eLaws | eCases | United States Code | Federal Courts |
 Code of Federal Regulations (Last Updated: November 8, 2024)
 Title 42 - Public Health
 Chapter I—Public Health Service, Department of Health and Human Services
 SubChapter A—General Provisions
 Part 2 - Confidentiality of Substance Use Disorder Patient Records
 Subpart C - Uses and Disclosures With Patient Consent

  § 2.33 - Uses and disclosures permitted with written consent.  

Latest version.

  • § 2.33 Disclosures Uses and disclosures permitted with written consent.

    Cross Reference
    Link to an amendment published at 89 FR 12627, Feb. 16, 2024.

    (a) If a patient consents to a use or disclosure of their records under consistent with § 2.31, a the following uses and disclosures are permitted, as applicable:

    (1) A part 2 program may use and disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.

    (

    b) If a patient consents to a disclosure of their records under § 2.31 for payment or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or health care operations on behalf of such lawful holder. In accordance with § 2.13(a), disclosures under this section must be limited to that information which is necessary to carry out the stated purpose of the disclosure. Examples of permissible payment or health care operations activities under this section include:

    (1) Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing, and/or related health care data processing;

    (2) Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);

    (3) Patient safety activities;

    (4) Activities pertaining to:

    (i) The training of student trainees and health care professionals;

    (ii) The assessment of practitioner competencies;

    (iii) The assessment of provider or health plan performance; and/or

    (iv) Training of non-health care professionals;

    (5) Accreditation, certification, licensing, or credentialing activities;

    (6) Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and/or ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;

    (7) Third-party liability coverage;

    (8) Activities related to addressing fraud, waste and/or abuse;

    (9) Conducting or arranging for medical review, legal services, and/or auditing functions;

    (10) Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;

    (11) Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;

    (12) Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;

    (13) Resolution of internal grievances;

    (14) The sale, transfer, merger, consolidation, or dissolution of an organization;

    (15) Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

    (16) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

    (17) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

    (18) Care coordination and/or case management services in support of payment or health care operations; and/or

    (19) Other payment/health care operations activities not expressly prohibited in this provision.

    (c) Lawful holders who wish to disclose

    2) When the consent provided is a single consent for all future uses and disclosures for treatment, payment, and health care operations, a part 2 program, covered entity, or business associate may use and disclose those records for treatment, payment, and health care operations as permitted by the HIPAA regulations, until such time as the patient revokes such consent in writing.

    (b) If a patient consents to a use or disclosure of their records consistent with § 2.31, the recipient may further disclose such records as provided in subpart E of this part, and as follows:

    (1) When disclosed for treatment, payment, and health care operations activities to a covered entity or business associate, such recipient may further disclose those records in accordance with the HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.

    (2) When disclosed with consent given once for all future treatment, payment, and health care operations activities to a part 2 program that is not a covered entity or business associate, the recipient may further disclose those records consistent with the consent.

    (3) When disclosed for payment or health care operations activities to a lawful holder that is not a covered entity or business associate, the recipient may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders.

    (c) Lawful holders, other than covered entities and business associates, who wish to redisclose patient identifying information pursuant to paragraph (b)(3) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of this part 2 upon receipt of the patient identifying information. In making any such disclosuresredisclosures, the lawful holder must furnish such recipients with the notice required under § 2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only disclose redisclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or , subcontractor, or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or , subcontractor, or voluntary legal representative to re-disclose redisclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

    [83 89 FR 25112627, JanMar. 3, 2018, as amended at 85 FR 43037, July 15, 202016, 2024]