Confidentiality of Substance Use Disorder Patient Records

Download PDF
Federal RegisterJan 18, 2017
82 Fed. Reg. 6052 (Jan. 18, 2017)

AGENCY:

Substance Abuse and Mental Health Services Administration, HHS.

ACTION:

Final rule.

SUMMARY:

The Department of Health and Human Services (HHS) is issuing this final rule to update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records regulations and facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. These modifications also help clarify the regulations and reduce unnecessary burden.

DATES:

Effective date: This final rule is effective February 17, 2017.

FOR FURTHER INFORMATION CONTACT:

Danielle Tarino, Telephone number: (240) 276-2857, Email address: PrivacyRegulations@samhsa.hhs.gov.

SUPPLEMENTARY INFORMATION:

Preamble Table of Contents

I. Executive Summary

A. Purpose of the Regulatory Action

B. Summary of the Major Provisions

C. Summary of Impacts

II. Background

A. Significant Technology Changes

B. Statutory and Rulemaking History

III. Overview of the Final Rule

IV. Effective Date

V. Discussion of Public Comments and Final Modifications to 42 CFR part 2

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule

a. General Support for the Proposed Rule

b. General Opposition to the Proposed Rule

2. The Proposed Rule Did Not Go Far Enough To Facilitate Information Exchange

3. Final Rule Should Balance Patient Protections With Enhanced Information Exchange

4. Part 2 Should Align With the Health Insurance Portability and Accountability Act

B. Statutory Authority (§ 2.1)

C. Reports of Violations (§ 2.4)

D. Definitions (§ 2.11)

1. New Definitions

a. Part 2 Program

b. Part 2 Program Director

c. Substance Use Disorder

d. Treating Provider Relationship

e. Withdrawal Management

2. Existing Definitions

a. Central Registry

b. Disclose or Disclosure

c. Maintenance Treatment

d. Member Program

e. Patient

f. Patient Identifying Information

g. Person

h. Program

i. Qualified Service Organization

j. Records

k. Treatment

3. Terminology Changes

4. Other Comments on Definitions

E. Applicability (§ 2.12)

F. Confidentiality Restrictions and Safeguards (§ 2.13)

1. Delayed Implementation of List of Disclosures Provision

2. Responsibilities Under the List of Disclosures Process

3. Technological Challenges and Burden of the List of Disclosures Provision

4. Recommendations to Further Protect Patient Privacy

5. Other Comments and Recommendations on the List of Disclosures Provision

G. Security for Records (§ 2.16)

H. Disposition of Records by Discontinued Programs (§ 2.19)

I. Notice to Patients of Federal Confidentiality Requirements (§ 2.22)

J. Consent Requirements (§ 2.31)

1. General Comments on Consent Requirements

a. General

b. Consent Form Validity Period

c. Technical Challenges to Proposed Consent Requirements

d. Requests for Exemptions and Exceptions

e. Commenter Recommendations

2. To Whom

a. General

b. Determination of Treating Provider Relationship

c. Requests for Clarification

d. Commenter Recommendations

e. Proposed Alternative Approach for “To Whom” Section

3. Amount and Kind

a. General

b. Impact of the Amount and Kind Requirement on Providers and Patients

c. Required Substance Use Disorder Information on Consent Forms

d. Requests for Clarification

4. From Whom

5. New Requirements

K. Prohibition on Re-Disclosure (§ 2.32)

1. General

2. Impact of Re-Disclosure Prohibition on Patient Privacy and Patient Choice

3. Disclosure of Information that May Indicate a Substance Use Disorder

4. Technical Challenges in Preventing Unauthorized Re-Disclosure

5. Requests for Clarification of the Re-Disclosure Prohibition

6. Recommendations to Improve the Prohibition on Re-Disclosure

L. Disclosures to Prevent Multiple Enrollments (§ 2.34)

M. Medical Emergencies (§ 2.51)

1. General

2. Definition of “Bona Fide Medical Emergency”

3. Documentation of Medical Emergency

4. Other Comments on Medical Emergency

N. Research (§ 2.52)

1. General

2. Suggestions for Improvement of the Research Provisions

3. HIPAA and HHS Common Rule Requirements

4. Data Linkages

5. Multi-Payer Claims Database

O. Audit and Evaluation (§ 2.53)

P. Other Public Comments on the Proposed Rule

1. Requests to Extend the Public Comment Period

2. Rulemaking Process

3. Implementation Timeline and Other Barriers to Implementation

4. Educational Opportunities

5. Increased Enforcement

6. Other Miscellaneous Comments on the Proposed Rule

VI. Rulemaking Analyses

A. Paperwork Reduction Act

B. Regulatory Impact Analysis

C. Regulatory Flexibility Act

D. Unfunded Mandates Reform Act

E. Federalism (Executive Order 13132)

Acronyms

ACO Accountable Care Organization

ABAM American Board of Addiction Medicine

ADAMHA Alcohol, Drug Abuse and Mental Health Administration

APCD All Payer Claims Database

ARRA American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)

ASAM American Society of Addiction Medicine

ATR Access to Recovery

C-CDA Consolidated-Clinical Document Architecture

CCD Continuity of Care Document

CCLF Claim and Claim Line Feed

CCO Coordinated Care Organization

CFR Code of Federal Regulations

CHIP Children's Health Insurance Program

CMS Centers for Medicare & Medicaid Services

CPCMH Certified Patient-Centered Medical Home

DS4P Data Segmentation for Privacy

EHR Electronic Health Record

EQRO External Quality Review Organization

FAQ Frequently Asked Question

FAX Facsimile

FDA Food and Drug Administration

FR Federal Register

HHS Department of Health and Human Services

HIE Health Information Exchange

HIO Health Information Organization

HIPAA Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191)

HITECH Health Information Technology for Economic and Clinical Health Act of 2009 (Pub. L. 111-5, title XIII of division A and title IV of division B)

HITPC Health Information Technology Privacy Committee

IG Implementation Guide

IRB Institutional Review Board

IT Information Technology

MCO Managed Care Organization

MPCD Multi-Payer Claims Database

NCQA National Committee for Quality Assurance

NPRM Notice of Proposed Rulemaking

N-SSATS National Survey of Substance Abuse Treatment Services

OHRP Office for Human Research Protections

OMB Office of Management and Budget

ONC Office of the National Coordinator for Health Information Technology

PDMP Prescription Drug Monitoring Program

PPS Performing Provider System

QE Qualified Entity

QSO Qualified Service Organization

QSOA Qualified Service Organization Agreement

RFA Regulatory Flexibility Act

RHIO Regional Health Information Organization

SAMHSA Substance Abuse and Mental Health Services Administration

SBIRT Screening, Brief Intervention, and Referrals for Treatment

S&I Standards and Interoperability

TEDS Treatment Episode Data Set

U.S.C. United States Code

USAO United States Attorney's Office

VA Department of Veterans Affairs

I. Executive Summary

A. Purpose of the Regulatory Action

The laws and regulations governing the confidentiality of substance use disorder records were written out of great concern about the potential use of substance use disorder information against individuals, causing individuals with substance use disorders not to seek needed treatment. The disclosure of records of individuals with substance use disorders has the potential to lead to a host of negative consequences, including: Loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration. The purpose of the regulations at title 42 of the Code of Federal Regulations (CFR) part 2 (42 CFR part 2) is to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment. Now, more than 29 years since the part 2 regulations were last substantively amended, this final rule makes policy changes to the regulations to better align them with advances in the U.S. health care delivery system while retaining important privacy protections.

Need for Regulatory Action

The last substantive update to these regulations was in 1987. Over the last 29 years, significant changes have occurred within the U.S. health care system that were not envisioned by the current (1987) regulations, including new models of integrated care that are built on a foundation of information sharing to support coordination of patient care, the development of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement within the health care system. SAMHSA wants to ensure that patients with substance use disorders have the ability to participate in, and benefit from health system delivery improvements, including from new integrated health care models while providing appropriate privacy safeguards. These new integrated models are foundational to HHS's delivery system reform goals of better care, smarter spending, and healthier people.

Legal Authority for Regulatory Action

This final rule revises 42 CFR part 2, Confidentiality of Alcohol and Drug Abuse Patient Records regulations. The authorizing statute, Title 42, United States Code (U.S.C.) 290dd-2, protects the confidentiality of the records containing the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse (now referred to as substance use disorder) education, prevention, training, treatment, rehabilitation, or research. Title 42 of the CFR part 2 was first promulgated in 1975 (40 FR 27802) and last substantively updated in 1987 (52 FR 21796).

B. Summary of the Major Provisions

Proposed modifications to 42 CFR part 2 were published as a Notice of Proposed Rulemaking (NPRM) on February 9, 2016 (81 FR 6988). After consideration of the public comments received in response to the NPRM, SAMHSA is issuing this final rule amending 14 major provisions of 42 CFR part 2, as follows:

Statutory authority for confidentiality of substance use disorder patient records (§ 2.1) combines old § 2.1 (Statutory authority for confidentiality of drug abuse patient records), and § 2.2 (Statutory authority for confidentiality of alcohol abuse patient records) and deleting references to 42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3, as these U.S.C. sections were omitted by Public Law 102-321 and combined and renamed into Section 290dd-2, Confidentiality of records. Because SAMHSA combined former §§ 2.1 and 2.2 into § 2.1, we redesignated §§ 2.2 through 2.5 accordingly.

Reports of violations (§ 2.4) revises the requirement for reporting violations of these regulations by methadone programs (now referred to as opioid treatment programs) to the Food and Drug Administration (FDA) because the authority over these programs was transferred from the FDA to the Substance Abuse and Mental Health Services Administration (SAMHSA) in 2001.

Definitions (§ 2.11) revises some existing definitions, adds new definitions of key terms that apply to 42 CFR part 2, and consolidates all but one of the definitions that are currently in other sections into § 2.11 (e.g., the definition of “Minor” previously found in § 2.14(a)). We revised the definitions of “Central registry,” “Disclose or disclosure,” “Maintenance treatment,” “Member program,” “Patient,” “Patient identifying information,” “Person,” “Program,” “Qualified service organization (QSO),” “Records,” and “Treatment.” We also added definitions of “Part 2 program,” “Part 2 program director,” “Substance use disorder,” “Treating provider relationship,” and “Withdrawal management,” some of which replaced existing definitions. In addition, SAMHSA revised the regulatory text to use terminology in a consistent manner. The following definitions were not revised substantively: “Diagnosis,” “Informant,” “Minor,” “Third-party payer,” and “Undercover agent.”

Applicability (§ 2.12) continues to apply the 42 CFR part 2 regulations to a program that is federally assisted and holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. Most changes to the applicability of the part 2 regulations result from SAMHSA's decision not to finalize one of its proposed changes to the definition of “Program” (see § 2.11, Definitions). Whereas the NPRM definition of “Program” included, under certain conditions, “general medical practices” in addition to “general medical facilities,” the definition in this final rule is limited to “general medical facilities.” However, consistent with the NPRM, the definition of “Program” continues to use the term “general medical facility” rather than both “general medical facility” and “general medical care facility” that were used interchangeably in the 1987 final rule definition of “Program.” For example, an identified unit within a general medical facility is subject to part 2 if it holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. In addition, if the primary function of medical personnel or other staff in a general medical facility is the provision of such services and they are identified as providing such services, they are considered a “Program” and, thus, subject to part 2. This final rule revises § 2.12(d)(2)(i)(C) so that restrictions on disclosures also apply to individuals or entities who receive patient records from other lawful holders of patient identifying information, such that patient records subject to the part 2 regulations include substance use disorder records maintained by part 2 programs, as well as those records in the possession of “other lawful holders of patient identifying information.”

Confidentiality restrictions and safeguards (§ 2.13) adds a requirement that, upon request, patients who have included a general designation in the “To Whom” section of their consent form (see § 2.31) must be provided a list of entities (referred to as a List of Disclosures) to which their information has been disclosed pursuant to the general designation.

Security for records (§ 2.16) clarifies that this section requires both part 2 programs and other lawful holders of patient identifying information to have in place formal policies and procedures addressing security, including sanitization of associated media, for both paper and electronic records.

Disposition of records by discontinued programs (§ 2.19) addresses both paper and electronic records. SAMHSA also added requirements for sanitizing associated media.

In Section I., Notice to Patients of Federal Confidentiality Requirements (§ 2.22), SAMHSA clarifies that the written summary of federal law and regulations may be provided to patients in either paper or electronic format. SAMHSA also revised § 2.22 to require the statement regarding the reporting of violations include contact information for the appropriate authorities.

Consent requirements (§ 2.31) permits, in certain circumstances, a patient to include a general designation in the “To Whom” section of the consent form, in conjunction with requirements that the consent form include an explicit description of the amount and kind of substance use disorder treatment information that may be disclosed. SAMHSA decided not to finalize its proposed changes to the “From Whom” section, but did make minor updates to the terminology in the text. SAMHSA also revised § 2.31 to require the part 2 program or other lawful holder of patient identifying information to include a statement on the consent form when using a general designation in the “To Whom” section of the consent form that patients have a right to obtain, upon request, a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13). In addition, SAMHSA revised § 2.31 to permit electronic signatures to the extent that they are not prohibited by any applicable law.

In Section K., Prohibition on Re-disclosure (§ 2.32), SAMHSA clarifies that the prohibition on re-disclosure only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the part 2 program to be re-disclosed, if permissible under other applicable laws.

Disclosures to prevent multiple enrollments (§ 2.34) modernizes the terminology and definitions and moves the definitions to § 2.11 (Definitions).

Medical emergencies (§ 2.51) revises the medical emergency exception to make it consistent with the statutory language and to give providers more discretion to determine when a “bona fide medical emergency” exists.

Research (§ 2.52) revises the research exception to permit data protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data if the researcher provides documentation of meeting certain requirements related to other existing protections for human research. SAMHSA also revised § 2.52 to address data linkages to enable researchers holding part 2 data to obtain linkages to other datasets, provided that appropriate safeguards are in place as outlined in section 2.52.

Audit and evaluation (§ 2.53) modernizes the requirements to include provisions governing both paper and electronic patient records. SAMHSA also revised § 2.53 to permit an audit or evaluation necessary to meet the requirements of a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), under certain conditions.

The other sections in 42 CFR part 2 that are not referenced above are not addressed in this final rule nor were they discussed in the NPRM because SAMHSA is maintaining their content substantively unchanged from the 1987 final rule.

C. Summary of Impacts

In the first year that the final rule is in effect, we estimate that the total costs associated with updates to 42 CFR part 2 will be roughly $70,691,000. In year two we estimate that costs will be $17,680,000, and increase annually as a larger share of entities implement List of Disclosures requirements and respond to disclosure requests. Over the 10-year period of 2016-2025, the total undiscounted cost of the part 2 changes will be about $241 million in 2016 dollars. When future costs are discounted at 3 percent or 7 percent per year, the total costs become approximately $217,586,000 or $193,098,000, respectively. These costs are presented in the tables below.

Costs associated with the 42 CFR part 2 final rule, include: updates to health IT system costs, costs for staff training and updates to training curricula, costs to update patient consent forms, costs associated with providing patients a list of entities to which their information has been disclosed pursuant to a general designation on the consent form (i.e., the List of Disclosures requirement), and implementation costs associated with the List of Disclosures requirements. We assumed that costs associated with modifications to existing health IT systems, staff training costs associated with updating staff training materials, and costs to update consent forms will be one-time costs the first year the final rule is in effect and will not carry forward into future years. Staff training costs other than those associated with updating training materials are assumed to be ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in effect. The List of Disclosures costs are assumed to be ongoing annual costs to entities named on a consent form that disclose patient identifying information to their participants under the general designation. Costs associated with the List of Disclosures provision are limited to implementation costs for entities that chose to upgrade their health IT systems in order to comply with the List of Disclosures requirements. Several provisions in the final rule reference other lawful holders of patient identifying information in combination with part 2 programs. These other lawful holders must comply with part 2 requirements with respect to information they maintain that is covered by part 2 regulations. However, because this group is not clearly defined with respect to the range of organizations it may include, we are unable to include estimates regarding the number and type of these organizations and are only including part 2 programs in this analysis.

The benefits of modernizing the part 2 regulations is to increase opportunities for individuals with substance use disorders to participate in new and emerging health and health care models and health information technology (IT). The final rule will facilitate the sharing of information within the health care system to support new models of integrated health care which, among other things, improve patient safety while maintaining or strengthening privacy protections for individuals seeking treatment for substance use disorders. Moreover, as patients are allowed, in certain circumstances, to include a general designation in the “To Whom” section of the consent form, we anticipate there will be more individuals with substance use disorders participating in organizations that facilitate the exchange of health information (e.g., health information exchanges (HIEs)) and organizations that coordinate care (e.g., ACOs and coordinated care organizations (CCOs)), leading to increased efficiency and quality in the provision of health care for this population. In addition, the revisions to the research provision (§ 2.52) will allow additional scientific research to be conducted that will facilitate continual quality improvement of part 2 programs and the important services they offer.

II. Background

A. Significant Technology Changes

Since the promulgation of 42 CFR part 2, significant technology changes have impacted the delivery of health care. The Office of the National Coordinator for Health Information Technology (ONC) was established as an office within HHS under Executive Order 13335 on April 27, 2004. Subsequently, on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5) expanded the Department's health IT work, including the expansion of ONC's authority and the provision of federal funds for ONC's activities consistent with the development of a nationwide health IT infrastructure. This work included the certification of health IT; the authorization of CMS' Electronic Health Record (EHR) Incentive Program, including payments to eligible providers for the adoption and meaningful use of certified EHR technology; and numerous other federal agencies' programs—all of which served the objective of ensuring patient health information is secure, private, accurate, and available where and when needed. SAMHSA's role in encouraging the use of health IT by behavioral health (substance use disorder and mental health) providers, included: (1) Collaborating with ONC to develop two sets of Frequently Asked Questions (FAQs) and convening a number of stakeholder meetings to provide guidance on the application of 42 CFR part 2 to HIE models; (2) a one-year pilot project with five state HIEs to support the exchange of health information among behavioral health and physical health providers; and (3) the Data Segmentation for Privacy (DS4P) initiative within ONC's Standards and Interoperability (S&I) Framework facilitated:

  • The development of standards to improve the interoperability of EHRs containing sensitive information that must be protected to a greater degree than other health information due to 42 CFR part 2 and similar state laws,
  • six DS4P Implementation Guide (IG) use case pilot projects including the Department of Veterans Affairs (VA)/SAMHSA Pilot that implemented all the DS4P use cases and passed all conformance tests, and
  • the development of the application branded Consent2Share, an open-source health IT solution based on DS4P which assists in consent management and data segmentation. Consent2Share is currently being used by the Prince Georges County (Maryland) Health Department to manage patient consent directives while sharing substance use disorder information with an HIE.

Despite SAMHSA's efforts, some stakeholders continued to request modernization of 42 CFR part 2 out of concern that part 2, as written in the current (1987) regulation, continues to be a barrier to the integration of substance use disorder treatment and physical health care. As noted below, SAMHSA plans to release shortly an updated version of Consent2Share with improved functionality and ability to meet List of Disclosures requirements.

B. Statutory and Rulemaking History

The Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 CFR part 2, implement Section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, as amended by Section 131 of the Alcohol, Drug Abuse and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act), Public Law 102-321 (July 10, 1992). The regulations were promulgated as a final rule on July 1, 1975 (40 FR 27802). In 1980, the Department invited public comment on 15 substantive issues arising out of its experience interpreting and implementing the regulations (45 FR 53). More than 450 public responses to that invitation were received and taken into consideration in the preparation of a 1983 NPRM (48 FR 38758). Approximately 150 comments were received in response to the NPRM and were taken into consideration in the preparation of the final rule released on June 9, 1987 (52 FR 21798).

The Department published an NPRM again in the Federal Register (FR) on August 18, 1994 (59 FR 42561), which proposed a clarification of the definition of “Program” in the regulations. Specifically, the Department proposed to clarify that, as to general medical care facilities, these regulations cover only specialized individuals or units in such facilities that hold themselves out as providing and provide alcohol or drug abuse (now referred to as substance use disorder) diagnosis, treatment, or referral for treatment and which are federally assisted, directly or indirectly. On May 5, 1995, the final rule was released (60 FR 22296).

SAMHSA posted a document in the FR on May 12, 2014, (79 FR 26929) announcing a public Listening Session planned for June 11, 2014, to solicit feedback on the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 CFR part 2. SAMHSA accepted written comments until June 25, 2014. The Listening Session comments are posted on the SAMHSA Web site at http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations .

Prompted by the need to update and modernize the Confidentiality of Alcohol and Drug Abuse Patient Records regulations at 42 CFR part 2, on February 9, 2016, SAMHSA published an NPRM that proposed revisions to the part 2 regulations and requested public input on the proposed changes during a 60-day public comment period (81 FR 6988). Although raised in the Listening Session public comments, SAMHSA decided not to address issues pertaining to e-prescribing and Prescription Drug Monitoring Programs (PDMPs) in the NPRM because they were not ripe for rulemaking at the time due to the state of technology and because the majority of part 2 programs are not prescribing controlled substances electronically. As noted in the NPRM, SAMHSA intends to monitor developments in this area to see whether further action may be warranted in the future. SAMHSA received 376 public comment submissions on the part 2 NPRM. The comments received were detailed, thoughtful, and reflective of the complex issues addressed and balanced in the part 2 regulations. This final rule reflects SAMHSA's thorough consideration of all substantive issues raised in the public comments in response to its proposals in the NPRM.

III. Overview of the Final Rule

In this final rule, the Department finalizes the modifications to the Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR part 2, including renaming it “Confidentiality of Substance Use Disorder Patient Records.” The modifications modernize the rule by facilitating electronic exchange of substance use disorder information for treatment and other legitimate health care purposes while ensuring appropriate confidentiality protections for records that might identify an individual, directly or indirectly, as having or having had a substance use disorder.

Overview of Public Comments

We received 376 public comments from medical health care providers; behavioral health care providers; combined medical/behavioral health care providers; HIEs, ACOs, CCOs, and certified patient-centered medical homes (CPCMHs), sometimes called health homes; third-party payers; privacy/consumer advocates; medical health care provider associations; behavioral health care provider associations; accrediting organizations; researchers; individuals (with no stated affiliation); attorneys (with no stated affiliation); HIT vendors; and state/local governments. The comments ranged from general support or opposition to the proposed provisions to very specific questions or comments regarding the proposed rules.

Some comments were outside the scope of or inconsistent with SAMHSA's legal authority regarding the confidentiality of substance use disorder patient records. Likewise, other comments did not pertain to specific proposals made by SAMHSA in the NPRM. In some instances, commenters raised policy or operational issues that are best addressed through subregulatory guidance that SAMHSA will consider issuing subsequent to this final rule. Consequently, SAMHSA did not address these comments in this final rule.

Commenters have also provided SAMHSA with informative feedback on how lawful holders, including third-party payers and others within the healthcare industry, use health data or hire others to use health data on their behalf to provide operational services such as independent auditing, legal services, claims processing, plan pricing and other functions that are key to the day-to-day operation of entities subject to this rule. We have previously clarified in responses to particular questions that contracted agents of individuals and/or entities may be treated as the individual/entity. Questions raised by commenters during this rulemaking have, however, highlighted varying interpretations of the current (1987) rule's restrictions on lawful holders and their contractors' and subcontractors' use and disclosure of part 2-covered data for purposes of carrying out payment, health care operations, and other health care related activities. In consideration of this feedback and given the critical role that third-party payers, other lawful holders, and their contractors and subcontractors play in the provision of health care services, SAMHSA is issuing a supplemental notice of proposed rulemaking (SNPRM) to seek further comments and information on this matter.

IV. Effective Date

In this final rule, SAMHSA has established a single effective date of 30 days after the publication of the final rule, or February 17, 2017. On this date, the revised 42 CFR part 2 will replace the 1987 version of part 2 in the CFR and all part 2 programs and other lawful holders of patient identifying information must comply with all aspects of the regulations. In the NPRM, SAMHSA proposed that, with the exception of § 2.13(d), part 2 programs and other lawful holders of patient identifying information would have to comply with applicable requirements of the revised part 2 regulations beginning 30 days after the publication of the final rule. See Section V.D.3 below for a discussion of “other lawful holders.” We proposed that entities would not have to comply with the List of Disclosures requirements of § 2.13(d) until two-years after the effective date of the final rule. As explained below, because the right to obtain, upon request, a List of Disclosures is only available to patients who use a general designation in the “To Whom” section of the consent form, entities must only have the technical capability to provide the List of Disclosures if they take advantage of the general designation provision. Therefore, SAMHSA has revised the effective date from that proposed to avoid confusion. However, signed consent forms in place prior to the effective date of this final rule will be valid until they expire. Nonetheless, part 2 programs may update signed consent forms consistent with the final rule, prior to the effective date of the final rule if they so choose. Consents obtained after the effective date will need to comply with the final rule, regardless of whether the consents involve patient identifying information obtained prior to or after the effective date of this final rule.

Public Comments

One commenter urged that the final rule allow for implementation of the research provision (§ 2.52) immediately or shortly after the rule takes effect. Several commenters raised concerns about how to interpret the two-year delayed implementation of List of Disclosures and whether the general designation will be used during that period.

SAMHSA Response

SAMHSA acknowledges commenters' confusion regarding the proposed two-year delayed compliance date for the List of Disclosures requirements. After considering the public comments received on this point, SAMHSA realized that such a two-year delayed compliance date for the requirements of § 2.13(d) is not helpful. As explained in the “To Whom” section of the part 2-compliant consent requirements (see Section V.J.2 below), an entity that serves as an intermediary (e.g., HIE, ACO, CCO) must comply with the List of Disclosures provision in order to disclose information pursuant to a general designation provided on the consent form (see § 2.31(a)(4)(iii)(B)(3)(i)). Therefore, an entity that serves as an intermediary would be prohibited from electing to disclose information pursuant to a general designation without the ability to comply with the List of Disclosures requirement. It would not make sense to implement a two-year delayed compliance date for the List of Disclosures requirements at § 2.13(d) because the only reason an entity that serves as an intermediary would have to comply with the List of Disclosures requirements would be if they wanted to disclose information pursuant to general designations that have been included in the “To Whom” section of the patient consent form, which requires alerting patients to the fact that they have a right to request a list of entities to which their information has been disclosed (per § 2.13(d)). Thus, an entity that serves as an intermediary is prohibited from disclosing information pursuant to a general designation without having the capability to comply with the List of Disclosures requirements. For these reasons, it is not advisable to include a two-year delayed compliance date for the List of Disclosures provision. Some entities that serve as intermediaries as described by § 2.31(a)(4)(iii)(B) may elect never to disclose information pursuant to a general designation and, thus, would not need to comply with the List of Disclosures requirement. Those that choose to disclose information pursuant to general designations must ensure the capability to comply with the List of Disclosures requirements at § 2.13(d) before they disclose the information pursuant to a general designation. But there is no timeframe in which they need to comply; only the condition that if they choose to have the option of disclosing information pursuant to a general designation on a consent form, they must also be capable of providing a List of Disclosures upon request per § 2.13(d).

Regarding the suggestion to allow for implementation of the Research provision § 2.52 immediately after the final rule takes effect, SAMHSA declines to make this change. For clarity regarding part 2 compliance, the 1987 part 2 final rule remains in effect until the effective date for the 2016 part 2 regulations established in this final rule. Because of the revised definitions that impact the research provision, it would create unnecessary confusion to make effective § 2.52 before the rest of the final rule.

V. Discussion of Public Comments and Final Modifications to 42 CFR Part 2

In this section of the final rule, SAMHSA explains the finalized revisions to the part 2 regulations and responds to public comments received. If a part 2 CFR section is not addressed below, it is because SAMHSA did not propose changes to that part 2 provision and that this final rule maintains the existing language in that section. However, SAMHSA notes that in addition to the revisions discussed below, SAMHSA has made other technical, non-substantive, and nomenclature changes to various part 2 provisions. Those changes are reflected in the regulatory text at the end of this rule.

A. General Comments on the Proposed Rule

1. General Feedback on the Proposed Rule

a. General Support for the Proposed Rule

Public Comments

Many commenters expressed general support for the proposed rule, with some noting that the proposed rule would preserve the confidentiality rights of substance use disorder patients while facilitating the sharing of health information; would ensure that patients with a substance use disorder participate in, and benefit from, new integrated health care models without fear of putting themselves at risk of adverse consequences; would help reduce the stigma associated with substance use disorder; and would provide patients comfort in knowing they have control of their record.

Several commenters expressed general support for the NPRM's proposed part 2 changes to enhance integrated care and information exchange. Multiple commenters, with some stressing the need for patient privacy protections, suggested that integrated networks of care between medical and behavioral health services is current best practice and will benefit patients. Two commenters implied general support. The first of these two commenters stated that the current practice of keeping paper substance use records separate from the EHR system increases work required to maintain records, creates redundancies, and could contribute to providers missing critical information needed for treating patients. The second commenter stated that the current (1987) part 2 regulations are out of step with the health care system's rapid adoption of EHRs, its capacity to quickly exchange information (e.g., HIEs), the federal privacy and security regulations (Health Insurance and Portability and Accountability Act [HIPAA] and HITECH) governing these EHRs and exchanges, and the increasing treatment of patients' substance use in health care systems not covered by existing part 2 regulations, but by HIPAA.

Another commenter expressed support for the facilitation of electronic exchange of substance use disorder treatment information where the confidentiality protections historically afforded patients by part 2 are maintained.

A few commenters stated that the proposal would help patients with substance use disorders benefit from emerging care models that require enhanced health information exchange for better care coordination (e.g., CPCMHs, ACOs).

SAMHSA Response

SAMHSA appreciates the support for updating the regulations. This final rule is intended to modernize the part 2 regulations by facilitating the electronic exchange of substance use disorder information for treatment and other legitimate health care purposes while ensuring appropriate confidentiality protections for records that might identify an individual, directly or indirectly, as having or having had a substance use disorder. Many new integrated care models rely on interoperable health IT and these proposed changes are expected to support the integration of substance use disorder treatment into primary and other specialty care, improving the patient experience, clinical outcomes, and patient safety while at the same time ensuring patient choice, confidentiality, and privacy. Due to its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA.

b. General Opposition to the Proposed Rule

Public Comments

Some commenters expressed general opposition to the proposed rule, with some arguing that it would eliminate the right of patients to protect and control personal health information; would introduce complexity, not simplification; and would maintain the stigma surrounding drug use. One commenter warned the proposed rule would create concessions to institutional stakeholders, both providers and researchers, who find the consent requirements inconvenient and burdensome.

Many commenters requested that part 2 remain unchanged, with some stating that loosening part 2 regulations would dissuade substance use disorder patients from seeking help out of fear of how their information could be used against them or that the proposed regulations would not offer the intended protection.

Some commenters asserted that maintaining a separate set of confidentiality restrictions aimed solely at substance use disorder providers and patients perpetuates the discrimination associated with substance use disorder and ultimately negatively impacts patients and the care they receive, suggesting that issues of substance use disorder information confidentiality should be part of the broader general medical care confidentiality regulations. Others argued that the fear of discrimination is a real problem for many individuals suffering from a substance use disorder and being able to receive treatment without worrying that personal information will be leaked is crucial in helping these people get the help they need so that they can return to their communities as contributing members of society.

SAMHSA Response

SAMHSA wants to ensure that patients with substance use disorders have the ability to participate in, and benefit from, new and emerging health care models that promote integrated care and patient safety while respecting the legitimate privacy concerns of patients seeking treatment for a substance use disorder due to the potential for discrimination, harm to their reputations and relationships, and serious civil and criminal consequences. This approach is consistent with the intent of the governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR part 2, which is to protect the confidentiality of substance use disorder patient records. SAMHSA has added more flexibility to some of the consent provisions, including a range of “To Whom” consent options that includes the current (1987) “To Whom” consent requirement, but still retained core part 2 protections, including the prohibition on re-disclosure as well as requiring the “Amount and Kind” section of the consent form to include how much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed. Changes to the research provision also enable patients to benefit from advanced research protocols while still complying with part 2 protections regarding patient confidentiality. However, with these conflicting comments, as well all other comments, SAMHSA was guided by the governing statute in developing the final rule, which restricts disclosure without consent other than under a small number of exceptions

2. The Proposed Rule Did Not Go Far Enough To Facilitate Information Exchange

Public Comments

Several commenters suggested that the proposed part 2 revisions did not go far enough to facilitate information exchange and data sharing. For example, some commenters asserted that the proposed regulations would maintain previous barriers and create additional barriers that impede the sharing of information exchange and care coordination necessary to effectively treat patients who seek care in a variety of settings. A few commenters said the proposed part 2 revisions go beyond the protections intended by the statutory requirements in 42 U.S.C. 290dd-2 and suggested that the proposed changes would continue to decrease access to substance use disorder treatment and the achievement of positive health outcomes.

Citing concerns about people with substance use disorders who visit multiple health care providers to obtain medication, one commenter advocated that substance use disorder health care records should be accessible to all health care facilities for the sole purpose of better treating and rehabilitating these patients.

Other commenters requested further clarification on the regulations to ensure that coordination of care happens smoothly for all patients, especially those at the highest need of coordination, without unnecessary barriers. Citing a 2010 report from the President's Council of Advisors on Science and Technology, a couple of commenters urged SAMHSA to initiate a broad conversation among other HHS agencies to develop a granular data specification standard that enables patients to be in full control of all their health data, not just part 2 data.

Citing technological barriers, a commenter asserted that additional changes to part 2 are necessary to allow for technological solutions for sharing data. One commenter said new funding for HIEs permitted by recent CMS guidance could be maximized by more substantial revisions to part 2 that would encourage the inclusion of substance use disorder providers in HIEs. Expressing uncertainty as to whether data segmentation can be implemented effectively absent clear standards, a commenter expressed concern the result would be a two-tier system of how substance use disorder data are defined both by payers and by local and state jurisdictions that has the effect of having substance use disorder data exchanged differently depending on if the patient received services within or beyond the veil of part 2 regulation.

Some commenters suggested that the current (1987) part 2 regulation and the proposed revisions maintain a status quo of segregated substance use disorder information with minimal benefits to patients, high compliance costs, and deterrence for organizations to provide substance use treatment. Some of these commenters said the part 2 regulations keep the substance use disorder treatment system isolated from general health care providers and reduce access to substance use disorder treatment being added by general health care organizations, which, due to administrative burden and liability fears, are less likely to add substance use disorder treatment. A few of these commenters asserted that the part 2 regulations have unintended consequences, including disadvantaging persons with a substance use disorder and treatment providers because of the burdens associated with constantly updating expiring consents. One of these commenters said that the burdens caused by the part 2 regulations are particularly costly because patients with substance use disorder are among the highest cost utilizers in the health care system.

Some commenters asserted that maintaining a separate set of confidentiality restrictions aimed solely at substance use disorder providers and patients perpetuates the stigma associated with substance use disorder and ultimately negatively impacts patients and the care they receive, suggesting that issues of substance use disorder information confidentiality should be part of the broader general medical care confidentiality regulations.

Some commenters expressed concern that the proposed part 2 revisions did not address information exchange issues associated with specific types of health care services delivery, including integrated delivery systems operating with a behavioral health organization unit or department; organizations that include affiliated entities, such as jointly held and operated hospital-based systems and health insurance plans; risk-based Medicaid managed care; social service programs integrated with publicly financed health delivery systems; and combined behavioral health service delivery.

One commenter urged SAMHSA to include the release of previous substance use disorder treatment information from insurance companies to part 2 programs as disclosure permitted without consent under part 2. Another commenter expressed concern that SAMHSA did not propose an allowance under part 2 regarding appropriate disclosures by a health plan for the coordination of a health plan member's care.

Expressing concern that the proposed part 2 revisions do not address many of the issues on which SAMHSA has issued guidance with respect to health information networks, a commenter asserted that such guidance is outdated and creates unintended obstacles to the desired exchange of information on patients with substance use disorders.

SAMHSA Response

The governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR part 2 protect the confidentiality of substance use disorder patient records. Consistent with the governing statute, SAMHSA wants to ensure that patients with substance use disorders have the ability to participate in, and benefit from new and emerging health care models which promote integrated care and patient safety while respecting the legitimate privacy concerns of patients seeking treatment for a substance use disorder due to the potential for discrimination, harm to their reputations and relationships, and serious civil and criminal consequences. Toward that end, SAMHSA held a Listening Session on June 11, 2014, to solicit feedback on the Confidentiality of Alcohol and Drug Abuse Patient Records regulations. All the feedback received from the Listening Session was considered and helped to inform the development of the proposed and final rules. In addition, SAMHSA collaborated with its federal partner experts in developing this final rule.

Information exchange is addressed in both the applicability provision (§ 2.12) and the consent requirements provision (§ 2.31), among other places in this final rule. SAMHSA has added more flexibility to the “To Whom” section of the consent form, which will give patients the option to release their records to past, current, and/or future treating providers. In addition, § 2.13 requires a part 2-compliant consent form must list the date, event, or condition upon which the consent will expire, if not revoked before. Thus, it is not sufficient under part 2 for a consent form to merely state that that disclosures will be permitted until the consent is revoked by the patient. It is, however, permissible for a consent form to specify the event or condition that will result in revocation, such as having its expiration date be “upon my death.” The Applicability provision includes: “The restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are within a part 2 program; or between a part 2 program and an entity that has direct administrative control over the program.”

With this rulemaking, SAMHSA has attempted to facilitate the electronic exchange of substance use disorder treatment records while ensuring patient privacy. SAMHSA acknowledges that many EHRs and HIEs are experiencing technical barriers to segmenting or redacting substance use disorder treatment data. As a result, SAMHSA has spent several years supporting the continued development of the Consent2Share application, an open-source health IT solution based on DS4P, which assists in both consent management and data segmentation. It is designed to integrate with existing EHR and HIE systems via the developed standards. Consent2Share enables electronic implementation of various sensitive health information disclosure policies by applying the information-sharing rules needed to constrain the disclosure of sensitive data according to patient preferences. SAMHSA, in conjunction with ONC and other federal partners, also continues to support the development of data standards and IGs to further reduce technical barriers in the field.

Finally, SAMHSA has added additional information from previously issued FAQ guidance to the preamble discussion in this final rule, such as information about medical emergencies and “holds itself out,” and plans to issue additional subregulatory guidance after publication of the final rule.

3. Final Rule Should Balance Patient Protections With Enhanced Information Exchange

Public Comments

Numerous commenters emphasized that the part 2 revisions must balance patient protections with enhanced information exchange and data sharing.

Some commenters suggested that patient confidentiality should not be compromised by any updates to the part 2 regulations, reasoning that the stigma associated with having or having had a substance use disorder and the fear that this information may be used against an individual would lead them to not seek treatment. To this end, a few of these commenters cautioned SAMHSA to remain diligent in the oversight of these regulations to ensure that the information is only being conveyed to the appropriate parties with the sole intent to improve patient care. Other commenters emphasized that sharing patient information should be solely for necessary medical purposes. Another commenter argued that the interest in integrating mental health care with physical health care should not result in the erosion or elimination of the heightened privacy protections that are essential for effective mental health treatment.

A few commenters urged SAMHSA to ensure that the final rule respects patient choice for privacy in the treatment of sensitive information like substance use disorder treatment records, including the right to control how their records are disclosed, even for health and payment purposes. A commenter said the proposed part 2 changes have substantially weakened the privacy protections surrounding the sharing of a patient's substance use treatment data. One commenter stated that before an individual's health data can be accessed, there should be a specific, legitimate reason, and a careful review of the patient's set of permissions. In addition to suggesting that mental health and substance abuse records be blocked from view by any providers or staff not directly involved in the care and treatment of a patient, a commenter asserted that a patient has the right to have substance abuse and/or mental health treatment records blocked from view by even their primary care provider or nurses.

A couple of commenters asserted that it is both necessary and technologically possible to integrate substance use disorder and other health care information and effectively exchange substance use treatment data while maintaining the core protections of part 2, including consent requirements and the prohibition on re-disclosure.

Emphasizing the importance of patient confidentiality and privacy, a few commenters asserted that sacrificing the dignity and well-being of a person seeking help for a substance use disorder in the name of convenience, administrative efficiency, and research is a poor way to achieve the well-being of either the person in need or the community. One of these commenters recommended that SAMHSA delay the part 2 changes until the technology is available to protect persons with substance use disorder.

Another commenter encouraged a cautious, step-wise approach to making substance use treatment records more integrated with general medical records. This commenter expressed concern that making treatment records more accessible to other providers would exacerbate the stigmatization of substance use disorder, particularly among pregnant women, which could lead to these individuals not seeking treatment for their substance use disorder or prenatal care.

SAMHSA Response

SAMHSA reiterates its intent to ensure that patients with substance use disorders have the ability to participate in, and benefit from new and emerging health care models which promote integrated care and patient safety while respecting the legitimate privacy concerns of patients seeking treatment for a substance use disorder due to the potential for discrimination, harm to their reputations and relationships, and serious civil and criminal consequences. This approach is consistent with the intent of the governing statute (42 U.S.C. 290dd-2) and regulations at 42 CFR part 2, which is to protect the confidentiality of substance use disorder patient records.

In response to the commenters who cautioned SAMHSA to remain diligent in the oversight of these regulations, SAMHSA has the statutory authority to promulgate 42 CFR part 2, but the Department of Justice retains the authority for enforcing 42 CFR part 2. Reports of violation of these regulations may be directed to the United States Attorney for the judicial district in which the violation occurs. The report of any violations of these regulations by an opioid treatment program may be directed to United States Attorney for the judicial district in which the violation occurs as well as the SAMHSA office for opioid treatment program oversight. SAMHSA has oversight of opioid treatment programs through 42 CFR part 8. Related to oversight and compliance education, SAMHSA expects to issue FAQs as it has done in the past and develop other subregulatory guidance such as education and outreach materials.

SAMHSA has added more flexibility to some of the consent provisions but still retained core part 2 protections, including prohibition on re-disclosure as well as consent options that would continue to give patients significant control. For example, the “To Whom” section of the consent form includes an option permitting a general designation under certain circumstances. However, SAMHSA retained the option of listing the name(s) of the individual(s) to whom a disclosure is made. In addition, any disclosure made under these regulations must comply with the “Amount and Kind” of information to be disclosed and the purpose of the disclosure, as provided on a part 2-compliant consent form. Furthermore, § 2.13(a) limits the information to be disclosed to that information which is necessary to carry out the purpose of the disclosure. Moreover, a patient has the option to withhold consent to disclosure of any of their substance use disorder information.

SAMHSA is aware that technology adoption is an ongoing process and that many behavioral health providers have yet to adopt electronic health records as incentive payments have been unavailable for such purposes for these providers under the HITECH Meaningful Use Program. In addition, paper records are still used today in some part 2 programs and shared through facsimile (FAX). Therefore, in spite of advances in technology, some stakeholders are concerned that part 2, as currently written, continues to be a barrier to the integration of substance use disorder treatment and physical health care. Rather than waiting for the development and adoption of technology, SAMHSA decided to issue these final regulations to ensure that patients with substance use disorders have the ability to participate in, and benefit from new and emerging health care models which promote integrated care and patient safety while respecting the legitimate privacy concerns of patients seeking treatment for a substance use disorder due to the potential for discrimination, harm to their reputations and relationships, and serious civil and criminal consequences. SAMHSA understands the importance of not compromising patient protection, and has, in § 2.13(d) of these final regulations, required an entity that serves as an intermediary (upon request) to provide a List of Disclosures made pursuant to the general designation option. Further, as discussed later in this preamble, the general designation option may not be used until there is technical capability to provide the required List of Disclosures.

4. Part 2 Should Align With the Health Insurance Portability and Accountability Act

Public Comments

Many commenters expressed that part 2 should be aligned with HIPAA. Some commenters specifically mentioned various areas for HIPAA alignment, including the consent form; Business Associate Agreement standards; treatment, payment, and health care operations; patient-requested restrictions on disclosure; de-identification standards, medical emergencies; research; the definition of “Patient identifying information;” HIPAA penalties contained in the HITECH Act; and re-disclosure provisions. Many commenters asserted that aligning the regulations with HIPAA would help to strike an appropriate balance between protecting sensitive patient health information while providing coordinated, quality care. Many commenters urged SAMHSA to align part 2 with HIPAA to broaden the allowable sharing of data for purposes of care coordination and patient safety.

Numerous commenters urged that substance use disorder records and treatments should be held to the same level of privacy as all other health records. Other commenters raised the concern of equal access, stating that individuals with substance use disorder should have the same access to the benefits of increased care coordination as individuals without substance use disorder.

Commenters encouraged the broader harmonization of part 2, HIPAA, and HITECH into a single uniform set of standards applicable for all personal health information, including substance use disorder treatment and payment.

Some commenters asserted that HIPAA is sufficient to protect patient privacy and part 2 is no longer necessary. Some commenters also asserted that part 2 also predates the development of EHR and HIEs, and there is pressing need to reconsider these rules in light of more recent technological and legal developments. Some commenters expressed concern that complying with both part 2 and HIPAA would lead to undue administrative burden and management issues across the continuum of patient care.

A commenter recommended that SAMHSA should add the same release requirements for substance use disorder treatment as is required for psychotherapy notes under HIPAA, which are restricted from release without the client's consent. According to the commenter, this would give substance use disorder patients protections with Business Associates Agreements (instead of additional rules and forms for Qualified Service Organization Agreements [QSOAs]), notification upon breach requirements, and other rights already afforded persons receiving medical and mental health care.

Several commenters said part 2 should be as consistent as possible with HIPAA, except for the prohibition on use for investigation, prosecution, or criminal charges.

SAMHSA Response

SAMHSA noted the many comments from a wide range of commenters that requested that SAMHSA align part 2 provisions with HIPAA where possible. In some instances, SAMHSA has attempted to do so in this final rule to the extent the change was permissible under 42 U.S.C. 290dd-2. At the same time, part 2 and its governing statute are separate and distinct from HIPAA and its implementing regulations. Because of its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA.

In response to comments about alignment of this regulation with HIPAA, SAMHSA has aligned the interpretation the definition of “Patient identifying information” with HIPAA to the extent feasible. In addition, SAMHSA revised Security for records (§ 2.16) to more closely align with HIPAA.

B. Statutory Authority (§ 2.1)

SAMHSA is adopting this section as proposed. SAMHSA has combined what was §§ 2.1 (Statutory authority for confidentiality of drug abuse patient records) and 2.2 (Statutory authority for confidentiality of alcohol abuse patient records) and renamed the new § 2.1, Statutory authority for confidentiality of substance use disorder patient records. We have re-designated §§ 2.2 through 2.5 accordingly. In the new § 2.1, SAMHSA has deleted references to 42 U.S.C. 290ee-3 and 42 U.S.C. 290dd-3. Sections 290dd-3 and 290ee-3 were omitted by Public Law 102-321 and combined and renamed into Section 290dd-2, Confidentiality of records. In addition, we have deleted references to laws and regulations that have been repealed in § 2.21.

Public Comments

One commenter urged SAMHSA to assess whether existing statutory authority is adequate to modernize part 2 regulatory requirements to keep pace with existing laws and industry developments while also protecting privacy, and to discuss necessary statutory changes in the final rule. Further, the commenter recommended that SAMHSA encourage Congress to convene public hearings to evaluate proposals for statutory changes and delay issuing a final rule if pending legislative proposals are enacted that change the legal landscape for substance use disorder information and related protections.

A commenter urged SAMHSA to address the congressional action that may be needed to effectively expand the ability to provide coordinated services, such as including health and human services agencies' field staff clearly into the definition of treatment terms. A few commenters suggested that the statutory authority underlying the part 2 regulations (42 U.S.C. 290dd-2) should be revised. Another commenter asserted that the 1992 confidentiality statute should be reformed to afford patients greater protections against unlawful disclosure of their substance use disorder treatment, limit the use of information shared for non-health purposes, provide meaningful enforcement and penalties, and more effectively prevent discrimination. Another commenter recommended that modifications should be made to HIPAA to incorporate special protections and limitations for substance use information and that the part 2 regulations should be rescinded. If the intent of the part 2 changes is to prevent inappropriate adverse consequences from the disclosure of substance use disorder health data, a commenter suggested that those specific adverse consequences should be targeted with legislation reform, rather than providing a blanket privacy allowance that hides medical information from providers.

SAMHSA Response

SAMHSA does not have the authority to repeal or revise the governing statute for the regulations codified at 42 CFR part 2 nor any other statute, as that power is given to Congress. The part 2 authorizing statute, 42 U.S.C. 290dd-2, gives the Secretary broad authority to carry out the confidentiality provisions therein, but to promulgate requirements to: (1) Carry out the purposes of the legislation; (2) prevent its circumvention or evasion; and (3) facilitate its compliance. These part 2 revisions were drafted to further these three purposes while, to the extent allowable under the legislation, permitting disclosure and use to increase access to treatment and improve treatment services. The intent of the part 2 regulations and its governing statute (42 U.S.C. 290dd-2) is to protect the confidentiality of substance use disorder patient records. Because individuals seeking treatment for substance use disorders may experience a host of negative consequences, including discrimination, harm to their reputations and relationships, and possibly serious civil and criminal consequences should information regarding their treatment be improperly disclosed, there is a specific need for strong privacy protections for substance use disorder records.

C. Reports of Violations (§ 2.4)

SAMHSA is adopting this section as proposed. We have revised the requirement of reporting violations of these regulations by a methadone program to the FDA (§ 2.5(b)). The authority over methadone programs (now referred to as opioid treatment programs) was transferred from the FDA to SAMHSA in 2001 (66 FR 4076). Suspected violations of 42 CFR part 2 by opioid treatment programs may be reported to the U.S. Attorney's Office for the judicial district in which the violation occurred, as well as the SAMHSA office responsible for opioid treatment program oversight.

Public Comments

SAMHSA received no public comments on this section. This section of the final rule is adopted as proposed.

D. Definitions (§ 2.11)

SAMHSA has consolidated all of the definitions in 42 CFR part 2, with the exception the definition of the term “Federally assisted,” into a single section at § 2.11. SAMHSA has retained the definition of the term “Federally assisted” in § 2.12 (Applicability) for the purpose of clarity because it is key to understanding the applicability of the part 2 regulations. SAMHSA is adopting these structural changes as proposed in the NPRM. Specific definitions are discussed in the sections below. If a part 2 definition is not addressed below, it is because SAMHSA did not propose or make substantive changes to that definition. However, as discussed below, SAMHSA updated the terms in those definitions, as appropriate (e.g., to replace “program” with “part 2 program,” and when “alcohol abuse” and “drug abuse” were used collectively to replace it with “substance use disorder”). The definitions in the regulatory text of this final rule reflect these changes.

1. New Definitions

a. Part 2 Program

SAMHSA is adopting this definition as proposed. SAMHSA defines a “Part 2 program” as “a federally assisted program (federally assisted as defined in § 2.12(b) and program as defined in § 2.11). See § 2.12(e)(1) for examples.” We have retained the examples provided in § 2.12(e)(1) of the current (1987) regulations, with minor clarifications in § 2.12(e)(1), because they explain the part 2 applicability and coverage. SAMHSA has replaced the term “program” with “part 2 program,” where appropriate. For example, we have revised the definition of QSO, including replacing “program” with “part 2 program,” which is discussed in depth below (see Section V.D.2.i., Existing Definitions). We also replaced “program” with “part 2 program” in several other definitions, while making no additional changes.

While a couple of commenters purported to address the proposed definition of “Part 2 program,” the nature of their comments made clear that their underlying concern was how SAMHSA defined “Program” for purposes of part 2. For this reason, these comments are addressed in the discussion of the definition of “Program” below (see Section V.D.2.h).

b. Part 2 Program Director

SAMHSA is adopting this definition as proposed, except for a non-substantive technical edit. Because of the addition of the “Part 2 program” definition, we have defined a “Part 2 program director” as:

  • In the case of a part 2 program that is an individual, that individual; and
  • In the case of a part 2 program that is an entity, the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer of the part 2 program.

We have deleted the definition of “Program Director.”

Public Comments

SAMHSA received no public comments on this definition. This section of the final rule is adopted as proposed.

c. Substance Use Disorder

SAMHSA is adopting this definition as proposed, except to remove the final sentence, “Also referred to as substance abuse.” Throughout this rule, SAMHSA made revisions to refer to alcohol abuse and drug abuse collectively as “substance use disorder” but, when referring to the part 2 governing statute, we use “substance abuse” since that is the term used in 42 U.S.C. 290dd-2. SAMHSA also uses the term “substance abuse” when discussing public comments and other publications that use that term. For consistency, SAMHSA also revised the title of 42 CFR part 2 from “Confidentiality of Alcohol and Drug Abuse Patient Records” to “Confidentiality of Substance Use Disorder Patient Records.” SAMHSA has replaced “alcohol or drug abuse” with “substance use disorder” in several definitions.

While SAMHSA has deleted the definitions of “Alcohol abuse” and “Drug abuse,” we continued to use the terms “alcohol abuse” and “drug abuse” when referring to 42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3 (omitted by Pub. L. 102-321 and combined and renamed into Section 290dd-2), respectively, because they are the terms used in the statutes.

SAMHSA is defining the term “Substance use disorder” in such a manner as to cover substance use disorders that can be associated with altered mental status that has the potential to lead to risky and/or socially prohibited behaviors, including, but not limited to, substances such as, alcohol, cannabis, hallucinogens, inhalants, opioids, sedatives, hypnotics, anxiolytics, and stimulants. In addition, the “Substance use disorder” definition clarifies that, for the purposes of these regulations, the term excludes both tobacco and caffeine.

Public Comments

Several commenters expressed support for the newly defined term “substance use disorder” to replace references to alcohol and drug abuse. One commenter requested that SAMHSA clarify the scope of substance use disorder and what constitutes substance use treatment. Another commenter suggested that, in the definition of substance use disorder, protected data should be directly related to an objective measure, such as information related to specific payment or clinical diagnosis codes submitted in connection with reimbursement for services.

SAMHSA Response

The final rule adopts the definition of substance use disorder as proposed, except that the parenthetical of the proposed definition is not adopted in the final rule. Use of the term is consistent with recognized classification manuals, current diagnostic lexicon, and commonly used descriptive terminology. Moreover, SAMHSA declines to define substance use disorder treatment by specific billing or diagnostic codes in in the final rule as these codes are subject to frequent revision.

d. Treating Provider Relationship

SAMHSA is modifying the proposed definition of “Treating provider relationship” slightly to account for the situation of involuntary commitment and other situations where a patient is diagnosed, evaluated and/or treated, but may not have actually consented to such care, as discussed in greater detail below. In summary, a treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

  • A patient is, agrees to, or is legally required to be diagnosed, evaluated, and/or treated, or agrees to accept consultation, for any condition by an individual or entity, and;
  • The individual or entity undertakes or agrees to undertake diagnosis, evaluation, and/or treatment of the patient, or consultation with the patient, for any condition.

As explained in the NPRM, the term “agrees” as used in the definition does not necessarily imply a formal written agreement. An agreement might be evidenced, among other things, by making an appointment or by a telephone consultation.

It is also important to note that, based on the definition of treating provider relationship, SAMHSA considers an entity to have a treating provider relationship with a patient if the entity employs or privileges one or more individuals who have a treating provider relationship with the patient.

Public Comments

A few commenters expressed support for the proposed definition of “treating provider relationship.” One commenter supported the definition and added that this type of relationship could be a result of any action taken to schedule, refer, or order services that are related to health services to be provided in the future.

Other commenters provided suggestions to improve the definition, including specifying entities involved in identifying, evaluating, and referring for treatment any persons in need of substance use disorder services; adding related services, including social services, and consultation; accounting for patients who cannot agree or consent to the relationship; and clarifying that an individual's designated treating provider is also a treating provider for part 2 purposes, even before the patient's first appointment. A few commenters requested that HIEs, health plans, and organizations that provide care coordination be added to the definition, or that comparable definitions be provided for these entities.

A few commenters objected to the consent requirements limiting recipients to entities with a “treating provider relationship,” and suggested that the requirement be eliminated, or the term be redefined to include entities that provide care management. A few commenters also disagreed with the interpretation that equates making an appointment with an agreement to diagnose or treat.

Some commenters raised a number of questions about the definition, including whether the definition applies to each hospital in a system or to the system as a whole; whether the definition applies to Medicaid managed care programs with mandatory enrollment; whether a care coordination entity can form a treating provider relationship with an individual; and whether ancillary providers, such as laboratories, pharmacies, therapists, counselors, or mental health specialists, fall within the definition of treating provider relationship.

SAMHSA Response

A treating provider relationship, as defined in this final rule, begins when an individual seeks or receives health-related assistance from an individual or entity who may provide assistance. However, the relationship is clearly established when the individual or entity agrees to undertake diagnosis, evaluation, and/or treatment of the patient, or consultation with the patient, and the patient agrees to be treated, whether or not there has been an actual in-person encounter between the individual or entity and the patient. When a patient is not regarded as being legally competent under the laws of their jurisdiction, such as when a patient is subject to an involuntary commitment (i.e., formally committed for behavioral health treatment by a court, board, commission, or other legal authority), a treating provider relationship may be established when a patient is, agrees to, or is legally required to be provided consultation, diagnosis, evaluation, and/or treatment by an individual or entity. A treating provider relationship may be established whether or not there has been an actual in-person encounter between the individual or entity and patient. A treating provider relationship with a patient may be established by any member of the health care team as long as the relationship meets the definition of “Treating provider relationship.” SAMHSA believes that further specification in this definition is unnecessary.

e. Withdrawal Management

SAMHSA is adopting this definition as proposed. SAMHSA has removed the definition of “Detoxification treatment” and replaced it with the definition of the currently acceptable term “Withdrawal management” as indicated in the American Society of Addiction Medicine (ASAM) Principles of Addiction Medicine, 5 edition.

ASAM Principles of Addiction Medicine, 5th edition, 2014, Richard Ries et al., editor. http://www.asam.org/quality-practice/essential-textbooks/principles-of-addiction-medicine (last accessed Aug. 1, 2016).

Public Comments

One commenter supported replacing the term “Detoxification treatment” with the term “Withdrawal management.”

SAMHSA Response

SAMHSA appreciates this support.

2. Existing Definitions

a. Central Registry

SAMHSA is adopting this definition as proposed. SAMHSA has updated the definition of “Central registry” to incorporate currently accepted terminology.

Public Comments

One commenter stated that the NPRM preamble described the proposed revisions to the definition of “central registry” as changes to “update terminology to make the definition clearer,” rather than detailing the proposed changes to the definition, so there was insufficient information for public comment.

SAMHSA Response

Exact language for the definition of “central registry” was provided in the NPRM regulation text and is being adopted as proposed.

b. Disclose or Disclosure

SAMHSA is modifying the proposed definition of “Disclose” to specifically cover diagnosis, treatment, and referral for treatment for substance use disorder, as follows: “Disclose means to communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.” We have updated terminology and made the definition clearer. SAMHSA has defined only one word, “Disclose,” since it is implied that the same definition applies to other forms of the word.

Public Comments

A commenter encouraged SAMHSA to develop guidance and promote standards adoption for the identification of part 2 data so that the implementation and applicability of concrete restrictions and obligations can be applied to the disclosure of such data. Another commenter urged coordination between the definitions of “disclosure” of a substance use disorder and a current or former “patient,” because someone may have a past substance use disorder but may not have been a former patient. A commenter stated that the NPRM preamble described the proposed revisions to the definition of “disclosure” as changes to “update terminology and make the definition clearer,” rather than detailing the proposed changes to the definition, so there was insufficient information for public comment.SAMHSA Response

With regard to developing subregulatory guidance and promoting standards adoption, SAMHSA is an organizational member of Health Level 7 (HL7) and is working to ensure that health IT standards support the needs of behavioral health treatment patients and providers. SAMHSA has supported the creation of several HL7 standards, including the Composite Privacy Consent Directive Domain Analysis Model to capture the requirement of states and federal agencies. Those requirements were reflected in the IG for Clinical Document Architecture Release 2 (CDA R2) to provide a standard-based electronic representation of a consent to support the management of consent directives and policies.

In response to comments urging coordination between the definition of “disclosure” and a current or former patient, SAMHSA has expanded the definition of “disclose” to include any information identifying a patient as “being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder.” Exact language for the definition of “disclosure” was provided in the NPRM regulatory text and is being adopted as proposed. We note that to the extent an individual may have had a past substance use disorder diagnosis, but never sought or received diagnosis, treatment, or referral for substance use disorder treatment, the definition of patient would not cover such individual and the part 2 regulations would not apply to that individual's health information unless and until the individual is a patient as defined in these regulations.

c. Maintenance Treatment

SAMHSA is modifying this definition from what was proposed by replacing the term “pharmacotherapy” with the phrase “long-term pharmacotherapy” for purposes of clarity to read as follows: “Maintenance treatment means long-term pharmacotherapy for individuals with substance use disorders that reduces the pathological pursuit of reward and/or relief and supports remission of substance use disorder-related symptoms.” As compared to the 1987 final rule definition of “Maintenance treatment,” SAMHSA updated terminology in the definition and moved it from § 2.34 to § 2.11.

Public Comments

A commenter stated that the NPRM preamble described the proposed revisions to the definition of “maintenance treatment” as changes to “update terminology and make the definition clearer,” rather than detailing the proposed changes to the definition, so there was insufficient information for public comment.

SAMHSA Response

Exact language for the proposed definition of “maintenance treatment” was provided in the NPRM regulation text at 81 FR 7014.

d. Member Program

In response to comments received, SAMHSA has revised the definition of “Member program,” by replacing a reference to a specific geographic distance, so it reads as follows: “Member program means a withdrawal management or maintenance treatment program which reports patient identifying information to a central registry and which is in the same state as that central registry or is in a state that participates in data sharing with the central registry of the program in question.”

Public Comments

A commenter asserted that the 125-mile distance to a state border limitation contained within the definition of “member program” does not adequately recognize the geographic realities of states with significant rural and frontier areas, and the commenter strongly suggested that it be eliminated.

SAMHSA Response

In response to the comment, SAMHSA has removed the distance from the definition to address the concerns about rural areas and replaced it with “is in a state that participates in data sharing with the central registry of the program in question.” We removed the distance requirement from the definition of “Member program” to reflect that in some states (e.g., with rural areas) the distance from the border of the state in which the central registry is located may exceed 125 miles.

e. Patient

SAMHSA is adopting this definition as proposed. To emphasize that the term “Patient” refers to both current and former patients, SAMHSA has revised the definition as follows: “Patient means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a part 2 program. Patient includes any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual's eligibility to participate in a part 2 program. This definition includes both current and former patients.”

Public Comments

One comment opposed the inclusion of former patients in the definition because retrospective outcome studies would be difficult to conduct because many patients relocate or their contact information becomes otherwise unobtainable for purposes of obtaining consent to disclose and use patient identifying information. One commenter opposed including in the definition individuals who “applied for” but did not receive a diagnosis and also asked who makes the identification of an individual with a substance use disorder. Another commenter suggested that the definition should include individuals participating in prevention programs and recovery support programs. A commenter asked whether the definition includes an individual who has been involuntarily committed to a program for treatment and suggested that the final rule clarify that such an individual is considered a patient and entitled to part 2's protections.

SAMHSA Response

Regarding the opposition to including former patients in the definition of “Patient” because retrospective outcome studies would be difficult to conduct, this concern appears to be based on a misunderstanding that a consent requires a specific expiration date. A part 2-compliant consent form must list the date, event, or condition upon which the consent will expire, if not revoked before. Therefore, it would be permissible for a consent form to specify the event or condition that will result in revocation, such as having its expiration date be “upon my death.” Consequently, it is possible for researchers to obtain consents that would permit retrospective outcome studies.

Regarding the inclusion of “applied for” in the definition of “Patient,” this definition has not changed from that included in the 1987 final rule except to replace “alcohol and drug abuse” with “substance use disorder.” SAMHSA declines to make the recommended change since no other concerns regarding the inclusion of “applied for” have been received in over 29 years. Patients who are involuntarily committed to participating in or receiving substance use disorder services from a part 2 program are covered by the definition. SAMHSA declines to accept the suggestion that the definition should be expanded to cover patients in prevention programs as such programs are not covered by the definition of a part 2 program.

f. Patient Identifying Information

SAMHSA is modifying the definition as proposed to: (1) Clarify that SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule at 45 CFR 164.514(b)(2)(i) that are not already included in the definition of patient identifying information to meet the “or similar information” standard; (2) delete the word “publicly” from the phrase “can be determined with reasonable accuracy either directly or by reference to other publicly available information”; and (3) to revise the last sentence as follows: for internal use only by the part 2 program, if that number does not consist of, or contain numbers (such as a social security, or driver's license number) that could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.”

SAMHSA intends for the identifiers listed in the HIPAA Privacy Rule at 45 CFR 164.514(b)(2)(i) that are not already included in the definition of “Patient identifying information” to meet the following clause: “or similar information.” Those HIPAA Privacy Rule identifiers are:

(1) Name;

(2) All geographic subdivisions smaller than a [s]tate, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(i) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(ii) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;

(3) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(4) Telephone numbers;

(5) Fax numbers;

(6) Electronic mail addresses;

(7) Social security numbers;

(8) Medical record numbers;

(9) Health plan beneficiary numbers;

(10) Account numbers;

(11) Certificate/license numbers;

(12) Vehicle identifiers and serial numbers, including license plate numbers;

(13) Device identifiers and serial numbers;

(14) Web Universal Resource Locators (URLs);

(15) Internet Protocol (IP) address numbers;

(16) Biometric identifiers, including finger and voice prints;

(17) Full face photographic images and any comparable image; or

(18) Any other unique identifying number, characteristic, or code.

Public Comments

A few commenters urged that the definition of “Patient identifying information” be aligned with the “protected health information,” including the patient identifiers, under HIPAA. One commenter recommended that telephone numbers and email addresses should be mentioned because they are accessible by electronic means. Another commenter suggested that SAMHSA delete the reference to publicly available information; use a phrase such as, “information with respect to which there is a reasonable basis to believe that the information can be used to identify the individual”; and mention other identifiers assigned to an individual, including credit card numbers, driver's license numbers, and automobile license numbers.

SAMHSA Response

The HIPAA Privacy Rule, at 45 CFR 164.514(b)(2)(i), enumerates 18 identifiers that make health information individually identifiable. SAMHSA considers any of these identifiers to be patient identifying information either because SAMHSA has explicitly listed the identifier in the definition of patient identifying information in 42 CFR part 2 or because SAMHSA considers the identifier to be `similar information' (See § 2.11 Definitions). Also as suggested, SAMHSA has deleted the word “publicly” from the phrase “can be determined with reasonable accuracy either directly or by reference to other publicly available information;”

g. Person

SAMHSA is adopting this definition as proposed. SAMHSA has revised the definition of “Person” to clearly indicate that “Person” is also referred to as individual or entity.

Public Comments

A commenter urged SAMHSA to recognize an “Affiliated Covered Entity” under HIPAA as an “entity” in the definition of “Person.” Another commenter asked that the definition specify that it includes limited liability companies. A commenter suggested removing the redundant parenthetical at the end of the proposed definition.

SAMHSA Response

SAMHSA has determined that no change is needed in response to the comments; the definition covers any legal entity. SAMHSA declines to delete the clarifying parenthetical at the end of the definition since the terms “individual” and “entity” are more intuitive than the term “person,” as defined in these regulations.

h. Program

SAMHSA decided not to finalize its proposed changes to the definition of “Program,” but did make minor updates to the terminology in the text. We are, however, finalizing certain other minor changes to the proposed definition to update terminology so that it is consistent with current best practice.

First, SAMHSA moved the reference to examples from the definition of “Program” to the definition of “Part 2 program.”

Second, we retain the language changes from drug and/or alcohol abuse to substance use disorder.

Finally, as stated in the NPRM, SAMHSA clarifies that paragraph (1) of the definition of “Program” would not apply to “general medical facilities”. However, paragraphs (2) and (3) of the definition of “Program” would apply to “general medical facilities.”

Public Comments

A few commenters expressed support for the revised definition of “Program.”

However, many commenters generally opposed the proposed revision to the definition of “Program.” The reasons primarily related to interpretations that SAMHSA did not intend to imply. Many commenters asked that SAMHSA not call out general medical practices as a separate category of provider excluded from paragraph one but included in paragraphs two and three of the definition of program.

Some commenters requested clarification in various areas, including the meaning and examples of “holds itself out;” determining “primary function;” treatment of behavioral health clinics and community mental health centers; roles of general medical or dental practices that engage in screening, brief intervention, and referrals for treatment (SBIRT) activities, and co-located substance abuse/mental health counselors; whether covered part 2 facilities provide some, primarily provide, or only provide substance use disorder diagnosis, treatment, and referral to treatment; physicians who prescribe buprenorphine products and pharmacies that fill those prescriptions; a general psychiatric unit that also provides substance use disorder treatment; and offering patients integrated behavioral health care in a primary care setting.

Some commenters suggested limiting programs to those that meet a minimum standard, are specifically licensed, credentialed, or accredited, such as state licensure. Several commenters asked that SAMHSA provide an exception for pharmacists and pharmacies or dentists. Lastly, a commenter said the rule should include rehabilitation centers as medical facilities.

SAMHSA Response

Based on the number and type of comments received regarding including general medical practices in the Program definition, SAMHSA has decided not to finalize the general medical practices language in the final rule. The number and type of comments led SAMHSA to believe separating out general medical practices from general medical facilities was more confusing than clarifying. Most commenters indicated a belief that SAMHSA was expanding the definition of program to include individuals and entities that had not previously been covered. As we've previously noted in our publicly available FAQ guidance, a practice comprised of primary care providers could be considered a “general medical facility and be subject to 42 CFR part 2 if they are both “federally assisted” and meet the definition of a program under 42 CFR 2.11. Nevertheless, consistent with the definition of a “program”:

1. If a provider is not a general medical care facility, then the provider meets the part 2 definition of a “Program” if it is an individual or entity who holds itself out as providing, and provides substance use disorder diagnosis, treatment, or referral for treatment.

2. If the provider is an identified unit within a general medical facility, it is a “Program” if it holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment.

3. If the provider consists of medical personnel or other staff in a general medical facility, it is a “Program” if its primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and is identified as such specialized medical personnel or other staff by the general medical facility.

SAMHSA's FAQ guidance further addresses the issue of what constitutes a general medical facility. This FAQ guidance clarifies that, while the term “general medical care facility” is not defined in the definitions section of 42 CFR 2.11, hospitals, trauma centers, or federally qualified health centers would generally be considered “general medical care” facilities. Therefore, primary care providers who work in such facilities would only meet part 2's definition of a program if (1) they work in an identified unit within such general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment or referral for treatment, or (2) the primary function of the provider is substance use disorder diagnosis, treatment or referral for treatment and they are identified as providers of such services. In addition, a practice comprised of primary care providers could be considered a “general medical facility.” As such, only an identified unit within that general medical care facility which holds itself out as providing and provides substance use disorder diagnosis, treatment or referral for treatment would be considered a “program” under the definition in the part 2 regulations. Medical personnel or staff within that facility whose primary function is the provision of those services and who are identified as such providers would also qualify as a “program” under the definition in the part 2 regulations. Other units or practitioners within that general medical care facility would not meet the definition of a part 2 program unless such units or practitioners also hold themselves out as providing and provide substance use disorder diagnosis, treatment or referral for treatment.

SAMHSA also clarifies that the program definition does not categorically exclude buprenorphine providers. However, holding a waiver to prescribe buprenorphine or holding a waiver and prescribing buprenorphine as part of primary care practice also does not lead to categorical inclusion of providers in the definition of a part 2 program; such determinations are fact-specific. Also, a health care provider that does not otherwise meet the definition of a part 2 program would not become a program simply because they provided screening, brief intervention, and/or referral to treatment within the context of general health care. SBIRT is discussed in further detail under Section V.E (Applicability) below.

Regarding comments on the meaning of “primary function,” SAMHSA did not propose a definition of “primary function” because it has not historically received many, if any, questions on its meaning.

Consistent with previously published FAQ guidance, we reiterate that “Holds itself out” means any activity that would lead one to reasonably conclude that the individual or entity provides substance use disorder diagnosis, treatment, or referral for treatment, including but not limited to:

  • Authorization by the state or federal government (e.g. licensed, certified, registered) to provide, and provides, such services,
  • Advertisements, notices, or statements relative to such services, or
  • Consultation activities relative to such services.

i. Qualified Service Organization

SAMHSA is adopting the definition of “Qualified Service Organization” as proposed. SAMHSA has revised the definition of QSO to include population health management in the list of examples of services a QSO may provide. SAMHSA also revised the term “medical services” as listed in the examples of permissible services offered by a QSO to clarify that it is limited to “medical staffing services.” SAMHSA made this revision to emphasize that QSOAs should not be used to avoid obtaining patient consent.

Public Comments

A large number of commenters supported the proposed QSO definition, particularly the addition of “population health management.” Many commenters requested a clarification or a narrow definition of “population health management.”

SAMHSA Response

SAMHSA provided guidance in the NPRM preamble regarding what constitutes population health management services. Specifically, population health management refers to increasing desired health outcomes and conditions through monitoring and identifying individual patients within a group. To achieve the best outcomes, providers must supply proactive, preventive, and chronic care to all of their patients, both during and between encounters with the health care system. For patients with substance use disorders, who often have comorbid conditions, proactive, preventive, and chronic care is important to achieving desired outcomes. Any QSOA executed between a part 2 program and an organization providing population health management services would be limited to the office(s) or unit(s) responsible for population health management in the organization (e.g., the ACO, CCO, CPCMH, or managed care organization [MCO]), not the entire organization and not its participants (e.g., case managers, physicians, addiction counselors, hospitals, and clinics). However, the presence of a QSOA does not preclude disclosures of patient identifying information to other individuals within these organizations based on a valid part 2-compliant consent.

Public Comments

Some commenters requested clarification about the definition, such as whether an HIE could be considered a QSO; whether the definition, which includes “an individual,” can include members of the covered entity's workforce; and whether public health management staff can share part 2 information with case managers.

A few commenters expressed opposition to the proposed definition of QSO, asserting that patient consent should be obtained before making a disclosure of substance use disorder information to multiple entities. Another commenter warned that under the definition, it would be difficult to track which part 2 patients may or may not be within a population health program at any given time.

SAMHSA Response

The NPRM as well as the current (1987) definition of QSO uses the term person. Person is defined in the current (1987) regulations as: “Person means an individual, partnership, corporation, federal, state or local government agency, or any other legal entity.” The NPRM definition proposed a parenthetical: “(also referred to as individual or entity).” Because both the 1987 regulations and the NPRM definition of person includes both individuals and entities, the definition of the term QSO has always included both individual and entities, the definition of the term QSO has always included individuals, as well as entities.

Whether the QSO definition applies to members of an entity's workforce and case managers depends on whether they meet the definition of QSO as defined in § 2.11 because such determinations are fact-specific. An individual or entity who does not meet the definition of a QSO may, however, meet the definition of “Treating provider relationship” for the purposes of obtaining consent. Likewise, care coordination was not added to the list of examples of permissible services offered by a QSO because care coordination has a patient treatment component.

Under the part 2 governing statute, patient records pertaining to the patient's substance use disorder may be shared only with the prior written consent of the patient or as permitted under the part 2 statute, regulations, or guidance. However, the regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this statute, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

Regarding the concern about disclosing to multiple entities under a QSOA, as noted above, any QSOA executed between a part 2 program and an organization providing population health management services would be limited to the office(s) or unit(s)/entity(ies) responsible for population health management for the organization (e.g., the ACO, CCO, CPCMH, or MCO), not the entire organization and not its participants (e.g., case managers, physicians, addiction counselors, hospitals, and clinics).

Public Comments

Commenters provided various suggestions to improve the definition. Several commenters said the definition should be expanded to permit a multi-party agreement for multi-directional sharing of information. Commenters said the description of the provision should address overlapping requirements of HIPAA and part 2 with respect to contractual agreements and services such as data processing and billing. A commenter said facilitating entities should be able to enter into QSO agreements with participating providers to perform quality improvement activities. Another commenter said the QSO exception to restrictions on disclosure should apply to third-party payers and other holders of part 2 information, and the definition should include other functions to support improved care delivery.

SAMHSA Response

Part 2 and its implementing statute are much more restrictive than HIPAA. Because 42 CFR part 2 and its governing statute are separate and distinct from HIPAA, the part 2 regulations use different terminology than used in HIPAA. However, SAMHSA aligned policy with HIPAA where possible.

Because a QSOA is a two-way agreement between a part 2 program and the entity providing the part 2 program and an individual or entity providing a service to a part 2 program, agreements between more than those two parties (e.g. multi-party agreements) are prohibited. A QSOA cannot be used to avoid obtaining patient consent in the treatment context.

As stated previously in this preamble, SAMHSA is issuing an SNPRM to seek further comments and information on the disclosure to and use of part 2 information by the contractors and subcontractors of third-party payers and other lawful holders for purposes of payment, health care operations, and other health care related activities before establishing any appropriate restrictions on disclosures to them.

Public Comments

Commenters generally expressed opposition to the change of “medical services” to “medical staffing services” in the definition. A commenter expressed opposition to the interpretation that the QSO agreement executed between a part 2 program and an organization that provided population health management services would be limited to a specific office(s) or unit(s) within the organization that is/are tasked with carrying out such services.

SAMHSA Response

SAMHSA has revised the term “medical services” as listed in the examples of permissible services offered by a QSO to clarify that it is limited to “medical staffing services.” SAMHSA proposed to make this revision to emphasize that QSOAs should not be used to avoid obtaining patient consent. Accordingly, a QSOA could be used by a part 2 program to contract with a provider of on-call coverage services (previously clarified in FAQ guidance) or other medical staffing services but could not be used to disclose John Doe's patient identifying information to his primary care doctor for the purpose of treatment (other than that provided under a QSOA for medical staffing services). However, an individual or entity who is prohibited from providing treatment to an individual patient under a QSOA may still meet the requirements of having a treating provider relationship (as that term is defined in § 2.11) with respect to the consent requirements in § 2.31.

With respect to the comment regarding an organization providing population health management services, a QSOA is a two-way agreement between a part 2 program and the entity providing the service. We reiterate that disclosures by a QSO pursuant to a QSOA executed between a part 2 program and an organization that provides population health management services would be limited to a specific office(s) or unit(s)/entity(ies) that is/are tasked with carrying out such services for the organization. SAMHSA believes this is a needed safeguard to limit disclosures to that which is reasonably necessary to carry out services under the QSOA.

Public Comments

Many commenters expressed opposition to the exclusion of “care coordination” from the QSO definition or requested clarification for the meaning of “care coordination.” Some commenters specifically requested adding care coordination to the list of services a QSO may provide, reasoning that it would facilitate integrated substance use disorder, health, and mental health services. The commenters asserted that the addition would benefit patients' health, safety, and quality of life while maintaining confidentiality protections.

SAMHSA Response

In the NPRM, SAMHSA clarified that an individual or entity is prohibited from providing treatment to an individual patient under a QSOA. SAMHSA has revised the term “medical services” as listed in the examples of permissible services offered by a QSO to clarify that it is limited to “medical staffing services.” SAMHSA proposed to make this revision to emphasize that QSOAs should not be used to avoid obtaining patient consent. Accordingly, a QSOA could be used by a part 2 program to contract with a provider of on-call coverage services (previously clarified in FAQ guidance) or other medical staffing services, but could not be used to disclose John Doe's patient identifying information to his primary care doctor for the purpose of treatment (other than that provided under a QSOA for medical staffing services). For this reason, care coordination and medication management, both of which have a treatment component, were not added to the list of examples of permissible services offered by a QSO. However, an individual or entity who is prohibited from providing treatment to an individual patient under a QSOA may still meet the requirements of having a treating provider relationship (as that term is defined in § 2.11) with respect to the consent requirements in § 2.31.

Regarding the request to clarify the meaning of “care coordination” and how it differs from “population health management,” because SAMHSA decided not to include care coordination in the examples of permissible services under the definition of a QSO, we did not define the term “care coordination” in the NPRM and, therefore, decline to do so in this final rule. Population health management refers to increasing desired health outcomes and conditions through monitoring and identifying patients within a group.

j. Records

SAMHSA has revised the proposed definition. As suggested by commenters, SAMHSA has modified the definition of “Records” by adding “created by” and a parenthetical with examples to read as follows: “Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts). For the purpose of these regulations, records include both paper and electronic records.” SAMHSA revised the definition of “Records” to include any information, whether recorded or not, which includes verbal communications, created, received or acquired by a part 2 program relating to a patient. The revised definition makes clear that, for the purpose of the part 2 regulations, records include both paper and electronic records.

Public Comments

A commenter remarked that the proposed definition of “records” does not address “identifiability,” asserting that information that is not individually identifiable, that is not reasonably capable of being re-identified, or that is aggregate may not need to be covered by the definition of record. Regarding the phrase “whether recorded or not” in the proposed definition, a couple of commenters requested guidance on what constitutes “unrecorded information.”

SAMHSA Response

SAMHSA clarifies that unrecorded information includes verbal communications and is still considered part of the record. To add further clarity to the definition, SAMHSA has revised the definition of “Records” from the proposed language by adding examples (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts). SAMHSA also added the phrase “created by” to clarify that “records” includes information received, acquired, or created by a part 2 program relating to a patient. Regarding “identifiability,” identification is addressed in the term “Patient identifying information,” not in the definition of “Record.” The definition of records is just that and does not address information that may be disclosed.

k. Treatment

SAMHSA is adopting the proposed definition of “Treatment.” SAMHSA has deleted the term “management” from the “Treatment” definition.

Public Comments

A few commenters opposed the proposed removal of the term “management” from the definition of “treatment” because the narrower definition would decrease information sharing and have a chilling effect on care coordination. A couple of commenters urged that “treatment” should be limited to care of the substance use disorder and not be extended to include care of other medical conditions secondary to or that arose because of the substance use disorder. One commenter suggested that “care” should be defined as it is used in the definition of “treatment.”

SAMHSA Response

SAMHSA removed the term “management” from the definition of “Treatment” because in today's health care environment, “management” has a much broader meaning than it did when the regulations were last revised. Treatment is not limited to care of the substance use disorder because patients with a substance use disorder often have comorbid conditions.

3. Terminology Changes

SAMHSA is adopting the changes proposed in this section, as described in the NPRM. In addition to changes to several definitions, SAMHSA is also implementing several terminology changes intended to ensure consistency in the use of terms throughout the regulations and to increase the understandability of the rule. First, we made revisions to consistently refer to law enforcement as “law enforcement agencies or officials.” Secondly, SAMHSA revised the part 2 regulations to use the term “entity” instead of “organization” wherever possible. Thirdly, SAMHSA clarifies that, for the purposes of this regulation, the term “written” includes both paper and electronic documentation. Fourthly, we use the phrase “part 2 program or other lawful holder of patient identifying information” to refer to a part 2 program or other individual or entity that is in lawful possession of patient identifying information. A “lawful holder” of patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a prohibition on re-disclosure notice) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.

Public Comments

One commenter requested clarification about what entities are considered “lawful holders” of patient identifying information in the context of complex health care systems. For example, would the parent company of a health care system, each specific hospital, or each entity affiliated with the health care system be considered a “lawful holder”?

Another commenter urged that the term “other lawful holder” should be clearly defined in the final rule.

SAMHSA Response

A “lawful holder” of patient identifying information is an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a prohibition on re-disclosure notice) or as permitted under the part 2 statute, regulations, or guidance and, therefore, is bound by 42 CFR part 2. SAMHSA cannot determine what entities are “lawful holders” because such determinations are fact-specific. In addition, SAMHSA determined that it was not feasible to define all lawful holders of information so has not included a definition in the rule. As explained in the NPRM, examples of “lawful holders” include a patient's treating provider, a hospital emergency room, an insurance company, an individual or entity performing an audit or evaluation, or an individual or entity conducing scientific research. This list provided in the NPRM was intended only as an illustrative example of who could be a lawful holder.

4. Other Comments on Definitions

Public Comments

Many commenters expressed general support for the proposed clarification of definitions. Some commenters sought new definitions for terms including HIE; recipient; population health management and care coordination; population health; re-disclosure; law enforcement agency or official; repository; and scientific research.

Several commenters addressed the “alternative approach” discussed in the NPRM for allowing disclosure to treating providers by requesting the addition of a definition for “organization” to § 2.11. Commenters generally supported a clear definition of “organization” to allow for the exchange of part 2 information. One commenter, however, opposed relying upon a definition rather than specifying the process for consent in the rule itself.

SAMHSA Response

SAMHSA did not propose definitions for the terms suggested and has decided not to pursue the “alternative approach” since that approach as written received no support and only 2 commenters supported the “alternative approach with suggested revisions.” Based on comments received, the agency has addressed disclosures to treating providers within this rule's consent requirements.

E. Applicability (§ 2.12)

SAMHSA is adopting this section as proposed. In addition to the revisions to the definition of “Program” and the addition of a definition for “Part 2 program” mentioned above, SAMHSA has revised § ;2.12(d)(2)(i)(C) so that restrictions on disclosures also apply to individuals or entities who receive patient records from other lawful holders of patient identifying information (see § 2.11, Terminology Changes). Patient records subject to these regulations include patient records maintained by part 2 programs, as well as those records in the possession of “other lawful holders of patient identifying information.” SAMHSA may issue additional subregulatory guidance addressing the applicability section, as deemed necessary, after publication of the final rule.

Public Comments

A few commenters supported the proposed applicability provisions. Some commenters cited relevant preamble language but remained uncertain about who qualifies as a part 2 provider. Several commenters requested greater clarification in identifying part 2 coverage, including whether the provisions apply to various models of integrated behavioral health and primary care; mixed-use facilities that provide primary care and behavioral health services or mental health and substance use treatment; certified community behavioral health centers that do not necessarily “primarily” furnish substance abuse services but rather provide a comprehensive approach to care; embedded behavioral health information within an acute care record; a medical facility providing several distinct books of business, of which only one receives federal assistance; pharmacies; dentists; Drug Addiction Treatment Act (DATA 2000)-waived physicians; employee assistance programs that may include substance use assessment and counseling; a provider who bills Medicaid and Medicare but is not otherwise a “federally assisted program;” and confidential information related to safety and incident reporting. A commenter requested clarification about the definition of “direct administrative control” in the proposed provision related to exceptions for communications within a part 2 program. A commenter urged consideration for reporting by programs to a public health registry and suggested advantages of such a requirement.

Some commenters requested applicability exemptions. Some commenters requested exclusions for employee assistance programs; Medicaid overutilization control programs; and plans with integrated care delivery models. Some commenters requested exemptions to consent for communications between a QSO and a part 2 program or third-party payer (e.g., Medicaid) and between a part 2 program. One commenter requested clarification that consent and disclosure requirements would not apply when the patient directs electronic disclosure for a consumer health application. A commenter requested clarification that services are only covered under part 2 if the personnel are identified as providing substance use disorder treatment outside the organization to the general public. Commenters favored an exception for reporting of child abuse and elder abuse. A few commenters mentioned certain concerns related to the proposed rule. A commenter argued that the proposed rule would do little to simplify requirements for providers, and this may result in providers not documenting substance use disorder-related information in medical records. Other commenters opposed the lack of protections in the proposal and warned that the rule would impose constraints and burdens on providing a patient's behavioral health data and impede information sharing. A commenter stated that general health care organizations that hire an employee with substance use disorder expertise would be considered a covered entity, so they may be discouraged from integrating substance use disorder services into their operation. Similarly, hospital emergency departments may be discouraged from hiring staff with specialized experience in substance use disorders. One commenter expressed concern that the rule may extend protection not just to records for substance use disorder treatment, but also to medical conditions and medications that allow an inference that the patient has a substance use disorder. One commenter argued that any substance use record should be protected from unauthorized disclosure for criminal justice investigations. Expressing support for the continued protection of substance use disorder records from disclosure and use in criminal investigations except under certain conditions, a commenter said that while HIPAA and other laws also provide similar protections, part 2 has more stringent due process and court order provisions.

One commenter argued that the proposed rule exceeds the underlying statutory requirements in 42 U.S.C. 290dd-2 by expanding protections of substance use information and establishing penalties. Another commenter mentioned that the HITECH revisions to HIPAA already require general medical facilities to utilize enhanced security measures to protect the confidentiality and privacy of patient's health records.

A few commenters advocated that the safeguards applied to protected health information (as defined under HIPAA) for all other health conditions could apply for substance use disorder-related information.

One commenter urged a focus on the actual information that requires protection, as opposed to the origin of the treatment records. Similarly, another commenter expressed disappointment that SAMHSA rejected the option to redefine the applicability of part 2 based on the type of substance use disorder treatment services, rather than the type of provider.

Several commenters suggested exceptions to the applicability of part 2 regulations. One commenter said SAMHSA should create a due diligence exception to allow a part 2 program's records to be reviewed in the event of a proposed sale of the part 2 facility. Another commenter said SAMHSA should include an exception to allow disclosure of part 2 records in connection with the seeking of a grant or much needed funding for substance abuse patients. A commenter said SAMHSA should create a payment exception that would allow part 2 programs to submit information to governmental or commercial payers without the patient's prior authorization.

Other commenters stated that exceptions should be added for the purpose of seeking involuntary commitment of an individual who poses a likelihood of serious harm to self or others by reason of a substance use disorder, in accordance with applicable provisions of state law and subject to appropriate terms regarding the continued confidentiality of such data. Another commenter stated that the rule should specifically permit continued data collection of substance use disorder by state agencies. Another commenter stated that an exception limited disclosures to law enforcement and other appropriate parties in the event a committed patient escapes from a treatment facility, and to other part 2 programs and appropriate state agencies as necessary for purposes of discharge planning or transferring a patient without consent.

SAMHSA Response

With respect to the comments recommending aligning with HIPAA, SAMHSA has attempted to do so in this final rule to the extent the change was permissible under 42 U.S.C. 290dd-2. At the same time, part 2 and its governing statute are separate and distinct from HIPAA and its implementing regulations. Because of its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA.

As stated in the preamble discussion of the applicability (§ 2.12) in the NPRM, SAMHSA considered options for defining what information is covered by part 2, including defining covered information based on the type of substance use disorder treatment services provided instead of the type of facility providing the services. SAMHSA however, rejected that approach because more substance use disorder treatment services are occurring in general health care and integrated care settings, which typically are not covered under the current (1987) regulations. Providers who in the past offered only general or specialized health care services (other than substance use disorder services) now, on occasion, provide substance use disorder treatment services, but only as incident to the provision of general health.

The definitions of “Part 2 program” and “Program” are critical to applicability. These terms are defined in § 2.11. The response to comments on the definition of program in this final rule further clarifies coverage. Holding a waiver to prescribe buprenorphine or holding a waiver and prescribing buprenorphine as part of primary care practice does not lead to categorical inclusion of providers in the definition of a part 2 program; such determinations are fact-specific. The same concept applies whenever determining applicability.

With respect to comments on part 2 coverage, although the statute may not be explicit with regard to certain provisions in 42 CFR part 2, the statute directs the Secretary to prescribe regulations to carry out the purpose of the statute, which may include definitions and may provide for such safeguards and procedures that in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith. For various models of integrated behavioral health, SAMHSA strives to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. These concerns include, but are not limited to, the potential for loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

The response to comments on the definition of program in this final rule further clarifies coverage.

SBIRT is a cluster of activities designed to identify people who engage in risky substance use or who might meet the criteria for a formal substance use disorder. Clinical findings indicate that the overwhelming majority of individuals screened in a general medical setting do not have a substance use disorder and do not need substance use disorder treatment. A health care provider that does not otherwise meet the definition of a part 2 program would not become a part 2 program simply because they provide SBIRT within the context of general health care.

For behavioral health facilities, SAMSHA notes that federally qualified health centers, community mental health centers, and behavioral health clinics meeting the definition of a part 2 program must comply with 42 CFR part 2 and those that do not meet the definition of part 2 program do not have to comply with 42 CFR part 2 unless they become a lawful holder of patient identifying information because they received patient identifying information via consent (along with a notice of prohibition on re-disclosure) or as permitted under the part 2 statute, regulations, or guidance. Rather than offer definitions or outline an exhaustive list of entities that could meet the definition of a part 2 program, we prefer to offer illustrative examples in the explanation of applicability provision of these regulations (see § 2.12(e)(1)). SAMHSA has not received questions in the past concerning the definition of general medical facility.

Regarding the question of part 2 applicability when a patient directs electronic disclosure for a consumer health application, the NPRM preamble discussion of lawful holder in the Terminology Changes section stated: “A patient who has obtained a copy of their records or a family member who has received such information from a patient would not be considered a `lawful holder' of patient identifying information in this context.” Information disclosed by a part 2 program or a lawful holder of patient identifying information is covered by 42 CFR part 2 and requires patient consent unless disclosure is otherwise permitted under the part 2 statute or regulations. Therefore, it is permissible for a patient to disclose information to a personal health record or similar consumer health application but if a part 2 program or lawful holder of patient identifying information discloses that information to the personal health record or other similar consumer application on behalf of the patient, consent would be required.

Regarding patient records and Medicaid overutilization control programs, the prohibition on re-disclosure (§ 2.32) applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the part 2 program to be re-disclosed, if not prohibited by any other applicable laws. Under the current statutory authority, patient records pertaining to substance use disorder may be shared only with the prior written consent of the patient or as permitted under the part 2 statute and implementing regulations. In addition, the authorizing statute specifically enumerates the areas of non-applicability, which includes the reporting under state law of incidents of suspected child abuse and neglect to appropriate state and local authorities. Therefore, SAMHSA did not adopt this requested change. Regarding elder abuse, if a program determines it is important to report elder abuse, disabled person abuse, or a threat to someone's health or safety, or if the laws in a program's state require such reporting, the program must make the report anonymously, or in a way that does not disclose that the person making the threat is a patient in the program or has a substance use disorder, or obtain a court order if time allows.

Some commenters asked about the applicability of the part 2 regulations to various facilities or entities, such as rehabilitation facilities, dentists, and pharmacies. In summary, if a provider is not a general medical facility or does not hold itself out as providing, and provides, substance use disorder diagnosis, treatment or referral for treatment, it would not meet the first section of the definition of “Program.” If the provider is either not an identified unit within a general medical facility that holds itself out as providing, or does not provide, substance use disorder diagnosis, treatment, or referral for treatment, it does not meet the second section of the definition of “Program.” If the provider either does not consist of medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment or is not identified as such specialized medical personnel or other staff by the general medical facility, it does not meet the third section of the definition of “Program.” Whether embedded behavioral health information is covered by 42 CFR part 2 depends on several factors: First, only patient identifying information is subject to part 2 protections. If the acute care facility meets the definition of a part 2 program and the information would identify, directly or indirectly an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, the information is subject to part 2 protections; and if the acute care facility received the patient identifying information via a valid part 2 consent (with a notice of prohibition on re-disclosure) or as otherwise permitted under the part 2 statute or regulations, the information is subject to part 2 protections.

With respect to pharmacies, when they receive prescriptions directly from part 2 programs, the patient identifying information related to those prescriptions is subject to 42 CFR part 2 confidentiality restrictions (as indicated by the accompanying prohibition on re-disclosure notice). Pharmacies that receive paper prescriptions directly from patients (and do not receive a prohibition on re-disclosure notice) are, therefore, not subject to the part 2confidentiality restrictions. However, if the pharmacy or pharmacist meets the definition of a part 2 program, they must comply with the part 2 regulations.

In response to the commenter's request for clarification that services are only covered under part 2 if the personnel are identified as providing substance use disorder treatment outside the organization to the general public, the third section of the definition of program uses the term “personnel” to state that medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment or referral for treatment and who are identified as such providers. This section of the definition of program does not include the phrase “holds itself out” as do the first two sections of the definition of program. In the third section of the definition, the medical personnel or other staff must be identified as such specialized medical personnel or other staff by the general medical facility.

Although commenters requested an exclusion for employee assistance programs, the regulation text at § 2,12(d)(1) states: “Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment.

Commenters requested an exemption for communications between a part 2 program and another entity under common ownership or control, but SAMHSA declines to make the requested change. However, as stated in the regulatory text (§ 2.12(c)(3) restrictions on disclosure in these regulations do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

(i) Within a part 2 program; or

(ii) Between a part 2 program and an entity that has direct administrative control over the program.”

SAMHSA declines to add the various suggested exceptions to the applicability of the part 2 regulations, and encourages all stakeholders to consult with legal counsel to ensure compliance with 42 CFR part 2, as well as any other applicable federal, state, or local laws or regulations. SAMHSA is limited by statute to the specific exceptions listed in the law; it cannot, therefore, add exceptions. As stated previously, SAMHSA is authorized to promulgate regulations and to provide such safeguards and procedures necessary to carry out the purposes of the authorizing statute. SAMHSA has endeavored to strike an appropriate balance between the important privacy protections afforded patients with substance use disorders and the necessary exchange of information to improve treatment outcomes for these individuals.

F. Confidentiality Restrictions and Safeguards (§ 2.13)

SAMHSA is modifying this section slightly from that proposed in the NPRM by adding a paragraph clarifying responsibility for the List of Disclosures requirement. As discussed in the proposal, because SAMHSA is revising the consent requirements to allow a general designation in certain circumstances, we have revised § 2.13 by adding a paragraph (d), which requires that, upon request, patients who have included a general designation in the “To Whom” section of their consent form must be provided, by the entity that serves as an intermediary, a list of entities to which their information has been disclosed pursuant to the general designation (List of Disclosures).

The new § 2.13(d) specifies that patient requests for a list of entities to which their information has been disclosed must be in writing. Consistent with the NPRM, we consider “written” to include both paper and electronic documentation. The list is limited to disclosures made within the past 2 years.

Further, entities named on the consent form that disclose information pursuant to a patient's general designation (entities that serve as intermediaries as described in § 2.31(a)(4)(iii)(B)) must respond to requests for a List of Disclosures in 30 or fewer days of receipt of the request.

1. Delayed Implementation of List of Disclosures Provision

Public Comments

Several commenters raised concerns about how to interpret the two-year delayed implementation of List of Disclosures and whether the general designation will be used during that period. A commenter expressed concern about the immediate implementation of the general designation while the right of patients to obtain a List of Disclosures is postponed for two years.

Other commenters stated that, based on the NPRM language, HIEs will not be able to take advantage of a general designation on the consent form until they have the ability to comply with the List of Disclosures requirement.

Commenters said SAMHSA needs to clarify that the duty to begin collecting and storing disclosures under the general designation begins two years after the effective date of the final rule and not before.

A commenter recommended that the right to obtain a list of those who have received the patient's information should be implemented simultaneously with any other revisions to the part 2 regulation. Another commenter said SAMSHA should implement the List of Disclosures requirement within 90 days.

SAMHSA Response

SAMHSA clarifies that the general designation on a consent form may not be used until entities have the ability to comply with the List of Disclosures provision. However, SAMHSA has removed the two-year delayed compliance date for the List of Disclosures provision for the reasons discussed in Section IV above.

2. Responsibilities Under the List of Disclosures Process

Public Comments

Commenters said SAMHSA should allow non-treating entities, that do not have a treating provider relationship with the patient whose information is being disclosed and serve as intermediaries named on the consent form, to release the List of Disclosures to the facility where the patient receives care (or the part 2 program), rather than to the patient directly. One commenter said because this process, in which the patient/consumer requests and receives the List of Disclosures from the site where they receive care/part 2 program, rather than from the HIE, resembles the process currently being used to meet HIPAA disclosure requirements, it could be implemented without requiring additional burdens on HIEs. Since most HIEs are not patient-facing, commenters stated that there are typically not policies or procedures in place for interacting with patients directly, particularly for patient authentication, and suggested it be done at the provider level, and that the patient communication be maintained at the part 2 program level.

Other commenters said SAMHSA does not specify what responsibility, if any, the part 2 program has to coordinate or verify the compliance of the CCO or HIE with the List of disclosures. One commenter said if SAMHSA intends for the part 2 program to have any responsibilities beyond this, then it should obtain additional feedback from part 2 programs before proposing any new obligations. Some commenters appeared to assume the part 2 program was responsible for the List of Disclosures and requested that SAMHSA modify the requirement to impose the duty directly upon the HIE, ACO, CCO, or research institution to provide the listing to the patient, rather than the part 2 program.

A commenter said SAMSHA should clarify what entities must be included on the List of Disclosures when the entity is part of a complex healthcare system.

Another commenter said the absence of requiring disclosure of individual names undermines the intent of the List of Disclosures and undermines the purpose of expanding the “To Whom” provision and the patient's incentive or willingness to consent to a general designation. The commenter said the provision must be very explicit in disclosing those agencies or individuals that will receive the patients' medical information.

SAMHSA Response

Regarding the suggestion to allow entities that serve as intermediaries as described by § 2.31(a)(4)(iii)(B) to release the List of Disclosures to the facility where the patient receives care (or the part 2 program) or with the providers to whom the disclosure was made, rather than directly to the patient, SAMHSA has decided to retain the NPRM language and proposed responsibilities because the party making the disclosure under the general designation should be accountable for that disclosure. SAMHSA has clarified in paragraph § 2.31(d)(3) that the part 2 program is not responsible for complying with the List of Disclosures requirement; the entity that serves as an intermediary, as described in § 2.31(a)(4)(iii)(B), is responsible for compliance with the List of Disclosures requirement.

SAMHSA plans to issue subregulatory guidance that clarifies how the patient may request the List of Disclosures from intermediaries as described by § 2.31(a)(4)(iii)(B).

On the responsibility of part 2 providers to comply with the List of Disclosures requirement, SAMHSA agrees with the commenters that more clarity is needed. In the circumstance in which a patient provides a general designation in the “To Whom” part of a consent form, the part 2 program may not know to whom the disclosures have been made by the entity that serves as an intermediary. As such, the List of Disclosures provision requires that: The entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary, as described in § 2.31(a)(4)(iii)(B)) must: (i) Respond in 30 or fewer days of receipt of the written request; and (ii) Provide, for each disclosure, the name(s) of the entity(ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed. Further, paragraph (d)(3) clarifies that the part 2 program is not responsible for complying with § 2.13(d).

In response to the request for clarification on what entities must be listed on the List of Disclosures and suggestion that individuals (rather than entities with whom such individuals are affiliated) must be listed, SAMHSA clarifies that the List of Disclosures must include a list of the entities to which the information was disclosed pursuant to a general designation. Individuals who received patient identifying information pursuant to the general designation on a consent form should be included on the List of Disclosures based on an entity affiliation, such as the name of their practice or place of employment. However, if entities that are required to comply with the List of Disclosures requirement wish to include individuals on the List of Disclosures, in addition to the required data elements which are outlined in § 2.13(d)(2)(ii), nothing in this rule prohibits it.

SAMHSA considered requiring both individuals and entities to be included on the List of disclosures but, after reviewing the Health Information Technology Privacy Committee's (HITPC's) recommendations ( https://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf ), decided to require, at a minimum, a list of entities. These recommendations addressed the HITECH requirement that HIPAA covered entities and business associates account for disclosures for treatment, payment, and health care operations made through an EHR. The Transmittal Letter recommended, “that the content of the disclosure report be required to include only an entity name rather than a specific individual as proposed in the NPRM.” In addition, the Transmittal Letter noted that the Organization for Economic Cooperation and Development (OECD) principles, the Fair Credit Reporting Act, and the Privacy Act of 1974 do not require that the names of individuals be provided. The HITPC, a committee established by the American Recovery and Reinvestment Act of 2009 in accordance with the Federal Advisory Committee Act (FACA), provides recommendations on health IT policy issues to the ONC for consideration. The HITPC gave a broad charge to its Privacy & Security Tiger Team (Tiger Team) “to provide recommendations on how to implement the requirements of the HITECH Act of 2009 for covered entities and business associates to account for disclosures for treatment, payment and health care operations made through an EHR. In the referenced Transmittal Letter, the HITPC did not focus on 42 CFR part 2, however, given the similarities of the issues and the importance of the lessons the Tiger Team learned, SAMHSA was persuaded by the Tiger Team's discussion.

3. Technological Challenges and Burden of the List of Disclosures Provision Public Comments

Public Comments

Many commenters argued that entities may not be equipped to maintain and provide a List of Disclosures. A few commenters expressed general concern about the burden associated with the List of Disclosures provision. Several commenters added that the burden is disproportionate to the anticipated benefit. Other commenters specified areas of burden, including administering consents; developing a tracking system; manually reviewing or auditing all records; and transmitting information by U.S. mail. Some comments mentioned the operational impact of the provision, including the impact on existing business practices; uncertainty about interoperability with additional systems; and operationalizing a different approach for HIPAA. One commenter argued that HIPAA already provides sufficient protections through the requirement for tracking and providing an accounting of certain disclosures. Another commenter expressed concern that there are varying levels of technical resources available for compliance with the rule.

A commenter warned that one component of the Affordable Care Act is its focus on sharing of certain medical information and the proposed regulation may prevent realization of that goal. Similarly, another commenter said, if HIEs are included in the disclosure request, entities would be left with the choice of either not sending this information, which would then not be available in emergent situations, or not complying with this requirement. Another commenter said creating additional accounting requirements, without further clarification on the interoperability of such EHR systems, can create a state of continuous uncertainty and flux, deterring investment into substance use disorder treatment programs within integrated care networks.

Some commenters stated that the proposed provision conflicts with existing HIPAA accounting of disclosure requirements or state laws. Other commenters said it would be administratively burdensome to implement, particularly in light of the fact that the health information technology industry is still waiting for OCR to determine how it will address the HITECH changes to HIPAA accounting of disclosures.

For the above reasons, some commenters urged SAMHSA not to include the List of Disclosures provision in the final rule; delay promulgating until OCR decides how it will approach the HITECH provisions concerning the HIPAA accounting of disclosures requirement; and engage with OCR, providers, and vendors to fully understand the implications of such a requirement before establishing an implementation date for the List of Disclosures requirement.

SAMHSA Response

SAMHSA is including the List of Disclosures requirement in the final rule to balance the flexibility of allowing a general designation in the “To Whom” section of the consent form against the protection of patient privacy. We understand commenter concerns about the technical feasibility of implementing the List of Disclosures requirement. However, there is no timeframe in which part 2 programs and lawful holders need to comply with the List of Disclosures requirements; only the condition that if they choose to have the option to disclose information pursuant to a general designation on the “To Whom” part of the consent form, they must also be capable of providing a List of Disclosures upon request per § 2.13(d). Because the general designation is not mandated on a consent form, this allows entities time to develop and test the technology needed for compliance with the List of Disclosures requirements or to decide not to disclose information pursuant to a general designation and not implement technology needed for compliance with the List of Disclosures provision.

Public Comments

A commenter said the List of Disclosures will impose a complex burden upon all parties involved in the disclosure and receipt of substance use disorder treatment, asserting that the disclosing party—if it is not a part 2 program—would need to know that the information being disclosed is subject to the part 2 requirements. The commenter said there may be a question of whether this type of disclosure would be prohibited per the Prohibition on re-disclosure provision, and this becomes more complex if further disclosures or re-disclosures take place.

SAMHSA Response

SAMHSA responds that the entity that serves as an intermediary should be provided a copy of the part 2-compliant consent form or the pertinent information on the consent form necessary for the intermediary to comply with the signed consent. The providers with a treating provider relationship with the patient whose information is being disclosed would be aware of the part 2 protections because the disclosure would also be accompanied by the prohibition on re-disclosure notice.

Public Comments

A commenter said SAMHSA has not addressed whether there will be a cost to the patient for obtaining a List of Disclosures. If patients will be required to pay a fee for this list of disclosures, the commenter said SAMHSA should establish a reasonable fee for the provision of the List of Disclosures.

SAMHSA Response

SAMHSA strongly encourages entities to provide the List of Disclosures at no charge to the patient.

4. Recommendations To Further Protect Patient Privacy

Public Comments

A commenter said SAMHSA should require the List of Disclosures to include all disclosures of the patient's health information, whether such disclosure was made pursuant to a consent form, QSOA, medical emergency, or any other means. Similarly, another commenter stated that, when a record of all uses and disclosures already exists, a program should be required to make that record available to a patient upon request. Other commenters asserted that the List of Disclosures should be presented to the patient at the time the consent is signed, rather than after the disclosures have been made. A commenter said patients should also be given the option, at the time of signing, to cross out entities to whom they do not want their information disclosed. Also, a commenter said patients should be informed of changes to the list that may now have access to their information.

Some commenters expressed concern that the List of Disclosures would be limited to disclosures made within the past two years, which does not allow the patient to learn about past data breaches. Some commenters recommended expanding the time period to five years or not including a time limit.

SAMHSA Response

In response to these concerns and recommendations about increasing patient privacy rights, SAMHSA clarifies that the List of Disclosures provision was proposed in the NPRM as a way to balance the revision to the consent form allowing a more general designation in the “To Whom” section, which is optional. The List of Disclosures provision is limited to information disclosed pursuant to the general designation by the entity that serves as the intermediary, but these entities as well as part 2 programs are not prohibited from providing patients with all available information. Patients will have the right to request this List of Disclosures and have it produced in a timely fashion; however, SAMHSA has chosen not to require entities to provide this information at the time of patient consent as this would be impossible because disclosure of the patient's information has not occurred at that point. SAMHSA also emphasizes that patients are not required to use a general designation in the “To Whom” section of the consent form. Therefore, patients can limit disclosures by a more concrete specification (i.e., named individual(s)).

In response the comments on expanding the time period that the List of Disclosures covers, this final rule's provision to limit the List of Disclosures to those made within the last two years does not preclude an entity that serves as an intermediary from providing the patient with a list covering disclosures made for periods greater than two years.

Public Comments

A commenter said SAMHSA should not include the sample language for a request for a List of Disclosures under the general designation in the final rule because HIPAA has shown that entities construe such sample language as mandates to use the sample language, thereby making it more difficult for an individual to request such information, and hindering their ability to obtain such information contrary to the intent of the proposed rule. The commenter suggested that SAMHSA, as part of this rule or in subregulatory guidance at a later date, recommend that certain criteria be included as part of an individual's request for such disclosures.

SAMHSA Response

SAMHSA did not intend for the sample language for a request for a list of disclosures provided in the NPRM to be construed as a requirement for requesting a List of Disclosures, but rather to assist patients in making such a request. SAMHSA is retaining the sample language in this rule.

Public Comments

A commenter asserted that states can set a higher standard than part 2, but the NPRM language would lead the patient to think that they could get information via unencrypted email. The commenter suggested the provision be modified to indicate that responses sent to the patient electronically may be sent by unencrypted email at the request of the patient “so long as it is not prohibited by applicable law.” In addition, the commenter said the final rule should require patients to be notified that there may be some level of risk that the information in an unencrypted email could be read by a third party. In addition, the commenter said the rule should state that, if patients are notified of the risks and still prefer unencrypted email, the patient has the right to receive the information in that way, and entities are not responsible for unauthorized access of the information while in transmission to the patient based on the patient's request.

SAMHSA Response

The language regarding unencrypted email transmissions appears in the NPRM preamble only and acknowledges both encrypted and unencrypted email as acceptable modes of transmission. The language goes on to say: “Responses sent to the patient electronically may be sent by encrypted transmission (e.g., encrypted email or portal), or by unencrypted email at the request of the patient, so long as the patient has been informed of the potential risks associated with unsecured transmission. Patients should be notified that there may be some level of risk that the information in an unencrypted email could be read by a third party. If patients are notified of the risks and still prefer unencrypted email, the patient has the right to receive the information in that way, and entities are not responsible for unauthorized access of the information while in transmission to the patient based on the patient's request. Before using an unsecured method to respond to a request for a list of disclosures, an entity should take certain precautions, such as checking an email address for accuracy before sending it or sending an email alert to the patient for address confirmation to avoid unintended disclosures.” SAMHSA does not intend to be prescriptive regarding how the information is relayed to the patient or to preempt applicable state law that may prohibit unencrypted transmission (see § 2.20).

Public Comments

A commenter said the NPRM abandoned the current statement that the rule does not restrict a disclosure that “an identified individual is not and has never been a patient.” The commenters said the new approach militates against fishing by third parties.

SAMHSA Response

SAMHSA agrees with the commenter that prohibiting a disclosure that “an identified individual is not and has never been a patient” mitigates against fishing by third parties. In the NPRM, SAMHSA proposed to remove the concept from § 2.13(c)(2) that the regulations do not restrict a disclosure that an identified individual is not and never has been a patient and has retained this position in the final rule.

Public Comments

Commenters made other recommendations relating to the proposed List of Disclosures requirement focused on generally improving patients' rights, including suggestions to keep information confidential; notify when a treating provider has accessed the patient's confidential information; ensure patient-approved information sharing; provide a process by which an individual can raise a complaint; and disclose to patients in plain language.

SAMHSA Response

SAMHSA acknowledges and shares the commenters' concerns with patient privacy. We believe that the List of Disclosures requirement as proposed in the NPRM is adequate to inform patients of how their information has been shared in the event that they provided a general designation in the “To Whom” portion of their consent. SAMHSA encourages entities to provide the information associated with a List of Disclosures in plain language and with sufficient specificity so that patients understand the List of Disclosures, including the brief description of the patient identifying information disclosed.

5. Other Comments and Recommendations on the List of Disclosures Provision

Public Comments

One commenter recommended that SAMHSA allow consent to include a description of HIE as a function to support patient care, and exclude this function from the information disclosure accounting [List of Disclosure] requirement.

A commenter recommended that SAMHSA offer additional guidance on best practices and make infrastructure grants available to create the necessary modifications within providers' EHRs or other consent tracking systems.

Some commenters made other suggestions. For example, a commenter requested that SAMHSA define “in writing” and “written requests” as those terms are used in the List of Disclosures provision (§ 3.13(d)). Another commenter urged SAMHSA to explore options to reduce the cost of the List of Disclosures provision and further clarify how the enhanced protection of substance use disorder treatment information can be consistent and interoperable with other health systems.

SAMHSA Response

As for the request to define “in writing” and “written requests” as those terms are used in the List of Disclosures provision, in the NPRM preamble discussion of Terminology Changes, SAMHSA explained that for the purposes of this regulation, we also propose that the term “written” include both paper and electronic documentation.

The consent requirements (§ 2.31) include the option of including in the “To Whom” section of the consent form the name of an entity that does not have a treating provider relationship with the patient whose information is being disclosed (and is not a third-party payer that requires patient identifying information for the purposes of reimbursement for the services rendered by the part 2 program) and either the name(s) of an individual participant(s); or the name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or a general designation of an individual or entity participant(s) or class of participant(s) who has a treating provider relationship with the patient whose information is being disclosed. Any HIE that serves as an intermediary is subject to the List of Disclosures requirement regardless of its other “functions.” Regarding the requests for guidance, SAMHSA may issue additional subregulatory guidance on this provision after this final rule is published.

G. Security for Records (§ 2.16)

SAMHSA is adopting this section as proposed except for some non-substantive, technical changes to the language in proposed § 2.16(a)(2)(i). SAMHSA is modernizing this section to address both paper and electronic records. First, SAMHSA revised the heading by deleting the word “written” so that it now reads: Security for Records. Secondly, SAMHSA clarified that this section requires both part 2 programs and other lawful holders of patient identifying information to have in place formal policies and procedures for the security of both paper and electronic records. Finally, SAMHSA has replaced language in other sections of part 2 with a reference to the policies and procedures established under § 2.16, where applicable. As noted above, SAMHSA has made some technical changes to the language in proposed § 2.16(a)(2)(i). In particular, to more closely align with the HIPAA Security Rule, SAMHSA has revised § 2.16(a)(2)(i) to require that part 2 program security for electronic records policies must include “creating, receiving, maintaining, and transmitting such records.” The proposed language was “copying, downloading, forwarding, transferring, and removing such records.”

Public Comments

Some commenters supported the proposed provisions on security and stated that they provide appropriate protections. However, many commenters asserted that the security provisions of HIPAA should be followed and that those requirements should satisfy the part 2 provisions.

A commenter also supported the use of internal confidentiality agreements.

A commenter expressed concern that the rule does not address what a non-part 2 provider who receives part 2 data must do to ensure adequate safeguards are in place. Similarly, another commenter expressed concern about security obligations that would be placed on other lawful holders, such as courts, law firms, family members, or other private citizens who are often not the types of providers subject to the current (1987) part 2.

One commenter recommended an expiration date for electronic records. Another commenter recommended that the use of secure, certified HIT be added as a requirement for part 2 program providers, as well as any services provided that conduct audits and evaluations related to transition of patient information.

SAMHSA Response

SAMHSA appreciates the support of commenters on this issue. On the issue of HIPAA, covered entities must comply with all regulations that are applicable to them. Because some entities subject to this rule are not subject to HIPAA, SAMHSA may provide subregulatory guidance after the rulemaking on the extent to which compliance with HIPAA security requirements, for those subject to them, will satisfy § 2.16. SAMHSA emphasizes that if an entity already has security practices and policies in place that meet the requirements of this rule, whether those practices were developed to meet the regulatory requirements or simply as a matter of good practice, the entity may not need to take additional action on this issue. In the NPRM, SAMHSA suggested resources for part 2 programs and other lawful holders for developing formal policies and procedures including materials from the HHS Office for Civil Rights (e.g., Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule), and the National Institute of Standards and Technology (NIST) (e.g., the most current version of the Special Publication 800-88, Guidelines for Media Sanitization).

On the issue of use of internal confidentiality agreements and the required use of secure, certified Health IT, § 2.16 provides requirements for formal policies and procedures to reasonably protect against unauthorized uses and disclosure of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. A part 2 program or other lawful holder of patient identifying information may impose any additional requirements that they feel will enhance protections.

With regard to security of the records lawfully obtained by non-part 2 programs, § 2.16 applies equally to these entities (referred to as lawful holders of patient identifying information). The required formal policies and procedures are intended to ensure protection of patient identifying information when electronic records are exchanged electronically using health IT, as well as when they are exchanged using paper records. In addition, the formal policies and procedures will have to address, among other things, the sanitization of hard copy and electronic media, which is addressed in the NPRM discussion of Disposition of Records by Discontinued Programs (§ 2.19). On the concern raised that § 2.16 places an unreasonable burden on courts, law firms, family members, or other private citizens who may obtain the information, a patient who has obtained a copy of his or her records or a family member or private citizen who has received such information from a patient would not be considered a lawful holder of patient identifying information in this context. Generally, consents and permissible disclosures are initiated by a lawful holder who desires the information and, therefore, the lawful holder would already be familiar with part 2.

H. Disposition of Records by Discontinued Programs (§ 2.19)

SAMHSA is modifying this section from that proposed in the NPRM in response to public comments, as discussed below. In this section, SAMHSA addresses the disposition of both paper and electronic records by discontinued programs, including added requirements for sanitizing paper and electronic media, which is distinctly different from deleting electronic records and may involve clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. SAMHSA expects the process of sanitizing paper media (including printer and facsimile (FAX) ribbons, drums, etc.) or electronic media to be permanent and irreversible, so that there is no reasonable risk that the information may be recovered. For the purpose of this rule, SAMHSA makes a distinction between electronic devices (something that has computing capability, such as a laptop, tablet, etc.) and electronic media (something that can be read on an electronic device, such as a CD/DVD, flash drive, etc.).

Public Comments

A commenter expressed support for the proposal related to disposition of records by discontinued programs. Another commenter recommended that the rule allow for “selective sanitizing,” using methods that will not require overwriting the entire electronic media. Two commenters asked about patient records when a program is acquired by another program. A commenter suggested that the rule should address situations in which a patient cannot be located or is deceased and cannot give consent. The commenter provided multiple suggestions relating to disposition of records, including permit more flexible means of storage; permit scanning and electronic storage of records; do not require transfer to a portable device; offer an option to store records in a production encrypted network storage device. This commenter also asserted that sanitation of electronic communications would not be feasible in organizations storing millions of electronic records; requiring storage of a portable electronic device in a sealed container does not add additional security if it is already encrypted; and deleting substance use information from records does not conceal the fact that someone has a substance use disorder but instead highlights the fact.

SAMHSA Response

SAMHSA acknowledges the support for the proposed provision. With regard to the issue of multiple sources of records, we have revised the language in the final rule to allow one year to complete the process of sanitizing paper or electronic media (see § 2.19(b)(2)(iii)). This change should allow for select patient records to be removed from both the specific site and any operational sources without disrupting other patient records. Regarding acquisition of one program by another, the § 2.19(a) regulatory text outlines the exceptions to removing patient identifying information from its records or destroying its records.

If the patient cannot be located or is deceased and cannot give consent, the part 2 program that has discontinued operations or is taken over or acquired by another program, must remove the patient's identifying information from its records, including sanitizing any associated hard copy or patient records or patient identifying information residing on electronic media, to render the patient identifying information non-retrievable in a manner consistent with policies and procedures under § 2.16.

Regarding comments on more flexible means of electronic record storage, SAMHSA has revised § 2.19(b)(2) to allow for more flexibility. The revised language allows for electronic records to be transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key (see § 2.19(b)(2)(i)); or transferred, along with a backup copy, to separate electronic media, so that both the records and the backup have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key (see § 2.19(b)(2)(ii)). For electronic storage of the records, if the records are scanned, they would have to be maintained consistent with § 2.19(b)(2) and the paper records would have to be destroyed consistent with § 2.16. Regarding portable device storage, the final § 2.19 language specifies that the portable electronic device or the original and backup electronic media must be sealed in a container along with any equipment needed to read or access the information. The sealed container prevents the portable electronic device or the original and backup electronic media from being separated from the equipment needed to read or access the information.

I. Notice to Patients of Federal Confidentiality Requirements (§ 2.22)

SAMHSA is adopting this section as proposed. Consistent with the NPRM, SAMHSA considers the term “written” to include both paper and electronic documentation. Accordingly, the notice to patients may be either on paper or in an electronic format. SAMHSA also revised § 2.22(b)(2) to require the statement regarding the reporting of violations to include contact information for the appropriate authorities.

Public Comments

Several commenters expressed support for the proposed provisions, particularly the allowing of electronic notice, and they encouraged the use of plain language and notices in languages other than English. Several commenters recommended that SAMHSA should make a sample notice or language available to covered entities. One commenter asked how written notice can be provided for encounters that are not in person.

Other commenters suggested that the patient be given copies rather than written summaries of state and federal law; a paper report, if requested; the right to request and obtain restrictions; and a description of how patient information may be disclosed for scientific research.

SAMHSA Response

The final rule requires that the notice include contact information for the appropriate authorities for reporting violations. SAMHSA believes this change will make it easier for patients to identify to whom they should file a complaint of a potential violation of part 2. Therefore, SAMHSA declines to include a sample complaint form at this time but may consider whether to issue one outside of this rulemaking process. SAMHSA also declines to require copies rather than summaries of state and federal law because the notice to patients of federal confidentiality requirements is required to provide citations to the federal law and regulations that protect the confidentiality of patient records and including information concerning state laws and regulations is optional. The notice must also be provided in writing but as was discussed in Terminology Changes (§ 2.11), the term “in writing” includes both paper and electronic documentation. Because the purpose of the notice is to communicate to the patient the federal law and regulations that protect the confidentiality of patient records, SAMHSA declines to require anything additional. However, if a part 2 program wishes to provide additional information, nothing in this provision prohibits them from doing so.

J. Consent Requirements (§ 2.31)

SAMHSA is finalizing the consent requirements in this section, with certain modifications as described in greater detail below. In summary, SAMHSA is adopting all proposed changes to § 2.31 except for two at this time. In the “From Whom” section of the consent requirements (§ 2.31(a)(2)), SAMHSA decided not to finalize its proposal to remove the general designation option, but did make minor updates to the terminology in the current (1987) regulatory text. As explained in greater detail below, the final “From Whom” provision of the consent requirements specifies that a written consent to a disclosure of part 2 information must include the specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure. SAMHSA also decided not to finalize the proposed requirement that a part 2 program or other lawful holder of patient identifying information obtain written confirmation from the patient that they understand the terms of the consent.

SAMHSA has revised the section heading from “Form of written consent” to “Consent requirements.” SAMHSA also made revisions to the two other sections of the consent form requirements: the “To Whom” section and the “Amount and Kind” section. SAMHSA also revised § 2.31 to require a part 2 program or other lawful holder of patient identifying information to include on the consent form that patients, when using a general designation in the “To Whom” section of the consent form, have the right to obtain, upon request, a List of Disclosures (see § 2.13). In addition, SAMHSA revised § 2.31 to permit electronic signatures to the extent that they are not prohibited by any applicable law.

1. General Comments on Consent Requirements

a. General

Public Comments

SAMHSA received many comments on the proposed rule's updated consent requirements. Some commenters generally supported the new consent requirements. Other commenters listed various reasons for their support, including increased facilitation of informed patient decisions, increased patient choice with regard to protection of their health information, and increased sharing of health care records among providers. One commenter supported the use of paper and electronic forms of written consent.

Many commenters, however, expressed general opposition to the proposed consent requirements. Several commenters argued that the proposed rule created unnecessary burdens for providers, such as staff training, constant updates to consent forms, and expensive updates to provider EHRs. Several commenters argued the proposed consent rules would create obstacles to information sharing and integrated care. Specifically, a commenter argued that the “To Whom” and “From Whom” format restricts who within organizations can view a patient's records, further hampering coordinated care. Another commenter argued that the proposed consent form requirements would make it difficult for many HIEs to exchange part 2 information, and that the new requirements do little to promote a patient's informed consent. A couple of commenters argued that the proposed regulations would reduce access to substance use disorder treatment being added by general health care organizations, due to administrative burden and liability fears. General health care providers are less likely to add substance use disorder treatment, or partner or undertake projects with substance use disorder treatment providers. Another commenter stated this rule may result in providers not screening patients for substance use disorders and not documenting substance use disorder related information.

According to a few commenters, the current part 2 regulations exceed the statutory requirements that led to the regulations. One commenter suggested that 42 U.S.C 290dd-2 requires consent to share information and does not allow any shared information to be used for prosecution. The commenter goes on to state that nothing in Title 42, U.S.C. 290dd-2 requires an explicit description of what information can be released, or requires time limits on consent. The commenter suggested that SAMHSA could reduce confusion and administrative burden by proposing revisions that are much more consistent with HIPAA than its current proposal.

SAMHSA Response

Regarding the comments on statutory authority, we do not agree that the regulations in 42 CFR part 2 exceed the authority provided for in 42 U.S.C. 290dd-2. The statute specifies that patient identifying information may be disclosed in accordance with prior written patient consent, “but only to such extent under such circumstances, and for such purposes as may be allowed under regulations prescribed” by the Secretary.

Regarding concerns about unnecessary burdens for providers, such as staff training, constant updates to consent forms, and expensive updates to provider EHRs, these burdens might be offset by the benefits of increased in flexibility in the consent requirements. With respect to obstacles to information sharing, one of SAMHSA's goals for this rulemaking is to ensure that patients with substance use disorders have the ability to participate in and benefit from new integrated health care models without fear of putting themselves at risk of adverse consequences.

Public Comments

Some commenters stressed that consent forms should be easy to read, accessible to limited English proficiency patients, and should meet HIPAA's plain language requirements. Commenters stated that language and literacy concerns could be barriers to actual understanding of the form's contents. Similarly, suggesting that SAMHSA take into account the reading level standards in other health programs, including Medicare and Medicaid, one commenter asserted that the proposed regulations do not provide adequate options for an individual to easily and simply determine who can or cannot access their substance use disorder records.

SAMHSA Response

SAMHSA agrees with the commenters that the consent form should be written clearly so that the patient can easily understand the form. SAMHSA is considering issuing subregulatory guidance in the future to provide examples of forms that comply with the basic consent requirements in 2.31(a). In addition, SAMHSA encourages part 2 programs to be sensitive to the cultural and linguistic composition of their patient population when considering whether the consent form should also be provided in a language(s) other than English (e.g., Spanish).

b. Consent Form Validity Period

Public Comments

Several commenters stated that a two-year time limit for the validity of consent is insufficient, with some commenters suggesting that consent forms be valid indefinitely or until death. For example, one commenter asked why SAMHSA would deny a person who has received substance use disorder treatment the right to decide that they want any and all information regarding their treatment shared with any and all of their health care providers indefinitely as needed for coordination of care. Another commenter stressed the language of § 2.31(a) was confusing and requested clarification on the permissible length of time a consent is valid.

SAMHSA Response

Under § 2.31, a part 2-compliant consent form must list the date, event, or condition upon which the consent will expire, if not revoked before. Thus, it is not sufficient under part 2 for a consent form to merely state that that disclosures will be permitted until the consent is revoked by the patient. It is, however, permissible for a consent form to specify the event or condition that will result in revocation, such as having its expiration date be “upon my death.” The rule does not set a two-year time limit for consents, as some commenters thought.

c. Technical Challenges to Proposed Consent Requirements

Public Comments

Commenters expressed concern about the technical challenges providers would face in complying with the proposed consent requirements. Generally, commenters expressed concern that few, if any, EHR systems and/or HIEs have the capability to segregate substance use disorder patient information in a way that could fully support the rule by reflecting the patient's consent choices, and many providers would have to expend significant amounts of funds to create or acquire a compliant system. Commenters argued that if providers do not have data segmentation capability, they may simply exclude substance use disorder patient data from their systems, thus adversely impacting system integration and patient care.

A couple of commenters asserted that EHR, HIE, and other electronic records systems have no way of selecting different levels of consent for treating providers. Specifically, a commenter stated that SAMHSA should remove requirements for varied levels of consent within a given organization (e.g., between departments or individuals), instead limiting such variation to HIEs that share information between or across organizations. A commenter stated that it is not feasible to do individual exclusionary consents in an HIE, especially for an entity that has thousands of employees across multiple states.

A commenter stated that providers in an integrated care network may be precluded from performing important quality improvement checks because no set of clinically integrated network officials can be expected to have a direct treatment relationship with every patient in the large data pools necessary to drive these important public health efforts.

A commenter stated that the confidentiality of a substance use disorder patient's information should not be compromised if some electronic systems were poorly designed and without regard for part 2. Similarly, another commenter stated that technology should be regarded as a tool and should not diminish a patient's privacy rights.

SAMHSA Response

SAMHSA acknowledges the concerns regarding technical challenges to the consent requirements and data segmentation more broadly. As stated above, SAMHSA has played a significant role in encouraging the use of health IT by behavioral health (substance use disorders and mental health) providers and towards minimizing technical burdens through a variety of activities. SAMHSA actively participates in the development and stewarding of data standards to promote data segmentation and interoperability. Specifically, the Data Segmentation for Privacy (DS4P) initiative within ONC's Standards and Interoperability (S&I) Framework facilitated the development of standards to improve the interoperability of EHRs containing sensitive information that must be protected to a greater degree than other health information due to 42 CFR part 2 and similar state laws. The DS4P standards were used in several pilot projects, including the Department of Veterans Affairs (VA)/SAMHSA Pilot, which implemented all the DS4P use cases and passed all conformance tests; and SAMHSA's Opioid Treatment Program (OTP) Service Continuity Pilot that connected OTPs to an HIE to facilitate continuity of care during disasters or other unexpected disruptions in service. Additionally, DS4P standards were adopted in ONC's 2015 Edition final rule (80 FR 62702, Oct. 16, 2015) as part of the 2015 Edition Health IT Certification Criteria (2015 Edition). See 45 CFR 170.315(b)(7) and (8). SAMHSA has also supported the development of the application branded Consent2Share, an open-source health IT solution based on DS4P, which assists in consent management and data segmentation and is currently being used by the Prince Georges County (Maryland) Health Department to manage patient consent directives while sharing substance use disorder information with an HIE. SAMHSA is currently updating Consent2Share, slated for release in late 2016, with the aim that its streamlined data stack and improved functionality will lower barriers to implementation in the field. SAMHSA is considering issuing subregulatory guidance in the future to address other technical solutions to complying with the regulation.

Regarding the comment that it is not feasible to do individual exclusionary consents in an HIE, the HIE does not have to give the patient the option to do individual level consent. SAMHSA has provided more flexibility in the consent provisions in an effort to ensure that patients with substance use disorders have the ability to participate in and benefit from new integrated health care models while, at the same time, maintaining core confidentiality protections.

d. Requests for Exemptions and Exceptions

Public Comments

Several commenters requested various exemptions or exceptions from the part 2 consent requirements, including a public health exception similar to that of the HIPAA Privacy Rule (see http://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html ), an exemption for CCOs who have a treating relationship with a patient, an exemption for ACOs who have integrated delivery systems, an exception for state health data organizations that collect data under legislative authority and collection of substance use disorder data by state agencies, and in instances where part 2 data may be used to improve patient care coordination, ensure interoperability, and ensure patient safety. One commenter requested an exception for care coordination purposes for valid and vital clinical reasons.

Regarding § 2.20 (Relationship to state laws), a commenter said SAMHSA should include an exception under part 2, subpart D (Disclosures Without Patient Consent) allowing disclosures of substance use disorder treatment information based on state laws that authorize or compel such disclosures (e.g., for public health or medical assistance reasons). Another commenter, noting the role of multi-payer claims databases or MPCDs (also known as all payer claims databases (APCDs)), suggested that SAMHSA add a new section to include state health data organizations that collect data under a legislative authority, reasoning that these states have decades of experience in collecting and managing sensitive data with strict legal and policy controls.

A commenter said SAMHSA should permit oral consent with documentation and specific information to be shared.

SAMHSA Response

SAMHSA appreciates the perspectives expressed by those who seek additional exceptions or exemptions from part 2 consent requirements, as well as the suggestion that SAMHSA permit oral consents that are documented in writing.

The part 2 underlying statute, 42 U.S.C. 290dd-2, and this rule require a written patient consent to disclose part 2 information unless the disclosure is otherwise permitted under the part 2 statute or regulations. The statute, for instance, does not provide a general exception to the consent requirement for the purpose of sharing information with public health officials. In certain circumstances, disclosures of part 2 information may be authorized by court order to protect against an existing threat to life or of serious bodily injury (see § 2.63, Confidential communications) or to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained (see § 2.51, Medical emergencies). SAMHSA may in the future consider issuing subregulatory guidance to further describe medical emergencies under § 2.51 and how such emergencies may relate to public health emergencies declared at the federal, state, local, and/or tribal levels. SAMHSA does not, however, have the statutory authority to authorize routine disclosure of part 2 information for public health reporting, surveillance, investigation or intervention purposes.

With respect to § 2.20 (Relationship to state laws), in the proposed and final rules SAMHSA maintains current language regarding preemption. As discussed above, SAMHSA cannot develop a new general exception for public health or medical assistance purposes in light of the statute. Likewise, SAMHSA cannot develop a specific new exception for APCDs (hereinafter referred to as MPCDs). The role of MPCDs is discussed in the section of this preamble concerning research (§ 2.52). SAMHSA disagrees with the recommendations to consider a specific exemption to the consent requirements for ACOs that have integrated delivery systems, except as described in § 2.53 for the purposes of audits and evaluations. Similarly, SAMHSA is not accepting the suggestion to provide a specific exemption from the part 2 consent requirements for CCOs that have a treating provider relationship with a patient (i.e., that meet the definition of having a treating provider relationship with the patient whose information is being disclosed). SAMHSA believes that the final changes to the consent requirements will facilitate care coordination and information exchange. Improving the quality of substance use disorder care depends on effective collaboration of mental health, substance use disorder, general health care, and other service providers in coordinating patient care. However, the composition of a health care team varies widely among entities. Because SAMHSA wants to ensure that patient identifying information is only disclosed to those individuals and entities on the health care team with a need to know this sensitive information, we are limiting a general designation in the “To Whom” section of the consent requirements to those individuals or entities with a treating provider relationship. Patients may further designate their treating providers as “past,” “current,” and/or “future” treating providers. In addition, the consent form can include multiple authorizations in the “To Whom” section. A consent may allow a patient to designate, by name, one or more individuals with whom they do not have a treating provider relationship, that they authorize to receive or access their health care data.

While we are not establishing specific additional exemptions or exclusions from the consent requirements at this time in response to commenters' suggestions, in light of the longstanding role that contractors and subcontractors play in the health care system and their handling of part 2 data, we are issuing an SNPRM related to lawful holders' use of contractors and subcontractors.

e. Commenter Recommendations

Public Comments

Some commenters said SAMHSA should expand the list of persons who could view the patient's medical record without the patient's written consent to include clergy, social workers, psychologists and family members if in their professional opinion they were necessary for the patient's recovery and progress. Another commenter recommended expanding the list to include all types of professionals involved in the treatment of individuals receiving substance use treatment into the respective definitions, including those employed in social services that are members of the treatment team.

SAMHSA Response

The definition of “treating provider relationship” is sufficiently broad to cover the necessary components of a patient's care team. The statute, 42 U.S.C. 290dd-2, does not provide an exception to the consent requirement for the purpose of sharing information with family members. Part 2, therefore, requires a part 2-compliant consent to disclose patient identifying information unless disclosure is otherwise permitted under the statute or regulations.

Public Comments

Many commenters said SAMHSA should provide a sample consent form. Some commenters stated that any sample consent form should not be mandated to allow stakeholders flexibility.

SAMHSA Response

SAMHSA may, after publication of this rule, issue subregulatory guidance that includes a sample consent form that meets the specifications of the final rule. SAMHSA has never and has no intention of mandating the use of a specific consent form.

Public Comments

Several commenters generally supported the use of electronic signatures. Several commenters only supported electronic signatures when also authorized under state law. A couple of commenters requested guidance on what steps the provider would need to take to verify identity, provide the required prefatory information and to obtain a substance use disorder patient's electronic signature. A commenter requested guidance from SAMHSA on the areas modified by SAMHSA. A commenter said SAMHSA should identify the signatory and enforceability consideration of electronic consent through reference to other laws.

SAMHSA Response

Because there is no single federal law on electronic signatures and there may be variation in state laws, SAMHSA recommends that stakeholders consult their attorneys to ensure they are in compliance with all applicable laws.

Public Comments

Some commenters made recommendations for patient privacy protection. One commenter noted that the use of secure, certified health IT, networks, and devices, especially for the transmission of patient records, does not appear to be included in the proposed provisions. Another commenter said meaningful consents could only be achieved by adding statements that inform the patient of the unprecedented risks of making highly sensitive substance use disorder information accessible throughout integrated health care systems or electronic health information systems that cannot be made secure.

A commenter stated the proposed rule did not address revocation or refusal of consent. Similarly, another commenter recommended adding language that makes clear that revocation of consent prevents unauthorized access but does not remove the information from the electronic record.

SAMHSA Response

Section 2.16 addresses security for records and requires formal policies and procedures to reasonably protect against unauthorized use and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. Whereas this provision does not specifically address the use of certified health IT networks, and devices, they may be used as long as the requirements of section 2.16 are met. Regarding revocation of consent, § 2.31(a)(6) requires: “A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer.” To the extent an individual refuses to consent to the disclosure of their patient identifying information, part 2 prohibits such disclosure unless otherwise permitted under the statute or regulations (e.g., audit or evaluation, or scientific research).

2. To Whom

SAMHSA is adopting this aspect of the proposal. SAMHSA has moved the former § 2.31(a)(2), “To Whom” provision, to § 2.31(a)(4). The following table provides an overview of the options permitted when completing the designation in the “To Whom” section of the consent form.

Table 1—Designating Individuals and Organizations in the “To Whom” Section of the Consent Form

42 CFR 2.31 Individual or entity to whom disclosure is to be made Treating provider relationship with patient whose information is being disclosed Primary designation Required additional designation
(a)(4)(i) Individual Yes Name of individual(s) (e.g., Jane Doe, MD) None.
(a)(4)(i) Individual No Name of individual(s) (e.g., John Doe) None.
(a)(4)(ii) Entity Yes Name of entity (e.g., Lakeview County Hospital) None.
(a)(4)(iii)(A) Entity No Name of entity that is a third-party payer as specified under § 2.31(a)(4)(iii)(A) (e.g., Medicare) None.
(a)(4)(iii)(B) Entity No Name of entity that is not covered by § 2.31(a)(4)(iii)(A) (e.g., HIE, or research institution) At least one of the following: 1. The name(s) of an individual participant(s) (e.g., Jane Doe, MD, or John Doe). 2. The name(s) of an entity participant(s) with a treating provider relationship with the patient whose information is being disclosed (e.g., Lakeview County Hospital). 3. A general designation of an individual or entity participant(s) or a class of participants limited to those participants who have a treating provider relationship with the patient whose information is being disclosed (e.g., my current and future treating providers).

If a general designation is used, the entity must have a mechanism in place to determine whether a treating provider relationship exists with the patient whose information is being disclosed. Patients may further designate their treating providers as “past,” “current,” and/or “future” treating providers. In addition, a patient may designate, by name, one or more individuals on their health care team with whom they do not have a treating provider relationship.

a. General

Public Comments

Several commenters generally agreed with the proposed “To whom” section of the consent requirements, stating that it allows patients to disclose substance use disorder information to past, current, or future treating providers; would improve information and data sharing for health care, especially for entities that are continually adding new members; allow patients to remain in control of their substance use disorder information and understand who had access to their data. One commenter supported the express permission to designate the name of the entity for third-party payers that require patient identifying information for purposes of reimbursement of services rendered to the patient.

Many commenters offered general support for the proposed rule's general designation. Some commenters stated that the general designation creates a balance between patient privacy and operational functions, facilitates internal communication within an integrated delivery system, streamlines the consent process, reduces administration burdens, creates new flexibility, may help facilitate increased behavioral health participation in some HIEs around the country, and would help improve the quality and continuity of care within integrated delivery models. A commenter supported the expansion of the use of a general designation when there is a treating provider relationship, but said it is unworkable to require an updated consent form every time new entities are added to the “umbrella” consent.

Some commenters generally disagreed with the proposed “To Whom” provision of the consent requirements. Several commenters argued that the proposal was burdensome, would create additional complexity, would reduce information sharing, and would not improve patient privacy protections or facilitate informed consent. Commenters stated it is unnecessary and impractical to require the consent form to name every HIE and other intermediaries that may assist in transmitting or providing access to the patient's information. A couple of commenters stated the proposed rule would restrict the ability of patients to specifically name an entity or to authorize part 2 programs to send their information to entities that do not have a treatment relationship [treating provider relationship]. Another commenter said the regulatory preface mentions a number of very specific drivers of this purported need for broader sharing (such as HIEs), but the regulatory language itself contains no such limitation and offers HIE only as an illustrative example.

Many commenters specifically did not support the general designation in the “To Whom” section. Some commenters claimed that the proposal presumes each person entering a treatment process has the ability to understand the longer-term consequences, or that substance use disorder patients, who are under tremendous stress, would simply choose the general designation because it was easiest. A commenter said the general designation does not guarantee that a HIE or other organizations will send all patient data, which could be a critical source of information in the case of an emergency.

SAMHSA Response

A patient may consent to designate, for example, an HIE (an entity that does not have a treating provider relationship with the patient whose information is being disclosed) and “all my treating providers” (a general designation of an individual or entity participant(s) or a class of individual or entity participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed). Using the same concept, an ACO, pursuant to a general designation, may disclose information described in the “Amount and Kind” section of a consent form (explained further in 3. Amount and Kind) to “all my entity treating providers.” If a general designation is used, the entity must have a mechanism in place to determine whether a treating provider relationship exists with the patient whose information is being disclosed (e.g., an attestation). In the HIE and ACO examples above, the entity that does not have a treating provider relationship with the patient whose information is being disclosed and serves as the intermediary may not further disclose the patient identifying information except to those providers who have a treating provider relationship with the patient whose information is being disclosed that can be verified by the intermediary. The prohibition on re-disclosure notice must be provided with the disclosure because it also applies to the treating provider(s) who receive the information from the entity that serves as an intermediary. In addition, a copy of the part 2-compliant consent form or the pertinent information on the consent form necessary for the treating provider(s) to comply with the signed consent should be provided with the disclosure.

The patient retains the ability to name only specific individuals or entities to whom their records will be disclosed. Patients have the option to use a general designation to designate entities with which they have a treating provider relationship, but are not required to do so. Although SAMHSA received comments suggesting that the proposed rule makes it more difficult to disclose necessary information to an organization that does not have a treating provider relationship with the patient whose information is being disclosed other than a 3rd party payer, the commenters did not provide examples of such entities. The final rule permits the “To Whom” section of the consent form to designate disclosure of information to an entity that does not have a treating provider relationship with the patient whose information is being disclosed, as long as the consent also includes one of three options specified in § 2.31(a)(4)(iii)(B), for example, include the name(s) of an individual participant(s).

If the patient designates all my current treating providers, and another of the patient's treating providers becomes a participant in the entity that does not have a treating provider relationship with the patient and serves as the intermediary, a new consent form would not be required. For example, if a patient designates an HIE (an entity that does not have a treating provider relationship with the patient whose information is being disclosed and serves as an intermediary) and “my current treating providers,” and subsequently another of the patient's treating providers becomes a participant in the HIE, a new consent form would not be required. In addition, more than one HIE or other intermediary may be listed on the consent form. With respect to burden, SAMHSA acknowledges that there may be burdens associated with the revised consent requirements. SAMHSA made these changes based on comments from stakeholders in the field and SAMHSA strongly believes that the changes to “To Whom” will increase flexibility for patients and providers.

b. Determination of Treating Provider Relationship

Public Comments

A commenter agreed with SAMHSA's suggestion that entities must have an established mechanism for determining whether a treating provider relationship exists. However, several commenters stated that determining who has a treating provider relationship would be difficult. Commenters expressed concern that entities do not currently have mechanisms in place to determine whether a treating provider relationship exists with the patient whose information is being disclosed. Another commenter asked how an HIE would be able to determine which participants have a past/present/future treating provider relationship with the patient. A commenter stated that creating this mechanism would require additional resources and would discourage entities from sharing necessary data. Another commenter recommended a provision that exempts the provider from liability when relying in good faith on an attestation or representation from an outside treating provider.

Several commenters expressed concern that once a consent reflecting a general designation of recipients with a treating provider relationship has been executed and relied upon by the part 2 program, there is no method by which the program can ensure that the recipients are properly authenticated by the HIE or research institution. Commenters suggested the proposed rule should specify that the HIE, ACOs, CCOs or research institution, as well as the recipient that has a treating provider relationship with the patient, be responsible for ensuring that the recipient is actually a treating provider and that the disclosure is appropriate under part 2.

A commenter requested clarification on whether care managers would be included as having a “treating provider relationship.” Another commenter requested clarification as to whether care coordinating entities that have a treating provider relationship may assign additional designees under the general designation (e.g., treatment providers with different levels of care or recovery services).

Commenters recommended the language in the “To Whom” clause state “my treating providers” or “my service providers.” A commenter recommended “my substance use disorder providers” or “my treating providers except Dr. John Doe.” Another commenter recommended “my treating providers and transferring HIEs”

SAMHSA Response

Although SAMHSA understands the concerns about further clarifying when an entity is considered a treating provider, it respectfully declines to provide more specificity in the final rule than was included in the NPRM. The arrangements between treating providers and other entities evolve too rapidly to be comprehensively addressed in regulations. Although, SAMHSA has not revised the proposed text, SAMHSA may provide additional subregulatory guidance in the future if further clarification is needed. In addition, only individuals and entities that meet the definition of having a treating provider relationship with a patient are considered treating providers. The determination is fact-specific. Consistent with the NPRM, SAMHSA continues to encourage innovative solutions to implement this provision. For example, an HIE could have a policy in place requiring their participant providers to attest to have a treating provider relationship with a patient, or provide a patient portal where patients designate their treating providers.

c. Requests for Clarification

Public Comments

Some commenters requested clarification regarding the patient's role in consent, including the patient's ability to alter their consent, how patients can authorize disclosures to non-health entities other than third-party payers, and what the impact would be if a patient failed to designate past, present, and future disclosures. One commenter stated that, if a patient designates an entity without a treating provider relationship and “my treating providers” without further specifying “past, present, or future,” it should be assumed that the intent is to designate “current” treating providers.

SAMHSA Response

Patients may designate on the consent form a specific individual(s) with whom they either have or do not have a treating provider relationship and/or a specific entity(-ies) with whom they have a treating provider relationship. Consents for disclosures to entities that do not have a treating provider relationship (other than third-party payers) require at least one of the following: (1) The name(s) of an individual participant(s); (2) the name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or (3) a general designation of an individual or entity participant(s) or a class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed.

If a patient uses a general designation and lists “my treating providers” without further specifying “past, current, or future,” it should be presumed that the intent is to designate “current” treating providers. Finally, a patient can revoke a consent at any time, except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer.

Public Comments

Other commenters requested clarification regarding entity roles, including whether a CCO can request a single consent for multiple purposes (e.g., care coordination, treatment, and payment); whether providers need to maintain the variety of forms to meet the requirements of § 2.31(a)(4); what limitations (if any) would be placed on HIE entities or research institutions using substance use disorder information received via the new consent process, specifically whether the disclosure would not be limited to treatment purposes; and whether an HIE-to-HIE disclosure is permissible and, if so, for what purposes. A few commenters asked whether it would be permissible to list multiple HIEs on a consent form. Similarly, another commenter recommended SAMHSA adopt a broad definition of an HIE to allow a “network of networks,” such as the statewide health information network to be considered an HIE. A commenter requested clarification as to whether 42 CFR part 2 information can flow through other HIEs not designated on the consent form to transfer the information to the recipient.

A few commenters requested clarification on how the proposed changes would impact multi-party consent forms that allow disclosure “among and between” all the parties listed on the form. Similarly, a commenter requested clarification regarding the “To Whom” and “From Whom” definitions and how they would apply between two providers to whom a patient has independently given consent to receive information, urging that the definitions be general and consistent so that they allow for bi-directional flow of information.

A commenter said SAMHSA should clarify that the provision of general consent to disclosure of substance use disorder treatment also applies to disclosure of information between those responsible for treatment in the community and those responsible for treatment in correctional settings.

SAMHSA Response

Under the changes to the consent requirements, an entity that does not have a treating provider relationship with the patient may further disclose, with a part 2-compliant consent, to a named individual who does not have a treating provider relationship with the patient.

Section 2.31(a)(4) of the consent requirements may be completed with one or more recipients. Section 2.31(a)(5) of the consent requirements requires that the consent form include the purpose of the disclosure. Part 2 allows the use of a single consent form authorizing the disclosure of part 2 patient information to different recipients for different purposes. However, part 2 also requires a consent form to specify the amount and kind of information that can be disclosed, including an explicit description of the substance use disorder information that may be disclosed, to each of the recipients named in the consent. The amount of information to be disclosed “must be limited to that information which is necessary to carry out the purpose of the disclosure (see § 2.13(a)). This will vary depending on the different purposes for which different recipients are being allowed to access or receive the information. Thus the consent form would have to be structured to make it clear what information may be given to each of the recipients, and for which purposes.

Disclosure of patient identifying information made with the patient's written consent must be accompanied by a written notice regarding the prohibition on re-disclosure (see § 2.32). This notice informs them that 42 CFR part 2 prohibits the recipients of the patient identifying information from re-disclosing it to any individual or organization not specified in the consent form unless otherwise permitted under the part 2 statute or regulations.

The rule includes an additional patient safeguard, in which patients who have included a general designation in the “To Whom” section of their consent form (see § 2.31) must be provided, upon request, a list of entities to which their information has been disclosed pursuant to the general designation.

With respect to multi-party consent, SAMHSA is not finalizing the “From Whom” provision (2.31(a)(2)) as proposed for the reasons discussed in 4. “From Whom.” Therefore, consents may authorize disclosures “among and between” the parties designated in the “To Whom” and “From Whom” sections of the consent form.

Public Comments

Some commenters requested clarification regarding aspects of the “To Whom” provision, such as what would happen if a person does not want to give a general designation; how the process of designating past, present, and future treating providers would work in practice; whether a Performing Provider System (PPS) could be assigned in the “To Whom” section of the consent form; and whether a health care organization would be an appropriate entity to be named for disclosure.

With regard to third-party payers, a commenter asked whether a general designation for third-party payers could be used for other purposes, such as care coordination, population health, or other services that may fall under the definition of health care operations within the meaning of HIPAA. Some commenters recommended that third-party payers should not have to be listed in the “To Whom” section of the consent form.

SAMHSA Response

With regard to third-party payers, the regulations require written consent for disclosure of patient identifying information to third-party payers. The statute does not provide an exception to this consent requirement. However, with respect to patients who have both a substance use disorder and a mental illness, § 2.15 of the regulations states that, in the case of a patient, other than a minor or one who has been adjudicated incompetent, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer. In addition, in the case of minor patients, § 2.14 of the regulations states the regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.

If an individual does not want to use a general designation, they have several other options, which are enumerated in § 2.31(a)(4) of this final rule.

If a patient does not designate “current, past, and/or future” treating provider(s), the presumption is that the patient means “current treating provider(s).” SAMHSA may, after publication of this final rule, also provide further clarification on this process of designating past, present, and future treating providers in subregulatory guidance.

Whether a PPS or a health care organization may be listed in the “To Whom” section of the consent form depends upon whether they have a treating provider relationship with the patient whose information is being disclosed. If an entity does have a treating provider relationship with the patient, the entity name may be listed on the consent (see § 2.31(a)(4)(ii)). However, if the entity does not have a treating provider relationship with the patient whose information is being disclosed, and is not a third-party payer, the entity name may be listed on the consent form as long as one or more of the following is also listed: (1) The name(s) of an individual participant(s); (2) the name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or (3) a general designation of an individual or entity participant(s) or a class of participants that must be limited to those participants who have a treating provider relationship with the patient whose information is being disclosed.

SAMHSA plans to address issues concerning third-party payer use and disclosure of part 2 information in greater detail in an SNPRM.

d. Commenter Recommendations

Public Comments

Commenters recommended more flexibility in the “To Whom” section. Commenters recommended that SAMHSA expand the general designation to include all of the various participants in the modern health care system and their respective activities: Providers, care managers, health plans and ACOs, MCO services, CCOs, and similar integrated health care networks. One commenter said the general designation should include those who do not have a treating provider relationship with the patient but who/which require access to the patient's information solely in relation to fulfilling a specific function for the benefit of the individual or entity that has the treating provider relationship with specific patients. Another commenter requested that SAMHSA allow patients to generally consent to disclose information to any company assisting in processing their insurance claims. Another commenter suggested that patients be able to name as many treating providers as they wish under the general designation. One commenter said patients should be permitted to provide a generalized consent for all of their previous providers to disclose information. One commenter said generic consent (i.e., disclosure through an HIE) is all that should be required because SAMHSA has previously provided guidance that HIEs may have access to part 2 information under a QSO agreement without patient consent. A commenter said the rule should allow for the general designation of certain types of non-treating providers, rather than require a listing of the name of each entity.

In contrast, other commenters suggested increased limitations on the “To Whom” designation. A commenter proposed excluding health information networks and health information organizations (HIOs) from being specifically identified on patient consent form because they are not true recipients of patient health information and simply facilitate electronic exchange of information. One commenter recommended that SAMHSA preserve the patient's right of consent to disclosures only to specifically identified practitioners involved in their mental health treatment.

Regarding third-party payers, several commenters recommended allowing third-party payers to act as intermediaries for purposes of sharing substance use disorder information, allowing them to share information with all of the patient's treating providers. Another commenter requested general designation for third-party payers. To accommodate the operational realities of Medicaid, a commenter stressed that the rule should explicitly provide that consent to disclose covered data to Medicaid constitutes consent to release such data to Medicaid or to the payer's contracted entity (e.g. the MCO) to apply to both entities as a third-party payer. Similarly, another commenter recommended that the rule consider a designation to the name of the state agency, the MCO, or simply Medicaid as consent that applies to the state and its contracted delivery system, reasoning that not all Medicaid beneficiaries understand their health care system.

SAMHSA Response

SAMHSA acknowledges the commenters' concerns related to the recommendations above. SAMHSA has concluded that the proposed changes to the consent requirements would facilitate care coordination and information exchange. Improving the quality of substance use disorder care depends on effective collaboration of mental health, substance use disorder, general health care, and other service providers in coordinating patient care. However, the composition of a health care team varies widely among entities. Because SAMHSA wants to ensure that patient identifying information is only disclosed to those individuals and entities on the health care team with a need to know this sensitive information, we are limiting a general designation to those individuals or entities with a treating provider relationship. Patients may further designate their treating providers as “past,” “current,” and/or “future” treating providers. In addition, a patient may designate, by name, one or more individuals on their health care team with whom they do not have a treating provider relationship. SAMHSA clarifies that a QSO can be used to share part 2 information with the HIE when the HIE is a service provider to the part 2 program, but the QSO cannot be used to share information with the members of an HIE without patient consent.

As for third-party payers and others, SAMHSA must balance the need for and benefits of care coordination with the need for consent and the requirements of the part 2 governing statute. SAMHSA declines to adopt commenter recommendations to allow third-party payers to serve as intermediaries that could share information with all the patient's treating providers because we conclude that the “To Whom” consent requirements are sufficiently broad to cover the necessary components of a patient's care team. For purposes of payment-related activities, to the extent that federal or state law authorizes or requires that the Medicaid or Medicare agency or program share data or enter into a contractual arrangement or other formal agreements to do so, consent to disclose patient identifying information to the agencies or programs (as a third-party payer) under section 2.31(a)(4)(iii)(A) is considered to extend to the contractors and subcontractors of the agencies or programs.

Commenters have provided SAMHSA with informative feedback on how lawful holders, including third-party payers and others within the healthcare industry, use health data or hire others to use health data on their behalf to provide operational services such as independent auditing, legal services, claims processing, plan pricing and other functions that are key to the day-to-day operation of entities subject to this rule. Those comments indicate that there may be varying interpretations of the part 2 rule's restrictions on lawful holders and their contractors' and subcontractors' use and disclosure of part 2-covered data for purposes of carrying out payment, health care operations, and other health care related activities. In consideration of this feedback and given the critical role third-party payers, other lawful holders, and their contractors and subcontractors play in the provision of health care services, SAMHSA is issuing an SNPRM to seek further comments and information on this matter before establishing any appropriate restrictions.

Public Comments

Instead of listing organizations in the “To Whom” section, a commenter recommended that a consent form should specify the reasons for disclosure (e.g. care coordination, management of benefits).

SAMHSA Response

In addition to the “To Whom” section, the consent form is required to include how much and want kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed. In addition, the consent form must include the purpose of the disclosure. All the required elements must be included on the consent form. SAMHSA declines to make the suggested change to allow the “Purpose” of the consent to dictate the recipients of the patient identifying information. The intent of SAMHSA's approach to the “To Whom” section of the consent form is to provide the patient options for the degree to which they will be able to identify, at the point of consent, who they are authorizing to receive their information.

Public Comments

A commenter stated that SAMHSA should explicitly recognize and include health plan care services, such as managed care, care coordination, case management and other integrated care activities as part of the required elements for written consent for entities that do not have a treating provider relationship with the patient under proposed § 2.31(a)(4)(iv).

A commenter stated any privacy concerns could be fixed by requiring (1) a general designation of a class of participants with a treating provider relationship; and (2) that the disclosing organization provide patients, upon request, a list entities to which their information has been disclosed.

A commenter proposed that § 2.31(a)(4) be revised to allow a general designation to be used whenever there is a “treating provider relationship” or a “care management relationship.” The commenter stated the “care management relationship” should be defined to include the concepts of assistance in obtaining appropriate care, care coordination, and assistance in the implementation of a plan of medical care.

A couple of commenters suggested SAMHSA revise proposed § 2.31(a)(4)(iv)(C) to read: “. . . to a participant(s) who has a treating provider relationship with the patient at the time the disclosure is made.” (Note, the relevant text is now found at § 2.31(a)(4)(iii)(B)(3) due to renumbering of the final regulation.) The commenters stated this would make it clear that participants who develop a treatment relationship with the patient after the date the consent can gain access.

Commenters recommended that the general authorization mirror the authorization under HIPAA to ease the transition and reduce compliance issues.

A commenter recommended SAMHSA work with other federal entities that are exploring parity enforcement to ensure that the proposed rule changes would not create barriers for states working on enforcement of the parity law.

If a patient notes their information may be shared with current and future health care providers, one commenter said the specific name of the ACO or other provider should not be required.

SAMHSA Response

SAMHSA declines to explicitly recognize and include health plan care services, such as managed care, care coordination, case management and other integrated care activities as part of the required elements for written consent for entities that do not have a treating provider relationship with the patient under proposed § 2.31(a)(4)(iv), or broaden the “treating provider relationship” to also include a “care management relationship.” The definition of “Treating provider relationship” is sufficiently broad to cover the necessary components of a patient's care team.

A commenter stated any privacy concerns could be fixed by requiring (1) a general designation of a class of participants with a treating provider relationship; and (2) that the disclosing organization provide patients, upon request, a list of entities to which their information has been disclosed. Another commenter wanted to delete the requirement of naming the entity without a treating provider relationship with the patient whose information is being disclosed. SAMHSA is retaining the consent requirements discussed in this section of the preamble because we believe it balances increased flexibility with necessary privacy protections.

SAMHSA declines to mirror the authorization under HIPAA to ease the transition and reduce compliance issues, as a commenter suggested, because, due to its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA.

SAMHSA may, after publication of this final rule, provide further subregulatory guidance on specific concerns, such as states working on enforcement of the parity law.

Public Comments

Several commenters recommended splitting proposed § 2.31(a)(4)(iv) into two sections. The first would contain special provisions governing disclosures made through HIEs and would retain the references to “individual participants” and “entity participants.” The second would cover all entities that do not fall into any of the other categories in proposed paragraph (a)(4)(iv); in these cases, the specific entity to which disclosure is made would have to be specified.

SAMHSA Response

SAMHSA proposed § 2.31(a)(4)(iv) to apply to an entity (1) that does not have a treating provider relationship with the patient whose information is being disclosed, and (2) is not a third-party payer. Therefore, SAMHSA declines to make the recommended changes. We note, however, that due to re-numbering the proposed § 2.31(a)(4)(iv) provision is found in the final regulation at § 2.31(a)(4)(iii)(B).

Public Comments

A commenter recommended that the use of multi-party consents be permissible even when the “To Whom” section contains a general designation, and that the party(ies) named in the “To Whom” section be permitted to re-disclose patient information if the patient has consented to such re-disclosures in order to allow patients' treating providers to communicate with each other (pursuant to patient consent) within networks like HIE and integrated care organizations. Another commenter stated that the general designation is a step in the right direction but the proposed rule would add a burdensome accounting, which is not required for disclosures pursuant to a valid authorization under HIPAA.

SAMHSA Response

On the issue of multi-party consent, a multi-party consent can be achieved by allowing for bi-directional communication using the general designation in both the “To Whom” and “From Whom” sections of the consent. It can also be created by naming multiple individuals with or without a treating provider relationship with the patient whose information is being disclosed or entities with a treating provider relationship with the patient whose information is being disclosed in the “To Whom” and “From Whom” sections of the consent. The key is to make sure the consent form authorizes each party to disclose to the other ones the information specified and for the purpose specified, in the consent. The “To Whom” and “From Whom” sections of the consent provisions of the final rule will permit multi-party consents.

With respect to the comment regarding the additional burden of the List of Disclosures associated with the use of a general designation on the consent form, SAMHSA addressed this issue in Section F.3, in the preamble discussion of Confidentiality Restrictions and Safeguards (§ 2.3). That discussion emphasizes the fact that there is no timeframe in which part 2 programs and lawful holders need to comply with the List of Disclosures systems requirements; the final rule only requires that if they choose to disclose information pursuant to a general designation on the “To Whom” part of the consent form, they must also be capable of providing a List of Disclosures upon request per § 2.13(d).

e. Proposed Alternative Approach for “To Whom” Section

SAMHSA is not finalizing the alternative approach to the “To Whom” consent provision. In the NPRM, SAMHSA proposed an alternative approach for the “To Whom” aspect of a consent form that attempted to reflect the same policy goal as the proposed regulation text while attempting to simplify the language that would appear on the consent form. This alternative approach would not change the existing language in the “To Whom” section of the consent form. Under this alternative approach, SAMHSA proposed to add a definition of “organization” to § 2.11. Organization would mean, for purposes of § 2.31, (a) an organization that is a treating provider of the patient whose information is being disclosed; or (b) an organization that is a third-party payer that requires patient identifying information for the purpose of reimbursement for services rendered to the patient by a part 2 program; or (c) an organization that is not a treating provider of the patient whose information is being disclosed but that serves as an intermediary in implementing the patient's consent by providing patient identifying information to its members or participants that have a treating provider relationship, as defined in § 2.11, or as otherwise specified by the patient.

Public Comments

No commenters expressed support for the proposed rule's alternative approach to required elements as stated. One commenter said the alternative approach would impose fewer burdens on patients and part 2 entities but did not agree with the restriction on dissemination to only treating entities. Another commenter supported the proposed alternative if it results in only the name of the HIE and not its participants being listed on the consent form.

Several commenters expressed general opposition to the proposed alternative approach. One commenter stated that redefining “organization” to make it more expansive would lead to erosion of trust and would have a chilling effect on the communications necessary for effective treatment. Another commenter stated that a more expansive definition of “organization” may defeat a patient's intent because a patient would have less notice that their information could be disclosed to an entity not specifically named on the consent form.

SAMHSA Response

Based on the comments, SAMHSA has not adopted the alternate approach. Although a few commenters supported the adoption of the broad definition of “organization,” none provided sufficient information to determine how that definition could be implemented to protect the patient's information from disclosure to parties without a need to know. It is also unclear how the List of Disclosures requirement would be applied under a broader definition of “organization.” SAMHSA, therefore, has not adopted a definition of “organization.” SAMHSA disagrees with the recommendation that disclosure to a wider range of entities should be allowed without the patient's specific consent.

3. Amount and Kind

SAMHSA is adopting this aspect of the proposal. SAMHSA has moved the former § 2.31(a)(5), “Amount and Kind” provision, to § 2.31(a)(3) and revised the provision to require the consent form to explicitly describe the substance use disorder-related information to be disclosed. The designation of the “Amount and Kind” of information to be disclosed must have sufficient specificity to allow the disclosing program or other entity to comply with the request.

a. General

Public Comments

Many commenters provided feedback on the proposed rule's “Amount and Kind” requirements on a patient's consent form. A few commenters generally supported the provision. However, several commenters generally disagreed with the proposed provision because it would either decrease or fail to improve the sharing of patient information; would hamper integrated care; would result in consent forms routinely becoming outdated; patients should not decide what information is disclosed; and the current (1987) rule language is adequate for protection of patient privacy.

Some commenters said the rule should continue to allow a general description of the type of information being disclosed. Other commenters asked SAMHSA to clarify why the revision of the regulatory language was necessary and why specific information is preferable to simply stating that the consent form covers all the records maintained by the part 2 program.

SAMHSA Response

The designation of the “Amount and Kind” of information to be disclosed must explicitly describe the substance use disorder-related information to be disclosed and have sufficient specificity to allow the disclosing program or other entity to comply with the request. However, the entity creating the consent form may provide options by including free text space, or choices based on a generally accepted architecture (e.g. the Consolidated-Clinical Document Architecture (C-CDA)), or document (e.g. the Summary of Care Record as defined by CMS for the EHR Incentive Programs). It is permissible to include “all my substance use disorder information” as long as more granular options are also included.

Nothing in the rule would prevent the development and use of broad categories of the substance use disorder-related information on the Amount and Kind section of the consent form. The types of information that might be requested include diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, elements of a medical record such as clinical notes and discharge summary, employment information, living situation and social supports, and claims/encounter data. If options are provided, it is also permissible to provide check boxes next to each option.

b. Impact of the Amount and Kind Requirement on Providers and Patients

Public Comments

Commenters expressed concern that the proposed “Amount and Kind” provision would be unduly burdensome for providers, thus obstructing communications. Several commenters stated that the proposed rule would require both patients and providers to have an in-depth understanding of the precise terms used for substance use disorder information. Some commenters thought this would put undue burden on patients. Other commenters argued that the “Amount and Kind” requirement would place an additional burden on patients to anticipate future care and/or continually update their consent forms. Similarly, commenters stated that patients do not know what information is necessary to support their treatment, which could lead to important information being omitted. Commenters argued that the “Amount and Kind” provision would require requesting health providers to know the format, titling, and nomenclature used for substance use disorder information in the part 2 program.

A commenter argued that many patients would want all of their substance use disorder information disclosed if it would improve the quality and coordination of their care. Many commenters recommended that patients should be able to sign a consent to sharing their entire record (i.e., a global consent), with some arguing that the form should include a statement that covers “all my records,” “all my substance abuse records,” “entire record” and/or “full record.” Other commenters said patients should be able to choose via a check box “substance abuse treatment information” or authorize the entire medical record and list what cannot be disclosed. Several commenters stated that an exhaustive list of check boxes on the consent form would be confusing for many patients.

Some commenters said patients should be able to designate an option for overall record release with an option for further specification of dates and materials to be released from the substance use disorder record. However, another commenter said selections should be “all or nothing” to enable providers to exchange information with HIE, ACO, CCO or a similar entity according to the patient's consent directive with other providers.

SAMHSA Response

The patient will be aware that they have substance use disorder information and can make a determination whether they want that information disclosed. The 1987 final rule part 2 regulations require the patient to list “how much and what kind of information is to be disclosed” (§ 2.31(a)(5)). SAMHSA has revised the provision to require that the consent form explicitly describe the substance use disorder information to be disclosed to ensure patients understand they are disclosing the specified substance use disorder information. The amount of specificity patients wish to include in the “Amount and Kind” section of the consent form is left to them, as long as it has sufficient specificity to allow the disclosing program or other entity to comply with the request. As such, this section does not prohibit a patient from listing “all my substance use disorder information” or “none of my substance use disorder information.” However, the Amount and Kind section of a consent form must accommodate more specific options. As stated previously, nothing in the rule would prohibit the inclusion on a consent form of broad categories of the substance use disorder-related information that would generally appear in patient records to assist patients in identifying the information they wish to disclose. In developing broad categories of information to be included on the consent form, part 2 programs and other lawful holders of patient identifying information would need to take into consideration reading level standards and the concepts of plain language. The rule does not require further consent when new information is added to the substance use disorder record if the new information is covered by the “Amount and Kind” section on the consent form. If the “Amount and Kind” section does include specificity that the patient doesn't understand, the party obtaining the consent should explain it to the patient. SAMHSA may, after publication of this final rule, issue in subregulatory guidance information for educating staff and patients. We are reliant on the provider to be clear to patient, which has always been the case.

c. Required Substance Use Disorder Information on Consent Forms

Public Comments

Some commenters said the level of detail required in the “Amount and Kind” section of the consent form was unrealistic, unnecessary, and confusing. A commenter argued that the level of detail required by the rule was at odds with the general designations necessary for information exchange. A commenter stated that EHR infrastructure may not be able to categorize and segregate information as described in proposed § 2.31(a)(3).

Some commenters urged SAMHSA to simplify or otherwise revise this section of the consent form. A commenter recommended that the list could be simplified by including standardized fields on the consent form that align with information commonly found on a Continuity of Care Document (CCD). Commenters recommended narrowing the list to several broad categories (e.g. employment information, living situation, social supports). A commenter stated that if more specific categories were needed, the patient could write in their own terms. Some commenters said the elements and extent of the consent should be the same under part 2 as it is in HIPAA. Other commenters said SAMHSA should use the required elements of a Summary of Care Record as defined by CMS for the EHR Incentive Program as a basis for the “kind” and “type” of information able to be disclosed. Another commenter said SAMHSA should defer to the expertise of health plans to determine what is necessary for a treating provider to know about substance use disorder.

SAMHSA Response

The types of information that might be requested include diagnostic information, medications and dosages, lab tests, allergies, substance use history summaries, trauma history summary, employment information, living situation and social supports, and claims/encounter data. However, the entity creating the consent form may provide options to include free text space, or choices based on a generally accepted architecture or document such as the C-CDA, or Summary of Care Record, as defined by CMS for the EHR Incentive Program. It is permissible to include “all my substance use disorder information” as long as more granular options are also included. If options are provided, it is also permissible to provide check boxes next to each option. The designation of the “Amount and Kind” of information to be disclosed must have sufficient specificity to allow the disclosing program or other entity to comply with the request.

d. Requests for Clarification

Public Comments

A couple of commenters asked SAMHSA to clarify whether the “Amount and Kind” section is to inform the patient or the providers. A commenter requested clarification on whether multiple patient consents would be necessary when the contents of a record changes over time. Some commenters requested that SAMHSA provide more specific examples of adequate descriptions of the type of information being disclosed. Another commenter recommended SAMHSA create a sample consent form.

SAMHSA Response

The “amount and kind” section informs both the patient and the providers. It allows patients the opportunity to specify whether all of their substance use disorder treatment information or only some may be disclosed and sets the limits on what a part 2 program or other lawful holders may disclose. The amount and kind section will generally cover classes of information so that changes to the record should not trigger the need for re-consents for the same classes of information. SAMHSA may provide examples or a sample consent form in subregulatory guidance following the publication of the final rule.

4. From Whom

SAMHSA is not finalizing the substantive changes that were proposed for the “From Whom” provision in § 2.31(a)(2). In the NPRM, SAMHSA proposed to move the 1987 § 2.31(a)(1) “From Whom” language of the consent requirements provision to § 2.31(a)(2). In addition, because SAMHSA was also proposing, in certain instances, to permit a general designation in the “To Whom” section of the consent form, SAMHSA proposed to require the “From Whom” section of the consent form to specifically name the part 2 program(s) or other lawful holder(s) of the patient identifying information permitted to make the disclosure.

Public Comments

SAMHSA received comments on the “From Whom” section of the consent form from a group of commenters representing a broad spectrum of stakeholder organizations. The overwhelming majority of these commenters were opposed to the proposed change and many suggested withdrawing the proposal in § 2.31(a)(2) and retaining the 1987 “From Whom” language (§ 2.31(a)(1)).

Commenters expressed concern that the proposed § 2.31(a)(2) could decrease the sharing of health information; would add complexity with little or no benefit to patient privacy; would unnecessarily limit the use of a consent; and may accidentally cause the patient to omit a provider whom they want or need to see their data; would negatively impact certain HIE models. A significant majority of the comments regarding the “From Whom” section of the consent form voiced strong opposition to the proposal. A few commenters said the proposed change would unnecessarily limit the positive step SAMHSA took in permitting, in certain circumstance, a general designation in the “To Whom” section of the consent form. One commenter suggested revising the requirements on the basis that the proposed changes do not modernize the regulation.

SAMHSA Response

SAMHSA was persuaded by the overwhelming opposition to the proposed “From Whom” language and, with the exception of minor technical revisions, will retain in this final rule the language in the current (1987) regulation. SAMHSA made this decision for several reasons. First, the existing “From Whom” requirements have been in effect for nearly 30 years and were based on the Department's prior determination that, even with a general designation option, the provision did not jeopardize patient privacy. The fact that SAMHSA is not aware of any reports of the current (1987) “From Whom” requirement resulting in unintended consequences further supports this position.

Second, in the NPRM, SAMHSA supported the elimination of the general designation option in the “From Whom” section of the consent form based on concerns that “[t]he patient may be unaware of possible permutations of combining the two broad designations (i.e., in the “To Whom” and “From Whom” sections) to which they are consenting, especially if these designations include future unnamed treating providers.” Based on the comments received, we believe this concern may have been overstated. Commenters generally did not agree that the “unintended consequences” the NPRM postulated were likely to occur. Commenters also asserted that SAMHSA's proposal shifted the burden from the receiver to the sender of health information and would be burdensome both to providers and patients. In addition, the proposed change could undermine new models to streamline consent.

While the option of using a general designation in either the “To Whom” or the “From Whom” sections (or both) provides the patient greater flexibility, and may result in two broad designations, it is still ultimately the patient's decision whether to use these options or to specifically name both the disclosing and receiving parties on the consent form. We agree with the remarks of one commenter that the proposed change to the “From Whom” section potentially undermines, rather than supports, patient choice, which was not SAMHSA's intent. Another commenter suggested that SAMHSA's proposed revisions may restrict multi-party consents and disclosures, such as consents that authorize disclosures “between and among” the parties. These types of consents are an important option for part 2 programs and patients, which SAMHSA believes would be eliminated if it were to finalize the proposal articulated in the NPRM. Another characterized the proposed change as adding greater complexity to the consent process for patients with little or no benefit to patient privacy.

Third, leaving the 1987 “From Whom” section essentially unchanged may reduce the burden on providers and IT vendors to accommodate this final regulation. HIE consortiums/associations and state governments were particularly concerned about the impact of the proposed revisions on consent-to-access HIE models (sometimes referred to as a community-wide consent-to-access model). As several commenters said, the only way for the participant to comply with the NPRM “From Whom” requirement would be for the participant to list the name of every part 2 program in the relevant state in the “From Whom” section of the consent form in order to inform the patient that there is a possibility that one of these programs might be the source of the information being accessed. Not only would this require the listing of hundreds of providers on the face of a consent form—effectively transforming the document into a provider directory—but it would also require the listing of part 2 programs that are not participating in the HIE, which would be misleading and likely draw objections from these programs.

Moreover, the identities of part 2 programs that may be sources of information are constantly changing as new programs are licensed or join the HIE. This would mean that every time a participant sought to access a patient's information in an HIE, it would have to provide the patient with a consent form listing all of these new providers, and the participant would constantly need to print new forms with updated lists of part 2 programs in the state. This would even apply in the vast majority of cases where no part 2 information would be exchanged, since a participant in a consent-to-access model often does not know whether the sought-after information contains part 2 information and, therefore, needs to assume that it does. Requiring participants to print lengthy consent forms with an updated list of part 2 programs every time a new part 2 program is licensed in the relevant state (and developing a system to inform every participant about such updates) is simply not feasible. The community consent-to-access model was implemented specifically in order to meet the spirit and letter of the 1987 part 2 regulations. In addition, federal and state governments have invested hundreds of millions of dollars to build statewide health information networks in reliance on the 1987 part 2 regulations, which allow consent forms to have a general designation of “From Whom” the records are being disclosed. Theoretically, it is possible for part 2 programs to switch to a consent-to-disclose model while all other participants continue to operate under a consent-to-access model.

Fourth, the flexibility provided in the “To Whom” and “From Whom” sections of the consent form are balanced by the specificity in the “Amount and Kind” and “Purpose” sections of the consent form. SAMHSA has revised the “Amount and Kind” element on the consent form to require the consent form to explicitly describe the substance use disorder-related information to be disclosed so that patients will be aware of the substance use disorder information they are authorizing to disclose when they sign the consent form. In addition, under the current (1987) regulation, consent forms are required to include the purpose of the disclosure. Any disclosure made under these regulations must be limited to that information which is necessary to carry out the purpose of the disclosure.

5. New Requirements

SAMHSA is modifying this aspect of the proposal. SAMHSA proposed to add two new requirements related to the patient's signing of the consent form. First, SAMHSA proposed a provision that would have required the part 2 program or other lawful holder of patient identifying information to include a statement on the consent form that the patient understands the terms of their consent. For the reasons explained below, SAMHSA is not incorporating this requirement into § 2.31 in this final rule. Second, SAMHSA revised § 2.31 to require the part 2 program or other lawful holder of patient identifying information to include a statement on the consent form that the patient understands their right, pursuant to § 2.13(d), to request and be provided a list of entities to which their information has been disclosed when the patient includes a general designation on the consent form. SAMHSA is including this requirement in the final rule (see § 2.31(a)(4)(iii)(B)(3)(i)).

Public Comments

A few commenters supported the additional statement clarifying that the patient understands the terms of consent and their rights. One commenter suggested expanding the statement to include language about the potential consequences of utilizing a general designation in the “To Whom” and “From Whom” fields, which would address concerns about the use of two general designations, while preserving the flexibility allowed in the “From Whom” section of the current (1987) regulation.

However, other commenters opposed updating the consent requirements because doing so would require providers to update consent forms or would require a separate substance use disorder consent form. Several commenters questioned the purpose of the additional signed statement. A commenter criticized the proposed language and argued that it was an attempt to avoid liability.

Several commenters argued that patients would not have the capacity to understand what they are signing. Furthermore, another commenter stated that a signed statement saying that the patient has read the terms of the consent does not mean the patient actually read and understood the consent. A commenter recommended a provision to allow the treating physician to sign a consent for substance use disorder records for patients who may lack the cognitive ability to sign a waiver.

SAMHSA Response

SAMHSA agrees with the commenters that the requirement that the part 2 program or other lawful holder of patient identifying information must include a statement on the consent form that the patient understands the terms of their consent is unnecessary. As commenters stated, a signature on a confirmation statement does not assure that the patient has, in fact, read or understood it. It is also the case, as commenters stated, that some patients may not have the capacity, at the time they are admitted, to provide an informed consent. Therefore, SAMHSA has eliminated this requirement.

K. Prohibition on Re-Disclosure (§ 2.32)

SAMHSA is adopting this section as proposed except for a clarifying revision to § 2.32(a). As discussed in the NPRM preamble, the prohibition on re-disclosure provision only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder and allows other health-related information shared by the part 2 program to be re-disclosed, if permissible under the applicable law. SAMHSA also clarified in the NPRM preamble that, if data provenance (the historical record of the data and its origins) reveals information that would identify, directly or indirectly, an individual as having or having had a substance use disorder, the information is prohibited from being re-disclosed. In addition, SAMHSA revised § 2.32 to clarify that the federal rules restrict any use of the information to criminally investigate or prosecute any patient with a substance use disorder, except as provided in §§ 2.12(c)(5) and 2.65.

1. General

Public Comments

Several commenters generally supported the prohibition on re-disclosure, with some stating that the prohibition ensured the confidentiality of the patient's information and would facilitate broader sharing of information among providers and programs in support of integrated care, thus increasing quality of care. A commenter supported the delineation between substance use disorder data and other health-related data, particularly the flexibility to share portions of a patient's record that do not fall under part 2 requirements. Another commenter supported application of the prohibition on re-disclosure to individuals or entities that receive confidential identifying information from lawful holders.

However, many commenters generally disagreed with the prohibition on re-disclosure. Commenters argued that the prohibition created unnecessary barriers and challenges for health care providers and would jeopardize patient treatment and care coordination (e.g., due to over-restriction of medical records). One commenter argued that the prohibition would prevent the inclusion of substance use disorder treatment information within HIE, ACOs, CCOs, and research institutions. Another commenter stated the prohibition would prevent substance use disorder treatment clinics from being incorporated into integrated care networks. A commenter said the prohibition on re-disclosure would prohibit providers or payers from correcting or supplementing knowledge of another provider based on fear of violating the law. Lastly, a commenter said the proposed rules prohibition on re-disclosure was not different from the current (1987) regulation and therefore no clarification was necessary.

SAMHSA Response

SAMHSA is adopting § 2.32 as proposed except for a minor clarification in § 2.32(a). As discussed elsewhere in this final rule, SAMHSA is attempting to balance the facilitation of information exchange within new health care models that promote integrated care with the continued need for confidentiality protections that encourage patients to seek treatment without fear of compromising their privacy. SAMHSA acknowledges the legitimate concerns of commenters regarding how care coordination relates to patient safety. However, SAMHSA must consider the intent of the governing statute (42 U.S.C. 290dd-2), which is to protect the confidentiality of substance use disorder patient records. SAMHSA believes that the prohibition on the re-disclosure of information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder comports with its statutory mandate. SAMHSA notes that the revisions to § 2.32 clarify that the prohibition on re-disclosure only applies to information that would identify an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, but does not apply to health information unrelated to the substance use disorder, such as treatment for an unrelated health condition. These revisions should minimize decisions by part 2 programs to protect an entire patient record.

Public Comments

Several commenters argued that the original statute for the substance use disorder regulations did not prohibit re-disclosure. Another commenter argued that HIPAA did not exist when the original regulations regarding substance use disorder data were promulgated and that the re-disclosure prohibition was not needed in today's legal environment. Another commenter stated that the re-disclosure prohibition is at odds with the goals of The Mental Health Parity and Addiction Equity Act and the Affordable Care Act.

SAMHSA Response

While the statute may not be explicit with regard to certain provisions in 42 CFR part 2, the statute directs the Secretary to prescribe regulations to carry out the purpose of the statute, which may include definitions and may provide for such safeguards and procedures that in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

Because 42 CFR part 2 and its governing statute are separate and distinct from HIPAA and due to its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA. However, SAMHSA aligned policy with HIPAA where possible.

SAMHSA strives to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. These concerns include: The potential for loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

2. Impact of Re-Disclosure Prohibition on Patient Privacy and Patient Choice

Public Comments

Several commenters expressed concerns that the prohibition on re-disclosure did not improve patient privacy protections. A commenter stated that the proposed changes allowed more disclosures without patient notice, undermining the goal of protecting a patient's privacy. A commenter argued that any information given by a substance use disorder treatment program, including a refusal to provide information, could identify an individual as having a substance use disorder (whether or not the patient actually does) or having received treatment for a substance use disorder. Another commenter argued against expanding the scope of part 2 to non-substance use disorder conditions which may unfairly suggest the presence of a substance use disorder.

Several commenters expressed concern that the prohibition on re-disclosure interfered with a patient's choice on whether to disclose their medical record. Commenters argued that the prohibition on re-disclosure imposed an unnecessary burden on substance use disorder patients who wish to have the same level of quality coordinated care as other patients. Several commenters expressed concern that the prohibition on re-disclosure required patients to anticipate future care. Several commenters argued that a patient should be allowed to consent to or otherwise control the re-disclosure of their information.

SAMHSA Response

Patients may permit re-disclosures of their information via written consent. Part 2-compliant consent forms can authorize an exchange of information between multiple parties named in the consent form. The key is to make sure the consent form authorizes each party to disclose to the other ones the information specified and for the purpose specified, in the consent. In addition, the revised consent requirements allow patients, under certain circumstances, to authorize disclosure of their information via a general designation (e.g., to “all my current and future treating providers”) rather than to specifically name each recipient.

As SAMHSA has stated in this regulation, the “To Whom” section of the consent form can authorize a disclosure of patient identifying information to an entity that does not have a treating provider relationship with the patient whose information is being disclosed and acts as an intermediary for its participants, such as an HIO, and a general designation of individual and entities with a treating provider relationship with the patient whose information is being disclosed that are participants. The required statement prohibiting re-disclosure should accompany the information disclosed through consent along with a copy of the part 2-compliant consent form (or the pertinent information on the consent form necessary for the intermediary to comply with the signed consent), so that each subsequent recipient of that information is notified of the prohibition on re-disclosure.

3. Disclosure of Information that May Indicate a Substance Use Disorder

Public Comments

Several commenters argued that determining which conditions and medications would “identify a patient as having or having had a substance abuse order” would be a burden on providers. Commenters said most staff within an HIE do not have the qualifications (e.g., clinical knowledge regarding medical conditions and medications) to distinguish which information could indicate an individual's substance use disorder and would thus need to be trained accordingly. Commenters stressed that the difficulty in determining what patient information would indicate a patient had a substance use disorder would discourage providers and health plans from exchanging information, further inhibiting coordinated care and enforcing differential treatment of individuals with substance use disorders.

Several commenters expressed concern that the language of the proposed rule was too broad. A commenter said the provision was problematic because many medications are frequently related to substance use disorder or other physical or mental conditions, so there is a risk of indicating a patient had a substance use disorder whether or not the patient actually did have a substance use disorder. Similarly, commenters argued that preventing disclosure of information that suggests a substance use disorder is too broad and would overly restrict the information available to health care providers, thus endangering patient safety. A commenter recommended that SAMHSA interpret “identifies a patient as having or having had a substance use disorder” to mean only information that actually identifies a patient as having a substance use disorder, rather than including information that merely suggests that a person might have an substance use disorder. A commenter recommended that the provision be interpreted as written in the rule language, not as expansively considered in the NPRM preamble.

One commenter argued that a prescription for a certain drug is not enough to identify a person as having a substance use disorder, let alone indicate the person is receiving care from a substance use disorder program. The commenter stated that this ambiguity is sufficient to be able to say that the information does not “identify” the person as having a substance use disorder or, moreover, that they are being treated in a program.

A commenter stated that, when the data sharing of the records are redacted to remove all evidence of substance use disorder they become worthless in terms of ensuring improved client care. Further, this commenter said that there is no way to ensure such redaction would be done effectively and that there is a high risk of inadvertent disclosure, which cannot be made private again.

SAMHSA Response

Comments received by SAMHSA suggest that the discussion in the NPRM of re-disclosure regarding medications and examples provided were not clear. Both the proposed rule and this final rule prohibit re-disclosure of part 2 information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or is otherwise permitted by the part 2 statute or regulations. Such information could, in some circumstances, include part 2 information concerning a patient's prescription for a medication typically used for medication-assisted treatment or a disease or condition frequently associated with substance use disorders. While certain medical information in and of itself may not identify a patient as having a substance use disorder and approved medications may be used for various purposes, the context of this preamble and § 2.32 concerns the re-disclosure of information that is directly related to the patient's undergoing treatment for substance use disorders. Therefore, it is considerably more likely that the re-disclosure of such information would result in identifying the patient as receiving treatment for a substance use disorder. By contrast, a patient who is not receiving such treatment (and, therefore, whose health information is not covered by this rule) would not face such risks even if their medication or condition is frequently associated with substance use disorders. It is also important to note that in some cases, patients may expressly consent to further re-disclosure and that such re-disclosure may in some cases be allowed under other provisions of this rule. SAMHSA understands that this is an important topic and may provide additional subregulatory guidance on this issue after the publication of this final rule.

4. Technical Challenges in Preventing Unauthorized Re-Disclosure

Public Comments

Commenters expressed concern that, due to how information is exchanged electronically, it may be technically difficult for the medical industry to prevent re-disclosure. Commenters argued that providers do not have the technical ability to segregate substance use disorder content and redact that information from being sent to new providers who use or review the record. More specifically, a commenter argued that EHR currently have the ability to contribute patient data to an HIE or a Regional Health Information Organization (RHIO) at the patient level, not at the services rendered level. A commenter stated that this capability was five to ten years away. A commenter argued that if the outputs of the DS4P's pilots were refined and required under the federal health IT certification program, there would have been solution for the re-disclosure of substance use disorder information.

Several commenters expressed concern about the lack of technical standards. A commenter recommended that SAMHSA adopt clear technical methods and standards for recipients of disclosures, by which part 2 providers and programs would be able to identify which records are not part 2 sensitive and can be incorporated directly into recipient's EHR. Similarly, a commenter stated there needed to be standards for all EHR Vendors and HIEs to address the re-disclosure prohibition.

Some commenters expressed concern about the burden of upgrading their record system to comply with the prohibition on re-disclosure. Commenters stated that the re-disclosure prohibition would require upgrades and modifications to EHR and HIEs. A commenter stated that SAMHSA should provide funding to upgrade HIE systems or HIEs would be likely to refuse to accept substance use disorder data.

Many commenters said the prohibition on re-disclosure and the technical limitations many providers faced in preventing re-disclosure would have adverse impacts on sharing of information and patient care. A commenter stated that, due to the technical limitations, some providers would continue to prohibit re-disclosure of the patient's entire medical record. Other commenters argued that the technical limitations would result in substance use disorder information being kept out of the electronic health care environment, leaving gaps that could contribute to poor patient outcomes. A commenter stated that part 2 programs would be unable to participate in integrated care delivery models because their system was not equipped to segregate substance use disorder data.

A commenter stated that SAMHSA should encourage the expansion of meaningful use to allow behavioral health care providers to adopt data segmentation technology. A commenter stated that, in light of the EHR requirements under meaningful use, SAMHSA should consider ways to reduce the burden on entities using EHR with respect to disclosure statements under § 2.32. Another commenter argued that SAMHSA should simply issue consent recommendations and incorporate more complex structures, such as data segmentation, in a broader mandate or on other requirements in order to allow sufficient time for implementation.

SAMHSA Response

SAMHSA actively supports the continued development of data standards to support the integration of substance use disorder treatment in emerging health care models. The Data Segmentation for Privacy (DS4P) initiative within ONC's Standards and Interoperability (S&I) Framework facilitated the development of standards to improve the interoperability of EHRs containing sensitive information that must be protected to a greater degree than other health information due to 42 CFR part 2 and similar state laws. The DS4P standard allows a provider to tag a C-CDA document with privacy metadata that expresses the data classification and possible re-disclosure restrictions placed on the data by applicable law. This aids in the electronic exchange of sensitive health information. In October 2015, ONC adopted the DS4P standard as part of the 2015 Edition health IT certification criteria. The DS4P certification criteria require health IT to demonstrate the ability to send and received summary care records that are document-level tagged. SAMHSA will continue to work with ONC to further refine the DS4P standard so that it can be applied to segment data at the data element level in the manner described in ONC's “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap—Version 1.0 Final (Roadmap),” and to accelerate the adopting of the DS4P send and receive standards.

Regarding re-disclosure, the primary advantage of continuing the prohibition on re-disclosure by recipients of a disclosure with patient consent is that it assures a greater measure of confidentiality for patient identifying information. SAMHSA strives to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. These concerns include: The potential for loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

The prohibition on re-disclosure predates this rulemaking and providers were already required to comply with the existing provision. SAMHSA proposed only minor changes to the provision for clarity, which should not necessitate system upgrades. Therefore, SAMHSA declines to respond to comments regarding the burdens of system upgrades to comply with the prohibition on re-disclosure.

Finally, SAMHSA works closely with its federal colleagues to improve the integration of substance use disorder treatment providers and their data. Although the part 2 authorizing statute does not give SAMHSA authority to mandate data segmentation, as noted above, DS4P was included in the ONC 2015 Edition Health IT Certification Criteria (2015 Edition). SAMHSA has also supported the development of the application branded Consent2Share, an open-source health IT solution based on DS4P which assists in consent management and data segmentation and will continue to work to improve the granularity of how the DS4P standard operates.

5. Requests for Clarification of the Re-Disclosure Prohibition

Public Comments

Commenters requested clarification on various aspects of the re-disclosure prohibition. Some commenters asked for clarification on what records were subject to the re-disclosure prohibition (e.g., the actual record, or the part 2-compliant record that is now incorporated into the physician's notes at the receiving institution). The commenters requested examples of how data may, or may not, be disclosed after lawful receipt of part 2 data.

A commenter suggested that SAMHSA confirm that only records that originated at a part 2 program are subject to the prohibition on re-disclosure.

SAMHSA Response

Once patient identifying information has been initially disclosed (with or without patient consent), no re-disclosure is permitted without the patient's express consent to re-disclose or unless otherwise permitted by the part 2 statute or regulations. Only disclosure of patient identifying information made with the patient's written consent must be accompanied by a written notice regarding the part 2 prohibition on re-disclosure. Although there is no requirement to provide such written notice to individuals and entities who receive information through other means under the part 2 program, all lawful holders must comply with the part 2 program requirements, including, but not limited to the limitations on re-disclosure.

Regarding requested confirmation that only records originated at a part 2 program are subject to the prohibition on re-disclosure, SAMHSA clarifies that individuals and entities that are not covered by part 2 that possess substance use disorder data that did not originate in a part 2-covered provider are not subject to the part 2 program requirements. However, if those individuals and entities received that information that is subject to part 2 via patient consent (with or without the notice of prohibition on re-disclosure) or through any other means under the part 2 program (i.e., through means that made them a lawful holder), they would be required to comply with part 2.

Public Comments

Several commenters asked for clarification with regard to disclosing prescription medications. A few commenters asked whether prescription medications could be disclosed without consent if the prescriber states that the prescription is not for substance use disorder treatment. Another commenter asked what the requirements were for medications that are used “off label” to treat substance use disorder and medications that treat withdrawal. A commenter asked for clarification on whether providers in part 2 programs, who do not reveal their part 2 program affiliation, would be prohibited from disclosing information about substance use disorder prescriptions that are also prescribed for non-substance use disorder purposes, unless the patient has consented to the disclosure.

SAMHSA Response

SAMHSA agrees that part 2 would permit the disclosure of information without patient consent relative to a medication that is used for both substance use disorder and non-substance use disorder purposes, even when it is being prescribed for the purpose of substance use disorder treatment. In disclosing the information, both the provider and the data provenance must not identify the provider as being affiliated with a part 2 program or prescribing the substance use disorder medication for substance use disorder treatment.

Public Comments

Regarding the prohibition on re-disclosure, a commenter requested that SAMHSA provide clarification on what impact a court order has on sharing information otherwise deemed confidential under the part 2 regulations.

SAMHSA Response

SAMHSA has previously stated in FAQ guidance concerning re-disclosures that when information is disclosed pursuant to an authorizing court order, part 2 requires that steps be taken to protect patient confidentiality. In a civil case, part 2 requires that the court order authorizing a disclosure include measures necessary to limit disclosure for the patient's protection, which could include sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered [42 CFR 2.64(e)(3)]. In a criminal case, such order must limit disclosure to those law enforcement and prosecutorial officials who are responsible for or are conducting the investigation or prosecution, and must limit their use of the record to cases involving extremely serious crimes or suspected crimes [42 CRF § 2.65(e)(2)].

Public Comments

A commenter asked how a mixed-use mental health and substance use treatment facility should handle re-disclosure and how SBIRT would be addressed under this section.

SAMHSA Response

Only the substance use disorder information is covered by part 2. The mental health information is not. The prohibition on re-disclosure only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the part 2 program to be re-disclosed, if permissible under other applicable laws.

6. Recommendations To Improve the Prohibition on Re-Disclosure

Public Comments

Several commenters recommended exclusions to the prohibition on re-disclosure of substance use disorder patient data. A commenter said patients should be able to consent to the disclosure of substance use disorder information to a covered entity and such information would be protected by HIPAA, but would be free from the re-disclosure prohibition. Some commenters said SAMHSA should permit re-disclosure of substance use disorder treatment information for the purpose of treatment and/or care coordination. Another commenter suggested an exemption for providers within a given PDMP, CCO, ACO or HIE, for the purposes of treatment, payment, or health care operations. A commenter said SAMHSA should allow re-disclosures without patient consent for public health purposes to prevent disease or control injury or disability. Lastly, a commenter said SAMHSA should add a category under subpart D “Disclosures without Patient Consent” to include state health data organizations that collect data under a legislative authority.

SAMHSA Response

Due to its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA. In light of the statute, SAMHSA declines to create the specific suggested exclusions from the use and disclosure restrictions. SAMHSA will specifically address disclosures to subcontractors and contractors for health care purposes in the SNRPM.

Public Comments

Commenters requested that SAMHSA provide guidance in several areas, including the type of permissible information that can be disclosed; applicability to co-occurring disorders; and applicability to multi-use organizations. A commenter said SAMHSA should publish the medical codes (e.g., ICD-10s) that are affected by this provision.

SAMHSA Response

As for the type of permissible information that can be disclosed, the proposed clarifications to § 2.32 clarify that the prohibition on re-disclosure only applies to information that would identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment for a substance use disorder, such as indicated through standard medical codes, descriptive language, or both, and allows other health-related information shared by the part 2 program to be re-disclosed, if permissible under other applicable laws.

Regarding the re-disclosure of information related to co-occurring disorders, only the substance use disorder information is covered by part 2. The mental health information in a patient record is not. However, part 2 programs must ensure adequate confidentiality protections for mental health patient data that are applicable based on any relevant federal or state law.

Public Comments

Commenters proposed many other recommendations to improve the re-disclosure provision. One commenter said the rule should specify the consequences part 2 providers will face if they violate the proposed rule's prohibition on re-disclosure. A commenter said non-part 2 programs that prescribe substance use disorder medication should not be forbidden from disclosing such prescriptions, nor required to state the purpose of the medication. A commenter said the rule should continue to prohibit information being shared with law enforcement for criminal prosecution. A commenter said SAMHSA should include an updated sample Notice of Prohibition of Re-disclosure in the final rule. One commenter said patients should have the ability to remove their substance use disorder history from their medical record after ten years. A commenter said SAMHSA should rescind the proposed prohibition on re-disclosure relative to general designations and advocate for the medical community to do more within their industry to recognize and provide appropriate, comprehensive care for those living with substance use disorders.

SAMHSA Response

Regarding the consequences for violation of the re-disclosure prohibition, each disclosure made with the patient's written consent must be accompanied by the notice of prohibition on re-disclosure. Under 42 U.S.C. 290dd-2 (f), any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined in accordance with Title 18.

Regarding the comment on non-part 2 prescribers, prescribers that are not covered by part 2 are not prohibited from disclosing such prescriptions nor required to specify the purpose of such prescriptions.

On prohibition of information being shared with law enforcement for criminal prosecution, this prohibition remains in effect. Specifically, SAMHSA has clarified § 2.32(a) to state “[t]he federal rules restrict any use of the information to criminally investigate or prosecute any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65.”

Public Comments

A commenter stated that individuals or entities who are not part 2 programs may not be familiar with the specific consent requirements of part 2, so the next-to-last sentence of § 2.32 should include a citation to § 2.31.

SAMHSA Response

SAMHSA appreciates the suggestion and has revised § 2.32 to add a reference to the § 2.31 to the penultimate sentence in paragraph (a).

L. Disclosures to Prevent Multiple Enrollments (§ 2.34)

SAMHSA is adopting this section as proposed. SAMHSA has modernized § 2.34 by updating terminology and revising corresponding definitions. SAMHSA also consolidated definitions by moving definitions from this section to the part 2 definitions provision (§ 2.11), as discussed in Section III.D.

Public Comments

A few commenters supported disclosures to prevent multiple enrollments. Some urged the proposed regulations to go further and specifically allow registries in the form of HIEs or PDMPs to share controlled substance prescriptions in the same manner that it would allow withdrawal management or maintenance treatment programs. The aim would be to prevent multiple prescribing of prescription drugs that can be abused. Other commenters argued that the registry should be available to check enrollment beyond 200 miles. Asserting that the requirement to list every site that may be contacted in the consent document is an unusual burden, one of these commenters suggested that the concern can be better addressed by indicating “any licensed treatment center within the state when a patient presents for treatment.” One commenter requested clarification as to what type of “central registry” is being considered for disclosure of patient records. Another suggested language that allows for multiple payments to providers in situations where clients are enrolled in multiple programs and where programs may be obtaining multiple payments for multiple services.

SAMHSA Response:

Central registries, defined as “an organization that obtains from two or more member programs patient identifying information about individuals applying for withdrawal management or maintenance treatment for the purpose of avoiding an individual's concurrent enrollment in more than one treatment program,” serve a different purpose than HIEs or PDMPs. According to the Centers for Disease Control and Prevention, PDMPs are state-run electronic databases used to track the prescribing and dispensing of controlled prescription drugs to patients. They are designed, in part, to monitor this information for suspected abuse or diversion (i.e., channeling drugs into illegal use), and can give a prescriber or pharmacist critical information regarding a patient's controlled substance prescription history. Although PDMPs may serve many valuable purposes, SAMHSA decided not to address issues pertaining to e-prescribing and PDMPs in the final rule because, as stated in the NPRM, they were not ripe for rulemaking at the time due to the state of technology and because the majority of part 2 programs are not prescribing controlled substances electronically.

Under § 2.34(a)(3)(ii), the consent may authorize a disclosure to any withdrawal management or maintenance treatment program established within 200 miles of the program after the consent is given without naming any such program. Regarding comments on the 200-mile limit, SAMHSA declines to make any changes to the 200-mile limit because it is unlikely that a patient would be enrolled in multiple programs greater than 200 miles from each other. The regulations do not confine the 200-mile limit to within a state.

As for the request to allow a consent for disclosure to “any licensed treatment center within the state where a patient presents for treatment,” SAMHSA has concluded that the proposed specificity is needed. Section 2.34 requires that the consent must list the name and address of each central registry and each known withdrawal management or maintenance treatment program to which a disclosure will be made. This specificity was retained because the purpose of the section is to prevent multiple enrollments that would result in a patient receiving substance use disorder treatment medication from more than one provider, thereby increasing the likelihood for an adverse event or diversion.

Regarding the request to allow for multiple payments to providers in situations where clients are enrolled in multiple programs and where programs may be obtaining multiple payments for multiple services, SAMHSA has determined that this request it outside of the scope of the proposed part 2 changes in the NPRM.

M. Medical Emergencies (§ 2.51)

SAMHSA is adopting this section as proposed. SAMHSA has revised the medical emergency exception to give providers more discretion to determine when a “bona fide medical emergency” (42 U.S.C. 290dd-2(b)(2)(A)) exists. The revised language states that patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained. SAMHSA continues to require the part 2 program to immediately document, in writing, specific information related to the medical emergency.

1. General

Public Comments

Many commenters expressed support for the proposed change in language of the medical emergency exception to provide medical personnel with increased discretion to determine a “bona fide medical emergency.” Some commenters expressly supported aligning the regulatory language with the statutory language for medical emergencies. A commenter supported the special rule that would allow the disclosure of patient identifying information to medical personnel at the FDA who provide reason to believe that the health of any individual may be threatened by a product under the FDA's jurisdiction and that the information used solely for notifying the patient or their physicians of the potential dangers.

However, several commenters warned that part 2 programs should not be expected to assume the unrealistic burden of liability for a HIE's capability to comply with all part 2 requirements. Another commenter argued the current medical emergency exception is clear under current (1987) law and providers are already making the determination as to what constitutes an emergency.

SAMHSA Response

SAMHSA appreciates the support of commenters on this issue. With regard to the comment about the burden of liability, SAMHSA asserts that the treating provider must make the determination as to whether a bona fide medical emergency exists. However, concern alone about potential drug interaction may not be sufficient to meet the standard of a medical emergency. Thus, based on the circumstances of the presenting situation, SAMHSA recommends that health care providers obtain consent from the patient where feasible.

2. Definition of “Bona Fide Medical Emergency”

Public Comments

Commenters provided various suggestions for expanding the definition to include disclosure of records for mental health involuntary commitment evaluations and other psychiatric emergencies; to detoxification centers; when there is “risk of serious harm” to self or others by reason of an substance use disorder; in order to save a life or prevent further injury of a person who is not able to make a rational decision due to mental impairment; and to prevent suicide. Several commenters asserted the revisions should include an exception for disclosure without consent in order to prevent medical emergencies from occurring in the first place. Other commenters suggested not limiting this section to only medical emergencies, but allowing disclosures for treatment, payment, and operation purposes. A few commenters supported adding a duty to warn exception where a substance use disorder patient discloses intent, plan, or means to inflict harm onto another individual or the public.

SAMHSA Response

On the request to expand the definition, while the statute authorizes an exception for a bona fide medical emergency, broadening this provision to include non-emergency situations would be inconsistent with the statutory scheme. With respect to warnings, part 2 does not impose a duty to warn—or a duty to disclose any information. It only governs when disclosures may be made, not when they must be made. SAMHSA has previously provided FAQ guidance on when a part 2 program may make a disclosure without divulging patient identifying information. SAMHSA will monitor this issue and may consider whether additional subregulatory guidance in the future may be helpful.

Regarding involuntary commitment, patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained. This may include situations in which the patient is not regarded as being legally competent under the laws of their jurisdiction. Such circumstances may apply when a patient is subject to an involuntary commitment (i.e., formally committed for behavioral health treatment by a court, board, commission, or other lawful authority). Consistent with § 2.51, during the period of time a patient is not regarded as being legally competent, any previously established, unrevoked, or unmodified general designation remains valid for their current treating providers until such time as the individual's competency is restored. The treating provider(s) would, in such circumstances, be expected to follow provisions of this rule pursuant to medical emergencies, including all documentation requirements. Importantly, at any time when a patient is legally competent, they may modify their general designation consistent with the provisions of this final rule.

Public Comments

Other commenters suggested restrictions on the definition of “bona fide medical emergency” or other limitations to the medical emergency exception. Several recommended that the final rule explicitly state that the medical emergency exception continues to be limited to circumstances in which an individual needs immediate medical care and the patient's consent cannot be obtained. The medical emergency exception does not apply to situations where the patient could but will not consent, since the exception should not be used to avoid obtaining consent. A commenter urged that a “bona fide medical emergency” be limited to circumstances in which an individual needs immediate medical care because of an immediate (not future) threat to a person's health.

A commenter asserted that it be specified that a “medical emergency” is determined by the treating provider.

A commenter asserted that the information disclosed in a “bona fide medical emergency” should be more clearly limited and the rule should require the provider to affirmatively share the required documentation of the disclosure with the patient.

A commenter stated that part 2 information disclosed in a medical emergency should not be re-disclosed for criminal investigation or prosecution.

A few commenters advocated for emergency care providers to be permitted to access only limited part 2 information available through a HIE.

SAMHSA Response

On situations in which the patient could but will not consent, SAMHSA has not revised the regulatory language, but agrees that “patient consent could not be obtained” refers to the fact that the patient was incapable of providing consent, not that the patient refused consent.

With regard to the request that a “medical emergency” be determined by the treating provider, SAMHSA clarifies that any health care provider who is treating the patient for a medical emergency can make that determination.

On limiting the information disclosed, § 2.13(a) of the rule indicates that the amount of information to be disclosed “must be limited to that information which is necessary to carry out the purpose of the disclosure.”

With regard to the comment on re-disclosure, SAMHSA will address re-disclosure of part 2 information obtained during a medical emergency in subregulatory guidance rather than in the rule, as it has in the past.

Public Comments

Several commenters asserted that automated or pre-determinations for medical emergencies should be allowed. A commenter suggested that pre-defining the criteria for medical emergency would enable HIEs to automate the decisions about whether a patient visit is a medical emergency. The commenter said such criteria could be defined by each individual hospital or could be based on national standards. Another commenter argued that Level of Care Utilization System (LOCUS) scores and the ASAM levels could be used as clinical standards for determining “bona fide emergency” situations where behavioral health information should be more broadly shared.

SAMHSA Response

Automated electronic health information systems can be programmed to flag specific patient information for medical personnel to use in determining whether a bona fide medical emergency exists and may be programmed to provide alerts to authorized providers. However, as SAMHSA has explained in previous FAQ guidance, one may not automate the determination of a medical emergency.

Public Comments

Many commenters requested examples of emergency situations in order to minimize confusion among providers and organizations as to the circumstances under which medical emergencies would be valid. Many of these commenters provided their own instances requesting clarification if disclosure would be necessary.

SAMHSA Response

SAMHSA plans to provide the requested examples in subregulatory guidance after the publication of this final rule.

3. Documentation of Medical Emergency

Public Comments

Many commenters argued for removal of the requirement that a part 2 program immediately document a disclosure pursuant to a medical emergency. A commenter stated that SAMHSA should simplify the existing onerous documentation requirements that impede vital sharing of information. Another commenter suggested part 2 programs should rely on other functionalities that retain disclosure and specific information related to the medical emergency, such as audit reports.

A commenter suggested the language be modified to allow the part 2 program to document the disclosure “promptly” rather than “immediately.”

Other commenters suggested eliminating the requirement to provide “the name of the medical personnel to whom disclosure was made.”

Another commenter asserted that the rule should allow an HIE to maintain documentation of disclosures for the part 2 program and provide ongoing access to such information.

A commenter suggested that a “list of the information disclosed” be added to the list of information that must be entered into the patient record at the time of the emergency disclosure.

SAMHSA Response

SAMHSA is not convinced of the benefit of replacing “immediately” with “promptly,” particularly since neither term is defined in the final rule. With regard to the suggestion to eliminate the requirement to provide “the name of the medical personnel to whom disclosure was made,” the current (1987) part 2 regulations (as well as the regulatory language in the NPRM) require part 2 programs to document the name of the medical personnel to whom disclosure was made and their affiliation with any health care facility because it is important for that information to be available to the part 2 program and the patient.

4. Other Comments on Medical Emergencies

Public Comments

Some commenters suggested that SAMHSA expand who is authorized to access emergency records. Some commenters requested the definition of “medical personnel” include any professional who provides health-related services, including behavioral health services, rather than being limited to medical doctors, nurses, and emergency medical technicians. Other commenters suggested the language be changed so that “non-medical personnel” who are currently working with clients in an emergency situation have access to the patient emergency record. A commenter argued that substance use disorder patients commonly face medical emergencies and therefore it is prudent for an emergency department be named or identified under the “general disclosure” provision.

SAMHSA Response

Part 2 allows patient identifying information to be disclosed to medical personnel in a medical emergency. Part 2 does not define the term “medical personnel” but merely provides that information can be given to medical personnel who have a need for information about a patient in a bona fide medical emergency. It is up to the health care provider or facility treating the emergency to determine the existence of a medical emergency and which personnel are needed to address the medical emergency. The name of the medical personnel to whom the disclosure was made, their affiliation with any health care facility, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the medical emergency must be documented in the patient's records by the part 2 program disclosing the information. SAMHSA does not have the authority to permit information to be disclosed to “non-medical personnel” pursuant to a medical emergency because the authorizing statute for the regulations codified at 42 CFR part 2 limits disclosures to “medical personnel.”

With regard to identifying emergency departments under the “general disclosure” provision, the medical emergency exception requires that a provider determine that a bona fide medical emergency exists and that a patient's visit to an emergency room does not automatically constitute such an emergency. SAMHSA reiterates that there is a difference between refusal to consent and being incapable of consenting to disclosure.

Public Comments

Commenters requested clarification on which entity, the receiving emergency department or HIE, would be obligated to maintain part 2-compliance with information received through a declared patient emergency. A commenter argued the rule should state that a hospital emergency room or other health care provider that obtains program information under the medical emergency exception would not be subject to part 2 rules with respect to such program information.

SAMHSA Response

Part 2 requires that when a disclosure is made in connection with a medical emergency, the part 2 program must document in the patient's record the name and affiliation of the recipient of the information, the name of the individual making the disclosure, the date and time of the disclosure, and the nature of the emergency. Thus, data systems must be designed to ensure that the part 2 program is notified when a “break the glass” disclosure occurs and part 2 records are released pursuant to a medical emergency. The notification must include all the information that the part 2 program is required to document in the patient's records. The information about emergency disclosures should also be kept in the HIE's electronic system. Regarding the requests for clarification on part 2 applicability to information disclosed pursuant to a medical emergency, SAMHSA understands the importance of these questions. However, because these issues are not related to specific proposals made in the NPRM, SAMHSA plans to address them in subregulatory guidance after the publication of the final rule.

Public Comments

A commenter warned that emergency disclosures for requesting of part 2 records can occur by means other than solely through an HIE.

SAMHSA Response

The EHR is the vehicle for the disclosure of the part 2 record but not the decision-maker. The name of the person who makes the determination to disclose and discloses the information electronically through an EHR system should be recorded. SAMHSA clarifies that the example used of an HIE was not meant to be exhaustive to include all potential sources of disclosures.

N. Research (§ 2.52)

SAMHSA is modifying this section from the regulatory text proposed, as described in detail below. SAMHSA is implementing several changes to the research provision. First, we have revised the section heading by deleting the word “activities.” In addition, SAMHSA has revised the research exception to permit data protected by 42 CFR part 2 to be disclosed by any individual or entity that is in lawful possession of part 2 data (lawful holder of part 2 data) under certain conditions.

SAMHSA also addressed data linkages because the process of linking two or more streams of data opens up new research opportunities and potential risks. In the NPRM, SAMHSA proposed to permit researchers to request to link data sets that include patient identifying information if (1) the data linkage uses data from a federal data repository, and (2) the project, including a data protection plan, is reviewed and approved by an Institutional Review Board (IRB) registered with the Office for Human Research Protections (OHRP) in accordance with 45 CFR part 46. SAMHSA requested comments in the NPRM on whether to expand the data linkages provision beyond federal data repositories. After considering the public comments received on this topic, as discussed in greater detail below, SAMHSA has revised the data linkages provision to permit researchers to link to federal and non-federal data repositories provided certain conditions are met.

The revised § 2.52 permits a researcher to include part 2 data in reports only in aggregate form. SAMHSA clarified in this final rule that, with respect to these types of reports, the patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly as having or having had a substance use disorder. SAMHSA requires any individual or entity conducting scientific research using patient identifying information to meet additional requirements to ensure compliance with confidentiality provisions under part 2. Note that de-identified information can be shared for the purposes of research; this was the status quo under the previous part 2 regulations, and this final rule does not change that.

Finally, § 2.52 addresses, in addition to the maintenance of part 2 data, the retention and disposal of such information used in research. SAMHSA expanded the provisions in § 2.16 (Security for records) and references the policies and procedures established under § 2.16 in revised § 2.52. The NPRM language in (a)(1) only referenced “the HIPAA privacy rule at 45 CFR 164.512(i) ” while the final rule regulatory language in (a)(1) now says: “consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable”.

1. General

Public Comments

Many commenters expressed support for revising the research exception to permit data protected by part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data (lawful holder of part 2 data). Many commenters expressed general support for expanding the circumstances in which research may be conducted with part 2 data. Many commenters supported disclosure of data from other lawful holders of substance use disorder records with researchers. Commenters supported the prevention of data scrubbing of records and other data suppression related to substance use disorders. Some commenters specified support to stop “suppression” of Medicare and Medicaid data from any records associated with substance use disorder.

SAMHSA Response

SAMHSA's revisions to the research provision address these concerns regarding access to substance use disorder information from CMS claims/encounter data disclosed for research purposes. First, the research provision permits part 2 programs and other lawful holders of patient identifying information (not just part 2 program directors) to disclose data protected by 42 CFR part 2 to qualified personnel for the purpose of conducting scientific research if the researcher provides documentation of meeting certain requirements related to other existing protections for human research. Second, SAMHSA also addressed data linkages to enable researchers holding part 2 data to link to data sets from federal and non-federal data repositories provided certain conditions are met as spelled out in section 2.52.

Public Comments

Another commenter supported the use of data use agreements for all research transfers of part 2 information and requested the proposed regulation provide examples of these agreements. A commenter stated that the agency should allow research of additional administrative data sets such as those held by HIEs, ACOs, state Medicaid agencies, commercial insurance companies, and Medicare Advantage plans with appropriate IRB reviews.

SAMHSA Response

Although not required by § 2.52, the regulation would permit any lawful holder of patient identifying information to require a researcher sign a data use agreement spelling out these requirements.

SAMHSA is adopting its proposal regarding the research exception to permit data protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data if the researcher provides documentation of meeting certain requirements related to other existing protections for human research. If an entity meets the requirements of an “other lawful holder of patient identifying information,” as described in the preamble of this final rule, the entity would be authorized to disclose part 2 data for research purposes in accordance with § 2.52.

Public Comments

Another commenter asked a series of questions related to the release of data by lawful holders that are not part 2 programs (e.g., HIEs). The commenter asked how these HIEs, third-party payers, etc., will be able to determine that a researcher will maintain the confidential patient identifying information in accordance with the security requirements set out in § 2.52(a)(2); how will the “lawful holders” be able to assess whether the potential benefits of the research outweighs any risks to confidentiality as required by § 2.52(a)(3); and what individual at these various “lawful holders” will be the equivalent of a part 2 program director and have the authority to make these decisions. The commenter stated that it is almost certain that these “lawful holders” will not sufficiently know the confidentiality regulations so as to ensure the researchers are aware of, and will comply with the prohibition against re-disclosure specified in § 2.52(b).

SAMHSA Response

SAMHSA examined the existing regulations that protect human subjects in research and concluded that, if those requirements were fulfilled, 42 CFR part 2 would ensure confidentiality protections consistent with the statute, while providing the expanded authority for disclosing patient identifying information. Requirements that ensure compliance with HIPAA and the Common Rule (e.g., IRB and/or privacy board review) with respect to research provide these assurances, including that the researcher has a plan to protect and destroy identifiers and to not re-disclose the information in an unauthorized manner. The individual who would make the determination to disclose part 2 data on behalf of a part 2 program or other lawful holder would be the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee. In addition, there is nothing in the regulation that requires this individual to disclose the data, even if the researcher provides documentation of compliance with the requirements under § 2.52.

Public Comments

A commenter stated that the proposed rule adopted an overly narrow approach to disclosures for scientific research, by limiting part 2 disclosures only to entities or individuals subject to the HIPAA Privacy Rule or the HHS Common Rule. The commenter stated that because the commenter is not a HIPAA covered entity or business associate under HIPAA, and is not currently subject to the Common Rule, the commenter does not appear to meet the conditions required for disclosure for scientific research. The commenter stated that limiting disclosures for research purposes only to entities or individuals subject to the HIPAA Privacy Rule and/or Common Rule is inconsistent with the language and intent of the governing statute, which broadly authorizes disclosures to qualified personnel for the purposes of conducting scientific research.” (42 U.S.C. 290dd-2(b)(2)(B)). The commenter urged SAMHSA to interpret research broadly to include state analytic activities to identify patterns and variations in the cost, quality and delivery of health care, similar to the approach adopted by CMS for the release of CMS claims/encounter data to state agencies.

SAMHSA Response

The revised research exception will now permit data protected by 42 CFR part 2 to be disclosed for research purposes by part 2 programs and other lawful holders of patient identifying information not just by part 2 program directors as the 1987 final rule regulations require. Because SAMHSA is expanding the authority for disclosing patient identifying information beyond part 2 program directors, it was necessary to establish a mechanism to ensure that confidentiality protections consistent with the statute were fulfilled in all cases. SAMHSA determined that the existing regulations that protect human subjects in research would accomplish this, and, therefore, decided to limit the permitted disclosures for research purposes under part 2 to instances in which the researchers would meet the requirements governing their receipt of protected health information from a covered entity under the HIPAA privacy rule and/or the requirements governing research on human subjects under the HHS Common Rule. Under this expanded authority, the HIPAA standards would be applied as a test regardless of whether the data source for the disclosure was a HIPAA covered entity.

Under 42 CFR part 2, the research provision provides clear policies on conducting research and protecting the confidentiality of patient identifying information, including their obligations to comply with requirements under 42 CFR 2.16, Security for Records.

Public Comments

A commenter stated that SAMHSA, in coordination with state regulators, should work together to issue guidance related to the application of the federal part 2 requirements to substance use disorder information that may be requested by states for public health and other purposes.

SAMHSA Response

The statute authorizing part 2 contains specific limited exceptions to the consent requirement, and making a change to exempt states from this requirement, under certain conditions, would be inconsistent with the statutory scheme.

Public Comments

One commenter stated that the expansion of the disclosure of patient identifying information should be limited to CMS and/or state governmental agencies that have authority over substance use disorder treatment services. The commenter stated that an unintended consequence of implementing the potential of wide-spread disclosure of previously protected information is that the protections the confidentiality regulations afforded patients will be eviscerated as essentially all the recipients of protected information, for the last 40 years will no longer be bound by the prohibition of re-disclosure, subjecting the patient's information to re-disclosure, without the patient's consent, to any individual or entity representing that they are conducting scientific research. The commenter argued that SAMHSA should limit the number of entities who can release patient identifying information to those who actually have the resources to verify that such disclosure to a researcher is for a valid research purpose; can ensure proper research protections are in place; and affirm the patient will not be more vulnerable as a result of the disclosure. The vast majority of lawful holders cannot adequately perform this analysis and therefore cannot protect the patient's interest as required under the part 2 regulations.

SAMHSA Response

SAMHSA declines to narrow the scope of the research provision as suggested. In developing the proposed rule, SAMHSA examined the existing regulations that protect human subjects in research and concluded that, if those requirements were fulfilled, 42 CFR part 2 would ensure confidentiality protections consistent with the statute, while providing the expanded authority for disclosing patient identifying information. Specifically, IRBs determine that, when appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data before approving the research (45 CFR 46.111(a)(7)). SAMHSA is interested in affording patients protected by 42 CFR part 2 the same opportunity to benefit from advanced research protocols while continuing to safeguard their privacy, and narrowing the scope of lawful holders that may disclose part 2 data for research purposes, as suggested by the commenter would limit the ability of patients to benefit from these research efforts.

Public Comments

Other commenters expressed concern about the expanded research exception. A commenter stated that the proposed provision would create a wide opportunity for data sharing with increased risk of adverse impact. Similarly, a commenter warned that the research exception revision poses unnecessary risk of data breach of patient's confidentiality.

SAMHSA received a large number of comments, particularly from researchers, expressing support for the revised research provision. These commenters expressed concern that, without this revised provision, researchers' access to substance use disorder-related data in Medicare and Medicaid claims/encounter databases would be limited to instances in which consent could be obtained. A number of commenters cited a study by K. Rough et al. published in the March 15, 2016, issue of the Journal of the American Medical Association that found the exclusion of part 2 data from Medicare and Medicaid claims/encounter data in research contexts coincided with decreases in the rates of diagnoses for certain conditions commonly co-occurring with substance use disorder. Commenters reiterated a point made in the article that underestimating diagnoses has the potential to bias health services research studies and epidemiological analyses. Some commenters also stated that implementing appropriate data safeguards can protect patient privacy while still allowing researchers access to critical data.

SAMHSA Response

SAMHSA agrees with the commenters' assertions regarding how the exclusion of this substance use disorder data hampers vital public health research, particularly in light of the growing national opioid epidemic and is finalizing the research data access proposal in the final rule.

With respect to concerns about privacy and the expansion of the research exception, SAMHSA clarifies that the research exception is intended to permit data protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data (lawful holder of part 2 data).

The research provision (§ 2.52(b)) already includes a requirement that the researcher receiving the part 2 data is fully bound by 42 CFR part 2. Although not required by § 2.52, the regulation would permit any lawful holder of patient identifying information to require a researcher to sign a data use agreement spelling out these requirements. Lawful holders of patient identifying information may disclose part 2 data without patient consent for research purposes only under the specified circumstances under the research provision.

Public Comments

A commenter requested clarification as to whether “lawful holders” may disclose part 2 data to third parties to conduct research or whether the “lawful holder” has to conduct the research itself.

Citing the HIPAA tracking criteria for disclosures outside the entity pursuant to a waiver of authorization, another commenter asked SAMHSA to clarify what tracking requirements would apply to disclosure of part 2 data for purposes of research. This commenter also asked SAMHSA to clarify whether disclosure for purposes of research means sharing the data with anyone for research purposes or only applies when part 2 data is shared with an outside entity.

SAMHSA Response

The research provision permits part 2 programs and other lawful holders of patient identifying information to disclose data protected by 42 CFR part 2 to qualified personnel for the purpose of conducting scientific research if the researcher provides documentation of meeting certain requirements related to other existing protections for human research. “Qualified personnel” is a statutory term and SAMHSA has clarified that this term includes those individuals who meet the requirements specified in the research provision to receive part 2 data for the purpose of conducting scientific research.

The proposed rule did not include a tracking requirement for information disclosed under the research exception and so we are declining to include such a requirement in the final rule.

Public Comments

Another commenter reasoned that municipalities should be able to receive and match patient identifying information and then use the de-identified data for planning and analysis purposes (e.g., determining how many criminal justice-involved defendants have a previous history of substance use disorder treatment).

SAMHSA Response

SAMHSA declines to make the recommended expansion to the research provision. SAMHSA is revising the research exception to permit data protected by 42 CFR part 2 to be disclosed to qualified personnel for the purpose of conducting scientific research by a part 2 program or any other individual or entity that is in lawful possession of part 2 data (lawful holder of part 2 data).”Qualified personnel” is a statutory term and SAMHSA has clarified that this term includes those individuals who meet the requirements specified in the research provision to receive part 2 data for the purpose of conducting scientific research. This term would not preclude researchers from conducting such research efforts on behalf of a municipality. However, part 2 prohibits researchers from re-disclosing patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under § 2.52(c) of this section, and permits researchers to include part 2 data in reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

Public Comments

A commenter expressed support for the strengthened proposed research provision whereby patient identifying information may be released only after the program director has determined the research recipient has obtained appropriate IRB and/or privacy board approval and consent. Another commenter asserted that information that is de-identified and presented in aggregate should be permitted to be more readily used in research. The commenter stated that this was another area where SAMHSA can promote greater alignment with HIPAA, which provides allowances for covered information that is de-identified and presented in the aggregate.

SAMHSA Response

Part 2 only applies to information that would identify a patient as having or having had a substance use disorder. The revised research provision allows researchers to include part 2 data in reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder. The revised § 2.52 also requires researchers to maintain and destroy patient identifying information in accordance with the security policies and procedures established under § 2.16. SAMHSA aligned policy with HIPAA where possible. However, 42 CFR part 2 and its governing statute are separate and distinct from HIPAA, and the part 2 regulations use different terminology than used in HIPAA.

Public Comments

A commenter requested clarification on whether data disclosed to qualified personnel under § 2.52 would include “identifiable information.” For example, this commenter asked why a name would be relevant if the data and information would be used for research. Another commenter stated that certain patient identifying information such as social security numbers should not be included, as it serves no purpose to researchers. The commenter stated that this can easily be mitigated by data segmentation and consent management, but until then the rule should be maintained in that the part 2 program director is the only individual authorized to release of information.

SAMHSA Response

The part 2 data that may be disclosed for research purposes include patient identifying information, as that term is defined in § 2.11. One reason researchers would need identifiable information is to link part 2 data to other data sets, or for conducting data linkages. SAMHSA also proposed to address data linkages, which requires identifiable information, because the process of linking two or more streams of data opens up new research opportunities and potential risks. For example, the practice of requesting data linkages from other data sources to study the longitudinal effects of treatment is becoming widespread. SAMHSA is interested in affording patients protected by 42 CFR part 2 the same opportunity to benefit from these advanced research protocols while continuing to safeguard their privacy. Likewise, SAMHSA revised the research provision to enable part 2 data to be disclosed for research purposes by part 2 programs and other lawful holders of patient identifying information so that patients may benefit from the additional scientific research that will be conducted and that will facilitate continual quality improvement of part 2 programs and the important services they offer. This additional research would not be able to be conducted if SAMHSA were to continue to maintain the existing part 2 research provision, as suggested.

2. Suggestions for Improvement of the Research Provisions

Public Comments

Some commenters made suggestions to improve privacy protections as it relates to research. A commenter suggested that the research provision require a certificate of confidentiality as a prerequisite to researcher access to part 2 information.

SAMHSA Response

The research provision (§ 2.52(b)) already includes a requirement that the researcher receiving the part 2 data is fully bound by 42 CFR part 2. Although not required by § 2.52, the regulation would permit any lawful holder of patient identifying information to require a researcher sign a data use agreement spelling out these requirements.

According to NIH, certificates of confidentiality do not take the place of good data security or clear policies and procedures for data protection, which are essential to the protection of research participants' privacy. Under 42 CFR part 2, the research provision provides clear policies on conducting research and protecting the confidentiality of patient identifying information, including their obligations to comply with requirements under 42 CFR 2.16, Security for Records.

Public Comments

A commenter concluded that the number of entities who could release patient identifying information should be limited to those who have the resources to verify the research is valid and the patient will not become more vulnerable as result of disclosure. A commenter suggested that strict policies be in place at all levels of research organizations to assure that prohibited re-disclosure of patient information does not occur. A commenter asserted that aligning part 2's requirements for a valid written consent with those applicable under the HIPAA Privacy Rule would avoid confusion. One commenter suggested that the filing of conflict of interest statements by the primary investigators and co-investigators be required. A commenter suggested a change in language to clarify that researchers will resist any judicial demand for access to patient records, except as permitted by these regulations.

SAMHSA Response

SAMHSA examined the existing regulations that protect human subjects in research and concluded that, if those requirements were fulfilled, 42 CFR part 2 would ensure confidentiality protections consistent with the statute, while providing the expanded authority for disclosing patient identifying information. Requirements that ensure compliance with HIPAA and the Common Rule (e.g., IRB and/or privacy board review) with respect to research provide these assurances, including that the researcher has a plan to protect and destroy identifiers and to not re-disclose the information in an unauthorized manner. Disclosure of part 2 data also would be allowable for research that qualifies for exemption under the Common Rule due to the lower risk to subjects in the circumstances where exemptions apply, and this has been clarified in § 2.52(a)(2). The individual who would make the determination to disclose part 2 data on behalf of a part 2 program or other lawful holder would be the individual designated as director or managing director, or an individual otherwise vested with authority to act as chief executive officer or their designee. In addition, there is nothing in the regulation that requires this individual to disclose the data, even if the researcher provides documentation of compliance with the requirements under § 2.52.

SAMHSA declines to make the recommended change regarding conflicts of interest to the research section (§ 2.52). The revised research provision requires reviews, either by an IRB and/or privacy board, for the specific purpose of minimizing risk to patients and their privacy. The research provision also requires researchers requesting data linkages, as described in § 2.52(c), to have the request reviewed and approved by an IRB registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. In addition, HHS has issued subregulatory guidance that, to the extent financial interests may affect the rights and welfare of human subjects in research, IRBs, institutions, and investigators need to consider what actions regarding financial interests may be necessary to protect those subjects.

SAMHSA proposed to require any individual or entity conducting scientific research using patient identifying information to meet additional requirements to ensure compliance with confidentiality provisions under part 2. Among these are a provision (§ 2.52(b)(1)) that “requires researchers to be fully bound by these regulations and, if necessary, to resist in judicial proceedings any efforts to obtain access to patient records except as permitted by these regulations.”

Public Comments

Another commenter suggested that the rule allow an extended disclosure period specific to research that could be included in the initial disclosure approval.

SAMHSA Response

The part 2 regulations do not specify a disclosure period in the research provision.

Public Comments

A commenter said that it would bring clarity and aid entities seeking to comply with the proposed rule if it included a definition of “repository” and of “scientific research.” The commenter stated that the HHS Common Rule provisions, referenced repeatedly in the proposed rule, apply only to activities which meet the definition of research involving human subjects. It is not clear whether SAMHSA intends to adopt Common Rule definitions or create a separate scheme.

SAMHSA Response

SAMHSA did not propose a regulatory definition for these terms in the NPRM and respectfully declines to define the terms in the final rule as suggested. “Scientific research” is a statutory term that is not defined. Researchers requesting part 2 data for the purposes of conducting scientific research and whose research is subject to the Common Rule would need to comply with requirements for the Common Rule as well as those of part 2. SAMHSA refers to the term “repository” in the context of the data linkages provision, and intended the term to broadly refer to data that is stored and managed. SAMHSA may address undefined terms that require further elaboration in subregulatory guidance or in subsequent rulemaking.

Public Comments

One commenter supported provisions that allow states to work with outside entities, which are HIPAA and Common Rule compliant, to conduct research that will improve care and drive quality outcomes for Medicaid beneficiaries with a substance use disorder.

SAMHSA Response

SAMHSA supports the efforts of part 2 stakeholders to work together collaboratively and in compliance with the law. Part 2 prohibits researchers from re-disclosing patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under the data linkages provision. Researchers may include part 2 data in reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

3. HIPAA and HHS Common Rule Requirements

Public Comments

Many commenters expressed support for aligning requirements for disclosure of information for conducting research with existing requirements for research as regulated by the HHS Common Rule (45 CFR part 46). A commenter remarked that an alternate approach would be to create a single category of consent for research purposes.

SAMHSA Response

In this part 2 final rule, SAMHSA has implemented certain revisions that are predicated on the current version of the Common Rule (45 CFR part 46, Protection of Human Subjects, promulgated in 1991). Should conflicting policies be created in the future, SAMHSA will take appropriate action (e.g., issue an NPRM or technical correction). With respect to creating a single category of consent for research, the existing consent requirements permit patient consent for the disclosure of patient identifying information for the purpose of scientific research.

4. Data Linkages

SAMHSA revised § 2.52 from the proposed regulatory text by separating out the data linkages provisions into its own paragraph, § 2.52(c) for purposes of clarity and readability. In addition, the final § 2.52 addresses data linkages to enable researchers holding part 2 data to link to data sets from federal and non-federal data repositories as explained in greater detail below. SAMHSA proposed to permit researchers to request to link data sets that include patient identifying information under certain conditions. We proposed to limit the data repositories from which a researcher may request data for data linkages purposes to federal data repositories because federal agencies that maintain data repositories have policies and procedures in place to protect the security and confidentiality of the patient identifying information that must be submitted by a researcher in order to link the data sets. SAMHSA sought input from the public regarding whether to expand the data linkages provision beyond federal data repositories; what confidentiality, privacy, and security safeguards are in place for those non-federal data repositories; and whether those safeguards are sufficient to protect the security and confidentiality of the patient identifying information.

Public Comments

Several commenters suggested that researchers be allowed to perform data linkages between data sets containing substance use disorder data. However, some warned that the proposed rule was unclear regarding data linkages. One commenter said SAMHSA should clarify that researchers have the option to submit data to a federal data repository, like CMS, for linking of federal data, but are not required to do so. Other commenters argued that proposed § 2.52 should explicitly allow researchers to perform their own data linkages between data sets containing substance use disorder records. A commenter asserted that non-profit entities who engage in research should be distinct from for-profit organizations and that for-profit organizations should not be allowed access to large linked data sets.

Many commenters expressed support for permitting linkage with non-federal repositories where adequate, flexible safeguards are in place to protect the security and confidentiality of part 2 data. A commenter asserted that only allowing researchers to combine 42 CFR part 2 records received without patient consent with records from a federal repository is not consistent with the goal of enhancing research conducted with data protected by part 2. In particular, commenters pointed out that many state, local, tribal, and corporate data repositories with hospital emergency department and discharge, trauma registry, and birth and death records would not be covered by the federal data linkages language in the proposed rule, thereby hampering important research and evaluation activities. Additionally, commenters supported the expansion of data linkages in order to better support the analysis required by evolving health care delivery and payment models, such as Accountable Care Organizations.

Commenters urged that appropriate privacy and security protections are in place, to include physical security and disposition of data if SAMHSA permits linkages to non-federal data repositories. One commenter remarked that protections imposed by federal repositories that are not imposed by other repositories should be identified and considered as requirements, so as not to lose the insight offered through additional linkage opportunities. Another suggested implementation of data use agreement language to non-federal repositories. A commenter reasoned IRBs or privacy officers could ensure other repositories are in compliance with part 2 requirements.

However, a few commenters did not support expansion of data linkage to non-federal repositories. Some commenters expressed concerns about the security of data in both federal and non-federal data repositories citing examples of healthcare data breaches. One commenter concluded data linkage to any data repositories be withdrawn from the proposed language citing the federal agencies as well as health care data repositories inability to adequately safeguard personal information. Another commenter suggested data repositories performing the data linkages, if outside of part 2 entity, not be given information subject to part 2.

SAMHSA Response

SAMHSA would like to clarify that the data linkages provision is not intended to prohibit a researcher from linking a data set in the researcher's possession that contains part 2 data with a data set from a third party source, so long as the part 2 data is not further disclosed in the data linkage process and the researcher adheres to any applicable confidentiality, privacy, and security requirements and safeguards. Regarding the comment on for-profit organizations, whether the researcher is a for-profit or not-for-profit organization, the researcher would be required to have IRB approval and/or privacy board review of their research, and, additionally, IRB approval of the research project that contains the data linkage component, to ensure risks to the patient and their privacy are minimized. In addition, part 2 prohibits researchers from re-disclosing patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under the data linkages provision. Researchers may include part 2 data in reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

In response to public comments, SAMHSA has decided in the final rule to permit data linkages to both federal and non-federal data repositories subject to the conditions explained below. SAMHSA believes that these changes will enhance research while still ensuring the protection of part 2 patient identifying information. SAMHSA agrees with commenters that many non-federal data repositories, as well as federal data repositories, contain data that is critical to research and, therefore, SAMHSA is expanding data linkages provisions.

In the data linkages provision of this final rule (§ 2.52(c)), SAMHSA revises its proposal to enable researchers holding part 2 data to link to data sets from any repository, including non-federal repositories, provided that the linkage has been reviewed and approved by an Institutional Review Board registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. In addition to having the request reviewed and approved by an IRB, the researcher must ensure that patient identifying information obtained under the rule's research provisions is not provided to law enforcement agencies or officials. SAMHSA states in the final rule that the data repository is fully bound by the provisions of part 2 upon receipt of the patient identifying data and must, after providing the researcher with the linked data, destroy or delete the linked data from its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16 Security for records. In addition, the data repository must ensure that any data obtained pursuant to part 2's research provisions is not provided to law enforcement agencies or officials.

Public Comments

One commenter recommended that SAMHSA expand data linkages beyond research to the broader need for it to be inclusive of coordinated care. The commenter stated that this is another area where SAMHSA could look to existing HIPAA provisions and align the part 2 provisions accordingly.

SAMHSA Response

SAMHSA declines to make the revision suggested by the commenter. The transfer of part 2 information for the purposes of research, as allowed under § 2.52, is an exception to patient consent, and, therefore, the data linkages provision cannot be expanded to other parts of the regulation. Because of its targeted population, part 2 provides more stringent federal protections than most other health privacy laws, including HIPAA. However, SAMHSA aligned policy with HIPAA where possible.

5. Multi-Payer Claims Database

Public Comments

Many commenters urged the final rule to explicitly include a statement on the authority granted to MPCDs (also referred to as APCDs) that maintain adequate safeguards to collect, link, and disseminate substance use disorder records without patient consent for research purposes. Several commenters argued that many states have established state-sponsored MPCD systems and urged the proposed rule to specifically ensure substance use disorder data are not systematically excluded from state MPCD systems, allowing part 2 data to be collected, linked, and disseminated without patient consent for research purposes. A commenter requested specific guidance as to whether MPCDs could be lawful holders of part 2 data with the same disclosure requirements as those for HIEs. A commenter stated that the rule should authorize state data repositories such as an MPCD to link part 2 data to other data for research purposes.

SAMHSA Response

For an MPCD or any entity to disclose part 2 data for research purposes under the rule's research exception to consent requirements (§ 2.52), the entity must be a “lawful holder of patient identifying information.” Under the research provision, any lawful holder of part 2 data may disclose the data to qualified researchers that meet the requirements under the HHS Common Rule or HIPAA Privacy Rule. As SAMHSA discussed in the NPRM preamble, a “lawful holder” of patient identifying information is an individual or entity who has received such information in accordance with the part 2 requirements, and, therefore, is bound by 42 CFR part 2. Examples of potential “lawful holders” of patient identifying information include a patient's treating provider, a hospital emergency room, an insurance company, an individual or entity performing an audit or evaluation, or an individual or entity conducting scientific research. As permitted by the authorizing statute and under these regulations, any lawful holder of patient identifying information may disclose part 2 data without patient consent for research purposes under the circumstances specified under the research provision.

Regarding the specific scenario raised by commenters, SAMHSA wishes to clarify that MPCDs and other data intermediaries are permitted to obtain part 2 data under the research exception provided in § 2.52, provided that the conditions of the research exception are met. Furthermore, an MPCD or data intermediary that obtains part 2 data in this fashion would be considered a “lawful holder” under these final regulations and would therefore be permitted to redisclose part 2 data for research purposes, subject to the other conditions imposed under § 2.52. The final rule edits the language under paragraph 2.52(a) to clarify that the regulations do not prohibit such a disclosure.

Except as provided in paragraph 2.52(c), a researcher may not redisclose patient identifying information for data linkages purposes. SAMHSA's data linkages provision permits researchers to request to link data sets that include patient identifying information if the data linkages component is reviewed and approved by an IRB registered with OHRP in accordance with 45 CFR part 46 and certain other conditions are met. The data linkages provision is not intended to prohibit a researcher from linking a data set in the researcher's possession that contains part 2 data with a data set from a third-party source, so long as the part 2 data is not further disclosed in the data linkage process and any applicable confidentiality, privacy, and other conditions as specified in this rule are adhered to.

O. Audit and Evaluation (§ 2.53)

SAMHSA is modifying the proposed language as discussed below. SAMHSA has revised the section heading by deleting the word “activities.” SAMHSA modernized this section to include provisions governing both paper and electronic patient records. In addition, we revised the requirements for destroying patient identifying information by citing the expanded Security for Records section (§ 2.16). Furthermore, we updated the Medicare or Medicaid audit or evaluation paragraph title to include Children's Health Insurance Program (CHIP) and, in subsequent language, refer to Medicare, Medicaid, and CHIP.

The § 2.53 revisions permit the part 2 program, not just the part 2 program director, to determine who is qualified to conduct an audit or evaluation of the part 2 program. The revised language also permits an audit or evaluation necessary to meet the requirements of a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE), under certain conditions, by better aligning the criteria in this section with those set forth in the Affordable Care Act (regulating ACOs, in part, at 42 U.S.C. 1395jjj). We have specified that such ACO or similar CMS-regulated entities must have in place administrative and/or clinical systems. While the NPRM indicated both types of systems were required, it has been noted that some ACO or similar CMS-regulated entities will not have both clinical and administrative systems. We also have clarified in the final rule that the ACO or similar CMS-regulated organization (including a CMS-regulated QE) is subject to periodic evaluations by, or receives patient identifying information from, CMS or its agents. To ensure that patient identifying information is protected, the ACO or similar CMS-regulated organization (including a CMS-regulated QE) that is the subject of, or is conducting, the audit or evaluation must have a signed Participation Agreement with CMS or similar documentation that demonstrates that the organization and its auditors or evaluators must conduct the audit and evaluation activities in full compliance with all applicable provisions of 42 U.S.C. 290dd-2 and 42 CFR part 2.

Public Comments

Several commenters provided comments with regard to § 2.53, Audit and Evaluation. A few commenters discussed the application of this section to Medicare and Medicaid. A couple of commenters recommended clarifying that Medicaid agencies are permitted under the QSO exception to disclose part 2 information to third-party payers for audit or evaluation purposes. These commenters also suggested that Medicaid and other third-party payers may use (third-party) contractors and vendors to assist beneficiaries and perform such activities as program integrity activities. The commenters argued that the QSO exception described above should include communications between third-party payers such as Medicaid agencies and other holders of part 2 data and QSOs to help ensure “operational efficiency.” Another commenter suggested that the revisions concerning the auditing process and Participation Agreements would be too burdensome, and would be inconsistently applied because Medicare and Medicaid do not have to comply with the auditing requirements, whereas providers do. Further, a couple of commenters stated that part 2 programs would be confused in attempting to decipher which organizations have Participating Agreements with CMS in place, further exacerbating the existing compliance issues with part 2. A commenter requested that SAMHSA clarify whether Medicaid program ACOs and external quality review organizations (EQRO) are considered “CMS-regulated” for the purposes of permitted disclosures. The commenter suggested that Medicaid program entities should be considered CMS-regulated entities.

SAMHSA Response

A QSO is an individual or entity that provides a service to a part 2 program consistent with a QSOA (see §§ 2.11, Definitions; 2.12(c)(4), Applicability). A QSOA is a two-way agreement between a part 2 program and the individual or entity providing the desired service. Therefore, to be a QSO, the contracted entity must be providing the service to a part 2 program. The QSOA authorizes communication only between the part 2 program and QSO. Third-party payers, such as Medicaid, are not considered part 2 programs as defined in this rule, and are not eligible to have QSO through a QSOA. That said, comments to the proposed rule raised questions that indicate that there may be varying interpretations of the current (1987) part 2 rule's restrictions regarding the use of contractors/subcontractors in contexts other than the QSO context, such as the sharing of part 2 information by third-party payers with contractors and subcontractors to carry out activities related to audit and evaluation and program integrity, and we intend to address such scenarios with greater clarity in an SNPRM.. As stated under § 2.12(a)(1), Restrictions on disclosures, the restrictions on disclosures in these regulations apply to any information, whether recorded or not, which would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such information by another person. Patient identifying information that has been rendered non-identifiable in a manner that creates a very low risk of re-identification may be disclosed.

With regard to the concern that the proposed revisions to § 2.53 would be burdensome and create confusion when part 2 programs have to determine who has a Participation Agreement or similar documentation in place, CMS-regulated entities that, among other requirements, are subject to periodic evaluations by CMS or its agents, or are required by CMS to evaluate participants in the ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures should be able to produce evidence that they have Participation Agreements or similar documentation in place with CMS if requested by a part 2 program.

As to whether Medicaid program ACOs and EQROs are considered “CMS-regulated,” this rule explicitly states that ACOs and similar organizations regulated by CMS may, subject to certain conditions, disclose or require participants in the organization to disclose part 2-covered information in order for the organization to meet CMS audit and evaluation requirements. Other entities may also be considered “CMS-regulated” depending on the particular circumstances, for example, as a result of their direct supervision by CMS, the establishment by CMS of regulations governing their conduct or qualification, or, in the case of Medicaid and CHIP-related entities, CMS' approval of state plans or waivers and supervision of the state agencies. Medicaid program ACOs and EQROs do fit within the entities covered by the audit and evaluation provisions of the part 2 program. SAMHSA may further elaborate on this topic in subregulatory guidance issued following the publication of the final rule.

Public Comments

A few commenters provided input on SAMHSA's proposal to permit audit or evaluation necessary to meet the requirements of a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE), under certain conditions. A couple of commenters recommended that SAMHSA modify part 2 to permit CMS to provide all claims with substance use disorder treatment information through the Claim and Claim Line Feed (CCLF) file so patients can receive comprehensive, quality treatment and programs can operate more efficiently and effectively. The commenters suggested that because 42 U.S.C. 290dd-2(b)(2)(B) permits substance use disorder treatment program to disclose treatment records without the consent of the patient for the purpose of audits or evaluation; § 2.53 of the proposed rule also permits substance use disorder treatment programs to disclose treatment records to ACOs or other CMS-regulated organizations to allow the organizations to meet CMS's audit and evaluation requirements for participation; therefore the provision could be expanded, or clarified, to also permit CMS to disclose substance use disorder treatment information to ACOs and bundled payment participants for audit and evaluation activities. Another commenter expressed concern about the expansion of the part 2 audit and evaluation exception to include ACOs, because ACOs are continually “auditing” programs as a continual process of evaluating and monitoring and part 2's language makes clear that an audit or evaluation is a time-limited activity that is not intended to permit ongoing access to program records. This commenter asserted that the part 2 audit and evaluation exception should not be allowed to result in a practice that circumvents the need to obtain a patient's consent to access their information.

One commenter noted that CMS's application of part 2 in its removal of substance use disorder treatment information from the monthly CCLF, in which CMS redacts any claim submitted by any provider where a substance use disorder is either the principal or secondary diagnosis, causes CMS to remove claims from the CCLF file that are not produced by federally assisted substance use disorder treatment programs. The commenter urged SAMHSA to work with CMS to develop a pathway to include substance use disorder treatment information in the CCLF data file.

SAMHSA Response

CMS may disclose patient identifying information to a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) for Medicare audit and evaluation purposes pursuant to § 2.53(c), which provides that “[p]atient identifying information, as defined in § 2.11, may be disclosed under paragraph (c) of this section to any individual or entity for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation. . . .” Neither the statute nor the part 2 regulations define audit or evaluation. However, under this section of the audit and evaluation exception, the purpose of the disclosure must be to conduct a Medicare, Medicaid, or CHIP audit or evaluation. This may include audit or evaluation activities, such as reviews of financial performance or the quality of health care services delivered, undertaken by the CMS-regulated organization itself to review its own performance. The exception does not cover any activities conducted by ACOs that may not be reasonably construed as being related to such a purpose.

Public Comments

Commenters provided other recommendations related to this section. A commenter suggested that § 2.53(d) should be revised to permit disclosure of patient information to entities that have administrative control over auditors. Another commenter suggested that SAMHSA consider allowing “lawful holders” the ability to share information for audit and evaluation services, with the agreement that the service provider must adhere to part 2.

Another commenter recommended that SAMHSA convene a group of state, local, and provider representatives to develop draft guidance.

SAMHSA Response

Regarding the suggestion that § 2.53(d) should be revised to permit disclosure of patient information to entities that have administrative control over auditors, except as provided in § 2.53(c), patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.

As recommended by a commenter, SAMHSA plans to develop and publish subregulatory guidance regarding the application of § 2.53 audit and evaluation disclosures after publication of this final rule.

P. Other Public Comments on the Proposed Rule

1. Requests To Extend the Public Comment Period

Public Comments

Several commenters requested extension to the public comment period. Commenters stated the complexity and importance of the rule warranted additional time for reflection and comment. A few commenters requested that the comment period be extended for one year to allow for a more open process. A couple of commenters suggested that in addition to extending the comment period for one year, public hearings also be held across the county.

SAMHSA Response

While SAMHSA recognizes that the issues addressed in the part 2 NPRM are complex and important, we concluded that the 60-day comment period was sufficient to provide the public a meaningful opportunity to comment, and this conclusion is supported by the hundreds of complex and thoughtful comments received. Additionally, the NPRM was available to the public for a preliminary review on the Federal Register Web site upon submission of the NPRM to the Federal Register, which was several days prior to publication, thereby providing stakeholders additional time prior to the publication date. Finally, on June 11, 2014, SAMHSA held a public listening session and, invited through a Federal Register notice, general comments, as well as comments on six key provisions of 42 CFR part 2.

2. Rulemaking Process

Public Comments

One commenter expressed concern that SAMHSA did not summarize or address specific comments from stakeholders who participated in the public listening sessions.

Another commenter said that the part 2 changes should move forward but should be monitored and modified accordingly over the next two to three years.

SAMHSA Response

SAMHSA will undertake further rulemaking as necessary and intends to respond to issues raised with respect to the part 2 regulations, as they have in the past, through subregulatory guidance.

SAMHSA considered all comments received in the June 2014 public Listening Session on the part 2 regulations. As explained in the NPRM, feedback from the Listening Session was considered and helped to inform the development of the February 2016 NPRM (see 81 FR 6988, 6993). SAMHSA posted all comments received in response to the Listening Session Federal Register Notice on its Web site: http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations .

3. Implementation Timeline and Other Barriers to Implementation

Public Comments

To allay privacy concerns, a commenter said that SAMHSA should delay the proposed part 2 changes to further develop its Consent2Share application and encourage wider adoption. Similarly, a commenter recommended further testing and evaluation on IT solutions before issuing part 2 changes. This commenter further urged SAMHSA to address these issues in the final rule by specifically detailing a process for updating the Consent2Share tool so that its design specifications remain compatible with the rapidly advancing and very fluid EHR design landscape.

SAMHSA Response

SAMHSA declines to accept these recommendations to delay publication of a final rule pending technology developments or Congressional action. Technology adoption is an ongoing process, and the majority of current EHR and HIE applications may not have the capability to support the DS4P initiative. In addition, paper records are still used today in some part 2 programs and shared through facsimile (FAX). In addition, SAMHSA's publication of a final rule would not prevent further Congressional action with respect to part 2.

Public Comments

One commenter expressed concern that applying electronic data segmentation in conjunction with patient privacy preferences can significantly increase the complexity of the workflow process and have unintended consequences on system performance and response times at the point of care. The commenter recommended that SAMHSA, in conjunction with other federal agencies, advisory bodies, such as the National Committee on Vital and Health Statistics (NCVHS), and public and private stakeholders should convene public discussions to evaluate the possibility of data segmentation standards in electronic systems, the benefits and potential unintended consequences that may result, along with the associated costs and anticipated consumer uses of such standards and processes.

In addition to the technical challenges, a commenter said that SAMHSA should recognize other barriers to implementation of part 2 changes, including complexity in navigating individual state regulations, challenges around mapping to clinical codes, and lack of a standardized service discovery mechanism to ensure capability of exchanging systems to evaluate the ability to receive and interpret a tagged document.

SAMHSA Response

SAMHSA recognizes the concerns expressed by the commenter; however, SAMHSA's jurisdiction is limited to those regulations over which it has authority. We note that the part 2 regulations permit, but do not require, data segmentation.

4. Educational Opportunities

Public Comments

Some commenters urged SAMHSA to provide trainings/webinars and technical assistance after the final rule is adopted so that substance use disorder providers, other health care providers, and patients will understand the changes to ensure compliance with the rule. Expressing concern that many people will not understand the idea of an HIE or a registry, one commenter suggested creating paid space for a nurse visit to walk a consumer through the consent.

A few commenters encouraged SAMHSA to invest in provider and patient education efforts on the value of integrated care, the role of information sharing in enabling integrated care, how the consent process works, patient rights under 42 CFR part 2, and the implications of providing consent to share personal health information.

A commenter encouraged SAMHSA to continue its efforts to provide guidance as to how part 2's requirements can be incorporated into HIE systems, suggesting that many of the perceived part 2 issues can be resolved by proper education regarding the actual requirements and how information can be exchanged pursuant to part 2 with little, if any, additional effort if proper operational practices are utilized by health care providers and management organizations.

One commenter suggested that SAMHSA establish a consumer engagement committee or seek input from an existing national consumer advisory council to support part 2 programs in complying with certain areas of the rule, such as developing user-friendly consent forms and crafting educational materials for patients. One commenter suggested that SAMHSA contract with the Legal Action Center to create a webinar or FAQ to provide guidance to community health centers and other “multi-use” organizations as to the applicability of part 2.

Another commenter recommended that SAMHSA develop educational materials targeted at pharmacists because of the pharmacy profession's growing role in substance use disorder treatment.

SAMHSA Response

SAMHSA appreciates these comments on educational opportunities and plans to address specific commenter requests in subregulatory guidance after the publication of the final rule. SAMHSA will consider additional educational activities, such as trainings, webinars, and establishing engagement committees, should SAMHSA determine the need during implementation of the final rule.

5. Increased Enforcement

Public Comments

Some commenters urged SAMHSA to ensure that part 2 provides for meaningful enforcement and penalties, with a few reasoning that the rule would create new avenues for the exchanges of patients' substance use disorder information, especially to other parts of the health care system that may have little to no experience treating substance use disorder or complying with part 2. One of these commenters asserted that fines imposed for part 2 violations are so minimal that they are not a deterrent to intentional or accidental violations. A commenter suggested that SAMHSA adopt the HIPAA penalties contained in the HITECH Act and specify that any disclosures of information in violation of this statute must be excluded from evidence and deemed inadmissible for use in any administrative, civil, or criminal proceeding.

Urging SAMHSA to review and correct the enforcement concerns of the underlying statute, one commenter argued that the current confidentiality obligations have questionable enforcement authority because there is no express provision in Title 18 pertaining to the confidentiality of drug and alcohol treatment records. Although the original part 2 underlying statute set forth specific fines, the commenter explained that a subsequent revision (by Pub. L. 102-321) eliminated the fines leaving only a reference to Title 18. Moreover, the commenter said that by the proposed transfer of the existing enforcement authority from FDA to SAMHSA, the proposed rule appears to remove enforcement authority that actually exists to a potential state of unenforceability. Similarly, another commenter stated that SAMHSA does not have legislative authority to impose penalties for disclosure. No mention of privacy law violation fines, penalties, or offenses exist in Title 18. Thus, the current confidentiality obligations have no enforcement authority. The commenter stated that entities receiving unauthorized information would likely not be subject to penalties unless a common law breach of privacy lawsuit is filed.

SAMHSA Response

The Department of Justice is responsible for enforcing violations of 42 CFR part 2 in accordance with Title 18 of the United States Code. Title 42 U.S.C. 290dd-2 provides that “[a]ny person who violates any provision of [the] section or any regulation issued pursuant to [the] section shall be fined in accordance with title 18.” Reports of violation of the regulations may be directed to the United States Attorney's Office (USAO) for the judicial district in which the violation occurs or may be directed to SAMHSA for possible referral to the relevant USAO. A report of any violation of these regulations by an opioid treatment program may be directed to the relevant USAO as well as the SAMHSA office for opioid treatment program oversight, pursuant to 42 CFR part 8.

6. Other Miscellaneous Comments on the Proposed Rule

Public Comments

A commenter suggested that SAMHSA revise the title of part 2 to “Confidentiality of Patient Records Relevant to Substance Use Disorders and Associated Behavioral Diagnoses,” to ensure person-centered language is used.

SAMHSA Response

To be consistent with recognized classification manuals, current diagnostic lexicon, and commonly used descriptive terminology, SAMHSA proposed to refer to alcohol abuse and drug abuse collectively as “substance use disorder,” and, for consistency, proposed to revise the title of 42 CFR part 2 from “Confidentiality of Alcohol and Drug Abuse Patient Records” to “Confidentiality of Substance Use Disorder Patient Records.”

Public Comments

Some commenters made specific suggestions or requested clarification regarding parts of the part 2 regulations that were not the subject of the proposed changes in the NPRM. For example, commenters addressed §§ 2.14 (Minor patients), 2.20 (Relationship to state laws), and 2.21 (Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity).

SAMHSA Response

SAMHSA acknowledges commenters' questions and suggestions relating to all aspects of the part 2 regulations. However, for purposes of this final rule, SAMHSA generally considered comments submitted on provisions for which changes were not proposed in the February 2016 NPRM to be outside of the scope of this rulemaking. SAMHSA will take such comments and recommendations under advisement and may issue subregulatory guidance in the future to address some of these issues brought up by commenters.

Public Comments

Another commenter also urged SAMHSA to work with CMS to ensure that when proper criteria are met, such as through a QSOA and/or a signed consent form, patient substance use claim information is available to ACOs through their CCLF files. Asserting that it is a major blind spot in the ability of an ACO to manage total care if it does not have data on substance use disorder data, a commenter encouraged SAMHSA to work with CMS on ways to effectively manage substance use disorder care within the administration of the ACO program. One commenter suggested that SAMHSA work with federal agencies, states, localities, and providers to identify the cost/burden of the rule on entities and professionals. The commenter also recommended that SAMHSA work with the CMS and the Office of the National Coordinator for Health Information Technology (ONC) to align the rule with guidance permitting the HITECH enhanced funding for administrative costs to other providers.

SAMHSA Response

SAMHSA will continue to work with CMS and its other federal partners to ensure the effective and timely implementation of the part 2 final rule.

Public Comments

Because a state provides health care, including federally funded substance use disorder treatment programs, to inmates in the state jail system, a commenter stated that the part 2 regulations impact the methods by which care is coordinated for inmates and urged SAMHSA to consider part 2's impact on incarcerated populations.

SAMHSA Response

SAMHSA considered how the regulations would impact part 2 programs and lawful holders of patient identifying information, as well as other stakeholders. All part 2 programs and other lawful holders of patient identifying information must comply with part 2. If a jail or prison meets the definition of a part 2 program, it would be required to comply with part 2.

Public Comments

One commenter stated that there should be an option for the patient to have the ability to remove their substance use disorder history from their medical record after a ten-year minimum time period.

SAMHSA Response

Although SAMHSA is not prescribing any specific retention period, the expectation is the both paper and electronic records would comply with applicable federal, state, and local retention laws.

Public Comments

A commenter requested that SAMHSA provide a description of 42 CFR part 2-covered entities similar to the designation under HIPAA.

SAMHSA Response

SAMHSA may address applicability in subregulatory guidance or in subsequent rulemaking.

VI. Rulemaking Analyses

A. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the FR and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. We provided for this comment period as part of the NPRM. The part 2 information collections are approved under OMB Control No. 0930-0092, and SAMHSA will shortly submit the changes associated with this rule to OMB for review.

This rule includes changes to information collection requirements, that is, reporting, recordkeeping or third-party disclosure requirements, as defined under the PRA (5 CFR part 1320). Some of the provisions involve changes from the information collections set out in the previous regulations. Information collection requirements are: (1) Section 2.13(d)—Disclosure: Requires entities named by patients using general designation under § 2.31(a)(4)(iv)(C) to provide a list of entities to which the patient's information has been disclosed to participants pursuant to the general designation, (2) Section 2.22—Disclosure: Requires each program notify each patient that federal law and regulations protect the confidentiality of substance use disorder patient records and provide a written summary of the effect of this law and these regulations, (3) Section 2.51—Recordkeeping: This provision requires the program to document a disclosure of a patient record to authorized medical personnel in a bona fide medical emergency as defined in § 2.51. The regulation is silent on retention period for keeping these records as this will vary according to state laws. It is expected that these records will be kept as part of the patients' health records. The major change from current (1987) regulations is the list of disclosures requirement at Section 2.13(d). SAMHSA proposed that entities named on a consent form that disclose patient identifying information to their participants under the general designation must provide patients, upon request, a list of entities to which their information has been disclosed pursuant to a general designation (i.e., list of disclosures). Impact of this provision is noted below. SAMHSA notes that entities are not required to use the general designation permitted under § 2.31(a)(4)(iii)(B)(3)(i).

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered in rulemaking. The NPRM solicited comments on PRA issues. Commenters did not raise concerns regarding the burden for information collection requirements for the recordkeeping and notification provisions above. Though commenters expressed concern about some aspects of the list of disclosures requirements, these comments did not suggest that the burden of information collection would increase for 42 CFR part 2-compliant entities. Indeed, one commenter noted that current practice for many facilities to maintain both paper and electronic records may be both burdensome and inefficient. By promoting use of EHRs, changes in this rule may help to improve efficiency for providers. Some commenters also hypothesized that complying with the list of disclosures requirement would require such steps as developing a tracking system; or manual review or audit of all records; and mailing of letters through U.S. mail. Entities should already be collecting and retaining information needed to comply with the list of disclosures requirement. The final rule does not impose requirements to manually review all records, mail letters using the U.S. Postal Service or develop a tracking system specifically to comply with the list of disclosures provisions. For instance, we note below that entities could comply with the List of Disclosures requirement by either collecting this information electronically by using audit logs to obtain the required information or by keeping a paper record. Similarly, we point out that list of disclosures may be transmitted through such methods as mail or email or through other means preferred by the patient. We discuss the list of disclosures requirements further in the impact analysis section below.

Annual burden estimates for these requirements are summarized in the table below:

Table 2—Annual Burden Estimates

42 CFR 2.13 (d)42 CFR 2.2242 CFR 2.51
Annual number of respondents Responses per respondent Total responses Hours per response Total hour burden Hourly wage cost Total cost
Disclosures
19,548 1 19,548 4.15 81,124 $36.9175 $2,995,000
12,034 155 1,861,693 .20 372,338.6 40.26 14,990,000
Recordkeeping
12,034 2 24,068 .167 4,019 34.16 137,000
Total 31,582 1,905,309 457,482 18,123,000
The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based the total number of annual treatment admissions from SAMHSA's 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests equal the average of the total number of requests for a 0.1 percent request rate and a 2 percent request rate. SAMHSA notes that this estimate reflects the number of patient requests rather than the number of impacted entities as some entities may receive more than one request.
The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3 hours for entities that produce such a list from paper records. Because 90 percent of entities are estimated to collect the information electronically using an audit log and 10 percent are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 × 4 hours) + (0.1 × 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).
The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071, 31-9092) [ www.bls.gov/oes/ ]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
The number of publicly funded alcohol and drug facilities based on SAMHSA's 2013 National Survey of Substance Abuse Treatment Services (N-SSATS). The estimated annual number of respondents, 12,034, is based on N-SSATS data and reflects facilities receiving federal funding. However, under N-SSATS an organization may complete survey responses for multiple facilities.
The average number of annual treatment admissions from SAMHSA's 2010-2012 TEDS.
Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code (21-1011) [ www.bls.gov/oes/ ]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code (43-0000) [ www.bls.gov/oes/ ]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.
The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of disclosures.

As described in greater detail in Section VI.B, Regulatory Impact Analysis, the respondents for the collection of information under § 2.22 and 2.51 are publicly (federal, state, or local) funded, assisted, or regulated substance use disorder treatment programs. The estimate of the number of such programs (respondents) is based on the results of the 2013 N-SSATS, and the average number of annual total responses is based on 2010-2012 information on patient admissions reported to the Treatment Episode Data Set (TEDS), approved under OMB Control No. 0930-0106 and OMB Control No. 0930-0335.

The respondents for the collection of information under § 2.13(d) are entities named on the consent form that disclose information to their participants pursuant to the general designation. These entities primarily would be organizations that facilitate the exchange of health information (e.g., HIEs) or coordinate care (e.g., ACOs, CCOs, and CPCMHs), but other organizations, such as research institutions, also may disclose patient identifying information to their participants (e.g., clinical researchers) pursuant to the general designation on the consent form. Because there are no definitive data sources for this potential range of organizations, we are not associating requests for a list of disclosures with any particular type of organization. Consequently, the number of organizations that must respond to list of disclosures requests is based on the total number of requests each year.

B. Regulatory Impact Analysis

1. Public Comments on Notice of Proposed Rulemaking Regulatory Impact Analysis

a. Support for Cost Estimates

Public Comments

SAMHSA received roughly 376 comments on the proposed rule. However, relatively few comments focused on the Regulatory Impact Analysis. We respond to these comments below and have made changes in our analysis, when appropriate, to reflect these comments.

A few commenters suggested that the estimated costs outlined by SAMHSA in the proposed rule are in line with actual costs. For instance, one commenter suggested that the estimated total cost of $239 million over 10 years would not be unduly burdensome and would improve patient care and safety. A commenter stated that costs would be minimal for integrating the requirement properly to sanitize and dispose of records into training and instruction. Another commenter stated that the costs related to modifying release forms and training staff would be absorbed by organizations and would not impact business processes. Explaining that in order to reflect the revision in title of 42 CFR part 2, a modification of the printed and on-line versions of applicable CFR Titles would be necessary, a commenter concluded that because of regular updates to CFRs, the incorporation of amendments made as part of this rule should not result in a significant economic impact.

SAMHSA Response

SAMHSA acknowledges and appreciates the comments received that expressed support for the cost estimates in the NPRM. Though SAMSHA does not attempt in this rule to quantify benefits, it is important to note that updates to 42 CFR part 2 may result in long-term cost savings as well due to improved care coordination and integration and more efficient use of data for research and performance improvement purposes.

b. Assertions That SAMHSA Underestimated Costs

Public Comments

Some commenters generally asserted that the compliance and implementation costs were underestimated. One commenter suggested that cost effectiveness of complying with the proposed regulation will impact members and patients because of the additional costs associated with implementation (e.g., outreach and education, changes to consent forms), which undermines care coordination and effective delivery of services. Another commenter suggested that the projected costs of complying with part 2 should include costs for other institutions that are affected with re-disclosure of the provision; costs to individual practitioners or health organizations with few clinicians that fall under part 2; vendor-related costs; costs for software development and upgrades should be added to the costs of electronic record purchase and maintenance; cost to HIE; and costs to hire administrative staff.

A few commenters suggested that the estimated $8,000 cost per facility to implement consent management was too low, failing to reflect fully development, testing and process costs. One commenter suggested that the estimated $8,000 cost per facility to implement consent management likely does not consider vendor-related costs such as development, testing, training, adoption and process modifications that may need to occur, only the cost of the infrastructure investment. Commenters urged SAMHSA and federal partners to consider funding HIT adoption by behavioral health providers. Another commenter stated that the proposed rule underestimated the cost of scaling efforts to integrate DS4P and Consent2Share, including upgrades and iterations across EHR products. Commenters also suggested SAMHSA modify its DS4P efforts to reflect updated 42 CFR part 2 requirements. Lastly, a commenter suggested that the estimate of $8,000 to comply with the proposal underestimates the costs for existing pharmacy management systems to add new functionality and applications and does not include other software or security requirements, training, or other implementation costs associated with the proposed rule. Another commenter generally suggested that the estimated cost burden of transitioning to a new consent form will be greater than proposed in the proposed rule.

Several commenters mentioned other specific areas in which SAMHSA underestimated costs. One commenter suggested that the costs estimated related to EHR customizations are underestimated because there is no current standard interoperability within EHRs that address part 2 information. Another commenter also shared their own experience in which they estimated a cost of $30,000 to comply with 42 CFR part 2 when including 2 substance use specialists as part of an integrated treatment model using an electronic health record. This commenter asserted based on their own experience that if small entities attempt to develop integrated substance use disorder treatment programs they may face similar costs, including information technology time and efforts to modify EHRs to include restrictions on sharing of 42 CFR part 2 information in an integrated setting prohibitive. Another commenter stated that time, resources and training would be required to implement proposed changes to §§ 2.12, 2.31, and 2.32, and that personnel and financial constraints are common within the health care industry. The commenter estimated that the ability to adapt currently used electronic health records to segregate certain patient information will also take considerable effort and time. A commenter stated that the proposed cost analysis associated with staff training is inaccurate because it assumes that only substance use disorder counselors would need training when, in actuality, other fields would also need to be trained because they could potentially become lawful holders of the patient information (e.g., social work, psychology, medicine, managed care, HIE, research organizations). The commenter added that additional work will be needed to redact patient records to be in compliance with the data sharing elements related to information that could identify a patient as a substantive abuse disorder patient. A commenter stated that the cost to organizations to comply with the requirement for U.S. mail transmissions will be significant.

SAMHSA Response

Though commenters suggested anecdotally that SAMHSA underestimated the burden of 42 CFR part 2-compliance, SAMHSA notes the availability of data segmentation tools such as Consent2Share, an open source tool for consent management that is compliant with 42 CFR part 2. As noted above (in Section V.J.1.c), SAMHSA will be shortly releasing an updated version of Consent2Share with improved functionality and ability to meet the list of disclosures requirements. Provided that a facility already is using electronic health records and can partner with a health information exchange using Consent2Share or similar software, SAMHSA believes based on current efforts to pilot an updated version of Consent2Share that a cost of between $6,000 and $10,000 is reasonable. At the individual clinic level, initial set-up, training and testing are expected to constitute the main expenses. D4SP, Consent2Share, and similar tools make it feasible for entities to comply with updated 42 CFR part 2 requirements at reasonable cost.

While we acknowledge comments that entities other than those directly subject to this rule may be impacted by its provisions, including vendors of EHR products, such impacts are outside the scope of the regulation. We do not mandate vendors to perform additional activities. Nonetheless, SAMHSA will monitor such impacts and, to the extent feasible, work with stakeholders and federal partners to develop fact sheets and other materials to assist in outreach to patients and others about changes made in this rule. Likewise, while SAMHSA is unable to directly fund updates to EHRs, SAMHSA continues to work closely with ONC and others to ensure inclusion of behavioral health providers in ongoing information technology programs (See http://www.samhsa.gov/health-information-technology/samhsas-efforts ; https://www.healthit.gov/policy-researchers-implementers/behavioral-health ).

We acknowledge that the cost of updating consent forms may be greater than we had proposed and have made changes to our cost estimates in this final rule to reflect the need to update forms to meet new requirements. We note that most of these costs may only need to be incurred once and in the past some organizations have made sample template forms and materials available (See e.g., http://lac.org/resources/substance-use-resources/confidentiality-resources/sample-forms-confidentiality/ ). SAMHSA may, at a future time, develop sample templates and forms to ease compliance costs.

c. Other Comments on Costs

Public Comments

Some commenters said existing functionalities within EHR systems and consent management tools do not easily separate or redact substance use disorder information from general medical information when such systems are shared across an integrated health system. Similarly, commenters expressed concern that the proposed rule could have the opposite effect of its intended purpose by causing HIEs to exclude part 2 information from information exchanges entirely since most HIEs and EHRs today do not support data segmentation. Asserting that the proposed part 2 changes would require HIEs to create an architecture for data management that provides for the segmentation of substance use disorder and general behavioral health data from physical health care data, including a way to have consent operate differently in each of the environments, one commenter asserted that this is a costly challenging administrative burden that does nothing to promote the sharing of information between all necessary providers for the integration of coordination of care.

A commenter suggested that the financial burden of the proposed rule would vary depending on the size or complexity of the covered entity.

Another commenter asserted that the rule should not be adopted because it would result in increased health care costs. The commenter stated that SAMHSA is not able to estimate additional costs that are likely to occur when adding sensitive substantive abuse disorder treatment information of patients to electronic health information systems without patient consent (e.g., additional security, costs related to breaches, class action lawsuits for breached information, and loss of business due to breaches). The commenter concluded that, because these costs do not provide additional substance use disorder or health care services, and instead remove dollars from health care services, the proposed rule is in conflict with SAMHSA's proposed goal of reducing unnecessary health care costs.

SAMHSA Response

SAMHSA agrees that costs may vary based on an institution's size, complexity and patient population served. However, we anticipate that over time compliance costs will drop significantly as institutions implement initial compliance efforts. SAMHSA notes that EHRs already are widely used in many health care settings with no evidence of class action lawsuits, loss of business or other speculative impacts (see e.g., http://dashboard.healthit.gov/quickstats/quickstats.php ). Though SAMHSA is concerned about health care costs, the use of EHRs is likely both to improve care and reduce costs over time. Changes made in this rule will help to support EHR adoption and integration of care. Though in general EHR adoption among behavioral health providers lags behind that of other health care providers, forthcoming N-SSATS data reflect that more than 25 percent of surveyed substance use disorder treatment facilities used EHRs only and more than half use EHRs and paper-based records. Such growing adoption by substance use disorder treatment facilities reflects that EHR use is consistent with good quality of care and 42 CFR part 2 compliance.

2. Statement of Need

This final rule reflects changes in the health care system and behavioral health, such as the increasing use of electronic health records and drive toward greater integration of physical and behavioral health care. Despite efforts to enhance integration and coordination of care, however, it remains important to ensure persons seeking treatment for substance use disorders can remain confident as to the safeguarding of their medical information. This rule updates 42 CFR part 2 to balance these important needs.

3. Overall Impact

SAMHSA examined the impacts of this final rule as required by Executive Order 12866 on Regulatory Planning and Review (September 30, 1993), Executive Order 13563 on Improving Regulation and Regulatory Review (January 18, 2011), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96-354), Section 1102(b) of the Social Security Act, section 202 of the Unfunded Mandates Reform Act of 1995 (March 22, 1995; Pub. L. 104-4), Executive Order 13132 on Federalism (August 4, 1999) and the Congressional Review Act (5 U.S.C. 804(2)). Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action that is likely to result in a rule: (1) Having an annual effect on the economy of $100 million or more in any one year, or adversely and materially affecting a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local or tribal governments or communities (also referred to as “economically significant”); (2) creating a serious inconsistency or otherwise interfering with an action taken or planned by another agency; (3) materially altering the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raising novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

A regulatory impact analysis must be prepared for major rules with economically significant effects ($100 million or more in any one year). This rule does not reach the economic threshold and thus is not considered to be an economically significant rule. However, because this rule raises novel policy issues arising out of legal mandates, the rule is considered “a significant regulatory action,” this regulatory impact analysis has been prepared, and the rule has been reviewed by OMB.

When estimating the total costs associated with changes to the 42 CFR part 2 regulations, we assumed five sets of costs: updates to health IT systems costs, costs for staff training and updates to training curriculum, costs to update patient consent forms, costs associated with providing patients a list of entities to which their information has been disclosed pursuant to a general designation on the consent form (i.e., the List of Disclosures requirement), and implementation costs associated with the List of Disclosures requirements. We assumed that costs associated with modifications to existing health IT systems, staff training costs associated with updating staff training materials, and costs to update consent forms would be one-time costs the first year the final rule is in effect and would not carry forward into future years. Staff training costs other than those associated with updating training materials were assumed to be ongoing annual costs to part 2 programs, also beginning in the first year that the final rule is in effect. The List of Disclosures costs were assumed to be ongoing annual costs to entities named on a consent form that disclose patient identifying information to their participants under the general designation. In the NPRM, SAMHSA proposed to require non-treating providers to implement the List of Disclosures requirement at any time, but they cannot use the general designation without being able to provide a List of Disclosures. Therefore, we assumed that starting in year 1 ten percent of entities would decide to implement each year, resulting in 100 percent of entities implementing by year 10. We note that it is possible that some entities will never implement this requirement and choose to forego use of the general designation.

We estimated, therefore, that in the first year that the final rule is in effect, the total costs associated with updates to 42 CFR part 2 will be about $70,691,000. In year two, we estimate that costs will be roughly $17,680,000 and increase annually as a larger share of entities implement List of Disclosures requirements and respond to disclosure requests. Over the 10-year period of 2016-2025, the total undiscounted cost of the part 2 changes will be about $241 million in 2016 dollars. When future costs are discounted at 3 percent or 7 percent per year, the total costs become approximately $217,586,000 or $193,098,000, respectively. These costs are presented in the tables below.

Table 3—Total Cost of 42 CFR Part 2 Revisions

[Note: Numbers may not add due to rounding]

[Note that all costs presented in this analysis are rounded to avoid communicating inaccurate levels of precision]

Year Staff training costs Consent form updates List of disclosures Health IT costs Total costs
[2016 dollars]
(A) (B) (C) (D) (E)
2016 $15,521,000 $2,104,000 $4,930,000 $48,136,000 $70,691,000
2017 12,438,000 0 5,242,000 0 17,680,000
2018 12,438,000 0 5,554,000 0 17,992,000
2019 12,438,000 0 5,866,000 0 18,304,000
2020 12,438,000 0 6,178,000 0 18,616,000
2021 12,438,000 0 6,490,000 0 18,928,000
2022 12,438,000 0 6,802,000 0 19,240,000
2023 12,438,000 0 7,114,000 0 19,552,000
2024 12,438,000 0 7,426,000 0 19,864,000
2025 12,438,000 0 7,738,000 0 20,176,000
Total 127,463,000 2,104,000 63,338,000 48,136,000 241,040,000

Table 4—Total Cost of 42 CFR Part 2 Revisions—Annual Discounting

[Note: Numbers may not add due to rounding]

Year Total costs Total with 3% annual discounting Total with 7% annual discounting
[2016 dollars]
(E) (F) (G)
2016 $70,691,000 $70,691,000 $70,691,000
2017 17,680,000 17,165,000 16,523,000
2018 17,992,000 16,959,000 15,715,000
2019 18,304,000 16,751,000 14,941,000
2020 18,616,000 16,540,000 14,202,000
2021 18,928,000 16,327,000 13,495,000
2022 19,240,000 16,113,000 12,820,000
2023 19,552,000 15,897,000 12,176,000
2024 19,864,000 15,681,000 11,561,000
2025 20,176,000 15,463,000 10,974,200
Total 241,040,000 217,586,000 193,098,000
Annualized 25,507,717.01 27,492,811.02
Note: Numbers may not add due to rounding.

The costs associated with the proposed revisions stem from staff training and updates to training curriculum, updates to patient consent forms, compliance with the List of Disclosures requirement (including implementation costs), and updates to health IT infrastructure for information exchange. Based on data from the 2013 N-SSATS, we estimated that 12,034 hospitals, outpatient treatment centers, and residential treatment facilities are covered by part 2. N-SSATS is an annual survey of U.S. substance use disorder treatment facilities. Data is collected on facility location, characteristics, and service utilization. Not all treatment providers included in N-SSATs are believed to be under the jurisdiction of the part 2 regulations. The 12,034 number is a subset of the 14,148 substance use disorder treatment facilities that responded to the 2013 N-SSATS, and includes all federally operated facilities, facilities that reported receiving public funding other than Medicare and Medicaid, facilities that reported accepting Medicare, Medicaid, TRICARE, and/or Access to Recovery (ATR) voucher payments, or were SAMHSA-certified Opioid Treatment Programs. If a facility did not have at least one of these conditions, it was interpreted not to have received any federal funding and, therefore, not included in the estimate. The estimated annual number of respondents, 12,034, is based on N-SSATS data and reflects facilities receiving federal funding. However, under N-SSATS an organization may complete survey responses for multiple facilities it oversees. Thus, an organization with three facilities may complete three separate surveys.

If an independently practicing clinician does not meet the requirements of paragraph (1) of the definition of Program they may be subject to 42 CFR part 2 if they constitute an identified unit within a general medical facility which holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment or if their primary function in the facility or practice is the provision of such services and they are identified as providing such services. Due to data limitations, it was not possible to estimate the costs for independently practicing providers covered by part 2 that did not participate in the 2013 N-SSATS. For example, data from American Board of Addiction Medicine (ABAM) provides the number of physicians since 2000 who have active ABAM certification. However, there is no source for the number of physicians who have not participated in the ABAM certification process. In addition, it is not possible to determine which ABAM-certified physicians practice in a general medical setting rather than in a specialty treatment facility that was already counted in the N-SSATS data.

Several provisions in the NPRM referenced “other lawful holders of patient identifying information” in combination with part 2 programs. These other lawful holders must comply with part 2 requirements with respect to information they maintain that is covered by part 2 regulations. However, because this group could encompass a wide range of organizations, depending on whether they received part 2 data via patient consent or as a result of one of the limited exceptions to the consent requirement specified in the regulations, we are unable to include estimates regarding the number and type of these organizations and only included part 2 programs in this analysis.

In addition to the part 2 programs described above, SAMHSA proposed that entities named on a consent form that disclose patient identifying information to their participants under the general designation must provide patients, upon request, a list of entities to which their information has been disclosed pursuant to a general designation (i.e., list of disclosures). These entities primarily would include organizations that facilitate the exchange of health information (e.g., HIEs), and may also include organizations responsible for care coordination (e.g., ACOs, CCOs, and CPCMHs). The most recent estimates of these types of entities are 67 functional, publicly funded HIEs and 161 functional, privately funded HIEs in 2013.1 As of January 2015, there were an estimated 744 ACOs covering approximately 23.5 million individuals.2 Finally, the National Committee for Quality Assurance (NCQA) recently noted that there are now more than 10,000 NCQA-recognized CPCMHs.3 While these types of organizations were the primary focus of this provision on the consent form, other types of entities, such as research institutions, may also disclose patient identifying information to their participants (e.g., clinical researchers) pursuant to the general designation on the consent form. Because there are no definitive data sources for this potential range of organizations, we are not associating requests for lists of disclosures with any particular type of organization. We, instead, estimate the number of organizations that must respond to list of disclosures requests based on the total number of requests each year.

a. Direct Costs of Implementing the Proposed Regulations

There is no known baseline estimate of the current costs associated with 42 CFR part 2-compliance. However, as reflected by commenters who requested alignment between HIPAA and 42 CFR part 2, HIPAA authorization and notification requirements have similarities to requirements of 42 CFR part 2 (see http://www.hhs.gov/hipaa/for-professionals/privacy/index.html ). Instead, therefore, in the absence of data and studies specifically focused on compliance with 42 CFR part 2, SAMHSA has estimated these costs based on a range of published costs associated with HIPAA implementation and compliance.4 5

i. Staff Training

Because SAMHSA lacks specific data regarding the cost of staff training to comply with 42 CFR part 2, SAMHSA has examined analogous HIPAA implementation costs. A Standard HIPAA training that meets or exceeds the federal training requirements is, on average, one hour long.6 Therefore, we also estimated one hour of training per staff to achieve proficiency in the 42 CFR part 2 regulations. To estimate the labor costs associated with staff training, we averaged the average hourly costs for counseling staff in specialty treatment centers ($20.33 7), hospital treatment centers ($21.80 8), and solo practice offices ($24.67 [9] ). The resulting average wage rate was $22.27 per hour. In order to account for benefits and overhead costs associated with staff time, we multiplied the average hourly wage rate by two. These estimates were only for training costs associated with counseling staff, who we assume will have primary responsibility for executing the functions associated with the part 2 revisions.

It is important as well to note that many current staff already have familiarity with current (1987) 42 CFR part 2 requirements. With regard to training materials, most part 2 programs are assumed to already have training curricula in place that covers current (1987) 42 CFR part 2 regulations, and, therefore, these facilities would only need to update existing training materials rather than develop new materials. Part 2 entities may determine the content of this training. The American Hospital Association estimated that the costs for the development of Privacy and Confidentiality training, which would include the development of training materials and instructor labor costs, was $16 per employee training hour in 2000. [10] Because we assumed that part 2 programs would be updating existing rather than developing entirely new training materials, we estimated the cost of training development to be one-half of the cost of developing new materials, or $8 per employee. Adjusted for inflation, [11] training development costs in 2016 would be $11.04 per employee.

Using SAMHSA's 2010-2012 TEDS average annual number of treatment admissions (n=1,861,693) as an estimate of the annual number of patients at part 2 programs and calculated staffing numbers based on a range of counseling staff-to-client ratios (i.e., 1 to 10 [12] and 1 to 5 [13] ). Based on these assumptions, staff training costs associated with part 2 patient consent procedures were projected to range from $10.3 million to $20.7 million in 2016. We averaged the two estimated costs for staff training to determine the final overall estimate of $15,521,000. We assumed the costs associated with updating training materials will be a one-time cost. Therefore, in subsequent years, we assumed the costs associated with staff training would be a function of the average hourly wage rate (multiplied by two to account for benefits and overhead costs) and the estimated number of staff (developed based on the same two staff-to-client ratios described above multiplied by estimated patient counts). Staff training costs associated with part 2 revisions were projected to range from $8.3 million to $16.6 million after 2016. We averaged the two estimated costs for staff training to determine the final overall estimate of $12,438,000.

ii. Updates to Consent Forms

Updates to the 42 CFR part 2 regulations will need to be reflected in patient consent forms. As there is no literature to date on costs to update forms for 42 CFR part 2, we examined results from a 2008 study from the Mayo Clinic Health Care Systems[14] that reported actuarial costs for HIPAA implementation activities. These costs were about $1 per patient visit. Adjusted for inflation, costs associated with updating the patient consent forms in 2016 would be $1.13 per patient visit. We used the average number of substance abuse treatment admissions from SAMHSA's 2010-2012 TEDS as our estimate of the number of clients treated on an annual basis by part 2 facilities. The total cost burden associated with updating the consent forms to reflect to the updated 42 CFR part 2 regulations would be approximately $2,104,000 (1,861,693 * $1.13). [14]

iii. List of Disclosures Costs

The proposed part 2 regulations allow patients who have consented to disclose their identifying information using a general designation to request a list of entities to which their information has been disclosed pursuant to the general designation. Under this final rule, entities named on a consent form that disclose patient identifying information to their participants under the general designation will be required to provide a list of disclosures after receiving a patient request. Under the List of Disclosures requirements, a patient could make a request, for example, to an organization that facilitates the exchange of health information (e.g., an HIE) or an organization responsible for coordinating care (e.g., an ACO) for a list of disclosures that would include the name of the entity to whom each disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed, and include this information for all entities to whom the patient identifying information has been disclosed pursuant to the general designation in the past two years.

For purposes of the analysis, we assumed that entities disclosing patient identifying information to their participants pursuant to a patient's general designation on a consent form are already collecting the information necessary to comply with the List of Disclosures requirement, in some form, either electronically or using paper records. We also assumed that these entities could comply with the List of Disclosures requirement by either collecting this information electronically by using audit logs to obtain the required information or by keeping a paper record. However, to address possible concerns about technical feasibility and other implementation issues, SAMHSA finalizes its proposal that the List of Disclosures requirement may be implemented at any time, but non-treating providers cannot use the general designation without being able to provide a List of Disclosures to allow entities collecting this information time to review their operations and business processes and to decide whether technological solutions are needed to enable them to more efficiently comply with the requirement.

In order to make preliminary estimates of the implementation costs, we first estimated the number of potentially impacted entities based on the anticipated number of patient requests for a disclosure report in a calendar year. We used the average number of substance use disorder treatment admissions from SAMHSA's 2010-2012 TEDS (n = 1,861,693) as the number of patients treated annually by part 2 programs. We then used the average of a 0.1 and 2 percent patient request rate as our estimate of the number of impacted entities (n = 19,548).

From there, we assumed 10 percent of the impacted entities would use paper records to comply with the disclosure reporting requirements (n = 1,995) and would have minimal implementation costs. Among the remaining entities, many may be able to comply with the disclosure reporting requirements without developing or implementing new technologies. For entities that do choose to either update their existing capabilities or develop and implement new technologies to facilitate compliance, we assumed two sets of costs: (1) Planning and policy development costs and (2) system update costs. SAMHSA notes that the Office of the National Coordinator for Health Information Technology and other organizations are encouraging adoption of electronic health records to allow providers to access patient records remotely, improve communication with patients and other providers and reduce errors ( https://www.healthit.gov/providers-professionals/benefits-electronic-health-records-ehrs )). For these reasons, we believe that the trend toward adoption of electronic health records will continue.

Absent any data on the number of facilities that would require new technology or the type of technology to be implemented, we assumed that twenty-five percent (n = 4,398) of the remaining entities would choose to upgrade their existing health IT systems. The actual system upgrade costs will vary considerably based on the type of upgrades that are required. Some entities may only require minor system updates to streamline the reporting requirements, while others may choose to implement an entirely new system. Given these data limitations, we assumed an average, per-entity cost, of $2,500 for planning development costs and an average, per-entity cost, of $8,000 for system upgrades for a total cost of $10,500. We assume that ten percent of entities will implement each year, resulting in 100 percent of the 4,398 entities having implemented the system planning and upgrades by year 10. The implementation costs for List of Disclosures reporting compliance in year 1, and each year thereafter, are estimated to be approximately $4,618,000 ([4,398*0.10] * [8,000+2,500]). We acknowledge that without better data on the number of facilities that may require new technology and the number of facilities that would use the general designation and therefore be required to comply with the list of disclosures requirement, this approach may overestimate or underestimate the costs.

As entities begin to comply with the disclosure reporting requirements, we assumed that the majority of the costs associated with the List of Disclosures requirement would primarily come from staff time needed to prepare a list of disclosures upon a patient's request. We also assumed that the information would need to be converted to a format that is accessible to patients.

For those entities with a health IT system, we expected that disclosure information would be available in the system's audit log. We also assumed that, unless the audit log has some sort of electronic filtering system, it would contain information above and beyond the requirements for complying with a request for a list of disclosures. We had also assumed that the staff accessing and filtering an audit log to compile the information for lists of disclosures would be health information technicians. The average hourly rate for health information technicians is $19.44 an hour. [15] In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two. Absent any existing information on the amount of time associated with producing a list of disclosures from an audit log, we assumed it would take a health information technician half a day (or 4 hours) on average, to produce the list from an audit log.

For entities using paper records to track disclosures, we expected that a staff member would need to gather and aggregate the requested list of disclosures from paper records. We assumed medical record technicians would be the staff with the primary responsibility for compiling the information for a list of disclosures. The average hourly rate for medical record technicians is $19.44 an hour an hour. [16] In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two. Absent any existing information on the amount of time associated with producing a list of disclosures from paper records, we assumed it would take a medical record technician 3 hours, on average, to produce the list from paper records. [17]

The number of requests for a list of disclosures will determine the overall burden associated with the List of Disclosures reporting requirements. However, because this is a new requirement, there were no data on which to base an estimated number of requests per year. We expected that the rate of requests will be relatively low. We therefore calculated the total costs for two rates, 0.1 percent and 2 percent of patients per year.

We used the average number of substance use disorder treatment admissions from SAMHSA's 2010-2012 TEDS as the number of patients treated annually by part 2 programs. Assuming that 10 percent of patients making requests (n = 186.17 to n = 3,723.39) would request a list of disclosures from entities that track disclosures through paper records and 90 percent of patients making requests (n = 1,675.52 to n = 33,510.47) would make such a request of entities that track disclosures through health IT audit logs, the estimated costs to develop lists of disclosures range from roughly $21,700 to $434,300 for entities using paper records, and $261,000 to $5,212,000 for entities using audit logs. (These ranges reflect the costs based on the two estimated patient rates of request referenced above (i.e., 0.1 percent and 2 percent of patients per year)).

Once a list of disclosures has been produced, it can be returned to the patient either by email or mail. Since the method of sending the list of disclosures depends on patient preference, we assumed that 50 percent of the lists of disclosures would be sent by email and 50 percent by first-class mail. We assumed that mailing and supply costs related to list of disclosures notifications were $0.10 supply cost per notification and $0.49 postage cost per mailing. We also estimated that it would take an administrative staff member 15 minutes to prepare each list of disclosures for mailing and/or transmitting, and that staff preparing the letters earn $15.34 [18] per hour. In order to account for benefits and overhead costs associated with staff time, we multiplied the hourly wage rate by two. The estimated costs for list of disclosures notifications range from approximately $7,700 to $154,000 for notifications sent by first-class mail, and $7,140 to $143,000 for notifications sent by email.

To produce the final overall cost estimate, we took the average of the minimum and maximum estimated costs to develop lists of disclosures by entities collecting the information electronically by using an audit log, and the average of the minimum and maximum estimated costs to develop lists of disclosures by entities using paper records. We then added the averages together to produce our estimate of the total cost to entities to develop lists of disclosures. Next we took the average of the minimum and maximum estimated costs for list of disclosures notifications sent via email and the minimum and maximum estimated costs for such notifications sent via first-class mail. We then added these two averages together to produce our estimate of the total cost to entities for list of disclosures notifications. Finally, the development and notification costs for these lists of disclosures were added together for the final estimate of costs associated with complying with List of Disclosures reporting requirements. The total cost for List of Disclosures reporting compliance across all entities was roughly $3,120,000 in 2016 dollars. Complying with List of Disclosures requirements is assumed to be an ongoing, annual activity for entities that have completed the system upgrade and comply with the disclosure requirements. Since we assume 10 percent of entities begin to comply with the requirements each year, year 1 reporting compliance costs is roughly $312,000 (3,120,000*0.10) and $624,000 (3,120, 000*0.20) in year 2, and continues to increase each year until year 10 all entities are complying and have annual compliance costs of $3,120,000

Table 5—Total Estimated Disclosure Reporting Costs in 2018

[Note: Numbers may not add due to rounding]

Minimum estimated cost Maximum estimated cost Average estimated cost
Facilities with a Health IT System $261,000 $5,212,000 $2,736,000
Facilities without a Health IT System 21,700 434,300 228,000
Total Costs 2,964,000
Average Number of Facilities 19,548

Table 6—Total Estimated Disclosure Notification Costs in 2018

[Note: Numbers may not add due to rounding]

Minimum estimated cost Maximum estimated cost Average estimated cost
Email Notification $7,100 $143,000 $75,000
First Class Mail Notification 7,700 154,000 81,000
Total Costs 156,000

iv. IT Updates

SAMHSA, in collaboration with ONC and federal and community stakeholders, has developed Consent2Share which is an open source tool for consent management and data segmentation that is designed to integrate with existing EHR and HIE systems. SAMHSA plans to release shortly an updated version of Consent2Share with improved functionality and ability to meet list of disclosures requirements.

The Consent2Share architecture has a front-end, patient facing system known as Patient Consent Management and a backend control system known as Access Control Services. Communications with EHR vendors indicated that the cost to facilities of purchasing and installing additional functionality to existing electronic medical records applications, such as Consent2Share, typically range from $2,500 to $5,000. Because the add-on systems for part 2 programs may be more complex than standard patient monitoring systems, we estimated that the cost of adding the new functionality would be approximately $8,000 per facility. We also assumed that this would be a one-time expense, rather than a recurring cost, for each provider. SAMHSA acknowledges that there may be fluctuation in costs among affected entities from the average cost. However, though costs could possibly be higher for some entities, information shared by commenters was largely anecdotal and it is unclear how such data could be broadly extrapolated to a wide range of entities.

Furthermore, national estimates indicated that no more than 50 percent of substance use disorder treatment facilities have an operational “computerized administrative information system.” [19] We, therefore, estimated that only half of the 12,034 part 2 programs (i.e., 6,017 facilities) would have operational health IT systems that would require modifications to account for the changes to 42 CFR part 2. With 6,017 part 2 programs with operational information systems, we estimated that each facility would need to spend $8,000 to modify their health IT system, which would lead to a total burden for updating health IT systems of $48.1 million. Updating health IT systems would be a one-time cost, and maintenance costs should be part of general health IT maintenance costs in later years. The final rule does not require that part 2 programs adopt health IT systems so there are no health IT costs associated with substance use disorder treatment facilities that continue to use paper records.

C. Regulatory Flexibility Act (RFA)

The RFA requires agencies to analyze options for regulatory relief of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. Most hospitals and most other providers are small entities, either by nonprofit status or by having revenues of less than $7.5 million to $38.5 million in any one year. Individuals and states are not included in the definition of a small entity. We are not preparing an analysis for the RFA because we have determined, and the Secretary certifies, that this final rule will not have a significant economic impact on a substantial number of small entities. While the changes in the regulations will apply to all part 2 programs, the impact on these entities would be quite small. Specifically, as described in the Overall Impact section, the cost to part 2 programs associated with updates to 42 CFR part 2 in the first year that the final rule is in effect will be $76.1 million, a figure that due to a number of one-time updates, is the highest for any of the 10 years estimated. The per-entity economic impact in the first year will be approximately $6,300 ($76,100,000 ÷ 12,034), a figure that is unlikely to represent 3 percent of revenues for 5 percent of impacted small entities. Consequently, it has been determined that the final rule will not have a significant economic impact on small entities.

In addition, Section 1102(b) of the Act requires us to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of Section 603 of the RFA. For purposes of Section 1102(b) of the Act, we defined a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area for Medicare payment regulations and has fewer than 100 beds. We are not preparing an analysis for Section 1102(b) of the Act because we have determined, and the Secretary certifies, that this final rule will not have a significant impact on the operations of a substantial number of small rural hospitals.

D. Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending in any one year of $100 million in 1995 dollars, updated annually for inflation. In 2016, that threshold is approximately $146 million. This rule will have no consequential effect on state, local, or tribal governments or on the private sector.

E. Federalism (Executive Order 13132)

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has Federalism implications. Since this rule does not impose any costs on state or local governments, the requirements of Executive Order 13132 are not applicable.

SAMHSA is modernizing 42 CFR part 2. With respect to our revisions to the part 2 regulations, we do not believe that this final rule will have a significant impact as it gives more flexibility to individuals and entities covered by 42 CFR part 2 but also adds privacy protections within the consent requirements for the patient. We are revising the part 2 regulations in response to concerns that 42 CFR part 2 was outdated and burdensome.

Executive Order 13132 on Federalism (August 4, 1999) establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has Federalism implications. We have reviewed this final rule under the threshold criteria of Executive Order 13132, Federalism, and have determined that it will not have substantial direct effects on the rights, roles, and responsibilities of states, local or tribal governments.

Conclusion

SAMHSA is enacting changes to modernize 42 CFR part 2. With respect to our revisions to the regulations, we do not believe that this final rule will have a significant impact as it gives more flexibility to individuals and entities covered by 42 CFR part 2 but also increases privacy protections within the consent requirements and adds an additional confidentiality safeguard for patients. This final rule does not reach the threshold for requiring a regulatory impact analysis by Executive Orders 12866 and 13563 and thus is not considered an economically significant rule. This rule will not have a significant economic impact on a substantial number of small entities. This rule will not have a significant impact on the operations of a substantial number of small rural hospitals. Since this rule does not impose any costs on state or local governments, the requirements of Executive Order 13132 on federalism are not applicable.

Footnotes

1. Trends in Health Information Exchanges (Trends in Health Information Exchanges) https://innovations.ahrq.gov/perspectives/trends-health-information-exchanges#3.

2. Muhlestein, D. (2015). Growth and Dispersion of Accountable Care Organizations in 2015. Health Affairs Blog, 19.

3. National Committee for Quality Assurance. A Victory Lap . . . For Patients. Blog, May 15, 2015. http://blog.ncqa.org/a-victory-lap-for-patients/ .

4. Kilbridge, P. (2003). The cost of HIPAA compliance. New England Journal of Medicine, 348(15), 1423-1477.

5. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs and patient perceptions of privacy safeguards at Mayo Clinic. Joint Commission Journal on Quality and Patient Safety, 34 (1), 27-35.

6. 65 FR 82462, 82770 (Dec. 28, 2000) (Standards for Privacy of Individually Identifiable Health Information).

7. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed May 2, 2015] Outpatient Mental Health and Substance Abuse Centers (NAICS code 621420), Standard Occupations Classification code (211011) [ www.bls.gov/oes/ ].

8. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed May 2, 2014] Psychiatric and Substance Abuse Hospitals (NAICS code 622200), Standard Occupations Classification code (211011) [ www.bls.gov/oes/ ].

9. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed September 23, 2014] Offices of Mental Health Practitioners (except Physicians) (NAICS code 621330), Standard Occupations Classification code (211011) [ www.bls.gov/oes/ ].

10. These estimates are not HHS estimates nor are they HHS-endorsed cost estimates of HIPAA implementation and compliance.

11. Calculated using the Consumer Price Index.

12. North Carolina NC Administrative Code [accessed September 23, 2014]. [ http://reports.oah.state.nc.us/ncac/title%2010a%20-%20health%20and%20human%20services/chapter%2013%20-%20nc%20medical%20care%20commission/subchapter%20b/10a%20ncac%2013b%20.5203.pdf .]

13. Commonwealth of Pennsylvania—Department of Health Staffing Requirements for Drug and Alcohol Treatment Activities [accessed September 23, 2014]. [ http://www.pacode.com/secure/data/028/chapter704/s704.12.html .]

14. Williams, A.R., Herman, D.C., Moriarty, J.P., Beebe, T.J., Bruggeman, S.K., Klavetter, E.W. & Bartz, J.K. (2008). HIPAA costs and patient perceptions of privacy safeguards at Mayo Clinic. Joint Commission Journal on Quality and Patient Safety, 34 (1), 27-35.

15. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, Standard Occupations Classification code (29-2071) [ www.bls.gov/oes/ ].

16. IBID.

17. For facilities that maintain paper records, consent forms would indicate who has been given access to the record. By contrast, our understanding of health IT audit logs is that they include a record of all instances in which a record has been accessed. The audit log will include a record of who accessed the system, the date the record was accessed, and what operations were performed. The audit logs, therefore, will include considerably more data than what we would anticipate finding in paper records. Unless the audit log has an electronic filtering system, we are assuming that a health information technician will need to manually review all records in an audit log in order to compile the necessary information for a list of disclosures.

18. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics, [accessed June 3, 2015], Standard Occupations Classification code (31-9092) [ www.bls.gov/oes/ ].

19. McLellan, A.T., Kathleen Meyers, K., Contemporary addiction treatment: A review of systems problems for adults and adolescents, Biological Psychiatry, Volume 56, Issue 10, 15 November 2004, Pages 764-770, ISSN 0006-3223, http://dx.doi.org/10.1016/j.biopsych.2004.06.018 .

List of Subjects in 42 CFR Part 2

  • Alcohol abuse
  • Alcoholism
  • Drug abuse
  • Grant programs-health
  • Health records
  • Privacy
  • Reporting, and Recordkeeping requirements

For the reasons stated in the preamble of this final rule, SAMHSA revises 42 CFR part 2 to read as follows:

PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

Subpart A—Introduction
2.1
Statutory authority for confidentiality of substance use disorder patient records.
2.2
Purpose and effect.
2.3
Criminal penalty for violation.
2.4
Reports of violations.
Subpart B—General Provisions
2.11
Definitions.
2.12
Applicability.
2.13
Confidentiality restrictions and safeguards.
2.14
Minor patients.
2.15
Incompetent and deceased patients.
2.16
Security for records.
2.17
Undercover agents and informants.
2.18
Restrictions on the use of identification cards.
2.19
Disposition of records by discontinued programs.
2.20
Relationship to state laws.
2.21
Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.
2.22
Notice to patients of federal confidentiality requirements.
2.23
Patient access and restrictions on use.
Subpart C—Disclosures with Patient Consent
2.31
Consent requirements.
2.32
Prohibition on re-disclosure.
2.33
Disclosures permitted with written consent.
2.34
Disclosures to prevent multiple enrollments.
2.35
Disclosures to elements of the criminal justice system which have referred patients.
Subpart D—Disclosures without Patient Consent
2.51
Medical emergencies.
2.52
Research.
2.53
Audit and evaluation.
Subpart E—Court Orders Authorizing Disclosure and Use
2.61
Legal effect of order.
2.62
Order not applicable to records disclosed without consent to researchers, auditors and evaluators.
2.63
Confidential communications.
2.64
Procedures and criteria for orders authorizing disclosures for noncriminal purposes.
2.65
Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients.
2.66
Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a part 2 program or the person holding the records.
2.67
Orders authorizing the use of undercover agents and informants to criminally investigate employees or agents of a part 2 program.

Authority: 42 U.S.C. 290dd-2.

Subpart A—Introduction

§ 2.1
Statutory authority for confidentiality of substance use disorder patient records.

Title 42, United States Code, Section 290dd-2(g) authorizes the Secretary to prescribe regulations. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders, as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this statute, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.

§ 2.2
Purpose and effect.

(a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in this part impose restrictions upon the disclosure and use of substance use disorder patient records which are maintained in connection with the performance of any part 2 program. The regulations in this part include the following subparts:

(1) Subpart B of this part: General Provisions, including definitions, applicability, and general restrictions;

(2) Subpart C of this part: Disclosures with Patient Consent, including disclosures which require patient consent and the consent form requirements;

(3) Subpart D of this part: Disclosures without Patient Consent, including disclosures which do not require patient consent or an authorizing court order; and

(4) Subpart E of this part: Court Orders Authorizing Disclosure and Use, including disclosures and uses of patient records which may be made with an authorizing court order and the procedures and criteria for the entry and scope of those orders.

(b) Effect. (1) The regulations in this part prohibit the disclosure and use of patient records unless certain circumstances exist. If any circumstance exists under which disclosure is permitted, that circumstance acts to remove the prohibition on disclosure but it does not compel disclosure. Thus, the regulations do not require disclosure under any circumstances.

(2) The regulations in this part are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their patient record than an individual with a substance use disorder who does not seek treatment.

(3) Because there is a criminal penalty for violating the regulations, they are to be construed strictly in favor of the potential violator in the same manner as a criminal statute (see M. Kraus & Brothers v. United States, 327 U.S. 614, 621-22, 66 S. Ct. 705, 707-08 (1946)).

§ 2.3
Criminal penalty for violation.

Under 42 U.S.C. 290dd-2(f), any person who violates any provision of this section or any regulation issued pursuant to this section shall be fined in accordance with Title 18 of the U.S. Code.

§ 2.4
Reports of violations.

(a) The report of any violation of the regulations in this part may be directed to the United States Attorney for the judicial district in which the violation occurs.

(b) The report of any violation of the regulations in this part by an opioid treatment program may be directed to the United States Attorney for the judicial district in which the violation occurs as well as to the Substance Abuse and Mental Health Services Administration (SAMHSA) office responsible for opioid treatment program oversight.

Subpart B—General Provisions

§ 2.11
Definitions.

For purposes of the regulations in this part:

Central registry means an organization which obtains from two or more member programs patient identifying information about individuals applying for withdrawal management or maintenance treatment for the purpose of avoiding an individual's concurrent enrollment in more than one treatment program.

Diagnosis means any reference to an individual's substance use disorder or to a condition which is identified as having been caused by that substance use disorder which is made for the purpose of treatment or referral for treatment.

Disclose means to communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.

Federally assisted—see § 2.12(b).

Informant means an individual:

(1) Who is a patient or employee of a part 2 program or who becomes a patient or employee of a part 2 program at the request of a law enforcement agency or official; and

(2) Who at the request of a law enforcement agency or official observes one or more patients or employees of the part 2 program for the purpose of reporting the information obtained to the law enforcement agency or official.

Maintenance treatment means long-term pharmacotherapy for individuals with substance use disorders that reduces the pathological pursuit of reward and/or relief and supports remission of substance use disorder-related symptoms.

Member program means a withdrawal management or maintenance treatment program which reports patient identifying information to a central registry and which is in the same state as that central registry or is in a state that participates in data sharing with the central registry of the program in question.

Minor, as used in the regulations in this part, means an individual who has not attained the age of majority specified in the applicable state law, or if no age of majority is specified in the applicable state law, the age of 18 years.

Part 2 program means a federally assisted program (federally assisted as defined in § 2.12(b) and program as defined in this section). See § 2.12(e)(1) for examples.

Part 2 program director means:

(1) In the case of a part 2 program that is an individual, that individual.

(2) In the case of a part 2 program that is an entity, the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer of the part 2 program.

Patient means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a part 2 program. Patient includes any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual's eligibility to participate in a part 2 program. This definition includes both current and former patients.

Patient identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information. The term does not include a number assigned to a patient by a part 2 program, for internal use only by the part 2 program, if that number does not consist of or contain numbers (such as a social security, or driver's license number) that could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.

Person means an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as “individual or entity”).

Program means:

(1) An individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

(2) An identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or

(3) Medical personnel or other staff in a general medical facility whose primary function is the provision of substance use disorder diagnosis, treatment, or referral for treatment and who are identified as such providers.

Qualified service organization means an individual or entity who:

(1) Provides services to a part 2 program, such as data processing, bill collecting, dosage preparation, laboratory analyses, or legal, accounting, population health management, medical staffing, or other professional services, or services to prevent or treat child abuse or neglect, including training on nutrition and child care and individual and group therapy, and

(2) Has entered into a written agreement with a part 2 program under which that individual or entity:

(i) Acknowledges that in receiving, storing, processing, or otherwise dealing with any patient records from the part 2 program, it is fully bound by the regulations in this part; and

(ii) If necessary, will resist in judicial proceedings any efforts to obtain access to patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment except as permitted by the regulations in this part.

Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts). For the purpose of the regulations in this part, records include both paper and electronic records.

Substance use disorder means a cluster of cognitive, behavioral, and physiological symptoms indicating that the individual continues using the substance despite significant substance-related problems such as impaired control, social impairment, risky use, and pharmacological tolerance and withdrawal. For the purposes of the regulations in this part, this definition does not include tobacco or caffeine use.

Third-party payer means an individual or entity who pays and/or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient's family or on the basis of the patient's eligibility for federal, state, or local governmental benefits.

Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:

(1) A patient is, agrees to, or is legally required to be diagnosed, evaluated, and/or treated, or agrees to accept consultation, for any condition by an individual or entity, and;

(2) The individual or entity undertakes or agrees to undertake diagnosis, evaluation, and/or treatment of the patient, or consultation with the patient, for any condition.

Treatment means the care of a patient suffering from a substance use disorder, a condition which is identified as having been caused by the substance use disorder, or both, in order to reduce or eliminate the adverse effects upon the patient.

Undercover agent means any federal, state, or local law enforcement agency or official who enrolls in or becomes an employee of a part 2 program for the purpose of investigating a suspected violation of law or who pursues that purpose after enrolling or becoming employed for other purposes.

Withdrawal management means the use of pharmacotherapies to treat or attenuate the problematic signs and symptoms arising when heavy and/or prolonged substance use is reduced or discontinued.

§ 2.12
Applicability.

(a) General—(1) Restrictions on disclosure. The restrictions on disclosure in the regulations in this part apply to any information, whether or not recorded, which:

(i) Would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person; and

(ii) Is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.

(2) Restriction on use. The restriction on use of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or not recorded, which is drug abuse information obtained by a federally assisted drug abuse program after March 20, 1972 (part 2 program), or is alcohol abuse information obtained by a federally assisted alcohol abuse program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.

(b) Federal assistance. A program is considered to be federally assisted if:

(1) It is conducted in whole or in part, whether directly or by contract or otherwise by any department or agency of the United States (but see paragraphs (c)(1) and (2) of this section relating to the Department of Veterans Affairs and the Armed Forces);

(2) It is being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including but not limited to:

(i) Participating provider in the Medicare program;

(ii) Authorization to conduct maintenance treatment or withdrawal management; or

(iii) Registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders;

(3) It is supported by funds provided by any department or agency of the United States by being:

(i) A recipient of federal financial assistance in any form, including financial assistance which does not directly pay for the substance use disorder diagnosis, treatment, or referral for treatment; or

(ii) Conducted by a state or local government unit which, through general or special revenue sharing or other forms of assistance, receives federal funds which could be (but are not necessarily) spent for the substance use disorder program; or

(4) It is assisted by the Internal Revenue Service of the Department of the Treasury through the allowance of income tax deductions for contributions to the program or through the granting of tax exempt status to the program.

(c) Exceptions— (1) Department of Veterans Affairs. These regulations do not apply to information on substance use disorder patients maintained in connection with the Department of Veterans Affairs' provision of hospital care, nursing home care, domiciliary care, and medical services under Title 38, U.S.C. Those records are governed by 38 U.S.C. 7332 and regulations issued under that authority by the Secretary of Veterans Affairs.

(2) Armed Forces. The regulations in this part apply to any information described in paragraph (a) of this section which was obtained by any component of the Armed Forces during a period when the patient was subject to the Uniform Code of Military Justice except:

(i) Any interchange of that information within the Armed Forces; and

(ii) Any interchange of that information between the Armed Forces and those components of the Department of Veterans Affairs furnishing health care to veterans.

(3) Communication within a part 2 program or between a part 2 program and an entity having direct administrative control over that part 2 program. The restrictions on disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:

(i) Within a part 2 program; or

(ii) Between a part 2 program and an entity that has direct administrative control over the program.

(4) Qualified service organizations. The restrictions on disclosure in the regulations in this part do not apply to communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to the program.

(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on disclosure and use in the regulations in this part do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:

(i) Are directly related to a patient's commission of a crime on the premises of the part 2 program or against part 2 program personnel or to a threat to commit such a crime; and

(ii) Are limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit the crime, that individual's name and address, and that individual's last known whereabouts.

(6) Reports of suspected child abuse and neglect. The restrictions on disclosure and use in the regulations in this part do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.

(d) Applicability to recipients of information— (1) Restriction on use of information. The restriction on the use of any information subject to the regulations in this part to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient applies to any person who obtains that information from a part 2 program, regardless of the status of the person obtaining the information or whether the information was obtained in accordance with the regulations in this part. This restriction on use bars, among other things, the introduction of that information as evidence in a criminal proceeding and any other use of the information to investigate or prosecute a patient with respect to a suspected crime. Information obtained by undercover agents or informants (see § 2.17) or through patient access (see § 2.23) is subject to the restriction on use.

(2) Restrictions on disclosures—(i) Third-party payers, administrative entities, and others. The restrictions on disclosure in the regulations in this part apply to:

(A) Third-party payers with regard to records disclosed to them by part 2 programs or under § 2.31(a)(4)(iii)(A);

(B) Entities having direct administrative control over part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the part 2 program under paragraph (c)(3) of this section; and

(C) Individuals or entities who receive patient records directly from a part 2 program or other lawful holder of patient identifying information and who are notified of the prohibition on re-disclosure in accordance with § 2.32.

(ii) [Reserved]

(e) Explanation of applicability— (1) Coverage. These regulations cover any information (including information on referral and intake) about patients receiving diagnosis, treatment, or referral for treatment for a substance use disorder created by a part 2 program. Coverage includes, but is not limited to, those treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and private practitioners who hold themselves out as providing, and provide substance use disorder diagnosis, treatment, or referral for treatment. However, the regulations in this part would not apply, for example, to emergency room personnel who refer a patient to the intensive care unit for an apparent overdose, unless the primary function of such personnel is the provision of substance use disorder diagnosis, treatment, or referral for treatment and they are identified as providing such services or the emergency room has promoted itself to the community as a provider of such services.

(2) Federal assistance to program required. If a patient's substance use disorder diagnosis, treatment, or referral for treatment is not provided by a part 2 program, that patient's record is not covered by the regulations in this part. Thus, it is possible for an individual patient to benefit from federal support and not be covered by the confidentiality regulations because the program in which the patient is enrolled is not federally assisted as defined in paragraph (b) of this section. For example, if a federal court placed an individual in a private for-profit program and made a payment to the program on behalf of that individual, that patient's record would not be covered by the regulations in this part unless the program itself received federal assistance as defined by paragraph (b) of this section.

(3) Information to which restrictions are applicable. Whether a restriction applies to use or disclosure affects the type of information which may be disclosed. The restrictions on disclosure apply to any information which would identify a patient as having or having had a substance use disorder. The restriction on use of information to bring criminal charges against a patient for a crime applies to any information obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Note that restrictions on use and disclosure apply to recipients of information under paragraph (d) of this section.)

(4) How type of diagnosis affects coverage. These regulations cover any record of a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 provider in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared for the purpose of treatment or referral for treatment but which is not so used is covered by the regulations in this part. The following are not covered by the regulations in this part:

(i) Diagnosis which is made solely for the purpose of providing evidence for use by law enforcement agencies or officials; or

(ii) A diagnosis of drug overdose or alcohol intoxication which clearly shows that the individual involved does not have a substance use disorder (e.g., involuntary ingestion of alcohol or drugs or reaction to a prescribed dosage of one or more drugs).

§ 2.13
Confidentiality restrictions and safeguards.

(a) General. The patient records subject to the regulations in this part may be disclosed or used only as permitted by the regulations in this part and may not otherwise be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Any disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the disclosure.

(b) Unconditional compliance required. The restrictions on disclosure and use in the regulations in this part apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a disclosure or use which is not permitted by the regulations in this part.

(c) Acknowledging the presence of patients: Responding to requests. (1) The presence of an identified patient in a health care facility or component of a health care facility which is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgement of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgement does not reveal that the patient has a substance use disorder.

(2) Any answer to a request for a disclosure of patient records which is not permissible under the regulations in this part must be made in a way that will not affirmatively reveal that an identified individual has been, or is being, diagnosed or treated for a substance use disorder. An inquiring party may be provided a copy of the regulations in this part and advised that they restrict the disclosure of substance use disorder patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient.

(d) List of disclosures. Upon request, patients who have consented to disclose their patient identifying information using a general designation pursuant to § 2.31(a)(4)(iii)(B)(3) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.

(1) Under this paragraph (d), patient requests:

(i) Must be made in writing; and

(ii) Are limited to disclosures made within the past two years;

(2) Under this paragraph (d), the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary, as described in § 2.31(a)(4)(iii)(B)) must:

(i) Respond in 30 or fewer days of receipt of the written request; and

(ii) Provide, for each disclosure, the name(s) of the entity(-ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.

(3) The part 2 program is not responsible for compliance with this paragraph (d); the entity that serves as an intermediary, as described in § 2.31(a)(4)(iii)(B), is responsible for compliance with the list of disclosures requirement.

§ 2.14
Minor patients.

(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for disclosure authorized under subpart C of this part may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to the disclosure necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.

(b) State law requiring parental consent to treatment. (1) Where state law requires consent of a parent, guardian, or other individual for a minor to obtain treatment for a substance use disorder, any written consent for disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other individual authorized under state law to act in the minor's behalf.

(2) Where state law requires parental consent to treatment, the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other individual authorized under state law to act in the minor's behalf only if:

(i) The minor has given written consent to the disclosure in accordance with subpart C of this part; or

(ii) The minor lacks the capacity to make a rational choice regarding such consent as judged by the part 2 program director under paragraph (c) of this section.

(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other individual may be disclosed to the parent, guardian, or other individual authorized under state law to act in the minor's behalf if the part 2 program director judges that:

(1) A minor applicant for services lacks capacity because of extreme youthor mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other individual authorized under state law to act in the minor's behalf; and

(2) The minor applicant's situation poses a substantial threat to the life or physical well-being of the minor applicant or any other individual which may be reduced by communicating relevant facts to the minor's parent, guardian, or other individual authorized under state law to act in the minor's behalf.

§ 2.15
Incompetent and deceased patients.

(a) Incompetent patients other than minors—(1) Adjudication of incompetence. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to their own affairs, any consent which is required under the regulations in this part may be given by the guardian or other individual authorized under state law to act in the patient's behalf.

(2) No adjudication of incompetency. In the case of a patient, other than a minor or one who has been adjudicated incompetent, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer.

(b) Deceased patients—(1) Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.

(2) Consent by personal representative. Any other disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable state law. If there is no such applicable state law appointment, the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family.

Security for records.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address:

(1) Paper records, including:

(i) Transferring and removing such records;

(ii) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;

(iii) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;

(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and

(v) Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(2) Electronic records, including:

(i) Creating, receiving, maintaining, and transmitting such records;

(ii) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;

(iii) Using and accessing electronic records or other electronic media containing patient identifying information; and

(iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(b) [Reserved]

§ 2.17
Undercover agents and informants.

(a) Restrictions on placement. Except as specifically authorized by a court order granted under § 2.67, no part 2 program may knowingly employ, or enroll as a patient, any undercover agent or informant.

(b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used to criminally investigate or prosecute any patient.

§ 2.18
Restrictions on the use of identification cards.

No person may require any patient to carry in their immediate possession while away from the part 2 program premises any card or other object which would identify the patient as having a substance use disorder. This section does not prohibit a person from requiring patients to use or carry cards or other identification objects on the premises of a part 2 program.

§ 2.19
Disposition of records by discontinued programs.

(a) General. If a part 2 program discontinues operations or is taken over or acquired by another program, it must remove patient identifying information from its records or destroy its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16, unless:

(1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party); or

(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program.

(b) Special procedure where retention period required by law. If paragraph (a)(2) of this section applies:

(1) Records, which are paper, must be:

(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”;

(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable; and

(B) [Reserved]

(ii) Held under the restrictions of the regulations in this part by a responsible person who must, as soon as practicable after the end of the required retention period specified on the label, destroy the records and sanitize any associated hard copy media to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.

(2) Records, which are electronic, must be:

(i) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or

(ii) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; and

(iii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in (i) above or the original and backup electronic media specified in (ii) above, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16; and

(iv) The portable electronic device or the original and backup electronic media must be:

(A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and

(B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information (e.g., climate controlled environment); and

(v) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt; and

(vi) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16.

§ 2.20
Relationship to state laws.

The statute authorizing the regulations in this part (42 U.S.C. 290dd-2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a disclosure permitted under the regulations in this part is prohibited under state law, neither the regulations in this part nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any disclosure prohibited by the regulations in this part.

§ 2.21
Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.

(a) Research privilege description. There may be concurrent coverage of patient identifying information by the regulations in this part and by administrative action taken under section 502(c) of the Controlled Substances Act (21 U.S.C. 872(c) and the implementing regulations at 21 CFR part 1316); or section 301(d) of the Public Health Service Act (42 U.S.C. 241(d) and the implementing regulations at 42 CFR part 2a). These research privilege statutes confer on the Secretary of Health and Human Services and on the Attorney General, respectively, the power to authorize researchers conducting certain types of research to withhold from all persons not connected with the research the names and other identifying information concerning individuals who are the subjects of the research.

(b) Effect of concurrent coverage. These regulations restrict the disclosure and use of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes.

§ 2.22
Notice to patients of federal confidentiality requirements.

(a) Notice required. At the time of admission to a part 2 program or, in the case that a patient does not have capacity upon admission to understand his or her medical status, as soon thereafter as the patient attains such capacity, each part 2 program shall:

(1) Communicate to the patient that federal law and regulations protect the confidentiality of substance use disorder patient records; and

(2) Give to the patient a summary in writing of the federal law and regulations.

(b) Required elements of written summary. The written summary of the federal law and regulations must include:

(1) A general description of the limited circumstances under which a part 2 program may acknowledge that an individual is present or disclose outside the part 2 program information identifying a patient as having or having had a substance use disorder;

(2) A statement that violation of the federal law and regulations by a part 2 program is a crime and that suspected violations may be reported to appropriate authorities consistent with § 2.4, along with contact information;

(3) A statement that information related to a patient's commission of a crime on the premises of the part 2 program or against personnel of the part 2 program is not protected;

(4) A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and

(5) A citation to the federal law and regulations.

(c) Program options. The part 2 program must devise a notice to comply with the requirement to provide the patient with a summary in writing of the federal law and regulations. In this written summary, the part 2 program also may include information concerning state law and any of the part 2 program's policies that are not inconsistent with state and federal law on the subject of confidentiality of substance use disorder patient records.

§ 2.23
Patient access and restrictions on use.

(a) Patient access not prohibited. These regulations do not prohibit a part 2 program from giving a patient access to their own records, including the opportunity to inspect and copy any records that the part 2 program maintains about the patient. The part 2 program is not required to obtain a patient's written consent or other authorization under the regulations in this part in order to provide such access to the patient.

(b) Restriction on use of information. Information obtained by patient access to his or her patient record is subject to the restriction on use of this information to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).

Subpart C—Disclosures With Patient Consent

§ 2.31
Consent requirements.

(a) Required elements for written consent. A written consent to a disclosure under the regulations in this part may be paper or electronic and must include:

(1) The name of the patient.

(2) The specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure.

(3) How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed.

(4)(i) The name(s) of the individual(s) to whom a disclosure is to be made; or

(ii) Entities with a treating provider relationship with the patient. If the recipient entity has a treating provider relationship with the patient whose information is being disclosed, such as a hospital, a health care clinic, or a private practice, the name of that entity; or

(iii) Entities without a treating provider relationship with the patient.

(A) If the recipient entity does not have a treating provider relationship with the patient whose information is being disclosed and is a third-party payer, the name of the entity; or

(B) If the recipient entity does not have a treating provider relationship with the patient whose information is being disclosed and is not covered by paragraph (a)(4)(iii)(A) of this section, such as an entity that facilitates the exchange of health information or a research institution, the name(s) of the entity(-ies); and

(1) The name(s) of an individual participant(s); or

(2) The name(s) of an entity participant(s) that has a treating provider relationship with the patient whose information is being disclosed; or

(3) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed.

(i) When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13(d)).

(ii) [Reserved]

(5) The purpose of the disclosure. In accordance with § 2.13(a), the disclosure must be limited to that information which is necessary to carry out the stated purpose.

(6) A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer

(7) The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided.

(8) The signature of the patient and, when required for a patient who is a minor, the signature of an individual authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of an individual authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.

(9) The date on which the consent is signed.

(b) Expired, deficient, or false consent. A disclosure may not be made on the basis of a consent which:

(1) Has expired;

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;

(3) Is known to have been revoked; or

(4) Is known, or through reasonable diligence could be known, by the individual or entity holding the records to be materially false.

§ 2.32
Prohibition on re-disclosure.

(a) Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by the following written statement: This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see § 2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65.

(b) [Reserved]

§ 2.33
Disclosures permitted with written consent.

If a patient consents to a disclosure of their records under § 2.31, a program may disclose those records in accordance with that consent to any person identified in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.

§ 2.34
Disclosures to prevent multiple enrollments.

(a) Restrictions on disclosure. A part 2 program, as defined in § 2.11, may disclose patient records to a central registry or to any withdrawal management or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:

(1) The disclosure is made when:

(i) The patient is accepted for treatment;

(ii) The type or dosage of the drug is changed; or

(iii) The treatment is interrupted, resumed or terminated.

(2) The disclosure is limited to:

(i) Patient identifying information;

(ii) Type and dosage of the drug; and

(iii) Relevant dates.

(3) The disclosure is made with the patient's written consent meeting the requirements of § 2.31, except that:

(i) The consent must list the name and address of each central registry and each known withdrawal management or maintenance treatment program to which a disclosure will be made; and

(ii) The consent may authorize a disclosure to any withdrawal management or maintenance treatment program established within 200 miles of the program, but does not need to individually name all programs.

(b) Use of information limited to prevention of multiple enrollments. A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not re-disclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under subpart E of this part.

(c) Permitted disclosure by a central registry to prevent a multiple enrollment. When a member program asks a central registry if an identified patient is enrolled in another member program and the registry determines that the patient is so enrolled, the registry may disclose:

(1) The name, address, and telephone number of the member program(s) in which the patient is already enrolled to the inquiring member program; and

(2) The name, address, and telephone number of the inquiring member program to the member program(s) in which the patient is already enrolled. The member programs may communicate as necessary to verify that no error has been made and to prevent or eliminate any multiple enrollments.

(d) Permitted disclosure by a withdrawal management or maintenance treatment program to prevent a multiple enrollment. A withdrawal management or maintenance treatment program which has received a disclosure under this section and has determined that the patient is already enrolled may communicate as necessary with the program making the disclosure to verify that no error has been made and to prevent or eliminate any multiple enrollments.

§ 2.35
Disclosures to elements of the criminal justice system which have referred patients.

(a) A part 2 program may disclose information about a patient to those individuals within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:

(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and

(2) The patient has signed a written consent meeting the requirements of § 2.31 (except paragraph (a)(8) which is inconsistent with the revocation provisions of paragraph (c) of this section) and the requirements of paragraphs (b) and (c) of this section.

(b) Duration of consent. The written consent must state the period during which it remains in effect. This period must be reasonable, taking into account:

(1) The anticipated length of the treatment;

(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and

(3) Such other factors as the part 2 program, the patient, and the individual(s) within the criminal justice system who will receive the disclosure consider pertinent.

(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.

(d) Restrictions on re-disclosure and use. An individual within the criminal justice system who receives patient information under this section may re-disclose and use it only to carry out that individual's official duties with regard to the patient's conditional release or other action in connection with which the consent was given.

Subpart D—Disclosures Without Patient Consent

§ 2.51
Medical emergencies.

(a) General rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient's prior informed consent cannot be obtained.

(b) Special rule. Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.

(c) Procedures. Immediately following disclosure, the part 2 program shall document, in writing, the disclosure in the patient's records, including:

(1) The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;

(2) The name of the individual making the disclosure;

(3) The date and time of the disclosure; and

(4) The nature of the emergency (or error, if the report was to FDA).

§ 2.52
Research.

(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be disclosed by the part 2 program or other lawful holder of part 2 data, for the purpose of conducting scientific research if the individual designated as director or managing director, or individual otherwise vested with authority to act as chief executive officer or their designee makes a determination that the recipient of the patient identifying information:

(1) If a HIPAA-covered entity or business associate, has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable; or

(2) If subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), either provides documentation that the researcher is in compliance with the requirements of the HHS regulations, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.101(b) and any successor regulations; or

(3) If both a HIPAA covered entity or business associate and subject to the HHS regulations regarding the protection of human subjects, has met the requirements of paragraphs (a)(1) and (2) of this section; and

(4) If neither a HIPAA covered entity or business associate or subject to the HHS regulations regarding the protection of human subjects, this section does not apply.

(b) Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section:

(1) Is fully bound by the regulations in this part and, if necessary, will resist in judicial proceedings any efforts to obtain access to patient records except as permitted by the regulations in this part.

(2) Must not re-disclose patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.

(3) May include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

(4) Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under § 2.16.

(5) Must retain records in compliance with applicable federal, state, and local record retention laws.

(c) Data linkages—(1) Researchers. Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(-ies) holding patient identifying information must:

(i) Have the request reviewed and approved by an Institutional Review Board (IRB) registered with the Department of Health and Human Services, Office for Human Research Protections in accordance with 45 CFR part 46 to ensure that patient privacy is considered and the need for identifiable data is justified. Upon request, the researcher may be required to provide evidence of the IRB approval of the research project that contains the data linkage component.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Data repositories. For purposes of this section, a data repository is fully bound by the provisions of part 2 upon receipt of the patient identifying data and must:

(i) After providing the researcher with the linked data, destroy or delete the linked data from its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16 Security for records.

(ii) Ensure that patient identifying information obtained under paragraph (a) of this section is not provided to law enforcement agencies or officials.

(2) Except as provided in paragraph (c) of this section, a researcher may not redisclose patient identifying information for data linkages purposes.

§ 2.53
Audit and evaluation.

(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the part 2 program premises or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the part 2 program premises to any individual or entity who agrees in writing to comply with the limitations on re-disclosure and use in paragraph (d) of this section and who:

(1) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local government agency which provides financial assistance to the part 2 program or is authorized by law to regulate its activities; or

(ii) Any individual or entity who provides financial assistance to the part 2 program, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review; or

(2) Is determined by the part 2 program to be qualified to conduct an audit or evaluation of the part 2 program.

(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from a part 2 program premises or downloaded or forwarded to another electronic system or device from the part 2 program's electronic records by any individual or entity who:

(1) Agrees in writing to:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and

(2) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local government agency which provides financial assistance to the part 2 program or is authorized by law to regulate its activities; or

(ii) Any individual or entity who provides financial assistance to the part 2 program, which is a third-party payer covering patients in the part 2 program, or which is a quality improvement organization performing a utilization or quality control review.

(c) Medicare, Medicaid, Children's Health Insurance Program (CHIP), or related audit or evaluation. (1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (c) of this section to any individual or entity for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the individual or entity agrees in writing to comply with the following:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section.

(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of a part 2 program by any federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the part 2 program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.

(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in accordance with the following:

(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:

(A) Have in place administrative and/or clinical systems; and

(B) Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization's management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement or similar documentation with CMS; and

(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement or similar documentation with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE):

(A) Is subject to periodic evaluations by CMS or its agents, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;

(B) Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS or its agents;

(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;

(D) Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;

(E) Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and

(F) Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (c)(1) of this section.

(4) Program, as defined in § 2.11, includes an employee of, or provider of medical services under the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section.

(5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, then a quality improvement organization which obtains the information under paragraph (a) or (b) of this section may disclose the information to that individual or entity but only for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation.

(6) The provisions of this paragraph do not authorize the part 2 program, the federal, state, or local government agency, or any other individual or entity to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (c) of this section.

(d) Limitations on disclosure and use. Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.

Subpart E—Court Orders Authorizing Disclosure and Use

§ 2.61
Legal effect of order.

(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a disclosure or use of patient information which would otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in this part. Such an order does not compel disclosure. A subpoena or a similar legal mandate must be issued in order to compel disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under the regulations in this part.

(b) Examples. (1) A person holding records subject to the regulations in this part receives a subpoena for those records. The person may not disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under the regulations in this part.

(2) An authorizing court order is entered under the regulations in this part, but the person holding the records does not want to make the disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the disclosure. Upon the entry of a valid subpoena or other compulsory process the person holding the records must disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of the regulations in this part.

§ 2.62
Order not applicable to records disclosed without consent to researchers, auditors and evaluators.

A court order under the regulations in this part may not authorize qualified personnel, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize disclosure and use of records to investigate or prosecute qualified personnel holding the records.

§ 2.63
Confidential communications.

(a) A court order under the regulations in this part may authorize disclosure of confidential communications made by a patient to a part 2 program in the course of diagnosis, treatment, or referral for treatment only if:

(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;

(2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or

(3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

(b) [Reserved]

§ 2.64
Procedures and criteria for orders authorizing disclosures for noncriminal purposes.

(a) Application. An order authorizing the disclosure of patient records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the disclosure which is sought. The application may be filed separately or as part of a pending civil action in which the applicant asserts that the patient records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given written consent (meeting the requirements of the regulations in this part) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice. The patient and the person holding the records from whom disclosure is sought must be provided:

(1) Adequate notice in a manner which does not disclose patient identifying information to other persons; and

(2) An opportunity to file a written response to the application, or to appear in person, for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order as described in § 2.64(d).

(c) Review of evidence: Conduct of hearing. Any oral argument, review of evidence, or hearing on the application must be held in the judge's chambers or in some manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceeding, the patient, or the person holding the record, unless the patient requests an open hearing in a manner which meets the written consent requirements of the regulations in this part. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria for entry of order. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find that:

(1) Other ways of obtaining the information are not available or would not be effective; and

(2) The public interest and need for the disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.

(e) Content of order. An order authorizing a disclosure must:

(1) Limit disclosure to those parts of the patient's record which are essential to fulfill the objective of the order;

(2) Limit disclosure to those persons whose need for information is the basis for the order; and

(3) Include such other measures as are necessary to limit disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

§ 2.65
Procedures and criteria for orders authorizing disclosure and use of records to criminally investigate or prosecute patients.

(a) Application. An order authorizing the disclosure or use of patient records to investigate or prosecute a patient in connection with a criminal proceeding may be applied for by the person holding the records or by any law enforcement or prosecutorial officials who are responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny.

(b) Notice and hearing. Unless an order under § 2.66 is sought in addition to an order under this section, the person holding the records must be provided:

(1) Adequate notice (in a manner which will not disclose patient identifying information to other persons) of an application by a law enforcement agency or official;

(2) An opportunity to appear and be heard for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order as described in § 2.65(d); and

(3) An opportunity to be represented by counsel independent of counsel for an applicant who is a law enforcement agency or official.

(c) Review of evidence: Conduct of hearings. Any oral argument, review of evidence, or hearing on the application shall be held in the judge's chambers or in some other manner which ensures that patient identifying information is not disclosed to anyone other than a party to the proceedings, the patient, or the person holding the records. The proceeding may include an examination by the judge of the patient records referred to in the application.

(d) Criteria. A court may authorize the disclosure and use of patient records for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met:

(1) The crime involved is extremely serious, such as one which causes or directly threatens loss of life or serious bodily injury including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, and child abuse and neglect.

(2) There is a reasonable likelihood that the records will disclose information of substantial value in the investigation or prosecution.

(3) Other ways of obtaining the information are not available or would not be effective.

(4) The potential injury to the patient, to the physician-patient relationship and to the ability of the part 2 program to provide services to other patients is outweighed by the public interest and the need for the disclosure.

(5) If the applicant is a law enforcement agency or official, that:

(i) The person holding the records has been afforded the opportunity to be represented by independent counsel; and

(ii) Any person holding the records which is an entity within federal, state, or local government has in fact been represented by counsel independent of the applicant.

(e) Content of order. Any order authorizing a disclosure or use of patient records under this section must:

(1) Limit disclosure and use to those parts of the patient's record which are essential to fulfill the objective of the order;

(2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of the extremely serious crime or suspected crime specified in the application; and

(3) Include such other measures as are necessary to limit disclosure and use to the fulfillment of only that public interest and need found by the court.

§ 2.66
Procedures and criteria for orders authorizing disclosure and use of records to investigate or prosecute a part 2 program or the person holding the records.

(a) Application. (1) An order authorizing the disclosure or use of patient records to investigate or prosecute a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records) in connection with a criminal or administrative matter may be applied for by any administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the program's or person's activities.

(2) The application may be filed separately or as part of a pending civil or criminal action against a part 2 program or the person holding the records (or agents or employees of the part 2 program or person holding the records) in which the applicant asserts that the patient records are needed to provide material evidence. The application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny or the patient has provided written consent (meeting the requirements of § 2.31) to that disclosure.

(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the part 2 program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of the above persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with § 2.66(c).

(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of, paragraphs (d) and (e) of § 2.64.

(d) Limitations on disclosure and use of patient identifying information. (1) An order entered under this section must require the deletion of patient identifying information from any documents made available to the public.

(2) No information obtained under this section may be used to conduct any investigation or prosecution of a patient in connection with a criminal matter, or be used as the basis for an application for an order under § 2.65.

§ 2.67
Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.

(a) Application. A court order authorizing the placement of an undercover agent or informant in a part 2 program as an employee or patient may be applied for by any law enforcement or prosecutorial agency which has reason to believe that employees or agents of the part 2 program are engaged in criminal misconduct.

(b) Notice. The part 2 program director must be given adequate notice of the application and an opportunity to appear and be heard (for the limited purpose of providing evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with § 2.67(c)), unless the application asserts that:

(1) The part 2 program director is involved in the suspected criminal activities to be investigated by the undercover agent or informant; or

(2) The part 2 program director will intentionally or unintentionally disclose the proposed placement of an undercover agent or informant to the employees or agents of the program who are suspected of criminal activities.

(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make this determination the court must find all of the following:

(1) There is reason to believe that an employee or agent of the part 2 program is engaged in criminal activity;

(2) Other ways of obtaining evidence of the suspected criminal activity are not available or would not be effective; and

(3) The public interest and need for the placement of an undercover agent or informant in the part 2 program outweigh the potential injury to patients of the part 2 program, physician-patient relationships and the treatment services.

(d) Content of order. An order authorizing the placement of an undercover agent or informant in a part 2 program must:

(1) Specifically authorize the placement of an undercover agent or an informant;

(2) Limit the total period of the placement to six months;

(3) Prohibit the undercover agent or informant from disclosing any patient identifying information obtained from the placement except as necessary to investigate or prosecute employees or agents of the part 2 program in connection with the suspected criminal activity; and

(4) Include any other measures which are appropriate to limit any potential disruption of the part 2 program by the placement and any potential for a real or apparent breach of patient confidentiality; for example, sealing from public scrutiny the record of any proceeding for which disclosure of a patient's record has been ordered.

(e) Limitation on use of information. No information obtained by an undercover agent or informant placed in a part 2 program under this section may be used to investigate or prosecute any patient in connection with a criminal matter or as the basis for an application for an order under § 2.65.

Dated: December 20, 2016.

Kana Enomoto,

Acting Deputy Assistant Secretary for Mental Health and Substance Use.

Sylvia M. Burwell,

Secretary.

[FR Doc. 2017-00719 Filed 1-13-17; 11:15 am]

BILLING CODE 4162-20-P