpose of obtaining payment for services from a third-party payer for an adult patient who for any period suffers from a medical condition that prevents knowing or effective action on their own behalf. Consistent with the Privacy Rule's provisions on personal representatives, we state in § 2.11 that a personal representative means a person who has authority under applicable law to act on behalf of a patient who is an adult or an emancipated minor in making decisions related to health care. Also, consistent with the Privacy Rule, a personal representative under part 2 would have authority only with respect to patient records that are relevant to such personal representation.

Comment

A state agency recommended modifying § 2.15(a) to specifically address adult patients who lack capacity, but have appointed a personal representative. This change, according to the commenter, would allow for better care and coordination for patients who have a personal representative.

Response

We believe our modifications to § 2.15(a) as finalized in this rule respond to the commenter's concerns about the role of the personal representative. We decline to make additional changes to this section as requested by the commenter because the new definition of “personal representative” defers to state law.

Comment

A health plan commenter stated that when a patient has an unadjudicated inability to make decisions due to a medical condition, this section of the final rule should clarify that patients would be allowed to request that their billing information not be sent to a health plan if the patient (or third party other than the health plan) agrees to pay for services in full. The commenter also expressed concern about a general lack of guidance on how proof of an unadjudicated inability to make decisions (other than in an emergency) would be documented and sought further clarification. The commenter asked the Department to confirm that a health plan would not be required to (1) confirm how consent was obtained and (2) treat SUD information of patients who lack capacity in a special manner—for example, through specialized documentation and other procedures—or differently from information of patients who directly provided consent. The commenter said that these changes would help facilitate treatment and payment for patients who lack capacity temporarily, which may lead to more timely care and better outcomes. According to this commenter, relying on a part 2 program director's expertise to determine the patient's present capacity would facilitate more timely care decisions and reduce burden on health plans.

Response

We discuss consent provisions elsewhere in this rule. We confirm that this final rule does not create new requirements for special or unique treatment of SUD information of patients who lack capacity.

As we discuss above, when a patient suffers from a medical condition that prevents knowing or effective action on their own behalf for any period, the part 2 program director may exercise the right of the patient to consent to a use or disclosure under subpart C for the sole purpose of obtaining payment for services from a third-party payer or health plan. If a part 2 program director believes that this step is unnecessary after speaking with the patient or others, the director may choose not to exercise this right. If a patient has an unadjudicated inability to make decisions due to a medical condition that prevents them from knowing or taking action, they may be unable to consent to or refuse consent to a use or disclosure for the sole purpose of obtaining payment for services from a third-party payer or health plan; in such circumstances, the part 2 program director's ability to exercise the patient's right to consent for the sole purpose of obtaining payment may apply.

Final Rule

In addition to finalizing changes such as replacing “individual” with “person” and referring to “use” in addition to “disclosures,” we are finalizing the proposal to remove the term “incompetent” in this section and refer instead to patients who lack capacity to make health care decisions. We also are finalizing the proposal to clarify that paragraph (a) of this section refers to lack of capacity to make health care decisions as adjudicated by a court while paragraph (b) refers to lack of capacity to make health care decisions that is not adjudicated, and to add health plans to the list of entities to which a part 2 program may disclose records without consent to obtain payment during a period when the patient has an unadjudicated inability to make decisions. We also are finalizing updates to paragraph (b) of this section concerning deceased patients and consent by personal representatives.

Section 2.16—Security for Records and Notification of Breaches

Overview of Rule

Section 2.16 (Security for records) contains several requirements for securing records. Specifically, § 2.16(a) requires a part 2 program or other lawful holder of patient identifying information to maintain formal policies and procedures to protect against unauthorized uses and disclosures of such information, and to protect the security of this information. Section 2.16(a)(1) and (2) set forth minimum requirements for what these policies and procedures must address with respect to paper and electronic records, respectively, including, for example, transfers of records, maintaining records in a secure location, and appropriate destruction of records. Section 2.16(a)(1)(v) requires part 2 programs to implement formal policies and procedures to address removing patient identifying information to render it non-identifiable in a manner that creates a low risk of re-identification.

The current part 2 requirements for maintaining the security of records are limited to these provisions requiring policies and procedures. In contrast, the HIPAA regulations include a HIPAA Security Rule with specific standards and implementation specifications for how covered entities and business associates are required to safeguard ePHI. Part 2 does not have similar requirements.

Application of Part 2 Security Requirements to Lawful Holders

Current § 2.16 applies security requirements to part 2 programs and lawful holders. The term “lawful holder” is a recognized term that is applied in several part 2 regulatory provisions; however, it is not defined in regulation. Generally, it refers to “an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a prohibition on re-disclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.”

See 82 FR 6052, 6068; see also 81 FR 6988, 6997.

The Department sought public comment on whether security requirements should apply uniformly across all persons who receive part 2 records pursuant to consent such that certain failures, such as a failure to have “formal policies and procedures” or to “protect” against threats, would result in the imposition of civil or criminal penalties against all persons who receive these records pursuant to consent. The Department's request for comment in this regard asked, “whether the requirements of this section that apply to a lawful holder should in any way depend on the level of sophistication of a lawful holder who is in receipt of Part 2 records by written consent, or should depend on whether the lawful holder is acting in some official or professional capacity connected to or related to the Part 2 records.”

Comment

One commenter, an association of medical professionals, opined that all entities that hold personal health information should be required to notify persons when their information is breached, but also that breach rules must not hold parties responsible for the actions of other parties over whom they do not have control.

Response

We agree with the sentiments expressed in this comment and assume that the commenter's use of the term “entity” is referring to an organizational or professional entity and not an individual acting in a personal capacity. The final rule requires part 2 programs to provide breach notification for breaches of part 2 records in the same manner as breach notification is required for breaches of PHI, which would include breaches of part 2 records held on behalf of a program by QSOs or business associates. Under HIPAA, a business associate is required to notify a covered entity of breaches and we believe part 2 programs that are not covered entities could obligate their QSOs to notify the programs of breaches through contractual provisions. A part 2 program would not be responsible for breaches by QSOs or business associates. However, the part 2 program is responsible under this rule for having in place contractual requirements to ensure that it is timely notified of a breach by such entities so that it can meet its obligations to notify affected individuals.

Comment

A few commenters, including a managed care organization and a county health department, opined that it is appropriate to apply breach notification requirements to QSOs. Another commenter, a health plan, requested confirmation from the Department that the part 2 breach notification requirements are the same as the requirements under the HIPAA Breach Notification Rule, and also sought confirmation that the requirements would not apply to lawful holders who are caregivers not acting in a professional capacity.

Response

Our close review of the statute leads us to believe that there is no authority to apply notification requirements to QSOs as they are applied to business associates under the HIPAA Breach Notification Rule. We also agree that non-professional lawful holders, such as family members, friends, or other informal caregivers, are not the same as lawful holders acting in a professional capacity. However, non-professionals should nonetheless take reasonable steps to protect records in their custody.

Final Rule for Lawful Holders and Security of Records

We are re-organizing § 2.16(a) and finalizing additional language to clarify to whom the security requirements apply. Specifically, we are creating a new exception for certain lawful holders in new paragraph (a)(2) that expressly excludes “family, friends, and other informal caregivers” from the requirements to develop formal policies and procedures. We expect that informal caregivers and other similar lawful holders who would be subject to this exception still recognize some responsibility to safeguard these sensitive records and exercise caution when handling such records. We clarify here that while we are not making informal caregivers subject to the final rule requirements to develop formal policies and procedures, we do encourage all lawful holders to protect records. For example, informal caregivers should at least take reasonable steps to protect the confidentiality of patient identifying information.

We are finalizing breach notification requirements for part 2 programs; lawful holders are not subject to breach notification requirements.

De-Identification

Proposed Rule

Section 3221(c) of the CARES Act required the Department to apply the HIPAA standard in 45 CFR 164.514(b) for de-identification of PHI to part 2 for the purpose of disclosing part 2 records for public health purposes. To further advance alignment with HIPAA and reduce burden on disclosing entities, the Department proposed to apply 45 CFR 164.514(b) to the existing de-identification requirements in part 2: §§ 2.16 (Security for records) and 2.52 (Research) (discussed below). Specifically, the Department proposed to modify § 2.16(a)(1)(v) (for paper records) and (a)(2)(iv) (for electronic records), to read as follows: “[r]endering patient identifying information de-identified in accordance with the requirements of the [HIPAA] Privacy Rule at 45 CFR 164.514(b), such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.”

As proposed, this provision would permit part 2 programs to disclose records de-identified in accordance with the implementation specification in the HIPAA Privacy Rule ( i.e., the expert determination method or the safe harbor method) but the provision does not reference the HIPAA Privacy Rule standard at 45 CFR 164.514(a) that the implementation specification is designed to achieve—that the information is de-identified such that there is no reasonable basis to believe that the information disclosed can be used to identify an individual.

Comment

Many commenters expressed support for the Department's de-identification proposal citing a variety of reasons. One health system, stating that many part 2 programs are embedded within covered entities or share workforces with such programs, commented that de-identification standards within part 2 consistent with the HIPAA Privacy Rule would reduce workforce confusion, inadvertent non-compliance, and unintentional leaks of confidential information. A government agency commented that the express alignment with the HIPAA Privacy Rule was a welcome clarification that would protect the privacy and confidentiality of SUD patients. An individual commented that it would be prudent to enact the standards in 45 CFR 164.514(b) to offer more protection to patients and that doing so would not create adverse consequences. A managed care organization suggested that HIPAA provided an appropriate existing regulatory standard for rendering part 2 records non-identifiable. A few commenters, all health systems that partly specialize in providing SUD services, expressed strong support for the proposal and the principle that programs should not be required to obtain consent from individuals prior to de-identifying their information.

Response

We appreciate these comments.

Comment

Some commenters, including a health IT vendor and a few health information management associations, expressed support for the Department's proposal but also urged the Department to “fully align” the part 2 de-identification standard with the HIPAA Privacy Rule. For example, one of these commenters opined that the language “such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder” is not the HIPAA de-identification standard, and that the Department should instead use the exact language of HIPAA. Other commenters urged the Department to expressly clarify that both the HIPAA safe harbor method and expert determination method could satisfy the proposed de-identification requirements for part 2 records. A behavioral health advocacy organization asked the Department to clarify that the definition of part 2 “records” does not include de-identified records consistent with the HIPAA Privacy Rule's treatment of de-identified health information.

Response

We agree that, as drafted, the Department's proposal does not fully align with the regulatory text of the full de-identification standard in the HIPAA Privacy Rule, which includes paragraphs (a) and (b) of 45 CFR 164.514. We clarify here that by incorporating the HIPAA standard codified at 45 CFR 164.514(b), either method of de-identification of PHI can be used to de-identify records under part 2. We also note here a critical difference between the definitions of PHI under the HIPAA Privacy Rule and records in this part. The definition of PHI is grounded in the recognition that it is “individually identifiable health information.” The HIPAA Privacy Rule standard for de-identification therefore renders PHI no longer “individually identifiable.” In this part, the definition of records does not refer to “individually identifiable” information, but rather information “relating to a patient” and is already understood to relate to SUD records. The final rule modifies the de-identification standard in § 2.16(a)(1)(v) (for paper records) and (a)(2)(iv) (for electronic records) so it aligns more closely with the HIPAA language such that the de-identified part 2 information cannot be “used to identify a patient.”

See 45 CFR 160.103 (definition of “Protected health information”).

Comment

A few HIEs asked the Department to re-examine the “base minimum” standards for de-identified data, opining that some data may be anonymized for some algorithms, but as technology continues to improve, “de-identification in perpetuity” is truly unknown, and therefore the proposed standard may still represent a privacy risk for patients.

Response

The Department acknowledges the concerns about the burgeoning ability of some technologists to re-identify data stored in large data sets. The Department is committed to monitoring these issues as it works to determine their application to the HIPAA and part 2 de-identification standards.

Comment

One commenter, a health system, suggested that the Department make explicit the right to use part 2 records for health care operations to create a de-identified data set without patient consent. Another commenter, a health plan, recommended that the Department remove the requirement to obtain express written consent to create a de-identified data set because it conflicts with the HIPAA Privacy Rule, is counterproductive, and confuses patients when they receive a notice requesting consent to use their SUD data once de-identified.

Response

We appreciate the comment, but are constrained by the authorizing statute at 42 U.S.C. 290dd–2, which sets forth the circumstances for which records subject to part 2 may be disclosed. Where part 2 programs are not disclosing to a covered entity, the CARES Act amendments did not rescind the requirement to obtain consent prior to disclosing records for TPO.

The HIPAA term also includes a description of the activities that are excluded as not constituting a breach, and an explanatory paragraph that applies a breach presumption when an “acquisition, access, use, or disclosure” of PHI occurs in a manner not permitted under the HIPAA Privacy Rule, and that fails to demonstrate a low probability of breach based on breach risk assessment. See discussion of proposed definition of the term “breach” above.

Comment

One commenter, an industry trade association for pharmacies, commented that § 2.16 should simply refer to rendering the patient identifying information de-identified where practicable, and then define “de-identified” in section § 2.11 as data which meets the standard for de-identification under HIPAA.

Response

The proposed regulatory text is consistent with the intent expressed by the commenter, but still comports with the language required by the CARES Act for disclosures for public health activities. We therefore believe that we are finalizing a more workable standard because it is uniform across the regulation.

Comment

Several commenters opposed the proposed de-identification standard for various reasons. A privacy advocacy organization commented that the target HIPAA standard is outdated and needs “tightening.” A few HIE organizations commented that the proposal would materially and detrimentally affect the use of SUD information from part 2 records in limited data sets. These organizations interpreted the current part 2 regulations to only require removal of “direct identifiers” and believed that, under HIPAA, a limited data set can be used and disclosed for research, public health, and health care operations activities if the recipient agrees to a HIPAA data use agreement, which prohibits (among other things) re-identification of individuals. These organizations further suggested that changing §§ 2.16 and 2.52 to require use of the more stringent HIPAA de-identification standard under 45 CFR 164.514(b) will prevent researchers, public health authorities, quality improvement organizations, and others from using a limited data set containing part 2 SUD data. A limited data set is useful for research, public health, and quality improvement activities because it permits analysis of health data in connection with certain identifiers that are relevant to health outcomes, such as age, race, and gender. Prohibiting use of limited data sets for research involving part 2 records may ultimately deny SUD patients the benefits of better and more effective treatments and services. They recommended that the Department continue to consider limited data sets of SUD records as non-patient identifying information under part 2 at least for purposes of research, public health, and health care operations. With respect to consent models for de-identification, these entities requested that it be left up to part 2 programs and other lawful holders of part 2 data to decide—based on their patient populations and business needs—what is the most effective model for their community.

Response

We acknowledge the relatively large number of commenters raising the possibility that the Department codify a limited data set option in this regulation. Because many of these comments were submitted in response to our proposal to incorporate the same de-identification standard proposed here into § 2.52 (Scientific research), our response to the comments on limited data sets and similar comments related to research are addressed together, below.

Comment

One individual commented that the proposal to re-align de-identification with HIPAA lowers the part 2 standard from an objective standard to one that is subjective. The commenter believed that the phrase “no reasonable basis to believe” was subjective and would decrease the researcher's responsibility. By contrast, according to the commenter, the existing § 2.52 requirement that information be de-identified “such that the information cannot be re-identified and serve as an unauthorized means to identify a patient” is a more objective standard. Another individual commented that the proposed standard is vague and likely unenforceable.

Response

We disagree with the commenters' characterization of the proposed change as creating a standard that is subjective or vague and unenforceable. The HIPAA standard incorporated here clearly identifies two methods for de-identifying records, the expert determination method and the safe harbor method, which set forth specific requirements that are long established and well understood in the health care industry.

Final Rule Related to De-Identification of Records

We agree with commenters who urged the Department to fully align the de-identification standard in this part with the standard in the HIPAA Privacy Rule. Whereas the part 2 requirement protected records identifying a patient as having or having had an SUD, the HIPAA standard at 45 CFR 164.514(a) protects information that identifies or can be used to identify an individual. The existing part 2 standard focuses on protection of a limited number of data points based on one health condition ( i.e., SUD) while HIPAA protects the identity of the individual in connection with any health care and thus already incorporates protection of the information in part 2. Because 45 CFR 164.514(a) shields a wider range of data elements from disclosure, it is more protective of privacy than the existing part 2 de-identification requirement. By complying with the HIPAA standard, a part 2 program would also be meeting the requirements of the existing part 2 de-identification standard.

The final rule incorporates the HIPAA Privacy Rule de-identification standard in 45 CFR 164.514(b) into § 2.16 as proposed, and further modifies paragraph (a) of this section to more fully align with the complete HIPAA de-identification standard, including language that is similar to that in the HIPAA Privacy Rule at 45 CFR 164.514(a). To achieve this, we are deleting the existing part 2 phrase “as having or having had a substance use disorder” and retaining the phrase “such that there is no reasonable basis to believe that the information can be used to identify a particular patient.” Section 2.16(a)(1)(v) and (a)(2)(iv) are now modified as § 2.16(a)(1)(i)(E) and (a)(1)(ii)(D) and read as “[r]endering patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a particular patient.” We removed the language “the HIPAA Privacy Rule” from in front of the regulatory references to 45 CFR 164.514(b) because we believe it unnecessary and for consistency throughout this final rule.

By adopting the same de-identification standard as we are required to adopt for public health disclosures (in new § 2.54) into this provision (and in § 2.52 for scientific research purposes, discussed below), we provide a uniform method for de-identifying part 2 records for all purposes and provide more privacy protection than our proposed incorporation of only HIPAA 45 CFR 164.514(b). We also make clear here that the inability to identify an individual, as consistent with the language in 45 CFR 164.514(a) of HIPAA, includes the inability to identify them as a person with SUD. The final rule therefore would include the interpretation that is consistent with our initial proposal, but we believe it also protects from reidentification a broader scope of identifiers. This approach is also most responsive to commenters who generally agreed that the de-identification standards for both HIPAA and part 2 should completely align.
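The following is an added illustration, not text or code from the final rule or from the Department, of what applying the 45 CFR 164.514(b)(2) safe harbor method to a part 2 record looks like in practice, and of the point made above that the test is whether a particular individual can be identified rather than whether the record reveals an SUD: the diagnosis stays, the identifiers go. It implements only a subset of the safe harbor elements (names, telephone numbers, medical record numbers, date elements other than year, ages over 89 bucketed to 90 or older, and ZIP codes cut to three digits), then scans the remaining free text for identifier-shaped tokens, which is the check a reviewer would want before calling a data set de-identified. The sample records, the fixed reference date, and the set of three-digit ZIP prefixes to collapse are assumptions constructed for the example; the real prefix set depends on Census population figures, and the safe harbor list is longer than what is shown here.

```python
"""Safe-harbor style de-identification of a constructed part 2 record.

Added example only. Applies a SUBSET of the 45 CFR 164.514(b)(2) safe harbor
elements and then checks the output for identifier-shaped tokens left in free
text. Sample data, AS_OF and RESTRICTED_ZIP3 are assumptions, not from the rule.
"""
import re
from datetime import date

# Fields treated as direct identifiers and dropped outright.
DIRECT_IDENTIFIERS = {"name", "phone", "mrn"}
# Date fields reduced to year only (safe harbor keeps the year).
DATE_FIELDS = {"admit_date", "discharge_date"}
# ASSUMPTION: three-digit ZIP prefixes to collapse to "000". Safe harbor requires
# this where the three-digit area holds 20,000 or fewer people; the authoritative
# set comes from Census data, so treat this as a placeholder list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
# Fixed reference date so ages are reproducible (assumption for the example).
AS_OF = date(2024, 4, 16)

# Constructed sample records (not real patients).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1951-03-14",
    "zip": "03755",
    "phone": "603-555-0142",
    "mrn": "MRN-00912",
    "admit_date": "2023-11-02",
    "diagnosis": "F11.20 opioid dependence",
    "program": "Riverside SUD Program",
}
NOTE_RECORD = {
    "name": "John Example",
    "dob": "1988-07-01",
    "zip": "10002",
    "notes": "Patient called from 603-555-0142 on 2023-11-02.",
    "diagnosis": "F10.20 alcohol dependence",
}

# Identifier-shaped tokens that commonly leak through free-text fields.
RESIDUAL_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' for sparsely populated areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_bucket(dob: str, as_of: date) -> str:
    """Age in whole years; ages over 89 are aggregated into '90+'."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)


def de_identify(record: dict, as_of: date = AS_OF) -> dict:
    """Return a copy of record with the handled safe harbor elements removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "dob":
            bucket = age_bucket(value, as_of)
            out["age"] = bucket
            if bucket != "90+":          # a birth year would reveal age over 89
                out["birth_year"] = value[:4]
            continue
        if key in DATE_FIELDS:
            out[key] = value[:4]
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
            continue
        out[key] = value                  # diagnosis and other clinical content stay
    return out


def residual_identifiers(record: dict) -> list:
    """List (field, pattern) pairs where identifier-shaped text survived."""
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((key, label))
    return hits


if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD))
    # Free text is where identifiers survive field-level redaction.
    print(residual_identifiers(de_identify(NOTE_RECORD)))
```

The structured fields are handled mechanically; the residual scan is what catches the phone number and full date embedded in the notes field, which no field-level rule removes. A record with any residual hit should not be released under safe harbor, and a program relying on the expert determination method instead would document the expert's analysis rather than use a checklist like this one.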

Breach Notification

Overview

Section 290dd–2(j) of 42 U.S.C., as amended by the CARES Act, requires the Department to apply the HIPAA breach notification provisions of the HITECH Act (codified as 42 U.S.C. 17932, Notification in the case of breach) to part 2 records “to the same extent and in the same manner as such provisions apply to a covered entity in the case of a breach of unsecured protected health information.” Paragraph (k)(1) of 42 U.S.C. 290dd–2 incorporated a definition of the term breach, giving it the same meaning as under the HIPAA regulations. The HIPAA Breach Notification Rule at 45 CFR 164.402 defines breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” Paragraph (k)(9) of 42 U.S.C. 290dd–2 incorporated a definition of “unsecured protected health information,” giving it the same meaning as under the HIPAA regulations. The HIPAA Breach Notification Rule defines “unsecured protected health information” to mean PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111–5.”

Id.

Paragraph (a) of 42 U.S.C. 17932 contains the HIPAA breach notification requirements for covered entities; paragraph (b) requires a business associate of a covered entity to notify the covered entity when there is a breach and includes requirements for the notice; paragraph (c) sets forth the circumstances for when a covered entity or business associate shall treat a breach as discovered; and paragraphs (d) through (g) contain requirements related to timeliness of notice, method of notice, content of notice, and allowance for delay of notice authorized by law enforcement, respectively. Other paragraphs define “unsecured PHI,” set forth requirements for congressional reporting, and authorize interim regulations. The Department implemented 42 U.S.C. 17932 in the HIPAA Breach Notification Rule codified at 45 CFR 164.400 through 164.414.

The HIPAA Breach Notification Rule, codified at 45 CFR parts 160 and 164, subparts A and D, implements sec. 13402 of the HITECH Act (codified at 42 U.S.C. 17932).

Proposed Rule

To implement the new requirements in paragraph (j) of 42 U.S.C. 290dd–2, as amended by the CARES Act, the Department proposed to modify the heading of § 2.16 to add “and notification of breaches” and add a new paragraph § 2.16(b) to require part 2 programs to establish and implement policies and procedures for notification of breaches of unsecured part 2 records consistent with the requirements of 42 U.S.C. 17932. The HIPAA Breach Notification Rule refers to “unsecured protected health information.” The existing part 2 regulation does not have a definition of “unsecured records” but to align with HIPAA we proposed such a definition, as discussed in § 2.11, above.

Comment

The commenters who addressed the breach notification proposals unanimously expressed support for applying breach notification requirements to part 2, with slightly more than half expressing general support without further elaboration. Other supportive commenters expressed additional views, including that the Department's proposal: implemented the CARES Act; was likely to ensure patient confidentiality in the same manner as HIPAA; and could provide a “counterweight” to the perceived lessening of part 2 protections brought about by the CARES Act.

Response

The Department appreciates these comments.

Comment

Almost half of all commenters on breach notification expressed support for the proposal but requested clarification or guidance, especially related to the interaction of newly proposed breach notification requirements and HIPAA breach notification requirements. For example, one commenter, a health plan association, recommended that the Department clarify that if a use or disclosure of part 2 records is permitted by the HIPAA Privacy Rule, then the same use or disclosure would not be considered a breach under part 2. This same commenter requested, in the alternative, that if the activity did amount to a breach under part 2, the rule should provide that states have the ability to exempt HIPAA covered entities and business associates from part 2 breach notification requirements to avoid overlap, confusion, or conflict among individuals who receive notification. A legal advocacy association commented that HHS should clarify that the breach notification requirement applies to disclosures that violate the part 2 standard of confidentiality, and not just disclosures that violate the HIPAA Privacy Rule, and that the Department should amend the definition of “breach” in § 2.11 or clarify in § 2.16 that patients should be notified of any acquisition, access, use, or disclosure of part 2 records in a manner not permitted under 42 CFR part 2. Yet another commenter, a health system, requested clarification of whether overlapping breach reporting obligations triggered by an activity that violated both HIPAA and part 2 would involve communicating with OCR, SAMHSA, or both.

Response

In the CARES Act, Congress replaced the criminal penalties for part 2 violations with the HITECH civil penalty structure that is applied to violations of the HIPAA regulations, as well as criminal penalties for certain violations. The CARES Act did not include an exemption for persons who are subject to both regulatory schemes, and who commit acts that violate both regulatory schemes. We expect a new enforcement process to ensure efficient use of Department agencies' resources, emphasize bringing entities into compliance with part 2, and avoid duplicative reporting by part 2 programs.

Comment

We received several comments related to breach notification and the impact of the proposed effective dates and compliance dates for a final rule. A hospital association and a health IT vendor recommended that the Department phase in the breach notification requirements or extend the period of time for compliance beyond the proposed timeline, noting that compliance with part 2 is already complex and a potential deterrent to treating patients with SUD, and that the risk of monetary penalties would further deter providers from taking on these patients. One of these commenters also noted that implementing breach notification capability could be a time-consuming process requiring time beyond what the Department estimated. Several commenters stated that many part 2 programs are also subject to HIPAA and thus are already complying with breach notification, so the proposal would not create any additional burden for such programs. One commenter believed that the number of entities or individuals affected by the proposal (part 2 programs not subject to HIPAA) would be small.

Response

We appreciate the concerns expressed about the potential complexity of implementing breach notification among this community of providers but agree that many providers have already implemented breach notification because they are also covered entities under HIPAA and that overall, a relatively small number of entities will be affected. We are mindful, however, that this regulation must also still serve the community of part 2 programs that are not subject to HIPAA. We remind such entities that the required compliance date would not occur until almost two years after the rule becomes effective. These entities may wish to review existing guidance on breach notification.

See, e.g., U.S. Dep't of Health and Human Servs., “Breach Notification Rule” (July 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

Comment

One anonymous commenter urged the Department to disallow part 2 programs, covered entities, and investigative agencies from relying on TV and newspaper notification avenues because these methods are no longer likely to be seen by patients, and therefore should not be treated as meaningful or considered cost effective.

Response

We note at the outset that we have not proposed to make breach notification applicable to lawful holders such as “investigative agencies.” We agree that breach notification provisions across types of entities should be uniform. We also believe the commenter's suggestion is reasonable; however, we believe that more breach notification options, rather than fewer options, are preferable.

Final Rule

The Department adopts the proposal to add paragraph (b) to § 2.16 to require part 2 programs to establish and implement policies and procedures for notification of breaches of unsecured part 2 records consistent with the requirements of 45 CFR parts 160 and 164, subpart D. First, we believe this provision is consistent with the CARES Act requirement to apply breach notification to part 2 in the same manner as it applies to covered entities for breaches of unsecured PHI. Second, we believe the same public policy objectives of the HIPAA Breach Notification Rule as applied to covered entities are furthered by establishing analogous requirements for part 2 programs. In the NPRM we established those policy objectives as: (1) greater accountability for part 2 programs through requirements to maintain written policies and procedures to address breaches and document actions taken in response to a breach; (2) enhanced oversight and public awareness through notification of the Secretary, affected patients, and in some cases the media; (3) greater protection of patients through obligations to mitigate harm to affected patients resulting from a breach; and (4) improved measures to prevent future breaches as part 2 programs timely resolve the causes of record breaches.

Finally, as we discuss in greater detail in Definitions, in § 2.11 above, we are finalizing proposed definitions for “breach” and “unsecured records.” In addition to the term “breach” being required by the amended statute, we believe incorporating these terms and definitions, as proposed, helps bring clarity to regulated entities on how to operationalize breach notification requirements aligned with HIPAA in part 2. In keeping with these changes, we are finalizing the proposed modification of the heading of § 2.16 so that it now reads “Security for records and notification of breaches.”

Section 2.17—Undercover Agents and Informants

As we discussed above, the final rule adopts the proposed addition of the language “or disclosed” after “used” in this section so that both the use and the disclosure of part 2 records are prohibited by this section pursuant to the statutory authority. We did not receive public comments on this proposal and there are no other substantive changes to this section.

Section 2.19—Disposition of Records by Discontinued Programs

Proposed Rule

Section 2.19 requires a part 2 program to remove patient identifying information or destroy the records when a program discontinues services or is acquired by another program, unless patient consent is obtained or another law requires retention of the records. The Department proposed to create a third exception to this general requirement to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of part 2 programs pursuant to the ISDEAA, to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. The Department also proposed wording changes to improve readability and modernize the regulation, such as by referring to “non-electronic” records instead of “paper” records, and structural changes to the numbering of paragraphs.

For further information on the ISDEAA, see Indian Health Service, Title 1, HHS, https://www.ihs.gov/odsct/title1/.

Comment

One commenter asserted that the Department's proposed exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of part 2 programs pursuant to the ISDEAA is a logical addition that will promote continuity of patient treatment. However, the commenter requested further clarification of the rule's record retention requirements for discontinued or acquired programs, including the provision that requires labeling stored non-electronic records with specific regulatory language. The commenter asked if the reference in the NPRM preamble to “another law” that might require record retention was a reference to HIPAA for covered entities.

Response

The Department appreciates the comments about clarifying in the final rule that these provisions do not apply to transfers, retrocessions, and reassumptions of part 2 programs pursuant to the ISDEAA. Part 2 has long had requirements pertaining to paper records, which were updated in 2017 to apply to electronic records of discontinued programs as well.

82 FR 6052, 6076; 81 FR 6987, 6999 (Feb. 9, 2016).

When there is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program, the dates of record retention would be reflected in the requirements of that law under § 2.19(a)(2). The NPRM discussion of this was not intended as a reference to a specific law, but more generally to records retention laws which are typically established in state law for medical records. The HIPAA regulations do not address the time period for retention of medical records, but contain requirements for how retained records must be safeguarded. The HIPAA regulations also address retention of compliance documentation that may be located within a medical record (such as a signed authorization) or stored separately (such as security risk analyses). HIPAA Security Rule requirements for proper storage and security of records also may apply to records maintained by part 2 programs that also are covered entities.

See, e.g., U.S. Dep't of Health and Human Servs., “Security Rule Guidance Material” (June 29, 2023), https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html. See also, “Guidance on Risk Analysis,” supra note 115; U.S. Dep't of Health and Human Servs., “Does the HIPAA Privacy Rule require covered entities to keep patients' medical records for any period of time?” (Feb. 18, 2009), https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html.

Comment

Another commenter expressed concern that current EHR systems do not support removing only part 2 data from one program for a particular patient or subset of patients, so it may not be technically feasible to remove patient identifying information or destroy the data as required by § 2.19. The commenter claimed that the requirements for this section as described in the NPRM would require EHRs to be redesigned and therefore recommended alignment with the HIPAA Privacy and Security Rules. The commenter asserted that the HIPAA Security Rule requires that covered entities implement policies and procedures that address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

Response

We appreciate the feedback. Distinct requirements for disposition of part 2 records for discontinued programs have existed since 1987. In 2017 the Department applied this section to electronic records. At that time, we cited resources that may support compliance with this requirement, including from OCR (e.g., Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule) and the National Institute of Standards and Technology (NIST) (e.g., Special Publication 800–88, Guidelines for Media Sanitization). These and other resources developed by OCR, NIST, ONC, and others can continue to aid compliance with this section. The Department also notes that part 2 has established distinct requirements in § 2.19 for disposition of part 2 records that may be more stringent and specific than those articulated in the HIPAA Security Rule, based on the purposes of part 2 and the stigma and discrimination associated with improper disclosure of SUD records. This section was updated in the 2020 final rule to apply to use of personal devices and accounts.

See 52 FR 21796.

82 FR 6052, 6076.

82 FR 6052, 6075; 81 FR 6987, 6999.

85 FR 42986, 42988.

Final Rule

The Department is finalizing all proposed changes to this section without further modification.

Section 2.20—Relationship to State laws

Proposed Rule

Section 2.20 establishes the relationship of state laws to part 2 and provides that part 2 does not preempt the field of law which it covers to the exclusion of all applicable state laws, but that no state law may either authorize or compel a disclosure prohibited by part 2. Part 2 records frequently are also subject to regulation by various state laws. For example, similar to part 2, state laws impose restrictions to varying degrees on uses and disclosures of records related to SUD and other sensitive health information, such as reproductive health, HIV, or mental illness. The Department stated in the NPRM its assumption that, to the extent state laws address SUD records, part 2 programs generally are able to comply with both part 2 and state law. The Department requested comment on this assumption and further requested examples of any circumstances in which a state law compels a use or disclosure that is prohibited by part 2, such that part 2 preempts such state law.

See, e.g., Mich. Comp. Laws sec. 333.6111 (expressly excluding SUD records from an emergency medical service as restricted); and NJ Rev. Stat. sec. 26:2B–20 (2013) (requiring records to be confidential except by proper judicial order whether connected to pending judicial proceedings or otherwise).

See, e.g., MO Rev. Stat. sec. 191.731 (requiring SUD records of certain pregnant women remain confidential). Ctrs. for Disease Control and Prevention, “State Laws that address High-Impact HIV Prevention Efforts” (March 17, 2022), https://www.cdc.gov/hiv/policies/law/states/index.html; “TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations,” supra note 122.

Comment

Several commenters asserted that complete Federal preemption is needed on part 2 issues with respect to state law, or barriers to care coordination will continue to exist. One commenter, a county government, said that part 2 preemption of state law is a problem in California because it creates a barrier when parents attempt to obtain SUD treatment for their minor children over the objection of the minor. Part 2 prevents disclosure of the minor's records without the minor's consent. Another commenter believed that part 2 conflicts with state law regarding state-mandated reporting of types of abuse other than child abuse (such as elder abuse or domestic violence) and creates a dilemma for part 2 providers who need to report because there is not a “required by law” exception within part 2.

Response

We acknowledge that considerable variation in patient consent laws exists for minors at the state level and discuss these issues in more detail in responding to comments regarding § 2.14. The Department also notes that state behavioral health privacy laws may vary.

See “State-by-State Variability in Adolescent Privacy Laws,” supra note 172.

See “TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations,” supra note 122.

With respect to reporting abuse and neglect, 42 U.S.C. 290dd–2 expressly states that the prohibitions of part 2 “do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities.” However, no similar references are made to domestic violence, elder abuse, animal abuse, or other similar activities. Moreover, such changes were not proposed in the NPRM. Part 2 does, however, permit reporting a crime on the premises or against part 2 program personnel (§ 2.12(c)(5)), or applying for a court order to disclose confidential communications about an existing threat to life or serious bodily injury (§ 2.62). The Department also advised in the 2017 rule that “if a program determines it is important to report elder abuse, disabled person abuse, or a threat to someone's health or safety, or if the laws in a program's state require such reporting, the program must make the report anonymously, or in a way that does not disclose that the person making the threat is a patient in the program or has a substance use disorder.” A program could file a report therefore in such a way that does not note that the subject of the report is a patient in a part 2 program or has an SUD.

82 FR 6052, 6071.

Comment

One commenter supported balancing the alignment of Federal privacy law and regulations with HIPAA and applicable state law for the purposes of TPO. Another commenter believed that to foster care coordination the Department should work with states to better align with the Federal standards to improve care coordination and individual patient outcomes.

Response

We appreciate the comments on our proposed changes to align part 2 with HIPAA consistent with the CARES Act.

Comment

A state agency requested express permission within the regulation to permit disclosures to state data collection agencies, such as APCDs, because there is not a “required by law” provision in this part that would otherwise permit SUD records to be submitted to the state agencies that collect other health and claims data. A state agency requested that the final rule clearly authorize state agencies that maintain repositories of health care claims and discharge data to receive SUD information under 42 CFR part 2. SAMHSA, the commenter said, addressed a similar issue with state-operated PDMPs by clarifying in its 2020 final rule that such disclosures were authorized under 42 CFR part 2. The commenter reported that the PDMP modification strengthened a critical component of states' ability to monitor access, use, and abuse of prescription drugs, while protecting patient privacy and confidentiality.

Response

We appreciate the comment and recommendation. The Department, in 2020, added a new section § 2.36 (Disclosures to prescription drug monitoring programs), based on a regulatory proposal. No provision was proposed in the NPRM pertaining to APCDs/multi-payer claims databases (MPCDs) and thus there is no basis to add such a provision in the final rule. The Department previously declined to include exceptions to various requirements for APCDs/MPCDs after consideration of comments received on these issues in 2017.

See 85 FR 42986, 43015; 84 FR 44568, 44576.

82 FR 6052, 6079.

Comment

A state agency said that in its state, the majority of SUD treatment records are covered by part 2; it has communicated to licensed SUD treatment providers that they will not be cited for state regulatory violations if they disclose information as permitted by part 2. Licensed providers who are not part 2 programs are currently asked to verify this status with the state if a disclosure is made under HIPAA that would not be permitted by part 2.

Response

The Department appreciates this information in response to our request for input about these issues.

Comment

For one commenter, the final rule provides an opportunity to encourage states to update regulations that can often be outdated and confusing with regard to applicability. Such updates could facilitate care coordination and access. A hospital association requested more guidance on the interaction of Federal and state laws, noting that hospitals in states with confidentiality laws specific to SUD or citing part 2 will have to invest significant time and financial resources into understanding the interaction between Federal and state laws and how to incorporate those laws into real-time care decisions. Some hospitals also may provide services in multiple states, the commenter pointed out, and patients may therefore receive treatment at facilities in more than one state. Other commenters requested that the Department provide additional guidance on the interaction between Federal and state SUD confidentiality requirements and technical assistance to help providers operationalize these requirements. One commenter also requested guidance to address such issues as hospitals providing services in multiple states and application of state laws to out-of-state telehealth consultations.

Response

We appreciate these comments and may provide additional guidance and technical support to states and others after this rule is finalized. As previously noted, the Department supports the Center of Excellence for Protected Health Information Related to Behavioral Health, that can provide guidance and technical support on behavioral health privacy laws. The Department will continue to support this Center. The Department supports efforts to facilitate telehealth use consistent with HIPAA, part 2, and other state and Federal requirements. The Department has developed and supported resources to promote appropriate use of telehealth for SUD and other behavioral health conditions. The Department acknowledges that hospitals or other providers providing services in multiple states may face more complex compliance burdens and may need to consult legal counsel to ensure compliance, as the Department has previously advised.

See “About COE PHI,” supra note 105.

See The Ctr. of Excellence for Protected Health Info., “Telehealth,” https://coephi.org/protecting-health-information/telehealth-resources/; U.S. Dep't of Health and Human Servs., “Telehealth for behavioral health care,” https://telehealth.hhs.gov/providers/best-practice-guides/telehealth-for-behavioral-health; Substance Abuse and Mental Health Servs. Admin., “Telehealth for the Treatment of Serious Mental Illness and Substance Use Disorders” (2021), https://www.samhsa.gov/resource/ebp/telehealth-treatment-serious-mental-illness-substance-use-disorders.

82 FR 6052, 6071.

Comment

One commenter said that any changes need to take into account discrepancies between state and Federal laws regarding release of information and ways to protect patients from the consequences of their information being used against them.

Response

The Department acknowledges that the complex intersection of state and Federal behavioral health privacy statutes and regulations may result in unnecessary or improper disclosures. As we have noted in this section, part 2 does not preempt more stringent state statutes or regulations. Likewise, we have stated that HIPAA constitutes a floor of privacy protection that does not preclude more stringent state laws.

See U.S. Dep't of Health and Human Servs., “Preemption of State Law,” https://www.hhs.gov/hipaa/for-professionals/faq/preemption-of-state-law/index.html. For surveys of state privacy laws and discussion of state requirements see, e.g., “50-State Survey of Health Care Information Privacy Laws,” supra note 107; George Washington Univ.'s Hirsh Health Law and Pol'y Program and the Robert Wood Johnson Found., “States,” Health Information & the Law, http://www.healthinfolaw.org/state; “TAC Assessment Working Paper: 2016 Compilation of State Behavioral Health Patient Treatment Privacy and Disclosure Laws and Regulations,” supra note 122.

Comment

One commenter was concerned that Federal efforts to promote interoperability may intersect with conflicting state requirements, pointing to the Federal Trusted Exchange Framework and Common Agreement (TEFCA) initiative as an example. The commenter believed that the health care industry does not yet fully understand all the potential conflicts and how they will impact health information exchange. Another commenter suggested requiring electronic records to display the basis when certain information is not visible or accessible (e.g., due to state law, patient restriction, etc.).

See The Off. of the Nat'l Coordinator for Health Info. Tech. (ONC), “Trusted Exchange Framework and Common Agreement (TEFCA),” https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca.

Response

The Department will continue to support health IT and behavioral health integration by ensuring that TEFCA and other efforts are consistent with part 2 and take into account state requirements. As noted above, the Department has developed guidance for part 2 programs on exchanging part 2 data and may update such guidance in the future. The Department continues to support EHRs and health IT compliant with part 2 and HIPAA requirements as well as care coordination and behavioral health integration.

See “Behavioral Health,” supra note 133.

See “Substance Abuse Confidentiality Regulations,” supra note 113.

See “Behavioral Health,” supra note 133.

Comment

A commenter recommended that a Federal electronic consent standard should override conflicting state law.

Response

While electronic signatures are beyond the scope of this rulemaking and no modifications to electronic signature requirements were proposed by the Department, both HIPAA and part 2 permit electronic signatures for authorizations or consents consistent with state law. As stated in HHS guidance, the HIPAA Privacy Rule “allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.” The Department also has stated in guidance and regulation that under part 2 electronic signatures are permissible. In 2017 the Department revised § 2.31 “to permit electronic signatures to the extent that they are not prohibited by any applicable law.” However, the Department also advised that “[b]ecause there is no single federal law on electronic signatures and there may be variation in state laws, SAMHSA recommends that stakeholders consult their attorneys to ensure they are in compliance with all applicable laws.”

U.S. Dep't of Health and Human Servs., Off. for Civil Rights, “How do HIPAA authorizations apply to an electronic health information exchange environment?” (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html; U.S. Dep't of Health and Human Servs., “Does the Security Rule require the use of an electronic or digital signature?” (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/2009/does-the-security-rule-require-the-use-of-an-electronic-signature/index.html.

See “Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE),” supra note 150.

82 FR 6052, 6080.

The requirements for providing consent under § 2.31 and the notice and copy of consent to accompany disclosure under § 2.32 could be met in electronic form. The requirements of § 2.32 would not require the written consent, copies of a written consent, or a notice to accompany a disclosure of part 2 records to be in paper or other hard copy form, provided that any required signatures obtained in electronic form would be valid under applicable law. This interpretation is consistent with the Department's approach under the HIPAA Privacy Rule. OCR has provided prior guidance stating that covered entities can disclose PHI pursuant to an electronic copy of a valid and signed authorization, and the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided that any electronic signature is valid under applicable law.

U.S. Dep't of Health and Human Servs., Off. For Civil Rights, “How do HIPAA authorizations apply to an electronic health information exchange environment?” https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html.

Final Rule

After considering the public comments on the relationship of part 2 to state laws we are finalizing this section as proposed without further modification.

Section 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity

The Department adopts the proposal in § 2.21(b) to reorder “disclosure and use” to read “use and disclosure” to better align the wording of this section with language used in the HIPAA Privacy Rule. A provider health system supported the proposal and no other comments were received on this proposal.

Section 2.22—Notice to Patients of Federal Confidentiality Requirements

In the NPRM, we included a detailed discussion of proposed modifications to HIPAA Privacy Rule 45 CFR 164.520, Notice of privacy practices for protected health information, in addition to modifications proposed to § 2.22, Notice to Patients of Federal Confidentiality. Here, we include a brief explanation that HIPAA Privacy Rule proposed modifications and public comments will be considered in a separate rulemaking.

Patient Notice

Proposed Rule

Section 3221(i) of the CARES Act required the Secretary to update the HIPAA NPP requirements at 45 CFR 164.520 to specify new requirements for covered entities and part 2 programs with respect to part 2 records that are PHI (i.e., records of SUD treatment by a part 2 program that are transmitted or maintained by or for covered entities). By applying such requirements, entities that are dually regulated by both part 2 and HIPAA would be subject to the notice requirements. As discussed here, and consistent with our approach throughout this rulemaking, in addition to proposing the required updates to 45 CFR 164.520 (discussed below), we also proposed to revise the Patient Notice at § 2.22.

As explained in the NPRM, to the extent the HIPAA regulations and part 2 cover different, but often overlapping, sets of regulated entities, and the HIPAA NPP offers more robust notice requirements than the Patient Notice, the Department proposed to modify § 2.22 to provide the same information to patients of part 2 programs as individuals receive under the HIPAA Privacy Rule. The Department's proposed modifications to the Patient Notice would also restructure it to substantially mirror the structure of the HIPAA NPP but exclude those elements that are inapplicable to part 2 programs. The specific proposed changes are described in detail in the NPRM and set forth below following the discussion of general comments.

Overview of Comments

The Department received more comments about its approach to modifying the Patient Notice to align with the HIPAA NPP than comments about specific elements of the proposed notice. Some commenters supported aligning part 2 Patient Notice requirements with the HIPAA NPP. Other commenters expressed concerns, asked for clarity on certain specific proposed requirements, or urged the Department to provide resources or examples to support compliance.

Response

We appreciate the comments about the proposed changes and discuss our response to specific concerns expressed by commenters below.

Patient Understanding

Comment

Some commenters questioned whether the Patient Notice would ensure part 2 patients, programs, and recipients of part 2 records understand how part 2 records will be used, disclosed, and protected. Such requirements, these commenters said, should be delineated in easy-to-understand wording in the patient's primary language. One commenter, describing their experiences as a patient and professional, said that they were not educated about the consent forms or what they were disclosing and their rights.

Some commenters expressed concern that patients may not understand the revised notices, suggesting that the Department's approach could lead to additional downstream disclosures and legal consequences for patients even as it supported care coordination. A medical professionals association also emphasized its view that the Department should ensure standard and easily understandable notices of privacy practices. Other commenters suggested the Patient Notices be simplified and streamlined, such as by limiting notices to one page or gearing notices to a fifth-grade reading level. A state agency suggested that the Patient Notice adhere to language and disability access standards to the extent required under HIPAA. A privacy association opined that the proposed rule allows a patient to consent to a broad range of TPO disclosures, but also noted that SUD patients may at times lack capacity to understand the Patient Notice. These challenges may also apply to understanding consents and to managing revocation of consents. However, the association believes that this result is dictated by the statute rather than the Department's approach in the NPRM. A county government also expressed its view that it is difficult to provide these notices when the patient is undergoing detoxification or treatment for a SUD.

Response

We appreciate these comments. We mirrored required elements of the HIPAA NPP in the Patient Notice because we believe that patients have become familiar with it and to reflect the closer alignment between part 2 and HIPAA in the final rule. We have provided further clarification concerning the substantive alignment of part 2 and HIPAA requirements through responses to public comments in several other sections of the final rule. The Department recognizes that outreach and further guidance will be needed both to persons with SUD and to providers in connection with the final rule. The Department will continue to monitor the response to part 2 in the SUD treatment community and will provide clarification of the final rule as needed. We discuss patients who lack capacity to make health care decisions in § 2.15 above.

Single or Streamlined Form

Comment

Commenters expressed different views as to whether they preferred using a single document or separate HIPAA and part 2 notices to provide notice statements to patients to aid compliance and patient understanding. One public health agency asked HHS to confirm that a single notice of privacy practices can fulfill both part 2 and HIPAA obligations. Some commenters said that for them a single notice of privacy practices would reduce burdens or be the most effective way to convey privacy information to patients without creating unnecessary confusion and burden through excessive paperwork, and asked for confirmation that this was permitted. An academic health center supported covered entities which have part 2 programs using one NPP addressing key elements of the HIPAA NPP such as a Header, Uses and Disclosures, and Individual Rights. If a joint notice is acceptable, a commenter asked that proposed 42 CFR 2.22(b)(1)(i) be updated to note that the 45 CFR 164.520(b)(1)(v)(C) header may be used in a combined notice. A trade association and health plan supported part 2 notices including elements of the HIPAA NPP such as a description of the permitted uses and disclosures of part 2 records, the complaint process, and the patient's right to revoke their consent for the part 2 program to disclose records in certain circumstances.

Response

We have stated both in HIPAA and part 2 guidance that notices for different purposes may be separate or joint/combined so long as the required elements are included. Thus, either using separate HIPAA, state law, or part 2 notices or combining these notices into one form would be acceptable so long as all required elements are included.

See U.S. Dep't of Health and Human Servs., “Notice of Privacy Practices for Protected Health Information” (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html; “Substance Abuse Confidentiality Regulations,” supra note 113.

Comment

Commenters also urged the Department to support a simplified or streamlined Patient Notice. One advocacy organization characterized the proposed notice as unwieldy and overly detailed for both patients seeking to understand their rights and covered entities, and said the Department should streamline both notices and develop model Patient Notices as it has done for HIPAA NPPs. A health plan encouraged the Department to align with the HIPAA Privacy Rule by developing two versions of the part 2 model notice language: (a) the minimum necessary additional language/verbiage, which would be required to be added to an existing HIPAA NPP for entities which already are subject to that requirement; and (b) a notice similar to what is in the proposed rule for entities which do not already have a notice.

Other commenters urged the Department to develop notice templates or model forms in multiple languages. A state agency supported the HIPAA NPP's being translated, at a minimum, into the top three languages for a provider's client population. One commenter asked the Department to develop at least two example Patient Notices—one directed at providers, and the other directed at payers and health coverage issuers. Another commenter suggested that model Patient Notices were needed for a HIPAA covered entity that has an existing HIPAA NPP and therefore HHS should create a minimal addendum or template which highlights any additional language specifically required to be added to that existing HIPAA NPP relative to this rule. The commenter also urged the Department to develop a Patient Notice template for third-party payers or other entities which may not already use a HIPAA NPP. Commenters urged that given the HIPAA enforcement proposal, there should be a safe harbor for using these standard notices.

Response

We appreciate this comment and understand the value of having a sample or model notice that incorporates the changes finalized in this rule. The Department may, at a future time, develop sample templates and forms to support compliance with § 2.22. We also note that this final rule provides 24 months from the date of publication for compliance with its provisions.

Administrative Burdens

Comment

The Department received several comments stating that proposed changes to the part 2 notice would either reduce or increase part 2 program, provider, or covered entity burdens. While part 2 programs and covered entities would need to update both the Patient Notice and the HIPAA NPP, the benefits outweighed the burdens, according to some commenters. One commenter asked HHS to clarify that § 2.22 only applies to part 2 programs that are not subject to HIPAA. Another commenter said that as a dually regulated entity it believed that aligning these two notices will reduce dually regulated entities' burden of compliance, and improve patient understanding by reducing the amount of reading required. The commenter said updating notices concurrently would reduce their burden. Many commenters said examples of the updated HIPAA NPP and Patient Notice would be helpful and reduce their administrative burdens. Others also suggested the Department reduce administrative burdens and improve compliance by providing educational resources and templates to providers and patients and work with advocacy organizations to ensure the notice requirements are understood by patients and practical for providers.

Another commenter supported the proposed changes, stating that it anticipated an additional administrative burden on part 2 programs which are not covered by HIPAA but limited impact or additional burden on those part 2 programs covered by HIPAA. One commenter similarly described what it viewed as potential burdens but said that for entities which are both part 2 programs and covered entities, a portion of the burden would be offset by the ability to have consistent policies and procedures given the new alignment between the part 2 rules and the HIPAA regulations. A medical professionals association, while supporting alignment of the part 2 notice with the HIPAA NPP, suggested there would be an additional burden from modifying the HIPAA NPP for physician practices, especially small practices and those in rural areas.

Response

The Department detailed its analysis of potential costs and benefits in the NPRM and in the RIA below. As we earlier noted, we are finalizing the part 2 Rule only at this time. The Department intends to publish the CARES Act required revisions to the HIPAA NPP provision (45 CFR 164.520) as part of a future HIPAA rulemaking. Thus, this final rule focuses only on changes to the Patient Notice under § 2.22. We intend to align compliance dates for any required changes to the HIPAA NPP and part 2 Patient Notice to enable covered entities to make such changes at the same time.

After both this rule and the forthcoming HIPAA Privacy Rule changes are finalized, while entities initially may require time to update the content of the Patient Notice and HIPAA NPP, commenters stated many part 2 programs, such as those that also are covered entities, may be able to save time and patients may benefit from enhanced protections offered by the revised notices. The Department acknowledges that some smaller, rural, or other types of practices may face increased burdens relative to larger entities, though this may not be true in all cases as many smaller practices or providers may also have familiarity both with HIPAA and part 2. The Department may develop template/model forms or other guidance subsequent to finalizing this rule.

Notifying Patients

Comment

Some commenters expressed concerns about notifying patients of new or updated notices. A medical professionals association expressed concern that the notification process as described in the NPRM may be problematic for those patients who lack mailing addresses and substitute notice by publication still might not be sufficient to inform patients about release of their records.

Response

We appreciate the comments and acknowledge that updating the Patient Notice will create some burden for part 2 programs, as may copying and mailing costs; however, we believe that the burdens will be balanced by the overall burden reduction as a result of the decreased number of consents that are required for routine uses and disclosures. Section 2.22 as revised in this rule requires part 2 programs to notify patients when requirements that pertain to a patient's treatment have materially changed. It specifically requires the updated Patient Notice to be provided by the first day the health care is provided to the patient after the compliance date for the program, or for emergency treatment as soon as reasonably practicable after the emergency. The Department's stated intention to hold in abeyance updates to the HIPAA NPP pending a future rulemaking does not negate the Department's expectation that part 2 programs will comply with the requirements in § 2.22. However, as explained above, we intend to align compliance dates for any required changes to the HIPAA NPP and part 2 Patient Notice to enable covered entities to make such changes at the same time.

Recommendations To Change the Proposal

Comment

One commenter noted that the proposed Patient Notice did not include notice that patients could obtain copies of their records at limited cost or, in some cases, free of charge. The commenter stated that, although §§ 2.22 and 2.23 do not require a part 2 program to give a patient the right to inspect or get copies of their records, the Department should use the general regulatory authority of the CARES Act (section 3221(i)(1)) to require part 2 programs to allow patients to inspect or get copies of their records. This commenter supported the Patient Notice statement describing the duties of part 2 programs with respect to part 2 records even though it is not required by 42 U.S.C. 290dd–2.

Response

The commenter is correct that these regulations do not create a patient right of access to their records analogous to the HIPAA Privacy Rule right of access. We discuss patient access and restrictions on use and disclosure in § 2.23.

See “Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524,” supra note 159.

Comment

A commenter requested modification of the section of the notice pertaining to complaints so that complaints may be filed “either to the Part 2 Program or the Secretary” rather than to the program and the Secretary. Requiring the patient to complain to both entities may intimidate the patient especially if they are dependent on the part 2 program for employment, child welfare, or criminal justice purposes, the commenter asserted.

Response

As we state in § 2.4 (Complaints of noncompliance), a person may file a complaint with the Secretary for a violation of this part by a part 2 program, covered entity, business associate, qualified service organization, or other lawful holder but is not compelled to file a complaint of violation both with the Secretary and the part 2 program. This “no wrong door” approach mirrors the language in the HIPAA NPP for the HIPAA Privacy Rule, and OCR has continued to receive thousands of privacy complaints annually. A patient who files a complaint with a provider may or may not receive a response, and we do not believe a patient should be required to wait before bringing their complaints of noncompliance to the Department's attention. Further, many complaints filed with the Department are readily resolved through voluntary compliance and technical assistance to aid the entity's compliance with the regulation. Thus, we do not believe it will overly burden part 2 programs to allow patients to file complaints directly with the Department.

Final Rule

Header

The Department proposed to require a header for the Patient Notice that would be nearly identical to the header required in the HIPAA NPP (and as proposed for amendment in the NPRM) at 45 CFR 164.520(b)(1)(i) except where necessary to distinguish components of the notice not applicable to 42 CFR part 2. For example, the Patient Notice that would be provided pursuant to this part would not include notice that patients could exercise the right to get copies of records at limited costs or, in some cases, free of charge, nor would it provide notice that patients could inspect or get copies of records under HIPAA.

The final rule adopts the header as proposed without modification.

Uses and Disclosures

The Department is finalizing its proposal, without modification, to require a part 2 program to include in its Patient Notice descriptions of uses and disclosures that are permitted for TPO, are permitted without written consent, or will only be made with written consent. The Department is finalizing its proposed requirement that a covered entity that creates or maintains part 2 records include sufficient detail in its Patient Notice to place the patient on notice of the uses and disclosures that are permitted or required. Although, as stated in the NPRM, the Department believes section 3221(k)(4) of the CARES Act—stating that certain de-identification and fundraising activities should be excluded from the definition of health care operations—has no legal effect as a Sense of Congress, the Department will finalize its proposed new paragraph (b)(1)(iii) in § 2.22. This provision requires that a part 2 program provide notice to patients that the program may use and disclose part 2 records to fundraise for the program's own behalf only if the patient is first provided with a clear and conspicuous opportunity to elect not to receive fundraising communications. This new notice requirement is consistent with the requirement at § 2.31(a)(5)(iii) in which a part 2 program, when obtaining a patient's TPO consent, must provide the patient the opportunity to elect not to receive fundraising communications.

Rather than referring to “the HIPAA Privacy Rule” we instead refer in this rule to “HIPAA regulations” to describe the redisclosure permission applicable to part 2 programs, covered entities, and business associates following an initial disclosure based on a TPO consent. We believe this modification to what we initially proposed is consistent with our incorporation of the new defined term “HIPAA regulations” into part 2.

Patient Rights

The Department is finalizing its proposal, with further modification, to require that a part 2 program include in the Patient Notice statements of patients' rights with respect to part 2 records. The structure mirrors the statements of rights required in the HIPAA NPP for covered entities and PHI, but is based on amended 42 U.S.C. 290dd–2 and patient rights under the final rule. The patient rights listed include, for example, the rights to:

  • Request restrictions of disclosures made with prior consent for purposes of TPO, as provided in 42 U.S.C. 290dd–2(b)(1)(C).
  • Request and obtain restrictions of disclosures of part 2 records to the patient's health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to restrictions of disclosures of PHI.
  • Obtain an electronic or non-electronic copy of the notice from the part 2 program upon request.
  • Discuss the notice with a designated contact person identified by the part 2 program pursuant to paragraph 45 CFR 164.520(b)(1)(vii).
  • Obtain a list of disclosures by an intermediary for the past 3 years, as provided in 42 CFR 2.24.
  • Elect not to receive any fundraising communications.

Part 2 Program's Duties

The Department is finalizing its proposal, without modification, to incorporate into the Patient Notice statements describing the duties of part 2 programs with respect to part 2 records that parallel the statements of duties of covered entities required in the HIPAA NPP with respect to PHI. Although this change is not required by 42 U.S.C. 290dd–2, the statement of duties would put patients on notice of the obligations of part 2 programs to maintain the privacy and security of part 2 records, abide by the terms of the Patient Notice, and inform patients that it may change the terms of a Patient Notice. The Patient Notice also would include a statement of the new duty under 42 U.S.C. 290dd–2(j) to notify affected patients following a breach of part 2 records.

Complaints

The Department is finalizing its proposal, without modification, to require that a part 2 program inform patients, in the Patient Notice, that the patients may complain to the part 2 program and Secretary when they believe their privacy rights have been violated, as well as a brief description of how the patient may file the complaint and a statement that the patient will not be retaliated against for filing a complaint. We are finalizing the new provision that patients may complain to the Secretary as well as the part 2 program. These changes support the implementation of the CARES Act enforcement provisions, which apply the civil enforcement provisions of section 1176 of the Social Security Act to violations of 42 U.S.C. 290dd–2.

Contact and Effective Date

The Department is finalizing its proposal, without modification, to require that the Patient Notice provide the name or title, telephone number, and email address of a person or office a patient may contact for further information about the part 2 Notice, and information about the date the Patient Notice takes effect. We intend to align compliance dates for any required changes to the HIPAA NPP and part 2 Patient Notice to enable covered entities to make such changes at the same time.

Optional Elements

The Department is finalizing its proposal, without modification, to incorporate into the Patient Notice the optional elements of a HIPAA NPP, which a part 2 program could include in its Patient Notice. This provision permits a program that elects to place more limits on its uses or disclosures than required by part 2 to describe its more limited uses or disclosures in its notice, provided that the program may not include in its notice a limitation affecting its ability to make a use or disclosure that is required by law or permitted to be made for emergency treatment.

Revisions to the Patient Notice

The Department is finalizing the proposal, without modification, to require that a part 2 program must promptly revise and distribute its Patient Notice when there has been a material change and provide that, except when required by law, such material change may not be implemented prior to the effective date of the Patient Notice.

Implementation Specifications

The Department is finalizing its proposal, without modification, to require that a part 2 program provide the § 2.22 notice to anyone who requests it and provide it to a patient not later than the date of the first service delivery, including where first service is delivered electronically, after the compliance date for the Patient Notice. This provision also would require that the notice be provided as soon as reasonably practicable after emergency treatment. If the part 2 program has a physical delivery site, the notice would have to be posted in a clear and prominent location at the delivery site where a patient would be able to read the notice in a manner that does not identify the patient as receiving SUD treatment, and the Patient Notice would need to be included on a program's website, where available. These provisions would parallel the current requirements for provision of the HIPAA NPP by HIPAA-covered health care providers.

45 CFR 164.520 HIPAA Notice of Privacy Practices

In the NPRM, we proposed to update the HIPAA NPP requirements consistent with requirements in the CARES Act using plain language that is easily understandable. We also proposed additional updates consistent with changes to the HIPAA NPP we proposed in January 2021 (Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement). This part 2 final rule adopts changes to the part 2 Patient Notice only; it does not include finalized changes to the HIPAA NPP in 45 CFR 164.520. The Department intends to publish modifications to 45 CFR 164.520 as part of a future HIPAA rulemaking. Comments received regarding changes to the HIPAA NPP proposed in the 2022 NPRM will be addressed when those changes are published as part of a HIPAA final rule. As we consider public comments received related to the HIPAA NPP, we intend to carefully consider the progress made by affected entities working to implement changes to the Patient Notice.

See 86 FR 6446.

Section 2.23—Patient Access and Restrictions on Use and Disclosure

Proposed Rule

In addition to the paragraph (b) changes discussed above in the “use” or “disclosure” section, the Department proposed wording changes to paragraph (b) to improve readability and to replace the phrase “this information” with “records,” which more accurately describes the scope of the information to which the regulation applies. The comments and the Department's responses regarding § 2.23 are set forth below.

Comment

While not proposed in the NPRM, a few commenters suggested adding a patient right to direct copies of PHI to a third party, as follows: (1) to define a right to direct copies to prevent unintended parties from receiving records; (2) to allow covered entities to restrict or refuse requests from any entity that is not the individual or an entity authorized by the individual; and (3) to create a patient right to direct a copy of records to third parties without a consent form to align with HIPAA.

Response

We appreciate the suggestion to create a patient right to direct copies of PHI to a third party; however, that suggestion is outside the scope of the current rulemaking.

Comment

While not proposed in the NPRM, a few commenters also suggested creating a right of access for part 2 records to afford part 2 patients the same rights as individuals under the HIPAA Privacy Rule.

Response

We appreciate the suggestion to create a right of access for part 2 records and the intent to provide equity for those being treated for SUD with respect to their patient rights compared to the rights for patients with other health conditions under HIPAA. This proposal falls outside the scope of the part 2 rulemaking and we did not propose this change or request comment on this topic in the NPRM; therefore, there is not an adequate foundation for adopting a right of access in the final rule.

The HIPAA Privacy Rule established for an individual the right of access to their PHI in a designated record set. The HIPAA right of access applies to records created by a part 2 program that is also a covered entity as well as part 2 records received by a covered entity. For part 2 programs that are not covered entities, § 2.23 does not prohibit a part 2 program from giving a patient access to their own records, including the opportunity to inspect and copy any records that the part 2 program maintains about the patient.

See “Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524,” supra note 159.

Comment

One commenter recommended that the Department not adopt the changes proposed to the right of access in its 2021 HIPAA NPRM on coordination of care because the proposed changes “would create new pathways for third parties to easily access patient health information through personal health apps with little to no requirements for patient education and consent, thus eroding longstanding privacy protections and increasing burden on providers.”

86 FR 6446.

Response

We appreciate the comment; however, the topic is outside the scope of the current rulemaking.

Comment

One commenter appreciated knowing that once they receive SUD records, the records become PHI and are subject to the access requirements in the HIPAA Privacy Rule.

Response

We appreciate the comment. We clarify that when part 2 records are received by or for a covered entity and are part of a designated record set they become PHI and are subject to the HIPAA Privacy Rule access requirements. Generally, the HIPAA Privacy Rule gives individuals the right to access all of their PHI in a designated record set. A “designated record set” is a group of records maintained by or for a covered entity that are a provider's medical and billing records, a health plan's enrollment, payment, claims adjudication, and case or medical management record systems, and any other records used, in whole or in part, by or for the covered entity to make decisions about individuals. A covered entity's part 2 records usually fall into one of these categories and thus are part of the designated record set. This is true when a part 2 program is a covered entity, as well as when a covered entity receives part 2 records but is not a part 2 program. As such, the records held by a covered entity are subject to the HIPAA Privacy Rule's right of access requirements.

See 45 CFR 164.524.

See 45 CFR 164.501 (definition of “Designated record set”).

Comment

One commenter expressed concerns about any access or disclosures that could subject part 2 patients to criminal charges.

Response

We appreciate this comment. The revisions to § 2.23 clarify the existing prohibition on use and disclosure of information obtained by patient access to their record for purposes of a criminal charge or criminal investigation of the patient.

Comment

One commenter believed that the Department was proposing to remove the written consent requirement for patient access to their own records.

Response

Section 2.23 does not require a part 2 program to obtain a patient's written consent or other authorization to provide access by the patient to their own records, and the final rule is not changing this. Thus, the ability of a patient to obtain access to their record without written consent will be maintained.

Final Rule

The final rule adopts all proposed modifications to § 2.23(b), without further modification.

Section 2.24—Requirements for Intermediaries

Proposed Rule

The Department proposed to address the role of intermediaries by: (a) creating a regulatory definition of the term in § 2.11; (b) reorganizing the existing requirements for intermediaries and redesignating that provision as § 2.24; and (c) clarifying in § 2.31(a)(4)(ii)(B) how a general designation in a consent for use and disclosure of records to an intermediary would operate. The definition as proposed would read as follows: Intermediary means a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient. The current part 2 consent requirements in § 2.31 contain special instructions when making a disclosure to entities that fall within the proposed definition of intermediary: the consent must include the name of the intermediary and one of the following: (A) the name(s) of member participant(s) of the intermediary; or (B) a general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. The NPRM proposed to replace “entities that facilitate the exchange of health information and research institutions” with “intermediaries” and add “used and” before “disclosed” in § 2.31.

Comment

We received comments both supporting and opposing the Department's proposal to define “intermediary” and retain consent requirements for disclosures to intermediaries. Most HIEs/HINs and health IT vendors that commented on this set of proposals expressed concern about our changes. Opposing commenters stated their views that the special provisions for intermediaries were a holdover from before the CARES Act and were inconsistent with its alignment of part 2 and HIPAA, especially with regard to the new provision to allow a single consent for all future TPO. Some commenters suggested that the CARES Act may require the Department to remove the intermediary provisions. Other commenters believed that these provisions did not support care coordination or were inconsistent with allowing a single consent for TPO.

Commenters asked that we revise the HIPAA definition of “covered entity” to include examples of the intermediaries and remove the part 2 definition of “intermediary”; exclude business associates, health IT vendors, or health plans from the part 2 definition of intermediary; expressly allow intermediaries to disclose for TPO; expressly allow HIEs and HIE participants to be listed in a general designation in the consent for disclosures for TPO; and clarify what types of HIEs or health IT vendors are included in the definition (because some HIE technology or EHR software does not maintain data or have access to it when exchanging data between systems).

One commenter asserted that the CARES Act does not define nor use the term “intermediary” and the Department should instead rely upon established terms of “covered entity,” “business associate,” and part 2 “programs.” Another commenter believed the NPRM created a “two-tiered” system that perpetuates discrimination because patients with SUD cannot reap the benefits of integrated care that is facilitated by shared electronic records. A health plan said that there would not be sufficient oversight of intermediaries under the proposed definition because they include entities that are not subject to HIPAA.

One commenter, a health plan association, asserted that business associates should be carved out from the definition of “intermediary” as most are already defined as covered entities or business associates under HIPAA. Others agreed that the role of intermediaries such as HIEs/HINs or ACOs should be carved out from this definition. A few HIE commenters viewed the requirements for intermediaries as based on the 2017 rule changes, in which the Department attempted to limit those instances when a general designation consent could be used without specifically naming the persons entitled to receive the part 2 record. Additionally, the 2017 rule changes layered on additional accounting and consent requirements that—together with the operational challenge of determining when and whether a downstream entity has a “treating provider relationship” with the patient—resulted in low adoption due to the technical and administrative challenges in implementing these requirements and limitations. A county department argued that there is no analog to intermediary within HIPAA, and thus that these changes are inconsistent with the CARES Act effort to foster closer alignment between HIPAA and part 2.

Response

We appreciate input from commenters and have made changes in response to their expressed concerns. Our final definition of “intermediary” in § 2.11 includes “a person, other than a program, covered entity, or business associate, who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.” We also are finalizing provisions that an intermediary must provide to patients who have consented to the disclosure of their records using a general designation, pursuant to § 2.31(a)(4)(ii)(B), a list of persons to whom their records have been disclosed pursuant to the general designation. These changes will implement the CARES Act consent provisions by permitting HIEs that are business associates to receive part 2 records under a broad TPO consent and redisclose them consistent with the HIPAA regulations. These changes also will encourage HIEs to accept part 2 records and include part 2 programs as participants, facilitate integration of behavioral health information with other medical records, and reduce burdens on business associates that serve as HIEs. Our final rule also is consistent with previous SAMHSA guidance to ensure part 2 data exchanged by HIEs remains subject to protection under this final rule.

See U.S. Dep't of Health and Human Servs., “Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?” https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf.

Comment

According to one commenter, if a patient signed a consent form designating “my health plan” as the recipient, the part 2 program would be permitted to disclose such information directly to the health plan but would be prohibited from disclosing that information to the very same health plan if the disclosure was made via an intermediary without specifically naming the intermediary and the health plan. This approach could thus impede operations of HIEs/HINs.

Response

We agree with the commenter's concerns that the proposed consent requirements for intermediaries may impede HIEs/HINs. The finalized definition of intermediary in § 2.11 excludes part 2 programs, covered entities, and business associates. This approach should help remove barriers to HIEs'/HINs' inclusion of part 2 records from part 2 programs that are also covered entities. As noted, we believe excluding business associates, in particular, will encourage HIEs to accept part 2 records and include part 2 programs as participants and reduce burdens on business associates that serve as HIEs.

Comment

One HIE commenter said that the NPRM provides an example of an intermediary being an electronic health record vendor that enables entities at two different health systems to share records and would be bound by the requirements proposed under § 2.24. However, that same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient's records. The commenter finds this confusing and seeks clarification on the definition of intermediary and the associated requirements. Another commenter, a health IT vendor, also questioned our example in the NPRM, claiming that the developer of the product used in an exchange of information is no more an intermediary to the exchange than the manufacturer of a fax machine is an intermediary to information faxed from one place to another. The EHR vendor described in the NPRM should only be considered an intermediary when it controls the exchange of health records between systems using its software or when it serves as the recipient of records.

Response

We acknowledge that some commenters may have found this NPRM example confusing. We believe our revised definition and changes to § 2.24 help clarify the role of intermediaries. We have in the NPRM and other past rules and guidance cited HIEs/health information networks or “HINs,” ACOs, coordinated care organizations, care management organizations, and research institutions as examples of intermediaries, but whether a particular entity is an intermediary may be a fact-specific inquiry.

Id. See also, 87 FR 74216, 74224; 82 FR 6052, 6055.

Comment

Other comments on the proposal addressed the role of community-based organizations (CBOs), such as those providing services to people experiencing homelessness. A few commenters requested that such CBOs be considered as intermediaries, and one pointed out that the limitation on sharing part 2 records through an intermediary would likely result in limiting the sharing of records with CBOs via an HIE because CBOs are not treating providers. A county HIE said that it fosters data sharing across dozens of health care providers, managed care, and CBOs to enable better care coordination and address social determinants of health. The county asserted that allowing part 2 records to be shared based on a single consent for TPO would be “deeply enhanced by pairing it with the technology of an HIE.”

Response

We have noted the definition of “intermediary” and examples above. An intermediary may be named in a general designation in § 2.31(a)(4) though special instructions apply to such use. Under the final rule, we have excluded business associates, part 2 programs, and covered entities from the definition of “intermediary” in § 2.11. Thus, HIEs that meet the definition of “business associates” are not intermediaries.

Part 2 programs, covered entities, and business associates (notably HIEs) are permitted to disclose records for TPO under the new TPO consent requirements and redisclose records as permitted by the HIPAA Privacy Rule once a consent for all future uses and disclosures for TPO is obtained. Accordingly, when a part 2 program that is a covered entity discloses records through an HIE, the intermediary consent requirements under § 2.31(a)(4) do not apply because the HIE would be serving as a business associate of the part 2 program/covered entity, and as a business associate the HIE would be excluded from the definition of “intermediary.” We believe that part 2 programs that rely on HIEs are those most likely to be covered entities and to benefit from the narrowed definition of intermediary in the final rule.

Comment

A commenter said that the definition of “intermediary” is broad enough that a primary care provider connecting a patient (and a patient's part 2 records) from one program to another could be seen as an intermediary. This commenter seeks guidance on the relationship between part 2 programs and intermediaries, and on what unintended consequences the Department is seeking to avoid. The commenter suggests collaboration with ONC to leverage TEFCA, as there seems to be overlap between what constitutes an intermediary and how ONC defines a Qualified Health Information Network under TEFCA.

An insurance association referenced TEFCA and said that it is expected to be operating this year, creating a national network for health care information exchange among both HIPAA covered and non-HIPAA covered entities. The part 2 rule, the association said, should be structured to ensure data can be seamlessly shared among covered entities for TPO and other purposes designated in an individual's consent. However, the commenter believed that robust privacy protections for part 2 records remain critical for all entities involved in health data exchanges. The TEFCA processes are building in governance and operating requirements parallel to the HIPAA privacy and security requirements for all participants in the system even if they are not covered entities under the law to ensure robust protections no matter what role the entity plays. The commenter was concerned that a single weak link in the chain could compromise the entire system.

The commenter also stated that activities by HIEs that go beyond the role of a “basic conduit” should come with commensurate responsibilities for data protections. Therefore, the commenter questioned the definition of “intermediary” as proposed, asserting that it would minimize the accountability of these entities.

Response

We appreciate input from commenters on the role of HIEs and TEFCA. ONC, OCR, SAMHSA and others are collaborating to support participation in TEFCA and implementation of health IT and EHRs within the behavioral health sector. When an HIE is acting as a business associate to a part 2 program that is also a covered entity, it would not be considered an “intermediary” as defined in this final rule because we have excluded business associates (along with programs and covered entities) from the definition. An HIE that is a “business associate” is subject to certain HIPAA requirements, including safeguards under the HIPAA Security Rule.

See “Behavioral Health,” supra note 133.

See U.S. Dep't of Health and Human Servs., “Business Associates” (May 24, 2019), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.

For clarity, we also explain here that the exclusion of business associates from the “intermediary” definition in § 2.11 results in far fewer entities being subject to intermediary consent requirements under § 2.31(a)(4) and the list of disclosures obligations under § 2.24 because most HIEs—which were the most typical example of an intermediary—are business associates. A QSO—which is analogous to a business associate for a part 2 program—is only considered an intermediary when it is providing services to a program that is not a covered entity. We believe that part 2 programs that are covered entities are those most likely to make use of HIE services and that the burden reduction on HIE business associates in this final rule may incentivize them to accept part 2 records into their systems more frequently than under the existing part 2 regulation.

Comment

SUD recovery organizations recommended modifying the proposed definition of “intermediary” to also include “a member of the intermediary named in the consent,” rather than limiting it to members of the intermediary that have a treating provider relationship with the patient. A state data agency urged us to add intermediaries and other lawful holders to the language of § 2.12(d)(2)(ii), which permitted a non-part 2 treatment provider who receives part 2 information to record it without it becoming a part 2 record, so long as any part 2 records they receive are segregated from other health information.

Response

Section 2.12(d)(2)(ii) applies to persons who receive records directly from a part 2 program or other lawful holder of patient identifying information and who are notified of the prohibition on redisclosure in accordance with § 2.32. We are finalizing a modification to this provision to expressly state that: “[a] program, covered entity, or business associate that receives records based on a single consent for all treatment, payment, and health care operations is not required to segregate or segment such records.” Thus, an HIE that is a business associate of a covered entity that operates a part 2 program cannot, by definition, be an intermediary, and thus would not be required to segregate the part 2 records they receive. However, the records would still be considered part 2 records (as well as PHI) and there is a continuing obligation to protect the records from use or disclosure in proceedings against the patient.

Because the concept of intermediary by its nature is limited to organizations that mediate the interactions between a program and an intended recipient of records, it would not be practical to include in the definition of “intermediary” language concerning “a member of the intermediary named in the consent.”

Comment

Several commenters requested clarification of certain aspects of the proposal, such as: whether entities already subject to HIPAA are included as intermediaries; whether QSOs can serve as intermediaries and how the QSO role would fit into the requirements; whether the intermediary definition is limited to facilitating access for treatment purposes or whether the definition contemplates facilitating access for other purposes (e.g., for payment purposes, patient access, etc.); and which entities have the responsibility for the required list of disclosures and exactly which responsibilities related to that requirement. One commenter requested that the Department expressly clarify that QSOs are not intermediaries since QSOs do not receive records under a general designation in a written patient consent, but rather they receive records through a QSOA.

Response

We discuss our changes to the definition of “intermediary” here and in § 2.11. As noted, in response to public comments we are excluding covered entities, business associates, and part 2 programs from the definition of “intermediary.” Further, the “intermediary” definition is not, in and of itself, expressly limited to facilitating access for treatment purposes; however, by the operation of the consent requirement in § 2.31, the use of intermediaries is generally limited to facilitating the exchange of records among treating providers. The final rule definition of “qualified service organization” includes a person who meets the definition of “business associate” in 45 CFR 160.103, for a part 2 program that is a covered entity, with respect to the use and disclosure of PHI that also constitutes a part 2 record. Expressly including business associates as QSOs, where both definitions are met, responds to comments received on the NPRM noting that the role of QSOs is analogous to business associates, such that aligning terminology makes sense given the purpose of section 3221 of the CARES Act to enhance harmonization of HIPAA and part 2. Additionally, as commenters requested, we have carved out business associates from the definition of “intermediary.” Thus, while a QSO may be a business associate, it cannot at the same time also be considered an intermediary. As a result, an HIE/HIN that is a QSO and business associate for a part 2 program that is also a covered entity would not be subject to the intermediary requirements (e.g., a general designation in a consent and the list of disclosures).

Comment

About half of the commenters on intermediaries opposed the requirement that intermediaries provide a list of disclosures for the 3 years preceding the request. Many commenters expressed concern that the TPO consent provisions in §§ 2.31 and 2.33 would result in an increase in requests for a list of disclosures made via an intermediary and that HIEs were not equipped to respond in volume. One commenter opined that millions of transactions will be facilitated by the intermediary daily and, as a result, it would be difficult for both the part 2 program and the intermediary to provide a full accounting of disclosures that would feasibly be usable and helpful to the patient. Others suggested the part 2 program directly assume this obligation.

While supporting the proposed changes, a few commenters raised substantial concerns about the existing requirements, stating that it would be difficult for an intermediary to log individual accesses and reasons why data was accessed over a multi-year period. While patients should understand where and how their data is being transferred, it must be done while maintaining the interoperability pathway outlined by other HHS programs and with the full understanding of burden represented. A few commenters specifically supported the proposed extension for the list of disclosures from 2 to 3 years. A local government and a health system appreciated that the obligation for producing the list of disclosures remains with the intermediary and not the part 2 program. A few commenters asserted that the proposed changes would help address technological issues with HIEs that are compliant with part 2. Others suggested this process would be burdensome for HIEs and part 2 programs.

Response

We acknowledge these comments. The final rule in § 2.24 extends the “look back” period for the required list of disclosures by an intermediary from 2 years to 3 years as proposed. We made this change to align with the new right to an accounting of disclosures in § 2.25 for disclosures made with consent, which contains a 3-year look back period. As we have stated prior to this final rule, the intermediary, not the part 2 program itself, is responsible for compliance with the required list of disclosures under § 2.24. We discuss costs and benefits associated with this rule below, including for §§ 2.24 and 2.25.

82 FR 6052, 6072.

Comment

Comments asserted that the accounting requirement for intermediaries was duplicative of the HIPAA requirements for an accounting of disclosures for TPO made from an EHR (which have not been finalized in regulation) and had created barriers to the use of HIEs to exchange part 2 records. One commenter asserted that they have not allowed part 2 records in their system due to the differing requirements and that the intermediary proposal would perpetuate this outcome. Another commenter explained that a group of organizations that tested part 2 disclosure models did not ultimately adopt them because the part 2 requirements were too problematic. Several commenters requested that the requirement for providing the list of disclosures be tolled until the finalization of the expected HIPAA accounting of disclosures regulation for TPO disclosures through an EHR.

Response

We are not tolling the list of disclosures requirements for intermediaries because these obligations already exist in § 2.13(d) and are simply being continued in a new section, § 2.24, with the time period covered being extended from 2 years to 3. Intermediaries are not subject to the HIPAA accounting of disclosures requirements, by definition, because we have excluded covered entities and business associates from the definition of “intermediary” in the final rule. Because the HIPAA accounting of disclosures requirement for TPO disclosures through an EHR has not yet been finalized, we believe this distinct list of disclosures requirement should remain effective.

Final Rule

We are finalizing in this section, redesignated as § 2.24, that an intermediary must provide to patients who have consented to the disclosure of their records using a general designation pursuant to § 2.31(a)(4)(ii)(B), a list of persons to whom their records have been disclosed pursuant to the general designation.

Section 2.25—Accounting of Disclosures

Proposed Rule

The Department noted in the NPRM that except for disclosures made by intermediaries, the current part 2 regulation did not have provisions that included a right for patients to obtain an accounting of disclosures of part 2 records. Section 290dd–2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES Act, applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c) (Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record), to part 2 disclosures for TPO with prior written consent. Therefore, the Department proposed to add a new § 2.25 (Accounting of disclosures) to establish the patient's right to receive, upon request, an accounting of disclosures of part 2 records made with written consent for up to three years prior to the date the accounting is requested.

42 CFR 2.13(d) (specifying List of Disclosures requirement applicable to intermediaries).

This proposal was intended to apply the individual right to an accounting of disclosures in the HITECH Act to disclosure of part 2 records. The Department proposed at § 2.25(a) that paragraph (a) would generally require an accounting of disclosures made with patient consent for a period of 6 years prior to the request, and paragraph (b) would limit the requirement with respect to disclosures made with TPO consent, which would only be required for disclosures made from an EHR system for a period of 3 years prior to the request. In both instances, the proposed changes would be contingent on the promulgation of HITECH Act modifications to the accounting of disclosures standard in the HIPAA Privacy Rule at 45 CFR 164.528.

OCR published an NPRM to implement this HITECH Act provision in 2011 but did not finalize it because of concerns raised by public comments. See 76 FR 31426 (May 31, 2011). OCR announced its intention to withdraw the 2011 NPRM and requested public input on new questions to help OCR implement the HITECH Act requirement as part of the 2018 HIPAA Rules Request for Information (RFI). See 83 FR 64302, 64307 (Dec. 14, 2018). A final HIPAA regulation on the accounting of disclosures that would apply to TPO disclosures by covered entities has not been issued.

See also sec. 13405(c) of the HITECH Act (codified at 42 U.S.C. 17935(c)). Since the HITECH Act requirement for accounting of disclosures was enacted in 2009, the Department published an RFI at 75 FR 23214 (May 3, 2010) and an NPRM at 76 FR 31426 (May 31, 2011). Based in part on public comment on the RFI, the Department proposed to provide individuals with an “access report” as a means of fulfilling the requirement. Based on feedback on the NPRM in which commenters overwhelmingly opposed the report as “unworkable,” the Department, in a follow-up RFI published at 83 FR 64302, explained its intent to withdraw the proposal of the 2011 NPRM. The Department received additional public comment about implementing sec. 13405(c) and will publish in a future Regulatory Unified Agenda notice about any future actions.

The Department stated in the NPRM preamble that this proposed accounting requirement is consistent with section 3221(b) of the CARES Act, 42 U.S.C. 290dd–2(b)(1)(B), as amended. The Department noted that the CARES Act applied the HITECH Act “look back” time period for accounting of disclosures to “all disclosures” of part 2 records with consent and not just those disclosures contained in an EHR. From a policy perspective, the Department therefore proposed to apply the 3-year “look back” to all accountings of disclosures with consent and not just for accountings of disclosures of records contained in an EHR.

Because the Department has not yet finalized the HITECH Act accounting of disclosures modifications within the HIPAA Privacy Rule, the Department did not propose to require compliance with § 2.25 before finalizing the HIPAA Privacy Rule provision in 45 CFR 164.528. The comments and the Department's responses regarding § 2.25 are set forth below.

Accounting of Disclosures for TPO

Comment

A few commenters expressed opposition to the accounting of disclosures for TPO because: (1) the proposal does not align with the HIPAA Privacy Rule, including the exclusion pursuant to an authorization; (2) it would increase administrative burden; and (3) the existing and established technology lacks the capability, including manual collection of data from multiple systems (e.g., EHR and practice management system for payment and health care operations). Other commenters remarked that unless technical capabilities are developed within certified EHR technology to capture why someone has opened a patient record, providing a full accounting would be impossible and requiring providers to mark and maintain a full accounting would incentivize providers to forego going into a patient's record, even when it may be better for treatment coordination.

Response

We appreciate the comments. However, the proposed change is required by section 290dd–2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES Act, that applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c), to part 2 disclosures for TPO with prior written consent. The final rule attempts to balance the potential compliance burden by tolling the effective and compliance dates for the HITECH accounting of disclosures requirement until it is finalized within the HIPAA Privacy Rule.

Comment

A health system and a health IT vendor commented on the timeframes covered in accountings of disclosure and suggested that the period for which accountings can be requested be limited to those after the rule is effective because of different applicable privacy standards prior to rule finalization. For example, if the Department finalizes the accounting of disclosures provision to include data for six years prior to the request date, the first day for which part 2 programs would need to provide accountings would be the effective date of the rule.

Response

We appreciate the comments. We clarify that the period for which an accounting can “look back” is limited to those disclosures occurring after the first day of the compliance date.

Comment

An HIE association requested the Department provide a specific maximum allowable cost to a patient for fulfilling a requested accounting of disclosures for their PHI in the final rule. According to the commenter, the Department provides guidance in other resources on the maximum allowable cost that a patient can incur when requesting an accounting of disclosures but the NPRM did not provide a clear and concise regulatory specification.

Response

We appreciate the comment and decline at this time to state a maximum patient cost; however, we will further consider the comment in drafting the HIPAA accounting of disclosures final rule to implement section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c). We are not aware of resources that discuss the maximum allowable cost that a patient can incur when requesting an accounting of disclosure. However, the Department has provided guidance in other resources on the costs a covered entity may charge individuals to receive a copy of their PHI, which is a different cost from providing individuals an accounting of disclosures. For an accounting of disclosures, the HIPAA Privacy Rule at 45 CFR 164.528(c)(2) requires a covered entity provide the first accounting to an individual in any 12-month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12-month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request.

Comment

Several commenters were supportive of the proposal to add a new accounting of disclosures requirement in part 2 because it would align with an individual's rights under the HIPAA Privacy Rule. One health IT vendor said health IT and other digital technologies should incorporate audit trails to help detect inappropriate access to PHI. An advocacy organization supported the proposed timeframes an accounting of disclosures would cover, while a health system said the three-year timeframe for TPO disclosures should match the six-year timeframe in the HIPAA Privacy Rule.

Response

We appreciate the comments. With respect to the “look back” period for accounting of disclosures in the HIPAA Privacy Rule, an individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested. The HITECH accounting requirement covers disclosures for TPO made via an EHR and a look back period of only three years; however, this has not been finalized in the HIPAA Privacy Rule, so we cannot harmonize the part 2 TPO disclosure timeframe to that of the HIPAA Privacy Rule accounting of disclosures requirement. Additionally, a HIPAA accounting of disclosures rulemaking would implement the HITECH Act modification to 45 CFR 164.528 for disclosures for TPO to three years prior to the date on which the accounting is requested.

See 45 CFR 164.528(a)(3).

See sec. 13405(c) of the HITECH Act (codified at 42 U.S.C. 17935(c)).

Comment

A few trade associations and a health IT vendor requested the Department provide a template for the accounting of disclosures that includes the level of detail necessary to fulfill the requirement.

Response

We appreciate the comments and will consider providing a template when the HITECH accounting of disclosures requirement is finalized within the HIPAA Privacy Rule.

Tolling of Compliance Date

Comment

A few commenters addressed tolling the compliance date for part 2 programs and each of them agreed with tolling the effective and compliance dates of the accounting of disclosures proposal until the effective and compliance dates of the modified HIPAA Privacy Rule accounting provision to provide consistency for part 2 providers, covered entities, and business associates.

Response

We appreciate the comments. We are tolling the effective and compliance dates for part 2 programs until the effective and compliance dates of a final rule on the HIPAA/HITECH accounting of disclosures standard (section 13405(c) of the HITECH Act) to ensure part 2 programs do not incur new compliance obligations before covered entities and business associates under the HIPAA Privacy Rule are obligated to comply. We are also mindful that the alignment of the part 2 and HIPAA compliance dates for the accounting of disclosures is most important for part 2 programs that are also covered entities. We also note that part 2 programs are not required to include the statement of a patient's right to an accounting of disclosures in the Patient Notice under § 2.22 until the future compliance date of the accounting of disclosures.

Other Comments on Requests for Accountings of Disclosures

The Department, in the NPRM, asked for feedback on potential burdens such as staff time and other costs associated with accounting of disclosure requests. The Department also requested data on the extent to which covered entities receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how covered entities document such requests, and the procedures and mechanisms used by covered entities to ensure compliance with patient requests to which they have agreed or that they are otherwise required to comply with by law.

Comment

A few commenters said they rarely receive requests for an accounting of disclosures and a few commenters stated they receive between 1–10 requests annually. Some of these commenters said in their experiences a single request for an accounting of disclosures from a patient may take one staffer with the current functionality within an organization a full 40-hour week to respond.

Response

We appreciate the comments and the information provided on the number and type of requests for an accounting of disclosures of PHI received annually and the staff time involved in responding to an individual's request for an accounting of disclosures of PHI.

Final Rule

The final rule adopts all proposed modifications to § 2.25, with a correction to the timeframe in paragraph (a) to require an accounting of disclosures made with consent in the 3 years prior to the date of the request.

Section 2.26—Right to Request Privacy Protection for Records

Proposed Rule

Prior to the CARES Act amendments, the part 2 statute did not explicitly provide a patient the right to request restrictions on disclosures of part 2 records for TPO, although patients could tailor the scope of their consent, which would govern the disclosure of their part 2 records. Section 3221(b) of the CARES Act amended 42 U.S.C. 290dd–2 such that section 13405(c) of the Health Information Technology and Clinical Health Act (42 U.S.C. 17935(c)) applies to subsection (b)(1). Therefore, the Department proposed to codify in § 2.26 a patient's rights to: (1) request restrictions on disclosures of part 2 records for TPO purposes, and (2) obtain restrictions on disclosures to health plans for services paid in full. The proposed provision would align with the individual right in the HITECH Act, as implemented in the HIPAA Privacy Rule at 45 CFR 164.522. As with the HIPAA Privacy Rule right to request restrictions, a part 2 program that denies a request for restrictions still would be subject to any applicable state or other law that imposes greater restrictions on disclosures than part 2 requires.

See 42 U.S.C. 17935(a).

In addition to applying the HITECH Act requirements to part 2, the CARES Act emphasized the importance of the right to request restrictions in three provisions, including:

(1) a rule of construction that the CARES Act should not be construed to limit a patient's right under the HIPAA Privacy Rule to request restrictions on the use or disclosure of part 2 records for TPO;

See sec. 3221(j)(1) of the CARES Act. The Department believes the effect of this rule of construction is that 45 CFR 164.522 of the HIPAA Privacy Rule continues to apply without change to covered entities with respect to part 2 records.

(2) a Sense of Congress that patients have the right to request a restriction on the use or disclosure of a part 2 record for TPO; and

See sec. 3221(k)(2) of the CARES Act.

(3) a Sense of Congress that encourages covered entities to make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding TPO uses or disclosures of part 2 records.

See sec. 3221(k)(3) of the CARES Act.

Comment

Commenters provided general support for the proposal to modify part 2 to implement requirements in the CARES Act concerning a patient's right to request restrictions on uses and disclosures of part 2 records. For instance, a medical professionals association supported this proposed change, stating that transparent privacy policies should accommodate patient preference and choice as long as those preferences and choices do not preclude the delivery of clinically appropriate care, public health, or safety. A county health system said the proposed changes will promote patient advocacy, privacy, and transparency. Health system and health plan commenters supported the proposed language allowing patients to request restrictions on the use or disclosure of their PHI if this request aligns with the HIPAA Privacy Rule, which gives covered entities the ability to approve or deny these requests. Others such as state agencies, health care providers, and a health IT vendor also supported provisions to request restrictions on disclosures including for disclosures otherwise permitted for TPO purposes.

Response

We appreciate the comments about the proposed addition of a new patient right to request restrictions on uses and disclosures of part 2 records for TPO and the alignment of the right with the parallel HIPAA provision.

Comment

A health information association supported a mechanism for patients to request to restrict where and who can access their records in specific situations as this approach builds trust and allows the patient to control use and disclosure of their health record. The commenter further asserted that while data segmentation challenges exist, most providers follow HIPAA and align with state law privacy requirements regarding use and disclosure of part 2 records. However, the association urged that as the Department finalizes these requirements the ability for a patient to request restriction of disclosure should not be mandatory for providers to adhere to when they are otherwise required to provide disclosure. Another provider supported aligning the right to request a restriction with HIPAA language to include specific language which clarifies a covered entity and/or part 2 program is under no obligation to agree to requests for restrictions. Due to EHR functionality limitations, the provider cannot accommodate most requests for restrictions, especially related to treatment.

Response

We appreciate the comments about our proposed change to align part 2 and HIPAA requirements. As stated in § 2.26(a)(5): “[a] restriction agreed to by a part 2 program under paragraph (a) of this section is not effective under this subpart to prevent uses or disclosures required by law or permitted by this regulation for purposes other than treatment, payment, and health care operations, as defined in this part.” Paragraph (a)(6) of § 2.26 also states that “[a] part 2 program must agree to the request of a patient to restrict disclosure of records about the patient to a health plan if . . . [t]he disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law [. . .].” Therefore, a part 2 program that is a covered entity is not required by this section to agree to restrict a disclosure that otherwise is required by law or for a purpose permitted by part 2 other than TPO.

For further discussion of “required by law” in the HIPAA context, see 78 FR 5566, 5628.

Comment

An individual commenter urged the Department to expand its proposal by using the general regulatory authority given it by the CARES Act to modify 42 CFR part 2 to indicate that a covered entity is required to agree to a patient's requested restriction of uses and disclosures of part 2 information. Thus, the commenter suggested the provisions of 45 CFR 164.522(a)(1)(ii) and (a)(2)(iii) would be eliminated. The commenter asserted that a “rule of construction” in the CARES Act should not be construed to limit a patient's right under the HIPAA Privacy Rule to request restrictions on the use or disclosure of part 2 records for TPO. The commenter stated its interpretation of the Sense of Congress in the CARES Act that patients have the right to request a restriction on the use or disclosure of a part 2 record for TPO and that encourages covered entities to make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding TPO uses or disclosures of part 2 records.

A health system also supported this change, stating that this provision aligns with existing standards under the HIPAA Privacy Rule, which allows a patient to request restrictions, while a covered entity is not obligated to agree to that request (except when the service in question has been paid in full). The health system appreciated that HHS proposed to allow the same flexibility and decision-making capacity for part 2 programs. Another commenter proposed that the same standards be applied in part 2 as in HIPAA, which requires covered entities to evaluate requests and take reasonable means. The commenter believed that a covered entity is not mandated to honor a restriction for purposes of operations/treatment but would be for payment in circumstances where the patient pays out of pocket, in full. The commenter suggested applying the same standards to part 2 as applied to covered entities in the HIPAA restriction process. A health system said it supported aligning part 2 and HIPAA, but if there is a part 2 entity that is not already a covered entity under HIPAA, HHS should expand the HIPAA definition of covered entity rather than duplicate HIPAA provisions in this rule.

Response

We acknowledge these comments and emphasize the Sense of Congress expressed in section 3221(k)(3) of the CARES Act that “[c]overed entities should make every reasonable effort to the extent feasible to comply with a patient's request for a restriction” regarding such use or disclosure.

Comment

A health system, citing 42 CFR 2.12(c)(3), supported HHS' attempt to better align part 2 with HIPAA as it relates to both uses and disclosures, but stated that the introduction of restrictions on uses poses significant challenges for part 2 programs unless additional changes or clarifications to the regulations are made. The commenter urged the Department to clarify in the final rule that permitted uses also include those uses necessary to carry out the payment or health care operations of the part 2 program. Such clarification will ensure part 2 programs may continue to use part 2 records internally for payment and health care operations that may not directly relate to the diagnosis, treatment, or referral for treatment of patients. Without this clarification, if a part 2 program fails to secure consent from a patient, the part 2 program would be prohibited from using part 2 records for essential internal purposes, such as quality improvement, peer review, and other legally required patient safety activities.

Response

Section 2.12(c)(3), which excludes from part 2 restrictions treatment-related internal communications among staff in a program and communications with entities that have direct administrative control of the program, is not inconsistent with the new patient right to request restrictions on disclosures for TPO purposes, and a patient's right to obtain restrictions on disclosures to health plans for services paid in full by the patient. Additional changes desired by the commenter to § 2.12(c)(3) are outside the scope of this rulemaking.

Comment

A medical professionals association asserted that, given the sensitivity of SUD data, patients may request that their SUD treatment data not be shared with other clinicians nor be accessible via various third-party applications. The commenter believed that physicians, especially those in primary care, generally lack the ability to segment out certain parts of a patient's record while maintaining the ability to meaningfully share the non-SUD treatment data with the patient's care team for the purposes of care coordination and management. The commenter explained its view that this lack of granular data segmentation functionality increases administrative burden and creates challenges for clinicians who are complying with requests not to disclose SUD treatment data while still complying with HIPAA and information blocking requirements. As a result, clinicians must either place sensitive data in the general medical record and institute policies and procedures outside of the EHR to protect this data or create a new location or shadow chart that houses and protects the data. These workarounds disrupt the flow of comprehensive health data within a patient's care team and increase administrative tasks. The association urged HHS to work with EHR vendors to modernize the functionality of health care data management platforms to ensure part 2 programs can keep patients' data confidential when requested. Another medical association also reflected similar views.

A health IT vendor claimed that several NPRM provisions, including § 2.26, would require it to implement procedural changes. But the vendor stated that these updates are necessary to eliminate barriers to data sharing amongst patients, providers, and health care facilities. The vendor also believed these requirements can be implemented within the proposed 22-month compliance period.

A health IT association supported alignment with a patient's right to request restrictions under the existing HIPAA Privacy Rule. But the commenter believed that it is important not to add a burden on covered entities participating in a shared electronic health information platform or with an HIE or HIN. The commenter urged OCR and SAMHSA to connect to health IT developers, technology companies, HIE, and HINs to ensure that technology exists to feasibly allow for covered entity compliance with interoperability and information blocking requirements.

Response

We acknowledge concerns that data segmentation may be difficult for part 2 programs and covered entities and discuss this further in § 2.12. However, covered entities have had to address individuals' requests for restrictions of TPO uses and disclosures since the HIPAA Privacy Rule was implemented more than two decades ago. The renewed emphasis on the right to request restrictions on uses and disclosures of records for TPO is closely linked to the new permission to use and disclose records based on a single consent for all future TPO. We have stated in the discussion of the new consent permission that programs and covered entities that want to utilize the TPO consent mechanism should be prepared from a technical perspective to also afford patients their requested restrictions when it is otherwise reasonable to do so. Entities that are planning to benefit from streamlined transmission and integration of part 2 records by using the single consent for all TPO should be prepared to ensure that patients' privacy also benefits from the use of health IT.

EHR systems' technical capabilities are outside the scope of this rulemaking, but we are cognizant of and refer throughout this rule to the existing health IT capabilities supported by data standards adopted by ONC on behalf of HHS in 45 CFR part 170, subpart B, and referenced in the ONC Health IT Certification Program certification criteria for security labels and segmentation of sensitive health data. ONC, SAMHSA, OCR, and others collaborate to support EHRs and health IT in behavioral health and integrated care settings.

See “Behavioral Health,” supra note 133.

Comment

A provider association opined that the NPRM overemphasizes the social harms that disclosing SUD clinical information creates, at the risk of medical harms and overdose deaths that are a consequence of poor care coordination. The commenter urged the Department to provide guidance on precisely what is expected of providers as they incorporate processes to respect these patient rights if the provisions are finalized as proposed.

Response

We appreciate this comment and the concern for patient safety. As noted above, providers are not required to agree to all patient requests for restrictions on uses and disclosures for TPO, but are encouraged to make reasonable efforts to do so. Providers retain the responsibility for patient care and determining what is reasonable under the circumstances. The final rule is emphasizing, however, that programs and covered entities are expected to do more than merely establish policies and procedures on the right to request restrictions—they need to make a concerted effort to evaluate how they can reasonably accommodate patients' requests.

Comment

An academic health center stated its general support for patients' rights to limit access to their medical records but wanted to avoid creating further administrative and operational burdens on staff and avoid managing patient data retroactively.

Response

We acknowledge this comment and concerns about burdens that could result from § 2.26 implementation. However, part 2 programs that are covered entities are already subject to the HIPAA provisions on the right to request restrictions in 45 CFR 164.522. As finalized, we believe this section is consistent with HIPAA as well as CARES Act requirements.

Comment

A medical professionals association asserted that the NPRM does not account for patient protections in plans self-funded through an employer. The association requested clarity on how TPO information will be kept protected from the employer and how patients will be protected against discriminatory practices, arguing that without further clarification, employees will be hesitant to seek treatment if there is an assumption that an employer will have knowledge of his or her SUD.

In contrast, a national employee benefits association for large employers urged the Department to allow health plan sponsors (i.e., employers) to access part 2 records containing de-identified claims data that are held by third-party vendors that manage SUD programs. From the employer/health plan sponsors' perspective, these records are needed to evaluate and improve health benefits.

Response

Self-funded group health plans are not permitted to retaliate against SUD or other patients/employees for seeking care. HHS has explained in guidance application of HIPAA to self-funded employer group health plans that: “the [HIPAA] Privacy Rule does not directly regulate employers or other plan sponsors that are not HIPAA covered entities. However, the [HIPAA] Privacy Rule, in 45 CFR 164.504(f) does control the conditions under which the group health plan can share protected health information with the employer or plan sponsor when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan [. . . .] The covered group health plan must comply with [HIPAA] Privacy Rule requirements, though these requirements will be limited when the group health plan is fully insured.”

U.S. Dep't of Health and Human Servs., “As an employer, I sponsor a group health plan for my employees. Am I a covered entity under HIPAA?” (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/499/am-i-a-covered-entity-under-hipaa/index.html.

In discussing 45 CFR 164.530, HHS has further stated in guidance that “group health plans are exempt from most of the administrative responsibilities under the [HIPAA] Privacy Rule. These health plans are still required, however, to refrain from intimidating or retaliatory acts, and from requiring an individual to waive their privacy rights.”

See U.S. Dep't of Health and Human Servs., “I'm an employer that offers a fully insured group health plan for my employees. Is the fully insured group health plan subject to all of the Privacy Rule provisions?” (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/496/is-the-fully-insured-group-health-plan-subject-to-all-privacy-rule-provisions/index.html.

Self-funded group health plans are also subject to the Mental Health Parity and Addiction Equity Act (MHPAEA), which requires that most health plans providing mental health and SUD benefits must provide services comparable to those for medical/surgical conditions. While previously able to opt out of these requirements, recent changes made by the Consolidated Appropriations Act of 2023 state that “self-funded, non-Federal governmental group health plans that opt out of compliance with MHPAEA are required to come into compliance with these requirements.” This change too should mitigate the potential for employees to be subject to stigma and discrimination within self-funded group health plans because they have or are in recovery from an SUD.

See Ctrs. for Medicare & Medicaid Servs., “The Mental Health Parity and Addiction Equity Act (MHPAEA),” https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/mhpaea_factsheet; Ctrs. for Medicare & Medicaid Servs., “Sunset of MHPAEA opt-out provision for self-funded, non-Federal governmental group health plans” (June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf.

Ctrs. for Medicare & Medicaid Servs., “Sunset of MHPAEA opt-out provision for self-funded, non-Federal governmental group health plans,” at 1 (June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf. See also 42 U.S.C. 300gg–26, Parity in mental health and substance use disorder benefits.

With respect to employer/health plan sponsor access to de-identified part 2 records, the Department did not propose to create new use and disclosure permissions specific to employers/health plan sponsors and does not adopt such changes in this final rule. However, under this final rule, a covered entity or business associate that receives records under a TPO consent may redisclose them in accordance with the HIPAA Privacy Rule, which does not place limitations on the use or disclosure of de-identified information.

Comment

A health plan asserted that, as written, the rule might be interpreted to prevent plans with part 2 data from redisclosing it without consent. Additional restrictions around TPO may negatively impact plans' business operations since plans would need to separate part 2 records from other records. This restriction would be burdensome and more operationally challenging even for the most sophisticated stakeholders, according to the commenter, who also asserted that patients may be more likely to receive unnecessary information in these broad disclosures. The commenter believed that the proposed expanded TPO restriction would overwhelm both patients and plans, ultimately hindering efforts toward more efficient care coordination for patients with SUD.

Response

This section as finalized is consistent with the Sense of Congress as articulated in the CARES Act, which provides that patients have the right to request a restriction on the use or disclosure of a part 2 record for TPO. The CARES Act similarly encourages covered entities to make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding TPO uses or disclosures of a part 2 record.

A patient's right to request restrictions does not prevent health plans with part 2 records from redisclosing such records without patient consent as permitted under this rule, except in those situations where the plan has agreed to a requested restriction.

Comment

A few commenters, including an advocacy organization, professional associations, and a recovery organization asserted that the proposed right is profoundly inequitable because it is only available to patients with the means to pay privately for SUD treatment. Pointing to what it views as disparities and the cost of SUD treatment, one commenter asserted that underserved communities and persons affected by poverty and inequality thus will be less able to exercise this right to restrict uses and disclosures of their SUD records. Other commenters expressed concern that some patients can afford to self-pay and may not wish to face the risks of restrictive health plan coverage policies, employers, and others finding out they are being treated for an SUD, but this right is not extended to those who cannot self-pay. These commenters believed that the rule should not subject most Americans to these very real risks while acknowledging that persons of means can avoid them.

The commenter recommended that HHS strengthen this provision so that providers comply with all patients' requests to restrict disclosures of this sensitive health information—not just those patients who are wealthy enough to pay in full and out-of-pocket. The commenter argued that strengthening the provision is also consistent with the CARES Act's “Sense of Congress” in section 3221(k)(3): “covered entities should make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding such use or disclosure.” The commenter asserted that when patients request a restriction on disclosure of their part 2 records, the default answer should be “yes,” subject to narrow exceptions such as disclosures to treat a medical emergency. In practice, however, providers' default answer is almost always “no,” which is why HHS should provide a more enforceable right here.

Response

We acknowledge that, as structured, some elements of the right to request restrictions may benefit patients who can self-pay rather than those who are unable to do so. However, the provision requiring covered entities to agree to certain requests is statutory, and it also aligns with HIPAA requirements pertaining to requests for restrictions by self-pay patients. The Department also acknowledges and is working to address disparities in access to SUD treatment.

U.S. Dep't of Health and Human Servs., “Under HIPAA, may an individual request that a covered entity restrict how it uses or discloses that individual's protected health information (PHI)?” (Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/3026/under-hipaa-may-an-individual-request-that-a-covered-entity-restrict-how-it-uses-or-discloses-that-individuals-protect-health-information/index.html.

See, e.g., Substance Abuse and Mental Health Servs. Admin., “Behavioral Health Equity,” https://www.samhsa.gov/behavioral-health-equity; Off. of the Assistant Secretary for Planning and Evaluation, “Meeting Substance Use and Social Service Needs in Communities of Color” (2022), https://aspe.hhs.gov/reports/substance-use-social-needs-people-color.

Comment

One county government stated that in its experience there are very few requests for restriction received each year and virtually none are agreed to because of the related operational challenges. An academic health center said that in its experience of patients who request restrictions annually, only a relatively small number of restrictions are made in the context of self-pay for services. The center urged HHS to align the request for restriction process for part 2 records with what it views as the already established and operationally familiar process under HIPAA, explaining that from a technological perspective restricting patient information within the organization for TPO is burdensome, and highly error-prone. Restrictions for treatment purposes can endanger patients, as members of the treatment team need information to safely provide care, according to this commenter.

Response

We appreciate this information in response to our request for input in the NPRM. Given that the number of requests for restrictions is small, the overall organizational burden for fulfilling such requests should not be overwhelming. When a regulated entity agrees to a requested restriction, we encourage it to explain to the patient any limits on its ability to ensure that the request is implemented fully.

Comment

A commenter requested that the notice of the right to request limitations on disclosures of health records, and the process for doing so, comply with Federal guidance and best practices for individuals with limited English proficiency and individuals with limited literacy or health literacy skills.

Response

We discuss notice requirements in § 2.22 above. We have in the past stated that materials should take into consideration the cultural and linguistic needs of a provider's patients and be written to be clear and understandable.

82 FR 6052, 6078.

Comment

A privacy foundation cited one of its resources concerning HIPAA and why the right to request restrictions is, in its view, almost meaningless. The commenter suggested that the rule does not require a covered entity to agree to a restriction requested by a patient. More importantly, the covered entity does not have to agree even if the patient's request is reasonable. If HHS does not require a covered entity to respond to a patient's request for restriction, even to state whether the request is granted or declined, the right to request restrictions is meaningfully diminished, according to the commenter, which added that in some cases the right to request restrictions will be—for all intents and purposes—abrogated where the request is never given any response.

Response

As finalized, we believe this section is consistent with HIPAA as well as CARES Act requirements. We have provided guidance within HIPAA about requests for restrictions on disclosures of PHI in HIPAA under 45 CFR 164.522. The right to request restrictions must be balanced with other regulatory requirements and patient needs, such as for emergency treatment even when use of records has been restricted. We also note that as required by § 2.26(a)(6)(ii), a part 2 program must implement restrictions on disclosure when requested by a patient if a record pertains solely to a health care item or service for which the patient, or person other than the health plan on behalf of the patient, has paid the part 2 program in full.

“Under HIPAA, may an individual request that a covered entity restrict how it uses or discloses that individual's protected health information (PHI)?” supra note 245; U.S. Dep't of Health and Human Servs., “Uses and Disclosures for Treatment, Payment, and Health Care Operations” (Apr. 3, 2003), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.

Comment

An SUD provider recommended eliminating the ability for tailored restrictions by patients. Additionally, should the Department implement this requirement, the provider requested that the regulations clarify whether a part 2 program is responsible for notifying other recipients of part 2 information if a patient decides to restrict future disclosures.

Response

As explained, we are finalizing the proposed requirements. Redisclosure provisions are discussed in this rule in §§ 2.12(d) and 2.33. As we note, consistent with the Sense of Congress in the CARES Act, section 3221(k)(3), covered entities, including those covered entities that also are part 2 programs, should make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding a particular use or disclosure. This would apply should a patient subsequently modify a request under this section.

Comment

An advocacy group supported the proposed right of patients to request privacy protections as a means of building trust with the patient but urged HHS to adopt as reasonable and practicable a standard as possible when adopting this proposal. Some patient requests may not be feasible, and a part 2 program should not have to comply with requests that are overly burdensome or impractical.

Response

We draw attention to the Sense of Congress expressed in the CARES Act that “[c]overed entities should make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding such use or disclosure,” and we encourage part 2 programs to do so as well. We believe that this language makes it clear that reasonable effort is expected and that it may be balanced by what is feasible. We believe that a program should not condition treatment on a TPO consent unless it has some capacity to fulfill patients' requests for restrictions on uses and disclosures for TPO such that “every reasonable effort” has some meaning. We are finalizing as proposed in § 2.22 a requirement to include in the Patient Notice a statement that the patient has the right to request restrictions on disclosures for TPO and in § 2.26 a patient's right to request restrictions.

See section 3221(k)(3).

Comment

With respect to proposed § 2.26(a)(4), a health system suggested that a request to restrict access to records for treatment purposes would likely not be granted since such a restriction could not be reasonably guaranteed in an EHR. In its system, part 2 programs have been implemented as restricted departments. Access controls have been implemented to permit emergency physicians to access such records by breaking the glass and documenting the purpose of access. At this time, the commenter believed that there is not a practical way to operationalize the inclusion of additional language in the break the glass process so emergency physicians could view language to not further use or disclose this information.

Response

As finalized, § 2.26(a)(4) states that “[i]f information from a restricted record is disclosed to a health care provider for emergency treatment under paragraph (a)(3) of this section, the part 2 program must request that such health care provider not further use or disclose the information.” Section 2.26(a)(3) permits use of restricted records for emergency treatment. While we have stated in this rule that data segmentation is not required, we also stated in 2017 that “data systems must be designed to ensure that the part 2 program is notified when a ‘break the glass’ disclosure occurs and part 2 records are released pursuant to a medical emergency. The notification must include all the information that the part 2 program is required to document in the patient's records.” We recognize that EHR systems have varying degrees of functionality for implementing requested restrictions and programs are in different stages of updating their systems; however, we believe that programs need to evaluate how the limitations of their EHRs may affect patient choice and develop policies accordingly. For example, if a program conditions treatment on a patient's TPO consent and the patient agrees to sign the consent, but only if their records are not provided to a certain provider, the program should have the means to accommodate the request and, if not, allow the patient to sign a more limited consent as appropriate within the context. While lack of EHR system capability may be a valid rationale for not accommodating some patients' requests for restrictions, it may also be a basis for not adopting a policy of conditioning treatment on signing a single consent for all TPO if the program has no other mechanism available to limit disclosures of part 2 records in the event that patients request restrictions.

82 FR 6052, 6096.

Final Rule

We are finalizing this new section as proposed. We also note the Sense of Congress expressed in section 3221(k)(3) of the CARES Act stating that “[c]overed entities should make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding a particular use or disclosure.” We also encourage part 2 programs that are not covered entities to make such efforts. OCR has provided examples in guidance about the analogous HIPAA provision that could demonstrate “reasonable effort” to operationalize compliance with a patient's request for a restriction including in circumstances when an individual is unable to pay for their health care in full. For instance, consistent with 45 CFR 164.522(a)(1)(vi) we cite the example that “if an individual pays for a reproductive health care visit out-of-pocket in full and requests that the covered health care provider not submit PHI about that visit in a separate claim for follow-up care to their health plan, the provider must agree to the requested restriction.” If an individual wishes to not receive fundraising communications, we noted in preamble to the 2013 Omnibus Final Rule that “[c]overed entities should consider the use of a toll-free phone number, an email address, or similar opt out mechanisms that provide individuals with simple, quick, and inexpensive ways to opt out of receiving further fundraising communications.” For instance, a covered entity might develop a phone-based process that supports individuals in making appropriate requests for restrictions on use and disclosure of PHI.

“Under HIPAA, may an individual request that a covered entity restrict how it uses or discloses that individual's protected health information (PHI)?” supra note 245.

78 FR 5565, 5621 (Jan. 25, 2013).

See Ctrs. for Medicare & Medicaid Servs., “CMS Security and Privacy Handbooks,” https://security.cms.gov/learn/cms-security-and-privacy-handbooks; Ctrs. for Medicare & Medicaid Servs., “CMS Privacy Program Plan,” https://security.cms.gov/policy-guidance/cms-privacy-program-plan.

Some entities also have developed specific forms to facilitate compliance with 45 CFR 164.522 requirements. Similar reasonable efforts could be used to operationalize requests for restrictions in § 2.26 as finalized, such as supporting options for a patient wishing to restrict disclosures for TPO.

See Kyle Murphy, “How IHS plans to implement the HIPAA Privacy Rule,” HealthITSecurity (Jan. 11, 2013), https://healthitsecurity.com/news/how-ihs-plans-to-implement-the-hipaa-privacy-rule (discussing Indian Health Service efforts). See also Indian Health Service, “Patient Forms,” https://www.ihs.gov/forpatients/patientforms/.

Section 2.31—Consent Requirements.

Section 2.31(a) Requirements for Written Consent

Proposed Rule

The Department proposed to align the required elements for a part 2 consent in paragraph (a) with the required elements of a HIPAA authorization, to include: the patient's name; the person or class of persons making the disclosure; a description of the information to be disclosed in a specific and meaningful fashion; a designation of recipients; a description of the purpose or if no stated purpose, “at the request of the patient;” the patient's right to revoke consent and how to do so; an expiration date or event; the patient's or authorized person's signature; and the date signed. In addition, the Department proposed several provisions in the consent requirements to support implementation of the CARES Act requirement to permit a single consent for all future uses and disclosures for TPO, as listed below:

  • The recipient may be a class of persons including a part 2 program, covered entity, or business associate and the consent may describe the recipient as “my treating providers, health plans, third-party payers, and those helping operate this business” or use similar language. The consent also may include a named intermediary under paragraph (a)(4)(ii), as applicable.
  • The statement, “for treatment, payment, and health care operations” is a sufficient description of the purpose when a patient provides consent for all future uses or disclosures for those purposes.
  • The required expiration date or event may be “none” for a consent for all future uses and disclosures for TPO.
  • The consent must include:

○ The statement that the patient's record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.

○ A statement about the potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part.

○ The consequences to the patient of a refusal to sign the consent.

The Department proposed to require that a consent to disclose part 2 records to intermediaries state the name(s) of the intermediary(ies) and one of the following:

  • The name(s) of member participant(s) of the intermediary; or
  • A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed.

The Department proposed to remove from the consent requirements a required statement of a patient's right to obtain a list of disclosures made by an intermediary.

Finally, the Department proposed wording changes to replace the term “individual” with the term “person” to comport with the meaning of person in the HIPAA regulations and consistent with similar changes proposed throughout this part.

Required Elements of Consent

Comment

Some commenters who supported the proposed alignment of part 2 with the HIPAA regulations expressed enthusiasm for what they described as a long-awaited change that would support the streamlining of administrative processes, improvements in care coordination, and reduced inequities in how SUD treatment is viewed compared with general health care. One commenter specifically appreciated the clarification that electronic signatures are permitted. An Indian health board noted that allowing American Indian/American Native patients to identify a “class of participants” with a treating provider relationship (like a “health care team”) within a single prior consent would facilitate care within the Indian health system. Another supporter pointed out that including “use” as well as “disclosure” clarifies the consent form and noted that informing patients about the ability for information to be redisclosed is also important. A health information management association described the changes as “removing regulatory morass.” A health plan believed that the proposed changes “mak[e] it easier to comply with both regulatory requirements [of part 2 and the HIPAA regulations] without adding an additional layer of regulatory burden. The statutorily required six elements [of a consent] noted above as well the additional explanations for failing to sign a consent will better ensure that patients are apprised of their rights under Part 2 and instill patients' trust.”

Response

We appreciate the comments about our efforts to improve health care and reduce burdens on regulated entities by aligning the required elements of the written consent for disclosure of part 2 records with the required elements of a HIPAA authorization to disclose PHI.

Comment

Many commenters requested clarification and simplification of the consent requirements. One commenter recommended that the Department develop model consent language, limited to a single comprehensible paragraph with an option to find further information online, such as through a scannable QR code. Some commenters stated that the part 2 consent is vague, complicated, and difficult to read and should be simplified into plain language for an ordinary person and they opposed the proposed changes to consent. They also urged the Department to “prioritize transparency.” Another commenter asserted that it is in providers' best interests to inform patients “of their rights in a straightforward, easy-to-understand manner, focusing on how their information will be used and who will have access to it.”

Response

We appreciate the comments recommending simplification and streamlining of the required consent and will consider the various suggestions for doing so as we develop guidance or other materials. We agree that consent should be in plain language that ordinary readers can understand and believe that the required statements can be drafted in that manner.

Comment

Several commenters believed that since the proposed part 2 consent requirements are like a HIPAA authorization, it is confusing to have similar documents with different purposes. They recommended that the consent process be easily folded into existing HIPAA compliance processes, preferably incorporating the acknowledgment of receipt of the HIPAA NPP and the patient's part 2 consent into the same document.

Response

We appreciate the concern and believe that aligning the required elements of a part 2 consent with those required for a HIPAA authorization will facilitate the use of a single form by part 2 programs that are covered entities, and thus must meet both sets of requirements.

Comment

Several commenters suggested ceasing use of the word “consent” when referring to disclosure of records and using the term “authorization” instead.

Response

We decline to make this change because covered entities and part 2 programs, particularly those that are not covered entities, are still obligated to comply with differing sets of disclosure permissions. Moreover, 42 U.S.C. 290dd–2, as amended by the CARES Act, continues to expressly refer to consent and thus this final rule remains consistent with statutory terminology.

Although we are modifying the requirements for a part 2 consent to align more closely with a HIPAA authorization, the scope and effect of these documents continue to differ in meaningful ways. For example, a part 2 consent is required for uses and disclosures of part 2 records for TPO, but a HIPAA authorization is not required for uses and disclosures of PHI for TPO. The part 2 consent is required for part 2 programs and the authorization is for covered entities and business associates. Because of these and other differences, we believe using the term “authorization” for individual permission under HIPAA as well as for patient permission under part 2 would create confusion.

Comment

An academic medical center suggested making no changes to part 2 consent requirements for HIPAA covered entities, but instead allowing them to use the HIPAA authorization to obtain consent for TPO and to use the patient's right to request a restriction for more granular consents, such as for disclosure limited to a specific provider.

Response

We assume in this response that the granular consent referred to in the comment is a consent for some aspects of TPO, but not the full scope of the TPO consent. We decline to adopt this suggestion in its entirety because the HIPAA authorization applies to a narrower set of uses and disclosures than part 2 and does not have all the required elements of a part 2 consent. For example, the consent, as finalized here, requires a statement about the potential for records to be redisclosed by the recipient when they are disclosed under a TPO consent, and it contains special requirements for disclosures through an intermediary. Covered entities that are also part 2 programs will have more flexibility under the final rule consent requirements, so that they may be able to use a single form that meets the applicable requirements of a part 2 consent and a HIPAA authorization. Covered entities that are recipients of part 2 records but are not operating a part 2 program do not need to create or use a part 2 consent. Instead, covered entities that are not part 2 programs may use a HIPAA authorization to disclose part 2 records they receive provided that the authorization is not for the release of medical or other information generally. The authorization form must be specific to part 2 records or records of SUD treatment rather than “my medical records,” so that it identifies the information in a specific and meaningful fashion according to § 2.31.

Comment

In addition to supporting the proposal to allow a single consent for all future uses and disclosures for TPO, a county government recommended that programs be allowed to rely on verbal consent when making patient referrals, particularly at the initial stages of patient access to and engagement in treatment and requested regulatory guidance on how to do so. The commenter explained the importance of verbal consent for referral or intake purposes before a treatment relationship has been established in many instances. In the alternative, the commenter suggested creating a safe harbor from part 2 violations “for providers who share information based on a verbal consent to refer a patient for treatment (which may first take place through a call center) and then later request written consent at the first appointment with the patient to share for TPO purposes.”

Response

We decline to adopt an express permission to accept a verbal consent to disclose part 2 records for purposes of intake and referral because prior written consent is a statutory requirement in 42 U.S.C. 290dd–2(b)(1)(A); however, some options for handling referrals verbally may be available depending on the circumstances. One approach would be to provide de-identified information about the patient to a potential treatment provider to determine if a placement is suitable and available, and then either provide referral information to the potential patient so that they can contact the new provider independently or include the patient in a three-way call with the second provider and allow the patient to provide identifying information directly to that provider. In a medical emergency involving an attempted overdose or similar crisis, a program could disclose part 2 records to a hotline call center as needed to provide treatment. Similarly, in 2020 the Department amended part 2 to permit disclosures of patient information to another part 2 program or other SUD treatment provider during State or federally-declared natural and major disasters when a part 2 program is closed or unable to provide services or obtain patient informed consent.

85 FR 42986, 43018.

Comment

A commenter recommended that, after obtaining the original written consent, programs should be required to notify patients before each use, disclosure, and redisclosure of their part 2 records and give them the opportunity to rescind consent.

Response

This recommendation runs counter to the CARES Act requirement to allow a single consent for all future uses and disclosures for TPO. Further, we do not believe it would be practical to require that patients be notified and given the opportunity to rescind consent before each use, disclosure, and redisclosure of their part 2 records, and it would likely create a large increase in burdens for programs and other entities subject to part 2 requirements. That said, nothing in the rule prohibits programs from notifying a patient before a particular use or disclosure of their part 2 records.

Designation of Recipients and Purpose

Comment

Several commenters recommended complete removal of the consent requirement for TPO, stating that the new disclosure permission does not go far enough to align with HIPAA.

Response

This recommendation exceeds the scope of the changes authorized under the CARES Act amendments to 42 U.S.C. 290dd–2. The CARES Act did not eliminate the statutorily mandated consent requirement for TPO uses and disclosures.

Comment

A few organizations requested clarification of whether the phrase, “people helping to operate this program,” in the general designation for a TPO consent includes case management and care coordination providers and suggested that it should.

Response

We agree with the commenters that within the part 2 context, “people helping to operate this program” could include case management and care coordination providers who are QSOs. Disclosures to case management and care coordination providers who are not QSOs would also be permitted under a TPO consent as disclosures for treatment. Regarding the TPO consent, the phrase “people helping to operate this program” is intended to cover those who are not part 2 program personnel and who would be QSOs (or business associates for part 2 programs that are covered entities).

Comment

Some commenters generally opposed the proposed change to permit a single consent for all future uses and disclosures for TPO in part because it would not require designating specific recipients.

Response

The CARES Act amended 42 U.S.C. 290dd–2 to restructure the statutory permission to disclose part 2 records with consent for TPO. Thus, the Department is required to implement the consent requirements for the new disclosure and redisclosure permissions. The CARES Act amendments preserved the requirement to obtain initial consent and the prohibition against use of records in proceedings against a patient—both core elements of the part 2 confidentiality protections for SUD records. We further discuss the single TPO consent in § 2.33.

Uses and Disclosures With Written Consent

Comment

Commenters opposing use of a single TPO consent recommended that the consent provide clear options for the types of consent a patient may sign, which would include a consent for a specific, one-time use or disclosure. The commenters believed that this approach would allow patients to understand their options and to avoid being pressured into signing a TPO consent because they mistakenly believe it is their only option.

Response

We agree that part 2 programs should ensure that patients understand their consent options—which include signing a consent for a specific, one-time use or disclosure—and we encourage programs to draft their consent in a manner that is clear and easy to understand. Congress urged the Department to provide incentives to programs for explaining to patients the benefits of sharing their records. Accordingly, the manner in which programs offer information about different consent options should not undermine efforts to explain to patients the benefits of TPO consent. Sections 2.22 and 2.31(a) of this final rule require that part 2 programs notify patients of their rights and obtain consent before using and disclosing records for TPO.

See sec. 3221(k)(5) of the CARES Act.

Comment

Approximately half of commenters on intermediaries opposed the Department's proposal to retain consent requirements for disclosures to intermediaries that differ from consent requirements for disclosures to business associates generally. Of the HIEs and health IT vendors that commented on this set of proposals, most expressed opposition. Opposing commenters believed that the special provisions for intermediaries were a holdover from before the CARES Act and were inconsistent with aligning part 2 with the HIPAA regulations, especially with regard to the new provision to allow a single TPO consent.

The board of supervisors for a large county explained the county's view that the combination of consent proposals (allowing TPO consent and retaining the consent provision for intermediaries) would result in a system where health plans, third-party payers, and business associates may be generally described in a consent as recipients, but these same recipient entities must be specifically named if the disclosure is made through an HIE. According to the commenter, “[t]his imposes a burden on the use of HIEs for enhancing patient care while providing no discernable privacy benefit.”

A state-wide e-health collaborative that administers a network of HINs similarly remarked that if a patient signed a consent form designating “my health plan” as the recipient, the part 2 program would be permitted to disclose such information directly to the health plan, but the program would be prohibited from disclosing that information to the very same health plan if the disclosure was made via an intermediary without specifically naming the intermediary and the health plan. A large health IT vendor also voiced these concerns, describing the potential result as a “two-tiered” system that perpetuates discrimination because patients with SUD cannot reap the benefits of integrated care that is facilitated by shared electronic records.

Response

We appreciate the comments and information about how intermediaries operate and acknowledge that the CARES Act changes to consent for uses and disclosures for TPO and redisclosures by business associates have significantly reduced the need for a regulatory provision for intermediaries. In response to public comments the final rule excludes covered entities and business associates from the definition of “intermediary” in § 2.11. Thus, an HIE, for example, that meets the definition of “business associate” is excluded from the definition of “intermediary” and would not need to be specifically named in the consent—it would fall under the provision for a general designation under a TPO consent in § 2.31(a)(4). Other issues regarding intermediaries are discussed in §§ 2.11, 2.13, and 2.24.

Comment

A commenter recommended changes to § 2.31 that would modify the wording of a consent to specifically permit disclosures to the Food and Drug Administration (FDA) even after revocation of consent.

Response

We appreciate the comment, but believe expressly permitting additional disclosures after revocation of consent, where consent is required, is inconsistent with respecting patient choice. However, there may be circumstances where consent is not required for disclosures to the FDA, for example, if they fall within the provision for program audits and financial evaluations in § 2.53 or public health disclosures of de-identified records under § 2.54.

Comment

One commenter recommended that disclosures to public health authorities be included in the general TPO consent.

Response

The CARES Act mandated that disclosures to public health authorities are permitted without consent, but this permission applies only to records that have been de-identified. Further, the general consent authorized by the CARES Act applies only to uses and disclosures for TPO. Under the HIPAA Privacy Rule, disclosures to public health authorities are not considered disclosures for TPO and we apply this same interpretation to part 2. To the extent that a patient elects to consent to the disclosure of identifiable records to a public health authority, the consent must include a specific designation of the recipient.

Consent for Fundraising and De-Identification Activities

Comment

A commenter suggested that consent for fundraising be offered as an opt-out rather than an opt-in process. Other commenters requested that fundraising not be allowed or that consent for use or disclosure of part 2 information for fundraising be obtained using a separate consent form (i.e., not combined with any other consent). A few commenters stated that part 2 programs did not need to use part 2 records for fundraising purposes.

Response

Under the HIPAA Privacy Rule, fundraising falls within the definition of health care operations. The CARES Act required us to incorporate the definition of health care operations wholesale into this regulation. However, the CARES Act also included a Sense of Congress that health care operations do not include fundraising for purposes of part 2. Thus, taking into account the Sense of Congress, a general TPO consent, without more, is not sufficient to allow the use and disclosure of records for fundraising purposes by a part 2 program that obtains a TPO consent. We considered whether to require a separate consent for an entity's fundraising activities, but determined that offering an opt-out for fundraising on the same form as consent for TPO would place appropriate guardrails on fundraising uses and disclosures consistent with the Sense of Congress without increasing burdens for part 2 programs. Part 2 programs, covered entities, and business associates that receive part 2 records under a TPO consent would be permitted to use and redisclose the records according to the HIPAA requirements. We are implementing the requirement at 42 U.S.C. 290dd–2(k)(4) to add the definition of “health care operations” to this regulation as it is defined in HIPAA, and operationalizing the Sense of Congress for fundraising purposes.

45 CFR 164.501 (definition of “Health care operations,” paragraph (6)(v)).

See section 3221(k)(4) stating that paragraph (6)(v) of “health care operations” in 45 CFR 164.501 shall not apply.

Comment

In the NPRM, we requested comment on whether the Department should require entities subject to part 2 requirements to obtain consent to use records for de-identification purposes and whether such consent should be structured to provide patients with the ability to opt in or opt out of having their records used in this manner. One commenter, an HIE, opined that the Department should not mandate either option because when de-identification is done appropriately through the expert determination method or the safe harbor method under 45 CFR 164.514(b), there is no possibility that information will be reidentified.

Response

As we explained in the NPRM, although we believe that an opt-in requirement would offer more patients more control over their records and best fulfill privacy expectations, we also believe that requiring patient consent for de-identification activities would be inconsistent with—and potentially hinder—the new permission to disclose de-identified information for public health purposes under 42 U.S.C. 290dd–2(b)(2)(D), as amended by section 3221(c) of the CARES Act. Such a requirement also would create a barrier to de-identification in a manner that negatively affects patient privacy by increasing permissible but unnecessary uses and disclosures of identifiable part 2 records in circumstances when de-identified records would serve the intended purpose.

Implementation Concerns

Comment

One commenter recommended that the Department work with ONC and provide guidance, technical assistance, and model forms to assist regulated entities to comply with the proposed changes to consent.

Response

We will continue to work with our Federal partners, including ONC, as needed to provide guidance, technical assistance, and model forms for regulated entities.

Comment

Another commenter requested clarification of whether consent could be broadly obtained and apply to a patient's entire historical record maintained by a part 2 program.

Response

Yes, a consent may apply broadly to all future uses and disclosures for TPO and may apply to a patient's entire treatment record.

Expiration of Consent

Comment

A managed care organization requested clarification that an expiration date is not required, consistent with the HIPAA Privacy Rule.

Response

The commenter is correct in observing that an expiration date is not required under the modified consent requirements if the consent is for all future uses and disclosures for TPO. As noted in the NPRM, the Department does not intend to create substantive change by replacing “expiration date, event, or condition” with “expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure.” However, the example proposed in § 2.31(a)(7) that allows “none” to be entered if the consent is for a use or disclosure for TPO represents a change from the current part 2 consent. Although the HIPAA Privacy Rule allows an authorization to have “none” as an expiration date or event only in limited circumstances, the ability to enter “none” for a TPO consent under part 2 creates greater consistency with the HIPAA Privacy Rule because the HIPAA Privacy Rule requires neither consent nor authorization for TPO uses or disclosures. Under § 2.31(a)(7) a blank expiration date or event is insufficient, but an actual date is not always required. Other expiration language for a TPO consent that is consistent with 42 U.S.C. 290dd–2(b)(1)(C) is a phrase such as “until revoked by the patient.”

U.S. Dep't of Health and Human Servs., “Guidance: Treatment, Payment, and Health Care Operations” (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.

Comment

One commenter stated that the consent should not be indefinite and suggested that, at a minimum, the written consent should be renewed annually.

Response

Annual renewal of consent is not required under HIPAA, and we are not finalizing a requirement to do so under part 2. This would run counter to the permission to provide consent for all future uses and disclosures for TPO. However, we recognize that it may be valuable to periodically ensure that all patient documentation is up to date and that it may be a good practice to invite patients to review their consent choices and any documents designating surrogate decision makers, such as medical powers of attorney. We view this as a matter of good practice, rather than a legal requirement.

Conditioning Treatment on Consent

Overview of Comments

A professional association for SUD providers and 10 state affiliates as well as a major health plan/health insurer (who otherwise supported the TPO consent) opposed allowing part 2 programs to condition treatment on the signing of a single consent for all future uses and disclosures for TPO.

Comment

An SUD provider requested clarification about conditioning treatment on signing consent to disclose records and whether the Department intended the required statement about the consequences of not signing the consent to mean that part 2 programs will not have to comply with the HIPAA Privacy Rule (which generally prohibits conditioning treatment on signing an authorization).

Response

A part 2 program is not subject to the HIPAA Privacy Rule unless it is also a covered entity. The substantive differences between the HIPAA Privacy Rule and part 2 regarding conditioning treatment on signing a consent or authorization arise from the fact that the HIPAA Privacy Rule does not require any type of consent or authorization for TPO. Thus, the need to condition treatment, for example, on an authorization for payment disclosures, does not arise under HIPAA. However, part 2 expressly allows conditioning treatment on a consent for disclosures for payment, for example, in § 2.14 (Minor patients). And we stated in the NPRM preamble that a “Part 2 program may condition the provision of treatment on the patient's consent to disclose information as needed, for example, to make referrals to other providers, obtain payment from a health plan (unless the patient has paid in full), or conduct quality review of services provided.” Because the prohibition on conditioning treatment on a signed authorization under HIPAA does not track closely to part 2, we are adopting, as proposed, only language from paragraph (c)(2)(ii)(B) of 45 CFR 164.508, and only a modified version of the first part of that paragraph. Thus, with respect to conditioning treatment on consent, § 2.31 requires a statement of “the consequences to the patient of a refusal to sign the consent.”

U.S. Dep't of Health and Human Servs., “What is the difference between ‘consent’ and ‘authorization’ under the HIPAA Privacy Rule?” (Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.

Comment

Several commenters asserted that part 2 programs should not be permitted to condition treatment on a requirement that the patient sign the general TPO consent. They asserted that this could create a barrier to treatment or harm patients' privacy interests. A few of these commenters recommended that, if conditioned consent were allowed, the minimum necessary requirement should apply to any such disclosures.

Response

The availability of a single consent for all future uses and disclosures for TPO raises new considerations for patient confidentiality and ethical practice if access to treatment is conditioned on signing such a consent. Congress did not directly address whether a program may condition treatment on a TPO consent, but emphasized guardrails to ease privacy concerns in section 3221 of the CARES Act. We believe that a program should not condition treatment on a TPO consent unless it has taken reasonable steps to establish a workable process to address patients' requests for restrictions on uses and disclosures for TPO. We are finalizing as proposed in § 2.22 the rule of construction that a patient has the right to request restrictions on disclosures for TPO and in § 2.26 a patient's right to request restrictions. Additionally, the existing rule provides that all disclosures of part 2 records should include only the information necessary for the purpose of the disclosure.

Comment

Several other commenters requested clarification of what is needed to give patients notice that treatment may be conditioned on signing consent for TPO.

Response

The regulation does not require specific language; however, consent for TPO use and disclosure should include a statement that patient consent is needed (or required) to allow the program to use and disclose the patient's records for TPO (or “to help the program operate its health care business”) or something similar. The final rule also requires a statement or statements explaining the consequences of failing to sign, based on the program's consent policies. For example, a program may decide not to provide ongoing treatment although it allows for an initial evaluation, or it may require payment before services are provided, or it may offer a more narrow or specific consent option. The program is not required to do so, but may find it helpful to point to the patient's right to request restrictions on TPO disclosures and the program's commitment to accommodate such requests. We assume that programs will carefully consider their goals, treatment population, and professional standards in deciding how to fashion a statement about conditioning treatment on signing a TPO consent. New patients are likely to be more hesitant about signing broad disclosure permissions than existing patients who have an established rapport with staff.

Final Rule

The final rule adopts all proposed modifications to § 2.31(a), but refers to “HIPAA regulations” in place of the references to 45 CFR 164.502 and 164.506. This modification aligns with the addition of the new defined term, “HIPAA regulations.”

Section 2.31(b) Consent Required: SUD Counseling Notes

In the NPRM, we requested comments on a potential definition of “SUD counseling notes” and specific consent provisions regarding these notes. We offered for consideration that a separate consent requirement, if adopted, would not apply to SUD counseling notes in certain specific situations such as when such information was required for the reporting of child abuse or neglect, needed for the program to defend itself in a legal action or other proceeding brought by the patient, or required for oversight of the originator of the SUD counseling notes.

See full discussion at 87 FR 74216, 74231.

Overview of Comments

We received comments in support of the proposal, asking for modification, and expressing concern about consent provisions related to SUD counseling notes. We also received comments on such issues as whether a separate consent should be required for SUD counseling notes, the similarity or distinctions between psychotherapy notes under HIPAA and SUD counseling notes, and patient rights to access such notes. We respond to these comments below. Comments primarily relating to the proposed definition of “SUD counseling notes” are discussed in § 2.11.

Comment

We received support for the proposals in the NPRM concerning SUD counseling notes from commenters such as HIE/HINs, state and local agencies, and recovery organizations for treating SUD counseling notes under § 2.31 similar to psychotherapy notes in the HIPAA Privacy Rule by requiring a separate written consent for their disclosure. These commenters believed a separate consent would serve as an added layer of protection to patients receiving service under § 2.31. A medical professionals association believed that parties are already familiar with how to comply with psychotherapy notes under HIPAA. If such a category is created, the association urged the Department to issue clear guidance to make the segregation of these counseling notes as easy as possible so that part 2 programs do not have to take repetitive actions that would add to their administrative burden.

Response

We appreciate these comments and are finalizing provisions in this section that require a program to obtain separate consent for any use or disclosure of SUD counseling notes subject to certain specific listed exceptions. We will consider what additional guidance may be helpful on these issues after the rule is finalized.

Comment

According to several SUD and recovery associations, notes often contain highly sensitive information that supports therapy. Limiting access to these notes is critical to protect the therapeutic alliance, given the unique risks patients face from inappropriate sharing of the highly sensitive information in these notes. A health care provider believed the SUD counseling note provision would allow a SUD provider the ability to more accurately capture critical impressions of his or her patient without running the risk that it could adversely impact the patient or the provider-patient relationship.

A few HIE associations commented that providers rarely use the option to keep psychotherapy notes as defined in the HIPAA regulations; instead, the type of information previously envisioned to be included in the psychotherapy note is now included in “progress notes” or the information is not captured and documented in an EHR. If organizations move towards utilizing a separate category for SUD counseling notes, it could lead to information either not being documented, or to important information not being captured at all, which is against the principles of interoperability supported by these associations and the Federal Government, these commenters asserted. A hospital said that in its experience clinicians, both internal and external to its organization, usually refer to these types of notes as “process notes” which are not part of the designated record set and are not documented in the EHR. This commenter also has heard from clinicians that these types of notes are rarely used.

A medical professionals association believed that SUD counseling notes should be separated from the rest of the patient's health record, to allow a firewall between notes used by the individual therapist or treating professional and the rest of the patient's health record (such as diagnosis, functional status, treatment plan, symptoms, prognosis, start and stop times, modalities and frequencies of treatment, medication prescription and monitoring, and results of clinical tests) that is designed to be shared, as appropriate, with other health care entities. According to this association, psychotherapy notes provide a vital tool for psychologists to protect sensitive therapy details from third parties. These notes are a way for psychologists to protect patient privacy as to sensitive details that are important for the psychologist to remember, but that do not need to be shared with other health care entities.

Response

We discuss our changes to the definition of “SUD counseling notes” in § 2.11 above. We intend for SUD counseling note provisions in 42 CFR part 2 to parallel the HIPAA psychotherapy note provisions.

As discussed elsewhere in this rule, psychotherapy notes are part of the designated record set. See “Individuals' Right under HIPAA to Access their Health Information 45 CFR 164.524,” supra note 159.

Providers may vary in their use of SUD counseling or psychotherapy notes. Moreover, some providers in behavioral health or other medical practices also may use “open notes” intended to permit patient access to EHRs, including provider notes. The preamble to the 2000 HIPAA Privacy Rule explained that “process notes capture the therapist's impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record, and are used by the provider for future sessions.” The preamble further noted that “[w]e were told that process notes are often kept separate to limit access, even in an electronic record system, because they contain sensitive information relevant to no one other than the treating provider. These separate ‘process note’ are what we are calling ‘psychotherapy notes.’” By contrast, progress notes (referred to as “progress to date” in our definition of “SUD counseling notes”) would be included in the patient's medical record or part 2 record.

See Steve O'Neill, Charlotte Blease, Tom Delbanco, “Open Notes Become Law: A Challenge for Mental Health Practice,” Psychiatric Services (2021), https://pubmed.ncbi.nlm.nih.gov/33971748/.

65 FR 82461, 82623.

We also believe that licensed part 2 program providers that are especially trained in the handling of these types of records (i.e., familiar with and qualified to maintain separate session notes) will likely be able to understand and apply special requirements to protect these types of notes. We also reiterate from the NPRM that “[i]f SUD treatment is provided by a mental health professional that is a Part 2 program and a covered entity, and the provider creates notes of counseling sessions that are kept separate from the individual's medical record, those notes would be [considered] psychotherapy notes as well as Part 2 records.”

Comment

A health IT vendor was not opposed to the proposal to create special protections for SUD counseling notes but urged the Department to develop guidance for effective implementation. Also, although it seems reasonable to this commenter to align the SUD counseling note consent requirements to the HIPAA psychotherapy note consent requirements, any requirement for “a separate written consent that is not combined with a consent to disclose any other type of health information” could be burdensome for providers who provide services to dually diagnosed (mental health and SUD) consumers.

Response

We are finalizing a modification to permit consent for use and disclosure of SUD counseling notes to be combined with another consent for use and disclosure of SUD counseling notes. Combining a consent for disclosure of SUD counseling notes with an authorization for the use and disclosure of psychotherapy notes is not permitted under the HIPAA Privacy Rule. Further, we are not aware that psychotherapy notes or SUD counseling notes are disclosed with such frequency as to create a burden for providers.

Comment

A medical professional association interpreted the NPRM to suggest that SUD counseling notes, like psychotherapy notes, would generally not be accessible to patients. The association said that in most states, patients have full or only slightly limited access to these notes. The reason is that HIPAA's preemption requirement gives priority to state laws that give patients greater access to their records. Since most state laws on access to mental health records do not contain an exemption for psychotherapy notes, those laws are not preempted by the HIPAA provision denying patients access to psychotherapy notes. The association believed that the main exception to this effect is in the minority of states that have changed their patient access laws to align with HIPAA, including the exclusion of psychotherapy notes from the patient's right to access their mental health records. The association anticipated that the creation of SUD counseling notes would have a similar effect on patient access except to the extent that state laws on patient access to records exclude, or are otherwise different for, SUD records.

Response

Under the HIPAA Privacy Rule, patients do not have a right of access to psychotherapy notes. We have noted that while there is no right of access to psychotherapy notes, “HIPAA generally gives providers discretion to disclose the individual's own protected health information (including psychotherapy notes) directly to the individual or the individual's personal representative.” Under HIPAA, psychotherapy notes must be maintained separately from the rest of the individual's medical record. We establish a similar expectation with respect to SUD counseling notes in this final rule.

See 65 FR 82461, 82554; 45 CFR 164.524(a)(1)(i).

See U.S. Dep't of Health and Human Servs., “Information Related to Mental and Behavioral Health, including Opioid Overdose” (Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html.

Under the existing (and final) rule, part 2 programs are vested with discretion about providing patients with access to their records. Section 2.23 neither prohibits giving patients access nor requires it and a part 2 program is not required to obtain a patient's written consent or other authorization to provide such access to the patient. We confirm here that SUD counseling notes fall within the scope of part 2 records although they are separated from the rest of the patient's SUD and medical record under § 2.11 (SUD counseling notes). The final rule therefore does not require under § 2.23 that SUD counseling notes be disclosed to the patient, but a clinician may choose to do so voluntarily.

We assume that SUD treating professionals are aware of the statutory and regulatory requirements in their state pertaining to patient access to records, including access to separately maintained notes of counseling sessions, and considered state requirements when making decisions about whether to adopt the use of the SUD counseling notes provision in this final rule.

Comment

A medical professional association commented that since SUDs are frequently a dual diagnosis with mental health disorders, it is appropriate for SUD counseling notes to be like psychotherapy notes. This approach would lessen the provider's burden when treating dual diagnoses by requiring the same type of notes.

The association described its concerns, however, that a separate consent requirement, if adopted, not apply to training programs that students, trainees, or practitioners use to improve their skills in a SUD treatment environment. The commenter requested that we consider patient consent for educational training using audio or video recordings. Another professional association echoed support for allowing use or disclosure of SUD counseling notes for a program's supervised student training activities.

Response

The final rule expressly provides an exception from requirements for consent to disclose SUD counseling notes when such use or disclosure is made “by the part 2 program for its own training programs in which students, trainees, or practitioners in SUD treatment or mental health learn under supervision to practice or improve their skills in group, joint, family, or individual SUD counseling.” This parallels the exception for psychotherapy notes in the HIPAA Privacy Rule for training of mental health professionals. With respect to audio or video recording, the definition of “SUD counseling notes,” like the definition of “psychotherapy notes” under HIPAA, does not include such recordings.

Comment

We received many comments on segregation or separation of SUD counseling notes from other parts of a patient's medical record. A medical professionals association recommended that SUD counseling notes be handled in the same manner that psychotherapy notes are treated under HIPAA. This category would provide greater protection for SUD counseling notes and limit the notes from being shared under a TPO consent. Providers are already familiar with how to comply with psychotherapy notes under HIPAA. If such a category is created, the association encouraged the Department to issue clear guidance to make the segregation of these counseling notes as easy as possible so that part 2 programs do not have to take repetitive actions that will add administrative burden.

A medical school trade association echoed these comments stating that it supports not disclosing SUD counseling session notes without a separate written authorization or consent. These notes, which are maintained primarily for use by the originator of the notes, should have heightened protections and accountability. This policy would be consistent with the approach that limits the individual's right of access to psychotherapy notes under HIPAA. The association requested HHS explore, in partnership with stakeholders, how these SUD counseling session notes would be best protected while minimizing data segmentation challenges. The association also asked that the Department issue guidance on how these counseling notes could be segregated.

A health IT vendor indicated that it understands the importance of maintaining the confidentiality of counseling sessions and supports maintaining strict protections for counseling session notes. Its platform enables providers to maintain these notes as strictly confidential.

A few professional associations and an individual commenter asserted that segregation of client notes under this section creates an extra burden, which is harder for publicly funded programs without money for the systems.

According to a medical professionals' association, the creation of a distinct class of psychotherapy notes in HIPAA provides an illustrative example of the challenge of implementing specific data protections within a medical record: options for segregating SUD records from other records that require manual or duplicative action by the clinician are likely not viable at scale. Further, the personnel time and infrastructure costs of configuring such an option in the EHR are not negligible.

A county department believed that SUD counseling notes are appropriate to share with the patient upon request. The agency asserted that it would be inadvisable to segregate these notes from the remainder of the medical record, and that it would add undue burden to subject them to a separate patient consent requirement.

An academic medical center stated that even if SUD counseling notes were included in the final rule, it did not anticipate using them. Segregating a progress note would be administratively burdensome to do. Additionally, segregation of information impacts the overall care of the patient by not providing quality continuity of care to patients being treated in SUD programs, according to this commenter. The commenter added, allowing all SUD progress notes related to a patient's care to be accessible and integrated in the EHR would allow the medical team to view and use notes from the patient's SUD course of treatment to care for the patient.

A health insurer asserted that segregation of SUD notes could impede the sharing of information that should be part of the patient's overall part 2 record and information that is critical to support necessary treatment and care coordination. In addition, the commenter stated that such segregation and the attendant requirements attached to these notes (e.g., separate consent required for release) would unduly burden patients, providers, and other stakeholders with no demonstrated justification or value. The commenter requested that, if the Department created a separate category of record information for “SUD counseling notes,” the final rule clarify that this narrow category is limited to contemporaneous notes from an in-person counseling session and not, as was noted in the proposed rule, summary information from the overall part 2 record and information such as diagnosis, treatment plan, progress notes, etc.

Response

We appreciate comments concerning the potential challenges of maintaining SUD counseling notes apart from the medical or part 2 record. “SUD counseling notes” as defined in this rule “are separated from the rest of the patient's SUD and medical record.” Although the definition is neutral regarding the format in which SUD counseling notes are maintained, a key aspect is that they are not generally available to anyone other than the treating clinician. Thus, session notes of an SUD provider that are maintained in an EHR environment where they are accessible by multiple members of the treatment team would not qualify as SUD counseling notes nor receive the additional protection from disclosure.

The final rule's approach to SUD counseling notes and requiring that such notes be separate from other portions of the record is entirely consistent with the long-standing approach regarding psychotherapy notes within HIPAA which dates back to 2000. In the 2000 HIPAA Privacy Rule, we explained that “any notes that are routinely shared with others, whether as part of the medical record or otherwise, are, by definition, not psychotherapy notes, as we have defined them. To qualify for the definition and the increased protection, the notes must be created and maintained for the use of the provider who created them . . . [.]”

65 FR 82461, 82623.

We further elaborated that “[t]he final rule retains the policy that psychotherapy notes be separated from the remainder of the medical record to receive additional protection.” We noted that mental health providers told the Department that “information that is critical to the treatment of individuals is normally maintained in the medical record and that psychotherapy notes are used by the provider who created them and rarely for other purposes.” Similarly, SUD counseling notes support provider recollections of sessions with the patient but are not intended to supplant other information, such as the patient's test results and diagnosis, within the part 2 record or medical record.

Comment

Several commenters raised concerns about SUD counseling notes being distinct from psychotherapy notes under HIPAA. One commenter did not believe these SUD counseling notes with additional protections promote access and exchange of valuable information and preferred an approach that destigmatizes SUD treatment and promotes access to clinically relevant information which is valuable and informative for all TPO purposes.

A state agency believed that SUD counseling notes are qualitatively different than psychotherapy notes and are most frequently maintained by unlicensed providers. The agency is concerned that this change would create additional administrative complexity and compliance challenges for part 2 programs and may have unintended consequences by restricting patient access to, or disclosure of, a significant segment of their SUD treatment records. This change seems unlikely to facilitate information exchange for care coordination purposes, and as such would seem to be inconsistent with many of the other proposed amendments, according to this commenter.

One county health department asserted that the utility of this category of records is likely minimal, and another said that requiring separate consent for SUD counseling notes would counteract the aim of facilitating greater information exchange, with unclear benefits. HHS' proposed consent framework for part 2 records provides patients with sufficient control to limit what substance use treatment information is shared and does not require creation of a category of “SUD counseling notes” with different protections.

A health care provider recommended a different approach whereby all part 2 data is used in a similar manner to psychotherapy notes. This policy would reduce the need for new part 2 workflows and interoperability frameworks. Additionally, by deeming part 2 information identical to a psychotherapy note, that data could also be carved out of the definition of “electronic health information” and would not be subject to the 21st Century Cures Act, but still maintain critical clinical information. For example, results of clinical tests, summaries of diagnosis, functionality status, treatment plan, symptoms, prognosis and progress to date are all excluded from a psychotherapy note. By treating part 2 data or SUD data similar to psychotherapy notes, the most sensitive information made available in a part 2 encounter would continue to be restricted but critical information for treatment and continuity of care would remain available.

A health care provider commented that it did not recommend including special protection for SUD counseling notes by requiring a separate written consent for their disclosure because they are concerned that it would impede care coordination. SUD counseling notes may contain clinically relevant information and be useful to inform coordinated treatment plans. Also, given the variety of part 2 program structures, as well as differences in state licensing laws, the categorization of personnel who could create or view counseling notes would be confusing to implement and would require significant administrative burden to designate records within the SUD counseling notes category. As a result, the commenter believed that some programs may have difficulty implementing the requirement and be deterred from sharing vital information within the record for TPO purposes.

Response

Use of the SUD counseling notes provision by an SUD professional is voluntary and optional, although a program may adopt a facility-wide policy that either supports or disallows the creation and maintenance of such notes. Also, SUD counseling notes are a subset of a part 2 record and the separate consent requirement would only apply to such notes when they are maintained separately from the rest of the part 2 record. Additionally, the CARES Act, while supporting alignment of HIPAA and part 2, continues to recognize the importance of applying additional protections to SUD information. Accordingly, the Department cannot treat psychotherapy notes and SUD counseling notes as synonymous as this would be contrary to the CARES Act and 42 U.S.C. 290dd–2 as amended. Regarding requests for additional guidance, we may provide additional guidance on these issues after the rule is finalized.

Comment

An academic health center said that as proposed, an SUD counseling note, created by and used by the creating provider, segments patient care and could introduce patient safety risks. Information known to only one member of the treatment team is antithetical to an integrated care approach. The commenter believed that once the patient has provided consent to be treated in our SUD program those records should be visible to the rest of the care team across the covered entity, not just the SUD treatment counselor who created the note or the SUD team.

Response

“SUD counseling notes” as defined in this rule “excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.” SUD counseling notes are intended, like psychotherapy notes, to support an individual provider and are not routinely shared with others. Information critical to patient diagnosis and treatment such as prognosis and test results, should be within the patient's medical record or part 2 record. We do not believe the use of separate SUD counseling notes will impede either integrated care or patient safety; however, a program may adopt its own policy with respect to the use by its clinicians of such notes.

Comment

According to a health IT vendor, the treatment of SUD counseling notes under part 2 raises complexities similar to HIPAA with respect to limits on patient access and the need for a distinct specific consent from the patient. Addressing such matters depends on whether the notes are included in a specific medical record document or record type or commingled with other documentation. The health IT vendor stated that many part 2 providers have not been in a habit of maintaining distinct forms of documents or records that would allow for these provisions to be so simply applied. The commenter urged the Department to develop guidance for their effective implementation. The commenter suggested a single consent option to cover both psychotherapy and SUD counseling notes, not combined with any consent to disclose any other type of health information, to facilitate the release of notes for dually diagnosed consumers being treated by the same provider/provider group. For this and other reasons, it would seem beneficial to this commenter to align these consent requirements as closely as possible to avoid confusion and variations in data exchange rules.

Response

As noted, the Department, including ONC, is working to support implementation of EHRs and health IT within the behavioral health sector. We believe that separate consent for release of SUD counseling notes is important because these notes will be maintained distinctly from other parts of the patient's medical record. This approach is consistent with our approach to psychotherapy notes under HIPAA. According to SAMHSA's National Survey on Drug Use and Health, we know that many patients will have both mental health and SUDs as well as other comorbidities or co-occurring conditions. We believe the definition of “SUD counseling notes” in this final rule and the consent provisions will support integration of care and care coordination for dually diagnosed SUD and mental health patients.

See “Does HIPAA provide extra protections for mental health information compared with other health information?” supra note 157.

See Substance Abuse and Mental Health Servs. Admin., “SAMHSA Announces National Survey on Drug Use and Health (NSDUH) Results Detailing Mental Illness and Substance Use Levels in 2021” (Jan. 4, 2023), https://www.samhsa.gov/newsroom/press-announcements/20230104/samhsa-announces-nsduh-results-detailing-mental-illness-substance-use-levels-2021.

Comment

An insurer suggested that the final rule make clear that this narrow category of SUD counseling notes is limited to contemporaneous notes from an in-person counseling session and not, as is noted in the proposed rule, summary information from the overall part 2 record and information such as diagnosis, treatment plan, and progress notes. The commenter asserted that in practice the HIPAA Privacy Rule's provision on “psychotherapy notes” has been used by some parties as a justification for information blocking and refusal to provide information for TPO in some cases. The commenter believed that similar behavior could occur with this provision if boundaries and limitations are not clearly articulated both in the definition and related provisions of the final rule.

Response

The Department is collaborating to ensure successful implementation of information blocking requirements and acknowledges this commenter's concerns. That said, we believe the final definition of “SUD counseling notes” makes clear that for the purposes of part 2 SUD counseling notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

See “Information Blocking,” supra note 160.

Comment

An HIE/HIN stated its view that adding an additional level of complexity in the consent process is likely to cause confusion and have the practical result of eliminating data sharing in circumstances where Congress intended to facilitate the sharing of data. Should the Department decide to add such a definition, the commenter asked that HHS not prohibit a consent permitting the release of such notes from being combined with a general consent to release part 2 records. The commenter believed that any heightened security requirements could be met by requiring that a consent for release of SUD counseling notes to explicitly reference such notes in conspicuous language separate and apart from any other permissions to disclose data.

Response

As noted, consistent with the Department's approach to psychotherapy notes in HIPAA, we are requiring a separate consent for disclosure of SUD counseling notes and specifically prohibiting combining a consent for disclosure of SUD counseling notes with a consent for disclosure of any other type of health information other than psychotherapy notes. A part 2 consent form may have a combination of options, including a check box for SUD counseling notes. However, when a patient is consenting to disclosure of SUD counseling notes, that is the only type of information that can be indicated on the consent (other than psychotherapy notes). For instance, if a patient checks both “billing information” and “SUD counseling notes,” this consent is not valid to release the SUD counseling notes.

Comment

With respect to the proposed exception for disclosure of SUD counseling notes to lessen a serious and imminent threat to the health or safety of a person or the public, an individual commenter said that the proposed language reflecting this exception, otherwise known as the Tarasoff exception, is too broad.

Tarasoff v. Regents of the Univ. of Cal., 17 Cal. 3d 425 (Cal. 1976).

For an analysis of how this applies under HIPAA, see U.S. Dep't of Health and Human Servs., “If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities? ” (Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2098/if-doctor-believes-patient-might-hurt-himself-or-herself-or-someone-else-it-duty-provider.html.

The commenter stated the objective in this exception is to “lessen” a serious and imminent threat to the health or safety of a person or the public. The commenter believed that this approach was discriminatory because it equated being in treatment for SUD with being an imminent threat from a physical or health perspective. Specifically, the commenter said inclusion of the term “health” was too vague and suggested that, if a person in SUD treatment has HIV, hepatitis B or C, or any other communicable disease, it would become the responsibility of the SUD counselor to determine whether to report that information if the patient is in a conjugal relationship or might expose another person. The commenter argued that it is sufficient to characterize the nature of the imminent physical threat, to assert that the reporter has reason to believe that the imminent physical threat is serious, and to disclose only the personal information that would allow a person to avoid the instigator of the threat or that would allow a person(s) reasonably able to prevent or lessen the threat to do so.

Response

We acknowledge the commenter's concerns about the suggested exception, which we decline to include in the final rule. HIPAA and part 2 provisions on serious and imminent threats and disclosure differ. With respect to preventing harm, the final rule permits use or disclosure of SUD counseling notes under § 2.63(a)(1) and (2) based on a court order to disclose “confidential communications” made by a patient to a part 2 program when necessary to protect against an existing threat to life or of serious bodily injury, or in connection with the investigation or prosecution of an extremely serious crime, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect. When such a use or disclosure is made, § 2.13 provides that “[a]ny use or disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the use or disclosure.” Thus, the information shared under these circumstances or with respect to any disclosure without consent should be the minimum necessary to carry out the purposes of the disclosure.

See83 FR 239, 244; 85 FR 42986, 43003.

Final Rule

As noted, we have finalized a definition of “SUD counseling notes” discussed above in section § 2.11. With respect to consent for use and disclosure of SUD counseling notes we are finalizing the provision as § 2.31(b). The consent requirement does not apply to SUD counseling notes in certain specific situations such as the: (1) use by the originator of the SUD counseling notes for treatment; (2) use or disclosure by the program for its own training programs; or (3) use or disclosure by the program to defend itself in a legal action or other proceeding brought by the patient.

Section 2.31(c) Expired, Deficient, or False Consent

Proposed Rule

The NPRM proposed in paragraph (c)(4) of this section to replace the phrase “individual or entity” with the term “person” to comport with the meaning of person in the HIPAA regulations and as consistent with similar changes proposed throughout this part. The revised language would read, “[a] disclosure may not be made on the basis of a consent which . . . [i]s known, or through reasonable diligence could be known, by the person holding the records to be materially false.” Additionally, the Department solicited comments on whether the final rule should require part 2 programs to inform an HIE when a patient revokes consent for TPO so that additional uses and disclosures by the HIE would not be imputed to the programs that have disclosed part 2 records to the HIE.

False or “Uninformed” Consent

Comment

Several commenters said that the rule should require that programs engage in an “informed consent” process where they explain the nature of the consent and potential consequences to the patient. These commenters urged the Department to adopt an informed consent process.

Response

“Informed consent” generally refers to consent to receive treatment or consent to participate in research. As such, the obligation to ensure that patient consent is informed is outside of the scope of part 2, but is addressed in other law and is part of the professional and ethical requirements for licensed SUD professionals. However, we expect programs to ensure that consent is knowing and voluntary in the sense that the patient understands the consequences of signing or not signing the consent or authorization or that a personal representative provides consent when needed. We believe that consent that has been coerced or unknowing would be invalid and that, in the context of an application for a part 2 court order, the court would decide such matters. In addition, we believe that a consent that is based on false information or a lack of material information about the nature of the disclosure would be considered an invalid consent, as would any consent if the part 2 program knows or has reason to know that the signature was forged.

See Off. of Human Research Protections, “Informed Consent FAQs” (Sept. 24, 2003), https://www.hhs.gov/ohrp/regulations-and-policy/guidance/faq/informed-consent/index.html (discussing the HHS Common Rule and other requirements); Food and Drug Admin., “Informed Consent Guidance for IRBs, Clinical Investigators, and Sponsors” (August 2023), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/informed-consent; American Medical Ass'n, Code of Medical Ethics, Chapter 2, Informed Consent, Opinion 2.1.1, https://code-medical-ethics.ama-assn.org/ethics-opinions/informed-consent; R. Walker, TK Logan, JJ Clark et al., Informed consent to undergo treatment for substance abuse: a recommended approach, 29 J Subst Abuse Treat. 241–51 (2005); Johns Hopkins Medicine, Off. of Human Subjects Research, “Relevant State Law Requirements” (August 2020), https://www.hopkinsmedicine.org/institutional-review-board/guidelines-policies/guidelines/marylandlaw. See also, e.g., 42 CFR 482.24(c)(4)(v).

Revocation of Consent

Comment

Some commenters addressed revocation of consent for use and disclosure of part 2 records, including several member organizations of an HIE/HIN that co-signed a comment letter. Some of these commenters urged that the final rule expressly state that disclosed part 2 records cannot be pulled back from the recipient once released, following a patient's revocation of the original signed consent as stated in the NPRM preamble discussion.

Response

We appreciate the comments and information provided about the consent revocation process, particularly when it occurs in an HIE environment. We reaffirm the statement in the NPRM preamble that revocation does not require pulling back records that have already been disclosed, and we do not believe it is necessary to so state in regulatory text.

Comment

Several commenters recommended that HIEs be informed when a patient revokes consent, including an HIE association, health IT vendors, and a state government agency. One health IT vendor explained that consent revocation mechanisms may be implemented through the Trusted Exchange Framework when made by HIEs and HINs. The vendor asserted that most HIEs already receive notice of revocation when they use a model of exchange in which a potential recipient seeks medical records from another exchange participant and the current status of a patient's consent permission to have their records exchanged is known, including whether a patient has revoked consent. A health plan requested that recipients should be notified so they can stop redisclosing information they already received based on consent.

One commenter asserted that the existing pathways for complying with a more granular consent ( e.g., that is specific to a certain recipient or purpose) should remain available and that HIEs should be informed about changes to consent for disclosures made through the HIE. This commenter recommended that the Department explore further how HIEs learn of the consent status, whether it means that the HIE must directly record the status of a revocation or if the HIE relies on some kind of electronic “polling” of the part 2 program to ascertain if a valid consent remains or has been revoked.

In contrast, a behavioral health network/HIE opposed requiring notice of revocation to an HIE, opining that it is not necessary because—under the CARES Act—once part 2 records are disclosed to a covered entity or business associate they are no longer part 2 records. As such, the commenter stated, the records can be redisclosed without limitation under part 2 even after a part 2 consent to disclose has been revoked.

Response

We appreciate these comments, which provided perspectives on how consent and revocation are communicated through an electronic health exchange. We disagree with the view that once records are disclosed they are no longer part 2 records. Once received by a covered entity or business associate, the part 2 records are also PHI but, under this final rule, do not have to be segregated or segmented from other PHI. However, the records remain subject to the part 2 prohibitions against uses and disclosures for certain proceedings against a patient without written consent or a court order under this part. We agree that programs should convey to recipients when a consent is provided and, where feasible, when it has been revoked. This effort should include using whatever tools are at the disposal of the program to ensure that only consented information is exchanged.

While we appreciate the comments stating that HIEs are able to operationalize a requirement to provide notice of revocation, we are concerned about the burdens that would apply to all programs if we imposed a requirement that programs “must” notify recipients upon consent revocation. Thus, while we are finalizing additional requirements for a copy of consent to travel with each disclosure of records for which consent is required, we decline to adopt a requirement for programs to notify recipients of records of each revocation. The new requirement to attach a copy of consent is discussed under § 2.32 (Notice and copy of consent to accompany disclosure). Regarding revocation, we intend for programs to convey to recipients when a patient has provided written revocation where feasible. When the records have been disclosed through an HIE, the mechanism for informing recipients of a revocation would likely depend on the consent model used by the HIE. But our expectation is that all programs make efforts to initiate actions needed to accomplish the notification and to give full effect to the patient right to revoke consent as stated in the Patient Notice.

Consistent with the recommendation of one commenter to explore further how HIEs learn of the consent status, we intend to monitor how provision of notice of revocation could work across all types of entities, including in a fully electronic environment such as an HIE, but also for stand-alone systems and paper-based exchanges.

Comment

A health information association recommended requiring programs to inform HIEs, and HIEs to follow, a patient's request to revoke consent for distribution of their information for TPO. If patients are not able to stop the exchange of their information once it is released to an HIE, they may hesitate to consent to information being released to an HIE or HIN. If a patient's data is out of date at one provider and the patient cannot revoke consent for that information to be exchanged by an HIE, then they will continue to fight a losing battle to ensure every subsequent record is correct as the HIE may still be exchanging the incorrect information.

Response

The language in the final rule for § 2.31(a)(6) regarding “[t]he patient's right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it [. . .]” is broadly applicable and therefore would include HIEs/HINs. As a result, when an HIE/HIN learns of a patient's revocation of consent they would need to cease using or redisclosing the patient's part 2 record to other entities.

Comment

An academic medical center compared the proposed part 2 TPO consent to a HIPAA authorization for TPO disclosures and explained that during the entire period that the HIPAA Privacy Rule has been effective they were not aware of any patient that sought to revoke a HIPAA authorization for use of their PHI for purposes of TPO.

Response

We acknowledge the similarities and differences between part 2 consent and HIPAA authorization. Under HIPAA, neither consent nor authorization is required for TPO, so the opportunity to revoke such an authorization is unlikely to exist. Revocation of consent is further discussed under § 2.31.

Comment

Some commenters addressed the question of whether a revocation should halt all future uses and disclosures by a recipient or whether a revocation should only prevent any further disclosures to that recipient. Commenters did not show a strong consensus on one approach, although more comments than not supported allowing additional redisclosures following revocation when the information is limited to records already in the possession of the initial recipient. HIE-related comments uniformly affirmed the Department's statement in the NPRM preamble that information did not need to be “clawed back” following a revocation, and several further asserted that an HIE needs to cease making redisclosures of health information it retains once it learns of a revocation of consent or HIPAA authorization. These commenters also urged express clarification that revocation of consent only applies going forward. Commenters that supported the ability to continue making redisclosures of information retained by the recipient requested clarification to reduce concerns by part 2 programs that they could be liable for redisclosures made by recipients after consent has been revoked. As described in the discussion of § 2.13 above, a few HIE/HINs proposed addressing revocation in § 2.13, limiting it to new information received after the revocation, and allowing continued use and disclosure of part 2 records the recipient received prior to the revocation.

Response

As stated in the NPRM, the Department does not expect a part 2 program to “pull back” records that it has disclosed under a valid consent based on a patient's revocation of consent. At a minimum we intend that a written revocation serves to prohibit a part 2 program from making further uses and disclosures of a patient's record according to the scope of the revocation. Based on the public comments received, we also intend that when records have been transmitted through an HIE, the HIE should cease making further disclosures of the patient's record to other member participants. As stated in the NPRM, to fully accomplish the aims of the right to revoke consent, we expect that part 2 programs will work to ensure that any ongoing or automatic disclosure mechanisms are halted upon receipt of a request for revocation.

Certain recipients under a consent for TPO (part 2 programs, covered entities, and business associates) are permitted to redisclose records according to the HIPAA regulations. Under 45 CFR 164.508(b)(5) a covered entity or business associate is required to cease making further uses and disclosures of PHI received once they are informed of an authorization revocation, except to the extent they have already taken action in reliance on the authorization or if it was obtained as a condition of obtaining insurance coverage and other law provides the insurer with the right to contest a claim. We believe this requirement applies equally to revocation of a part 2 consent. This interpretation is revised from the NPRM preamble discussion that proposed a revocation would only be effective to prohibit further disclosures by a program and would not prevent a recipient part 2 program, covered entity, or business associate from using the record for TPO, or redisclosing the record as permitted by the HIPAA Privacy Rule.

Taking into account covered entities' obligations under HIPAA once they are informed of a revocation, we believe they are also obligated to comply with a revoked consent about which they are aware. We do not see a reason for a recipient covered entity to treat a patient's revocation of part 2 consent differently than a revoked HIPAA authorization. For example, if a part 2 program disclosed part 2 records under a TPO consent to a health plan and the patient later revoked that consent, the health plan that is processing a claim may complete the transaction but may not process new part 2 claims for that patient/plan member. In another example, a covered entity health care provider who is currently treating a patient and has received the patient's part 2 records will necessarily need to continue relying on the records it received to continue treating the patient ( e.g., the provider cannot “unlearn” the patient's history); however, it is prohibited from redisclosing the records once the patient revokes consent in writing. Handling revoked authorizations is not a new process for covered entities, and they should therefore be capable of handling revoked consents in the same manner.

Comment

An academic medical center expressed concern about scenarios in which the part 2 program relied on the original consent for a specific use or disclosure, but such use or disclosure may need to occur after such revocation has occurred. Examples include when a patient signs a consent to permit the part 2 program to disclose records for payment purposes, to ensure the program receives appropriate reimbursement for its services but then revokes his or her consent prior to the part 2 program submitting the bill to the patient's payor. According to this commenter, the NPRM seems to suggest that the part 2 program would no longer be permitted to make such a disclosure, despite the fact that the part 2 program agreed to treat the patient on the condition of receiving reimbursement from the patient's payor.

Response

If a disclosure cannot practically or feasibly be stopped after revocation because it is already in process or due to technological limitations, this would constitute reliance on the consent within the meaning of § 2.31(a)(6). For example, such reliance could occur in research or if the patient is being treated for co-occurring disorders for which close consultation among specialists is paramount. Revocation of consent raises some of the same issues as withholding consent and conditioning treatment on consent for necessary disclosures. Thus, a program would need to explain to the patient when it is not feasible to stop or prevent a disclosure from occurring and discuss with the patient the consequences of revoking their consent in some circumstances. It is reasonable that a patient who seeks to revoke consent for disclosure to their health plan would be expected to make another arrangement to ensure payment, which may include paying out of pocket for services.
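The rules stated in the preceding responses combine into a small decision procedure that a consent-management or HIE disclosure pipeline has to implement: the separate-consent requirement for SUD counseling notes (§ 2.31(b), discussed above), the expired, deficient, or false consent conditions (§ 2.31(c)), and the effect of a written revocation, which halts queued and automatic disclosures but neither claws back records already sent nor stops a transaction already in process (the reliance exception in § 2.31(a)(6)). The following Python is an added illustration written for this page; it is not code from the Department or from any vendor, and its data model (a `Consent` with a set of content-type labels, a `Disclosure` with a `queued`/`in_process`/`sent` status, and the content-type strings) is an assumption chosen for the example.

```python
"""Illustrative part 2 consent gate and revocation handling (added example, not HHS code).

Assumed data model: a consent carries a set of content-type labels checked on the
form; a disclosure record tracks whether a transmission is queued, in process, or sent.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Content-type labels are an assumption for this example.
SUD_COUNSELING_NOTES = "sud_counseling_notes"
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"


@dataclass
class Consent:
    consent_id: str
    patient_id: str
    content_types: FrozenSet[str]          # what the patient checked on the form
    expires: Optional[date]                # None = no expiration date/event recorded
    known_false: bool = False              # known or knowable to be materially false
    revoked_on: Optional[date] = None      # date of the patient's written revocation


@dataclass
class Disclosure:
    disclosure_id: str
    consent_id: str
    status: str                            # "queued" | "in_process" | "sent" | "halted"


def counseling_notes_consent_is_separate(types: FrozenSet[str]) -> bool:
    """A consent covering SUD counseling notes may combine only with psychotherapy notes."""
    if SUD_COUNSELING_NOTES not in types:
        return True
    return types <= {SUD_COUNSELING_NOTES, PSYCHOTHERAPY_NOTES}


def consent_permits(consent: Consent, requested_type: str, on: date) -> Tuple[bool, str]:
    """Decide whether a disclosure of `requested_type` may be made on `on` under this consent.

    Order matters: a materially false or expired consent is invalid for everything; a
    revoked consent is invalid from the revocation date forward; a combined form is
    invalid only for the SUD counseling notes it purports to cover.
    """
    if consent.known_false:
        return False, "consent known to be materially false"
    if consent.expires is not None and on > consent.expires:
        return False, "consent expired"
    if consent.revoked_on is not None and on >= consent.revoked_on:
        return False, "consent revoked in writing"
    if requested_type not in consent.content_types:
        return False, "requested information outside the scope of the consent"
    if requested_type == SUD_COUNSELING_NOTES and not counseling_notes_consent_is_separate(
        consent.content_types
    ):
        return False, "SUD counseling notes consent combined with other information types"
    return True, "ok"


def apply_revocation(consent: Consent, disclosures: List[Disclosure],
                     revoked_on: date) -> Dict[str, List[str]]:
    """Record a written revocation and apply it to the program's disclosure queue.

    Queued (including automatic/ongoing) disclosures are halted; a transmission already
    in process completes in reliance on the consent; records already sent are not
    pulled back. Returns the ids in each bucket so the program can notify recipients.
    """
    consent.revoked_on = revoked_on
    outcome: Dict[str, List[str]] = {"halted": [], "completed_in_reliance": [], "already_disclosed": []}
    for d in disclosures:
        if d.consent_id != consent.consent_id:
            continue
        if d.status == "queued":
            d.status = "halted"
            outcome["halted"].append(d.disclosure_id)
        elif d.status == "in_process":
            outcome["completed_in_reliance"].append(d.disclosure_id)
        elif d.status == "sent":
            outcome["already_disclosed"].append(d.disclosure_id)
    return outcome


if __name__ == "__main__":
    # Constructed sample: a form on which both "billing" and SUD counseling notes were checked.
    combined = Consent("c-1", "p-1", frozenset({"billing", SUD_COUNSELING_NOTES}), date(2026, 12, 31))
    print(consent_permits(combined, SUD_COUNSELING_NOTES, date(2026, 3, 1)))  # invalid for the notes
    print(consent_permits(combined, "billing", date(2026, 3, 1)))             # still usable for billing

    tpo = Consent("c-2", "p-1", frozenset({"tpo"}), None)
    queue = [Disclosure("d-1", "c-2", "sent"), Disclosure("d-2", "c-2", "in_process"),
             Disclosure("d-3", "c-2", "queued")]
    print(apply_revocation(tpo, queue, date(2026, 3, 2)))
    print(consent_permits(tpo, "tpo", date(2026, 3, 3)))                     # revoked
```

The gate returns a reason string alongside the decision so that the program can explain to the patient, as the response above contemplates, which disclosures could not be stopped and why.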

Comment

Some commenters specifically addressed whether oral revocation of consent should be permitted and were nearly even in opposition and support. The several organizations favoring oral revocation expressed very strong support for recognizing this as a valid expression of patient choice. The rationales offered by commenters that did not support the proposed changes were the following:

  • HIPAA requires written revocation.
  • The CARES Act requires written revocation.
  • Equating oral revocation with oral consent because part 2 programs are most likely to document oral consent in the part 2 record.
  • Concern about how oral revocation would be documented and communicated to all entities that receive part 2 records.

Response

The statute, 42 U.S.C. 290dd–2(b)(C), states that revocation of a TPO consent must be in writing. At the same time, consideration should be given to other civil rights implicated in this interaction and the entity's obligation under the relevant civil rights laws to provide assistance as needed to ensure meaningful access by enabling patients to effectuate a revocation.

Final Rule

The final rule adopts the proposed changes to the consent requirements in paragraph (a) with further modifications to paragraph (a)(4)(iii) to replace “HIPAA Privacy Rule” with “HIPAA regulations” and remove part 2 program from the statement about redisclosure according to the HIPAA regulations and to paragraph (a)(5)(iii) to require an opportunity to opt out of fundraising communications rather than requiring patient consent. The final rule adopts the proposed changes to the existing paragraph (b) of § 2.31 (Expired, deficient, or false consent) and redesignates the content of paragraph (b) as a new paragraph (c). Additionally, the final rule adds a new paragraph (b) to require separate consent for the use and disclosure of SUD counseling notes, and a new paragraph (d) to require a separate consent for use and disclosure of records in civil, criminal, administrative, or legislative proceedings.

Section 2.32—Notice and Copy of Consent To Accompany Disclosure

Heading of Section

Proposed Rule

The Department proposed to change the heading of this section from “Prohibition on re-disclosure” to “Notice to accompany disclosure” because § 2.32 is wholly a notice requirement, while other provisions (§ 2.12(d)) prohibit recipients of part 2 records from redisclosing the records without obtaining a separate written patient consent. To ensure that recipients of part 2 records comply with the prohibition at § 2.12(d), § 2.32(a) requires that part 2 programs attach a notice whenever part 2 records are disclosed with patient consent, notifying the recipient of the prohibition on redisclosure and of the prohibition on use of the records in civil, criminal, administrative, and legislative proceedings against the patient.

Comments

We received no comments on the proposed change to the heading of this section.

Final Rule

The final rule is adopting the language of the proposed heading with a further modification to take into account the new paragraph (b) that we are adding, as discussed below. The new heading reads, “Notice and copy of consent to accompany disclosure.”

Expanded Notice of Prohibited Uses and Disclosures

Proposed Rule

The Department proposed to modify paragraph (a)(1) of § 2.32 to reflect the expanded prohibition on use and disclosure of part 2 records in certain proceedings against the patient, which includes testimony that relays information in a part 2 record and the use or disclosure of such records or testimony in civil, criminal, administrative, and legislative proceedings, absent consent or a court order.

In addition, the proposed language of the notice listed exceptions to the general rule prohibiting further use or disclosure of the part 2 records by recipients of such records, which would allow covered entities, business associates, and part 2 programs who receive part 2 records for TPO based on a patient's consent to redisclose the records as permitted by the HIPAA Privacy Rule. This exception also would apply to entities that received part 2 records from a covered entity or business associate under the HIPAA Privacy Rule disclosure permissions, although the legal proceedings prohibition would still apply to covered entities and business associates that receive these part 2 records. The Department stated that these changes are necessary to conform § 2.32 with 42 U.S.C. 290dd–2(b)(1)(B), as amended by section 3221(b) of the CARES Act, and proposed a statement in paragraph (a)(1) as follows:

This record which has been disclosed to you is protected by Federal confidentiality rules (42 CFR part 2). These rules prohibit you from using or disclosing this record, or testimony that describes the information contained in this record, in any civil, criminal, administrative, or legislative proceedings by any Federal, State, or local authority, against the patient, unless authorized by the consent of the patient, except as provided at 42 CFR 2.12(c)(5) or as authorized by a court in accordance with 42 CFR 2.64 or 2.65. In addition, the Federal rules prohibit you from making any other use or disclosure of this record unless at least one of the following applies:

  • Further use or disclosure is expressly permitted by the written consent of the individual whose information is being disclosed in this record or is otherwise permitted by 42 CFR part 2;
  • You are a covered entity or business associate and have received the record for treatment, payment, or health care operations as defined in this part; or
  • You have received the record from a covered entity or business associate as permitted by 45 CFR part 164, subparts A and E.

Comment

An individual commenter asserted that disclosures made by a part 2 program to a covered entity or a business associate for TPO and redisclosures made by a covered entity or business associate in accordance with the HIPAA regulations should not require a notice accompanying the disclosure as set out in § 2.32 of the proposed revisions.

The commenter stated that under the CARES Act, with the prior written consent of the patient, the contents of a part 2 program record may be used or disclosed by a covered entity, business associate, or program for TPO as permitted by the HIPAA regulations. Further, once disclosed to a covered entity or business associate, the CARES Act provides that the information so disclosed may be redisclosed in accordance with the HIPAA regulations. The requirement of an accompanying written notice for each disclosure imposes a hurdle to the electronic exchange of information through an HIE and is not required under 42 U.S.C. 290dd–2. The commenter suggested that the provisions of 42 U.S.C. 290dd–2(c) operate independently and refer to uses and disclosures in proceedings rather than uses and disclosures by covered entities or business associates. Thus, the prohibition can be enforced independently by the patient in the course of any such proceeding. To the extent that an accompanying notice is determined to be necessary, it should be permissible to reference the provisions of 42 U.S.C. 290dd–2(c) in contractual agreements between the program, covered entities, and business associates rather than requiring that a notice accompany each disclosure.

An HIE described its reliance on contractual requirements in its agreements with data providers to ensure that it is notified of any limitations on its ability to share data prior to receiving that data. That practice will continue in response to the proposed changes contained in the NPRM. The commenter said that if the final rule includes a requirement for part 2 programs to notify data recipients, that requirement should be that they notify recipients when data is not received pursuant to a global consent for TPO, and that the operating assumption of parties receiving all forms of health data should be that it can be used consistently with the requirements of HIPAA and any relevant state laws or express contractual limitations.

Response

The notice does not establish a limitation on redisclosure but rather is intended to align the content of § 2.32 (Notice to accompany disclosure) with the requirements of 42 U.S.C. 290dd–2(b), as amended by the CARES Act.

As the Department noted in its 2010 HIE guidance and regulations, this notice was intended to inform downstream record recipients of part 2 and its restrictions on redisclosure. The notice as we have finalized it in this rule, like the existing notice, continues to inform record recipients that the information they receive may not be used in legal proceedings absent patient consent or a court order. We believe that the notice remains applicable to redisclosures by part 2 programs, covered entities, and business associates to operationalize the continuing prohibition on use and disclosure of part 2 records in proceedings against the patient, which applies to redisclosures by recipients under § 2.12(d).

83 FR 239, 241; See “Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE),” supra note 150.

Also, consistent with 42 U.S.C. 290dd–2 and previous part 2 final rules, this final rule states in § 2.33 that “[w]hen disclosed for treatment, payment, and health care operations activities [. . .] to a covered entity or business associate, the recipient may further use or disclose those records as permitted by 45 CFR part 164, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.”

Simply citing 42 U.S.C. 290dd–2(c) in contractual agreements between the program, covered entities, and business associates rather than providing a notice to accompany each disclosure also is insufficient because this approach would fail to convey to the recipient of part 2 records essential information provided in the Notice to Accompany Disclosure under § 2.32 as finalized in this rule. However, business associate or other contractual agreements may refer to these provisions. Additionally, part 2 programs do not necessarily have contractual agreements with every recipient of records for uses and disclosures for TPO.

The text of 42 U.S.C. 290dd–2, as amended by the CARES Act, continues to emphasize limitations on use of part 2 records in civil, criminal, administrative, and legislative proceedings absent patient consent or a court order. Consistent with the statute and congressional intent reflected in the CARES Act, limitations on sharing information in proceedings within part 2 as finalized also remain distinct and more restrictive than analogous provisions within the HIPAA Privacy Rule.

See U.S. Dep't of Health and Human Servs., “Court Orders and Subpoenas” (Nov. 2, 2020), https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html.

Comment

A commenter opined that the notice prohibiting redisclosure, which accompanies records disclosed with patient consent, should clearly identify whether the records are subject to the new redisclosure permissions or still protected by part 2.

Response

We believe this comment assumes a false dichotomy—that records are either subject to redisclosure or protected by part 2. Records that may be redisclosed according to the HIPAA standards—those for which a TPO consent was obtained—are still protected by the part 2 prohibition on use and disclosure in proceedings against the patient, absent consent or a court order under this part. However, assuming that the commenter is questioning how the recipient would identify records that are disclosed under a single consent for all TPO versus those that are disclosed under a more limited consent, we are finalizing an additional modification in § 2.32(b) to require that “[e]ach disclosure made with the patient's written consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided.” We believe this will provide the information recipients of records need to understand the redisclosure permissions that may be available.

Comment

A few medical professionals' associations and other commenters said that retaining the Notice to Accompany Disclosure requirement means that the need to identify, segment, and segregate the data will persist in order to append the notice to each disclosure. One association requested that the Department exclude covered entities from this requirement.

Response

We do not believe that the notice requirement in § 2.32 is what prompts segmentation of records or segregation of part 2 data. The continuing prohibition in § 2.12(d) on a recipient's use or disclosure of records in legal proceedings must be effectively operationalized, and it is unclear how that can be accomplished unless the recipient is aware that the records are subject to the prohibition. We believe this can be accomplished within an electronic health information exchange environment, and we are finalizing additional modifications to § 2.12(d)(2)(i)(C) to expressly state that “[a] part 2 program, covered entity, or business associate that receives records based on a single consent for all treatment, payment, and health care operations is not required to segregate or segment such records.” We believe health IT vendors are capable of updating or creating systems that manage consent, revocation, and other limitations on disclosure and redisclosure, so long as the users of the system have current knowledge of the type of data and the limitations on its use and disclosure. The final rule neither requires nor prohibits segregation of records or segmentation of data to accomplish these tasks. The short form of the notice has not changed and was created for use in an electronic health information exchange environment. We further recognize that the notice is required only for disclosures made with consent; thus the notice would not be required for redisclosures permitted by HIPAA for TPO or other permitted purposes when the initial disclosure was based on a TPO consent.

Comment

Some commenters supported the proposed changes in whole or in part, and other commenters opposed, or expressed mixed views of, the proposed changes.

A health care provider supported the proposed heading clarification, and further clarification of redisclosure rights for TPO by covered entities, business associates, and part 2 programs as allowed by the HIPAA Privacy Rule. A health insurer supported aligning notices to accompany disclosures with the HIPAA Privacy Rule, particularly adding exceptions to the prohibition on use or disclosure of part 2 records for TPO. A few health information associations supported the Department's proposal to include a Notice to Accompany Disclosure of records to inform an organization of its ability to redisclose this information at the direction of the patient. A health system commenter said that it includes a disclosure statement on all records it releases and therefore supported a Notice to Accompany Disclosure of part 2 records. However, the commenter recommended that the disclosure statement apply to all disclosures, including those for TPO, stating that this would minimize the time and operational burden of determining which records require the disclosure statement.

Response

We appreciate the comments.

Comment

A health plan and at least a few associations recommended that the Notice to Accompany Disclosure be eliminated. A couple of commenters stated that retaining the notice to accompany disclosure requirement will ensure that certain protections for part 2 records continue to “follow the record,” as compared to HIPAA, whereby protections are limited to PHI held by a covered entity or business associate. A few commenters stated that this notice means that the need to identify, segment, and segregate the data will persist in order to append the notice to each disclosure. A few commenters also requested that the Department eliminate this notice to align with HIPAA. At a minimum, according to one commenter, the Department should excuse covered entity and business associate recipients of part 2 records from the notice requirement.

A few HIEs suggested that the § 2.32 notice requirement has been difficult to implement in electronic systems and across electronic networks, in part because it requires the part 2 data to be treated and maintained differently than the rest of the clinical record. The commenters also suggested that it may be legally impermissible under the CARES Act amendments, which mandate that once a patient's TPO consent is obtained, the disclosed part 2 record may be redisclosed in accordance with HIPAA, and HIPAA does not require use of a prohibition on redisclosure notice.

Continuing to require the notice, according to these commenters, may effectively require the continued downstream identification, segmentation, and segregation of part 2 records, because segmentation/segregation will be necessary to properly apply, transmit, and display the notice in an electronic environment. Even though the Department emphasizes that the Notice to Accompany Disclosure is not a consent requirement (that is, it is not necessary for there to be a valid disclosure), these commenters believed that it was still a legal requirement that would carry stringent penalties under the HIPAA enforcement structure. Thus, requiring the notice would perpetuate the same barriers to SUD data sharing that the CARES Act amendment's changes were intended to eliminate.

Response

We appreciate input from these commenters, including concerns about continued segmentation of part 2 records that may result from providing the required notice. The introductory sentence of paragraph (a) of § 2.32 applies to each disclosure made with the patient's written consent, which includes the TPO consent finalized in this rule. We do not intend for this requirement to impede the integration of part 2 records with other PHI and have expressly removed any requirement to segregate or segment such records in this final rule at § 2.12(d)(2)(i)(C). Additionally, we believe the notice remains necessary to operationalize the continuing prohibition on redisclosures for use in civil, criminal, administrative, and legislative proceedings against the patient, absent written consent or a court order under this part. We also believe that Congress attempted to balance permitting multiple redisclosures under a TPO consent for programs, covered entities, and business associates who are recipients of part 2 records and retaining the core patient protection against use of the records in proceedings against the patient. Congress could have amended part 2 to strike entirely the regulatory Notice to Accompany Disclosure or removed the consent requirement for disclosures to programs, covered entities, and business associates, but it did not do so; instead, Congress mandated a modified version of consent. Therefore, we interpret the existing requirement of a notice that accompanies each disclosure to apply to disclosures under a TPO consent in the same manner as for other disclosures with consent.

Comment

A commenter asserted that the proposed Notice to Accompany Disclosure language might confuse both patients and part 2 program recipients because it uses legalese and confusingly requires provision of the notice while simultaneously notifying covered entity and business associate recipients (and their downstream recipients) that they are not subject to part 2's use and disclosure restrictions. The commenter stated that proposed § 2.32 was silent regarding “intermediaries,” which also seemingly conflicted with the part 2 consent form elements that restrict redisclosures by covered entities and business associates that function as “intermediaries” to only named member participants or participants that have a “treating provider relationship” with the patient. For these reasons, the commenter encouraged the Department to remove the notice requirement under this section or, at the least, not to require it for redisclosures made by covered entities and business associates (including those that operate as “intermediaries”) and their downstream recipients pursuant to a patient's TPO consent.

Response

We appreciate the input from this commenter and agree that the language of paragraph (a)(1) is more detailed and involved than paragraph (a)(2), but we provide it as an option for programs that would find a complete explanation more useful and that are providing a paper copy of the notice. Providing the short form of the notice in paragraph (a)(2) is permitted. Thus, any program that prefers to do so may continue to use the language of the abbreviated notice in paragraph (a)(2) rather than paragraph (a)(1). The shorter notice in paragraph (a)(2) states simply that “42 CFR part 2 prohibits unauthorized use or disclosure of these records,” and should be readily understandable to recipients. The longer notice in paragraph (a)(1) further aligns with HIPAA. Both notices are consistent with a 2017 NPRM discussion and with requirements that have been in place since 2018 (for the abbreviated notice). The requirement added in paragraph (b) of this section, that “[e]ach disclosure made with the patient's written consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided,” also should help clarify to recipients when records are subject to part 2, because it would indicate that SUD treatment records are being disclosed.

82 FR 5485, 5487.

83 FR 239, 240.

We disagree with the commenter's interpretation that paragraph (a)(1) notifies “covered entity and business associate recipients (and their downstream recipients) that they are not subject to part 2's use and disclosure restrictions,” because paragraph (a)(1) explicitly prohibits the recipient from using or disclosing the record in any civil, criminal, administrative, or legislative proceedings against the patient, absent consent or a court order.

With respect to the role of intermediaries, addressed in §§ 2.11 and 2.24, we have excluded programs, covered entities, and business associates from the definition of intermediary in this final rule. This relieves HIEs that are business associates from the requirements for intermediaries; however, all HIEs that receive part 2 records with consent (whether they are intermediaries or business associates) would need to provide the notice to accompany disclosure when redisclosing such records with consent.

Comment

Commenters urged OCR and SAMHSA to engage the technology companies and intermediaries most likely to be involved in these types of disclosures and the accompanying notices, to understand the feasibility and technical capacities of current technology. As the health system moves away from paper and the transmission of paper through processes like fax machines, having the technical capabilities in place for providers to move this information with the record is crucial, the commenters believed. Engaging the organizations that govern this work will give OCR and SAMHSA a clearer understanding of whether an accompanying notice of disclosure can be included with a part 2 record and consent form.

Response

We acknowledge the commenter's concerns about EHRs and the need to ensure they have the capabilities necessary to transmit information about prohibited uses and disclosures and the scope of consent on which a disclosure is based. ONC, OCR, SAMHSA, and other Federal partners are collaborating to support EHRs and health IT within the behavioral health sector. We also may provide additional guidance on this section after the rule is finalized.

See “Behavioral Health,” supra note 133.

Comment

A commenter said that one concern they had with including a Notice to Accompany Disclosure on every patient record that is being redisclosed is the ability of EHR systems to ingest that information. The commenter explained that an HL7 v2.x ADT message (or, for that matter, a lab message) does not include this type of language.

Health Level 7 (HL7) is discussed in ONC guidance at https://www.healthit.gov/topic/standards-technology/standards/fhir-fact-sheets. ADT refers to admit, discharge, transfer.

The commenter suggested that even if an HL7 message could be created with the information, it is unclear that receiving systems are currently able to populate the field in the ADT message or will be able to consume the message. The commenter is not aware of any designated spot for that type of language on any interstate event notification specification. Therefore, if a hospital wanted to share an admission or discharge notice for a patient admitted to a substance use unit, they couldn't easily include the language in the notification. Even if the sending part 2 program could transmit the message, the downstream receiver may not be able to receive it.

The commenter suggested that it would be possible to put a confidentiality/protection flag on an ADT message—but not general language like the notice to accompany disclosure language.

Response

We have previously noted that EHR systems are beyond the scope of this rulemaking. However, the abbreviated notice in § 2.32(a)(2) is intended to support use of EHRs, and the abbreviated notice remains a valid option. ONC, SAMHSA, and OCR continue to work to support EHR implementation and may provide guidance on these issues after this rule is finalized.

Comment

An academic medical center said that it saw no value in adding the language regarding redisclosure to part 2 records and believed that recipients of these notices were not familiar with part 2 restrictions. The commenter stated that it is able to affix stamps on records that are being disclosed but, from a practical perspective, does not believe the stamp is value added. Recipients may not know what a part 2 program is. The commenter has other patients throughout the medical center who are not being discharged from a part 2 program and who also have been or are being treated for SUD conditions and receive medications specific to SUDs.

Response

We appreciate the commenter's perspective on patients' and recipients' lack of understanding about part 2 protections. We hope that the revised Patient Notice will improve part 2 patients' understanding of their confidentiality rights under part 2 which should also enhance their appreciation for the prohibition on redisclosure in proceedings against patients. As explained in this rule, we continue to believe that the Notice to Accompany Disclosures under § 2.32 provides important protections to part 2 patients, and the lack of these protections for other patients is not a justification for reducing or removing protections for part 2 patients. As stated in the 2017 final rule, part 2 does not apply to health information unrelated to SUDs, such as patient treatment for unrelated medical conditions.

82 FR 6052, 6089.

Comment

A SUD provider and a health plan requested clarification about the applicability of the notice requirement to recipients who redisclose records, including whether the requirement for the Notice to Accompany Disclosure applies only to part 2 programs, or whether it also applies to covered entities, business associates, and intermediaries that might receive and redisclose the patient's PHI. The commenters asked, collectively, whether an HIE, covered entity, and business associate must attach the notice on part 2 records being redisclosed in accordance with the HIPAA privacy regulations, such as in paragraph (a)(2): “42 CFR part 2 prohibits unauthorized use or disclosure of these records.”

Response

The existing introductory language of paragraph (a) applies the notice requirement to “[e]ach disclosure made with the patient's written consent.” The abbreviated notice under paragraph (a)(2) was primarily intended to support EHR systems. As the Department explained in 2018, “SAMHSA has adopted an abbreviated notice that is 80 characters long to fit in standard free-text space within health care electronic systems.” Though the notice under paragraph (a)(2) has been modified in this final rule to include the word “use,” it remains largely as adopted in 2018. At that time the Department also said that it “encourages part 2 programs and other lawful holders using the abbreviated notice to discuss the requirements with those to whom they disclose patient identifying information.” An HIE may elect to use the abbreviated notice under paragraph (a)(2) or can choose to use one of the notices permitted under paragraph (a)(1). Covered entities and business associates are referenced in § 2.32(a)(1).

52 FR 21796, 21810.

83 FR 239, 240.

83 FR 239, 240.

Comment

An HIE urged the Department to include language that will resonate with the patient as opposed to those in the health care space. The commenter stated that in the NPRM, the Department proposed to require the consent form to notify the patient about how covered entities and business associate recipients may use and redisclose information as permitted by HIPAA. The commenter expressed concern that this was problematic for two reasons. First, this is not an existing requirement under HIPAA and the objective of the rule is to align part 2 with HIPAA. Second, the terms covered entity and business associate are not terms some patients may be aware of. To include this requirement, according to the commenter, could introduce legalese in the patient-facing workflow and be contrary to calls to improve the rule's utility for patients. The commenter asked the Department to use standard language required under HIPAA that notifies individuals that not all recipients are subject to the same laws.

Response

We appreciate the input from this commenter and acknowledge the concerns expressed. But we disagree that the Notice to Accompany Disclosure will confuse patients. First, we anticipate that most recipients of these notices will be health professionals or staff, such as those working for part 2 programs, covered entities, and business associates, rather than patients themselves. Second, the provisions of this rule, including §§ 2.22, 2.31, and 2.32, are consistent with the provisions of the HIPAA Privacy Rule, as explained above. However, even with this rule and the additional alignment with HIPAA fostered by the CARES Act, some part 2 provisions remain distinct from requirements in HIPAA. Likewise, while part 2 consent forms under § 2.31 must include specified required elements for written consent, there is no requirement that these forms use such terms as “covered entity” or “business associate.” As noted above, we may provide additional guidance, template notices, or model forms to help clarify the requirements of this final rule. Finally, the abbreviated notice in § 2.32(a)(2) is especially brief and easy to understand, although we believe the lengthier notice in paragraph (a)(1) is fairly easy to understand as well.

Comment

A health plan recommended that the Department clarify that these redisclosures do not need to be included in an accounting of disclosures under § 2.25. Requiring a notice to accompany redisclosures would run counter to the general exemption of TPO disclosures under HIPAA's accounting provisions.

Response

With respect to the right to an accounting of redisclosures, the applicability of § 2.25 would depend on the status of the recipient. For example, a covered entity or business associate would be subject to 45 CFR 164.528 for redisclosures. A part 2 program that rediscloses records received from another part 2 program would be subject to § 2.25 for such redisclosures that fall within the scope of § 2.25 in the same manner as for disclosures. The accounting of disclosures requirements under § 2.25 do not distinguish between disclosures and redisclosures, but focus on whether a disclosure is made with consent and the purpose of the disclosure or redisclosure. The § 2.25 requirements are distinct from the required notices to accompany disclosures under § 2.32. Therefore, the accounting of disclosures under § 2.25 would not need to include a separate and distinct list of redisclosures accompanied by a notice under § 2.32.

Comment

A commenter recommended that HHS move proposed item (iv) of the statement in § 2.32(a)(1) to the main text of the statement, so that it does not appear to be one of the exceptions following items (i), (ii), and (iii) of the statement. The commenter also suggested revised language for these provisions.

Response

We retain in the statement in § 2.32(a)(1) the following notification: “[a] general authorization for the release of medical or other information is NOT sufficient to meet the required elements of written consent to further use or redisclose the record (see 42 CFR 2.31).” We have moved this information to the main text which is consistent with the commenter's suggestion.

Comment

An advocacy group opined that proposed changes to this section will cause confusion. The commenter said that at this time all recipients of records are subject to the same redisclosure prohibition: they may only use or disclose the records with patient consent, pursuant to a court order, or subject to one of the other limited exceptions in part 2 that apply to lawful holders. However, according to this commenter, this rulemaking introduces a new standard for some recipients who receive records pursuant to a TPO consent: these recipients may redisclose records pursuant to the HIPAA Privacy Rule, except if the records will be used against the patient in a legal proceeding. A recipient of part 2 records, however, will have no way of knowing which redisclosure standard applies to the records they receive: the standard part 2 redisclosure prohibition, described in proposed item (i) in the statement in § 2.32(a)(1), or redisclosures as permitted by the HIPAA Privacy Rule except for legal proceedings against the patient, described in proposed item (ii) in the statement in § 2.32(a)(1).

Response

We appreciate the comment and agree that with the additional changes to consent in §§ 2.31 and 2.33, the Notice to Accompany Disclosure is insufficient to provide needed information to the recipient about the scope of consent that pertains to the disclosed records. To address this issue, we are also finalizing a new provision in paragraph (b) of this section to require each disclosure made with the patient's written consent to be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided, as discussed below.

Comment

A medical professionals association said that we should require part 2 programs to give health care providers adequate written notice well in advance of sharing any part 2 record, clearly explaining that such records are subject to additional Federal confidentiality regulations and include clear guidance for non-part 2 providers to understand their obligations and options concerning such records once received.

Response

We believe that § 2.32(a) as finalized clearly notifies the recipient of redisclosed records whether the records are subject to part 2. The new requirement in paragraph (b) of this section, discussed below, will provide additional information to recipients about the scope of the consent that applies.

Final Rule

The final rule adopts the proposed language of § 2.32(a) without further substantive modification, and finalizes proposed item (i) of the statement in § 2.32(a)(1) as part of the statement in § 2.32(a)(1).

Copy of Consent To Accompany Disclosure

Request for Comment

Although we did not propose requirements for consent management, we requested comment throughout the NPRM on how proposed changes to consent, revocation, and requests for restrictions could be implemented, the experience of entities that have already operationalized aspects of the proposed changes, potential unforeseen negative consequences from new or changed requirements, and data relating to any of these.

Overview of Comments

We received many comments addressing cross-cutting issues involving data segmentation and segregation of records, use of HIEs for exchange of ePHI and part 2 records, how to track consent and consent revocation, and how to operationalize patients' requests for restrictions on disclosures for TPO. We have responded to these comments throughout the preamble to the final rule in relation to applicable regulatory provisions, and here we respond to comments that pertain to tracking consent (which is required in §§ 2.31 and 2.33), both global (i.e., TPO consent) and granular (for a specific use and disclosure). Of the commenters that addressed whether the rule should require a copy of consent to be attached with each disclosure of records, a majority opposed such a requirement, several supported it, and a few responded with other viewpoints. A mix of professional associations, SUD providers, and advocacy organizations provided views on both sides of the question; however, all health plans, health IT vendors, and HIE/HIN organizations that weighed in opposed the idea, and all government entities that voiced an opinion supported providing a copy of the consent.

Comment

A medical professionals association urged the Department to ensure that, going forward, patient information will be tagged and limited to the purpose of TPO. The agencies can incentivize compliance with these goals through enforcement actions and penalties for noncompliance. The commenter believes that technology can assist physicians with increasing the flow of information while maintaining privacy and a patient's consent. To do so, information should be tagged to identify where the information originated, for what purposes it can be disclosed, and to whom. Another medical professionals' association asked the Department to facilitate collaboration with ONC and health IT vendors to develop technical standards and feasible certification criteria to identify, tag, segregate, and remove specific data based on type of care, provider, and patient consent. The commenter also stated that HHS should provide incentives and support to clinicians, practices, and EHR vendors—particularly those designed for specialty settings or small practices—in designing and adopting health IT that meets these objectives. A provider health system believed that even if HIPAA and part 2 records are treated as PHI for most of the situations, there will still be the need to identify part 2 records due to any directed restrictions and the legal proceedings prohibition. This could become further complicated as part 2 records and PHI are intermingled. While the provider health system supported alignment of HIPAA and part 2, it requested the Department provide guidance about how records will be denoted and differentiated to ensure compliance.

Response

We appreciate input from these commenters, including suggestions to tag or segregate part 2 records. We acknowledge concerns about data segmentation and address it further in the discussion of § 2.12. The continuing prohibition in § 2.12(d) on a recipient's use or disclosure of records in legal proceedings must be effectively operationalized, and it is unclear how that can be accomplished unless the recipient is aware that the records are subject to the prohibition. Although the Department may provide further guidance in relation to data segmentation, tagging, or tracking, we are not requiring specific technology or software solutions.

Comment

A trade association suggested that HHS is maintaining separate underlying regulatory structures for SUD patient records and all other patient data, meaning EHR vendors will need to distinguish between the two types of records. Some SUD patients may not provide consent or revoke their consent throughout the course of their treatment, meaning their record will need to be flagged differently. This is a significant health IT challenge that is not addressed in the NPRM. The commenter stated that HHS should ensure that there is ample time and resources for health IT vendors to update their capabilities and adapt to the evolving operational needs of health care providers.

An academic medical center suggested that information about the scope of consent be included in the notice that is required to accompany disclosures of part 2 records and that this would be the simplest way to communicate the patient's intent and have that intent stay with the actual records downstream.

A health IT vendor recommended that the Department explore further how revocation becomes known, and if it means that the HIE must directly record the status of a revocation (and how this is done) or if the HIE relies on some kind of “polling” of the part 2 program to ascertain if a valid consent remains effective by interrogating the part 2 program electronically for whether a valid consent exists or if an applicable consent has been revoked. In the end, a revocation needs to not only limit future disclosures but also limit disclosures of any part 2 records an HIE already may possess should they store patient records.

Among others, a health IT vendor, a health care provider, and a health insurer believed that part 2 programs should not be required to provide a copy of the written patient consent when disclosing records. They believe the notice to accompany disclosures already required under § 2.32 is sufficient to alert the recipient to potential restrictions regarding redisclosure, and that the requirement would not align with disclosures for TPO under HIPAA. A health insurer suggested that allowing a part 2 program to retain the consent for future auditing and use or disclosure needs is sufficient and also helps to share only the minimum necessary PHI. If the Department were to also require provision of the written consent authorizing the disclosure, it would place an unnecessary administrative burden on both the part 2 program and the recipient of records. Even more problematic, such a requirement would create a corresponding duty for the recipient of records to evaluate the legal sufficiency of the consent related to the part 2 program's disclosure. The recipient of records should not be placed in the position of identifying and correcting errors in a part 2 program's disclosure, or assuming any potential downstream liabilities that may result.

An insurance association supported the use of electronic processes whenever feasible. In addition, to reduce the burden on part 2 programs and to ensure that HIPAA entities can act promptly on part 2 data, the association asked that the Department clarify in final regulations that HIPAA entities that receive part 2 data may accept that the data was disclosed pursuant to a TPO consent unless otherwise notified in writing. This is particularly important in industries such as pharmacy benefits management, where data is transmitted in huge volumes in real time, and there is no consistent mechanism currently available to “flag” certain records as containing part 2 data, nor explain the legal basis on which the data were disclosed.

Response

We acknowledge commenter concerns about how to manage consent and any limitations on consent within EHRs and through HIEs and the disadvantages of segmenting data and segregating records. Although we are finalizing a modification to § 2.12 to expressly state that “[a] program, covered entity, or business associate that receives records based on a single consent for all treatment, payment, and health care operations is not required to segregate or segment such records[,]” some means to ensure that records are used and disclosed according to the scope of the consent will be needed. Thus, we look to the consent provided by the patient and the existing requirement to attach a Notice to Accompany Disclosure as solutions and are adding a new requirement in § 2.32(b) to require that a copy of the consent be attached to each disclosure for which consent is required. The attached consent may be combined with the required Notice to Accompany Disclosure in § 2.32(a). This will significantly reduce any administrative burdens associated with the new requirement.

We are finalizing a new requirement in this section to require that each disclosure made with the patient's written consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided. We believe that by putting in regulatory text that the consent must accompany the disclosure or provide a clear description of the scope of the consent, the recipient will be able to accurately use and disclose the part 2 records as the patient intended. Additionally, where feasible, part 2 programs should convey to recipients when a consent has been revoked to ensure that only consented information is exchanged. Combining a copy of the consent with the required Notice to Accompany Disclosures in § 2.32 is one way this requirement may be implemented, though it is not the only potential approach to tracking consent, redisclosure and revocation of consent. Both paragraphs (a) and (b) of this section address concerns about ensuring recipients of records understand whether or not the records are subject to part 2.

We acknowledge that there are technical challenges associated with complying concurrently with HIPAA and part 2 and that time and resources are needed to update technical and procedural capabilities. The recommendation for recipients to assume TPO consent has been provided unless otherwise notified in writing does not address how recipients other than programs, covered entities, and business associates would learn about this assumption. Nor does this recommendation address how a program (i.e., a discloser) would know in advance whether a recipient is a program, covered entity, or business associate to whom the TPO consent assumption applies. We evaluated this recommendation, but are concerned that the negative requirement (e.g., not to provide consent unless it is other than for TPO) places undue burden on the disclosing program to decide when and when not to attach a copy of the consent.

We believe the concern that receipt of notice may transfer liability for improper disclosures from the part 2 program to the recipient is misplaced. However, the recipient incurs an obligation for complying with part 2 requirements that apply to them, namely, the prohibition on use or disclosure of the records for use in proceedings against the patient, absent consent or a court order under this part.

Comment

Regarding intermediaries and tracking consent, an HIE association suggested that part 2 providers may need to include in the consent form a place for patients to indicate whether they provide consent for disclosure to the intermediary. For additional information on how an intermediary would accept or track patient consent for data redisclosure, the commenter recommended OCR and SAMHSA consult nationwide HINs, as well as ONC, to understand how current state HINs and the TEFCA could impact this landscape.

Response

We appreciate the comment and the reference to TEFCA. As discussed above in relation to § 2.31 (Consent requirements), a consent to disclose records via an intermediary must contain a general designation as well as additional information about the recipient(s). Thus, we believe the final rule provides for the consent form to have space for an intermediary to be named as the commenter suggests. We note, however, that we are excluding business associates from the final rule definition of “intermediary,” thus HIE business associates will not be subject to the intermediary consent requirements. Instead, HIEs that are business associates will fall within the requirements for a general designation for the TPO consent which does not require specifically consenting to use of an HIE. We received many informative public comments from HIEs/HINs with respect to consent (and revocation) management and will continue to consult with our partner agencies within the Department. OCR, SAMHSA, and others are collaborating to support participation by behavioral health entities in health IT and EHRs, including TEFCA.

Final Rule

This final rule adopts further modifications in § 2.32 by adding a new paragraph (b) providing that each disclosure made with the patient's written consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided.

Section 2.33—Uses and Disclosures Permitted With Written Consent

Proposed Rule

Section 2.33 currently permits part 2 programs to disclose records in accordance with written patient consent in paragraph (a) and permits lawful holders, upon receipt of the records based on consent for payment or health care operations purposes, to redisclose such records to contractors and subcontractors for certain activities, such as those provided as examples in paragraph (b). The Department proposed substantial changes to paragraph (b) to apply the new consent structure in § 2.31 for a single consent for all TPO by: applying HIPAA standards for uses and initial disclosures for TPO, creating two new categories of redisclosure permissions, and revising the existing redisclosure permission. This would align § 2.33 with the statutory authority in 42 U.S.C. 290dd–2(b)(1), as amended by section 3221(b) of the CARES Act. The first change would permit part 2 programs, covered entities, and business associates that have obtained a TPO consent to use and disclose a part 2 record for TPO as allowed by HIPAA. With respect to redisclosures, proposed (b)(1) would permit part 2 programs, covered entities, and business associates that have received a part 2 record with consent for TPO to redisclose the records as permitted by the HIPAA Privacy Rule, except for proceedings against a patient which require written consent or a court order. The second category, in proposed paragraph (b)(2), would permit part 2 programs that are not covered entities or business associates that have received a part 2 record with consent for TPO to further use or disclose the records as permitted by the consent. The third category, in proposed paragraph (b)(3), would apply to lawful holders that are not business associates, covered entities, or part 2 programs and have received part 2 records with written consent for payment and health care operations purposes. This provision would permit the recipient to redisclose the records for uses and disclosures to its contractors, subcontractors, and legal representatives to carry out the intended purpose, also subject to the limitations of proposed subpart E of part 2 pertaining to legal proceedings. A lawful holder under this provision would not be permitted to redisclose part 2 records it receives for treatment purposes before obtaining an additional written consent from the patient.

Paragraph (c) proposed to require lawful holders that are not covered entities or business associates and that receive records based on written consent to have contracts in place if they wish to redisclose the records to contractors and subcontractors. The Department proposed to exclude covered entities and business associates from the requirements of paragraph (c) because they are already subject to the HIPAA Privacy Rule requirements for business associate agreements.

Overview of Comments

Most commenters on the single consent for all future TPO supported the proposal, and all but one of the supportive commenters represented organizations. Supportive organizations included several professional associations, health systems, and state or local governments. A few SUD providers also supported the proposal. The views expressed by these commenters in support of the proposal included the following:

(a) reducing stigma of persons with SUD by integrating SUD treatment and SUD treatment records, respectively, with general health care and PHI;

(b) reducing burdens on the health care system by aligning part 2 requirements more closely with the HIPAA regulations; and

(c) improving care coordination, continuity of care, and patient safety as a result of greater access to complete information to treat patients comprehensively and obtain services to support their recovery.

As an example, a commenter asserted that the proposal may make it easier for the state Medicaid agency to gain input about barriers for patients receiving SUD services such as co-occurring medical or behavioral conditions, or to address social determinants of health that impede treatment or recovery. An association of state hospitals and health systems illustrated what it views as the need for an aligned consent process, citing what it regards as differing regulatory requirements that may “cause confusion, and even fear, among treating providers, at times leading them to withhold information that may be shared.”

Response

We appreciate the comments about the proposed changes to implement the statutory requirements for uses and disclosures with a single consent for all future TPO and permitted redisclosures by certain recipients. The rationales offered in support—reducing stigma, integrating and coordinating behavioral health care, and reducing health care entities' burdens—are key aims of this final rule.

Comment

Commenters favoring the proposal also appreciated the reduction in the number of consents needed for uses and disclosures of part 2 records as well as the reduction in consents required for redisclosures of records. A health plan remarked that “requiring multiple consents . . . adds confusion and distrust to an already underserved population,” and further stated that “[a] single consent will give stakeholders a single reference point to review the patient's permissions and any relevant requested restrictions.”

Response

We agree that the changes to allow a single consent for all future TPO will reduce the number of consents that part 2 programs will need to obtain from patients as well as the number of consents that recipients will need to obtain for redisclosures of part 2 records. We have estimated the amount of that reduction and describe it more fully in the costs-benefits analysis in the RIA for this final rule.

Comment

A health system pointed out that people suffering from untreated SUD are among the highest utilizers of health care services and asserted the importance of reducing barriers to integrated care. The commenter stated its belief that the existing part 2 regulation was written before the current models of care and related best practices were established and that it now is a barrier to coordinated care for patients with SUD.

Response

We appreciate this feedback and recognize the importance of integrated health records for providing integrated and coordinated health care, including for treatment of SUD in a whole person context. This perspective underpins one of the key purposes of section 3221 of the CARES Act that is being implemented in this final rule.

Comment

Several commenters who supported the TPO consent and redisclosure proposal thought that it did not go far enough to align with the HIPAA Privacy Rule and urged the Department to allow for Patient Notice to replace consent for TPO disclosures of part 2 records.

Response

The CARES Act amendments to 42 U.S.C. 290dd–2 did not remove the written consent requirement for disclosure of part 2 records. Thus, the Department lacks authority to replace a patient's written consent with Patient Notice. We anticipate that patient consent will remain as a foundation for protection of part 2 records.

Comment

The commenters that opposed the proposals for a single TPO consent and redisclosure as allowed by HIPAA presented a largely unified set of views developed by a core group of organizations representing addiction treatment professionals, advocacy and policy organizations, and SUD providers. These commenters strongly believed that the current requirement of consent for each disclosure and segregation of part 2 records offers patients the needed confidence to enter and remain in treatment and develop the necessary therapeutic trust to share details of their lives and struggles with SUD. The commenters acknowledged that discrimination is often perpetuated by those outside of the health care system as a result of the criminalization of the use of certain substances and they oppose finalizing the loosened consent provisions until the Department issues the statutorily required antidiscrimination protections. These commenters strongly supported regulatory requirements to ensure patients' trust in the SUD treatment and the health care system. Several other commenters agreed with this set of core comments.

Response

We appreciate these comments and the concerns expressed for access to SUD treatment, patient trust in the relationship with treatment providers, patients' privacy expectations, the societal harms of discrimination against patients with SUD, and the Department's obligations to fully implement section 3221 of the CARES Act. We believe that the changes finalized to § 2.33 herein are necessary and reasonable as a means to implement 42 U.S.C. 290dd–2(b), as amended by the CARES Act.

Comment

Several commenters addressed whether recipients of records based on a TPO consent (part 2 programs, covered entities, and business associates) should be able to redisclose the part 2 information for any purpose permitted by HIPAA or only for TPO purposes. Some of these asserted or recommended that the rule should permit redisclosures as permitted by the HIPAA Privacy Rule (not limited to TPO). A few medical professional associations recommended that redisclosures by recipients under a TPO consent should only be permitted for TPO purposes. This would maintain patient privacy and be consistent with the consent provided. One association suggested this could be accomplished by tagging data associated with the TPO consent. Another suggested that limiting redisclosure to TPO would permit PHI to be integrated into part 2 records systems, thus partially furthering the goal of integrating health information.

Response

The changes to consent finalized in this rule are based on 42 U.S.C. 290dd–2, as amended by the CARES Act. With respect to redisclosures by recipients under a TPO consent, paragraph (b)(1)(B) of the statute states that once records are used and disclosed for TPO they may be further disclosed in accordance with the HIPAA regulations. The clear terms of the statute apply the initial use and disclosure permission to a part 2 program, covered entity, or business associate for TPO as permitted by the HIPAA regulations, and then allow disclosed records to be more broadly redisclosed provided that it is according to the HIPAA regulations. We interpret the broader HIPAA redisclosure permission to apply only to the recipient. Thus, a part 2 program that obtains a TPO consent is limited to using or disclosing the record for TPO purposes—it cannot obtain a TPO consent and “disclose” the records to itself to trigger the permission to redisclose according to the HIPAA regulations and avoid overall compliance with part 2. We believe that a disclosure implies a recipient other than the entity making the disclosure and the only recipients authorized by the statute to redisclose records according to the HIPAA regulations are those that are otherwise subject to HIPAA, which are covered entities (including those that are also part 2 programs), and business associates. The redisclosure permission refers to “in accordance with HIPAA,” and we believe that part 2 programs that are not subject to HIPAA would not be qualified to make such redisclosures in that manner. Such part 2 programs are not subject to the same obligations as covered entities, such as adopting written policies and procedures for handling PHI, training members of the workforce on their policies and procedures, and adhering to the HIPAA Security Rule requirements for safeguarding electronic PHI.

The prohibition on using and disclosing records in civil, criminal, administrative, and legislative proceedings against a patient remains effective once records are disclosed and this raises the issue for recipients of potentially tracking, tagging, or otherwise identifying the part 2 data that must be protected from such uses and disclosures absent written consent or a court order under subpart E of part 2.

The last sentence of paragraph (b)(1)(B) of the statute provides that the patient's right to request restrictions on uses and disclosures for TPO applies to all disclosures under paragraph (b)(1), which includes redisclosures by recipients of records. Thus, a recipient entity that complies with a patient's request for restrictions on disclosures for TPO is acting in accordance with the HIPAA regulations. We believe that Congress intended to emphasize the availability of patient-requested restrictions by the placement of this right in the part 2 statute with the redisclosure permission and including it in both the Rules of Construction and the Sense of Congress in section 3221 of the CARES Act.

Final Rule

The final rule adopts the proposed changes to the header and to paragraph (c) of § 2.33 without modification. For clarity, the final rule further modifies paragraph (a) by adding “use and” before “disclosure” and by redesignating the content of the paragraph as paragraph (a)(1) and adding a new paragraph (a)(2) that provides, “[w]hen the consent provided is a single consent for all future uses and disclosures for treatment, payment, and health care operations, a part 2 program, covered entity, or business associate may use and disclose those records for treatment, payment, and health care operations as permitted by the HIPAA regulations, until such time as the patient revokes such consent in writing.” This new provision clarifies the regulatory permission for use and disclosure for TPO that previously was only implied by a general reference to the consent requirements in § 2.31, and it more explicitly states what the statute provides relating to reliance on the HIPAA standards. As a result of this change, part 2 programs will be able to rely on the HIPAA regulations when using or disclosing part 2 records for TPO in many instances, and covered entities and business associates will not need to silo part 2 records once a TPO consent has been obtained.

This rule also finalizes proposed paragraph (b)(1) with modifications to more closely align with the statutory language by changing “further use and disclose” to “further disclose” and replacing “as permitted by 45 CFR part 164” with “in accordance with the HIPAA regulations.” For clarity, the final rule also removes “a program” from paragraph (b)(1) because part 2 programs that are not covered entities or business associates are separately addressed in paragraph (b)(2). The rule finalizes proposed paragraph (b)(2) with the further modification of changing “further use and disclose” to “further disclose” as in paragraph (b)(1). The rule finalizes proposed paragraph (b)(3) with the further modification of removing the exclusion of “part 2 program.” This has the effect of applying the existing requirements of paragraph (b)(3) to a part 2 program when it is a lawful holder (i.e., a recipient of part 2 records) and ensures that redisclosure in accordance with HIPAA is limited to covered entities and business associates. We clarify here that paragraph (b)(3) applies in situations where the written consent is only for payment and/or health care operations and does not include treatment.

Section 2.34—Uses and Disclosures To Prevent Multiple Enrollments

Comment

While not proposed in the NPRM, an individual stated that central registries have not been classified as a QSO or a business associate and therefore, there are no safeguards protecting the information exchanged between central registries and non-member treating providers under § 2.34(d). The commenter further stated that the patient consents to the use or disclosure of their SUD information to the central registry but not to a non-member treating prescriber.

Response

We appreciate the suggestion to classify central registries as a QSO or a business associate; however, that suggestion is outside the scope of the current rulemaking.

Final Rule

The final rule adopts the proposed addition of the language in § 2.34(b) of “use of information in records” instead of just “use of information” in this section to make clear that this provision relates to part 2 records. The final rule also adopts the proposed replacement of the phrase “re-disclose or use” to “use or redisclose” as it relates to preventing a registry from using or redisclosing part 2 records, to align the language of this provision with the HIPAA Privacy Rule. A provider health system supported the alignment of “use or redisclose” and there were no other comments on these proposals.

Section 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients

Proposed Rule

Section 2.35 outlines conditions for disclosures back to persons within the criminal justice system who have referred patients to a part 2 program for SUD diagnosis or treatment as a condition of the patients' confinement or parole. The Department proposed to clarify that the permitted disclosures would be of information from the part 2 record and to replace the term “individual” within the criminal justice system with “persons” consistent with similar changes throughout this rule. The Department also proposed to add the phrase “from a record” after the term “information” to make clear that this section regulates “records.” In addition to requesting comment on the proposed wording changes, the Department invited comments on whether the alternative term “personnel” would more accurately cover the circumstances under which referrals under § 2.35 are made.

Comment

One individual commenter asserted that the alternative term “personnel” was too broad in this context and would create circumstances that could compromise patient confidentiality. This individual also commented that replacing the term “individual” with the term “person” would be more acceptable. Another commenter, a provider health system, expressed support for the term change from “individual” to “person” and stated that the term “person” is preferable to “personnel” since the term “personnel” may inadvertently imply employment status while the term “persons” would accurately reflect referrals from the criminal justice system regardless of status as an employee, independent contractor or other individual on behalf of the criminal justice system.

Response

We agree with these commenters for the reasons discussed in the NPRM.

Comment

Several advocacy organizations and a health IT vendor commented that the Department's proposed changes unnecessarily limit diversion to court-based programs. These commenters recommended certain changes to the proposal that, in their opinion, would include pre-arrest diversion as well as other types of law enforcement deflection to avoid the court system and direct the patient into treatment and services. In § 2.35(a), these commenters recommended changing “A part 2 program may disclose information from a record about a patient to those persons within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if . . .” to “A part 2 program may disclose information from a record about a patient to those persons within the criminal justice system who have made participation in the part 2 program a condition of the filing, prosecution, or disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if . . .” (emphasis added).

For § 2.35(a)(1), these commenters recommended changing “(e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient)” to “(e.g., a police officer or a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient)” (emphasis added).

Response

We appreciate the detailed recommendations for regulatory text in these comments. We also acknowledge the important social policy raised, to promote treatment over referral to courts. However, we believe the consent process is sufficient for the operation of diversion and deflection initiatives, without a need for the Department to loosen confidentiality restrictions, because it allows patients to consent to the release of part 2 records for such initiatives if they wish to do so.

Final Rule

The Department adopts the proposed changes without modification.

Subpart D—Uses and Disclosures Without Patient Consent

As described below, the Department adopts the proposal to add “Uses and” to this heading to more accurately reflect the scope of activities regulated in this subpart.

Section 2.51—Medical Emergencies

Proposed Rule

In § 2.51(c)(2) the Department proposed for clarity replacing the term “individual” with “person” such that this now requires a part 2 program to document the name of the person making the disclosure in response to a medical emergency.

Comment

An advocacy group recommended that the proposed change to § 2.51 (Medical emergencies) be withdrawn. The commenter suggested that as part of its efforts throughout the rulemaking to standardize regulatory language, HHS proposed to replace the word “individual” with the word “person” in the documentation requirements. HHS proposed to define “person” by reference to the HIPAA Privacy Rule as a “natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” The commenter said that in its view, even though the Department states this change will promote clarity, it will actually result in less clarity for patients, who may no longer be able to tell who disclosed their part 2-protected information to 911 and medical personnel. The patient already knows that the part 2 program was the “person” making a disclosure of part 2 records during a medical emergency. For this reason, it is the identity of the individual making the disclosure that is important to document. In general, the organization supported the efforts throughout the rulemaking to streamline language by replacing the phrase “individual or entity” with the word “person,” but in this instance the change will diminish patients' rights and transparency with no clear benefit to impacted patients.

Response

We discuss our changes to definitions, including the term “person,” in § 2.11. Commenters generally supported this proposed change as providing clarity and helping to align with HIPAA. We acknowledge that in this instance replacing the term “individual” with the term “person” could result in less transparency about who disclosed the patient's record during an emergency; however, under the wording change a part 2 program is not prevented from identifying the individual who disclosed the part 2 information. Further, there may be instances or treatment settings where documenting only the name of the disclosing entity, rather than the individual, is needed to protect the safety of program staff.

Comment

A few health information associations supported the ability for providers, under certain circumstances such as medical emergencies, to access, use, and disclose patient part 2 data when necessary. It is important for providers to have access to all points of decision-making in a medical emergency to ensure patients are protected physically both in the short and the long term. A health care provider and medical professionals' association also supported the proposed changes in this section.

Response

We appreciate the comments on our changes in this section of the rule.

Comment

Another commenter asserted that a workflow obstacle occurs when patients previously treated in their part 2 program present to the emergency department for care. The emergency department personnel are blinded from accessing care notes which can be relevant to the emergency event. In addition, the current part 2 requirements complicate this commenter's ability to meet interoperability requirements included in the CARES Act. Under current regulations, the commenter has not released part 2 patient records, as they view the EHR as an all-or-nothing proposition and consent is unique to each patient.

Response

We acknowledge the commenter's concerns about lack of access to needed information by treating providers. As the Department stated in the 2020 final rule “[a]lthough not a defined term under part 2, a `bona fide medical emergency' most often refers to the situation in which an individual requires urgent clinical care to treat an immediately life-threatening condition (including, but not limited to, heart attack, stroke, overdose), and in which it is infeasible to seek the individual's consent to release of relevant, sensitive SUD records prior to administering potentially life-saving care.” In the 2017 final rule, the Department stated that “[w]ith regard to the request that a `medical emergency' be determined by the treating provider, SAMHSA clarifies that any health care provider who is treating the patient for a medical emergency can make that determination.” While workflow barriers may exist in particular institutions or situations during medical emergencies, patient identifying information may be disclosed to medical personnel to meet the bona fide medical emergency and support patient treatment.

85 FR 42986, 43018.

82 FR 6052, 6095.

85 FR 42986, 43018; 82 FR 6052.

Comment

A medical professionals association opined that the proposed rule does not make any changes to the current part 2 exemption for medical emergencies, which states that SUD treatment records can be disclosed without patient consent in a “bona fide medical emergency.” However, the commenter stated that there are both real and perceived barriers to providing emergency care and coordinating appropriate transitions of care for patients with SUD. For example, patients with SUD can have separate charts that are not visible to physical health clinicians in the EHR, even though that information could influence the acute care provided; in some instances those clinicians are not even aware that the behavioral health charts exist. When information is requested related to emergency treatment, there is often confusion about what type of information can be shared without violating part 2 requirements. Thus, in practice, when there is any amount of uncertainty, part 2 providers and physical health providers trying to provide and coordinate care that falls under part 2 revert to the most restrictive access possible even if not indicated at that time. The commenter provided another potential concern related to methadone dosing. Unless patients disclose that they are taking methadone or it is indicated in prior notes in the physical health EHR, a treating emergency physician would have no way of knowing that the patient is even taking methadone, let alone their dosage.

The commenter believed that aligning the rules governing physical health and behavioral health, as this proposed rule attempts to do, will hopefully reduce stigma and better enable emergency physicians to care for the whole individual, working in parallel with other clinicians.

Response

We acknowledge the commenter's concerns and appreciate that the aims of the changes throughout this regulation are to reduce stigma for patients with SUD and improve integrated care. Additionally, this final rule provides in § 2.12(d) that a part 2 program, covered entity, or business associate that receives records based on a single consent for all TPO is not required to segregate or segment such records, therefore more integrated care may be available for patients who sign a TPO consent.

Final Rule

The final rule adopts the proposed changes to § 2.51(c)(2) without further modification.

Section 2.52—Scientific Research

Proposed Rule

Section 2.52 permits part 2 programs to disclose patient identifying information for research, without patient consent, under limited circumstances. Paragraph (a) sets forth the circumstances for when patient identifying information may be disclosed to recipients conducting scientific research. Paragraph (b) governs how recipients conducting the research may use patient identifying information. In § 2.52(b)(3), any individual or entity conducting scientific research using patient identifying information may include part 2 data in research reports only in non-identifiable aggregate form. Paragraph (c) governs how researchers may use patient identifying information to form data linkages to data repositories, including requirements for how researchers must seek Institutional Review Board approval to ensure patient privacy concerns are addressed.

The Department proposed to change the title of this section from “Research” to “Scientific Research” for consistency with 42 U.S.C. 290dd–2(b)(2)(B) that permits programs to disclose to “qualified personnel for the purpose of conducting scientific research . . . .”

The Department also proposed to change the de-identification standard in § 2.52(b)(3) to more closely align with the HIPAA Privacy Rule de-identification standard. Specifically, the current text for § 2.52(b)(3) permits a person conducting scientific research using patient identifying information that has been disclosed for research to “include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.”

Consistent with proposed changes to § 2.16(a)(1)(v) and (a)(2)(vi) (Security for records and notification of breaches), discussed above, the Department proposed to modify the language in this section related to rendering information non-identifiable so that it also refers to the HIPAA Privacy Rule de-identification standard. Under our proposal, a person conducting scientific research using patient identifying information disclosed for research would have been permitted to “include part 2 data in research reports only in aggregate form in which patient identifying information has been de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.”

As explained above in section § 2.16, section 3221(c) of the CARES Act required the Department to apply the HIPAA Privacy Rule de-identification standard for PHI codified in 45 CFR 164.514(b) to part 2 for the purpose of disclosing part 2 records for public health purposes. The change here (and in § 2.16 above) was proposed to further advance alignment with HIPAA and reduce burden on disclosing entities that would otherwise have to apply differing de-identification standards.

The Department also proposed for clarity and consistency to replace several instances of the phrase “individual or entity” with the term “person,” which would encompass both individuals and entities, and to replace the term “individual” with the term “person.”

Comment

As discussed above in connection to § 2.16, commenters that addressed de-identification largely voiced support for adopting a uniform standard in this regulation that aligns with HIPAA, including adopting a de-identification standard applicable to research data. Many of these commenters believed that doing so could facilitate alignment and understanding among covered entities and part 2 programs.

Response

The Department appreciates these comments.

Comment

One commenter questioned whether the Department should define the terms “research” and “researcher” because it is not clear how the terms apply outside a traditional academic or medical research setting. This commenter also urged the Department to clarify whether the definitions of these terms in the HIPAA Privacy Rule at 45 CFR 164.501 should be used as the standard in § 2.52.

Response

We appreciate the comment and have not applied the HIPAA definitions of “research” and “researcher” in the final rule because those were not adopted by the CARES Act amendments to 42 U.S.C. 290dd–2. We acknowledge that the HIPAA Privacy Rule definition of “research” is useful and could be applied to research using part 2 records; however, we decline in this rule to require that. Within the Privacy Rule, “research” is defined as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The HIPAA Privacy Rule does not define the term “researcher,” but in guidance the Department has explained when a researcher is considered a covered entity (“[f]or example, a researcher who conducts a clinical trial that involves the delivery of routine health care such as an MRI or liver function test, and transmits health information in electronic form to a third party payer for payment, would be a covered health care provider”). We continue to believe that the purpose behind each term is sufficiently clear without having to incorporate regulatory terms in this part.

45 CFR 164.501 (definition of “Research”). The definition is based on the Common Rule definition of the same term, 45 CFR 46.102 (July 19, 2018).

See U.S. Dep't of Health and Human Servs., “When is a researcher considered to be a covered health care provider under HIPAA” (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/314/when-is-a-researcher-considered-a-covered-health-care-provider-under-hipaa/index.html.

Comment

More than half of all commenters that expressed support for the Department's research proposal urged the Department to expressly permit disclosure of part 2 records in limited data sets protected by data use agreements as allowed in the HIPAA Privacy Rule. These commenters asserted that doing so may greatly facilitate the exchange of public health information and research about SUDs. One commenter, a research company that expressed support for the de-identification proposal, believed that it failed to address the creation of limited data sets as defined by HIPAA, including that patient consent should not be required to create limited data sets. The commenter urged recognition in § 2.52(a) of what the commenter referred to as the “right” of part 2 programs or responsible parties conducting scientific research to use identifiable part 2 data for making de-identified data or limited data sets without the need for obtaining individual consent in the same manner as is permitted under 45 CFR 164.514.

Response

We decline to finalize a provision that would incorporate limited data sets into this regulation. We understand that commenters have questions and suggestions regarding the interaction of the HIPAA limited data set requirements and the part 2 research requirements. We did not propose any changes to this regulation to expressly address limited data sets and are not finalizing any such changes in this rule; however, we will take these comments into consideration for potential future rulemaking or guidance.

Comment

One commenter, a research association, perceived a discrepancy in how part 2 and HIPAA would treat de-identified information under the proposal. This commenter argued that under proposed § 2.52(b)(3), part 2 programs must limit the use of de-identified part 2 data in “research reports” to data presented in aggregate form instead of treating it as non-PHI as in the HIPAA Privacy Rule. The commenter asserted that this unnecessarily restricts research without benefiting patients and defeats the CARES Act objective to align part 2 with HIPAA. The commenter recommended that the Department consider alternate language in § 2.52(b)(3) such as: “[m]ay use Part 2 data in research if the patient identifying information (a) has been de-identified in accordance with any of the standards of the HIPAA Privacy Rule at 45 CFR 164.514(b); or (b) is in the format of a limited data set as defined in 45 CFR 164.514(e), which limited data set is used in accordance with all requirements of § 164.514(e), including the requirement for a data use agreement.”

Response

As stated previously, the Department did not propose to incorporate limited data sets into this regulation and is not finalizing such a change in this final rule. Additionally, the statute limits the disclosure of records in reports, not the use of records in conducting research. Section 290dd–2(b)(2)(B) of title 42 provides that records may be disclosed without consent “[t]o qualified personnel for the purpose of conducting scientific research . . . but such personnel may not identify, directly or indirectly, any individual patient in any report [emphasis added] of such research . . .[.]”

Comment

A few individual commenters claimed that researchers consistently demonstrate the ability to re-identify data so de-identification of SUD records offers no protection to this sensitive information and exposes patients to stigmatization.

Response

As noted above in connection to a similar comment regarding the de-identification proposal in § 2.16, the Department is aware of the concerns related to the potential to re-identify data. The Department, however, also recognizes that the HIPAA standard for de-identification incorporated here is largely viewed as workable and understandable. We believe this sentiment is borne out in the much larger set of supportive comments.

Final Rule

Similar to the approach adopted in § 2.16 (Security for records and notification of breaches), above, the final rule incorporates the HIPAA Privacy Rule de-identification standard at 45 CFR 164.514(b) into § 2.52 as proposed, and further modifies this section to more fully align with the complete HIPAA de-identification standard by adopting language from 45 CFR 164.514(a). The final rule deletes the phrase in § 2.52(b)(3), “as having or having had a substance use disorder,” and modifies this language to: “such that there is no reasonable basis to believe that the information can be used to identify a patient.” In so doing, we are aligning with the HIPAA standard in paragraph (a) of 45 CFR 164.514, which refers to “no reasonable basis to believe that the information can be used to identify an individual,” and is not limited to removing information about a particular diagnosis or subset of health conditions. In this way, the final standard incorporated here is more privacy protective than the proposed standard. Moreover, as we also stated in connection with the final de-identification standard incorporated in § 2.16 above, our adoption of the same de-identification standard for public health disclosures (new § 2.54) into this provision provides a uniform method for de-identifying part 2 records for all purposes. Finally, we removed the language “the HIPAA Privacy Rule” from regulatory references to 45 CFR 164.514(b) because we believe it to be unnecessary.

Section 2.53—Management Audits, Financial Audits, and Program Evaluation

Proposed Rule

The Department proposed to change the heading of § 2.53 to specifically refer to management audits, financial audits, and program evaluation to more clearly describe the disclosures permitted without consent under 42 U.S.C. 290dd–2(b)(2)(B). The Department also proposed to replace several instances of the phrase “individual or entity” with the term “person,” which would encompass both individuals and entities. The Department also proposed to modify the audit and evaluation provisions at § 2.53 by adding the term “use” where the current language of § 2.53 refers only to disclosure and by adding paragraph (h) (Disclosures for health care operations).

Section 2.53 permits a part 2 program or lawful holder to disclose patient identifying information to an individual or entity in the course of certain Federal, State, or local audit and program evaluation activities. Section 2.53 also permits a part 2 program to disclose patient identifying information to Federal, State, or local government agencies and their contractors, subcontractors, and legal representatives when mandated by law if the audit or evaluation cannot be carried out using de-identified information.

The Department explained in the NPRM that there is significant overlap between activities described as “audit and evaluation” in § 2.53 and health care operations as defined in the HIPAA Privacy Rule at 45 CFR 164.501. For example, the following audit and evaluation activities under part 2 align with the health care operations defined in the HIPAA Privacy Rule, as cited below:

• Section 2.53(c)(1) (government agency or third-party payer activities to identify actions, such as changes to its policies or procedures, to improve care and outcomes for patients with SUDs who are treated by part 2 programs; ensure that resources are managed effectively to care for patients; or determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD);

See, e.g., 45 CFR 164.501 (definition of “Health care operations,” paragraph (5)).

• Section 2.53(c)(2) (reviews of appropriateness of medical care, medical necessity, and utilization of services); and

See, e.g., 45 CFR 164.501 (definition of “Health care operations,” paragraph (1)).

• Section 2.53(d) (accreditation).

See, e.g., 45 CFR 164.501 (definition of “Health care operations,” paragraph (2)).

In addition, activities by individuals and entities (“persons” under the final rule) conducting Medicare, Medicaid, and CHIP audits or evaluations described at § 2.53(e) parallel those defined as health oversight activities in the HIPAA Privacy Rule at 45 CFR 164.512(d)(1). Part 2 programs and lawful holders making disclosures to these persons must agree to comply with all applicable provisions of 42 U.S.C. 290dd–2, ensure that the activities involving patient identifying information occur in a confidential and controlled setting, ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had an SUD, and must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part. Patient identifying information disclosed pursuant to § 2.53(e) may be further redisclosed to contractor(s), subcontractor(s), or legal representative(s) to carry out the audit or evaluation, but such redisclosure is restricted to only that which is necessary to complete the audit or evaluation as specified in paragraph (e).

See 42 CFR 2.53(e)(6).

We confirm here that nothing in the proposed or final rule is intended to alter the existing use and disclosure permissions for the conduct of audits and evaluations, including for investigative agencies that conduct audits. Thus, an investigative agency that is performing an oversight function may continue to review records under the § 2.53 requirements as it did under the previous rule. If, during a review, an audit needs to be referred for a criminal investigation or prosecution, that investigative agency would be expected to follow the requirements under subpart E for seeking a court order. In the event an investigative agency fails to seek a court order because it is unaware that it has obtained part 2 records, it may rely on the newly established safe harbor within § 2.3, provided that it first exercised reasonable diligence in trying to ascertain whether the provider was providing SUD treatment. In making use of the safe harbor, an investigative agency would then be obligated to follow the new requirements in § 2.66 or § 2.67, as applicable.

Section 3221(b) of the CARES Act amended the PHSA to permit part 2 programs, covered entities, and business associates to use or disclose the contents of part 2 records for TPO after obtaining the written consent of a patient. Covered entities, including those that are also part 2 programs, and business associates are further permitted to redisclose the same information in accordance with the HIPAA Privacy Rule. As the Department noted throughout the NPRM, these new disclosure pathways are permissive, not required.

To implement the new TPO permission that includes the ability of the entities above to use or disclose part 2 records for health care operations with a general consent, the Department proposed to modify the audit and evaluation provisions at § 2.53 by adding the term “use” where the current language of § 2.53 refers only to disclosure and by adding paragraph (h) (Disclosures for health care operations). This new paragraph as proposed would clarify that part 2 programs, covered entities, and business associates are permitted to disclose part 2 records pursuant to a single consent for all future uses and disclosures for TPO when a requesting entity is seeking records for activities described in paragraph (c) or (d) of § 2.53. Such activities are health care operations, but do not include treatment and payment. To the extent that a requesting entity is itself a part 2 program, covered entity, or business associate that has received part 2 records pursuant to a consent that includes disclosures for health care operations, it would then be permitted to redisclose the records for other purposes as permitted by the HIPAA Privacy Rule. Thus, if an auditing entity is a part 2 program, covered entity, or business associate that has obtained TPO consent and is not performing health oversight, it would not be subject to all the requirements of § 2.53 (e.g., the requirement to only disclose the records back to the program that provided them). Requesting entities that are not part 2 programs, covered entities, or business associates would not have this flexibility but would still use existing permissions in § 2.53 to obtain access to records for audit and evaluation purposes, and they would remain subject to the redisclosure limitations and written agreement requirement therein.

The Department proposed paragraph (h) which would leave intact existing disclosure permissions and requirements for audit and evaluation activities without consent, including health care oversight activities, such as described in paragraph (e). At the same time, the proposal would provide a new mechanism for programs and covered entities to obtain patient consents for all future TPO uses and disclosures (including redisclosures), which in some instances may include audit and evaluation activities.

Comment

We received several comments about audit and evaluation provisions. Most commenters expressed support for our proposed changes to this section. A major health plan expressed support without further comment. Others expressed support and offered additional recommendations or suggestions for further alignment or clarity. A state data center requested clarity on whether there could be other permissible disclosures for licensing proceedings and hearings before an administrative tribunal brought by an agency that provides financial assistance to the part 2 program or is authorized by law to regulate the part 2 program and administratively enforce remedies authorized by law to be imposed as a result of the findings of the administrative tribunal. The commenter suggested adding a new subsection § 2.53(c)(3) to address these issues and add appropriate restrictions.

One state regulatory agency expressed concerns about § 2.53, describing its recent experience with licensed health care facilities that significantly disrupted the department's regulatory responsibilities by citing 42 CFR part 2 as justification. Specifically, it expressed concern that licensed health care facilities may rely on the proposed public health authority exception to prevent the state from accessing SUD records without patient consent or a court order. This same agency further commented that the final rule should clarify the scope of the “public health authority” exception and affirm the ability of state licensing authorities to access identifiable patient records pursuant to § 2.53 for surveys and investigations.

Response

We appreciate the comments on our proposed changes. We discuss redisclosure provisions in § 2.33. We clarify here that although the new disclosure permission for public health in § 2.54 is limited to records that are de-identified, the existing permission for access to identifiable patient information in § 2.53 remains a valid and viable means for government agencies with audit and evaluation responsibilities to review records without obtaining a court order. We believe that Congress enacted the public health disclosure permission to enhance the ability of part 2 programs and other lawful holders of part 2 records to report to public health authorities. This is distinct from the regulatory and oversight authority over programs and lawful holders that permits agencies to review records that are not de-identified, provided the conditions of § 2.53 are met. We decline to add a new subsection to § 2.53(c) to clarify other disclosure provisions for use by regulatory agencies with enforcement authority over part 2 programs and lawful holders, but §§ 2.62, 2.63, 2.64, and 2.66 may govern use of audit and evaluation records in criminal and non-criminal proceedings against a program. These provisions also are clear that a court order will not be granted unless other means of obtaining the records are unavailable or would be ineffective. Therefore, use of the disclosure permission under § 2.53 is encouraged, as courts are unlikely to grant these orders given the provisions of this rule.

Comment

Several commenters addressed APCDs or MPCDs. One non-profit agency that administers a state-based APCD commented that the rule should expressly include a permission to disclose to state-mandated APCDs for audit and evaluation purposes required by statute or regulation. It also recommended that the Department clarify that a state-mandated APCD housed in a non-state nonprofit entity does not need to be providing oversight and management of a part 2 program as a prerequisite for relying on § 2.53 to conduct an audit or evaluation on behalf of a state agency. It asserted that in many states the APCD is the most comprehensive source of cross-payer data and analytics, and that the lack of clarity around APCD authority to hold SUD data is actively hampering the ability to use APCDs to provide information about the current opioid epidemic, to evaluate what and where progress is being made, and to determine if there are populations with inequitable access to the programs and mitigation strategies used across the country. Another non-government agency and a state agency made similar comments and recommended guidance or an express permission to disclose SUD records to a state agency for APCDs.

One commenter remarked that there continues to be confusion within the data submitter community about the ability of health insurance carriers to legally submit data to state health database organizations without patient consent. According to the commenter, there is an opportunity for the Department to expressly identify this use as an authorized release of data to state agencies. Alternatively, the Department could provide guidance for the existing rules with this necessary clarification rather than use the rule-making process. The commenter also suggested that HHS provide clarification to understand better if the limitations in § 2.53(f) apply to audits/evaluations conducted under all of § 2.53 or only those preceding § 2.53(f).

A state agency recommended that restrictions against law enforcement accessing the database and against information in the databases being used for legal proceedings against the patient should accompany the permission to disclose to state APCDs. It further requested clarity on whether it has authority to request SUD data from downstream HIPAA covered entities (such as health plans and non-part 2 providers) and business associates if those entities received part 2 records for TPO purposes with patient consent. The commenter also opined that although, by law, it receives data to determine what actions are needed at a health plan level to improve care and outcomes for patients in part 2 programs, it was not clear if the limitations in § 2.53(f) prohibited another state agency also conducting mandated audits or evaluations under § 2.53(g) from providing or sharing that data. If not, the state agency noted, government agencies may not be able to “directly use” its databases, even if they are conducting proper but separate audits or evaluations under § 2.53. Such a result, according to the commenter, could lead to lost efficiencies and added burdens on part 2 programs or lawful holders because they would need to provide the data to the requesting government agencies, instead of the government agencies utilizing existing state databases. The commenter also asserted that per § 2.53(g), this data release would only occur in cases where the work could not be carried out using de-identified information (and subject to the government agency recipient accepting privacy and security responsibilities consistent with applicable law).

Response

We appreciate the comments on APCDs or MPCDs and other provisions under this section and may provide additional guidance after this rule is finalized. In the preamble to the 2017 Part 2 Final Rule, the Department stated “that MPCDs [. . .] are permitted to obtain part 2 data under the research exception provided in § 2.52, provided that the conditions of the research exception are met. Furthermore, an MPCD [. . .] that obtains part 2 data in this fashion would be considered a ‘lawful holder’ under these final regulations and would therefore be permitted to redisclose part 2 data for research purposes, subject to the other conditions imposed under § 2.52.”

82 FR 6052, 6102.

In the preamble to the 2020 Part 2 Final Rule, the Department explained that under § 2.53, government agencies and third-party payer entities would be permitted to obtain part 2 records without written patient consent to periodically conduct audits or evaluations for purposes such as identifying agency or health plan actions or policy changes aimed at improving care and outcomes for part 2 patients. Such purposes could include, e.g., provider education and recommending or requiring improved health care approaches. The Department also noted that government agencies and private not-for-profit entities granted authority under applicable statutes or regulations may be charged with conducting such reviews for licensing or certification purposes or to ensure compliance with Federal or state laws. The 2019 Part 2 NPRM explained “that the concept of audit or evaluation is not restricted to reviews that examine individual part 2 program performance.”

85 FR 42986, 43023.

Id.

85 FR 42986, 43023; 84 FR 44568, 44579.

In this final rule we also provide in this section that a part 2 program, covered entity, or business associate may disclose records in accordance with a consent that includes health care operations to the extent that the audit or evaluation constitutes a health care operation activity, and the recipient may redisclose such records as permitted under the HIPAA Privacy Rule if the recipient is a covered entity or business associate. Health care operations include a broad range of quality improvement and related activities, some of which overlap with the audit and evaluations under § 2.53.

See “Uses and Disclosures for Treatment, Payment, and Health Care Operations,” supra note 248.

As worded, § 2.53(f) applies to the entirety of § 2.53 and states that “[e]xcept as provided in paragraph (e) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.”

Comment

One managed care entity asserted that the proposed rule should fully align the part 2 audit and evaluation provisions with the HIPAA Privacy Rule to avoid distinctions between disclosures that would be permitted as part of health care operations but might not fit within the scope of audits and evaluations. It further commented that such misalignment could be administratively challenging and inadvertently impact the results of audits and evaluations due to incomplete or inaccurate data sets.

A large pharmacy provider commented that it strongly supported alignment of HIPAA and 42 CFR part 2, and to achieve full alignment, the Department should clarify that HIPAA governs all part 2 records that are PHI when in the hands of covered entities and business associates for any TPO purposes, including not applying the audit and evaluation provisions of § 2.53 to covered entities when the subject activities fall within TPO for HIPAA purposes. A major health system commented that the redisclosure permission granted to part 2 providers, covered entities, and business associates for records received under a TPO consent (including for the clarified health care operations provision at § 2.53) may lead to better SUD treatment and payment for such treatment, and a reduction of operational issues between and among providers and their business associates.

Response

The changes to § 2.53 as finalized more closely align with the HIPAA Privacy Rule because this section now expressly addresses disclosures for health care operations that are permitted with a single consent for all future uses and disclosures for TPO under §§ 2.31 and 2.33. However, full alignment of § 2.53 with the HIPAA Privacy Rule is not authorized by the CARES Act because most of this section includes additional protections for part 2 records when used or disclosed for oversight, such as vesting the part 2 program director with discretion to determine whether a requester is qualified, prohibiting redisclosure of the records by the recipient, and requiring the return or destruction of records after completion of the audit and evaluation. We address redisclosures in more depth in the discussion of § 2.32 and TPO disclosures in § 2.33 above.

Comment

Although the CARES Act does not expressly address § 2.53, one commenter believed that leaving out health oversight activities while including the CARES Act provisions for TPO purposes makes SUD patients more vulnerable. This individual commenter further suggested that the general regulatory authority given to the Department by the CARES Act would permit incorporating health oversight into this provision, which the commenter views as an acceptable tradeoff for diminished patient autonomy in terms of consent.

Response

Even though section 3221(e) of the CARES Act does not expressly address audits and evaluations, 42 U.S.C. 290dd–2 continues to reference audits and evaluations. The CARES Act emphasized use and disclosure of records for TPO and restrictions on use and disclosure in civil, criminal, administrative, or legislative proceedings. We note and have discussed in the 2018 and 2020 final rules and 2022 NPRM that § 2.53 comprises many activities that many would view as constituting health care oversight, including audits and quality improvement activities. Paragraph (e) specifically concerns Medicare, Medicaid, CHIP, or related audit or evaluation. In addition, § 2.62 expressly precludes records that are obtained under this section from being used and disclosed in proceedings against the patient.

See 83 FR 239, 247 and 85 FR 42986, 43025, respectively.

Final Rule

The final rule adopts the proposed changes to § 2.53, with two modifications to paragraph (h). The first is to limit redisclosure to recipients that are covered entities and business associates and the second is to refer to “HIPAA regulations” instead of 45 CFR 164.502 and 164.506. We believe this is consistent with the changes to § 2.33(b) and the addition of the defined term “HIPAA regulations.”

Section 2.54—Disclosures for Public Health

Proposed Rule

The existing part 2 regulations do not permit the disclosure of part 2 records for public health purposes. Section 3221(c) of the CARES Act added paragraph (b)(2)(D) to 42 U.S.C. 290dd–2 to permit part 2 programs to disclose de-identified health information to public health authorities and required the content of such de-identified information to meet the HIPAA Privacy Rule de-identification standard for PHI codified in 45 CFR 164.514(b). Accordingly, the Department proposed to add a new § 2.54 to permit part 2 programs to disclose part 2 records without patient consent to public health authorities provided that the information is de-identified in accordance with the standards in 45 CFR 164.514(b).

We proposed this change in conjunction with 42 U.S.C. 290dd–2(b)(2)(D), as added by CARES Act section 3221(d), which directed the Department to add a new definition of “public health authority” to this part. We also proposed the new definition in § 2.11, as discussed above.

Comment

Most commenters voiced support for the proposal to permit disclosures of de-identified records to public health authorities. Comments included assertions that the proposal may: promote awareness of SUDs; align goals between providers and public health authorities regarding SUD treatment; better help address the drug overdose crisis by ensuring information was available to develop useful tools while not impinging on individuals' privacy; assist with addressing population health matters; improve population health; and assist vulnerable populations by ensuring SUD records are available (e.g., addressing the COVID–19 pandemic).

Response

The Department appreciates the comments and takes the opportunity to reiterate here that the proposal is consistent with the new authority enacted in the CARES Act.

Comment

Some commenters asserted that while the regulation should allow the disclosure of SUD records for public health purposes, it should permit the disclosure of identifiable information rather than limit it to de-identified data. A few of these commenters acknowledged that the CARES Act modified title 42 to permit disclosure only of health information de-identified to the HIPAA standard in 45 CFR 164.512(b). Despite awareness of the CARES Act, these commenters gave multiple reasons why they thought the Department should promulgate a rule that permits the disclosure of identifiable data to a public health authority. For example, several of these commenters, including an academic medical center, a private SUD recovery center, and a state-affiliated HIE, asserted that state laws often require public health reporting for communicable/infectious disease surveillance. A Tribal consulting firm asserted that part 2 rules for disclosing data to public health authorities contradict state, Tribal, local, and territorial public health laws when other health care providers are required to submit individually identifiable information. A SUD treatment provider cited the potential vulnerability of this patient population to sexually transmitted diseases and the need for individual level data (e.g., age, address) to accomplish effective disease surveillance and resource allocation. A managed care organization, a health system, and a few state/local health departments commented that the limitation of disclosing only de-identified information could hinder public health efforts. A few HIE/HINs commented that in their role as Health Data Utilities, they regularly share critical health data with public health authorities. They gave examples such as overdose death information, which facilitates public health authorities' provision of appropriate follow-up services and resources to those affected by SUD. The HIE/HINs also have a role in producing public and population health information such as data maps or other renderings showing utilization of SUD facilities and open bed counts for the purpose of referrals. These organizations commented that the differences between HIPAA and the proposed part 2 public health disclosure permission may complicate the IT landscape.

Response

We acknowledge the many good explanations of how identifiable information could be useful for public health purposes that would not involve public reporting of patient identifying information. However, we lack authority to permit disclosures of identifiable information for public health purposes absent patient consent. This limitation is reflected in the amended statute at 42 U.S.C. 290dd–2(b)(2)(D).

Comment

Several other commenters supported the proposal but suggested other modifications or accompanying guidance. For example, one commenter, a regional HIN, asserted that part 2 and HIPAA already permit the disclosure of de-identified data without patient consent, and therefore the revision is a clarification rather than a substantive change. It urged the Department to clarify that the use of a general designation on an authorization form could allow disclosures to public health authorities operating in their state of residence. It also requested the Department to clarify—either in regulation or in guidance—when disclosures to public health authorities may fall into the research or audit and evaluation consent exceptions. A major health plan commented that conducting public health activities using a limited data set would be more useful and could advance important public health goals, as de-identified data lacks dates of service and ages which are often important variables for both research and public health activities. A state commented that the Department should specify what constitutes “public health purposes.” A large health care provider commented that the Department could help clarify the general right to de-identify part 2 records and disclose such de-identified part 2 records by including an explicit right to do so in the regulations as a permitted use, including an express right to use part 2 records for health care operations and to create a de-identified data set without patient consent.

Response

We appreciate these comments but have proposed this provision consistent with statutory authority. With respect to limited data sets, we address this topic in the discussion of § 2.52 above. We decline at this time to issue guidance related to distinctions between public health activities, research activities, and audit and evaluation. We have not received a large number of comments or requests to do so but will monitor for the need to address once this rule is finalized.

Comment

A health information management organization opposed the proposal and commented that the Department should fully understand the realities of de-identified data and should engage patient advocacy focused organizations to understand if transmitting de-identified data to public health entities would jeopardize patient trust in part 2 programs. It further commented that the de-identification standard for data within health care continues to evolve and change over time as technology and artificial intelligence become better able to re-identify patients.

Response

The CARES Act now requires the Department to finalize a standard that permits disclosure of information that is de-identified according to the HIPAA standard. Although we are obligated to implement the standard, we will monitor developments in accepted de-identification practices and how emerging technology developments may reduce the effectiveness of current standards.

Comment

One commenter, a health system, recommended that the Department ensure the de-identification standard for records conforms with various state reporting requirements and patient expectations. It cited the example of the state being required to track and report certain statistical information. The commenter also believed that adopting the HIPAA standard should be done in a way to allow for continued compliance with these state regulations. Another commenter, a medical professionals association, urged the Department to facilitate coordination between physicians and health IT entities to improve de-identification technology and make it more widely accessible for physician practices. A few other commenters, another medical professional association and a trade association representing health plans, commented that it was important for best practices for de-identification to be adhered to and reflected in regulations, and that regulated entities should specify which de-identification methods are being used for each data set.

Response

We have found that in most cases, state reporting requirements contemplate the disclosure of aggregate data, which may include de-identified records. Similarly, our authority to override state public health reporting requirements is statutorily limited. We express support for and encourage physicians to work with their respective technology vendors to assure the availability of compliant technology in physician practices.

Final Rule

The final rule adopts the proposed addition of a new § 2.54 into this regulation, and the accompanying definition of “public health authority” discussed in § 2.11. The proposal is adopted with further modification, but we believe it remains within our authority as enacted by the CARES Act. Consistent with the approach adopted above in §§ 2.16 (Security for records and notification of breaches) and 2.52 (Scientific research), we are further modifying the language proposed to align with the full HIPAA de-identification standard, which includes 45 CFR 164.514(a). As such, the final standard here permits a part 2 program to disclose records for public health purposes if made to a “public health authority” and the content has been de-identified in accordance with the requirements of the HIPAA Privacy Rule standard at 45 CFR 164.514(b), “such that there is no reasonable basis to believe that the information can be used to identify a patient.” This final language strikes from the proposal the limiting phrase after this language that is in the existing rule: “as having or having had a substance use disorder.” In addition, we removed the language “the HIPAA Privacy Rule” from the regulatory reference to 45 CFR 164.514(b) because we believe it unnecessary.

We reiterate here that the proposed change should not be construed as extending the protections of part 2 to de-identified information, as such information is outside the scope of § 2.12(a). Thus, once part 2 records are de-identified for disclosure to public health authorities, part 2 no longer applies to the de-identified records.

Subpart E—Court Orders Authorizing Use and Disclosure

The CARES Act enacted significant statutory changes governing how records could be used in legal proceedings. Section 290dd–2(c) (Use of Records in Criminal, Civil, or Administrative Contexts), as amended by section 3221(e) of the Act, newly emphasizes the allowance of written consent as a basis for disclosing records for proceedings. Revised paragraph (c) of 42 U.S.C. 290dd–2, as amended, now provides “[e]xcept as otherwise authorized by a court order under subsection (b)(2)(c) or by the consent of the patient, a record referred to in subsection (a), or testimony relaying the information contained therein, may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings [. . .] against a patient [. . .].” Thus, paragraph (c) of the amended statute also applies restrictions beyond records to “testimony relaying the information contained therein.” In the NPRM, the Department proposed to implement this amended statutory provision across every subpart E section as applicable, and in addition, proposed changes to §§ 2.12(d) and 2.31, discussed above, to more generally address how restrictions on use and disclosure of records apply in legal proceedings, and requirements for the structure of written consents for uses and disclosures of record and information in testimony in legal proceedings.

As discussed above, the Department is finalizing changes to § 2.12, Applicability. Paragraph (d) of § 2.12, as finalized, provides that restrictions on the use and disclosure of any record to initiate or substantiate criminal charges against a patient or to conduct any criminal investigation of a patient, or to use in any civil, criminal, administrative, or legislative proceeding against a patient, applies to any person who obtains the record from a part 2 program, covered entity, business associate, intermediary, or lawful holder regardless of the status of the person obtaining the record or whether the record was obtained in accordance with part 2.

To properly reflect that subpart E regulates uses and disclosures of records, information, and testimony therein, the Department is finalizing the proposed heading so that it now refers to “Court Orders Authorizing Use and Disclosure.” We received no comments addressing the proposed change in heading. We also note with respect to proposed modifications throughout this subpart, many public comments were intermingled across sections or intended to provide comment related to multiple regulatory sections. To the best of our ability, we responded to such comments in the regulatory section where we believe them most applicable.

Section 2.61—Legal Effect of Order

Section 2.61 includes the requirement that in addition to a court order that authorizes disclosure, a subpoena is required to compel disclosure of part 2 records. The final rule adopts the proposed addition to add the word “use” to paragraphs (a) and (b)(1) and (2) to clarify that the legal effect of a court order with respect to part 2 records would include authorizing the use of part 2 records, in addition to the disclosure of part 2 records. The Department did not propose substantive changes to this section although in relation to other provisions of this rulemaking, a few commenters expressed concern that the rule contemplates the added expense of a subpoena. Those comments are addressed below.

Section 2.62—Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors, and Evaluators

Proposed Rule

Section 2.62 provides that a court order issued pursuant to part 2 may not authorize “qualified personnel” who have received patient identifying information without consent for conducting research, audit, or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. As we explained in the NPRM, the term “qualified personnel” has a precise meaning but does not have a regulatory definition within 42 CFR part 2 and is used only once within the regulation. For greater clarity, the Department proposed to refer instead to “persons who meet the criteria specified in § 2.52(a)(1)(i) through (iii),” and later in the paragraph to “such persons.” The individual paragraphs of § 2.52(a)(1)(i) through (iii) describe the circumstances by which the person designated as director, managing director, or authoritative representative of a part 2 program or other lawful holder may disclose patient identifying information to a recipient conducting scientific research.

Comment

The Department did not receive comments specific to this section.

Final Rule

The Department adopts the proposed change and additionally inserts “and § 2.53” as a technical correction given that the regulatory text references audit and evaluation but not § 2.53. The final text provides that the court “may not authorize persons who meet the criteria specified in §§ 2.52(a)(1)(i) through (iii) and 2.53, who have received patient identifying information without consent for the purpose of conducting research, audit, or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient.”

Section 2.63—Confidential Communications

Proposed Rule

Section 2.63 contains provisions that protect the confidential communications made by a patient to a part 2 program. Paragraph (a) of § 2.63 provides that a court order may authorize disclosure of confidential communications made by a patient to a part 2 program during diagnosis, treatment, or referral only if necessary: (1) to protect against an existing threat to life or of serious bodily injury; (2) to investigate or prosecute an extremely serious crime, such as one that directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or (3) in connection with litigation or an administrative proceeding in which the patient introduces their own part 2 records. Paragraph (b) of current § 2.63 is reserved.

To implement changes to 42 U.S.C. 290dd–2 that could properly be applied to this section, the Department proposed to specify in § 2.63(a)(3) that civil, as well as criminal, administrative, and legislative proceedings are circumstances under which a court may authorize disclosures of confidential communications made by a patient to a part 2 program. Specifically, the Department proposed in § 2.63(a)(3) to expand the permission's application from “litigation or administrative proceeding” to “civil, criminal, administrative, or legislative proceeding” in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

Comment

One commenter expressed support for the proposal with the caveat that the part 2 program or covered entity be permitted to use the records, without a requirement that the patient first introduce the records into a legal proceeding, if the purpose of the use is for defense against professional liability claims brought by the patient.

One health plan also expressed unconditional support for this proposal.

Response

We appreciate the comments. We reaffirm here that this regulation is intended to protect those communications that are narrow in scope and limited to those statements made by a patient to a part 2 program in the course of diagnosis, treatment, or referral for treatment. We believe continuing to permit disclosure only under circumstances of serious harm coupled with a patient's own “opening the door” in legal proceedings strikes the right balance against an obvious disincentive to seeking care when such communications are not kept confidential. On the other hand, should an applicant believe it necessary to seek a court order and subpoena authorizing and compelling disclosure, respectively, there is nothing in this section that would restrict the ability of the applicant to attempt to convince a court that the information sought is broader than that governed by § 2.63, such as information contained in records subject to disclosure under § 2.64 and evaluation by a competent court with jurisdiction.

Final Rule

The final rule adopts the proposed changes to this section without further modification.

Section 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes

Proposed Rule

Section 2.64 describes the procedures and criteria that permit any person having a legally recognized interest in the disclosure of patient records for purposes “other than criminal investigation or prosecution” to apply for a court order authorizing the disclosure of the records.

The current language of § 2.64 refers only to “purposes other than criminal investigation or prosecution” and “noncriminal purposes” in the heading. To implement the changes to 42 U.S.C. 290dd–2(c), the Department proposed to modify paragraph (a) of § 2.64 to expand the forums for which a court order must be obtained, absent written patient consent, to permit use and disclosure of records in civil, administrative, or legislative proceedings. The Department also proposed, consistent with the language of the amended statute, to apply the requirement for the court order to not only records, but “testimony” relaying information within the records.

Comment

One commenter, a state Medicaid Office, sought guidance from the Department on determining the appropriateness of applying redisclosure procedures under HIPAA or part 2 when the underlying disclosure relates to a judicial or administrative proceeding. Specifically, this commenter noted that following a receipt of records pursuant to a TPO consent, proposed § 2.33(b) authorizes subsequent redisclosures under HIPAA regulations. As an example, it described a covered entity that receives an order for part 2 records of a Medicaid recipient as part of a civil, administrative, legislative, or criminal proceeding or criminal investigation. The proceeding in this situation is not against the Medicaid recipient, who is instead a witness, an alternate suspect, or other third-party individual. In these cases, this commenter asked if it should review and respond to the order under 45 CFR 164.512(e) pursuant to the proposed § 2.33(b) or under the procedures required by § 2.64.

45 CFR 164.512(e) grants permissions to covered entities to disclose PHI for judicial and administrative proceedings.

Response

As we understand the commenter's example and question, the underlying proceedings are not against the subject of the records or “patient,” and therefore the covered entity would be permitted to redisclose the records in accordance with the HIPAA Privacy Rule permission at 45 CFR 164.512(e). This response is consistent with the part 2 statute and with revised § 2.33(b) which provides that “[i]f a patient consents to a use or disclosure of their records consistent with § 2.31, the recipient may further use or disclose such records as provided in subpart E of this part, and as follows . . . [w]hen disclosed for treatment, payment, and health care operations activities [. . .] the recipient may further use or disclose those records in accordance with the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient [emphasis added].”

Although revisions to § 2.33 permit a covered entity or business associate to redisclose records obtained pursuant to a TPO consent “in accordance with the HIPAA regulations,” any person seeking to redisclose such records or information in a proceeding against the patient is required to comply with the procedures in § 2.64 or § 2.65 to obtain the part 2 court order or a separate consent of the patient that meets the requirements of new § 2.31(d).

Comment

One supportive commenter, a health system, asserted that a reasonable and necessary exception to the rule requiring patient consent or court order is in the case of a health care entity and provider needing access to records to vigorously defend their positions in legal proceedings against a patient, such as with a professional liability claim. This commenter further asserted that redacted records would be inadequate for preparation or case presentation.

Response

We do not believe that a professional liability claim brought by a patient against a provider is a proceeding “against a patient.” If a provider believes that a part 2 record or information is required to mount a defense against a professional liability claim brought by a patient, there is nothing in this regulation which would prevent the provider from seeking relief from a court.

Comment

One commenter did not object to the Department's proposal extending the current provision to apply to administrative and legislative proceedings, but objected to the requirement that a part 2 program or covered entity may incur legal expenses to obtain an instrument that would compel compliance (i.e., a subpoena, in addition to a court order).

Response

We appreciate the comment but even before this rulemaking, § 2.61 made clear that the sole purpose of a court order issued pursuant to subpart E was to authorize use or disclosure of patient information but not to compel the same. Additionally, under the current § 2.61, a subpoena or a similar legal mandate must be issued in order to compel disclosure. There is nothing in the CARES Act amendments that suggests we should modify these requirements.

Comment

Several commenters expressed support for this proposal, including a county department of public health and several individuals. One individual expressed strong support for restricting disclosures for civil and non-criminal procedures to promote racial equity. Another individual commenter thanked the Department for protecting patients from having records used against them, including the content of records in testimony.

Response

We appreciate the comments, but historically part 2 has always placed some restriction on disclosure of records in both civil and criminal types of proceedings.

Final Rule

The final rule adopts § 2.64 as proposed in the NPRM without further modification.

Section 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients

Proposed Rule

Section 2.65 establishes procedures and criteria for court orders authorizing the use and disclosure of patient records in criminal investigations or prosecutions of the patient. Under § 2.65(a), the custodian of the patient's records or a law enforcement or prosecutorial official responsible for conducting criminal investigative or prosecutorial activities may apply for a court order authorizing the disclosure of part 2 records to investigate or prosecute a patient. Paragraph (b) describes the operation of notice to the holder of the records about the application for a court order under this section and the opportunity to be heard and present evidence on whether the criteria in paragraph (d) for a court order have been met. Paragraph (d) sets forth criteria for the issuance of a court order under this section, including paragraph (d)(2), which requires a reasonable likelihood that the records would disclose information of substantial value in the investigation or prosecution. Paragraph (e) sets forth requirements for the content of a court order authorizing the disclosure or use of patient records for the criminal investigation or prosecution of the patient. Paragraph (e)(1) requires that such order must limit disclosure and use to those parts of the patient's record as are essential to fulfill the objective of the order, and paragraph (e)(2) requires that the order limit the disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigating and prosecuting extremely serious crimes or suspected crimes specified in the application. Paragraph (e)(3) requires that the order include other measures as are necessary to limit use and disclosure to the fulfillment of only that public interest and need found by the court.

Section 2.63(a)(1) and (2) of the current rule specifies that the type of crime for which an order to disclose confidential communications could be granted would be one “which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect.” Thus, the use of an illegal substance does not in itself constitute an extremely serious crime.

The Department proposed to modify § 2.65(a) to expand the types of criminal proceedings related to the enforcement of criminal laws to include administrative and legislative criminal proceedings for which a court order is required for uses and disclosures of records, and in paragraphs (a), (d) introductory text, (d)(2), (e) introductory text, and (e)(1) and (2), to include testimony relaying information within the records. The Department also proposed a non-substantive change to move the term “use” before “disclosure” in paragraphs (e) introductory text and (e)(1) and (3). As noted in the NPRM, criminal investigations may be carried out by executive agencies and legislative bodies as well as in criminal prosecutions through the judicial process. These changes implement 42 U.S.C. 290dd–2(c), as amended by section 3221(e) of the CARES Act, by widening the scope of confidentiality protections for patients in all of these forums where an investigation or action may be brought against them.

Notably, the statute, as amended by the CARES Act, also expressly permits disclosures and uses of records and testimony in legal proceedings against the patient if a patient consents. To address concerns about consent for use and disclosure of records in proceedings against the patient, the Department is adding a separate consent requirement in § 2.31(d), as discussed above.

Comment

Nearly half of all commenters that addressed subpart E proposals opposed the proposal to allow patients to consent to the use and disclosure of their part 2 records in proceedings against the patient. Many of these commenters contended that permitting disclosures of records and testimony in proceedings against the patient, based on the patient's consent, only makes patients vulnerable to coercion from law enforcement who condition certain outcomes in the matter underlying the dispute on obtaining consent.

While several commenters acknowledged the statutory language that expressly allows consent for court proceedings, most nonetheless urged the Department not to implement the statutory change and instead finalize a regulatory provision that will protect patients from law enforcement seeking to condition outcome in criminal and civil proceedings on signed consent forms. Other commenters expressed alarm that the consent provision would further disincentivize historically vulnerable populations experiencing SUD, including pregnant individuals, from seeking SUD treatment. One commenter asserted that recipients of records released with consent for criminal, civil, administrative, and legislative proceedings are lawful holders under the regulations and recommended they be expressly barred from using these records or patient information in ways that discriminate against the patient.

Response

We appreciate the sentiments expressed by many of these commenters regarding the risks of a consent option. However, the language of the statute, as amended by the CARES Act, is clear and unambiguous and emphasizes the existing ability of patients to consent to the use or disclosure of their records or testimony within such records in legal proceedings against them. We also view patient consent as one of the cornerstones of privacy protection. Consistent with the statute and principle of empowering the patient to control the flow of their own information, the existing rule at § 2.33(a) clearly allows patient consent for disclosure of records for any purpose, which may include investigations and proceedings against the patient. The final rule expands this to encompass consent for use of records as well as disclosures. Additionally, in §§ 2.12 and 2.31 above, we discuss the specific regulatory modifications that refer to consent for legal proceedings and newly require separate consent for use and disclosure of records in civil, criminal, administrative, and legislative proceedings. We reiterate here that we intend for references to such proceedings to also encompass investigations, as stated in 42 U.S.C. 290dd–2.

Comment

One commenter, a mental health advocacy organization, commented that the Department should establish a safe harbor that would protect health plans from civil and criminal penalties when violations arise from good faith redisclosures that comply with the HIPAA Privacy Rule but not part 2. According to this commenter this provision could support sharing information on claims databases since there are disparate state approaches to protecting and administering these records.

Response

We are sympathetic to concerns related to disparate state laws that conflict with or overlap with this Part, and understand the issues faced by plans that consistently interact with or disclose information to state claims databases. However, we believe the extent of our statutory authority is clear in how this regulation only permits use and disclosures of records and information therein, in legal proceedings against patients, when consent or the requisite court order is obtained. Having said that, under the newly promulgated enforcement structure required by statute, criminal liability inures only when a willful or knowing violation occurs. Moreover, the crux of this requirement remains as it did prior to this rulemaking, and the CARES Act did nothing to modify the added protection afforded to records that would otherwise be used to prosecute a patient. Given the continuity of this requirement, we anticipate that plans and state claims databases should already have built-in mechanisms to accommodate this regulation.

Comment

Approximately one-third of commenters on this topic supported requiring patient consent or a court order for use and disclosure of part 2 records against a patient or a part 2 program. Some of these commenters expressed appreciation for the expanded protection from use and disclosure in legislative and administrative investigations and proceedings, and for the express protection of testimony that conveys information from part 2 records within the consent or court order requirements. Some commenters expressed the sentiment that these express and expanded protections would serve as a counterweight to easing the flow of part 2 records for health care-related purposes.

Response

We appreciate these comments. As we have stated above, the revised language of this section, and our revision to § 2.12(d), discussed above, implement key CARES Act statutory modifications. We agree that the expanded protections for testimony arising from information contained in records, and the extension of protection to additional types of legal proceedings, could counterbalance, in some respects, the expanded permission to use and disclose part 2 records under a single consent for all future TPO.

Comment

One commenter, a health system, expressed support for this proposal but suggested that a covered entity should be able to rely and act upon a court order issued by a court of competent jurisdiction without potentially incurring additional legal expenses for an instrument compelling compliance.

Response

Consistent with our response above, the requirement for a subpoena has been firmly enshrined in part 2 and was not proposed for revision in this rulemaking.

Comment

An individual appreciated the emphasis in the § 2.65 NPRM discussion that “the use of an illegal substance does not in itself constitute an extremely serious crime” and recommended reiterating that neither substance use nor engagement in SUD treatment services should in and of themselves be considered evidence of child abuse or neglect, including for people who are pregnant.

Response

We agree and state that the regulation continues to place emphasis on crimes that pose threats to loss of life or serious bodily injury, such as homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect.

See §§ 2.65(d)(1) (criteria for court issuance of an order authorizing use and disclosure of records in a criminal proceeding against a patient) and 2.63(a)(2) (limiting disclosure of confidential communications to investigations or prosecution of serious crimes).

Final Rule

The final rule adopts § 2.65 as proposed without further modification.

Section 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or the Person Holding the Records

Proposed Rule

The Department proposed to add a new paragraph (a)(3) that details procedures for investigative agencies to follow in the event they unknowingly obtain part 2 records during an investigation or prosecution of a part 2 program or person holding part 2 records without obtaining a court order as required under subpart E. Section 2.66 specifies the persons who may apply for an order authorizing the disclosure of patient records for the purpose of investigating or prosecuting a part 2 program or “person holding the records (or employees or agents of that part 2 program or person holding the records)” in connection with legal proceedings, how such persons may file the application, and provides that, at the court's discretion, such orders may be granted without notice to the part 2 program or patient.

In conjunction with a new definition of “investigative agency” that the Department proposed and is finalizing in § 2.11 above, the Department modified paragraph (a) to refer only to “investigative agency” as the type of organization that may apply for an order under this section. The new term includes, by definition, the other types of organizations referenced in the current provision (i.e., state or Federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of part 2 programs or other person holding part 2 records) as well as local, Tribal, and territorial agencies. The Department also proposed a new paragraph (a)(3). The Department's proposed change would require an investigative agency (other than one relying on another disclosure provision, such as § 2.53(e)) that discovers in good faith that it has obtained part 2 records to secure the records consistent with § 2.16 and immediately cease using or disclosing them until it obtains a court order authorizing the use and disclosure of the records and any records later obtained. A court order must be requested within a reasonable period of time, but not more than 120 days after discovering it received the records. As proposed, if the agency does not seek a court order, it must return the records to the part 2 program or person holding the records if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days from discovery; or, if the agency does not seek a court order or return the records, it must destroy the records in a manner that renders the patient identifying information non-retrievable, within a reasonable period of time, but not more than 120 days from discovery. Finally, if the agency's application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice of rejection from the court.

Section 2.53 also permits a person to disclose patient identifying information for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation. However, subpart E proceedings are distinguished from those under § 2.53 in that § 2.53 audits and evaluations are limited to those conducted by a governmental agency providing financial assistance to a part 2 program or other lawful holder, or by an entity with direct administrative control over the part 2 program or lawful holder, and that is determined by the part 2 program or other lawful holder to be qualified to conduct an audit or evaluation. See § 2.53 for the provision in its entirety.

The Department proposed in paragraph (b) to provide an option for substitute notice by publication when it is impracticable under the circumstances to provide individual notification of the opportunity to seek revocation or amendment of a court order issued under § 2.66. Additionally, the Department proposed to reorganize paragraph (c) by expressly incorporating the provisions from § 2.64(d) that would require an applicant to obtain a good cause determination from a court and adding the proposed § 2.3(b) requirements as elements of good cause for investigative agencies that apply for a court order under proposed § 2.66(a)(3)(ii).

In addition to incorporating the provisions in § 2.64(d), the Department proposed a slight modification to § 2.66(c)(1) to add that other ways of obtaining the information would yield incomplete information.

We note at the outset of the discussion of comments for this section and § 2.67 that some comments were intertwined with comments in response to § 2.3(b), limitation of liability for investigative agency personnel. Those comments are addressed above in the discussion of comments related to § 2.3(b).

Comment

A large health system expressed support for providing a remedy when an investigative agency discovers in good faith that it has received part 2 records, that allows the agency to either seek a court order or return records in lieu of an order.

Response

We appreciate the comments.

Comment

Several commenters, including a Medicaid fraud unit and a large health system, expressed support for the proposal to allow for substitute notice under § 2.66 when individual notice is infeasible or impractical. One commenter, a state-based regional Medicaid fraud unit, asked the Department to consider applying the “substitute notice by publication” requirement retroactively.

Response

We appreciate the comments regarding substitute notice. In consideration of the burden that would inure to part 2 programs and holders of records, we decline to make this requirement retroactive.

Comment

A state Medicaid fraud unit recommended that it not be considered an “investigative agency” as defined in § 2.11 and used in this section and § 2.67, and that it be permitted to access records without a court order. In the alternative, it expressed support for the proposed safe harbor and related procedures proposed in §§ 2.66 and 2.67.

Response

We believe that a state Medicaid fraud unit meets the definition of “investigative agency” in § 2.11. The definition that we are finalizing provides that “[i]nvestigative agency means a Federal, state, Tribal, territorial, or local administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.” We are aware that in some states, Medicaid fraud units are created within state attorney general offices under Federal authority.

See, e.g., Maryland Office of the Att'y Gen., “Medicaid Fraud Control Unit,” https://www.marylandattorneygeneral.gov/Pages/MFCU/default.aspx.

Comment

A commenter, a state-based data center, requested that language be added to § 2.66(a)(2), (b), and (c) to clarify that an administrative tribunal can issue orders under this section, and that a separate court proceeding is not required.

Response

As we have noted previously, we lack authority to circumvent the statutory requirement in 42 U.S.C. 290dd–2(c) for a court order to authorize use and disclosure of records for civil, criminal, administrative, and legislative proceedings, including administrative tribunals.

Comment

One commenter, a managed care organization, requested that the Department require investigative agencies to notify the program when an agency is unknowingly in receipt of part 2 records without the required court order, and to state whether it intends to seek a court order, return the records, or destroy the records. The organization also requested clarification that the rule does not authorize an investigative agency to destroy records unless it has confirmed that they are not originals.

Response

We believe the proposed rule adequately protects the records from misuse by requiring the person holding the records to either return the records in a timely manner or destroy the records in a manner that renders the patient identifying information non-retrievable in a timely manner. We do not believe additional notice to the part 2 program or other holder of the record, as described by this commenter, is necessary and believe such a notice would go beyond the current rule in § 2.66 which does not require notice to be made until such time as a court order is granted. We agree that it is a best practice to confirm with the part 2 program that produced the records whether they are originals before an investigative agency destroys them.

Comment

One commenter, a state Medicaid agency, recommended that the Department include language outlining what “good faith” means and what will happen if the standard is not met.

Response

We believe it unnecessary to define in regulation the phrase “good faith,” which is required to support a finding that an investigative agency unknowingly acquired part 2 records in the course of an investigation in § 2.66, § 2.67, or a finding that the safe harbor applies to shield from liability investigators who are holding such records. We believe the phrase is generally understood to mean without malice or without bad intent. We also believe that the operation of this provision is clear, in the event a finding of good faith is not met. First, if investigators are found to have acted in bad faith in obtaining the part 2 records, penalties could result. Second, in §§ 2.66 and 2.67, a finding of good faith is necessary to trigger the ability of the agency to apply for a court order to use records that were previously obtained.

See our NPRM discussion at 87 FR 74216, 74227 where we stated, “The proposed safe harbor could promote public safety by permitting government agencies to investigate or prosecute Part 2 programs and persons holding Part 2 records for suspected criminal activity, in good faith without risk of HIPAA/HITECH Act penalties.”

Comment

One commenter, an advocacy organization, requested that additional protections be added to § 2.66 (as well as § 2.3) for cloud service providers (CSPs). Such protections, the commenter believed, would apply to a “person holding the record” who coordinates with the SUD data owner (to the extent permitted by the legal request) and, despite such coordination, unknowingly makes a record available in response to an investigatory court order or subpoena. This same commenter further requested that the Department allow CSPs to, at their discretion: (1) require requestors of records to certify or attest that, to the best of the requestor's knowledge, part 2 records are not part of the request or that information sought will not be used as part of proceedings against a patient of a part 2 program; and (2) rely on such certifications or attestations of requestors when making disclosures in response to an investigatory court order or subpoena.

Response

We understand the challenges faced by CSPs and agree that under some circumstances they may be treated as the “person holding the record” under this regulation. However, under many service agreements the person that stores data in a CSP system is the one with the legal capability to disclose the data. We decline to adopt additional rules for CSPs that are different than the rules for other lawful holders of a part 2 record. The rule does not prevent a person holding the record from inquiring of the requestor whether they have knowledge as to the nature of the records within the scope of the request. However, we believe that a holder of the record, as a baseline, has some responsibility to know whether they are maintaining records that are PHI or subject to part 2. We also believe that in most cases, a CSP should be acting under the purview of a valid business associate agreement or other contract that specifies the particular protections needed with respect to the type of data being held and disclosed.

See U.S. Dep't of Health and Human Servs., “Guidance on HIPAA & Cloud Computing” (Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html (“The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule.” From an enforcement standpoint, we would apply this same principle to any agreement between a CSP and originator of part 2 data under part 2 obligations.).

Comment

One commenter, a medical professionals association, expressed concern that the patient notification process is insufficient (including under existing policies). In particular, according to this commenter the notification process may be problematic for those patients who lack mailing addresses, and it is not clear that the allowance for substitute notice by publication would increase its effectiveness. Instead, this commenter recommended instituting further notice requirements such as more detailed information provided to part 2 patients regarding the potential for court-ordered disclosure of records, the absence of an initial notice requirement, and the potential for substitute notice by publication. This same commenter recommended such information be included in the HIPAA NPP and included on the part 2 program's website; further, if a part 2 program comes under investigation and receives a court order authorizing disclosure, the part 2 program be required to post information on its website regarding the investigation and court order.

Response

We assume the crux of this comment is that the proposal does not account for an initial notice to a patient upon an application for a court order by a person seeking to use or disclose the patient's record. We disagree that the regulation does not provide for adequate notice to patients and part 2 programs about the entry of court orders. With respect to patients, we have proposed and are finalizing in a revised Patient Notice required by § 2.22 a requirement that part 2 programs include in the Patient Notice a statement such as “[r]ecords shall only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to the patient or the holder of the record, where required by 42 U.S.C. 290dd–2 and this part”. We believe this statement provides adequate notice to the patient such that the patient is made aware that he or she will be provided with some type of notice in the event a court order authorizes a use or disclosure of the patient's records. As we have stated above, the HIPAA Privacy Rule proposed modifications and public comments will be considered in a separate rulemaking.

While we agree with the sentiment that website notice of a court ruling permitting use or disclosure of a patient's records is generally reasonable, we decline to adopt this as a regulatory requirement. Given the court involvement in these proceedings, we believe it best left to the discretion of the court to determine the means of substitute notice that is reasonable under the specific circumstances that exist at the time.

Comment

One individual expressed negative views about this section and opined that the Department's proposed new paragraph § 2.66(a)(3) is not related to any requirement in the CARES Act. It is instead, according to this commenter, a means to excuse efforts by investigative agencies that fail to presume, as they should, that an investigation of a part 2 program would result in obtaining part 2 records. This commenter further recommended that the investigative agency be required to seek court authorization prior to any investigation and that the good faith standard is “disingenuous.” Finally, this commenter opined that the proposed option in § 2.66(b) for a substitute notice by publication when it is deemed “impracticable” under the circumstances to provide individual notification of the opportunity to seek revocation or amendment of a court order runs counter to the protection of patients in that an ability to locate a patient should not diminish their right to confidentiality.

Response

We understand the underlying concerns expressed in this comment and in response, are making some additional modifications to the proposed rule as discussed below. Also, in response, we point to the robust requirements that relate to obtaining the court order under paragraph (c) of this section, including that other ways of obtaining the information are not available (or would not be effective or would yield incomplete results), there is a public interest that outweighs potential injury to the patient, and the required diligence that must be exercised on the part of the investigative agency related to determining the application of this part. Additionally, with respect to substitute notice, it is only permitted once it is determined that individual notice is not available. Further, we assume that agencies obtaining a court order under § 2.66 have already complied with the requirement to use a pseudonym for the patient in the application for the court order (or to ensure the court seals the record of the proceedings) and expect them to comply with the requirement not to disclose any patient identifying information in any public mention of the court order, which would include any public form of substitute notice.

Final Rule

We are appreciative of the many comments in response to this section, but as we note above, the requirement of a court order or consent to make uses and disclosures regulated under this section has not changed, despite the widening of application to types of proceedings and testimony contained in records. In addition, as proposed, this change is consistent with the revised statute. The final rule therefore adopts § 2.66 as proposed with one additional modification. We are modifying paragraph (c)(3) to clarify that with respect to an application pursuant to § 2.66(a)(3)(ii), it is not permissible to use information from records obtained in violation of part 2 to support an application for a court order under 42 U.S.C. 290dd–2(b)(2)(C). We adopted this modification in response to commenters' concerns about the potential misuse of the safe harbor established in § 2.3(b) by investigative agencies. We are adding this express prohibition on the use of records obtained in violation of part 2 to counterbalance the latitude provided to investigative agencies and to disincentivize improper uses of information to support applications for court orders.

Section 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

Proposed Rule

Section 2.67 authorizes the placement of an undercover agent in a part 2 program as an employee or patient by law enforcement or a prosecutorial agency pursuant to court order when the law enforcement organization has reason to believe the employees of the part 2 program are engaged in criminal misconduct. Paragraph (a) authorizes the application for an order by law enforcement or prosecutorial agencies for placement of undercover agents or informants in a part 2 program based on reason to believe criminal activity is taking place. Paragraph (c) includes the “good cause” criteria by which an order under this section may be entered.

The Department proposed to replace the phrase “law enforcement or prosecutorial” with “investigative” in paragraph (a), and clarify that the good cause criteria for a court order in paragraph (c)(2) includes circumstances when obtaining the evidence another way would “yield incomplete evidence.” The Department also proposed to create a new paragraph (c)(4) addressing investigative agencies' retroactive applications for a court order authorizing placement of an undercover informant or agent to investigate a part 2 program or its employees when utilizing the safe harbor under § 2.3. This provision would require the investigative agency to satisfy the conditions at proposed § 2.3(b) before applying for a court order for part 2 records after discovering that it unknowingly had received such records.

Comment

Several commenters, including a large health system and managed care organization, expressed support for the requirement that an investigative agency placing an undercover agent or informant must seek a court order and promote strict adherence to the requirements, including limitations and restrictions on uses and disclosures of part 2 information, of the court order. One of the commenters asserted that, if finalized, the proposal may ensure appropriate conduct by local and state agencies.

Response

We appreciate the comments.

Comment

One commenter, a regional state-based Medicaid fraud unit, recommended that the Department define or issue guidance about the meaning of “yield incomplete evidence.”

Response

Paragraph (c)(3) addresses one of the criteria under which a court must make a good cause determination for the entry of an order permitting placement of an undercover agent by an investigative agency, and requires a finding that other ways of obtaining information are not available or would “yield incomplete evidence.” We believe the court evaluating the application of this criterion is best situated to determine the facts and whether those facts support this finding.

Comment

An individual commenter expressed strong concern that proposed § 2.67 represents an unnecessary concession to law enforcement. Citing what this individual believes to be a prior concession in the 2020 rulemaking related to an extension of time from six to twelve months in which an undercover agent could be placed in a part 2 program, this commenter expressed the belief that this proposal relies on a second concession, grounded in “convenience” for law enforcement, that uses the “good cause” criteria for a court order in paragraph (c)(2) as a justification in circumstances when obtaining the evidence another way would “yield incomplete evidence.” This commenter specifically objected to modifying the current text in paragraph (c)(2) by adding “or would yield incomplete evidence” after “other ways of obtaining evidence of the suspected criminal activity are not available or would not be effective.”

85 FR 42986, 43039.

Response

We appreciate the sentiment expressed in this comment, but believe that the newly imposed statutory civil penalties require us to consider, and finalize, a more workable standard for law enforcement. We also believe that the commenter fails to appreciate the difficulty in determining at times whether a health care entity has records that are subject to part 2. The need for a means for law enforcement to investigate crimes related to activity by part 2 programs or their employees remains a reality, as does the need to keep sensitive records confidential. Overall, we believe that because the standard applied will be adjudicated by a court of competent jurisdiction from which appeals may be taken, the modified criteria are appropriate.

Final Rule

The final rule adopts § 2.67 as proposed with one additional modification to paragraph (c)(4) to clarify that with respect to an application submitted after the placement of an undercover agent or informant has already occurred, the applicant is prohibited from using information from records obtained in violation of part 2 by that undercover agent or informant. We adopt this modification in response to those public comments expressing concern about the potential for misuse of the limitation on liability established in § 2.3(b) to persons who, under the purview of investigative agencies, are granted safe harbor for unknowingly and in good faith obtaining part 2 records. Similar to our consideration of comments in response to § 2.66, we believe the express prohibition on the use of records obtained in violation of part 2 will disincentivize improper uses of information to support applications for court orders.

Section 2.68—Report to the Secretary

Proposed Rule

The Department proposed to create a new § 2.68 to require investigative agencies to file an annual report with the Secretary of the applications for court orders filed after obtaining records in an investigation or prosecution of a part 2 program or holder of records under § 2.66(a)(3)(ii) and after placement of an undercover agent or informant under § 2.67(c)(4). The report as proposed would also include the number of instances in which such applications were denied due to findings by the court of violations of this part during the calendar year, and the number of instances in which the investigative agency returned or destroyed part 2 records following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii), (iv), or (v), respectively during the calendar year. The Department proposed that such reports would be due within 60 days following the end of the calendar year. The comments and the Department's responses regarding § 2.68 are set forth below.

Comment

A state government asserted that requiring investigative agencies to file an annual report of the number of applications for court orders, the number of requests for court orders denied, and the number of instances of records returned following unknowing receipt without a court order could be extremely time consuming and unduly burdensome. Further, according to this commenter, calendar year reporting of this data does not align with Federal and state fiscal year reporting causing additional burden on investigative agencies.

Response

We appreciate the comment. An investigative agency should file a court order in advance of receiving part 2 records or placing an undercover agent or informant in a part 2 program in accordance with §§ 2.66 and 2.67, respectively. A report is only required for investigative agencies that discover in good faith that they received part 2 records that required a court order in advance and a court order was not initially sought. Additionally, we did not receive data in public comments from investigative agencies about how frequently this occurs, and we will monitor this requirement after the final rule to gain an understanding of how widespread these retroactive discoveries are. To limit the burden, the Department has made this an annual report, rather than per incident reporting, with 60 days to compile the data after the end of the calendar year. And the calendar year reporting aligns with the HIPAA breach reporting requirements for breaches of unsecured PHI affecting fewer than 500 individuals. Also, the Federal, state, and local fiscal year reporting dates may differ across jurisdictions, and it is not feasible for the Department to align all reporting dates.

Comment

The Department received a few supportive comments about the benefits to the annual reporting requirement which may include: assuring appropriate conduct by local and state investigative agencies; assuring ongoing compliance; auditing the use of the limitation on liability within this regulation; and promoting the privacy and security of part 2 information.

Response

We appreciate the comments.

Comment

One commenter asked: (1) how the Department will advise Federal, state, and local law enforcement about the requirement to submit annual reports; (2) what the consequences of failing to submit an annual report will be; (3) what the purpose is and what criteria the Department will apply; and (4) how the Department will use the information in the annual reports to safeguard patient privacy rights and improve law enforcement's understanding of the rule.

Response

We appreciate the comment. A report is only required for investigative agencies that discover in good faith that they have received part 2 records for which a court order was required in advance and that a court order was not initially sought. We do not have data on how frequently this occurs and one purpose of the requirement is to gain an understanding of how widespread these retroactive discoveries are. The consequences of failing to meet the reporting requirement are the same as for other violations of the part 2 rule under the newly established penalties which utilize the four culpability tiers that are applied to HIPAA violations; however, part 2 programs, covered entities, and business associates that create or maintain part 2 records are the primary focus of this regulation. In determining compliance with the safe harbor reporting requirement, the Department would focus on an investigative agency rather than an employee of that agency. The Department will provide guidance or instructions on how to submit the reports to the Secretary on its website and through press releases and OCR listserv announcements. The reporting obligation is not intended to be a public reporting requirement, but for the Department's internal use in evaluating the utility and effectiveness of the safe harbor provision in § 2.3. The Department will review the annual reports and consider what guidance or other resources are needed by investigative agencies that are lawful holders of part 2 records.

OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. To sign up for the OCR Privacy & Security Listserv, visit: https://www.hhs.gov/hipaa/for-professionals/list-serve/index.html.

Final Rule

The final rule adopts the proposed language of new § 2.68, without modification.

Re-Ordering “Disclosure and Use” to “Use and Disclosure”

Proposal

The Department proposed throughout the NPRM to re-order the terms “disclosure and use” in the part 2 regulation to “use and disclosure.” The new order of these terms is consistent with their usage in the HIPAA Privacy Rule which generally regulates the “use and disclosure” of PHI and relies on the phrase as a term of art.

See 87 FR 74216, 74225, fn 109.

Consistently, the Department refers to “uses and disclosures” or “use and disclosure” in the HIPAA Privacy Rule. See, e.g., 45 CFR 164.502 Uses and disclosures of protected health information: General rules.

Comment

The Department received no substantive comments other than a few commenters that expressed general support for re-ordering terms to align with the HIPAA Privacy Rule.

Final Rule

The final rule adopts each proposal to re-order these terms, although not discussed in detail here. As stated in the NPRM, we believe these changes fall within the scope of our regulatory authority and further the intent and implementation of the CARES Act by improving the ability of regulated entities to use and disclose records subject to protection by part 2 and HIPAA.

See final regulatory text for § 2.2(a)(2) and (3) and (b)(1); § 2.12(c)(5) and (6); § 2.13(a) and (b); § 2.21(b); § 2.34(b); § 2.35(d); § 2.53(a), (b)(1)(iii), (e)(1)(iii), (e)(6), (f); subpart E heading; § 2.61(a); § 2.62; § 2.65 heading, (a), (d), (e) introductory text, and (e)(1) and (3); § 2.66 heading, (a)(1), and (d).

Inserting “Use” or “Disclose” To Reflect the Scope of Activity

Proposal

The Department also proposed to add the term (or related forms of the term) “use” where only the term “disclose” was present in the part 2 regulation or in some cases the term “disclose” (or related forms) where only the term “use” was present. This proposed change was intended to more accurately describe the scope of the activity that is the subject of the regulatory provision. In the NPRM, the Department described these changes as non-substantive, but we did receive comments opining in some instances that adding the term “use” in particular, changes the scope of part 2. We also explained in the NPRM that we believe these changes are necessary to align with changes made to 42 U.S.C. 290dd–2(b)(1)(A), as amended by section 3221(b) of the CARES Act (providing that part 2 records may be used or disclosed in accordance with prior written consent); to 42 U.S.C. 290dd–2(b)(1)(B) and (b)(1)(C), as amended by section 3221(b) of the CARES Act (providing that the contents of part 2 records may be used or disclosed by covered entities, business associates, or part 2 programs as permitted by the HIPAA regulations for TPO purposes); and to 42 U.S.C. 290dd–2(c), as amended by section 3221(e) of the CARES Act (prohibiting disclosure and use of part 2 records in proceedings against the patient).

See 87 FR 74216, 74225, fn 111.

Overview of General Comments

The Department requested comment on these proposed modifications and received generally supportive or positive comments in response. Several commenters suggested the Department go further than the proposed changes and the proposed definition of “use” by adopting the HIPAA definitions of “use” and “disclosure” to further align part 2 with the HIPAA regulations. A few HIE associations indicated that they did not believe that the addition of “use” or “uses” to existing regulatory text would substantively expand the scope of requirements and prohibitions where previously the text stated only “disclosure.” One commenter stated the addition of “use” or “uses” may actually narrow the scope for which part 2 data can be obtained, as disclosure does not require the implication that the data is being used for TPO and could just be held by an entity. A state agency said that it would not anticipate adverse consequences to part 2 programs or to its own operations from the revisions throughout the rule that add the terms “use” or “uses” to references to “disclose” or “disclosure.”

A health plan said that these changes may limit confusion around obligations with respect to “use” and “disclose.” The plan said that these words are often considered terms of art in contracts and other privacy-related policies and documents. As such, clarifying when requirements apply to either or both terms by re-ordering or adding such terms to provisions may help covered entities and their business associates better understand their regulatory requirements under a final rule.

Another health plan supported these changes, asserting that with this understanding, a part 2 record could be both used and disclosed for purposes related to the provision of care, but also for purposes such as the initiation of a legal proceeding. This change, the commenter said, can be supported by revising the definition within the HIPAA regulations.

An advocacy organization agreed with the Department that these changes are not substantive in nature, given that under part 2 and HIPAA, “use” and “disclosure” can be mutually exclusive, independent actions, and that the proposed definition of “use” is inclusive of the historical definition of “use” related to legal proceedings under part 2. A provider said this change adds clarity and better aligns the proposed rule with HIPAA terminology.

A health IT vendor had no concerns with expanding the focus of the part 2 regulations to make reference to uses in addition to disclosures in the regulatory text in a manner consistent with the HIPAA Privacy Rule construction for how uses and disclosures are defined and used throughout the HIPAA Privacy Rule. The commenter opined that part 2 regulations have not addressed the uses of SUD records for purposes within part 2 programs as they have focused on how disclosure and redisclosure of part 2 records must be handled. However, the proposed changes seem appropriate to this commenter for purpose of parallel structure and regulatory consistency between part 2 and the HIPAA Privacy Rule.

A provider contended that this change is necessary and within the Department's regulatory authority, even if not expressly included in the CARES Act. A health system characterized this proposal as a good basic change that sets the stage for several other proposed changes toward meeting the goal of aligning with HIPAA. This change also may help reduce the existing differences in describing how patients' health information is managed and protected across service locations.

Comment on Specific Sections

  • A few commenters expressed support for proposed changes to replace the phrase “disclosure and use” by re-ordering the phrase to “use or disclosure” at § 2.2(a) introductory text, (a)(4), and (b)(1), to align the language with that used in the HIPAA Privacy Rule.
  • A health plan expressed support for proposed changes to § 2.13 for adding the term “use” to clarify that confidentiality restrictions and safeguards apply to both uses and disclosures.
  • A few commenters expressed support for adding the term “disclosure” to § 2.23.

Response

We appreciate the comments about these changes. We decline to adopt the HIPAA formal definitions for the terms “use” or “disclosure” or change the definitions of the terms in the HIPAA Privacy Rule, as we believe their application is understood as applied to part 2 records and PHI, respectively. The overall sentiment of the comments is that these modifications bring clarity and a shared understanding of how the terms are used across the two regulations. The Department disagrees with the suggestion that adding the term “use” in some cases may narrow the scope of activity under part 2. In no regulatory provision are we changing the term “disclose” to “use,” and we remind stakeholders that many TPO activities contemplate “uses.”

Overview of Final Rule

The final rule adopts all proposed modifications to add the term “use” or some form of it or “disclose” or some form of it to the scope of certain covered activities under part 2. The Department also defines the term “use” in regulation (discussed above in § 2.11). As discussed in the NPRM, historically, the part 2 regulation associated “use” with the initiation of legal proceedings against a patient and associated “disclosure” with sharing records to an external entity. In contrast, the HIPAA Privacy Rule applies the term “use” to refer to internal use of health information within an entity, such as access by staff members. The part 2 and HIPAA definitions for the term “disclose” are fairly consistent and therefore a part 2 record can be both used and disclosed for purposes related to the provision of health care and for purposes such as the initiation of a legal proceeding. Where made, these changes are also consistent with section 3221(b) of the CARES Act that addresses permissions and restrictions for both uses and disclosures of records for TPO purposes by part 2 programs and covered entities, and proscribes the rules related to certain legal proceedings.

See final regulatory text of: § 2.2(a)(2) and (3) and (b)(1); § 2.12(a)(1) and (2), (c)(3) and (4), (d)(2) and (3), (e)(3); § 2.13(a); § 2.14(a) and (b); § 2.15(a)(2) and (b); § 2.17(b); § 2.20; § 2.23 heading and (b); subpart C heading; § 2.31(a) introductory text and (a)(4)(ii)(B); § 2.32(a)(2); § 2.33 heading, (a), and (b); § 2.34 heading; subpart D heading; § 2.52(a); § 2.53(a)(5); § 2.61(a) and (b)(1) and (2); § 2.64 heading, (a), (d)(2), and (e); § 2.65(a), (d) introductory text, (d)(2), (e) introductory text, (e)(1) and (2); § 2.66(d)(2); § 2.67(d)(3) and (e).

87 FR 74232.

42 CFR 2.11, definition of “Disclose.” 45 CFR 160.103, definition of “Disclosure.”

Antidiscrimination Protections, Stigma and Discrimination

Overview

As noted in the NPRM and above, paragraph (g) of section 3221 of the CARES Act, Antidiscrimination, adds a new provision (i)(1) to 42 U.S.C. 290dd–2 to prohibit discrimination against an individual based on their part 2 records. We stated in the NPRM and reiterate that the Department intends to develop a separate rulemaking to implement the CARES Act antidiscrimination prohibitions. Nonetheless, we received several comments on antidiscrimination requirements as well as more general concerns about stigma and discrimination. While these comments are outside the scope of this rulemaking, we briefly summarize and respond to these comments below.

Comments and Response

Comments we received on antidiscrimination issues addressed such topics as:

  • Antidiscrimination rulemaking
  • Harmful consequences to patients
  • Increased reluctance to enter SUD treatment
  • Stigma and discrimination in the context of criminalization and racial disparities
  • Statistics on stigma and discrimination
  • Unwillingness to disclose SUD treatment
  • Timing of SUD treatment regulatory framework
  • Considering stigma in regulatory updates

Most commenters also addressed issues other than antidiscrimination topics and their comments on other provisions of part 2 were fully considered along with other comments received to the NPRM docket.

Some commenters, including medical professionals associations, advocacy organizations, a trade association, a government agency, a provider-other, a health system, SUD providers, a consultant, a researcher, a law enforcement organization, and individuals urged the Department to expedite the rulemaking implementing the CARES Act antidiscrimination protections, or to put this rulemaking on hold until the antidiscrimination protections are in place. Some commenters such as SUD providers, recovery organizations, individuals, and advocacy organizations also expressed concern about significant stigma associated with SUD and SUD treatment. Several commenters, including advocacy organizations, a professional association, a government agency, and a health plan, cited reports, survey results, and statistics they believed reflect the stigma associated with addiction that continues to influence the perceptions and behaviors of health care professionals and continues to influence patients to avoid SUD treatment.

Commenters described the many potential adverse outcomes that they say privacy protections help prevent, including discrimination in child custody, denial of life insurance, loss of employment, discrimination in health care decision making, and criminal charges, among many others. Some commenters also asserted that under the current regulations there are patients that are unwilling to disclose SUD treatment to caregivers or unwilling to enter treatment due to the concern surrounding stigma and discrimination.

Several commenters, including a mental health provider, medical professionals' associations, and a few individuals, suggested that the proposed rule may increase the reluctance of patients to seek help for SUD. Commenters pointed to such potential issues as patients being unsure of how information will be used or having SUD information used against them. Additionally, several commenters, including an advocacy organization and individual commenters, addressed the effects of stigma and discrimination related to SUD and SUD treatment in the context of criminalization and racial disparities.

Response

We acknowledge and appreciate comments asking us to expedite promulgation of the required antidiscrimination provisions and raising concerns about the continued impacts of discrimination and stigma within health care and other settings. As noted, we intend to issue a separate proposed regulation for part 2 antidiscrimination provisions after this rule is finalized. For that reason, as detailed in the NPRM, we also decline to hold publication of this rule until the antidiscrimination provisions also are proposed and finalized. As explained, comments on the NPRM concerning antidiscrimination requirements are beyond the scope of this rulemaking. However, we will take all comments received into account as we issue the forthcoming antidiscrimination provisions of part 2. We further encourage these commenters and others to provide input on the forthcoming proposed rule containing the antidiscrimination provisions.

V. Regulatory Impact Analysis

A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review

The Department has examined the impact of the final rule as required by Executive Order (E.O.) 12866 on Regulatory Planning and Review as amended by E.O. 14094, 58 FR 51735 (October 4, 1993); E.O. 13563 on Improving Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); E.O. 13132 on Federalism, 64 FR 43255 (August 10, 1999); E.O. 13175 on Consultation and Coordination with Indian Tribal Governments, 65 FR 67249 (November 9, 2000); the Congressional Review Act, Public Law 104–121, sec. 251, 110 Stat. 847 (March 29, 1996); the Unfunded Mandates Reform Act of 1995, Public Law 104–4, 109 Stat. 48 (March 22, 1995); the Regulatory Flexibility Act, Public Law 96–354, 94 Stat. 1164 (September 19, 1980); E.O. 13272 on Proper Consideration of Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the Assessment of Federal Regulations and Policies on Families, Public Law 105–277, sec. 654, 112 Stat. 2681 (October 21, 1998); and the Paperwork Reduction Act (PRA) of 1995, Public Law 104–13, 109 Stat. 163 (May 22, 1995).

E.O.s 12866 and 13563 direct us to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). Section 3(f) of E.O. 12866 (as amended by E.O. 14094) defines a “significant regulatory action” as any regulatory action that is likely to result in a rule that may: (1) have an annual effect on the economy of $200 million or more (adjusted every 3 years by the Administrator of the Office of Information and Regulatory Affairs (OIRA) for changes in gross domestic product); or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, territorial, or Tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise legal or policy issues for which centralized review would meaningfully further the President's priorities or the principles set forth in this E.O., as specifically authorized in a timely manner by the Administrator of OIRA in each case.

This final rule is partially regulatory and partially deregulatory. The Department estimates that the effects of the final rule for part 2 programs would result in new costs of $26,141,649 within 12 months of implementing the final rule. The Department estimates these first-year costs would be partially offset by $13,421,556 of first-year cost savings, attributable to reductions in the need for part 2 programs to obtain written patient consent for disclosures for treatment, payment, or health care operations (TPO) ($10.3 million); reductions in the need for covered entities, business associates, and part 2 programs to obtain written patient consent for redisclosures ($2.6 million); and reductions in capital expenses for printing consent forms ($0.5 million). This results in an estimated net cost of $12,720,093 in the first year of the rule. This is followed by net savings of approximately $5.2 to $5.4 million annually in years two through five, resulting from a continuation of the first-year cost savings of $13.4 million per year, minus varying Federal costs of approximately $2.3 to $2.6 million in years 1 to 5 and the estimated annual costs of $5.7 million primarily attributable to compliance with attaching consent forms to every disclosure and with breach notification requirements. This results in overall net cost savings of $8,445,536 over 5 years for changes to 42 CFR part 2.

The Department estimates that the private sector would bear approximately 60 percent of the costs, with state and Federal health plans bearing the remaining 40 percent of the costs. All of the cost savings experienced from the first year through subsequent years would benefit part 2 programs and covered entities. This final rule is a significant regulatory action, under sec. 3(f) of E.O. 12866 (as amended by E.O. 14094). Accordingly, the Office of Management and Budget (OMB) has reviewed this final rule.

The Department presents a detailed analysis below.

Summary of the Final Rule

This final rule modifies 42 CFR part 2 (“part 2”) to implement changes required by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to further align part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules, and for clarity and consistency. Major changes are summarized in the preamble.

The Department estimates that the first-year costs for part 2 programs will total approximately $26.1 million in 2022 dollars. These first-year costs are attributable to part 2 programs training workforce members on the revised requirements ($13.3 million); capital expenses ($0.9 million); compliance with breach notification requirements ($1.6 million); updating Patient Notices ($2.6 million); attaching consent forms for disclosures ($2.9 million); updating consent forms ($1.7 million); updating the notice to accompany disclosures ($0.7 million); and costs to the Department for part 2 enforcement and compliance ($2.3 million). It also includes nominal costs for responding to requests for privacy protection, providing accounting of disclosures, $32,238 for receiving complaints, and $61,726 for investigative agencies to file reports to the Secretary. For years 2 through 5, the estimated annual costs of $5.7 million are primarily attributable to compliance with attaching consent forms and breach notification requirements and related capital expenses, on top of variable Federal costs amounting to roughly $2.3 to $2.5 million from years 1 to 5.

The Department estimates annual cost savings of $13.4 million per year, over 5 years, attributable to reductions in the need for part 2 programs to obtain written patient consent for disclosures for TPO ($10.3 million), reductions in the need for covered entities and business associates to obtain written patient consent for redisclosures ($2.6 million), and reductions in capital expenses for printing consent forms ($0.5 million).

Totals in this Regulatory Impact Analysis may not add up due to showing rounded numbers in the tables.

The Department estimates net costs for part 2 programs totaling approximately $12.7 million in the first year, followed by net savings of approximately $5.2 to $5.4 million in years 2 to 5, resulting in overall net cost savings of approximately $8.4 million over 5 years. The yearly costs, cost savings, and net amounts for part 2 are displayed in Table 1 below.

Need for the Final Rule

On March 27, 2020, Congress enacted the CARES Act as Public Law 116–136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd–2, the statute that establishes requirements regarding the confidentiality and disclosure of certain records relating to SUD, and section 3221(i) of the CARES Act requires the Secretary to promulgate regulations implementing those amendments. With this final rule, the Department changes part 2 to implement section 3221 of the CARES Act, increase clarity, and decrease compliance burdens for regulated entities. The Department believes the changes will reduce the need for data segmentation within entities subject to the regulatory requirements promulgated under part 2.

Section 3221(i) of the CARES Act requires implementation on or after the date that is 12 months after the enactment of the CARES Act, i.e., March 27, 2021.

Significant differences in the permitted uses and disclosures of part 2 records and protected health information (PHI) as defined under the HIPAA Privacy Rule contribute to ongoing operational compliance challenges. For example, under the previous rule, entities subject to part 2 must obtain prior written consent for most uses and disclosures of part 2 records, including for TPO, while the HIPAA Privacy Rule permits many uses and disclosures of PHI without authorization. Therefore, to comply with both sets of regulations, HIPAA covered entities subject to part 2 must track and segregate part 2 records from other health records (e.g., records that are protected under the HIPAA regulations but not part 2).

For example, a clinic that provides general medical services, and has a unit specializing in SUD treatment that is a part 2 program, would need to segregate its SUD records from other medical records, even for the same patient, to ensure that the SUD records are used and disclosed only as permitted by part 2.

In addition, once PHI is disclosed to an entity not covered by HIPAA, it is no longer protected by the HIPAA regulations. In contrast, part 2 strictly limits redisclosures of part 2 records by individuals or entities that receive a record directly from a part 2 program or other “lawful holder” of patient identifying information, absent written patient consent. Therefore, any part 2 records received from a part 2 program or other lawful holder must be segregated or segmented from non-part 2 records. The need to segment part 2 records from other health records created data “silos” that hamper the integration of SUD treatment records into entities' electronic record systems and billing processes, which in turn may impact the ability to integrate treatment for behavioral health conditions and other health conditions. Many stakeholders, including public commenters on the NPRM, have urged the Department to take action to eliminate the need for such data segmentation, and the Department believes this final rule will reduce the need for data segmentation or tracking. Where segmentation may be necessary, we encourage the use of data standards adopted by ONC on behalf of HHS in 45 CFR part 170, subpart B, and referenced in the ONC Health IT Certification Program certification criteria for security labels and segmentation of sensitive health data.

See 42 CFR 2.12(d)(2)(i)(C).

See definition of “Patient identifying information” in 42 CFR 2.11. See also definition of “Disclose” in 42 CFR 2.11.

See 42 CFR 2.12(d)(2)(ii).

Dennis McCarty, Traci Rieckmann, Robin L. Baker, et al., “The Perceived Impact of 42 CFR part 2 on Coordination and Integration of Care: A Qualitative Analysis,” Psychiatric Services (Nov. 2016), https://doi.org/10.1176/appi.ps.201600138.

For example, the Ohio Behavioral Health Providers Network (Network) in an August 21, 2020, letter to SAMHSA, and the Partnership to Amend Part 2 in a similar January 8, 2021, letter to the U.S. Department of Health and Human Services (HHS), both urge that there should be no requirement for data segmentation or segregation after written consent is obtained and part 2 records are transmitted to a health information exchange or care management entity that is a business associate of a covered entity covered by the new CARES Act consent language. In the letter, the Network states that such requirements are difficult to implement in health centers and other integrated settings in which SUD treatment may be provided. See also public comments expressed and summarized in 85 FR 42986 (July 15, 2020); and see Letter from The Partnership to Amend 42 CFR part 2 to HHS Secretary Becerra (Jan. 8, 2021), https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.

Response to Public Comment

The Department requested public comment on all aspects of the proposed amendments to the regulations at 42 CFR part 2, Confidentiality of Substance Use Disorder Patient Records. Seventy-two commenters, both individuals and organizations, offered views on various aspects related to the Regulatory Impact Analysis (RIA).

Comments from organizations who expressed support for specific issues in the NPRM pointed to a decrease in the administrative burden and cost on providers, an increase in access to care, a decrease in costs for patients, and a general improvement in communication within the industry. One organization suggested that the changes in the rule will allow for streamlining care by decreasing the number of times the provider must ask for consent from the patient. Another organization asserted that the proposed rule changes could help minimize the stigma surrounding SUD treatment and help decrease the technical burdens that the previous rules have caused.

Organizations and government entities who expressed opposition to specific issues in the NPRM asserted that the changes would increase costs and legal liability for both patients and providers, decrease the quality of care, create additional administrative and technical burdens, and be overly time consuming to follow. A government organization asserted that most current electronic health care record systems do not have the ability to give accountings of TPO disclosures, which would force the entities using these systems to manually process the information. This is a burdensome and time-consuming task, according to the organization, as the entities may have to account for disclosures for the previous six years. An organization argued that due to differences in Patient Notice requirements for part 2 and HIPAA, there may be different language for each privacy notice. Multiple organizations asserted that changing the language of the privacy notices is expensive, especially for larger organizations. One organization suggested that the expanded requirement to provide TPO accounting will lead to changes in the health care system and increased costs for patients. Another organization argued that the separation of part 2 data will lead to delays in care and threats to patient health as providers may not be able to see a patient's full medical history, which is necessary to give adequate care. One commenter argued that the proposed change could weaken patient privacy and lead to the information being misused in criminal investigations and court proceedings. This change also may put an additional burden on providers to counsel patients on the ethical and constitutional considerations that will go into signing the form.

Organizations and government entities who expressed mixed views on the issues discussed in the NPRM agreed with the need for the rule change and the general change itself but provided additional comments on concerns related to specific topics such as TPO disclosures and notices of privacy protections. One organization argued that HHS should take into consideration the time and costs associated with updating changes to the accounting of disclosures requirement and the timeframe to implement these changes. Another organization requested that accounting for TPO disclosures be delayed until regulations pursuant to the HITECH Act are enacted. This commenter asserted that applying the accounting requirement only to TPO disclosures made through an electronic health care record creates a disincentive to adopt electronic health care records, especially for small and rural providers and those serving patients of color and other historically underserved communities. Multiple organizations argued that if discrepancies exist between part 2 and HIPAA, there may be administrative burdens surrounding data segregation. Because of this, part 2 and HIPAA need to be aligned as much as possible to minimize impediments to critical care. One organization believed that it is unnecessary for part 2 to include providing a copy of a patient's consent and imposing retention periods on maintaining those consents since other laws, such as HIPAA, CMS regulations, and state licensing requirements, already cover these requirements.

After reviewing the comment submissions, the Department is making the following changes to this RIA, some of which result in changes to the RIA analysis presented in the proposed rule. Changes to the RIA also include updating wage rates and other cost factors to 2022 dollars to reflect more recent data, adding small quantitative burdens, and qualitatively discussing changes from the proposed to the final rule when unquantifiable.

Specific changes to the proposed rule RIA are discussed in each of the RIA sections where applicable.

  • Adding a new quantitative recurring cost for receiving a complaint;
  • Adding reference to the changes to the investigative agency definition;
  • Adding a qualitative discussion of reasonable diligence steps for the limitation on liability for investigative agencies and their potential impacts on costs;
  • Increasing the time required and the number of responses in the quantitative costs for the right to request restrictions;
  • Adding a qualitative discussion of requirements for intermediaries;
  • Adding a qualitative discussion of the benefit associated with the removal of data segmentation requirements;
  • Adding qualitative discussion of SUD counseling notes which the Department does not expect to impose a quantifiable burden;
  • Adding a new quantitative recurring cost for the requirement to attach consent with each disclosure or provide clear description of scope of consent;
  • Including a clarification that qualified service organizations (QSOs) are also subject to breach notification requirements in the quantification of these costs;
  • Qualitatively discussing the impacts of part 2 programs being required to notify recipients of a revocation of consent.

Cost-Benefit Analysis

a. Overview and Methodology

This RIA relies on the same data source used by SAMHSA for the estimated number of part 2 programs in SAMHSA's 2020 Information Collection Request (ICR) (“part 2 ICR”) and uses an updated statistic from that source. The final rule also adopts the estimated number of covered entities used in the Department's 2021 ICR for the HIPAA Privacy Rule NPRM (“2021 HIPAA ICR”), as well as its cost assumptions for many requirements of the HIPAA regulations, including breach notification activities.

85 FR 42986.

While the number of covered entities used in this final rule was adopted from the 2021 ICR for the HIPAA Privacy Rule, these numbers are also reflected in the more recent 2023 ICR for the HIPAA Privacy Rule NPRM and are the most up to date numbers the Department has. These ICRs may be found under OMB control # 0945–0003.

Although changes to the HIPAA regulations were a component of the proposed rule and are not part of the final rule, the number of HIPAA covered entities (774,331) is still used in some calculations of part 2 costs, such as for breach notifications. When applying HIPAA cost assumptions to part 2 programs, the Department multiplies the figures by 2 percent (.02), the ratio of the number of part 2 programs (16,066) to the total number of covered entities (774,331). In some instances, the estimates historically used by the Department for similar regulatory requirements were developed using different methodologies, resulting in significantly different fiscal projections for some required activities. This RIA adopts the approach used for HIPAA's projected costs and cost savings.

In addition to the quantitative analyses of the effects of the regulatory modifications, the Department analyzes some benefits and burdens qualitatively; relatedly, there is uncertainty inherent in predicting the actions that a diverse scope of regulated entities might take in response to this final rule.

For reasons explained more fully below, the changes to the consent requirements for part 2 programs and redisclosure permissions for covered entities and business associates would result in economic cost savings of approximately $67,107,778 over 5 years based on the final rule changes. Table 2 presents the undiscounted and discounted costs and cost savings figures over 5 years. All estimates are presented in millions of year-2022 dollars, using 2024 as the base year for discounting.

b. Baseline Assumptions

In developing its estimates of the potential costs and cost savings of the final rule the Department relied substantially on recent prior estimates for modifications to this regulation and the HIPAA Privacy Rule and associated ICRs. Specifically, the part 2 ICR data previously approved under OMB control #0930–0092 informs the Department's estimates with respect to final rule modifications to part 2 provisions. However, for final rule part 2 provisions that are based on provisions of the HIPAA regulations, the Department relies on the HIPAA regulatory ICRs previously approved under OMB control # 0945–0003 and updated consistent with the 2021 HIPAA Privacy Rule NPRM.

See 83 FR 239 (Jan. 3, 2018) and 85 FR 42986.

86 FR 6446 (Jan. 21, 2021).

85 FR 42986.

84 FR 51604 (Sept. 30, 2019). See also 86 FR 6446.

Because the Department lacks data to determine the percentage of part 2 programs that are also subject to the HIPAA regulations, the Department assumes for purposes of this analysis that the final rule changes to part 2 would affect all part 2 programs equally—including those programs that are also HIPAA covered entities, and thus already are subject to requirements under the HIPAA regulations ( e.g., breach notification) that the Department incorporates into part 2. Thus, this RIA likely overestimates the overall compliance burden on part 2 programs posed by the final rule. In contrast, this RIA likely underestimates the cost savings of the final rule. The estimated cost savings are primarily attributed to the reduction in the number of written patient consents that would be needed to use or disclose records for TPO and to redisclose them for other purposes permitted by the HIPAA Privacy Rule. Because the Department lacks data to estimate the annual numbers of written patient consents and disclosures to covered entities, this RIA adopts an assumption that only three consents per patient are currently obtained per year (one each for treatment, payment, and health care operations) and only one half of such consents result in a disclosure of records to a HIPAA covered entity or business associate, for which consent would be no longer required to use or redisclose the record under the final rule.

c. Part 2 Programs, Covered Entities, and Patient Population

The Department relies on the same source as the approved part 2 ICR as the basis for its estimates of the total number of part 2 programs and total annual part 2 patient admissions. Part 2 programs are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The part 2 ICR's estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N–SSATS), and its average number of annual total responses is based on the average number of SUD treatment admissions in SAMHSA's 2019 Treatment Episode Data Set (TEDS), used as the number of patients treated annually by part 2 programs; both are approved under OMB Control No. 0930–0335. In the 2020 N–SSATS data, the number of part 2 respondents was 16,066. The TEDS data for SUD treatment admissions have been updated, so the Department relies on the 2019 statistic, as shown in Table 3 below.

85 FR 42986.

84 FR 787 (Jan. 31, 2019).

See Substance Abuse and Mental Health Servs. Admin., “National Survey of Substance Abuse Treatment Services (N–SSATS): 2020. Data on Substance Abuse Treatment Facilities” (2021), https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf .

For purposes of calculating estimated costs and benefits the Department relies on mean hourly wage rates for occupations involved in providing treatment and operating health care facilities, as noted in Table 4 below. This final rule updates the proposed rule RIA wages to the most recent year of available data.

d. Qualitative Analysis of Non-Quantified Benefits and Burdens

The Department's analysis focuses on primary areas of changes imposed by the final rule that are likely to have an impact on regulated entities or patients. These are changes to establish or modify requirements with respect to: enforcement and penalties, notification of breaches, consent for uses and disclosures, Patient Notice, notice accompanying disclosure, copy of consent accompanying disclosure, requests for privacy protection, accounting of disclosures, audit and evaluation, disclosures for public health, and use and disclosure of records by investigative agencies. In addition to these changes, the Department believes the modifications to part 2 for clarification, readability, or consistency with HIPAA terminology, would have the unquantified benefits of providing clarity and regulatory certainty. The provisions that fall into this category and for which anticipated benefits are not discussed in-depth, are:

Sections 2.1, 2.2, 2.4, 2.11 Through 2.15, 2.17, 2.19 Through 2.21, 2.23, 2.24, 2.34, 2.35, 2.52, and 2.61 Through 2.65

The Department provides its analysis of non-quantified benefits and burdens for the primary areas of final rule regulatory change below, followed by estimates and analysis of quantified benefits and costs in section (e).

Section 2.3—Civil and Criminal Penalties for Violations

The Department creates limitations on civil and criminal liability for investigative agencies in the event they unknowingly receive part 2 records in the course of investigating or prosecuting a part 2 program or other person holding part 2 records before obtaining the required court order under subpart E. This safe harbor promotes public safety by permitting agencies to investigate part 2 programs and persons holding part 2 records in good faith with a reduced risk of HIPAA/HITECH Act penalties. The liability limitations are available only to agencies that can demonstrate reasonable diligence in attempting to determine whether a provider was subject to part 2 before making a legal demand for records or placing an undercover agent or informant. The changes benefit SUD providers, part 2 programs, investigative agencies, and the courts by encouraging agencies to seek information about a provider's part 2 status in advance, and they could reduce the number of instances in which applications for good cause court orders are denied. Incentivizing investigative agencies to check whether part 2 applies before investigating a provider benefits the court system, programs, public safety, patients, and agencies by enhancing efficiency within the legal system, promoting the rule of law, and ensuring that part 2 protections for records are applied when applicable.

The limitations on liability for investigative agencies may result in more disclosures of patient records to such agencies by facilitating investigations and prosecutions of part 2 programs and lawful holders. The Department believes that limiting the application of § 2.3(b) to investigations and prosecutions of programs and holders of records, requiring non-identifying information in the application for the requisite court orders, and keeping patient identifying information under seal will provide strong and continuing protections for patient privacy while promoting public safety.

See § 2.66 (requiring use of “John Doe”).

See §§ 2.66 and 2.67.

Section 2.12—Applicability

The final rule removes data segmentation requirements and instead expressly states that segregation of records is not required upon receipt. This results in the final rule neither requiring nor prohibiting data segmentation, leading to a benefit to covered entities, according to public comments on this issue. The Department acknowledges that there is likely a burden reduction from the express statement that segmentation of data or records is not required; however, the Department lacks data on the number of records benefitting from the removal of the data segmentation requirement to quantify this impact.

Section 2.16—Security for Records and Notification of Breaches

The Department adds notification of breaches to § 2.16 so that the requirements of 45 CFR 164.400 through 164.414 apply to breaches of part 2 records in the same manner as they apply to breaches of PHI. Notification of breaches is a cornerstone of good information practices because it permits affected individuals or patients to take steps to remediate harm, such as placing fraud alerts on their credit files, checking their credit reports, notifying financial institutions, and informing personal contacts of potential scams involving the patient's identity. It is difficult to quantify the value of receiving notification in comparison to the costs incurred in restoring one's credit, correcting financial records, or the cost of lost opportunities due to loss of income or reduced credit ratings.

See 74 FR 42739, 42765–66 (Aug. 24, 2009).

The benefit to the patient of learning about a breach of personally identifying information includes the opportunity for the patient to take timely action to regain control over their information and identity. The Department does not have data to predict how many patients will sign up for credit monitoring or other identity protections after receiving a notification of breach of their part 2 records; however, the Department believes that the costs to patients of taking these actions will be far outweighed by the savings of avoiding identity theft. Requiring part 2 programs to provide breach notification ensures that patients of such programs are provided the same awareness of breaches as patients that receive other types of health care services from HIPAA covered entities.

See Alexandria White, “How much does credit monitoring cost?” CNBC (Nov. 16, 2021), https://www.cnbc.com/select/how-much-does-credit-monitoring-cost/.

See Kenneth Terrell, “Identity Fraud Hit 42 Million People in 2021,” AARP (Apr. 7, 2022) (“[T]he average per-victim loss from traditional identity fraud [is] $1,551.”), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.

Section 2.22 Patient Notice

Patients, part 2 programs, and covered entities are all likely to benefit from final rule changes to more closely align the Patient Notice and HIPAA NPP regulatory requirements, which simplify their compliance with the two regulations. The Department establishes for patients the right to discuss the Patient Notice with a person designated by the program as the contact person and to include information about this right in the header of the Patient Notice as proposed in the HIPAA Coordinated Care and Individual Engagement NPRM. These changes help improve a patient's understanding of the program's privacy practices and the patient's rights with respect to their records. Even for patients who do not request a discussion under this final rule, knowledge of the right may promote trust and confidence in how their records are handled.

See 86 FR 6446, 6485.

Section 2.24 Requirements for Intermediaries

The final rule adopts a definition of “intermediary” that excludes part 2 programs, covered entities, and business associates. Business associates that are HIEs will particularly benefit from being excluded from the definition of “intermediary,” because HIEs were the most representative example of an intermediary and therefore have the most to gain from the burden reduction. They will not be subject to the requirement in § 2.24 to provide a list of disclosures upon request of a patient; they will not be subject to the special consent requirements for intermediaries that many HIEs have found to be a barrier to accepting part 2 records in their systems; and they will generally be included when a patient signs a TPO consent. This will also benefit covered entities that are part 2 programs, because they will be able to use an HIE business associate to exchange part 2 data as well as PHI, furthering the integration of behavioral health information with other health information. The Department believes this will also benefit patients by enhancing their ability to receive comprehensive care.

Section 2.25 Accounting of Disclosures

Adding a requirement to account for disclosures for TPO through an electronic health record (EHR) benefits patients by increasing transparency about how their records are used and disclosed for those purposes. This requirement could counterbalance concerns about loss of control that patients may experience as a result of the changes to the consent process that would permit all future TPO uses and disclosures based on a single general consent. The data logs that part 2 programs need to maintain to create an accurate and complete accounting of TPO disclosures could also be beneficial for such programs in the event of an impermissible access by enabling programs to identify the responsible workforce member or other wrongful actor.

Section 2.26 Right To Request Privacy Protection for Records

Adding a new right for patients to request restrictions on uses and disclosures of their records for TPO is likely to benefit patients by giving them a new opportunity to assert their privacy interests to part 2 program staff, to address patients' concerns about who may see their records, and to understand what may be done with the information their records contain.

With respect to the right for patients to restrict disclosures to their health plan when patients have self-paid in full for services, patients will benefit by being shielded from potential harmful effects of some health plans' restrictive coverage policies or other potential negative effects, such as employers learning of patients' SUD diagnoses. This right may also improve rates of access to SUD treatment because of patients' increased trust that they have the opportunity to ensure that their records will remain within the part 2 program. A limitation on the benefits of this right is that it is only available to patients with the means to pay privately for SUD treatment.

Nat'l Academies of Sciences, Engineering, and Medicine, The Nat'l Acads. Press, “Ending Discrimination Against People with Mental and Substance Use Disorders: The Evidence for Stigma Change” (2016), http://www.nap.edu/23442; U.S. Dep't of Health and Human Servs., Office of the Surgeon General, “Facing Addiction in America: The Surgeon General's Report on Alcohol, Drugs, and Health” (Nov. 2016), https://store.samhsa.gov/sites/default/files/d7/priv/surgeon-generals-report.pdf.

Part 2 programs may benefit from increased frequency of patients paying in full out of pocket, which could decrease the time spent by staff in billing and claims activities. Part 2 programs also may benefit from increased patient trust in the programs' protection of records.

Section 2.31 Consent Requirements and § 2.33 Uses and Disclosures Permitted With Written Consent

The changes to consent for part 2 records are two-fold: changes to the required elements on the written consent form and a reduction in the instances where a separate written consent is needed (the process of obtaining consent). Changes to the consent form for alignment with the HIPAA authorization form would likely benefit part 2 programs because they would employ more uniform language and concepts related to information use and disclosure. Such changes may particularly benefit part 2 programs that are also subject to the HIPAA regulations, so staff do not have to compare and interpret different terms on forms that request the use or disclosure of similar types of information.

Permitting patients to sign a single general consent for all uses and disclosures of their record for TPO, may carry both burdens and benefits to patients. Patients may benefit from a reduction in the amount of paperwork they must sign to give permission for routine purposes related to the treatment and payment and associated reductions in time spent waiting for referrals, transfer of records among providers, and payment of health insurance claims. At the same time, patients may experience a sense of loss of control over their records and the information they contain when they lose the opportunity to make specific decisions about which uses and disclosures they would permit. In some instances, the reduced ability to make specific use and disclosure decisions could result in a greater likelihood of harm to reputation, relationships, and livelihood.

Part 2 programs would likely benefit from the efficiencies resulting from permitting a general consent for all TPO uses and disclosures by freeing staff from burdensome paperwork. In contrast, clinicians in part 2 programs may find it harder to gain the therapeutic trust needed for patients to divulge sensitive information during treatment if patients become less confident about where their information may be shared and their ability to control those uses and disclosures. Some potential patients may avoid initiating treatment altogether, which would harm both patients and programs.

Covered entities and business associates would benefit markedly from the ability to follow only one set of Federal regulations when making decisions about using and disclosing part 2 records by streamlining processes and simplifying decision making procedures. Additionally, covered entities and business associates would no longer need to segregate SUD treatment data and could improve care coordination and integration of behavioral health with general medical treatment, resulting in comprehensive holistic treatment of the entire patient.

In contrast, this final rule could also create a burden because covered entities and business associates subject to part 2 may need to sort and filter part 2 records for certain uses and disclosures, such as audit and evaluation activities that are health care operations, according to whether or not a patient consent for TPO has been obtained.

Section 2.32 Notice and Copy of Consent To Accompany Disclosure

The revisions to the notice accompanying each disclosure of part 2 records made with written consent benefit patients by ensuring that recipients of part 2 records are notified of the expanded prohibition on use of such records against patients in legal proceedings even though uses and redisclosures for other purposes would be more readily permissible. Due to the final rule changes in redisclosure permissions for recipients of part 2 records that are covered entities and business associates, the importance of the Notice to Accompany Disclosure would increase.

Part 2 programs will benefit from having notice language that accurately reflects statutory changes in the privacy protections for records. Retaining the notice to accompany disclosure requirement would also ensure that certain protections for part 2 records continue to “follow the record,” compared to the HIPAA Privacy Rule whereby protections are limited to PHI held by a covered entity or business associate.

Section 2.53 Management Audits, Financial Audits, and Program Evaluation

Part 2 programs that are also covered entities would benefit from the final rule changes that would clarify that the limits on use and disclosure for audit and evaluation purposes do not apply to covered entities and business associates to the extent these activities fall within the HIPAA Privacy Rule disclosure permissions for health care operations. This benefit provides regulatory flexibility for covered entities when part 2 records are subject to audit or evaluation.

In some instances, a third-party auditor or evaluator may also be a part 2 program or a covered entity or business associate. As recipients of part 2 records, such third parties would be permitted to redisclose the records as permitted by the HIPAA Privacy Rule, provided the patient has given consent for TPO. This flexibility would not extend to government oversight audits and evaluations.

Section 2.54 Disclosures for Public Health

The Department creates a new permission to disclose de-identified records without patient consent for public health activities, consistent with statutory changes. This benefits public health by permitting records to be disclosed that would address the opioid overdose crisis and other public health issues related to SUDs, and it protects patient confidentiality because the permission is limited to disclosure of de-identified records.

Section 2.66 Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or the Person Holding the Records

The Department specifies the actions investigative agencies should take when they discover in good faith that they have received part 2 records without obtaining the required court order, such as securing the records, ceasing to use or disclose the records, applying for a court order, and returning or destroying the records, as applicable to the situation. This final rule provides the benefit of enabling agencies to move forward with investigations when they have unknowingly sought records from a part 2 program. The final rule limits the liability of investigative agencies that unknowingly obtain records without the necessary court order and increases agencies' effectiveness in prosecuting programs. The minimal burden of exercising reasonable diligence before an unknowing receipt of part 2 records is outweighed by the reduction in the risk of a penalty for noncompliance. This analysis applies as well to § 2.67 below.

Section 2.67 Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

The Department's final rule adds a requirement for investigative agencies that seek a good cause court order after placement of an undercover agent or informant in a part 2 program to first meet the reasonable diligence criteria in § 2.3(b). This requirement ensures that agencies take basic steps to determine whether a SUD treatment provider is subject to part 2 before seeking to place an undercover agent or informant with the provider. As discussed above in reference to § 2.66, this final rule also has the benefit of helping courts streamline the application process for court orders for the use and disclosure of records.

Section 2.68 Report to the Secretary

The Department creates a requirement for annual reports by investigative agencies concerning applications for court orders made after receipt of part 2 records. This new requirement benefits programs, patients, and investigative agencies by making data available about the frequency of investigative requests made “after the fact.” It benefits agencies and programs by highlighting the potential need for increased awareness of part 2's applicability. A program that makes its part 2 status publicly known benefits from the procedural protections afforded by the court order requirements of §§ 2.66 and 2.67 in the event it becomes the target of an investigation. The reporting requirement could also deter agencies from relying excessively on their ability to obtain belated court orders instead of doing a reasonable amount of research to determine whether part 2 applies before making an investigative demand. Any resulting reduction in unauthorized uses and disclosures of records could be viewed as a benefit by patients and privacy advocates. In contrast, investigative agencies could view the reporting requirement as an administrative burden requiring resources that otherwise could be used to pursue investigations.

e. Estimated Quantified Cost Savings and Costs From the Final Rule

The Department has estimated quantified costs and cost savings likely to result from the final rule modifying three core expense categories (capital expenses, attaching consent forms, and workforce training) and seven substantive regulatory requirements. The remaining regulatory changes are unlikely to result in quantifiable costs or cost savings, as explained following the discussion of projected costs and savings.

i. Capital Expenses

Capital expenses related to compliance with the final rule fall into two categories: notification of breaches and printing forms and notices. The Department's estimates for capital costs related to providing breach notification are based on estimates from the HIPAA ICR multiplied by a factor of 0.02, representing the proportion of part 2 programs to covered entities (16,066 ÷ 774,331 ≈ .02). For example, for an estimated 58,482 annual breaches of PHI the Department calculates that there are 1,170 breaches of part 2 records (58,482 × .02 = 1,170), with associated costs. Those costs are estimated on an ongoing annual basis because part 2 programs could experience a breach at any time that would require notification. Capital costs for breach notifications are presented in Table 5 below.

The Department's estimate of the costs for printing revised consent forms is based on SAMHSA's part 2 ICR estimates for total annual patient admissions to part 2 programs at a rate of $0.11 per copy. Programs are already required to print forms and notices on an ongoing basis and no change to the number of such forms and notices is projected, so the Department has not added any new capital costs for printing the revised Patient Notice and Notice to Accompany Disclosures. However, the Department estimates that as a result of changes to the requirement to obtain consent for disclosures related to TPO, part 2 programs and covered entities and business associates would experience cost savings from a significant reduction in the number of needed consent forms. The Department assumes that, on average, each patient's treatment results in a minimum of three written consents obtained by part 2 programs, one each for treatment, payment, and health care operations purposes. The final rule is estimated to result in a decrease in the total number of consents by two-thirds because only one patient consent would be required to cover all TPO uses and disclosures. At an estimated cost of $0.11 per consent, for a total of 1,864,367 annual patient admissions, this would result in an annual cost savings to part 2 programs of 3,728,734 fewer written consents, or $396,222.

Substance Use Disorder Patient Records Supporting Statement A_06102020—OMB 0930–0092, https://omb.report/omb/0930-0092.

Additionally, covered entities and business associates that receive part 2 records will also experience a reduced need to obtain written patient consent or a HIPAA authorization, because redisclosure under the HIPAA Privacy Rule does not require patient consent or authorization for TPO and many other purposes. The Department lacks data to make a precise estimate of projected cost savings, but each patient record disclosed to a covered entity or business associate would potentially generate savings by eliminating the need for the recipient to obtain additional consent for redisclosure. The Department has adopted a conservative (low) savings estimate that one-half of annual part 2 admissions would result in receipt of part 2 records by a covered entity or business associate that would no longer be required to obtain specific written patient consent to redisclose the record, representing an annual capital expense savings from printing 932,184 fewer consent forms. At a per-consent cost of $0.11, this would result in annual savings of $99,056. The capital expense savings for printing consent forms are presented in Table 6 below. The savings in staff time to obtain patient consent are estimated and discussed separately in the section on consent below.

The Department relies on its estimated capital expenses for printing HIPAA breach notification letters adjusted to 2022 dollars. See 2021 HIPAA ICR, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.

ii. Training Costs

Although part 2 does not expressly require training and the final rule does not require retraining, the Department anticipates that all part 2 programs will choose to train their workforce members on the modified part 2 requirements to ensure compliance. The Department estimates costs that all part 2 programs would incur to train staff on the changes to the confidentiality requirements. As indicated in the chart below, only certain staff would need to be trained on specific topics and each program would rely on a training specialist whose preparation time would also be accounted for. Compared to the proposed HIPAA Privacy Rule right to discuss privacy practices, the costs for training part 2 counselors include a higher number of staff per program because part 2 programs have no required Privacy Officer who is already assigned similar duties and are more likely to incur costs for developing a new training regimen. The Department of Labor, BLS last reported statistics for substance use and behavioral disorder counselors separate from mental health counselors in 2016, and substance use and behavioral disorder counselors represented 65 percent of the combined total. The Department thus calculates its estimate for the number of substance use and behavioral disorder counselors as 65 percent of the workers in the BLS occupational category for “substance abuse, behavioral disorder, and mental health counselors” and uses that as a proxy for the number of part 2 program counselors that would require training on the new Patient Notice. The Department estimates that a total of $13.3 million in one-time new training costs would be incurred in the first year of the final rule's implementation, as presented in Table 7 below.

This final rule RIA updates the number of counselors based on more recent data from the May 2022 National Occupational Employment and Wage Estimates. For 2022, the number of part 2 counselors is estimated to be 224,231 (344,970 workers in the combined BLS category of substance abuse, behavioral disorder, and mental health counselors (SOC code 21–1018) × .65).

iii. Receiving a Complaint

The Department estimates that the new burden in this final rule for covered entities to receive complaints filed by patients against a program, covered entity, business associate, qualified service organization, or other lawful holder in violation of this part would amount to a total annual labor cost of $38,328. This estimate is derived under the assumption that one in every thousand patients would file a complaint, leading to 1,864 complaints annually. The complaint is also assumed to be received by a manager and to take 10 minutes to address. The cost of receiving complaints poses both a recurring annual cost and a one-time cost to establish procedures for handling complaints. It is assumed that the cost for setting up complaint procedures is captured under the training requirement as well as the Patient Notice requirements, laid out in Tables 7 and 10 respectively. Table 8 presents the costs for receiving a complaint.

The assumption that one out of every 1,000 patients would file a complaint was adopted from the 2000 HIPAA Final Rule RIA's calculation of costs of internal complaints under 45 CFR part 160.

iv. Notification of Breaches

The Department estimates annual labor costs of $1.6 million to part 2 programs for providing notification of breaches of unsecured records, including notification to the Secretary, affected patients, and the media, consistent with the requirements of the HIPAA Breach Notification Rule. This estimate is derived from calculating two percent of the total estimated breach notification activities for covered entities, business associates, and qualified service organizations under the HIPAA Breach Notification Rule. Costs for the labor spent to provide breach notifications are estimated in Table 9 below. Capital costs for providing breach notification are discussed separately in Table 5 above.

See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001. Wage rates are updated to 2022 figures.

v. Patient Notice

The Department estimates a first-year total of $2.6 million in costs to part 2 programs for updating the Patient Notice, as applicable, and providing patients a right to discuss the program's Patient Notice. Under the final rule's modifications to § 2.22, as under the existing rules, a part 2 program that is also a covered entity only needs to have one notice that meets the requirements of both rules, so the Department's estimates are based on an unduplicated count of part 2 programs, each one needing to update its Patient Notice. The Department's estimate is based on the number of total entities and one hour of a lawyer's time to update the notice(s), as detailed in Table 10. There would be no new costs for providers associated with distribution of the revised notice other than posting it on the entity's website (where available), as providers have an ongoing obligation to provide the notice to first-time patients. The Department bases the estimate on its previous estimates from the 2013 Omnibus Final Rule, in which the Department estimated approximately 613 million first time visits with health care providers annually.

78 FR 5565, 5675 (Jan. 25, 2013).

In addition to the costs of updating the Patient Notice, the Department estimates that part 2 programs incur ongoing costs to implement the right to discuss a program's Patient Notice calculated as 1 percent of all patients, or 18,644 requests, at the hourly wage of a substance abuse, behavioral disorder, and mental health counselor, as defined by BLS, for an average of 7 minutes per request or $117,586 total per year. The number of discussions is based on the same percentage of new patients as the parallel proposal in the HIPAA Coordinated Care and Individual Engagement NPRM, which reflects the anticipated number of patients who would ask to speak with the identified contact person or office about the Patient Notice. It does not include the discussion that each counselor may have with a new patient about confidentiality in the clinical context which the Department views as part of treatment. Total costs for the Patient Notice are presented in Table 10 below.

vi. Accounting of Disclosures

The Department's estimate of minimal annual costs to part 2 programs for providing patients an accounting of disclosures is based on the Department's estimates for covered entities to comply with the requirements in 45 CFR 164.528 multiplied by a factor of .02. This represents two percent of the total estimated requests for an accounting of disclosures under the HIPAA Privacy Rule. The Department included this estimate in its calculations (detailed in Table 11), although it is negligible, due to the CARES Act mandate to include the requirement in part 2. In addition, these costs will not constitute an immediate burden since they are contingent on the promulgation of HITECH Act modifications to the accounting of disclosures standard in the HIPAA Privacy Rule at 45 CFR 164.528, which the Department has not yet finalized.

The responses to the Department's 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care indicated that covered entities and their business associates receive very few requests for an accounting of disclosures annually (a high of .00006). Comments received on the part 2 NPRM were consistent with these and suggested that covered entities still receive very few requests; however, one commenter asserted that a request can take approximately 40 hours of labor to address. We believe this figure is an outlier and that most requests cover a narrow time period related to a specific disclosure concern. The Department is unable to estimate the additional burdens, if any, of offering these accountings in a machine readable or other electronic format. Further, the Department lacks specific information about the costs to revise EHR systems to generate a report of disclosures for TPO, other than they could be substantial. We note too that the compliance date for the accounting of disclosures requirement is tolled until modifications to the accounting requirement are finalized in 45 CFR 164.528 of the HIPAA Privacy Rule. Table 11 presents the estimated costs for accounting of disclosures.

83 FR 64302 (Dec. 14, 2018).

See generally, public comments posted in response to Docket ID# HHS–OCR–2018–0028, https://www.regulations.gov/document/HHS-OCR-2018-0028-0001/comment.

See public comments posted in response to Docket ID# HHS–OCR–2022–0018–0001, https://www.regulations.gov/document/HHS-OCR-2022-0018-0001 .

Id.

vii. Requests for Privacy Protection for Records

The Department estimates that part 2 programs would incur a total of $5,019 in annual costs arising from the right to request restrictions on disclosures. OCR's HIPAA ICR estimate of costs for covered entities to comply with the parallel requirement under 45 CFR 164.522 represents a doubling of previous estimated responses from 20,000 to 40,000. However, costs remain low for compliance with this regulatory requirement, in part because the requirement to accept a patient's request for restrictions is mandatory only for services for which the patient has paid in full; the cost of complying with a request not to disclose records or PHI to a patient's health plan occurs in a context in which providers are saved the labor that would be needed to submit claims to health insurers.

86 FR 6446, 6498. See also 84 FR 51604.

The Department acknowledges that in addition to the handling of restriction requests, providers will likely also incur costs related to the adjustment of their technological capabilities. Comments received on the part 2 NPRM outlined some of the existing shortcomings of, and potential improvements to, EHR systems. Some of the issues discussed included perceptions regarding the inability of current EHR systems to automatically flag and separate part 2 records, challenges with granular data segmentation functionality, the inability of systems to handle multiple types of information workflows, and difficulties in ensuring that current systems adequately protect part 2 data from access and redistribution in large patient settings where data is received and redistributed electronically. Commenters suggested, among other remedies, the development of broader interoperability frameworks and of consistent standards to address these technical issues, but no specific actionable data was provided that could inform a cost analysis of such efforts. The Department therefore lacks a basis to formally quantify these costs and does not include them in this RIA.

The estimated costs for requests for privacy protection for records are presented in Table 12 below. The estimated number of responses is increased from the proposed rule to 1,200, and the average burden is doubled to 6 minutes (0.1 hours) to account for the final rule's added requirement that covered entities use reasonable efforts to accommodate patients' requests for restrictions, resulting in a slight increase in estimated burden.

viii. Updated Consent Form

The Department estimates that each part 2 program would incur the costs for 40 minutes of a lawyer's time to update its patient consent form for use and disclosure of records. This would result in an estimated total nonrecurring cost of approximately $1.7 million, to be incurred in the first year after publication of a final rule, as detailed in Table 13 below.

ix. Attaching Consent Form

The Department estimates a new cost in this final rule (compared to the proposed rule RIA) for the requirement associated with § 2.32 that each part 2 program would need to attach consent forms with each disclosure. The Department assumes an average of three (3) annual disclosures per patient. The Department assumes consent forms would need to be attached to paper disclosures as well as electronic disclosures and assumes ninety percent (90%) of disclosures are received electronically while the remaining ten percent (10%) would be received in paper format. This would result in a total recurring cost of $2.9 million per year. The estimated costs for attaching consent form are presented in Table 14 below.

x. Updated Notice To Accompany Disclosures

The Department estimates that each part 2 program would incur the costs for 20 minutes of a health care manager's time to update the regulatory notice that is to accompany each disclosure of records with written patient consent. The Department believes that in most cases a manager can accomplish this task, rather than a lawyer, because specific text for the Notice to Accompany Disclosure is required and is included in the final rule. For a total of 16,066 programs this would result in estimated total nonrecurring costs in the first year of the rule's implementation of approximately $0.7 million, as detailed in Table 15 below.

xi. New Reporting to the Secretary

The final rule's reporting requirements in § 2.68 are directed to those agencies that investigate and prosecute programs and holders of part 2 records. Part 2 programs are subject, for example, to investigations for Medicare and Medicaid fraud and diversion of opioids used in medications for opioid use disorder (MOUD). Medicaid and Medicare fraud investigations may involve several agencies, such as the Department of Justice (DOJ), HHS Office of the Inspector General (OIG), and state agencies. Investigations involving the use and disclosure of part 2 records include those where SUD providers are the targeted entities as well as where other health care providers are the target and have received records from a part 2 program. The Department has revised its estimates of the number of investigations that involve part 2 records, resulting in an increase of more than 100 percent from the 225 estimated investigations in the NPRM. The Department estimates that approximately 506 investigations, prosecutions, or sanctions involve part 2 programs or records annually, based on FY 2021 statistics. The reported data does not separately track part 2 programs so we based our estimate on the proportion of part 2 programs as compared to covered entities, which is 2 percent, as we have done for other estimates within the analysis for this rule. We acknowledge that this may not capture all the entities subject to investigations that include part 2 records. At the same time, we have added a more extensive list of investigations and actions against health care entities, many of which represent duplicate actions, such as the removal of entities from Medicare participation based on a fraud conviction against the same entity that is also counted within the same year and counting both new fraud investigations and pending cases at the year's end. We included data from FY 2021 for the following actions:

16,066 part 2 programs/774,331 covered entities = .02

Annual Report of the Departments of Health and Human Services and Justice, FY 2021 Health Care Fraud and Abuse Control Report (July 2022). We include data reflecting OIG investigations as one representative data point in an effort to estimate the volume of relevant records obtained through investigations throughout the country. Annual reporting will be conducted consistent with applicable Federal laws.

  • 831 new criminal health care fraud investigations (DOJ).
  • 462 cases of criminal charges filed by Federal prosecutors.
  • 805 new civil health care fraud investigations (DOJ).
  • 1,432 civil health care fraud matters pending at the end of the fiscal year (DOJ).
  • 107 health care fraud criminal enterprises dismantled (FBI).
  • 504 criminal actions for Medicare and Medicaid crimes (HHS–OIG).
  • 669 civil actions (HHS–OIG).
  • 1,689 individuals and entities excluded from participation in Medicare, Medicaid, and other Federal health care programs (HHS–OIG).

  • 18,815 open investigations by state Medicaid Fraud Control Units in FY 2021.

This results in a count of 25,314 actions taken by investigative agencies and 506 as the estimated proportion involving use and disclosure of part 2 records. The Department assumes, as an over-estimate, that all 506 cases involve use of the safe harbor under § 2.3 and result in a required report under § 2.68.

The burden on investigative agencies for annual reporting about unknowing receipt of part 2 records prior to a court order includes the labor of gathering data and submitting it to the Secretary. As a proxy for this burden, the Department estimates that the labor would be equal to reporting large breaches of PHI under HIPAA which has been calculated at 1.5 hours per response at an hourly wage rate of $81.28 for a total estimated cost of $121.92 per response. For an estimated 506 annual investigations this would result in a total cost of $61,726. This figure represents an overestimate because it assumes 100 percent of investigations would involve unknowing receipt of part 2 records prior to seeking a court order. The Department assumes that the actual proportion of investigations falling within the reporting requirement would be less than 25 percent of cases, although it lacks data to substantiate this assumption. The final rule also adds to the definition of investigative agencies to include local, territorial, and Tribal agencies. The Department acknowledges the potential for expanding the definition to increase the affected population for investigative agencies; however, the Department lacks sufficient data to quantify the number of additional agencies impacted by the rule. The estimated costs for new reporting to the Secretary are presented in Table 16 below.

This is a composite wage rate used in burden estimates for the Department's breach notification Information Collection Request.

f. Summary of First Year Costs

Table 17 presents the total first year part 2 quantified costs presented in the above sections, totaling $23.9 million.

g. Final Rule Changes Resulting in Negligible Fiscal Impact

Sections 2.1 and 2.2 Statutory Authority and Enforcement

While civil enforcement of part 2 by the Department may increase costs for part 2 programs or lawful holders that experience a breach or become the subject of a part 2 complaint or compliance review, the costs of responding to a potential violation are not calculated separately from the costs of complying with new or changed regulatory requirements. Thus, the Department's analysis does not estimate any program costs for the changes to §§ 2.1 and 2.2 of 42 CFR part 2.

Section 2.3 Civil and Criminal Penalties for Violations

The final rule adds local, territorial, and Tribal agencies to the investigative agency definition. Under § 2.3(b)(1), investigative agencies that do not use reasonable diligence would be precluded from seeking a court order to use or disclose part 2 records that they later discover in their possession. The Department acknowledges there may be an overall increase in the affected population associated with including local, territorial, and Tribal agencies in the investigative agency definition; however, the Department lacks sufficient data on the extent to which these agencies are involved in investigating part 2 programs to quantify these potential impacts.

Section 2.3 also creates a limitation on civil or criminal liability for persons acting on behalf of investigative agencies when they may unknowingly receive part 2 records without first obtaining the requisite court order. The final rule mandates reasonable diligence steps that mean taking all of the following actions:

Searching for the practice or provider among the SUD treatment facilities in SAMHSA's online treatment locator; searching in a similar state database of treatment facilities where available; checking a practice or program's website, where available, or physical location; viewing the entity's Patient Notice or HIPAA NPP if it is available; and taking all these steps within no more than 60 days before requesting records or placing an undercover agent or informant. The regulatory change encourages investigative agencies to take preventative measures, reducing the need for after-the-fact court orders. The Department acknowledges that the reasonable diligence steps may result in additional burdens for investigative agencies to check websites and visit physical locations; however, the Department lacks sufficient data to quantify the additional burden and expects that it is negligible.

Section 2.11 Definitions

Changes to the regulatory definitions are not likely to create significant increases or decreases in burdens for part 2 programs or covered entities and business associates. These entities, collectively, would benefit from the regulatory certainty resulting from clarification of terms; however, the definitions are generally intended to codify current usage and understanding of the defined terms. One change that has the potential to result in additional burden to part 2 programs, but also potentially represents a benefit of increased privacy protection for patients, is the inclusion of a new definition of “SUD counseling notes.” The Department has discussed the potential impact of the inclusion of SUD counseling notes under § 2.31. The Department also changes the definition of “investigative agency” to include local, territorial, and Tribal agencies. This change in the definition has the potential to increase the population of investigative agencies; additional discussion of the potential impact of adding local, territorial, and Tribal agencies appears under § 2.3. The final rule adds a new definition of “lawful holder” used in several provisions. The final rule also adds a new definition of “personal representative,” replacing language in § 2.15 describing individuals authorized to act on a patient's behalf, as mentioned under the discussion of § 2.15 below. Another change, to the definition of “intermediary,” excludes part 2 programs, covered entities, and business associates and may result in burden decreases for these entities, as mentioned under the discussion of § 2.24 below. The Department estimates that these three changes will have a negligible impact.

Section 2.12 Applicability

The final rule change from “Armed Forces” to “Uniformed Services” in paragraphs (b)(1) and (c)(2) of § 2.12 is likely to result in only a negligible change in burden because this terminology is already in use in 42 U.S.C. 290dd–2. Adding “uses” and “disclosures” in several places provides clarity and consistency, but is unlikely to create quantifiable costs or cost savings. Adding the four express statutory restrictions on use and disclosure of records for court proceedings in paragraph (d)(1) of this section will likely result in no significant burden change, as the restrictions on use and disclosure of records for criminal investigations and prosecutions of patients are already stringent and the ability to obtain a court order remains. Excluding covered entities from the restrictions applied to other “third-party payers” in paragraph (d)(2) of this section would reduce burden on covered entities that are health plans because they will be permitted to disclose records for a wider range of health care operations than under the current regulation. However, this burden reduction is similar to that for all covered entities under the final rule, so the Department has not estimated the costs or benefits separately from the effects of § 2.33 (Uses and disclosures permitted with written consent).

See 42 U.S.C. 290dd–2(c).

Section 2.13 Confidentiality Restrictions and Safeguards

The primary change to this section is to remove paragraph (d) and redesignate it as § 2.24. Additionally, adding the term “use” to the circumstances when disclosures are permitted or prohibited provides clarification, but is unlikely to generate a change in burden associated with this provision.

Section 2.14 Minor Patients

The final rule changes to this section would clarify that a part 2 program director may clinically evaluate whether a minor has decision making capacity, but not issue a legal judgment to that effect. The changes also add “uses” to “disclosures” as the types of activities regulated under this section. None of the changes would be likely to result in quantifiable burdens to part 2 programs.

Section 2.15 Patients Who Lack Capacity and Deceased Patients

The final rule replaces the terms for “guardian or other individual authorized under state law to act on the patient's behalf” with the term “personal representative” under § 2.11, as described above. The Department does not anticipate this to result in any significant burdens or benefits. The Department's final rule will also replace outdated references to incompetence and instead refer to a lack of capacity to make health care decisions and will add “uses” to “disclosures” to describe the activities permitted when certain conditions are met. These clarifications and additions are unlikely to generate a change in burden that can be quantified, and thus they are not included in the Department's calculation of estimated costs and cost savings.

Section 2.17 Undercover Agents or Informants

The final rule adds the phrase “and disclosure” in the heading of paragraph (b) of this section and “or disclosed” after “used” in paragraph (b) for consistency with changes throughout the rule to align with HIPAA language. We do not expect any change in burden as a result of this change.

Section 2.20 Relationship to State Laws

The final rule adds the term “use” to describe activities regulated by this section. Similar to 42 CFR part 2, state laws impose restrictions on uses and disclosures related to SUD and the Department assumes programs subject to regulation by this part would be able to comply with part 2 and the state law. The Department does not anticipate these changes would result in a quantifiable increase or decrease in burden.

Section 2.21 Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity

The Department replaced “disclosure and use” with “use and disclosure” to align the language of this section with the HIPAA Privacy Rule. The edit does not require any changes to existing part 2 requirements. The Department does not anticipate this change would result in a quantifiable increase or decrease in burden.

Section 2.24 Requirements for Intermediaries

The final rule changes the definition of “intermediary” to exclude part 2 programs, covered entities, and business associates, as noted above. The Department acknowledges that this poses a burden reduction to covered entities and business associates as they are no longer subject to these requirements; however, the Department does not anticipate these changes to have a significant impact.

Section 2.31 Consent Requirements

The final rule adds a new consent requirement at § 2.31(b), requiring separate consent for the use and disclosure of SUD counseling notes. The final rule limits use and disclosure of SUD counseling notes without patient consent in a manner that aligns with the HIPAA Privacy Rule authorization requirements for psychotherapy notes. The Department believes there is a qualitative benefit to patients and clinicians who keep separate SUD counseling notes. Requiring a separate consent for SUD counseling notes offers a means for patients to selectively disclose sensitive information and reduces barriers to clinicians recording treatment information for patients concerned about their confidentiality being protected. The Department acknowledges that there is a potential increase in the administrative burden to part 2 programs for segmenting SUD counseling notes as well as obtaining an additional patient consent; however, a separate consent requirement strikes a balance between heightened protection and an appropriately tailored permission for uses and disclosures that are low risk for abuse or related to requirements in law. The Department lacks sufficient data on the number of SUD counseling notes requiring additional consent and does not expect there to be a large number; and therefore, does not anticipate these changes would result in a quantifiable increase or decrease in burden.

Section 2.34 Uses and Disclosures To Prevent Multiple Enrollments

The final rule adds the term “uses” to the heading and incorporates minor word changes and style edits for clarity. The edits do not require any changes to existing part 2 requirements. The Department does not anticipate these changes would result in a quantifiable increase or decrease in burden.

Section 2.35 Disclosures to Elements of the Criminal Justice System Which Have Referred Patients

The final rule replaces the term “individuals” with “persons,” clarifies that permitted redisclosures of information are from part 2 records, and makes minor word and style edits for clarity. The edits do not require any changes to existing part 2 requirements. The Department does not anticipate these changes would result in a quantifiable increase or decrease in burden.

Section 2.52 Scientific Research

The Department considered whether the requirement to align the de-identification standard in § 2.52 (and throughout part 2) with the HIPAA Privacy Rule de-identification standard in 45 CFR 164.514 would significantly increase burden for part 2 programs or result in any unintended negative consequences. The Department concluded that the final rule change would not significantly increase burden because a part 2 program would need to follow detailed protocols to ensure that the current standard is met that are similar to the level of work needed to adhere to the HIPAA Privacy Rule standard. Additionally, the final rule ensures that all part 2 programs are following similar standards for de-identification, which would benefit researchers when creating data sets from different part 2 programs, by enabling them to populate the data sets with similar content elements.

Section 2.53 Management Audits, Financial Audits, and Program Evaluation

The final rule clarifies that some audit and evaluation activities may be considered health care operations, which could enable part 2 programs, covered entities, and business associates to obtain records based on a consent for health care operations and then redisclose them as permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule may allow these entities greater flexibility to use or redisclose the part 2 records for permitted purposes compared to the limitations contained in § 2.53 of part 2. For part 2 programs that are covered entities, this change could result in burden reduction because they would not have to track the records used for audit and evaluation purposes as closely; however, the Department is without data to quantify the potential cost reduction. For business associates, there would likely be no change in burden because they are already obligated by contract to use or disclose PHI (which may be part 2 records) only as allowed by the agreement with the covered entity.

As discussed in the preamble, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and the Children's Health Insurance Program (CHIP). The Department also intends that a government agency conducting activities that could fall within either § 2.53 or § 2.33 for health care operations would have the flexibility to choose which permission to rely on and would not have to meet the conditions of both sections. In the event that the agency is a covered entity that has received the records based on a consent for TPO, it could further redisclose the records as permitted by the HIPAA Privacy Rule. Further, the Department intends that the availability of the safe harbor under § 2.3 does not affect the ability of government agencies conducting health oversight to continue relying on § 2.53 to access records without a court order.

Section 2.54 Disclosures for Public Health

The Department does not believe that an express permission to disclose records to public health authorities without patient consent will impact burdens to a significant degree. While part 2 programs will likely experience a burden reduction from the lifting of a consent requirement, the permission may cause an increase in disclosures to public health authorities, resulting in a net impact of no change to burdens. Additionally, to the extent these disclosures are required by other law, the compliance burden is not calculated as a change caused by part 2.

Sections 2.61 Through 2.65 Procedures for Court Orders

The Department lacks sufficient data to estimate the number of instances where the expanded scope of protection from use or disclosure of records against the patient in legal proceedings (including in administrative and legislative forums) would result in increased applications for court orders authorizing the disclosure of part 2 records or testimony.

Section 2.66 Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or the Person Holding the Records

Section 2.66(a)(3) provides specific procedures for investigative agencies to follow upon discovering after the fact that they are holders of part 2 records, such as securing, returning, or destroying the records and optionally seeking a court order under subpart E. Although the existing regulation does not expressly require a law enforcement agency to return or destroy records that it cannot use in investigations or prosecutions against a part 2 program when it does not obtain the required court order, it requires lawful holders to comply with § 2.16 (Security for records). The Department developed the requirements in § 2.66(a)(3) (to return or destroy records that an investigative agency is unable to use or disclose in an investigation or prosecution) to parallel the existing requirements in § 2.16 for programs and lawful holders to establish policies for securing paper and electronic records, removing them, and destroying them. The § 2.66(c) requirements, for an agency that has obtained information in violation of this part, to obtain a court order or to return or destroy the records within a reasonable time (no more than 120 days from discovering that it has received part 2 records) would not significantly increase the existing burden on investigative agencies to comply with § 2.16.

Section 2.67 Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter

Section 2.67(c)(4) restricts an investigative agency from seeking a court order authorizing placement of an undercover agent or informant unless it has first exercised reasonable diligence as described in § 2.3(b). This prerequisite also allows an investigative agency that learns after the fact that its undercover agent or informant is in a part 2 program to correct the oversight, continue the placement, and avoid the risk of penalties for the violation. The Department anticipates that the added burden of searching SAMHSA's online treatment locator (FindTreatment.gov) and a similar State database, and of checking a program's website or physical location, including its Patient Notice or HIPAA NPP, to ascertain whether the program provides SUD treatment would be minimal, as these activities would normally be included in the course of investigating and prosecuting a part 2 program. The requirement would merely shift the timing of these actions in some cases so that investigative agencies ensure they are completed prior to requesting court approval of an undercover agent or use of an informant. The primary burden on investigative agencies would be to include a statement in an application for a court order, after learning of the program's part 2 status after the fact, that the investigator or prosecutor first exercised reasonable diligence to determine whether the program provided SUD treatment. The burden of including this statement within an application for a court order is minimal and could consist of standard language used in each application. Thus, the Department has not calculated specific quantitative costs for compliance.

h. Costs Borne by the Department

This rule has a cost impact on HHS. HHS has the primary responsibility to assess the regulatory compliance of covered entities and business associates; this final rule extends those responsibilities to part 2 programs. In addition to promulgating the current regulation, HHS would be responsible for developing guidance and conducting outreach to educate the regulated community and the public. The final rule also requires HHS to investigate and resolve complaints and conduct compliance reviews as part of its expanded responsibility for part 2 compliance and enforcement. The Department estimates that implementing the new part 2 enforcement requirements would require two full-time policy employees (or contractors) at the Office of Personnel Management (OPM) General Schedule (GS) GS–14 or equivalent level who will develop regulation, guidance, and national-level outreach. Additionally, the Department estimates needing eight full-time employees (or contractors) for enforcement at a GS–13 or equivalent level to investigate, train investigators, and provide local outreach to regulated entities. The cost of labor for enforcement of part 2 across the ten employees described above amounts to $2,214,100 in the first year and $11,808,508 over all five years from 2024 to 2028, including appropriate step increases expected across years. The Department also estimates costs for hiring a contractor to create a breach portal or a part 2 module for the existing HIPAA breach portal. The Department assumes that the cost of hiring each contractor to maintain the breach portal amounts to 5 percent of the annual operation and maintenance (O&M) funding for the breach portal. The initial posting of such breaches is automated, and HHS currently pays a contractor approximately $13,814 annually to maintain the database that receives reports of breaches from HIPAA covered entities. Under the same assumptions, the Department estimates approximately $13,814 to hire a second contractor to maintain a database that exclusively receives reports of breaches from part 2 programs. Additionally, HHS drafts and posts summaries of each large breach on the website, using a combination of GS–12, GS–13, GS–14, and GS–15 workers. In total, the Department assumes it will take workers 1.5 hours to summarize each breach and that there will be 267 breaches requiring summaries per year, equaling a labor cost of approximately $32,107 per year. To implement the enforcement requirements, breach portal maintenance, and breach summary reporting, the Department estimates that first-year Federal costs will be approximately $2,260,021. Based on the GS within-grade step increases for each of the GS–13 and GS–14 employees working to enforce part 2, the Department estimates that Federal costs will be approximately $12,038,112 over 5 years. These costs are presented in Table 18 below. The NPRM had not originally included the cost to the Department in the total cost estimate. However, as these costs to the Department are new, arising from the establishment of an enforcement program for part 2, they have been incorporated into the final costs presented below.

To determine the salary rate of the employees at the GS–13 and GS–14 pay scale, the Department used the U.S. OPM's GS classification and pay system and used the Department's General Schedule (Base) annual rates. The Department used the available 2022 data for the estimated costs. In 2022, the GS–13, step 1 annual rate is $213,646, consisting of $106,823 plus 100% for fringe benefits and overhead, and the GS–14, step 1 annual rate is $252,466, consisting of $126,233 plus 100% for fringe benefits and overhead. The Department estimated the costs over 5 years based on within-grade step increases tied to an acceptable level of performance and longevity (waiting periods of 1 year at steps 1–3 and 2 years at steps 4–6).

The Department estimates that the O&M costs of maintaining the portal are $276,281 in 2022.

The Department uses hourly rates for Federal employees from OPM's GS Base hourly rates for 2022. All workers are assumed to be at step 1. In 2022, the GS–12 hourly rate is $65.46, consisting of $32.73 plus 100% for fringe benefits and overhead; the GS–13 hourly rate is $77.84, consisting of $38.92 plus 100% for fringe benefits and overhead; an average rate between GS–14 and GS–15 workers is used, equaling $100.08, consisting of $50.04 plus 100% for fringe benefits and overhead; and lastly, HHS headquarters staff are calculated at the GS–12 step 1 level with Washington, DC locality pay, equaling $86.06, consisting of $43.04 plus 100% for fringe benefits and overhead.

Note, an FY 2024 budget request to support additional enforcement activity is pending. See U.S. Dep't of Health and Human Servs., “Department of Health and Human Services, Fiscal Year 2024,” FY 2024 Budget Justification, General Department Management, Office for Civil Rights, at 255, https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.

i. Comparison of Benefits and Costs

The final rule results in costs, cost savings, and benefits as described in the preceding sections. Table 19 presents the 5-year costs and cost savings associated with part 2. Finally, Table 20 provides a narrative description of the non-quantified final rule changes and costs and benefits.

Consideration of Regulatory Alternatives

Upon review of public comments on the NPRM, the Department considered alternatives to several proposals and the provisions that are finalized in this rule as explained below.

Section 2.11 Definitions

Lawful Holder

Although not required by the CARES Act, the Department is finalizing a regulatory definition of the term “lawful holder.” We considered expressly excluding family, friends, and informal caregivers from the definition because we understand that these types of informal caregivers are overwhelmingly not professional entities and would not have the means or other resources necessary to meet obligations that part 2 places upon them. For example, § 2.16 requires part 2 programs or other lawful holders to have in place formal policies and procedures to protect against unauthorized disclosures and a patient's family member who receives a record based on consent could not be reasonably expected to comply.

The description of “lawful holder” as a person who has received a part 2 record based on consent means that any person who receives records pursuant to a valid consent could be considered a lawful holder. We believe that keeping the definition confined to those who receive records as specified is clear and unambiguous. To maintain this clarity, the Department believes it more appropriate to carve out an exception in § 2.16 for certain types of lawful holders (i.e., family, friends, and informal caregivers) from those obligations to which they should not reasonably be expected to adhere. As we discuss in the preamble, we do expect that these informal caregivers will still exercise some level of caution and care when handling these records.

Section 2.12 Exception for Reporting Suspected Abuse and Neglect

The Department considered for a second time expanding the exception under § 2.12(c)(6) for reporting suspected child abuse and neglect to include reporting suspected abuse and neglect of adults. Such an expansion would be consistent with the HIPAA Privacy Rule permission to report abuse, neglect, or domestic violence at 45 CFR 164.512(c), and could be beneficial for vulnerable adults, such as persons who are incapacitated or otherwise are unable to make health care decisions on their own behalf. However, § 2.12(c)(6), under the authority of 42 U.S.C. 290dd–2, limits the reporting of abuse and neglect to reporting child abuse and neglect as required by State or local law. Further, section (c) of the authorizing statute also restricts uses of records in criminal, civil, or administrative contexts, which could include investigations by a protective services agency, for example, unless pursuant to a court order or with the patient's consent. Therefore, the Department determined that expanding the exception under § 2.12(c)(6) to include reporting abuse and neglect of adults would exceed the statutory authority although we believe such reporting is needed.

Section 2.16 Security of Records and Notification of Breaches

The Department considered further harmonizing part 2 and the HIPAA regulations by applying the HIPAA Security Rule, or components of it, to part 2 programs and other lawful holders with respect to electronic part 2 records. A majority of commenters who addressed this issue recommended applying the HIPAA Security Rule to part 2 programs; however, few of these comments were from part 2 programs. Further, the CARES Act did not make the HIPAA Security Rule applicable to part 2 programs. The Department is not finalizing any additional modifications to align the HIPAA Security Rule and part 2 at this time, but will take these comments into consideration in potential future rulemaking.

Breach Notification Obligation for QSOs

The Department considered expressly applying the breach notification provisions finalized in paragraph (b) of § 2.16 to qualified service organizations “in the same manner as those provisions apply to a business associate [. . .]”. To the extent that QSOs handle unsecured part 2 records on behalf of part 2 programs, the same policy objectives for requiring breach notification would equally apply. Further, because HIPAA imposes breach notification obligations on both covered entities and business associates, the Department considered that finalizing a parallel provision would further align the regulations. However, in analyzing title 42, as amended by the CARES Act, Congress was silent on this issue. In comparison, in section 13402(b) of the HITECH Act, Congress expressly imposed an obligation on a business associate to notify the covered entity in the event of a breach of PHI. This difference leads us to conclude that a reporting requirement for QSOs was not intended. However, we expect that part 2 programs are likely to consider adding such requirements to QSO agreements to enable the programs to meet their own breach notification obligations.

Section 2.26 Right To Request Restrictions Based on Ability To Pay

Section 290dd–2 of title 42 of the U.S.C., as amended by the CARES Act, applied section 13405(c) of the HITECH Act, including the right of a patient to obtain restrictions on disclosures to health plans for services paid in full, similar to how the right is structured in the HIPAA Privacy Rule at 45 CFR 164.522 with respect to PHI. In response to public comments, the Department considered a more equitable provision that would require part 2 programs to agree to a requested restriction in the case of those who cannot afford to pay for care in full. The Department determined that the amended statute did not grant such authority. The Sense of Congress in the CARES Act, section 3221(k)(3), provides that: “[c]overed entities should make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding a particular use or disclosure.” Although the Sense of Congress did not include part 2 programs in its urging, we encourage these programs to also make every reasonable effort to fulfill requested restrictions on disclosures for TPO.

Sections 2.31 and 2.32 Tracking Consent and Revocation of Consent

The Department considered alternatives to facilitate the new TPO consent and redisclosure permission for recipients of part 2 records and ensure such records are protected from use and disclosure in proceedings against the patient, absent consent or a court order. The Department further considered how other changes to the scope of a patient's consent would be tracked or communicated to recipients, such as patient-requested restrictions on disclosures and revocation of consent. We received many comments offering information about current practices, technology capabilities, and different approaches to tracking consent, revocation, and restrictions, as discussed in the preamble, and considered not imposing any new requirements. However, comments that sought no requirement to track the scope of consent provided were from organizations that did not believe that the prohibition on use of records in proceedings against patients should continue to apply to records received by a covered entity or business associate under a TPO consent. We disagree with this view and further, recognize that patients may still provide a consent for disclosures that is not a TPO consent. We considered requiring a copy of consent to be attached to each disclosure without any other option; however, in consideration of the amount of the burden and the available HIE models used to exchange electronic records, we offer an option in new paragraph (b) of § 2.32 for disclosers to provide a clear explanation of the scope of the consent provided. We believe this offers the flexibility needed for health IT systems to exchange needed information about the consent status of an electronic record.

The Department also analyzed how part 2 programs and recipients of records would effectively implement a patient's revocation of consent and considered adding a requirement for programs to notify recipients when a consent is revoked. Upon consideration of the complexities and burden this would impose, we decided not to create a regulatory requirement, but to explain our expectation in the preamble that programs would ensure patients' revocation rights are respected.

Section 2.52 Adding a Permission To Disclose Records in Limited Data Sets

The Department considered adding a permission to allow part 2 programs to disclose records in the form of a limited data set. The part 2 requirements for a limited data set would have matched those for limited data sets under the HIPAA Privacy Rule (45 CFR 164.514(e)) and would have responded to public comments requesting such a permission for research and public health disclosures of records. However, title 42 refers only to the disclosure of records de-identified to the HIPAA standard at 45 CFR 164.514(b) for public health purposes, and this differs from the partial de-identification allowed for a limited data set under 45 CFR 164.514(e). Although the Department is finalizing new standards for public health and research purposes that align with 45 CFR 164.514(a) and (b), we are not promulgating a standard for limited data sets at this time.

Subpart E Evidentiary Suppression Remedy for Records Obtained in Violation of Part 2

In response to commenters' concerns about the potential for law enforcement to obtain records through coerced patient consent, we considered creating an express right for patients to request suppression of records obtained in violation of this part for use as evidence in proceedings against them. However, we determined that was unnecessary for two reasons. First, the provision for patients to consent to use and disclosure of records in investigations and proceedings against them is not new—it is covered in § 2.33(a)—thus, newly heightened concern about consent based on changes in this final rule is unwarranted. Second, the prohibition on disclosures based on false consent in § 2.31(c) offers some protection to patients from coerced consent.

Sections 2.66 and 2.67 Preventing Misuse of Records by Investigative Agencies

In response to public comments expressing concern about misuse of records by investigative agencies shielded from liability under the proposed safe harbor, the Department considered describing, in preamble, the expectation that information from records obtained in violation of part 2 cannot be used to apply for a court order for such records. Instead, the Department added language to §§ 2.66(c)(3) and 2.67(c)(4) to expressly prohibit the use of such information, in regulatory text. The Department believes codifying the prohibition in regulatory text creates an enforceable legal prohibition and more strongly deters investigative agencies from misusing records or information obtained in violation of part 2.

HIPAA NPP

The Department considered finalizing modifications to 45 CFR 164.520 in this final rule and decided not to do so, in part, because of limitations on how often modifications may be made to the HIPAA Privacy Rule. Thus, it is necessary to combine changes to the HIPAA NPP with other changes to the HIPAA NPP that are anticipated in the future. Finalizing changes to the HIPAA NPP in this final rule would prevent us from making any further modifications to the HIPAA NPP for one year. We realize this creates a possible gap when covered entities may have changes in policies and procedures that are not reflected in their HIPAA NPP; however, potentially needing to make multiple changes to the HIPAA NPP over a short time span would be equally problematic and confusing to individuals. Additionally, each set of revisions to the HIPAA NPP would add a burden to covered entities for making updates and distributing the HIPAA NPP totaling approximately $45 million as described in the NPRM. As explained in preamble, we intend to align compliance dates for any required changes to the HIPAA NPP and part 2 Patient Notice to enable covered entities to make such changes at the same time.

See 45 CFR 160.104 (limiting changes by the Secretary to HIPAA standards or implementation specifications to once every 12 months).

See 87 FR 74216 (Dec. 2, 2022), Table 9b. Privacy Rule Costs and Savings Over 5-year Time Horizon.

B. Regulatory Flexibility Act

The Department has examined the economic implications of this final rule as required by the Regulatory Flexibility Act (5 U.S.C. 601–612). If a rule has a significant economic impact on a substantial number of small entities, the Regulatory Flexibility Act (RFA) requires agencies to analyze regulatory options that would lessen the economic effect of the rule on small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines “small entities” as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction with a population of less than 50,000. The Department did not receive any public comments on the NPRM small business analysis assumptions and is therefore making no changes to them for this final rule; however, we have updated this analysis of small entities for consistency with revisions to the regulatory impact analysis relating to the costs and cost savings to part 2 programs and covered entities. The Department has determined that roughly 90 percent or more of all health care providers meet the SBA size standard for a small business or are nonprofit organizations. The Department assumes that part 2 program entities have the same size distribution as health care providers. Therefore, the Department estimates there are 14,459 small entities affected by this rule. The SBA size standard for health care providers ranges between a maximum of $9 million and $47 million in annual receipts, depending upon the type of entity.

14,459 = 16,066 (the number of part 2 programs) × 0.9 (90% of all health care providers are small entities).

This range of size standards covers the full list of 6-digit codes in Sector 62—Health Care and Social Assistance. The analysis uses SBA size standards effective as of March 17, 2023. U.S. Small Business Admin., “Table of Small Business Size Standards,” https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.

The projected costs and savings are discussed in detail in the RIA (section 4.e.). This final rule would create cost savings for regulated entities (part 2 programs and covered entities), many of which are small entities. The Department considers a threshold for the size of the impact of 3 to 5 percent of entity annual revenue as a measure of significant economic impact. The Department estimates the annualized 3 percent discounted net savings, excluding Federal Government costs since they do not apply to covered or small entities, of this rule to be $4,921,888. Spread across 14,459 small entities, the average savings per small entity are equal to $340.39. Since even the smallest entities in Sector 62 average over $55,000 in annual receipts, the projected impact for most of them is well below the 3 to 5 percent threshold. Therefore, the Secretary certifies that this final rule would not result in a significant negative impact on a substantial number of small entities.

The entities in the smallest recorded receipt size category (<$100,000) average $56,500 in annual receipts (in 2022 dollars). See U.S. Census. “2017 SUSB Annual Data Tables by Establishment Industry”. https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html.

C. Unfunded Mandates Reform Act

Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending that may result in expenditures in any one year of $100 million in 1995 dollars, updated annually for inflation. The current threshold after adjustment for inflation is $177 million, using the most current (2022) Implicit Price Deflator for the Gross Domestic Product. The Department does not anticipate that this final rule would result in the expenditure by State, local, and Tribal governments, taken together, or by the private sector, of $177 million or more in any one year. The final rule does, however, present novel legal and policy issues, for which the Department is required to provide an explanation of the need for this final rule and an assessment of any potential costs and benefits associated with this rulemaking in accordance with E.O.s 12866 and 13563. The Department presents this analysis in the preceding sections.

D. Executive Order 13132—Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. The Department does not believe that this rulemaking would have any federalism implications.

The federalism implications of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules were assessed as required by E.O. 13132 and published as part of the preambles to the final rules on December 28, 2000, February 20, 2003, and January 25, 2013. Regarding preemption, the preamble to the final HIPAA Privacy Rule explains that the HIPAA statute dictates the relationship between state law and HIPAA Privacy Rule requirements, and the Privacy Rule's preemption provisions do not raise federalism issues. The HITECH Act, at section 13421(a), provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements.

65 FR 82462, 82797.

68 FR 8334, 8373.

78 FR 5566, 5686.

The federalism implications of part 2 were assessed and published as part of the preamble to proposed rules on February 9, 2016.

81 FR 6987, 7012 (Feb. 9, 2016).

The Department anticipates that the most significant direct costs on State and local governments would be the costs for State and local government-operated covered entities to revise consent forms, policies, and procedures; to provide notification in the event of a breach of part 2 records; and to draft, print, and distribute Patient Notices for individuals with first-time health encounters. The RIA above addresses these costs in detail.

In considering the principles in and requirements of E.O. 13132, the Department has determined that the final rule would not significantly affect the rights, roles, and responsibilities of the States.

E. Assessment of Federal Regulation and Policies on Families

Section 654 of the Treasury and General Government Appropriations Act of 1999 requires Federal departments and agencies to determine whether a proposed or final policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. The Department believes that these regulations would positively impact the ability of patients and families to coordinate treatment and payment for health care, particularly for families to participate in the care and recovery of their family members experiencing SUD treatment, by aligning the permission for covered entities and business associates to use and disclose records disclosed to them for TPO purposes with the permissions available in the HIPAA Privacy Rule. The Department does not anticipate negative impacts on family well-being as a result of this regulation or the separate rulemaking as described.

Public Law 105–277, 112 Stat. 2681 (Oct. 21, 1998).

F. Paperwork Reduction Act of 1995

Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104–13), agencies are required to submit to the OMB for review and approval any reporting or recordkeeping requirements inherent in a proposed or final rule, and are required to publish such proposed requirements for public comment. The PRA requires agencies to provide a 60-day notice in the Federal Register and solicit public comment on a proposed collection of information before it is submitted to OMB for review and approval. To fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:

1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;

2. The accuracy of the agency's estimate of the information collection burden;

3. The quality, utility, and clarity of the information to be collected; and

4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department did not receive comments related to the previous notice but has adjusted the estimated respondent burden in this request to reflect revised assumptions based on updated information available at the time of the final rule's publication. This revision resulted in adjusted cost estimates that are consistent with the RIA presented in this final rule. The estimates covered the employees' time for reviewing and completing the collections required.

As discussed below, the Department estimates a total part 2 program burden associated with all final rule part 2 changes of 672,663 hours and $50,516,207, including capital costs and one-time burdens, across all 16,066 part 2 programs for 1,864,367 annual patient admissions. On average, this equates to an annual burden of 42 hours and $3,144 per part 2 program and 0.36 hours and $27 per patient admission. Excluding one-time costs that would be incurred in the first year of the final rule's implementation, the average annual burden would be 27 hours and $1,940 per part 2 program and 0.24 hours and $17 per patient admission. In addition to program burdens, the Department's final rule would increase burdens on investigative agencies for reporting annually to the Secretary in the collective amount of 759 hours of labor and $61,726 in costs. This would result in a total burden for part 2 of 672,663 hours in the first year after the rule becomes effective and 439,880 annual burden hours thereafter.

In this final rule, the Department is revising certain information collection requirements and, as such, is revising the information collection last prepared in 2020 and previously approved under OMB control #0930–0092.

Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2

The Department presents, in separate tables below, revised estimates for existing burdens (Table 21), previously unquantified ongoing burdens (Table 22), new ongoing burdens of the final rule (Table 23), and new one-time burdens of the final rule (Table 24).

As shown in Table 21, the Department is adjusting the currently approved burden estimates to reflect an increase in the number of part 2 programs, from 13,585 to 16,066. The respondents for this collection of information are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The estimate of the number of such programs (respondents) is based on the results of the 2020 N–SSATS, which represents an increase of 2,481 programs from the 2017 N–SSATS, which was the basis for the approved ICR under OMB No. 0930–0335. The average number of annual total responses is based on the average number of SUD treatment admissions from SAMHSA's 2019 TEDS, used as the number of annual patient admissions by part 2 programs (1,864,367 patients). To accurately reflect the number of disclosures, the Department based some estimates on the number of patients (or a multiple of that number) and then divided by the number of programs to arrive at the number of responses per respondent. The Department based other estimates on the number of programs and then multiplied by the estimated number of disclosures to arrive at the total number of responses.

The estimate in the currently approved ICR includes the time spent with the patient to obtain consent and the time for training for counselors. The Department is now estimating the time for obtaining consent separately from the burden of training time and applies an average of 5 minutes per patient admission for obtaining consent.

The Department estimated that the amount of time for disclosure to a patient ranged from a low of 3–5 minutes to a high of almost 38 minutes; the approximately 12-minute estimate used to estimate burden reflected a judgment about the time needed to adequately comply with the legal requirements and for basic training of counselors on the importance of patient confidentiality.

For §§ 2.31, 2.52, and 2.53, the Department is separating out estimates for each provision which were previously reported together and is also adjusting the estimates. For § 2.31, the Department believes that disclosures with written consent for TPO are made for 100 percent of patients; due to the final rule changes to the consent requirements, the Department assumes that part 2 programs would experience a decreased burden from an average of 3 consents per admission to 1 consent. Table 21 reflects 1 consent for each of the 1,864,367 annual patient admissions (used as a proxy for the estimated number of patients) and a time burden of 5 minutes per consent for a total of 155,364 burden hours. The previously unacknowledged burden of obtaining multiple consents for each patient is shown in Table 22, below.

The Department previously estimated that for §§ 2.31 (consent), 2.52 (research), and 2.53 (audit and evaluation) combined, part 2 programs would need to disclose an average of 15 percent of all patients' records (1,864,367 records × .15 = 279,655 disclosures). The Department is adjusting its estimates to reflect that 15 percent of patients would have records disclosed without consent for research and audits or evaluations and that this would be divided evenly between the two provisions, resulting in 7.5% of 1,864,367 records (or approximately 139,828 disclosures) for § 2.52 disclosures and the same for § 2.53 disclosures. The Department previously estimated that 10 percent of disclosed records would be disclosed in paper form while the remaining 90 percent would be disclosed electronically. The time burden for disclosing a paper record is estimated as 15 minutes and the time for disclosing an electronic record as 5 minutes. For part 2 programs using paper records, the Department expects that a staff member would need to gather and aggregate the information from paper records, and manually track disclosures; for those part 2 programs with a health IT system, the Department expects records and tracking information will be available within the system.

For § 2.36, the Department used the average number of opiate treatment admissions from SAMHSA's 2019 TEDS (565,610 admissions) and assumed the PDMP databases would need to be accessed and reported once initially and quarterly thereafter for each patient (565,610 × 5 = 2,828,050). Dividing the number of opiate treatment admissions by the number of SUD programs results in an average of 35.21 patients per program (565,610 patients ÷ 16,066 programs) and 176.03 PDMP updates per respondent (35.21 patients/program × 5 PDMP updates per patient). Based on discussions with providers, the Department believes accessing and reporting to PDMP databases would take approximately 2 minutes per patient, resulting in a total annual burden of 10 minutes (5 database accesses/updates × 2 minutes per access/update) or 0.166 hours annually per patient. For § 2.51, the time estimate for recordkeeping for a clerk to locate a patient record, record the necessary information, and re-file the record is 10 minutes.

As shown in Table 22, for § 2.31 the Department is recognizing for the first time the burden on part 2 programs to obtain multiple consents for each patient annually. The Department estimates that for each patient admission to a program a minimum of 3 consents is needed for disclosures of records: one each for treatment, payment, and health care operations (1,864,367 × 3).

As shown in Table 21, a burden is already recognized for obtaining consent, but the estimate assumed only one consent per admission under the existing regulation and it was combined with estimates for disclosures without consent under §§ 2.52 (research) and 2.53 (audit and evaluation). The Department believes its previous calculations underestimated the number of consents obtained annually, and thus the Department views its updated estimate (i.e., adding two consents per patient annually) as acknowledging a previously unquantified burden. Additionally, recipients of part 2 records that are covered entities or business associates must obtain consent for redisclosure of these records. The Department estimates that an average of one-half of patients' records are disclosed to a covered entity or business associate that needs to redisclose the record with consent (1,864,367 × .5), and this also represents a previously unquantified burden. Together, this would result in an increase of 2.5 consents annually per patient. However, this would be offset by the changes in this final rule, which are estimated to result in a reduction in the number of consents by 2.5 per patient, thus resulting in no change from the currently approved burden of 1 consent per patient.

In Table 23 above, the Department shows an annualized new hourly burden of approximately 94,781 hours due to final rule requirements for receiving complaints, breach notification, accounting of disclosures of records, responding to patients' requests for restrictions on disclosures, discussing the Patient Notice, attaching a consent form to each disclosure, and required reporting by investigative agencies. These burdens would be recurring. The estimates represent 2 percent of the total estimated by the Department for compliance with the parallel HIPAA requirements for covered entities. This percentage was calculated by dividing the number of part 2 programs by the total number of covered entities (16,066/774,331 = .02). The Department recognizes that this is an overestimate because an unknown proportion of part 2 programs are also covered entities. As a result of these calculations, the estimated number of respondents and responses is not a whole number. The totals were based on calculations that included decimals not shown in the table, resulting in different totals than computed in ROCIS for some line items. For § 2.32, the Department estimates a new burden for attaching a consent or a clear explanation of the scope of the consent to each disclosure. The Department estimates that each part 2 program would make three (3) annual disclosures per patient for 1,864,367 patients yearly. The Department also estimates that consent forms would need to be attached to paper disclosures as well as electronic disclosures and assumes ninety percent (90%) of disclosures are received electronically, totaling 5,033,791 consents or explanations of consent attached to electronic disclosures, while the remaining ten percent (10%) would be received in paper format, totaling 559,310 attached paper disclosures. The Department assumes a receptionist or information clerk would take 5 minutes to attach a consent form for each paper disclosure and 30 seconds to attach a consent form for each electronic disclosure. This would result in a total recurring burden of 46,609 hours for paper disclosures and 41,948 hours for electronic disclosures.

The total number of responses for the accounting of disclosures has been corrected in the table to show 100, whereas the proposed rule displayed a total of 800. The total in Table 23 also includes the Department's estimates for a recurring annual burden on investigative agencies of 759 hours, relying on previous estimates for the burden of reporting breaches of PHI to the Secretary at 1.5 hours per report.

As shown in Table 24, the Department estimates one-time burden increases as a result of final rule changes to §§ 2.16, 2.22, 2.31, and 2.32 and due to new provisions §§ 2.25 and 2.26. The nonrecurring burdens are for training staff on the final rule provisions and for updating forms and notices. The Department estimates that each part 2 program would need 5 hours of a training specialist's time to prepare and present the training for a total of 80,330 burden hours.

For § 2.16, the Department estimates that each part 2 program would need to train 1 manager on breach notification requirements for 1 hour, for a total of 16,066 burden hours. For § 2.22, the Department estimates that each program will need 1 hour of a lawyer's time to update the content of the Patient Notice (for a total of 16,066 burden hours) and 15 minutes to train 202,072 part 2 counselors on the new Patient Notice and right to discuss the Patient Notice requirements (for 56,058 total burden hours).

For § 2.25, the Department estimates that each part 2 program would need to train a medical records specialist on the accounting of disclosures requirements for 30 minutes, resulting in a total burden of approximately 8,033 hours. For § 2.26, the Department estimates that each part 2 program would need to train three staff (a front desk receptionist, a medical records technician, and a billing clerk (16,066 part 2 programs × 3 staff)) for 15 minutes each on the right of a patient to request restrictions on disclosures for TPO. The base wage rate is an average of the mean hourly rate for the three occupations being trained. This would total approximately 12,050 burden hours.

For § 2.31, each part 2 program would need 40 minutes of a lawyer's time to update the consent to disclosure form (for a total of approximately 10,711 burden hours) and 30 minutes to train an average of 2 front desk receptionists on the changed requirements for consent (for a total of approximately 16,066 burden hours). For § 2.32, the Department estimates that each part 2 program would need 20 minutes of a health care manager's time to update the content of the Notice to Accompany Disclosure with the changed language provided in the final rule, for a total of approximately 5,355 burden hours. This is likely an over-estimate because an alternative, short form of the notice is also provided in regulation, and the language for that form is unchanged such that part 2 programs that are using the short form notice could continue using the same notice and avoid any burden increase.

Explanation of Estimated Capital Expenses for 42 CFR Part 2

As shown above in Table 25, part 2 programs would incur new capital costs for providing breach notification. The table also reflects existing burdens for printing the Patient Notice, the Notice to Accompany Disclosure, and Consents. The Department has estimated 50 percent of forms used would be printed on paper, taking into account the notable increase in the use of telehealth services for the delivery of SUD treatment and the expectation that the demand for telehealth will continue.

See Todd Molfenter, Nancy Roget, Michael Chaple, et al., “Use of Telehealth in Substance Use Disorder Services During and After COVID–19: Online Survey Study,” JMIR Mental Health (Aug. 2, 2021), https://mental.jmir.org/2021/2/e25835.

List of Subjects in 42 CFR Part 2

  • Administrative practice and procedure
  • Alcohol use disorder
  • Alcoholism
  • Breach
  • Confidentiality
  • Courts
  • Drug abuse
  • Electronic information system
  • Grant programs—health
  • Health
  • Health care
  • Health care operations
  • Health care providers
  • Health information exchange
  • Health plan
  • Health records
  • Hospitals
  • Investigations
  • Medicaid
  • Medical research
  • Medicare
  • Patient rights
  • Penalties
  • Privacy
  • Reporting and recordkeeping requirements
  • Security measures
  • Substance use disorder

Final Rule

For the reasons stated in the preamble, the U.S. Department of Health and Human Services amends 42 CFR part 2 as set forth below:

Title 42—Public Health

PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

1. Revise the authority citation for part 2 to read as follows:

Authority: 42 U.S.C. 290dd–2; 42 U.S.C. 290dd–2 note.

2. Revise § 2.1 to read as follows:

§ 2.1
Statutory authority for confidentiality of substance use disorder patient records.

Title 42, United States Code, section 290dd–2(g) authorizes the Secretary to prescribe regulations to carry out the purposes of section 290dd–2. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection 290dd–2(b)(2)(C), as in the judgment of the Secretary are necessary or proper to effectuate the purposes of section 290dd–2, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

3. Revise § 2.2 to read as follows:

§ 2.2
Purpose and effect.

(a) Purpose. Pursuant to 42 U.S.C. 290dd–2(g), the regulations in this part impose restrictions upon the use and disclosure of substance use disorder patient records (“records,” as defined in this part) which are maintained in connection with the performance of any part 2 program. The regulations in this part include the following subparts:

(1) Subpart B: General Provisions, including definitions, applicability, and general restrictions;

(2) Subpart C: Uses and Disclosures With Patient Consent, including uses and disclosures that require patient consent and the consent form requirements;

(3) Subpart D: Uses and Disclosures Without Patient Consent, including uses and disclosures which do not require patient consent or an authorizing court order; and

(4) Subpart E: Court Orders Authorizing Use and Disclosure, including uses and disclosures of records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders.

(b) Effect. (1) The regulations in this part prohibit the use and disclosure of records unless certain circumstances exist. If any circumstance exists under which use or disclosure is permitted, that circumstance acts to remove the prohibition on use and disclosure but it does not compel the use or disclosure. Thus, the regulations in this part do not require use or disclosure under any circumstance other than when disclosure is required by the Secretary to investigate or determine a person's compliance with this part pursuant to § 2.3(c).

(2) The regulations in this part are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their record than an individual with a substance use disorder who does not seek treatment.

(3) The regulations in this part shall not be construed to limit:

(i) A patient's right, as described in 45 CFR 164.522, to request a restriction on the use or disclosure of a record for purposes of treatment, payment, or health care operations.

(ii) A covered entity's choice, as described in 45 CFR 164.506, to obtain the consent of the patient to use or disclose a record to carry out treatment, payment, or health care operations.

4. Revise § 2.3 to read as follows:

§ 2.3
Civil and criminal penalties for violations.

(a) Penalties. Any person who violates any provision of 42 U.S.C. 290dd–2(a)–(d), shall be subject to the applicable penalties under sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 1320d–5 and 1320d–6.

(b) Limitation on criminal or civil liability. A person who is acting on behalf of an investigative agency having jurisdiction over the activities of a part 2 program or other person holding records under this part (or employees or agents of that part 2 program or person holding the records) shall not incur civil or criminal liability under 42 U.S.C. 290dd–2(f) for use or disclosure of such records inconsistent with this part that occurs while acting within the scope of their employment in the course of investigating or prosecuting a part 2 program or person holding the record, if the person or investigative agency demonstrates that the following conditions are met:

(1) Before presenting a request, subpoena, or other demand for records, or placing an undercover agent or informant in a health care practice or provider, as applicable, such person acted with reasonable diligence to determine whether the regulations in this part apply to the records, part 2 program, or other person holding records under this part. Reasonable diligence means taking all of the following actions where it is reasonable to believe that the practice or provider provides substance use disorder diagnostic, treatment, or referral for treatment services:

(i) Searching for the practice or provider among the substance use disorder treatment facilities in the online treatment locator maintained by the Substance Abuse and Mental Health Services Administration.

(ii) Searching in a similar state database of treatment facilities where available.

(iii) Checking a provider's publicly available website, where available, or its physical location to determine whether in fact such services are provided.

(iv) Viewing the provider's Patient Notice or the Health Insurance Portability and Accountability Act (HIPAA) Notice of Privacy Practices (NPP) if it is available online or at the physical location.

(v) Taking all these actions within a reasonable period of time (no more than 60 days) before requesting records from, or placing an undercover agent or informant in, a health care practice or provider.

(2) The person followed all of the applicable provisions in this part for any use or disclosure of the received records under this part that occurred, or will occur, after the person or investigative agency knew, or by exercising reasonable diligence would have known, that it received records under this part.

(c) Enforcement. The provisions of 45 CFR part 160, subparts C, D, and E, shall apply to noncompliance with this part in the same manner as they apply to covered entities and business associates for noncompliance with 45 CFR parts 160 and 164.

5. Revise § 2.4 to read as follows:

§ 2.4
Complaints of noncompliance.

(a) Receipt of complaints. A part 2 program must provide a process to receive complaints concerning the program's compliance with the requirements of this part.

(b) Right to file a complaint. A person may file a complaint to the Secretary for a violation of this part by a part 2 program, covered entity, business associate, qualified service organization, or lawful holder in the same manner as a person may file a complaint under 45 CFR 160.306 for a violation of the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

(c) Refraining from intimidating or retaliatory acts. A part 2 program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise by the patient of any right established, or for participation in any process provided for, by this part, including the filing of a complaint under this section or § 2.3(c).

(d) Waiver of rights. A part 2 program may not require patients to waive their right to file a complaint under this section or § 2.3 as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to this part.

6. Amend § 2.11 by:

a. Adding in alphabetical order definitions of “Breach”, “Business associate”, “Covered entity”, “Health care operations”, “HIPAA”, and “HIPAA regulations”;

b. Revising the introductory text in the definition of “Informant”;

c. Adding in alphabetical order definitions of “Intermediary”, “Investigative agency”, and “Lawful holder”;

d. Revising the definition of “Part 2 program director”;

e. Adding a sentence at the end of the definition of “Patient”;

f. Revising the definition of “Patient identifying information”;

g. Adding in alphabetical order the definition of “Payment”;

h. Revising the definition of “Person”;

i. Adding in alphabetical order the definition of “Personal representative”;

j. Revising paragraph (1) in the definition of “Program”;

k. Adding in alphabetical order the definition of “Public health authority”;

l. Revising the introductory text and paragraph (2) introductory text and adding paragraph (3) in the definition of “Qualified service organization”;

l. Revising the definitions of “Records” and “Substance use disorder”;

m. Adding in alphabetical order the definition of “Substance use disorder (SUD) counseling notes”;

n. Revising the definitions of “Third-party payer”, “Treating provider relationship”, and “Treatment”;

o. Adding in alphabetical order definitions of “Unsecured protected health information”, “Unsecured record”, and “Use”.

The revisions and additions read as follows:

§ 2.11
Definitions.

Breach has the same meaning given that term in 45 CFR 164.402.

Business associate has the same meaning given that term in 45 CFR 160.103.

Covered entity has the same meaning given that term in 45 CFR 160.103.

Health care operations has the same meaning given that term in 45 CFR 164.501.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104–191, as amended by the privacy and security provisions in subtitle D of title XIII of the Health Information Technology for Economic and Clinical Health Act, Public Law 111–5 (“HITECH Act”).

HIPAA regulations means the regulations at 45 CFR parts 160 and 164 (commonly known as the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules or “HIPAA Rules”).

Informant means a person:

Intermediary means a person, other than a part 2 program, covered entity, or business associate, who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.

Investigative agency means a Federal, state, Tribal, territorial, or local administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding records under this part.

Lawful holder means a person who is bound by this part because they have received records as the result of one of the following:

(1) Written consent in accordance with § 2.31 with an accompanying notice of disclosure.

(2) One of the exceptions to the written consent requirements in 42 U.S.C. 290dd–2 or this part.

Part 2 program director means:

(1) In the case of a part 2 program that is a natural person, that person.

(2) In the case of a part 2 program that is an entity, the person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer of the part 2 program.

Patient * * * In this part where the HIPAA regulations apply, patient means an individual as that term is defined in 45 CFR 160.103.

Patient identifying information means the name, address, Social Security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information.

Payment has the same meaning given that term in 45 CFR 164.501.

Person has the same meaning given that term in 45 CFR 160.103.

Personal representative means a person who has authority under applicable law to act on behalf of a patient who is an adult or an emancipated minor in making decisions related to health care. Within this part, a personal representative would have authority only with respect to patient records relevant to such personal representation.

Program * * *

(1) A person (other than a general medical facility) that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

Public health authority has the same meaning given that term in 45 CFR 164.501.

Qualified service organization means a person who:

(2) Has entered into a written agreement with a part 2 program under which that person:

(3) Qualified service organization includes a person who meets the definition of business associate in 45 CFR 160.103, paragraphs (1), (2), and (3), for a part 2 program that is also a covered entity, with respect to the use and disclosure of protected health information that also constitutes a “record” as defined by this section.

Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts), and including patient identifying information, provided, however, that information conveyed orally by a part 2 program to a provider who is not subject to this part for treatment purposes with the consent of the patient does not become a record subject to this part in the possession of the provider who is not subject to this part merely because that information is reduced to writing by that provider who is not subject to this part. Records otherwise transmitted by a part 2 program to a provider who is not subject to this part retain their characteristic as records in the hands of the provider who is not subject to this part, but may be segregated by that provider.

Substance use disorder (SUD) means a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of the regulations in this part, this definition does not include tobacco or caffeine use.

Substance use disorder (SUD) counseling notes means notes recorded (in any medium) by a part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private SUD counseling session or a group, joint, or family SUD counseling session and that are separated from the rest of the patient's SUD and medical record. SUD counseling notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Third-party payer means a person, other than a health plan as defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient's family or on the basis of the patient's eligibility for Federal, state, or local governmental benefits.

Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

(1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and

(2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.

Treatment has the same meaning given that term in 45 CFR 164.501.

Unsecured protected health information has the same meaning given that term in 45 CFR 164.402.

Unsecured record means any record, as defined in this part, that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111–5, section 13402(h)(2).

Use means, with respect to records, the sharing, employment, application, utilization, examination, or analysis of the information contained in such records that occurs either within an entity that maintains such information or in the course of civil, criminal, administrative, or legislative proceedings as described at 42 U.S.C. 290dd–2(c).

7. Amend § 2.12 by:

a. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and (a)(2);

b. Revising paragraph (b)(1);

c. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5) introductory text, and (c)(6);

d. Revising paragraphs (d)(1) and (2); and

e. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).

The revisions read as follows:

§ 2.12
Applicability.

(a) * * *

(1) Restrictions on use and disclosure. The restrictions on use and disclosure in the regulations in this part apply to any records which:

(ii) Contain substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or contain alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.

(2) Restriction on use or disclosure. The restriction on use or disclosure of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd–2(c)) applies to any information, whether or not recorded, which is substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or is alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.

(b) * * *

(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (2) of this section relating to the Department of Veterans Affairs and the Uniformed Services);

(c) * * *

(2) Uniformed Services. The regulations in this part apply to any information described in paragraph (a) of this section which was obtained by any component of the Uniformed Services during a period when the patient was subject to the Uniform Code of Military Justice except:

(i) Any interchange of that information within the Uniformed Services and within those components of the Department of Veterans Affairs furnishing health care to veterans; and

(ii) Any interchange of that information between such components and the Uniformed Services.

(3) Communication within a part 2 program or between a part 2 program and an entity having direct administrative control over that part 2 program. The restrictions on use and disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

(4) Qualified service organizations. The restrictions on use and disclosure in the regulations in this part do not apply to the communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to or on behalf of the program.

(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on use and disclosure in the regulations in this part do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:

(6) Reports of suspected child abuse and neglect. The restrictions on use and disclosure in the regulations in this part do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their use and disclosure for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.

(d) * * *

(1) Restriction on use and disclosure of records. The restriction on the use and disclosure of any record subject to the regulations in this part to initiate or substantiate criminal charges against a patient or to conduct any criminal investigation of a patient, or to use in any civil, criminal, administrative, or legislative proceedings against a patient, applies to any person who obtains the record from a part 2 program, covered entity, business associate, intermediary, or other lawful holder, regardless of the status of the person obtaining the record or whether the record was obtained in accordance with subpart E of this part. This restriction on use and disclosure bars, among other things, the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or state court, reliance on the record or testimony to inform any decision or otherwise be taken into account in any proceeding before a Federal, state, or local agency, the use of such record or testimony by any Federal, state, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and the use of such record or testimony in any application for a warrant, absent patient consent or a court order in accordance with subpart E of this part. Records obtained by undercover agents or informants, § 2.17, or through patient access, § 2.23, are subject to the restrictions on uses and disclosures.

(2) Restrictions on uses and disclosures —(i) Third-party payers, administrative entities, and others. The restrictions on use and disclosure in the regulations in this part apply to:

(A) Third-party payers, as defined in this part, with regard to records disclosed to them by part 2 programs or under § 2.31(a)(4)(i);

(B) Persons having direct administrative control over part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the part 2 program under paragraph (c)(3) of this section; and

(C) Persons who receive records directly from a part 2 program, covered entity, business associate, intermediary, or other lawful holder of patient identifying information and who are notified of the prohibition on redisclosure in accordance with § 2.32. A part 2 program, covered entity, or business associate that receives records based on a single consent for all treatment, payment, and health care operations is not required to segregate or segment such records.

(ii) Documentation of SUD treatment by providers who are not part 2 programs. Notwithstanding paragraph (d)(2)(i)(C) of this section, a treating provider who is not subject to this part may record information about a SUD and its treatment that identifies a patient. This is permitted and does not constitute a record that has been redisclosed under this part. The act of recording information about a SUD and its treatment does not by itself render a medical record which is created by a treating provider who is not subject to this part, subject to the restrictions of this part.

(e) * * *

(3) Information to which restrictions are applicable. Whether a restriction applies to the use or disclosure of a record affects the type of records which may be disclosed. The restrictions on use and disclosure apply to any records which would identify a specified patient as having or having had a substance use disorder. The restriction on use and disclosure of records to bring a civil action or criminal charges against a patient in any civil, criminal, administrative, or legislative proceedings applies to any records obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Restrictions on use and disclosure apply to recipients of records as specified under paragraph (d) of this section.)

(4) How type of diagnosis affects coverage. These regulations cover any record reflecting a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 program in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared by a part 2 program for the purpose of treatment or referral for treatment, but which is not so used, is covered by the regulations in this part. The following are not covered by the regulations in this part:

(i) Diagnosis which is made on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction solely for the purpose of providing evidence; or

8. Amend § 2.13 by:

a. Revising paragraphs (a), (b), and (c)(1); and

b. Removing paragraph (d).

The revisions read as follows:

§ 2.13
Confidentiality restrictions and safeguards.

(a) General. The patient records subject to the regulations in this part may be used or disclosed only as permitted by the regulations in this part and may not otherwise be used or disclosed in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, state, or local authority. Any use or disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the use or disclosure.

(b) Unconditional compliance required. The restrictions on use and disclosure in the regulations in this part apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a use or disclosure which is not permitted by the regulations in this part.

(c) * * *

(1) The presence of an identified patient in a health care facility or component of a health care facility that is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgment of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgment does not reveal that the patient has a substance use disorder.

9. Amend § 2.14 by revising paragraphs (a), (b)(1), (b)(2) introductory text, (b)(2)(ii), and (c) to read as follows:

§ 2.14
Minor patients.

(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for use or disclosure authorized under subpart C of this part may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. The regulations in this paragraph (a) do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to a use or disclosure that is necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.

(b) * * *

(1) Where state law requires consent of a parent, guardian, or other person for a minor to obtain treatment for a substance use disorder, any written consent for use or disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other person authorized under state law to act on the minor's behalf.

(2) Where state law requires parental consent to treatment, the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf only if:

(ii) The minor lacks the capacity to make a rational choice regarding such consent as determined by the part 2 program director under paragraph (c) of this section.

(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other person may be disclosed to the parent, guardian, or other person authorized under state law to act on the minor's behalf if the part 2 program director determines that:

(1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other person authorized under state law to act on the minor's behalf; and

(2) The minor applicant's situation poses a substantial threat to the life or physical well-being of the minor applicant or any other person which may be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf.

10. Amend § 2.15 by revising the section heading and paragraphs (a) and (b)(2) to read as follows:

§ 2.15
Patients who lack capacity and deceased patients.

(a) Adult patients who lack capacity to make health care decisions —(1) Adjudication by a court. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to make their own health care decisions, any consent which is required under the regulations in this part may be given by the personal representative.

(2) No adjudication by a court. In the case of a patient, other than a minor or one who has been adjudicated as lacking the capacity to make health care decisions, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a use or disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer or health plan.

(b) * * *

(2) Consent by personal representative. Any other use or disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the use or disclosure is required, that consent may be given by the personal representative.

11. Revise § 2.16 to read as follows:

§ 2.16
Security for records and notification of breaches.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.

(1) Requirements for formal policies and procedures. These policies and procedures must address all of the following:

(i) Paper records, including:

(A) Transferring and removing such records;

(B) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;

(C) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;

(D) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and

(E) Rendering patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a particular patient.

(ii) Electronic records, including:

(A) Creating, receiving, maintaining, and transmitting such records;

(B) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;

(C) Using and accessing electronic records or other electronic media containing patient identifying information; and

(D) Rendering the patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.

(2) Exception for certain lawful holders. Family, friends, and other informal caregivers who are lawful holders as defined in this part are not required to comply with paragraph (a) of this section.

(b) The provisions of 45 CFR part 160 and subpart D of 45 CFR part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.

12. Amend § 2.17 by revising paragraph (b) to read as follows:

§ 2.17
Undercover agents and informants.

(b) Restriction on use and disclosure of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used or disclosed to criminally investigate or prosecute any patient.

13. Amend § 2.19 by:

a. Revising paragraphs (a)(1) and (2);

b. Adding paragraph (a)(3);

c. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory text, (b)(1)(i)(A), and (b)(2).

The addition and revisions read as follows:

§ 2.19
Disposition of records by discontinued programs.

(a) * * *

(1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party);

(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program; or

(3) The part 2 program is transferred, retroceded, or reassumed pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), 25 U.S.C. 5301 et seq., and its implementing regulations in 25 CFR part 900.

(b) * * *

(1) Records in non-electronic (e.g., paper) form must be:

(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”.

(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable.

(2) All of the following requirements apply to records in electronic form:

(i) Records must be:

(A) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or

(B) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key.

(ii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in paragraph (b)(2)(i)(A) of this section or the original and backup electronic media specified in paragraph (b)(2)(i)(B) of this section, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.

(iii) The portable electronic device or the original and backup electronic media must be:

(A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and

(B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information (e.g., climate-controlled environment).

(iv) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt.

(v) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16.
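The electronic disposition procedure in paragraph (b)(2) above, worked through as an added Go example that is not part of the rule or of any program's own software: it seals a constructed record set with AES-256-GCM so the data at rest has no meaning without the key, binds the required container label to the ciphertext, keeps an access control list naming the responsible person who may decrypt, and sanitizes the source file. The type and function names (Label, Archive, Seal, Open, Sanitize), the sample records and the "[citation]" placeholder are assumptions for illustration; the rule prescribes none of them, and the zero-fill in Sanitize stands in for whatever media sanitization method the program's § 2.16 policies specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
)

// Label carries the three fill-ins of the container label in § 2.19(b)(2)(iii)(A).
type Label struct {
	Program     string // name of the discontinued program
	Authority   string // statute, regulation, court order or other authority requiring retention
	RetainUntil string // latest date the records must be kept
}

func (l Label) String() string {
	return fmt.Sprintf("Records of %s required to be maintained under %s until a date not later than %s", l.Program, l.Authority, l.RetainUntil)
}

// Archive is the sealed record set: ciphertext, label, and the access control list of responsible persons.
type Archive struct {
	Label      Label
	AccessList []string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key; per (b)(2)(iv) it is stored apart from the archive.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts records at rest; the label is bound as associated data, so an altered label no longer decrypts.
func Seal(records, key []byte, label Label, responsible ...string) (*Archive, error) {
	if len(responsible) == 0 {
		return nil, errors.New("access control list must name a responsible person")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, records, []byte(label.String()))
	return &Archive{Label: label, AccessList: responsible, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts the archive only for a requester named on the access control list.
func Open(a *Archive, key []byte, requester string) ([]byte, error) {
	allowed := false
	for _, p := range a.AccessList {
		allowed = allowed || p == requester
	}
	if !allowed {
		return nil, fmt.Errorf("%q is not on the access control list", requester)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, []byte(a.Label.String()))
}

// Sanitize zero-fills the source file and removes it, standing in for the media sanitization the
// program's § 2.16 policies prescribe (a file overwrite alone does not clear flash or journaled storage).
func Sanitize(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if err := os.WriteFile(path, make([]byte, info.Size()), info.Mode()); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	records := []byte("patient-id,admitted\n0001,2023-01-15\n") // constructed sample, not real data
	key, _ := NewKey()
	archive, _ := Seal(records, key, Label{"Example Program", "[citation]", "2030-12-31"}, "records custodian")
	plain, err := Open(archive, key, "records custodian")
	fmt.Printf("%s\ndecrypted %d bytes, err=%v\n", archive.Label, len(plain), err)
}
```

Keeping the key apart from the archive, as paragraph (b)(2)(iv) requires, is a deployment matter the code leaves to the caller: the archive goes on one medium and the key on another, never on the same device. Binding the label as associated data means a relabelled container (for example, one given a later retention date) fails to decrypt rather than silently passing, which gives the responsible person a check that the sealed container is the one that was labelled.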

14. Revise § 2.20 to read as follows:

§ 2.20
Relationship to state laws.

The statute authorizing the regulations in this part (42 U.S.C. 290dd–2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a use or disclosure permitted under the regulations in this part is prohibited under state law, neither the regulations in this part nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any use or disclosure prohibited by the regulations in this part.

15. Amend § 2.21 by revising paragraph (b) to read as follows:

§ 2.21
Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.

(b) Effect of concurrent coverage. The regulations in this part restrict the use and disclosure of information about patients, while administrative action taken under the research privilege statutes and implementing regulations in paragraph (a) of this section protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes.

16. Revise § 2.22 to read as follows:

§ 2.22
Notice to patients of Federal confidentiality requirements.

(a) Notice required. At the time of admission to a part 2 program or, in the case that a patient does not have capacity upon admission to understand their medical status, as soon thereafter as the patient attains such capacity, each part 2 program shall inform the patient that Federal law protects the confidentiality of substance use disorder patient records.

(b) Content of notice. In addition to the communication required in paragraph (a) of this section, a part 2 program shall provide notice, written in plain language, of the program's legal duties and privacy practices, as specified in this paragraph (b).

(1) Required elements. The notice must include the following content:

(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed.

Notice of Privacy Practices of [Name of Part 2 Program]

This notice describes:

  • HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
  • YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
  • HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION

YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS.

(ii) Uses and disclosures. The notice must contain:

(A) A description of each of the purposes for which the part 2 program is permitted or required by this part to use or disclose records without the patient's written consent.

(B) If a use or disclosure for any purpose described in paragraph (b)(1)(ii)(A) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.

(C) For each purpose described in accordance with paragraphs (b)(1)(ii)(A) and (B) of this section, the description must include sufficient detail to place the patient on notice of the uses and disclosures that are permitted or required by this part and other applicable law.

(D) A description, including at least one example, of the types of uses and disclosures that require written consent under this part.

(E) A statement that a patient may provide a single consent for all future uses or disclosures for treatment, payment, and health care operations purposes.

(F) A statement that the part 2 program will make uses and disclosures not described in the notice only with the patient's written consent.

(G) A statement that the patient may revoke written consent as provided by §§ 2.31 and 2.35.

(H) A statement that includes the following information:

(1) Records, or testimony relaying the content of such records, shall not be used or disclosed in any civil, administrative, criminal, or legislative proceedings against the patient unless based on specific written consent or a court order;

(2) Records shall only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to the patient or the holder of the record, where required by 42 U.S.C. 290dd–2 and this part; and

(3) A court order authorizing use or disclosure must be accompanied by a subpoena or other similar legal mandate compelling disclosure before the record is used or disclosed.

(iii) Separate statements for certain uses or disclosures. If the part 2 program intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(D) of this section must include a separate statement as follows:

(A) Records that are disclosed to a part 2 program, covered entity, or business associate pursuant to the patient's written consent for treatment, payment, and health care operations may be further disclosed by that part 2 program, covered entity, or business associate, without the patient's written consent, to the extent the HIPAA regulations permit such disclosure.

(B) A part 2 program may use or disclose records to fundraise for the benefit of the part 2 program only if the patient is first provided with a clear and conspicuous opportunity to elect not to receive fundraising communications.

(iv) Patient rights. The notice must contain a statement of the patient's rights with respect to their records and a brief description of how the patient may exercise these rights, as follows:

(A) Right to request restrictions of disclosures made with prior consent for purposes of treatment, payment, and health care operations, as provided in § 2.26.

(B) Right to request and obtain restrictions of disclosures of records under this part to the patient's health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to disclosures of protected health information.

(C) Right to an accounting of disclosures of electronic records under this part for the past 3 years, as provided in § 2.25, and a right to an accounting of disclosures that meets the requirements of 45 CFR 164.528(a)(2) and (b) through (d) for all other disclosures made with consent.

(D) Right to a list of disclosures by an intermediary for the past 3 years as provided in § 2.24.

(E) Right to obtain a paper or electronic copy of the notice from the part 2 program upon request.

(F) Right to discuss the notice with a designated contact person or office identified by the part 2 program pursuant to paragraph (b)(1)(vii) of this section.

(G) Right to elect not to receive fundraising communications.

(v) Part 2 program's duties. The notice must contain:

(A) A statement that the part 2 program is required by law to maintain the privacy of records, to provide patients with notice of its legal duties and privacy practices with respect to records, and to notify affected patients following a breach of unsecured records;

(B) A statement that the part 2 program is required to abide by the terms of the notice currently in effect; and

(C) For the part 2 program to apply a change in a privacy practice that is described in the notice to records that the part 2 program created or received prior to issuing a revised notice, a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for records that it maintains. The statement must also describe how it will provide patients with a revised notice.

(vi) Complaints. The notice must contain a statement that patients may complain to the part 2 program and to the Secretary if they believe their privacy rights have been violated, a brief description of how the patient may file a complaint with the program, and a statement that the patient will not be retaliated against for filing a complaint.

(vii) Contact. The notice must contain the name, or title, telephone number, and email address of a person or office to contact for further information about the notice.

(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

(2) Optional elements. (i) In addition to the content required by paragraph (b)(1) of this section, if a part 2 program elects to limit the uses or disclosures that it is permitted to make under this part, the part 2 program may describe its more limited uses or disclosures in its notice, provided that the part 2 program may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted to be made for emergency treatment.

(ii) For the part 2 program to apply a change in its more limited uses and disclosures to records created or received prior to issuing a revised notice, the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.

(3) Revisions to the notice. The part 2 program must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the patient's rights, the part 2 program's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

(c) Implementation specifications: Provision of notice. A part 2 program must make the notice required by this section available upon request to any person and to any patient; and

(1) A part 2 program must provide the notice:

(i) No later than the date of the first service delivery, including service delivered electronically, to such patient after the compliance date for the part 2 program; or

(ii) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

(2) If the part 2 program maintains a physical service delivery site:

(i) Have the notice available at the service delivery site for patients to request to take with them; and

(ii) Post the notice in a clear and prominent location where it is reasonable to expect patients seeking service from the part 2 program to be able to read the notice in a manner that does not identify the patient as receiving treatment or services for substance use disorder; and

(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.

(3) Specific requirements for electronic notice include all the following:

(i) A part 2 program that maintains a website that provides information about the part 2 program's customer services or benefits must prominently post its notice on the website and make the notice available electronically through the website.

(ii) A part 2 program may provide the notice required by this section to a patient by email, if the patient agrees to electronic notice and such agreement has not been withdrawn. If the part 2 program knows that the email transmission has failed, a paper copy of the notice must be provided to the patient. Provision of electronic notice by the part 2 program will satisfy the provision requirements of this paragraph (c) when timely made in accordance with paragraph (c)(1) or (2) of this section.

(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the part 2 program must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.

(iv) The patient who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a part 2 program upon request.

17. Amend § 2.23 by revising the section heading and paragraph (b) to read as follows:

§ 2.23
Patient access and restrictions on use and disclosure.

(b) Restriction on use and disclosure of information. Information obtained by patient access to their record is subject to the restriction on use and disclosure of records to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).

18. Add § 2.24 to subpart B to read as follows:

§ 2.24
Requirements for intermediaries.

Upon request, an intermediary must provide to patients who have consented to the disclosure of their records using a general designation, pursuant to § 2.31(a)(4)(ii)(B), a list of persons to which their records have been disclosed pursuant to the general designation.

(a) Under this section, patient requests:

(1) Must be made in writing; and

(2) Are limited to disclosures made within the past 3 years.

(b) Under this section, the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary) must:

(1) Respond in 30 or fewer days of receipt of the written request; and

(2) Provide, for each disclosure, the name(s) of the entity(ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.

19. Add § 2.25 to subpart B to read as follows:

§ 2.25
Accounting of disclosures.

(a) General rule. Subject to the limitations in paragraph (b) of this section, a part 2 program must provide to a patient, upon request, an accounting of all disclosures made with consent under § 2.31 in the 3 years prior to the date of the request (or a shorter time period chosen by the patient). The accounting of disclosures must meet the requirements of 45 CFR 164.528(a)(2) and (b) through (d).

(b) Accounting of disclosures for treatment, payment, and health care operations. (1) A part 2 program must provide a patient with an accounting of disclosures of records for treatment, payment, and health care operations only where such disclosures are made through an electronic health record.

(2) A patient has a right to receive an accounting of disclosures described in paragraph (b)(1) of this section during only the 3 years prior to the date on which the accounting is requested.

20. Add § 2.26 to subpart B to read as follows:

§ 2.26
Right to request privacy protection for records.

(a)(1) A part 2 program must permit a patient to request that the part 2 program restrict uses or disclosures of records about the patient to carry out treatment, payment, or health care operations, including when the patient has signed written consent for such disclosures.

(2) Except as provided in paragraph (a)(6) of this section, a part 2 program is not required to agree to a restriction.

(3) A part 2 program that agrees to a restriction under paragraph (a)(1) of this section may not use or disclose records in violation of such restriction, except that, if the patient who requested the restriction is in need of emergency treatment and the restricted record is needed to provide the emergency treatment, the part 2 program may use the restricted record, or may disclose information derived from the record to a health care provider, to provide such treatment to the patient.

(4) If information from a restricted record is disclosed to a health care provider for emergency treatment under paragraph (a)(3) of this section, the part 2 program must request that such health care provider not further use or disclose the information.

(5) A restriction agreed to by a part 2 program under paragraph (a) of this section is not effective under this subpart to prevent uses or disclosures required by law or permitted by this part for purposes other than treatment, payment, and health care operations.

(6) A part 2 program must agree to the request of a patient to restrict disclosure of records about the patient to a health plan if:

(i) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

(ii) The record pertains solely to a health care item or service for which the patient, or person other than the health plan on behalf of the patient, has paid the part 2 program in full.

(b) A part 2 program may terminate a restriction, if one of the following applies:

(1) The patient agrees to or requests the termination in writing.

(2) The patient orally agrees to the termination and the oral agreement is documented.

(3) The part 2 program informs the patient that it is terminating its agreement to a restriction, except that such termination is:

(i) Not effective for records restricted under paragraph (a)(6) of this section; and

(ii) Only effective with respect to records created or received after it has so informed the patient.

21. Revise the heading of subpart C to read as follows:

Subpart C—Uses and Disclosures With Patient Consent

22. Amend § 2.31 by:

a. Revising paragraphs (a) introductory text and (a)(2) through (8);

b. Adding paragraph (a)(10);

c. Redesignating paragraph (b) as paragraph (c);

d. Adding a new paragraph (b);

e. Revising newly redesignated paragraph (c); and

f. Adding paragraph (d).

The revisions and additions read as follows:

§ 2.31
Consent requirements.

(a) Required elements for written consent. A written consent to a use or disclosure under the regulations in this part may be paper or electronic and must include:

(2) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(3) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(4)(i) General requirement for designating recipients. The name(s) of the person(s), or class of persons, to which a disclosure is to be made (“recipient(s)”). For a single consent for all future uses and disclosures for treatment, payment, and health care operations, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement.

(ii) Special instructions for intermediaries. Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity is an intermediary, a written consent must include the name(s) of the intermediary(ies) and:

(A) The name(s) of the member participants of the intermediary; or

(B) A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed.

(iii) Special instructions when designating certain recipients. If the recipient is a covered entity or business associate to whom a record (or information contained in a record) is disclosed for purposes of treatment, payment, or health care operations, a written consent must include the statement that the patient's record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.

(5) A description of each purpose of the requested use or disclosure.

(i) The statement “at the request of the patient” is a sufficient description of the purpose when a patient initiates the consent and does not, or elects not to, provide a statement of the purpose.

(ii) The statement, “for treatment, payment, and health care operations” is a sufficient description of the purpose when a patient provides consent once for all such future uses or disclosures for those purposes.

(iii) If a part 2 program intends to use or disclose records to fundraise on its own behalf, a statement about the patient's right to elect not to receive any fundraising communications.

(6) The patient's right to revoke the consent in writing, except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it, and how the patient may revoke consent.

(7) An expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure. The statement “end of the treatment,” “none,” or similar language is sufficient if the consent is for a use or disclosure for treatment, payment, or health care operations. The statement “end of the research study” or similar language is sufficient if the consent is for a use or disclosure for research, including for the creation and maintenance of a research database or research repository.

(8) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who has been adjudicated as lacking the capacity to make their own health care decisions or is deceased, the signature of a person authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.

(10) A patient's written consent to use or disclose records for treatment, payment, or health care operations must include all of the following statements:

(i) The potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part.

(ii) The consequences to the patient of a refusal to sign the consent.

(b) Consent required: SUD counseling notes. (1) Notwithstanding any provision of this subpart, a part 2 program must obtain consent for any use or disclosure of SUD counseling notes, except:

(i) To carry out the following treatment, payment, or health care operations:

(A) Use by the originator of the SUD counseling notes for treatment;

(B) Use or disclosure by the part 2 program for its own training programs in which students, trainees, or practitioners in SUD treatment or mental health learn under supervision to practice or improve their skills in group, joint, family, or individual SUD counseling; or

(C) Use or disclosure by the part 2 program to defend itself in a legal action or other proceeding brought by the patient;

(ii) A use or disclosure that is required by § 2.2(b) or permitted by § 2.15(b); § 2.53 with respect to the oversight of the originator of the SUD counseling notes; § 2.63(a); § 2.64.

(2) A written consent for a use or disclosure of SUD counseling notes may only be combined with another written consent for a use or disclosure of SUD counseling notes.

(3) A part 2 program may not condition the provision to a patient of treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of a written consent for a use or disclosure of SUD counseling notes.

(c) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:

(1) Has expired;

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;

(3) Is known to have been revoked; or

(4) Is known, or through reasonable diligence could be known, by the person holding the records to be materially false.

(d) Consent for use and disclosure of records in civil, criminal, administrative, or legislative proceedings. Patient consent for use and disclosure of records (or testimony relaying information contained in a record) in a civil, criminal, administrative, or legislative investigation or proceeding cannot be combined with a consent to use and disclose a record for any other purpose.

23. Revise § 2.32 to read as follows:

§ 2.32
Notice and copy of consent to accompany disclosure.

(a) Each disclosure made with the patient's written consent must be accompanied by one of the following written statements (i.e., paragraph (a)(1) or (2) of this section):

(1) Statement 1.

This record which has been disclosed to you is protected by Federal confidentiality rules (42 CFR part 2). These rules prohibit you from using or disclosing this record, or testimony that describes the information contained in this record, in any civil, criminal, administrative, or legislative proceedings by any Federal, State, or local authority, against the patient, unless authorized by the consent of the patient, except as provided at 42 CFR 2.12(c)(5) or as authorized by a court in accordance with 42 CFR 2.64 or 2.65. In addition, the Federal rules prohibit you from making any other use or disclosure of this record unless at least one of the following applies:

(i) Further use or disclosure is expressly permitted by the written consent of the individual whose information is being disclosed in this record or as otherwise permitted by 42 CFR part 2.

(ii) You are a covered entity or business associate and have received the record for treatment, payment, or health care operations, or

(iii) You have received the record from a covered entity or business associate as permitted by 45 CFR part 164, subparts A and E.

A general authorization for the release of medical or other information is NOT sufficient to meet the required elements of written consent to further use or redisclose the record (see 42 CFR 2.31).

(2) Statement 2. “42 CFR part 2 prohibits unauthorized use or disclosure of these records.”

(b) Each disclosure made with the patient's written consent must be accompanied by a copy of the consent or a clear explanation of the scope of the consent provided.

24. Revise § 2.33 to read as follows:

§ 2.33
Uses and disclosures permitted with written consent.

(a) If a patient consents to a use or disclosure of their records consistent with § 2.31, the following uses and disclosures are permitted, as applicable:

(1) A part 2 program may use and disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.

(2) When the consent provided is a single consent for all future uses and disclosures for treatment, payment, and health care operations, a part 2 program, covered entity, or business associate may use and disclose those records for treatment, payment, and health care operations as permitted by the HIPAA regulations, until such time as the patient revokes such consent in writing.

(b) If a patient consents to a use or disclosure of their records consistent with § 2.31, the recipient may further disclose such records as provided in subpart E of this part, and as follows:

(1) When disclosed for treatment, payment, and health care operations activities to a covered entity or business associate, such recipient may further disclose those records in accordance with the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.

(2) When disclosed with consent given once for all future treatment, payment, and health care operations activities to a part 2 program that is not a covered entity or business associate, the recipient may further disclose those records consistent with the consent.

(3) When disclosed for payment or health care operations activities to a lawful holder that is not a covered entity or business associate, the recipient may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders.

(c) Lawful holders, other than covered entities and business associates, who wish to redisclose patient identifying information pursuant to paragraph (b)(3) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of this part upon receipt of the patient identifying information. In making any such redisclosures, the lawful holder must furnish such recipients with the notice required under § 2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only redisclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor, subcontractor, or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor, subcontractor, or voluntary legal representative to redisclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

25. Amend § 2.34 by revising the section heading and paragraph (b) to read as follows:

§ 2.34
Uses and disclosures to prevent multiple enrollments.

(b) Use of information in records limited to prevention of multiple enrollments. A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not use or redisclose patient identifying information for any purpose other than the prevention of multiple enrollments or to ensure appropriate coordinated care with a treating provider that is not a part 2 program unless authorized by a court order under subpart E of this part.

26. Amend § 2.35 by revising paragraphs (a) introductory text, (a)(1), (b)(3), and (d) to read as follows:

§ 2.35
Disclosures to elements of the criminal justice system which have referred patients.

(a) Consent for criminal justice referrals. A part 2 program may disclose information from a record about a patient to those persons within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:

(1) The disclosure is made only to those persons within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and

(b) * * *

(3) Such other factors as the part 2 program, the patient, and the person(s) within the criminal justice system who will receive the disclosure consider pertinent.

(d) Restrictions on use and redisclosure. Any persons within the criminal justice system who receive patient information under this section may use and redisclose it only to carry out official duties with regard to the patient's conditional release or other action in connection with which the consent was given.

27. Revise the heading of subpart D to read as follows:

Subpart D—Uses and Disclosures Without Patient Consent

28. Amend § 2.51 by revising paragraph (c)(2) to read as follows:

§ 2.51
Medical emergencies.

(c) * * *

(2) The name of the person making the disclosure;

29. Amend § 2.52 by:

a. Revising the section heading and paragraphs (a) introductory text, (a)(1) introductory text, (a)(1)(i), (a)(2), (b) introductory text, (b)(2) and (3), and (c)(1) introductory text;

b. Adding paragraph (c)(1)(iii); and

c. Removing the second paragraph (c)(2).

The revisions and addition read as follows:

§ 2.52
Scientific research.

(a) Use and disclosure of patient identifying information. Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be used or disclosed for the purposes of the recipient conducting scientific research if:

(1) The person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of data under this part, makes a determination that the recipient of the patient identifying information is:

(i) A HIPAA covered entity or business associate that has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with 45 CFR 164.508 or 164.512(i), as applicable;

(2) The part 2 program or other lawful holder of data under this part is a HIPAA covered entity or business associate, and the use or disclosure is made in accordance with the requirements at 45 CFR 164.512(i).

(b) Requirements for researchers. Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section:

(2) Must not redisclose patient identifying information except back to the person from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.

(3) May include data under this part in research reports only in aggregate form in which patient identifying information has been de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.

(c) * * *

(1) Researchers. Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(ies) holding patient identifying information must:

(iii) Ensure that patient identifying information is not redisclosed for data linkage purposes other than as provided in this paragraph (c).

30. Amend § 2.53 by:

a. Revising the section heading and paragraphs (a) introductory text, (a)(1)(ii), (b) introductory text, (b)(1)(iii), (b)(2)(ii), (c)(1) introductory text, (c)(1)(i), (e)(1) introductory text, (e)(1)(iii), (e)(5) and (6), and (f) heading; and

b. Adding paragraph (h).

The revisions and addition read as follows:

§ 2.53
Management audits, financial audits, and program evaluation.

(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any person who agrees in writing to comply with the limitations on use and redisclosure in paragraph (f) of this section and who:

(1) * * *

(ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization (QIO) performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or

(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records by any person who:

(1) * * *

(iii) Comply with the limitations on use and disclosure in paragraph (f) of this section; and

(2) * * *

(ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or

(c) * * *

(1) Activities undertaken by a Federal, state, or local governmental agency, or a third-party payer or health plan, in order to:

(i) Identify actions the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;

(e) * * *

(1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (e) of this section to any person for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the person agrees in writing to comply with the following:

(iii) Comply with the limitations on use and disclosure in paragraph (f) of this section.

(5) If a disclosure to a person is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section, the person may further use or disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may use or disclose the information to that person (or, to such person's contractors, subcontractors, or legal representatives, but only for the purposes of this section).

(6) The provisions of this paragraph (e) do not authorize the part 2 program, the Federal, state, or local government agency, or any other person to use or disclose patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in this paragraph (e).

(f) Limitations on use and disclosure. * * *

(h) Disclosures for health care operations. With respect to activities described in paragraphs (c) and (d) of this section, a part 2 program, covered entity, or business associate may disclose records in accordance with a consent that includes health care operations, and the recipient may redisclose such records as permitted under the HIPAA regulations if the recipient is a covered entity or business associate.

31. Add § 2.54 to subpart D to read as follows:

§ 2.54
Disclosures for public health.

A part 2 program may disclose records for public health purposes without patient consent so long as:

(a) The disclosure is made to a public health authority as defined in this part; and

(b) The content of the information from the record disclosed has been de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.

32. Revise the heading of subpart E to read as follows:

Subpart E—Court Orders Authorizing Use and Disclosure

33. Revise § 2.61 to read as follows:

§ 2.61
Legal effect of order.

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a use or disclosure of patient information which would otherwise be prohibited by 42 U.S.C. 290dd–2 and the regulations in this part. Such an order does not compel use or disclosure. A subpoena or a similar legal mandate must be issued to compel use or disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under the regulations in this part.

(b) Examples. (1) A person holding records subject to the regulations in this part receives a subpoena for those records. The person may not use or disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under the regulations in this part.

(2) An authorizing court order is entered under the regulations in this part, but the person holding the records does not want to make the use or disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the use or disclosure. Upon the entry of a valid subpoena or other compulsory process the person holding the records must use or disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of the regulations in this part.

34. Revise § 2.62 to read as follows:

§ 2.62
Order not applicable to records disclosed without consent to researchers, auditors, and evaluators.

A court order under the regulations in this part may not authorize persons who meet the criteria specified in §§ 2.52(a)(1)(i) through (iii) and 2.53, who have received patient identifying information without consent for the purpose of conducting research, audit, or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize use and disclosure of records to investigate or prosecute such persons who are holding the records.

35. Amend § 2.63 by revising paragraph (a)(3) to read as follows:

§ 2.63
Confidential communications.

(a) * * *

(3) The disclosure is in connection with a civil, criminal, administrative, or legislative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

36. Amend § 2.64 by revising the section heading and paragraphs (a), (b) introductory text, (d)(2), and (e) to read as follows:

§ 2.64
Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes.

(a) Application. An order authorizing the use or disclosure of patient records or testimony relaying the information contained in the records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the use or disclosure which is sought in the course of a civil, administrative, or legislative proceeding. The application may be filed separately or as part of a pending civil action in which the applicant asserts that the patient records or testimony relaying the information contained in the records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given written consent (meeting the requirements of the regulations in this part) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice. A court order under this section is only valid when the patient and the person holding the records from whom disclosure is sought have received:

(d) * * *

(2) The public interest and need for the use or disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.

(e) Content of order. An order authorizing a use or disclosure must:

(1) Limit use or disclosure to only those parts of the patient's record, or testimony relaying those parts of the patient's record, which are essential to fulfill the objective of the order;

(2) Limit use or disclosure to those persons whose need for information is the basis for the order; and

(3) Include such other measures as are necessary to limit use or disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which use or disclosure of a patient's record, or testimony relaying the contents of the record, has been ordered.

37. Amend § 2.65 by revising the section heading and paragraphs (a), (b) introductory text, (d) introductory text, (d)(2), and (e) to read as follows:

§ 2.65
Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients.

(a) Application. An order authorizing the use or disclosure of patient records, or testimony relaying the information contained in those records, to investigate or prosecute a patient in connection with a criminal proceeding may be applied for by the person holding the records or by any law enforcement or prosecutorial official who is responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws, including administrative and legislative criminal proceedings. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise use or disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice and hearing. Unless an order under § 2.66 is sought in addition to an order under this section, an order under this section is valid only when the person holding the records has received:

(d) Criteria. A court may authorize the use and disclosure of patient records, or testimony relaying the information contained in those records, for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met:

(2) There is a reasonable likelihood that the records or testimony will disclose information of substantial value in the investigation or prosecution.

(e) Content of order. Any order authorizing a use or disclosure of patient records subject to this part, or testimony relaying the information contained in those records, under this section must:

(1) Limit use and disclosure to those parts of the patient's record, or testimony relaying the information contained in those records, which are essential to fulfill the objective of the order;

(2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records or testimony to investigation and prosecution of the extremely serious crime or suspected crime specified in the application; and

(3) Include such other measures as are necessary to limit use and disclosure to the fulfillment of only that public interest and need found by the court.

38. Amend § 2.66 by

a. Revising the section heading and paragraph (a)(1);

b. Adding paragraph (a)(3);

c. Revising paragraphs (b), (c), and (d).

The revisions and addition read as follows:

§ 2.66
Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records.

(a) * * *

(1) An order authorizing the use or disclosure of patient records subject to this part to investigate or prosecute a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records) in connection with a criminal or administrative matter may be applied for by any investigative agency having jurisdiction over the program's or person's activities.

(3) Upon discovering in good faith that it received records under this part in the course of investigating or prosecuting a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records), an investigative agency must do the following:

(i) Secure the records in accordance with § 2.16; and

(ii) Immediately cease using and disclosing the records until the investigative agency obtains a court order consistent with paragraph (c) of this section authorizing the use and disclosure of the records and any records later obtained. The application for the court order must occur within a reasonable period of time, but not more than 120 days after discovering it received records under this part; or

(iii) If the agency does not seek a court order in accordance with paragraph (a)(3)(ii) of this section, the agency must either return the records to the part 2 program or person holding the records, if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days after discovering it received records under this part; or

(iv) If the agency does not seek a court order or return the records, the agency must destroy the records in a manner that renders the patient identifying information non-retrievable, within a reasonable period of time, but not more than 120 days after discovering it received records under this part.

(v) If the agency's application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice from the court.

(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the part 2 program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of those persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with paragraph (c) of this section. If a court finds that individualized contact is impractical under the circumstances, patients may be informed of the opportunity through a substitute form of notice that the court determines is reasonably calculated to reach the patients, such as conspicuous notice in major print or broadcast media in geographic areas where the affected patients likely reside.

(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, § 2.64(e). In addition, an order under this section may be entered only if the court determines that good cause exists. To make such good cause determination, the court must find that:

(1) Other ways of obtaining the information are not available, would not be effective, or would yield incomplete information;

(2) The public interest and need for the use or disclosure outweigh the potential injury to the patient, the physician-patient relationship, and the treatment services; and

(3) For an application being submitted pursuant to paragraph (a)(3)(ii) of this section, the investigative agency has satisfied the conditions at § 2.3(b). Information from records obtained in violation of this part, including § 2.12(d), cannot be used in an application for a court order to obtain such records.

(d) Limitations on use and disclosure of patient identifying information. (1) An order entered under this section must require the deletion or removal of patient identifying information from any documents or oral testimony made available to the public.

(2) No information obtained under this section may be used or disclosed to conduct any investigation or prosecution of a patient in connection with a criminal matter, or be used or disclosed as the basis for an application for an order under § 2.65.

39. Amend § 2.67 by revising paragraphs (a), (c), (d)(3), and (e) to read as follows:

§ 2.67
Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

(a) Application. A court order authorizing the placement of an undercover agent or informant in a part 2 program as an employee or patient may be applied for by any investigative agency which has reason to believe that employees or agents of the part 2 program are engaged in criminal misconduct.

(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make such good cause determination, the court must find all of the following:

(1) There is reason to believe that an employee or agent of the part 2 program is engaged in criminal activity;

(2) Other ways of obtaining evidence of the suspected criminal activity are not available, would not be effective, or would yield incomplete evidence;

(3) The public interest and need for the placement of an undercover agent or informant in the part 2 program outweigh the potential injury to patients of the part 2 program, physician-patient relationships, and the treatment services; and

(4) For an application submitted after the placement of an undercover agent or informant has already occurred, that the investigative agency has satisfied the conditions at § 2.3(b) and only discovered that a court order was necessary after such placement occurred. Information from records obtained in violation of this part, including § 2.12(d), cannot be used in an application for a court order to obtain such records.

(d) * * *

(3) Prohibit the undercover agent or informant from using or disclosing any patient identifying information obtained from the placement except as necessary to investigate or prosecute employees or agents of the part 2 program in connection with the suspected criminal activity; and

(e) Limitation on use and disclosure of information. No information obtained by an undercover agent or informant placed in a part 2 program under this section may be used or disclosed to investigate or prosecute any patient in connection with a criminal matter or as the basis for an application for an order under § 2.65.

40. Add § 2.68 to subpart E to read as follows:

§ 2.68
Report to the Secretary.

(a) Any investigative agency covered by this part shall report to the Secretary, not later than 60 days after the end of each calendar year, to the extent applicable and practicable, on:

(1) The number of applications made under §§ 2.66(a)(3)(ii) and 2.67(c)(4) during the calendar year;

(2) The number of instances in which such applications were denied, due to findings by the court of violations of this part during the calendar year; and

(3) The number of instances in which records under this part were returned or destroyed following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii), (iv), or (v), respectively, during the calendar year.

(b) [Reserved]

Xavier Becerra,

Secretary, Department of Health and Human Services.

BILLING CODE 4153–01–P
[FR Doc. 2024–02544 Filed 2–8–24; 11:15 am]