-
Start Preamble
Start Printed Page 74216
AGENCY:
Office for Civil Rights (OCR), Office of the Secretary, Department of Health and Human Services; Substance Abuse and Mental Health Services Administration (SAMHSA), Department of Health and Human Services.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
The Department of Health and Human Services (HHS or “the Department”) is issuing this notice of proposed rulemaking (NPRM) to solicit public comment on its proposal to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
DATES:
Comments due on or before January 31, 2023.
ADDRESSES:
Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.
• Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA16. Follow the instructions at http://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).
• Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: SUD Patient Records, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.
Inspection of Public Comments: All comments received by the accepted methods and due date specified above may be posted without change to content to http://www.regulations.gov, which may include personal information provided about the commenter, and such posting may occur after the closing of the comment period. However, the Department may redact certain content from comments before posting, including threatening language, hate speech, profanity, graphic images, or individually identifiable information about a third-party individual other than the commenter.
Because of the large number of public comments normally received on Federal Register documents, OCR is not able to provide individual acknowledgments of receipt.
Please allow sufficient time for mailed comments to be received timely in the event of delivery or security delays.
Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted. In addition, comments that are labeled as confidential business information or whose disclosure to the public is restricted by statute will not be accepted.
Docket: For complete access to background documents or posted comments, go to http://www.regulations.gov and search for Docket ID number HHS-OCR-0945-AA16.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Lester Coffer at (800) 368-1019 or (800) 537-7697 (TDD).
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
The discussion below includes an Executive Summary and overview describing the need for the proposed rules, a description of the statutory and regulatory background of the proposed rules, a section-by-section description of the proposed modifications, and the impact statement and other required regulatory analyses. The Department solicits public comment on all aspects of the proposed rules. Persons interested in commenting on the provisions of the proposed rules can assist the Department by preceding discussion of any particular provision or topic with a citation to the section of the proposed rule being discussed.
Table of Contents
I. Executive Summary
A. Overview
B. Effective and Compliance Dates
C. Summary of Major Proposals
II. Background and Need for Proposed Rule
A. Statutory and Regulatory Background
B. Earlier Efforts To Align Part 2 With the HIPAA Rules
C. Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act
III. Section-by-Section Description of Proposed Amendments to 42 CFR Part 2
A. § 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records
B. § 2.2—Purpose and Effect
C. § 2.3—Civil and Criminal Penalties for Violations (Proposed Heading)
D. § 2.4—Complaints of Violations (Proposed Heading)
E. § 2.11—Definitions
F. § 2.12—Applicability
G. § 2.13—Confidentiality Restrictions and Safeguards
H. § 2.14—Minor Patients
I. § 2.15—Patients Who Lack Capacity and Deceased Patients (Proposed Heading)
J. § 2.16—Security for Records and Notification of Breaches (Proposed Heading)
K. § 2.17—Undercover Agents and Informants
L. § 2.19—Disposition of Records by Discontinued Programs
M. § 2.20—Relationship to State Laws
N. § 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity
O. § 2.22— Notice to Patients of Federal Confidentiality Requirements; and 45 CFR 164.520—Notice of Privacy Practices for Protected Health information
P. § 2.23 —Patient Access and Restrictions on Use and Disclosure (Proposed Heading)
Q. § 2.24—Requirements for Intermediaries (Redesignated and Proposed Heading)
R. § 2.25—Accounting of Disclosures (Proposed Heading)
S. § 2.26—Right To Request Privacy Protection for Records (proposed Heading)
T. Subpart C—Uses and Disclosures With Patient Consent (Proposed Heading)
U. § 2.31—Consent Requirements
V. § 2.32—Notice To Accompany Disclosure (Proposed Heading)
W. § 2.33—Uses and Disclosures Permitted With Written Consent (Proposed Heading)
X. § 2.34 —Uses and Disclosures To Prevent Multiple Enrollments (Proposed Heading)
Y. § 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients
Z. Subpart D—Uses and Disclosures Without Patient Consent (Proposed Heading)
AA. § 2.51—Medical Emergencies
BB. § 2.52—Scientific Research (Proposed Heading)
CC. § 2.53—Management Audits, Financial Audits, and Program Evaluation (Proposed Heading)
DD. § 2.54—Disclosures for Public Health (Proposed Heading)
EE. Subpart E—Court Orders Authorizing Use and Disclosure (Proposed Heading)
FF. § 2.61—Legal Effect of Order
GG. § 2.62— Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors and Evaluators
HH. § 2.63—Confidential Communications
II. § 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes (Proposed Heading)
JJ. § 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients (Proposed Heading)
KK. § 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or Person Holding the Records (Proposed Heading) Start Printed Page 74217
LL. § 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter
MM. § 2.68—Report to the Secretary (Proposed Heading)
IV. Request for Comments
V. Public Participation
VI. Regulatory Impact Analysis
A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review
1. Summary of the Proposed Rule
2. Need for the Proposed Rule
3. Cost-Benefit Analysis
4. Consideration of Regulatory Alternatives
5. Request for Comments on Costs and Benefits
B. Regulatory Flexibility Act
C. Unfunded Mandates Reform Act
D. Executive Order 13132—Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2
2. Explanation of Estimated Capital Expenses for 42 CFR Part 2
3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520
Executive Summary
Overview
In this Notice of Proposed Rulemaking (NPRM), the Department proposes to modify certain provisions of part 2 of title 42 of the Code of Federal Regulations (42 CFR part 2 or “Part 2”) [1] to implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.[2]
Part 2 currently imposes different requirements for substance use disorder (SUD) treatment records protected by Part 2 (“Part 2 records”) [3] than the Health Insurance Portability and Accountability Act of 1996 (HIPAA) [4] Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”) [5] apply to protected health information (PHI).[6] The statutory and regulatory schemes apply to different types of entities and create dual obligations and compliance challenges for HIPAA covered entities [7] and business associates [8] that maintain PHI and Part 2 records, and thus are subject to both sets of rules.[9] Treatment providers have also expressed concerns that they lack access to complete information when treating patients.[10] Section 290dd-2, as amended by section 3221 of the CARES Act, aligns certain Part 2 requirements more closely to requirements of the HIPAA Rules to improve the ability of entities that are subject to Part 2 to use and disclose Part 2 records and makes other changes to Part 2, as described in this preamble.
Paragraphs (b), (c), and (f) of section 290dd-2, as amended by section 3221 of the CARES Act, contain modified or new requirements for patient consent and redisclosure of Part 2 records; [11] new rights to obtain an accounting of disclosures made with consent [12] and to request restrictions on disclosures; [13] greater restrictions against the use and disclosure of records in civil, criminal, administrative, and legislative proceedings against patients; [14] and new civil money penalties (CMPs) for violations of Part 2.[15] Paragraphs (i), (j), and (k) of section 290dd-2, as amended by section 3221 of the CARES Act, add new requirements to prohibit discrimination,[16] impose breach notification obligations,[17] and incorporate definitions from the HIPAA Rules into Part 2.[18] Finally, section 3221(i) of the CARES Act requires the Department to update its Notice of Privacy Practices (NPP) requirements in the HIPAA Privacy Rule (“Privacy Rule”) at 45 CFR 164.520 to address uses and disclosures of Part 2 records and individual rights with respect to those records.[19] This NPRM contains proposals to implement the CARES Act provisions relating to health information privacy; the Department intends to develop a separate rulemaking to implement the CARES Act antidiscrimination prohibitions.
In addition to changes mandated by the CARES Act, the Department proposes to address concerns about potential unintended consequences for government agencies of the change in enforcement authority and penalties for violations of Part 2. Specifically, the Department proposes to create a limitation on liability for agencies and persons acting on their behalf, that investigate and prosecute Part 2 programs (to be defined as “investigative agencies”) and unknowingly receive records subject to Part 2 before applying for the requisite Start Printed Page 74218 court order, provided they first exercise reasonable diligence by attempting to determine if the targeted provider is a Part 2 program. The proposal would permit investigative agencies to seek a court order after obtaining records in such situations. An additional proposal would require agencies using this safe harbor to report annually to the Secretary.
Effective and Compliance Dates
The proposed effective date of a final rule would be 60 days after publication and the compliance date would be 22 months after the effective date. Entities subject to a final rule would have until the compliance date to establish and implement policies and practices to achieve compliance.
Part 2 does not contain a standard compliance period for changes to the regulations; however, the HIPAA Rules generally require covered entities and business associates to comply with new or modified standards or implementation specifications no later than 180 days from the effective date of any such standards or implementation specifications, except as otherwise provided ( e.g., in a specific rulemaking).[20] While the proposed rule would make only minor modifications to the Privacy Rule, the Department proposes to provide the same, substantial compliance period for both the proposed modifications to 45 CFR 164.520 and the more extensive Part 2 modifications. Accordingly, the Department would begin enforcement of the new and revised standards, in both regulations, 24 months after publication of a final rule. This compliance period would allow Part 2 programs to revise existing policies and practices, complete other implementation requirements, and train their workforce members on the changes, as well as minimize administrative burdens on entities subject to the Privacy Rule.
The Department requests comment on whether the 22-month compliance period is an appropriate length of time for entities subject to a final rule to come into compliance and any benefits or unintended adverse consequences for entities or individuals of a shorter or longer compliance period.
Additionally, for the proposed accounting of disclosures requirements, the Department proposes to toll the compliance date for Part 2 programs until the effective date of a final rule on the HIPAA accounting of disclosures standard, 45 CFR 164.528. This would ensure that Part 2 programs do not incur new compliance obligations before covered entities and business associates under the Privacy Rule are obligated to comply.
Summary of Major Proposals
The Department proposes the following changes to 42 CFR part 2 that revise, delete, replace, or add sections to implement statutory requirements enacted pursuant to section 3221 of the CARES Act. The Department also proposes to amend 42 CFR part 2 to reflect applicable standards in the HIPAA Rules, reflect language used in the HIPAA Rules, align regulatory text with statutory spelling,[21] and improve clarity or readability. Additionally, the Department proposes to modify the NPP requirements in 45 CFR 164.520 consistent with section 3221(i) of the CARES Act.
This section summarizes major proposals in this NPRM. Additional proposed revisions are not listed here because they are not considered major.[22] All proposed changes are discussed in detail in section III of this NPRM:
1. § 2.1—Statutory authority for confidentiality of substance use disorder patient records.
Revise § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd-2(g), especially with respect to court orders authorizing the disclosure of records.
2. § 2.2—Purpose and effect.
Amend paragraph (b) of § 2.2 to reflect that § 2.3(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the Privacy Rule at 45 CFR 164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to prohibit any limits on a patient's right to request restrictions on use of records for treatment, payment, or health care operations (TPO) or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.
3. § 2.3—Civil and criminal penalties for violations (proposed heading).
Amend the heading and replace title 18 U.S.C. enforcement with references to the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the CMP tiers established by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal penalties),[23] as implemented in the Enforcement Rule.[24] Create a limitation on civil or criminal liability under Part 2 for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation or prosecution of a Part 2 program or person holding the record, provided that certain conditions are met.[25]
4. § 2.4—Complaints of violations (proposed heading).
Amend the heading and insert requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a requirement to establish a process for the Part 2 program to receive complaints, a prohibition against taking adverse action against patients who file complaints, and a prohibition against requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
5. § 2.11—Definitions.
Add new terms and definitions to align with the following statutory and regulatory HIPAA terms: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use. Create new defined terms Intermediary, Investigative agency, and Unsecured record, and modify the definitions of Informant, Part 2 program director, Patient, Program, Records, Third-party payer, Treating provider relationship, and Qualified service organization.
6. § 2.12—Applicability.
Replace “Armed Forces” with “Uniformed Services” in paragraph (c)(2) of § 2.12. Incorporate four Start Printed Page 74219 statutory examples of restrictions on the use or disclosure of Part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Add language to qualify the term third-party payer with the phrase “as defined in this part.” Revise paragraph (e)(4)(i) to clarify when a diagnosis is not covered by Part 2.
7. § 2.13—Confidentiality restrictions and safeguards.
Redesignate § 2.13(d) requiring a list of disclosures as new § 2.24 and modify the text for clarity. Amend the heading to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a Part 2 program.
8. § 2.14—Minor patients.
Change the verb “judges” to “determines” to describe a program director's evaluation and decision that a minor lacks decision making capacity.
9. § 2.15—Patients who lack capacity and deceased patients (proposed heading).
Replace outdated language, clarify that paragraph (a) of this section refers to an adjudication by a court of a patient's lack of capacity to make health care decisions while paragraph (b) refers to a patient's lack of capacity to make health care decisions without court adjudication, and add health plans to the list of entities to which a program may disclose records without consent.
10. § 2.16—Security for records and notification of breaches (proposed heading).
Apply the HITECH Act breach notification provisions [26] that are currently implemented in the Breach Notification Rule to breaches of records by Part 2 programs and retitle the provision to include breach notification to implement CARES Act provisions. Modify the provision to refer to the Privacy Rule de-identification standard at 45 CFR 164.514.
11. § 2.19—Disposition of records by discontinued programs.
Add an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Modernize the language to refer to “non-electronic” records and include “paper” records as an example of non-electronic records.
12. § 2.22—Notice to patients of federal confidentiality requirements.
Modify the Part 2 confidentiality notice requirements (hereinafter, “Patient Notice”) to align with the NPP and address protections required by 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES Act, for entities that create or maintain Part 2 records.
13. § 2.23—Patient access and restrictions on use and disclosure (proposed heading).
Add the term “disclosure” to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation.
14. § 2.24—Requirements for intermediaries (redesignated and proposed heading).
Retitle the redesignated section (to be moved from § 2.13(d)) as “Requirements for intermediaries” to clarify the responsibilities of recipients of records received under a consent with a general designation, such as health information exchanges, research institutions, accountable care organizations, and care management organizations.
15. § 2.25—Accounting of disclosures (proposed heading).
Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act right to an accounting of certain disclosures of records for up to three years prior to the date the accounting is requested and add a right to an accounting of disclosures of records that mirrors the standard in the Privacy Rule at 45 CFR 164.528.
16. § 2.26—Right to request privacy protection for records (proposed heading).
Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 164.522, namely: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient.
17. Subpart C—Uses and Disclosures With Patient Consent (proposed heading).
Change the heading of subpart C to “Uses and Disclosures With Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2(b), as amended by the section 3221(b) of the CARES Act.
18. § 2.31—Consent requirements.
Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated in a consent to use and disclose Part 2 records for TPO.
19. § 2.32—Notice to accompany disclosure (proposed heading).
Change the heading of this section and align the content requirements for the required notice that accompanies a disclosure of records (hereinafter “notice to accompany disclosure”) with the requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of the CARES Act.
20. § 2.33—Uses and disclosures permitted with written consent (proposed heading).
To align this provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO with a single consent given once for all such future uses and disclosures, until such time as the patient revokes the consent in writing. Create redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent: (1) Permit a Part 2 program, covered entity, or business associate that receives Part 2 records pursuant to a written consent for TPO purposes to redisclose the records in any manner permitted by the Privacy Rule, except for certain proceedings against the patient; [27] and (2) Permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.
21. § 2.35—Disclosures to elements of the criminal justice system which have referred patients.
For clarity, replace “individuals” with “persons” and clarify that permitted redisclosures of information are from Part 2 records.
22. Subpart D—Uses and Disclosures Without Patient Consent (proposed heading).
Change the heading of subpart D to “Uses and Disclosures Without Patient Consent” to reflect changes made to the Start Printed Page 74220 provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2 as amended by the CARES Act.
23. § 2.51—Medical emergencies.
For clarity in § 2.51(c)(2), replace the term “individual” with the term “person.”
24. § 2.52—Scientific research (proposed heading).
Revise the heading of § 2.52 to reflect statutory language. To further align Part 2 with the Privacy Rule, replace the requirements to render Part 2 data in research reports non identifiable with the Privacy Rule's de-identification standard in 45 CFR 164.514.
25. § 2.53—Management audits, financial audits, and program evaluation (proposed heading).
Revise the heading of § 2.53 to reflect statutory language. To support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, add a provision to acknowledge the permission for use and disclosure of records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a Part 2 program, covered entity, or business associate.
26. § 2.54—Disclosures for public health (proposed heading).
Add a new § 2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.
27. Subpart E—Court Orders Authorizing Use and Disclosure (proposed heading).
Change the heading of subpart E to reflect changes made to the provisions of this subpart related to the uses and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act.
28. § 2.61—Legal effect of order.
Add the term “use” to clarify that the legal effect of a court order would include authorizing the use and disclosure of records, consistent with 42 U.S.C. 290dd-2(b) and (c), as amended by section 3221(e) of the CARES Act.
29. § 2.62—Order not applicable to records disclosed without consent to researchers, auditors, and evaluators.
For clarity, replace the term “qualified personnel” with a reference to the criteria that define such persons.
30. § 2.63—Confidential communications.
Revise paragraph (c) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the CARES Act.
31. § 2.64—Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes (proposed heading).
Expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply [28] to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order. Add the term “uses” to the heading and in this section to align it with current statutory authority.
32. § 2.65—Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading).
Expand the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply [29] to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a Part 2 record in criminal proceedings against patients, absent consent or a court order.
33. § 2.66—Procedures and criteria for orders authorizing use and disclosure to investigate or prosecute a part 2 program or the person holding the records (proposed heading).
Create requirements for investigative agencies to follow in the event they discover in good faith that they received Part 2 records during an investigation or prosecution of a Part 2 program or the person holding the records before seeking a court order as required under § 2.66.
34. § 2.67—Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.
Add new criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b).
35. § 2.68—Report to the Secretary (proposed heading).
Create new requirements for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of Part 2 records or placement of an undercover agent or informant as provided in § 2.66 and § 2.67.
36. 45 CFR 164.520—Notice of privacy practices for protected health information.
Revise 45 CFR 164.520 to implement updates to the NPP to address Part 2 confidentiality requirements, as required by section 3221(i)(2) of the CARES Act.
Background and Need for Proposed Rule
There are approximately 16,066 publicly funded SUD treatment facilities [30] and 1.8 million HIPAA covered entities and business associates, with an unknown percentage of entities subject to both HIPAA and Part 2. Part 2 records often also meet the definition of PHI when maintained by HIPAA covered entities (or their business associates on the covered entities' behalf). To ensure compliance with both sets of regulatory requirements, dually regulated entities subject to both Part 2 and the HIPAA Rules ( i.e., covered entities that also are Part 2 programs) must track and segregate the records that are subject to Part 2 from the records that are subject only to the HIPAA Rules and obtain specific written consent for most uses and disclosures of Part 2 records (including uses and disclosures for non-emergency treatment purposes). The Department has been urged by many stakeholders to change Part 2 to eliminate the need for data segmentation.[31]
Start Printed Page 74221The preamble to the 2000 Final Privacy Rule explained how entities subject to the Privacy Rule and Part 2 could comply with both rules because in most cases the rules do not conflict. The Privacy Rule permits, but does not require, some disclosures that are not permitted by Part 2. Complying with Part 2's prohibitions on such disclosures would not be a violation of the Privacy Rule. And in instances where Part 2 permits disclosures that would otherwise be restricted by the Privacy Rule, an entity that is subject to both sets of regulations would be able to comply with the Privacy Rule's restrictions without violating Part 2.[32]
Although the Department intended to facilitate compliance by entities subject to both regulatory schemes, significant differences in the statutorily permitted uses and disclosures of Part 2 records and PHI contributed to ongoing operational compliance challenges. For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule's limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the redisclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.[33 34]
Regarding Part 2 records, a treating provider that is not a Part 2 program could record information about the treatment of an individual's SUD in its non-Part 2 records, even if it gleaned the information from a Part 2 record, and the information in the non-Part 2 records would not be subject to Part 2; however, any Part 2 records received from a Part 2 program or other lawful holder would need to be segregated or segmented.[35] Previously, the need to segment Part 2 records from other health records created data “silos” that hampered the integration of SUD treatment records into covered entities' electronic record systems and billing processes. Some lawmakers have argued that these silos perpetuated negative stereotypes about persons with SUD and inhibited coordination of care [36 37] during the opioid epidemic.[38] In 2019, the National Association of Attorneys General (NAAG) urged Congress to update the 40-year-old Part 2 regulation that was created in a time of “intense stigma” surrounding SUD treatment because it now serves to “perpetuate that stigma, as the principle underlying these rules is that [SUD] treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases.” [39] In that same year “nearly 50,000 people in the United States died from opioid-involved overdoses.” [40] During a congressional hearing, “The Opioid Crisis: The Role of Technology and Data in Preventing and Treating Addiction,” Senator Patty Murray (D-WA) observed that, “[t]echnology and data offer important opportunities to address the opioid crisis, to prevent addi[c]tion, and avoid the tragedy so many families are facing.” [41]
To address these concerns, Congress enacted the CARES Act, which requires the Department to promulgate regulations modifying the confidentiality requirements for Part 2 records.[42] This rulemaking proposes modifications to 42 CFR part 2 and the Privacy Rule that are necessary to implement the statutory amendments made to 42 U.S.C. 290dd-2, and additional modifications to Part 2 to better align certain provisions of Part 2 to the Privacy Rule and address concerns about potential liability for government agencies in the course of investigating and prosecuting Part 2 programs under the new penalties and enforcement scheme.
A. Statutory and Regulatory Background
Congress enacted the first federal confidentiality protections for SUD records in section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.[43] The statute authorized “persons engaged in research on, or treatment with respect to, alcohol abuse and alcoholism to protect the privacy of individuals who [were] the subject of such research or treatment” from persons not connected with the conduct of the research or treatment by withholding identifying information.
Section 408 of the Drug Abuse Office and Treatment Act of 1972 [44] applied confidentiality requirements to records relating to drug abuse prevention authorized or assisted under any provision of the Act. Section 408 permitted disclosure, with a patient's written consent, for diagnosis or treatment by medical personnel and to government personnel for obtaining patient benefits to which the patient is entitled. The 1972 Act also established exceptions to the consent requirement to permit disclosures for bona fide medical emergencies; to qualified personnel for conducting certain activities, such as scientific research or financial audit or program evaluation, as long as the patient is not identified in any reports; and as authorized by court Start Printed Page 74222 order granted after application showing good cause.[45]
The Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974 [46] expanded the types of records protected by confidentiality restrictions to include records relating to alcoholism, alcohol abuse, and drug abuse prevention, maintained in connection with any program or activity conducted, regulated, or directly or indirectly federally assisted by any United States agency. The 1974 Act also permitted the disclosure of records based on prior written patient consent only to the extent such disclosures were allowed under Federal regulations. Additionally, the 1974 Act excluded the interchange of records within the Armed Forces or components of the U.S. Department of Veterans Affairs (VA), then known as the Veterans' Administration, from the confidentiality restrictions.[47]
In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act (ADAMHA Reorganization Act) [48] added section 543, Confidentiality of Records, to the Public Health Service Act (PHSA) (codified at 42 U.S.C. 290dd-2) (“Part 2 statute”), which narrowed the grounds upon which a court could grant an order permitting disclosure of such records from “good cause” ( i.e., based on weighing the public interest in the need for disclosure against the injury to the patient, physician patient relationship and treatment services) [49] to “the need to avert a substantial risk of death or serious bodily harm.” [50] Congress also established criminal penalties for Part 2 violations under title 18 of the United States Code, Crimes and Criminal Procedure.[51] Finally, section 543 granted broad authority to the Secretary to prescribe regulations to carry out the purposes of section 543 and provide for safeguards and procedures, including criteria for the issuance and scope of court orders to authorize disclosure of SUD records, “as in the judgment of the Secretary are necessary or proper to effectuate the purposes of this section, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.” [52]
In 1975, the Department, promulgated the first federal regulations implementing statutory SUD confidentiality provisions at 42 CFR part 2.[53] In 1987, the Department published a final rule making substantive changes to the scope of Part 2 to clarify the regulations and ease the burden of compliance by Part 2 programs within the parameters of the existing statutory restrictions.[54] After the 1992 enactment of the ADAMHA Reorganization Act (Pub. L. 102-321), the Department later clarified the definition of “program” in a 1995 final rule to narrow the scope of Part 2 regulations pertaining to medical facilities to cover only those entities or units within a general medical facility that hold themselves out as providing diagnosis, treatment, or referral for treatment, or specialized personnel (who are identified as providing such services as a primary function) and which directly or indirectly receive federal assistance.[55]
HIPAA and the HITECH Act
In 1996, Congress enacted HIPAA,[56] which included Administrative Simplification provisions requiring the establishment of national standards [57] to protect the privacy and security of individuals' health information and establishing civil money and criminal penalties for violations of the requirements, among other provisions.[58] The Administrative Simplification provisions and implementing regulations apply to covered entities, which are health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.[59] Certain provisions of the HIPAA Rules also apply directly to business associates of covered entities.[60]
The Privacy Rule, including provisions implemented as a result of the HITECH Act,[61] regulates the use and disclosure of PHI by covered entities and business associates, requires covered entities to have safeguards in place to protect the privacy of PHI, and requires covered entities to obtain the written authorization of an individual to use and disclose the individual's PHI unless otherwise permitted by the Privacy Rule.[62] The Privacy Rule includes several use and disclosure permissions that are relevant to this NPRM, including the permissions for covered entities to use and disclose PHI without written authorization from an individual for TPO; [63] to public health authorities for public health purposes; [64] and for research in the form of a limited data set [65] or pursuant to a waiver of authorization by a Privacy Board or Institutional Review Board.[66] The Privacy Rule also establishes the rights of individuals with respect to their PHI, including the rights to: receive adequate notice of a covered entity's privacy Start Printed Page 74223 practices; to request restrictions of certain uses and disclosures; to access ( i.e., to inspect and obtain a copy of) their PHI; to request an amendment of their PHI; and to receive an accounting of certain disclosures of their PHI.[67] Finally, the Privacy Rule specifies standards for de-identification of PHI such that, when applied, the information is no longer individually identifiable health information and subject to the HIPAA Rules.[68]
The Security Rule, codified at 45 CFR parts 160 and 164, subparts A and C, requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Specifically, covered entities and business associates must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; [69] protect against reasonably anticipated threats or hazards to the security or integrity of the information [70] and reasonably anticipated impermissible uses or disclosures; [71] and ensure compliance by their workforce.[72]
The Breach Notification Rule, codified at 45 CFR parts 160 and 164, subparts A and D, implements HITECH Act requirements [73] for covered entities to provide notification to affected individuals, the Secretary, and in some cases the media, following a breach of unsecured PHI. The Breach Notification Rule also requires a covered entity's business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of “unsecured” PHI, subject to three exceptions: [74] (1) the unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority; (2) the inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate, or organized health care arrangement (OHCA) in which the covered entity participates; and (3) the covered entity or business associate making the disclosure has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
The Breach Notification Rule provides that a covered entity may rebut the presumption that such impermissible use or disclosure constituted a breach by demonstrating that there is a low probability that PHI has been compromised based on a risk assessment of at least four required factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.[75]
The Enforcement Rule, codified at 45 CFR part 160, subparts C, D, and E, includes standards and procedures relating to investigations into complaints about noncompliance with the HIPAA Rules, compliance reviews, the imposition of (CMPs), and procedures for hearings. The Enforcement Rule states generally that the Secretary will impose a CMP upon a covered entity or business associate if the Secretary determines that the covered entity or business associate violated a HIPAA Administrative Simplification provision.[76] However, the Enforcement Rule also provides for informal resolution of potential noncompliance,[77] which occurs through voluntary compliance by the regulated entity, corrective action, or a resolution agreement with the payment of a settlement amount to OCR.
The Department promulgated or modified key provisions of the HIPAA Rules as part of the 2013 Omnibus Final Rule, in which the Department implemented applicable provisions of the HITECH Act, among other modifications. For example, the Department strengthened privacy and security protections for PHI, finalized breach notification requirements, and enhanced enforcement by increasing potential CMPs for violations, including establishing tiers of penalties based on entities' level of culpability.[78] The Secretary of HHS delegated authority to OCR to make decisions regarding the implementation and interpretation of the Privacy, Security, Breach Notification, and Enforcement Rules.[79] [80]
Earlier Efforts To Align Part 2 With the HIPAA Rules
Prior to amendment by the CARES Act, section 290dd-2 provided that records could be disclosed only with the patient's specific written consent for each disclosure, with limited exceptions.[81] The exceptions related to records maintained by VA or the Armed Forces and, for example, disclosures for continuity of care in emergency situations or between personnel who have a need for the information in connection with their duties that arise out of the provision of the diagnosis, treatment, or referral for treatment of patients with SUD.[82] The exceptions did not include, for example, a disclosure of Part 2 records by a Part 2 program to a third-party medical provider to treat a condition other than SUD absent an emergency situation. Therefore, the current Part 2 implementing regulations require specific patient consent for most uses and disclosures of Part 2 records, including for non-emergency treatment purposes. In contrast, the Privacy Rule permits covered entities to use and disclose an individual's PHI for TPO without the individual's valid HIPAA authorization.[83]
The Department has modified and clarified Part 2 several times to align certain provisions more closely with the Privacy Rule,[84] address changes in health information technology, and provide greater flexibility for disclosures of patient identifying information within the health care system, while continuing to protect the confidentiality of Part 2 records.[85] For example, the Department clarified in a 2017 final rule that the definition of “patient identifying information” in Part 2 includes the individual identifiers listed in the Privacy Rule at Start Printed Page 74224 45 CFR 164.514(b)(2)(i) for those identifiers that are not already listed in the Part 2 definition.[86]
In 2018, the Department issued a final rule clarifying the circumstances under which lawful holders and their legal representatives, contractors, and subcontractors could use and disclose Part 2 records related to payment and health care operations in § 2.33(b) and for audit or evaluation-related purposes. The Department clarified that previously listed types of payment and health care operations uses and disclosures under the lawful holder permission in § 2.33(b) were illustrative, and not necessarily definitive so as to be included in regulatory text.[87] The Department also acknowledged the similarity of the list of activities to those included in the Privacy Rule definition of “health care operations” but declined to fully incorporate that definition into Part 2.[88] The Department specifically excluded care coordination and case management from the list of payment and health care operations activities permitted without patient consent under Part 2 based on a determination that these activities are akin to treatment. The Department also codified in regulatory text language for an abbreviated notice to accompany disclosure of Part 2 records.[89] Although the rule retained the requirement that a patient must consent before a lawful holder may redisclose Part 2 records for treatment,[90] the Department explained that the purpose of the Part 2 regulations is to ensure that a patient is not made more vulnerable by reason of the availability of a treatment record than an individual with a SUD who chooses not to seek treatment. The Department simultaneously recognized the legitimate needs of lawful holders to obtain payment and conduct health care operations as long as the core protections of Part 2 are maintained.[91]
In a final rule published July 15, 2020,[92] the Department retained the requirement that programs obtain prior written consent before disclosing Part 2 records in the first instance (outside of recognized exceptions). At the same time the Department reversed its previous exclusion of care coordination and case management from the list of payment and health care operations in § 2.33(b) for which a lawful holder may make further disclosures to its contractors, subcontractors, and legal representatives.[93] The Department based this change on comments received on the proposed rule in 2019 and on section 3221(d)(4) of the CARES Act, which incorporated the Privacy Rule definition of health care operations, including care coordination and case management activities, into paragraph (k)(4) of 42 U.S.C. 290dd-2.[94] The July 2020 final rule also modified the consent requirements in § 2.31 by establishing special requirements for written consent [95] when the recipient of Part 2 records is a health information exchange (HIE) (as defined in 45 CFR 171.102 [96] ). In this NPRM, the Department now proposes a definition for the term “intermediary” [97] to further facilitate the exchange of Part 2 records in new models of care, including those involving an HIE, a research institution providing treatment, an accountable care organization, or a care management organization.
The Department again modified Part 2 on December 14, 2020,[98] by amending the confidential communications section of § 2.63(a)(2), which enumerated a basis for a court order authorizing the use of a record when “the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient.” The December 2020 final rule removed the phrase “allegedly committed by the patient,” explaining that the phrase was included in previous rulemaking by error, and clarifying that a court has the authority to permit disclosure of confidential communications when the disclosure is necessary in connection with investigation or prosecution of an extremely serious crime that was allegedly committed by either a patient or an individual other than the patient.
Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act
On March 27, 2020, Congress enacted the CARES Act [99] to provide emergency assistance to individuals, families, and businesses affected by the COVID-19 pandemic. Section 3221 of the CARES Act, Confidentiality and Disclosure of Records Relating to Substance Use Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align federal privacy standards applicable to Part 2 records with HIPAA and HITECH Act privacy use and disclosure standards, breach notification standards, and enforcement authorities that apply to PHI, among other modifications.
The requirements in sections 42 U.S.C. 290dd-2(b), (c), and (f), as amended by section 3221 of the CARES Act, with respect to patient consent and redisclosures of SUD records, now align more closely with Privacy Rule provisions permitting uses and disclosures for TPO and establish certain patient rights with respect to their Part 2 records consistent with provisions of the HITECH Act; restrict the use and disclosure of Part 2 records in legal proceedings; and set civil and criminal penalties for violations, respectively. Section 3221 also amended 42 U.S.C. 290dd-2j) and (k) by adding HITECH Act breach notification requirements and new terms and definitions consistent with the HIPAA Rules and the HITECH Act, respectively. Finally, section 3221 requires the Department to modify the NPP [100] requirements at 45 CFR 164.520 so that covered entities and Part 2 programs provide notice to individuals regarding privacy practices related to Part 2 records, including patients' rights and uses and disclosures that are permitted or required without authorization.
Paragraph (b) of section 3221, Disclosures to Covered Entities Consistent with HIPAA, adds a new paragraph (1), Consent, to section 543 of the PHSA [101] and expands the ability of covered entities, business associates, and Part 2 programs to use and disclose Part 2 records for TPO. The text of section 3221(b) adding paragraph (1)(B) to 42 U.S.C. 290dd-2 states that once Start Printed Page 74225 prior written consent of the patient has been obtained, those contents may be used or disclosed by a covered entity, business associate, or a program subject to this section for the purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations. Any disclosed information may then be redisclosed in accordance with the HIPAA regulations.
To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a general written consent covering all future uses and disclosures for TPO “as permitted by the HIPAA regulations,” and expressly permits the redisclosure of Part 2 records received for TPO “in accordance with the HIPAA regulations,” the Department believes that this means that the entity receiving the records based on such general consent, and then redisclosing the records, must be a covered entity, business associate, or Part 2 program. The Department's proposals throughout this NPRM are premised on its reading of section 3221(b) as applying to redisclosures of Part 2 records by covered entities, business associates, and Part 2 programs, including those covered entities that are Part 2 programs.
In addition to the provisions of section 3221 described above, paragraph (g) of section 3221, Antidiscrimination, adds a new provision (i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an individual based on their Part 2 records in: (A) admission, access to, or treatment for health care; (B) hiring, firing, or terms of employment, or receipt of worker's compensation; (C) the sale, rental, or continued rental of housing; (D) access to Federal, State, or local courts; or (E) access to or maintenance of social services and benefits provided or funded by Federal, State, or local governments.[102] Further, the new paragraph (i)(2) prohibits discrimination by any recipient of Federal funds against individuals based on their Part 2 records.[103] As a recent legal analysis noted, “The decision to protect individuals whose disclosed patient records reveal or appear to reveal current illegal use of drugs is also consistent with Section 3221's specific purpose to remove well-founded fear of discrimination as a barrier to treatment.”[104] Patients with SUD who are currently using illegal drugs are not protected from discrimination on the basis of their illegal drug use under existing law of the Rehabilitation Act of 1973,[105] Americans with Disabilities Act (ADA),[106] the Affordable Care Act,[107] and the Fair Housing Act.[108] The CARES Act nondiscrimination provision, in conjunction with the newly applicable HITECH Act penalty tiers, will serve to protect the treatment records of all patients with SUD, whether or not they are currently using illicit drugs. The Department intends to implement the CARES Act antidiscrimination provisions in a separate rulemaking.
Section-by-Section Description of Proposed Amendments to 42 CFR Part 2
Below, the Department describes the proposals in this NPRM to amend 42 CFR part 2 and 45 CFR 164.520 to implement changes made to 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES Act. Some of the Department's proposals are not expressly required by the CARES Act, but are proposed to align the language of this part with that in the Privacy Rule and to clarify already-existing Part 2 permissions or restrictions. The Department believes these additional proposals fall within the Department's scope of regulatory authority and are necessary to facilitate implementation of the CARES Act. For example, consistently throughout this NPRM, the Department proposes to re-order the terms “disclosure and use” to “use and disclosure” [109] to better align the language of Part 2 with the Privacy Rule which generally regulates the “use and disclosure” of PHI.[110] The Department does not believe these proposed changes are substantive, but requests comment on this assumption. In another example, the Department proposes to add the term “use” to where only the term “disclose” exists in regulatory text, or in some cases to add the term “disclose” to an existing “use” because it more accurately describes the scope of the activity that is the subject of the regulatory provision or could be within the scope of the activity. These changes are aligned with changes made to 42 U.S.C. 290dd-2 paragraph (b)(1)(A) by section 3221(b) of the CARES Act (providing that Part 2 records may be used or disclosed in accordance with prior written consent); to 42 U.S.C. 290dd-2(b)(1)(B) and (b)(1)(C) by section 3221(b) of the CARES Act (providing that the contents of Part 2 records may be used or disclosed by covered entities, business associates, or programs in accordance with the HIPAA Rules for TPO purposes); and to paragraph 42 U.S.C. 290dd-2(c) by section 3221(e) of the CARES Act (prohibiting disclosure and use of Part 2 records in proceedings against the patient). The Department describes these proposed additions of terms in each section of this NPRM where applicable.[111] The Department requests Start Printed Page 74226 comment on its proposals to reorder the terms “use” and “disclosure” as described, and to add the term “use” to clarify these regulations as described above.
In addition, the Department proposes changes to subpart E, Court Orders Authorizing Use and Disclosure, relying on both the Secretary's broad rulemaking authority under section 543 of the PHSA and on the authority granted in section 3221 of the CARES Act. The Department proposes to heighten protections against use or disclosure of records in proceedings against patients by aligning the regulatory language regarding the scope of proceedings to which subpart E applies with the amended statute to expressly include administrative and legislative proceedings [112] and to expressly include testimony that relays information contained in records.[113] Additionally, the Department is adopting the HIPAA phrasing of “use and disclosure” in most instances where only one of those terms is used in the current regulation, including throughout subpart E.
The Department also proposes additional changes to facilitate compliance by investigative agencies when they seek records for investigations and prosecutions of Part 2 programs pursuant to applicable authorities. In particular, the Department proposes to limit liability for violations when an investigative agency unknowingly receives Part 2 records in the course of investigating a Part 2 program or person holding Part 2 records, provided the agency takes certain actions, and to require annual reporting to the Secretary by investigative agencies about the use of the proposed safe harbor. The Department is proposing these changes because the Department believes the proposals are a necessary consequence of the new enforcement penalties for violations of Part 2 [114] pursuant to 42 U.S.C. 290dd-2(f) as amended by section 3221 (f) and the expanded scope of proceedings where a court order is required [115] pursuant to 42 U.S.C. 290dd-2(c) as amended by section 3221(e). In particular, the Department understands that investigative agencies could potentially become subject to the new penalties for violations in the event that they are unaware that a provider under investigation is subject to Part 2 and as a result they fail to follow the requirements of subpart E before obtaining the provider's records. The Department requests comment on these additional proposed changes.
The Department further requests comment on all proposals described in the following paragraphs of this NPRM, including those expressly implementing CARES Act amendments to section 290dd-2, those the Department describes as necessary to further align this part with the Privacy Rule, and those proposals described as necessary to clarify the full scope of activities that it is regulating in this part. The Department also requests comment on all aspects of the Regulatory Impact Analysis, including the assumptions and estimates about the costs and benefits of the proposed changes, and the alternatives the Department considered when developing the proposals in this NPRM. The Department proposes the following amendments to this part:
A. § 2.1—Statutory Authority for Confidentiality of Substance Use Disorder Patient Records
The Department proposes to revise § 2.1 to more closely align this section with the statutory text of 42 U.S.C. 290dd-2(g) and add references to subsection 290dd-2(b)(2)(C) related to the issuance of court orders authorizing disclosures of Part 2 records.
§ 2.2—Purpose and Effect
Section 2.2 of 42 CFR part 2 establishes the purpose and effect of regulations imposed in this part upon the use and disclosure of Part 2 records. The Department proposes to add language to paragraph (b) of § 2.2 to conform that paragraph to changes proposed to § 2.3(b) that would compel disclosures to the Secretary that are necessary for enforcement of this rule. The new language is adapted from a similar provision of the Privacy Rule at 45 CFR 164.502(a)(2)(ii).
The Department also proposes to replace the phrase “disclosure and use” by re-ordering the phrase to “use or disclosure” at §§ 2.2(a), (a)(4), and 2.2(b)(1), to align the language with that used in the Privacy Rule.
The Department proposes several changes in § 2.2 that would facilitate implementation of the CARES Act in general. For example, in §§ 2.2(a)(2), (a)(3), and (b)(1), the Department proposes to add the phrase “uses and” in front of the existing term “disclose” or “disclosures.” The Department proposes these additions in §§ 2.2(a)(2) and (3), which list subparts C and D of this part, to conform to changes the Department proposes to the heading titles of subparts C and D. In those heading titles, the Department proposes to refer to “Uses and Disclosures with Patient Consent” and “Uses and Disclosures without Patient Consent” respectively.
In § 2.2(b)(1), Effect, the Department proposes to refer to “use and disclosure” instead of only “disclosure” to better describe how the regulations in this part, as modified by the CARES Act, prohibit the “use and disclosure” of Part 2 records. The Department proposes to modify the end of § 2.2(b)(1) to provide that the regulations generally do not generally require the use or disclosure of Part 2 records under any circumstance except when disclosure is required by the Secretary to investigate or determine a person's compliance with this part pursuant to § 2.3(b), now proposed for modification to reflect newly required civil and criminal penalties for violations of this part.
Finally, the Department proposes to add a new paragraph (b)(3) to § 2.2 to incorporate the rules of construction in section 3221(j)(1) and (2) of the CARES Act. Accordingly, the proposed paragraphs would provide that nothing in this part shall be construed to limit a patient's right to request restrictions on use of records for TPO or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.
In addition to the above-described proposed amendments to § 2.2, the Department proposes minor wording changes to improve readability or conform the use of terms to newly proposed definitions. These proposals are reflected in proposed regulatory text and may be reflected throughout this NPRM and include:
- Inserting a parenthetical reference to “records” to reflect how the Department proposes to refer to SUD records; and
- Striking the word “patient” from in front of the term “record”.
The Department requests comments on all proposed changes to this section. Start Printed Page 74227
§ 2.3—Civil and Criminal Penalties for Violations (Proposed Heading)
Section 2.3 of 42 CFR part 2 currently requires that any person who violates any provision of the Part 2 regulations be criminally fined in accordance with title 18 U.S.C. As amended by section 3221(f) of the CARES Act, 42 U.S.C. 290dd-2(f) applies the provisions of §§ 1176 and 1177 of the Social Security Act to a Part 2 program for a violation of 42 CFR part 2 in the same manner as they apply to a covered entity for a violation of part C of title XI of the Social Security Act. Therefore, the Department proposes to replace title 18 criminal enforcement with civil and criminal penalties under §§ 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as implemented in the Enforcement Rule.
Specifically, the Department proposes to rename § 2.3 as Civil and criminal penalties for violations and reorganize § 2.3 into section paragraphs 2.3(a), (b), and (c). Proposed § 2.3(a) would incorporate the penalty provisions of 42 U.S.C. 290dd-2(f), which apply the civil and criminal penalties of §§ 1176 and 1177 of the Social Security Act, respectively, to violations of Part 2.
After consultation with the Department of Justice, the Department proposes in § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies when, in the course of investigating or prosecuting a Part 2 program or other person holding Part 2 records, they may unknowingly receive Part 2 records without first obtaining the requisite court order, provided that specified conditions are met. Such a safe harbor, as proposed, would be limited to only instances where records are obtained for the purposes of investigating a program or person holding the record, not a patient. Investigative agencies are required to follow Part 2 requirements for obtaining, using, and disclosing Part 2 records as part of an investigation or prosecution; such requirements include seeking a court order, filing protective orders, maintaining security for records, and ensuring that records obtained in program investigations are not used in legal actions against patients who are the subjects of the records. Investigative agencies' potential liability for violating Part 2 has increased due to the expanded application of HIPAA/HITECH Act penalties for violations, codified at 42 U.S.C. 1320d-5 (CMPs) and 1320d-6 (criminal penalties), to violations of Part 2. In addition, the need for investigation and prosecution of bad actors has increased in accordance with the intensity and duration of the opioid overdose epidemic.[116] The Department solicits comments on the need for investigation of Part 2 programs and holders of Part 2 records and a related safe harbor for law enforcement due to proposed changes in enforcement of Part 2 requirements.
To address concerns about potential liability for Part 2 violations arising from investigators who, in good faith, unknowingly receive Part 2 records, the Department proposes at § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive Part 2 records without first obtaining the required court order while investigating or prosecuting a Part 2 program or other person holding Part 2 records (or their employees or agents). The limitation on liability would be available for uses or disclosures inconsistent with Part 2 when the person acted with reasonable diligence to determine in advance whether Part 2 applied to the records or program. Paragraph (b)(1) would also clarify what constitutes “reasonable diligence” in determining whether Part 2 applies to a record or program before an investigative agency makes an investigative demand or places an undercover agent with the program or person holding the records. Reasonable diligence would require acting within a reasonable period of time, but no more than 60 days prior to, the request for records or placement of an undercover agent or informant. Reasonable diligence would include taking the following actions to determine whether a health care practice or provider (where it is reasonable to believe that the practice or provider provides SUD diagnostic, treatment, or referral for treatment services) provides such services by:
(1) checking a prescription drug monitoring program in the state where the provider is located, if available and accessible to the agency under state law; or
(2) checking the website or physical location of the provider.
In addition, § 2.3(b) would require an investigative agency to meet any other applicable requirements within Part 2 for any use or disclosure of the records that occurred, or will occur, after the investigative agency knew, or by exercising reasonable diligence would have known, that it received Part 2 records. The Department has added applicable requirements in § 2.66 and § 2.67, discussed below, and requests comment on the impact of the proposed safe harbor on patient privacy and access to SUD treatment.
The proposed safe harbor could promote public safety by permitting government agencies to investigate or prosecute Part 2 programs and persons holding Part 2 records for suspected criminal activity, in good faith without risk of HIPAA/HITECH Act penalties. The current rule contains no mechanism for an investigative agency to correct an error if it unknowingly obtains Part 2 records and as a result fails to obtain the required court order in advance. By proposing a pathway for investigative agencies to seek the required court order after the fact (a pathway that is only available for agencies that have first exercised reasonable diligence to determine in advance whether Part 2 applies), the proposal creates an incentive for investigative agencies to take steps that should reduce the need for “after the fact” court orders. Thus, investigative agencies that follow the proposed reasonable diligence steps and yet unknowingly receive Part 2 records and then seek a court order would be less likely to be denied on the basis of a procedural shortcoming and would not risk incurring HIPAA/HITECH Act penalties. Investigative agencies that do not use reasonable diligence as proposed at § 2.3(b)(1) would be precluded from seeking a court order to use or disclose Part 2 records that they later discover in their possession.
The Department acknowledges that proposed § 2.3(b) may be viewed as a reduction in privacy protection, but believes that the exclusive application to investigations and prosecution of programs and holders of records affords an overall benefit without harming patient confidentiality when the proposed additional protections in §§ 2.66 and 2.67 are applied.[117] The Department has limited the proposed safe harbor to investigative agencies that unknowingly obtain Part 2 records and relies on the CMP tiers to allow appropriate flexibility when a Part 2 program has unknowingly violated Part 2. However, the Department solicits comments on situations for which a safe harbor should be considered for SUD providers that unknowingly hold Part 2 records and unknowingly disclose them Start Printed Page 74228 in violation of Part 2. As mentioned above, the Department also solicits comments on the impact of this proposed safe harbor to patient privacy and access to SUD treatment.
The Department does not intend to modify the applicability of § 2.12 or § 2.53 for investigative agencies, but to make the proposed safe harbor available in those situations where a court order would otherwise be required for a government agency to use or disclose records under these regulations. Thus, under § 2.12(c) an agency with direct administrative control over a Part 2 program still would not be subject to the Part 2 limits on communications between the program and the agency for purposes of diagnosis, treatment, or referral of patients, although the agency is also an investigative agency due to its supervisory role. Similarly, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for Part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and Children's Health Insurance Program (CHIP).
Proposed § 2.3(c) would specify that the Enforcement Rule [118] shall apply to violations of Part 2 in the same manner as they apply to covered entities and business associates for violations of part C of title XI of the Social Security Act and its implementing regulations with respect to PHI.[119] The Department requests comment on the likely benefits and costs of these proposed changes.
§ 2.4—Complaints of Violations (Proposed Heading)
Paragraphs (a) and (b) of this section currently provide that reports of violations of the Part 2 regulations may be directed to the U.S. Attorney for the judicial district in which the violation occurs and reports of any violation by an opioid treatment program may be directed to the U.S. Attorney and also to the Substance Abuse and Mental Health Services Administration (SAMHSA). Section 290dd-2(f), as amended by section 3221(f) of the CARES Act, grants civil enforcement authority to the Department, which currently exercises its HIPAA enforcement authority under 1176 of the Social Security Act in accordance with the Enforcement Rule. To implement the change from U.S. Attorney enforcement, the Department proposes to re-title the heading to this section, replacing “Reports of violations” with “Complaints of violations,” and to replace the existing provisions about directing reports of Part 2 violations to the U.S. Attorney's Office and to SAMHSA with provisions about filing complaints of potential violations with a Part 2 program or the Secretary. The Department notes that SAMHSA continues to regulate opioid treatment programs (OTPs) and may receive reports of alleged violations by OTPs of federal opioid treatment standards, including privacy and confidentiality requirements.
Specifically, the Department proposes to add § 2.4(a) to require a Part 2 program to have a process to receive complaints concerning the program's compliance with the Part 2 regulations. Proposed § 2.4(b) would provide that a program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise of any right established, or for participation in any process provided for, in Part 2, including the filing of a complaint. The Department also proposes to add § 2.4(c) to prohibit a program from requiring patients to waive their right to file a complaint as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to Part 2.
The proposed changes to § 2.4 would align Part 2 with Privacy Rule provisions concerning complaints. Section 2.4(a) is consistent with the administrative requirements in 45 CFR 164.530(d), Standard: Complaints to the covered entity. Proposed § 2.4(b) would align with the Privacy Rule provision at 45 CFR 164.530(g), Standard: Refraining from intimidating or retaliatory acts. The proposed § 2.4(c) would be consistent with the Privacy Rule provision at 45 CFR 164.530(h), Standard: Waiver of rights. Thus, Part 2 programs that are also covered entities already have these administrative requirements in place, but programs that are not covered entities would need to adopt new policies and procedures.
The Department requests comment on these proposed changes, including any concerns about potential unintended negative consequences on programs or patients of aligning § 2.4 with the cited provisions of the Privacy Rule.
§ 2.11—Definitions
Section 2.11 includes definitions for key regulatory terms in 42 CFR part 2. The Department proposes to add thirteen defined regulatory terms and modify the definitions of ten existing terms. The proposed new or modified definitions would be: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Informant, Intermediary, Investigative agency, Part 2 program director, Patient, Payment, Person, Program, Public health authority, Qualified service organization, Records, Third-party payer, Treating provider relationship, Treatment, Unsecured protected health information, Unsecured record, and Use. Most of these terms and definitions would be added or modified by referencing existing HIPAA regulatory terms in 45 CFR parts 160 and 164, either in accordance with the adoption of such definitions by section 3221(d) of the CARES Act, which added paragraph (k) (containing definitions) to 42 U.S.C. 290dd-2, or as a logical outgrowth of CARES Act amendments. Several other definitions would be modified for clarity and consistency, as described below. The Department requests comment on all proposals to add new or modify existing definitions to this part. Breach. The proposed definition of Breach would adopt the Breach Notification Rule definition by reference to 45 CFR 164.402, but as applied to Part 2 records rather than to PHI. The Department proposes this definition to implement paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations. Because the CARES Act requires Part 2 programs to comply with HITECH Act breach notification requirements, a Part 2 regulatory definition of breach is necessary to implement and enforce these requirements.
Business associate. The Department proposes to adopt the same meaning of this term as is used in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Covered entity. The Department proposes to adopt the same meaning of this term as is used in the HIPAA Rule. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd- Start Printed Page 74229 2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Health care operations. The proposal would incorporate the HIPAA Privacy Rule definition for health care operations.[120]
HIPAA. Although not required by the CARES Act, the Department proposes to add a definition of HIPAA that encompasses the statutory and regulatory provisions pertaining to the privacy, security, breach notification, and enforcement standards with respect to PHI. This definition would exclude other components of the HIPAA statute, such as insurance portability, and other HIPAA regulatory standards, such as the standard electronic transactions regulation, which are not relevant to this proposed rule. The Department proposes this definition to make clear the specific components of the relevant statutes that would be incorporated into this part.
HIPAA regulations. The current rule does not define HIPAA regulations. The proposed definition is based on the statutory definition added by the CARES Act and has the same meaning as “HIPAA Rules,” which refers to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, when used in this document, OCR rulemaking, and OCR's guidance and other materials. For purposes of this rulemaking, the term does not include Standard Unique Identifiers, Standard Electronic Transactions, and Code Sets, 42 CFR part 162—Administrative Requirements.
Informant. Within the definition of “informant,” the Department proposes to replace the term “individual” with the term “person” as is used in the HIPAA Rules and discussed below.
Intermediary. The current rule uses the term intermediary in § 2.13(d)(2) [121] without providing a definition. To improve understanding of the requirements for intermediaries, and to distinguish those requirements from the proposed accounting of disclosure requirements, the Department proposes to establish a definition of intermediary.
Examples of an intermediary include, but are not limited to, a health information exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization. In contrast, a research institution that is not providing treatment or a health app that is providing individual patients with access to their records would not be considered an intermediary. Member participants of an intermediary refers to health care provider practices or health-related organizations. It does not include individual health plan subscribers or workforce members who share access to the same electronic health record system.
In the current rule, if a patient provides a written consent that is specific to treatment, the general designation of a recipient entity who is an intermediary may be used and the patient would have a right to obtain a list of recipients to whom the intermediary has disclosed their record.
Under section 3221 of the CARES Act, a patient consent may contain a general designation of recipients for treatment, payment, and health care operations. Without regulatory clarification this could result in the recipients exchanging health information through an HIE/HIN or other means without triggering the intermediary requirements. To avoid this unintended consequence, the Department proposes additional changes to § 2.31(a)(4) to ensure that intermediaries continue to be named whenever they are used to exchange Part 2 records.
Under this proposal, an intermediary would be a person who has received records, under a general designation in a written patient consent, for the purpose of disclosing the records to one or more of its member participants who has a treating provider relationship with the patient. The term intermediary is based on the function of the person—receiving records and disclosing them to other providers as a key element of its role—rather than on a title or category of an organization or business. For example, an electronic health record vendor that enables entities at two different health systems to share records likely would be an intermediary. That same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient's records. Where an intermediary is also a business associate under the HIPAA Rules, it would be subject to the requirements of both an intermediary and a business associate.
The requirements for intermediaries would remain unchanged but would be redesignated from § 2.13(d), Lists of disclosures, to new § 2.24, Requirements for intermediaries. These proposed modifications are discussed separately below.
Investigative agency. The Department proposes to create a new definition for “investigative agency” to describe those government agencies with responsibilities for investigating and prosecuting Part 2 programs and persons holding Part 2 records, such that they would be required to comply with subpart E when seeking to use or disclose records against a Part 2 program or lawful holder. In conjunction with proposed changes to subpart E pertaining to use and disclosure of records by law enforcement, the Department proposes to define an investigative agency as “A state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.” By creating a definition of investigative agency, the Department does not intend to change the applicability of § 2.53 or subpart E, but only to establish a limitation on liability for such agencies in certain circumstances when a court order is otherwise required by these regulations.
Part 2 program director. Within the definition of “part 2 program director,” the Department proposes to replace the first instance of the term “individual” with the term “natural person” and the other instances of the term “individual” with the term “person” as used in the HIPAA Rules and discussed below.
Patient. The Department proposes to add language to the existing definition to clarify that when the HIPAA regulations apply to Part 2 records, a patient is an individual as that term is defined in the HIPAA regulations.
Payment. The Department proposes to adopt the same definition for this term as in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Person. The term “person ” is currently defined as “an individual, partnership, corporation, federal, state or local government agency, or any other legal entity, (also referred to as “individual or entity”).” Thus, the current Part 2 regulation uses the term “individual” in reference to someone who is not the patient and therefore not the subject of the Part 2 record. In contrast, the HIPAA Rules at 45 CFR 160.103 define the term “individual” to refer to the subject of PHI, and “person” to refer to “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.” To further the alignment of Part 2 and the Start Printed Page 74230 HIPAA Rules and provide clarity for programs and entities that must comply with both sets of requirements, the Department proposes to replace the Part 2 definition of “person” with the HIPAA definition in 45 CFR 160.103. As an extension of this clarification, the Department also proposes to replace the term “individual” with “patient” when the regulation refers to someone who is the subject of Part 2 records, to use the term “person” when it refers to someone who is not the subject of the records at issue, and to modify the definition of “patient” in Part 2 to include an “individual” as that term is used in the HIPAA Rules. The Department believes that this combination of modifications would promote the understanding of both Part 2 and the HIPAA Rules and requests comment on whether this or other approaches would provide more clarity.
Program. Within the definition of “program,” the Department proposes to replace the term “individual or entity” with the term “person” as is used in the HIPAA Rules and discussed above.
Public health authority. The Department proposes to adopt the same meaning for this term as in the Privacy Rule. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations.
Qualified service organization. The Department proposes to modify the definition of Qualified service organization (QSO) by adding HIPAA business associates to the regulatory text to clarify that they are QSOs in circumstances when Part 2 records also meet the definition of PHI ( i.e., when a Part 2 program is also a covered entity). The Department believes this proposal would facilitate the implementation of the CARES Act with respect to disclosures to QSOs. The HIPAA Rules generally permit disclosures from a covered entity to a person who meets the definition of a business associate ( i.e., a person who works on behalf of or provides services to the covered entity) [122] without individual authorization, when based on a business associate agreement that incorporates certain protections.[123] Similarly, the use and disclosure restrictions of this part do not apply to the communications between a Part 2 program and QSO when the information is needed by the QSO to provide services to the Part 2 program. This definition is proposed in conjunction with a proposal to modify § 2.12, Applicability, to clarify that QSOs also use Part 2 records received from programs to work “on behalf of” the program.
The Department also proposes a wording change to replace the phrase “individual or entity” with the term “person” as now proposed to comport with the HIPAA meaning of the term.
Records. The definition of records specifies the scope of information that Part 2 protects. The Department proposes to remove the last sentence of the definition as unnecessary.[124] In the five decades since the promulgation of the Part 2 regulation, health information technology has become widely adopted and it is evident that records include both paper and electronic formats. The Department does not intend to change the meaning or understanding of records with this proposed modification, but only to streamline the description.
The Department offers clarification here about how the definition of Part 2 records operates in relation to the HIPAA definitions of PHI, designated record set, and psychotherapy notes.
These issues are most pertinent with respect to the right individuals have to access their records under the HIPAA Rules, as explained below (Part 2 does not contain a parallel patient right of access to records).
Generally, the HIPAA Privacy Rule gives individuals the right to access all of their PHI in a designated record set.[125] A designated record set is a group of records maintained by or for a covered entity that are a provider's medical and billing records, a health plan's enrollment, payment, claims adjudication, and case or medical management record systems, and any other records used, in whole or in part, by or for the covered entity to make decisions about individuals.[126] A covered entity's Part 2 records usually fall into these categories, and thus are part of the designated record set. This is true when a Part 2 program is a covered entity, as well as when a covered entity receives Part 2 records but is not a Part 2 program. In the latter situation, the Part 2 records become PHI when they are received by or for the covered entity, and part of a designated record set. As such, they are subject to the Privacy Rule's right of access requirements.
However, the Privacy Rule right of access excludes psychotherapy notes.[127] If SUD treatment is provided by a mental health professional that is a Part 2 program and a covered entity, and the provider creates notes of counseling sessions that are kept separate from the individual's medical record, those notes would be psychotherapy notes as well as Part 2 records. In this case, the individual would not have a Privacy Rule right of access to those records, but a provider may voluntarily provide access upon request by the individual patient. Additionally, psychotherapy notes created by a Part 2 program that is a covered entity could only be disclosed with a separate written authorization or consent.
The Department is considering whether to create a new definition similar to psychotherapy notes that is specific to the notes of SUD counseling sessions by a Part 2 program professional. Such notes would be Part 2 records, but could not be disclosed based on a general consent for TPO. They could only be disclosed with a separate written consent that is not combined with a consent to disclose any other type of health information. The Department solicits comments on the benefits and burdens of creating such additional privacy protection for SUD counseling notes that are maintained primarily for use by the originator of the notes, similar to psychotherapy notes as defined in the Privacy Rule. Under consideration is a definition such as this:
SUD counseling notes means notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient's record. SUDcounseling notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
As with psychotherapy notes under the Privacy Rule, the separate consent requirement, if adopted, would not apply to SUD counseling notes in the following situations:
1. Use by the originator of the SUD counseling notes for treatment; Start Printed Page 74231
2. Use or disclosure by the program for its own training programs in which students, trainees, or practitioners in SUD treatment learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;
3. For the program to defend itself in a legal action or other proceeding brought by the patient;
4. Required for the reporting of child abuse or neglect;
5. Required by law;
6. Required for oversight of the originator of the SUD counseling notes;
7. To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law; or
8. When necessary to lessen a serious and imminent threat to the health or safety of a person or the public and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
Third-party payer. The term third-party payer refers to an entity with a contractual obligation to pay for a patient's Part 2 services and includes some health plans, which by definition are covered entities. The current regulation, at § 2.12, limits disclosures by third-party payers to a shorter list of purposes than the Privacy Rule allows for health plans. The Department proposes to exclude covered entities from the definition of third-party payer to facilitate implementation of 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES Act, which enacted a permission for certain recipients of Part 2 records to redisclose them according to the HIPAA standards. The result of this proposed change would be that the current Part 2 disclosure restrictions continue to apply to a narrower set of entities, such as grant-funded programs. The Department believes that this approach would carry out the intent of the CARES Act, while preserving the privacy protections that apply to payers that are not covered entities. The Department also proposes a wording change to replace the phrase “individual or entity” with the term “person” as now proposed to comport with the HIPAA meaning of the term.
The Department welcomes comments on the number and type of third-party payers that would not be considered health plans.
Treating provider relationship. The Department proposes to modify the Part 2 definition of “treating provider relationship” by replacing the phase “individual or entity” with “person,” in accordance with the proposed changes to the definition of “person” described above.
Treatment. The Department proposes to modify the Part 2 definition of “treatment” by adopting the Privacy Rule definition by reference. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning of the term for the purposes of the HIPAA regulations. By replacing the existing language, the Department does not intend to change the scope of activities that constitute treatment. Thus, it remains true, as provided in the prior definition, that treatment includes the care of a patient suffering from an SUD, a condition which is identified as having been caused by the SUD, or both, in order to reduce or eliminate the adverse effects upon the patient.
Unsecured protected health information. The Department proposes to adopt the same meaning of this term as used in the HIPAA Rules. This proposal would implement the new paragraph (k) of 42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring that the term in this part be given the same meaning as the term in the purposes of the HIPAA regulations.
Unsecured record. To align with the definition of “unsecured protected health information” at 45 CFR 164.402, the Department proposes to apply a similar concept to records, as defined in this part. Thus, an unsecured record would be one that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111-5, 13402(h)(2).[128] The Department believes this proposal is necessary to implement the newly required breach notification standards for Part 2 records and requests comment on this approach.
Use. The Department proposes to add a definition for this term that is consistent with that in the HIPAA Rules at 45 CFR 160.103, and as the term is applied to the conduct of proceedings specified in statute at 42 U.S.C. 290dd-2(c). The Department believes this proposal is necessary to more fully align this part with the HIPAA Rules use of the language “use and disclosure”, as well as make clear, where applicable, that many of the activities regulated by this part involve not only disclosures but internal uses of Part 2 records by programs or recipients of Part 2 records. The Department also proposes this definition to make clear that in this part, the term “use” has a secondary meaning in accordance with the statutory requirements at 42 U.S.C. 290dd-2(c) for “use” of records in proceedings. The Department discusses in greater detail the addition of the term “use” to specific provisions throughout this NPRM, and in particular, in connection to § 2.12 below.
§ 2.12—Applicability
Section 2.12 includes five provisions outlining the scope of the rule's requirements. Paragraph (a) of § 2.12 describes which records are protected and describes the restrictions on use and disclosure of Part 2 records; paragraph (b) outlines what constitutes federal assistance for purposes of the regulation's applicability; paragraph (c) specifies exceptions for certain disclosures; paragraph (d) provides restrictions that apply to: (1) any recipient of Part 2 records, and (2) third-party payers and administrators; and paragraph (e) details the types of records and diagnoses to which the restrictions in this regulation apply.
The Department proposes to amend the Part 2 regulation in paragraph (c)(2) of § 2.12, which excludes from Part 2 requirements certain interchanges of information within the Armed Forces and between the Armed Forces and the Department of Veterans Affairs, by replacing “Armed Forces” with “Uniformed Services.” This change would align the regulatory text with the statutory language at 42 U.S.C. 290dd-2(e). The change also would create consistency with the Department's proposal to expand the Privacy Rule permission for covered entities, at 45 CFR 164.512(k), to use or disclose the PHI of Armed Services personnel when deemed necessary by certain military command authorities to all Uniformed Services, which would then include the U.S. Public Health Service (USPHS) and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.[129] As the Department noted in that NPRM to modify the Privacy Rule, the USPHS and NOAA Commissioned Corps share responsibility with the Armed Services for certain critical missions, support military readiness and maintain medical fitness for deployment in response to urgent and emergency public health crises, and maintain fitness for deployment onto Start Printed Page 74232 U.S. Coast Guard manned aircraft and shipboard missions. Because this Part 2 proposal with respect to the Uniformed Services is consistent with the underlying statute, the Department does not believe the modification will change how SUD treatment records are treated for USPHS and NOAA Commissioned Corps personnel, but requests comment on this assumption.
The Department also proposes to add the term “use” to paragraphs (a)(1), (c)(3), (c)(4), and (d)(2) of this section, and the term “disclosure” to paragraphs (a)(2) and (d)(1), to make clear that as amended by CARES Act section 3221(b), these provisions include both uses and disclosures that are restricted by Part 2. The Department also proposes to add “use” to the second sentence of paragraph (e)(3). Historically, the Part 2 regulation associated “use” with the initiation of legal proceedings against a patient and associated “disclosure” with sharing records to an external entity. In contrast, the Privacy Rule applies the term “use” to refer to internal use of health information within an entity, such as access by staff members. With this understanding, a Part 2 record could be both used and disclosed for purposes related to the provision of health care, but also for the purposes such as the initiation of a legal proceeding. To align Part 2 with the Privacy Rule, the Department proposes to adopt the “use and disclosure” terminology throughout the regulation when both actions could apply. The Department requests comment on this approach.
The Department also proposes in paragraph (d)(1) of § 2.12 to expand the restrictions on the use of records as evidence in criminal proceedings against the patient by incorporating the four prohibited actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act, and expanding the regulatory prohibition to cover civil, administrative, or legislative proceedings in addition to criminal proceedings.[130] Absent patient consent or a court order, the proposed prohibitions are: (1) the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or State court, (2) reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency, (3) the use of such record or testimony by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and (4) the use of such record or testimony in any application for a warrant.
The proposed narrowing of the definition of third-party payer in § 2.11 would exclude covered entity health plans from the limits on redisclosure of Part 2 records in paragraph (d)(2) of § 2.12. To clarify the modified scope of this paragraph, the Department proposes to insert qualifying language in § 2.12(d)(2) to refer to third-party payers, “as defined in this part.” This approach implements the CARES Act changes in a manner that preserves the existing redisclosure limitations for any third-party payers that are not covered entities. The Department seeks comment and data on the number and types of third-party payers, as defined in the proposed rule, to which the redisclosure limitations would continue to apply. The Department especially seeks comment on how this provision would apply to grant-funded programs.
The Department proposes to conform paragraph (e)(3) of § 2.12 to 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES Act, by expanding the restrictions on the use of Part 2 records in criminal proceedings against the patient to expressly include disclosures of Part 2 records [131] and to add civil and administrative proceedings as additional types of forums where use and disclosure of Part 2 records is prohibited, absent written patient consent or a court order. Additionally, the Department proposes to clarify the language in subparagraph (e)(4)(i) of § 2.12, which excludes from Part 2 those diagnoses of SUD that are created solely to be used as evidence in a legal proceeding. The proposed change would narrow the exclusion to diagnoses of SUD made “on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction” to be used as evidence “in legal proceedings.” The Department believes the proposed clarification would tighten the nexus between a law enforcement or judicial request for the diagnosis and the use or disclosure of the SUD diagnosis based on that request, and requests comment on this approach.
The Department proposes to substitute the term “person” for the term “entity” and the phrase “individuals and entities” in § 2.12(d)(2)(i)(B) and (C), respectively. As discussed above in relation to § 2.11, Definitions, the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the Privacy Rule at 45 CFR 160.103.
§ 2.13—Confidentiality Restrictions and Safeguards
The current provisions of this section apply confidentiality restrictions and safeguards to how Part 2 records may be “disclosed and used” in this part, and specifically provide that Part 2 records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings. The current provisions also provide that unconditional compliance with the part is required by programs and lawful holders and restrict the ability of programs to acknowledge the presence of patients at certain facilities.
To more accurately describe how the regulations of this part apply to the activities of programs after the amendment of 42 U.S.C. 290dd-2 by section 3221 of the CARES Act, and to align the language throughout this section with language in the Privacy Rule, the Department proposes to modify paragraphs (a) and (b) of this section by replacing the phrase “disclosed or used” with “used or disclosed”, and in paragraph (a), adding the term “use” in front of the term “disclosure.” The Department proposes to add the term “use” in paragraph (a) of this section because sections 3221(b) and (e) of the CARES Act amends key provisions of 42 U.S.C. 290dd-2 so that confidentiality restrictions and safeguards apply to both uses and disclosures.
Paragraph (d) of § 2.13, List of disclosures, includes a requirement for intermediaries to provide patients with a list of entities to which an intermediary, such as a health information exchange (HIE), has disclosed the patient's identifying information pursuant to a general designation. The Department proposes to remove § 2.13(d) and redesignate the content as § 2.24, change the heading to Start Printed Page 74233 Requirements for Intermediaries, and in § 2.11 create a regulatory definition of the term “intermediary,” as discussed above. The Department's proposal to redesignate § 2.13(d) as 2.24 would move the section toward the end of Subpart B—General Provisions, to be grouped with the newly proposed §§ 2.25 and 2.26 about patient rights and disclosure. The Department's proposed change to the heading is intended to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a part 2 program.
In addition to these proposed structural changes, the Department also proposes wording changes to paragraphs (a) through (c) of § 2.13 to clarify who is subject to the restrictions and safeguards with respect to Part 2 records. The Department solicits comment on the extent to which Part 2 programs look to the HIPAA Security Rule as a guide for safeguarding Part 2 electronic records. The Department also requests comment on whether it should modify Part 2 to apply the same or similar safeguards requirements to electronic Part 2 records as the Security Rule applies to ePHI or whether other safeguards should be applied to electronic Part 2 records.
§ 2.14—Minor Patients
Current § 2.14 establishes the consent requirements for the disclosure of records of minor patients. To align the description of these requirements with 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of the CARES Act, and to align the language of this provision with the Privacy Rule, the Department proposes to add the term “use” in paragraphs (a) and (b) to clarify that requirements related to consent given by minor patients would apply to both uses and disclosures of records. For example, as amended by section 3221(b) of the CARES Act, 42 U.S.C. 290dd-2(b)(1)(A) and (B) require a program or covered entity to obtain the appropriate consent, as determined by this section, to use or disclose the Part 2 records of the minor, and to use or disclose the same records for TPO purposes in accordance with the Privacy Rule. Subsection (c) of this section addresses when a minor's application for treatment may be disclosed to the minor's parents. The Department proposes to change the verb “judges” to “determines” to describe a program director's evaluation and decision that a minor lacks decision making capacity that could trigger a disclosure to the patient's parents. This change is intended to distinguish between the evaluation by a program director about patient decision making capacity and an adjudication of incompetence made by a court, which is addressed in § 2.15. The Department also proposes a technical edit to § 2.14(c)(1) to correct a typographical error from “youthor” to “youth or.”
The Department also proposes to substitute the term “person” for the term “individual” in § 2.14(b)(1), (b)(2), (c), (c)(1), and (c)(2), respectively. As discussed above in relation to § 2.11, Definitions, the Department does not intend this to be a substantive change, but rather an alignment with the term as it is defined in the Privacy Rule at 45 CFR 160.103.
§ 2.15—Patients Who Lack Capacity and Deceased Patients (Proposed Heading)
Section 2.15 of 42 CFR part 2 addresses who may consent to a disclosure of records when a patient lacks capacity to make health care decisions or is deceased. The Department proposes to replace the outdated term “incompetent” and refer instead to patients who lack capacity to make health care decisions. This modification is not intended as a substantive change, but would replace a term that may be considered derogatory. The rule clearly distinguishes between situations involving an adjudication and those without adjudication. Consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) of the CARES Act, the Department proposes to clarify, by referring to the “use” of records in addition to disclosures of records in paragraphs (a)(2) and (b), that confidentiality requirements related to the records of patients who lack the capacity to make health care decisions and deceased patients apply to both uses and disclosures. The Department also proposes to substitute the term “person” for the term “individual” as discussed above in relation to § 2.11, Definitions. The Department further proposes to clarify that paragraph (a) of this section refers to lack of capacity to make health care decisions as adjudicated by a court while paragraph (b) refers to lack of capacity to make health care decisions that is not adjudicated, and to add health plans to the list of entities to which a program may disclose records without consent to obtain payment during a period when the patient has an unadjudicated inability to make decisions. Finally, the Department proposes in paragraphs (b)(1) and (b)(2) of this section to clearly identify that the restriction on the ability to use or disclose patient identifying information applies to the Part 2 program.
§ 2.16—Security for Records and Notification of Breaches (Proposed Heading)
Section 2.16, Security for records, currently includes a set of requirements for securing records. Specifically, § 2.16(a) requires a Part 2 program or other lawful holder of patient identifying information to maintain formal policies and procedures to protect against unauthorized uses and disclosures of such information, and to protect the security of this information. Sections 2.16(a)(1)-(2) set forth minimum requirements for what these policies and procedures must address with respect to paper and electronic records, respectively, including, for example, transfers of records, maintaining records in a secure location, and appropriate destruction of records. Section 2.16(a)(1)(v) requires part 2 programs to implement formal policies and procedures to address removing patient identifying information to render it non-identifiable in a manner that creates a low risk of re-identification.
The Department proposes to change the requirements in § 2.16(a) to more closely align them with the Privacy Rule de-identification standard. Specifically, the Department proposes to modify § 2.16(a)(1)(v) (for paper records) and § 2.16(a)(2)(iv) (for electronic records), as follows: “Rendering patient identifying information de-identified in accordance with the requirements of the Privacy Rule at 45 CFR 164.514(b), such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.” The Department requests comment on the extent to which Part 2 programs render patient identifying information de-identified under § 2.16(a)(1)(v) and § 2.16(a)(2)(iv) in a manner that differs from the Privacy Rule de-identification standard, such that conforming the Part 2 requirements to the Privacy Rule standard would create unintended adverse consequences for Part 2 programs or patients. In addition, the Department requests comment on examples of situations in which Part 2 programs or covered entities render Part 2 information not readily identifiable but the information is not de-identified in accordance with the Privacy Rule.
The Department's proposals would increase the alignment of regulatory requirements for Part 2 with the Privacy Rule [132] and Breach Notification Rule.[133] The same public policy Start Printed Page 74234 objectives of the Breach Notification Rule as applied to covered entities would be furthered by establishing analogous requirements for Part 2 programs, namely: (1) greater accountability for Part 2 programs through requirements to maintain written policies and procedures to address breaches and document actions taken in response to a breach; (2) enhanced oversight and public awareness through notification of the Secretary, affected patients, and in some cases the media; (3) greater protection of patients through obligations to mitigate harm to affected patients resulting from a breach; and (4) improved measures to prevent future breaches as Part 2 programs timely resolve the causes of a breach of records.
The Department proposes to modify the heading of § 2.16 to add “and notification of breaches” and add a new paragraph § 2.16(b) to require Part 2 programs to establish and implement policies and procedures for notification of breaches of unsecured part 2 records, consistent with the requirements of 45 CFR parts 160 and 164, subpart D, as mandated by section 3221(h) of the CARES Act. In the event of a breach, Part 2 programs would be required to notify the Secretary, affected patients, and in some cases the media, consistent with the Breach Notification Rule.
Section 2.16 applies security requirements for Part 2 records to both Part 2 programs and “lawful holders.” The term “lawful holder” is enshrined in several Part 2 regulatory provisions [134] but not defined in regulation. Generally, the term refers to “an individual or entity who has received such information as the result of a part 2-compliant consent (with a prohibition on redisclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.” [135]
However, the Department believes that the requirements of this section do not currently apply uniformly across all persons who receive Part 2 records pursuant to consent and therefore qualify as “lawful holders”, such that a failure to have “formal policies and procedures” or to “protect” against threats would result in the imposition of civil or criminal penalties. The Department does not propose to expand the existing scope of persons who are liable for noncompliance with requirements that are applicable only to Part 2 programs and lawful holders. Instead, due to the variety of persons that could receive Part 2 records based on a valid written Part 2 consent, the Department would determine the extent of the duty and ability of a particular person to “reasonably protect against unauthorized uses” and against “reasonably anticipated threats or hazards” based on the facts and circumstances.
The Department requests comment on its assumptions, and examples of persons who are lawful holders under the existing regulation, but who may not be appropriately held liable for compliance with the administrative requirements for protecting Part 2 records they have received ( e.g., policies and procedures to protect against unauthorized use or disclosure) or providing breach notification, such as a patient's family members. The Department also requests comment on whether it would be helpful to create a regulatory definition of “lawful holder” and what persons such definition should encompass.[136]
The Department further requests public comment regarding the estimated burden of notification, potential regulatory flexibilities for Part 2 programs to minimize burdens during their initial implementation of the policies and procedures required by the breach notification proposal, and the characteristics of programs to which any suggested flexibilities should apply. In addition, the Department welcomes comments from Part 2 programs that are not covered entities on whether they look to the Security Rule generally for guidance on protecting electronic Part 2 records or otherwise voluntarily attempt to follow the requirements of the Security Rule. For any programs that may do so, the Department requests comment on what their experience has been, including any implementation costs.
§ 2.17—Undercover Agents and Informants
The current provision prohibits, absent court order, a Part 2 program from knowingly employing or enrolling a patient as an undercover agent and restricts the use of information obtained by an undercover agency in any criminal investigation against any patient. To fully implement 42 U.S.C. 290dd-2(c)(3), as amended by section 3221(e) of the CARES Act, The Department proposes to add “or disclosed” behind “used” in this section so that the use and disclosure of Part 2 records is prohibited by this section pursuant to the statutory authority.
§ 2.19—Disposition of Records by Discontinued Programs
Current § 2.19 requires a Part 2 program to remove patient identifying information or destroy the records when a program discontinues services or is acquired by another program, unless patient consent is obtained or another law requires retention of the records. The Department proposes to create a third exception to this general requirement to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. § 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. For example, in the event the Department needs to take over operations of a such a program on short notice, the program records would remain intact, permitting the Department to ensure continuation of services. Without this provision, program records would be destroyed if patient consent is unavailable at the time services are transferred to the Department, which could occur without sufficient opportunity to seek consent from all current or former patients. The Department also proposes wording changes to improve readability and modernize the regulation, such as by referring to “non-electronic” records instead of “paper” records, and structural changes to the numbering of paragraphs.
§ 2.20—Relationship to State Laws
Current § 2.20 establishes the relationship of state laws to Part 2 and provides that Part 2 does not preempt the field of law which it covers to the exclusion of all applicable state laws, but that no state law may either authorize or compel a disclosure prohibited by Part 2. The Department proposes to add the term “use” to § 2.20 to clarify that this section applies to both uses and disclosures under Part 2 and state law. The Department believes this proposal is consistent with 42 U.S.C. 290dd-2, as amended by section 3221(b) CARES Act, which imposes requirements related to the use and disclosure of Part 2 records. Start Printed Page 74235
Records subject to regulation by Part 2 frequently are also subject to regulation by various state laws. For example, similar to Part 2, state laws impose restrictions to varying degree on uses and disclosures of records related to SUD [137] (and often other issues commonly considered sensitive, such as reproductive health, HIV, or serious mental illness).[138] The Department assumes that, to the extent state laws address SUD records, Part 2 programs generally are able to comply with Part 2 and state law. The Department requests comment on this assumption and examples of any circumstances in which a state law compels a use or disclosure that is prohibited by Part 2, such that Part 2 preempts such state law.
§ 2.21—Relationship to Federal Statutes Protecting Research Subjects Against Compulsory Disclosure of Their Identity
The current language of § 2.21 recognizes the potential for concurrent coverage of certain federal laws that regulate patient identifying information. The Department proposes to reorder “disclosure and use” to read “use and disclosure” to better align the wording of this section with language used in the Privacy Rule.
§ 2.22—Notice to Patients of Federal Confidentiality Requirements; and 45 CFR 164.520—Notice of Privacy Practices for Protected Health Information
Section 3221(i) of the CARES Act directs the Secretary to modify or “update” the HIPAA NPP requirements at 45 CFR 164.520 [139] to specify new requirements for covered entities and Part 2 programs with respect to Part 2 records that are PHI ( i.e., records of SUD treatment by a Part 2 program that are transmitted or maintained by or for covered entities). The CARES Act notice requirements would therefore apply to entities that are subject to both Part 2 and HIPAA, which include covered entities that are Part 2 programs as well as covered entities that receive Part 2 records from a Part 2 program.
The Privacy Rule, at 45 CFR 164.520, establishes an individual right to receive an NPP, written in plain language, providing adequate notice of a covered entity's privacy practices and obligations with respect to individuals' PHI. Health care clearinghouses, correctional institutions that are covered entities, and certain group health plans [140] are excepted from the requirement, but other covered health plans and covered health care providers that maintain a direct treatment relationship [141] with an individual must provide the individual with adequate notice about how the covered entity may use and disclose the individual's PHI, as well as the individual's rights and the covered entity's obligations with respect to the individual's PHI.
To implement section 3221(i)(2) of the CARES Act, the Department proposes to modify both the Patient Notice requirements at § 2.22 and the NPP requirements at 45 CFR 164.520 to provide notice requirements for all Part 2 records. While the CARES Act only expressly requires the modification of the NPP requirements at 45 CFR 164.520, the Department proposes to also modify the Part 2 Patient Notice at § 2.22 to align more closely with the NPP requirements. The proposal to modify § 2.22 would ensure that patients of Part 2 programs that are not covered by HIPAA are afforded as much notice and transparency as is provided to individuals in the NPP. Accordingly, the Department proposes to modify § 2.22 pursuant to the Secretary's authority under 42 U.S.C. 290dd-2(g) to prescribe regulations to carry out the purposes of that section.
The Department also believes there is a statutory mandate to modify the NPP requirements for some HIPAA covered entities that are not Part 2 programs, namely, those covered entities that receive and maintain Part 2 records, and thus are obligated to comply with certain Part 2 requirements with respect to such records. Covered entities that receive and maintain Part 2 records would need to add a provision to their NPP that references the restrictions on use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual. The current NPP requirements would continue to apply, without change, to covered entities that do not receive or maintain Part 2 records. The proposed changes to § 2.22, notice of federal confidentiality requirements, for Part 2 programs that are not covered entities, followed by proposed changes to 45 CFR 164.520 for covered entities that are dually subject to HIPAA and Part 2, and for other covered entities that receive and maintain Part 2 records, are described below.
Consistent with the requirements of section 3221(i)(2) of the CARES Act, the Department proposes to revise the Patient Notice at § 2.22 of this part, and to update NPP requirements using plain language that is easily understandable and parallel to changes proposed in the NPRM modifying the Privacy Rule published on January 21, 2021.[142] The Department specifically requests comment from legal, clinical, privacy, and civil rights experts on whether the below proposals achieve this goal.
1. Modifying the § 2.22 Patient Notice
Because the HIPAA Rules and Part 2 cover different, but often overlapping, sets of regulated entities, and because the NPP currently offers more robust notice requirements than the Patient Notice, the Department proposes to modify § 2.22 to provide the same information to individuals under the Privacy Rule as to patients of Part 2 programs. The Department's proposed modifications to the Patient Notice would also restructure it to substantially mirror the structure of the NPP. As discussed below, instead of the Patient Notice containing elements described as a “summary” of the federal law that applies to protect Part 2 records, the Patient Notice would address the same key elements of the HIPAA NPP such as a required Header, Uses and Disclosures, Individual Rights, and Duties of Part 2 Programs. As further discussed below, the Department proposes to add to the Patient Notice key features of the NPP, such as explaining to patients that they may file a complaint when they believe their privacy rights have been violated, and that they have the right to revoke their consent for Part 2 programs to disclose records in certain circumstances. The Department believes this approach would best implement the intent of Congress to apply NPP protections to these records and requests comment on this approach, including any burdens associated with this approach.
Part 2 programs should be mindful that federal civil rights laws require certain entities, including recipients of federal financial assistance and public Start Printed Page 74236 entities, to take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary.[143] In addition, recipients of federal financial assistance must take reasonable steps to ensure meaningful access to their programs and activities for individuals with limited English proficiency, including through language assistance services when necessary.[144]
Section 2.22, Notice to patients of federal confidentiality requirements, requires a Part 2 program, at the time of admitting a patient to the program,[145] to give written notice of and summarize the federal law and regulations that protect the confidentiality of SUD records. Section 2.22(b) requires that the notice include five elements: (1) a general description of the limited circumstances in which a Part 2 program may share information that would identify the patient as having or having had a SUD; (2) a statement informing the patient that violation of the federal law and regulations is a crime and contact information for the appropriate authorities; (3) a statement that information related to a patient's commission of a crime on the premises is not protected as confidential; (4) a statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and (5) a citation to the federal law and regulations. Finally, § 2.22 gives the option to a Part 2 program to include information about applicable state law and its own local policies. Although § 2.22 does not expressly apply to covered entities and PHI, any covered entity that uses or discloses Part 2 SUD records would be subject to the notice requirements of § 2.22 in addition to the NPP requirements in 45 CFR 164.520. Conversely, Part 2 programs that are not covered entities and not subject to HIPAA would only be obligated to comply with § 2.22.
The Department proposes to modify § 2.22 by incorporating most of the notice requirements in the HIPAA NPP at 45 CFR 164.520, and then excluding those that are non-applicable or pose special privacy risks, and separately addressing certain provisions that have special requirements or differences between application to covered entities and part 2 programs as specified in 42 U.S.C. 290dd-2, as amended by the CARES Act. The Department proposes the following with respect to the Patient Notice at § 2.22.
Header. The Department proposes to require Part 2 programs to include a header in the Patient Notice. The header would be nearly identical to the header required in the NPP (and as proposed for amendment above) at 45 CFR 164.520(b)(1)(i) [146] except where necessary to distinguish components of the notice not applicable to 42 CFR part 2. For example, the Patient Notice that would be provided pursuant to this part would not include notice that patients could exercise the right to get copies of records at limited costs or in some cases, free of charge, nor would it provide notice that patients could inspect or get copies of records under HIPAA.
Uses and Disclosures. The Department proposes to require a Part 2 program to include in the Patient Notice descriptions of uses and disclosures that are permitted for TPO, permitted without written consent, or will only be made with written consent. Consistent with the current set of NPP requirement for covered entities, the Department proposes to add a requirement that a covered entity that creates or maintains Part 2 records include sufficient detail in its Patient Notice to place the patient on notice of the uses and disclosures that are permitted or required. Although the Department believes section 3221(k)(4) of the CARES Act—stating that certain de-identification and fundraising activities should be excluded from the definition of health care operations—has no legal effect as a Sense of Congress, the Department believes it prudent to propose new § 2.22(b)(1)(iii). This proposal would require that a program provide notice to patients that the program must obtain written consent before it may use or disclose records for fundraising on behalf of the program. This new notice requirement is consistent with a newly proposed consent requirement at § 2.31(a)(5) in which a program must obtain a patient's permission for such uses and disclosures.
Before proposing the approach above, the Department first considered whether to propose a consent requirement for both de-identification and fundraising and whether to structure it as an opt-in or an opt-out. The Department believes that an opt-in requirement would afford patients a greater amount of control over their records and best fulfill patients' expectations about how their Part 2 information would be protected. However, the Department believes that requiring patient consent for de-identification activities would be inconsistent with the new permission to disclose de-identified information for public health purposes as provided in section 3221(c) of the CARES Act. Such a requirement also would create a barrier to de-identification that may negatively affect patient privacy by increasing permissible but unnecessary uses and disclosures of identifiable Part 2 records in circumstances when de-identified records would serve the intended purpose. As noted above, the Department believes uses and disclosures for fundraising warrant this added privacy protection, consistent with congressional intent as expressed in the Sense of Congress.
Individual Rights. The Department proposes to require that a Part 2 program include in the Patient Notice statements of patients' rights with respect to Part 2 records. The structure would mirror the statements of rights required in the NPP for covered entities and PHI but, based on amended 42 U.S.C. 290dd-2, would include:
- Right to request restrictions of disclosures made with prior consent for purposes of TPO, as provided in 42 U.S.C. 290dd-2(b)(1)(C) and when a Part 2 program must agree to a request.
- Right to request and obtain restrictions of disclosures of Part 2 records to the patient's health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to restrictions of disclosures of PHI.
- Right to an accounting of disclosures of electronic Part 2 records for the past 3 years, as provided in 42 U.S.C. 290dd-2(b)(1)(B) and right to an accounting of disclosures of Part 2 records that mirrors the right in the Privacy Rule at 45 CFR 164.528.
- Right to obtain an electronic or non-electronic copy of the notice from the program upon request.
- Right to discuss the notice with a designated contact person identified by the program pursuant to paragraph 45 CFR 164.520(b)(1)(vii).
Part 2 program's duties. The Department proposes to incorporate into the Patient Notice statements describing Start Printed Page 74237 the duties of Part 2 programs with respect to Part 2 records that parallel the statements of duties of covered entities required in the NPP with respect to PHI. Although this change is not required by 42 U.S.C. 290dd-2, the statement of duties would put patients on notice of the obligations of Part 2 programs to maintain the privacy and security of Part 2 records, abide by the terms of the Patient Notice, and inform patients that it may change the terms of a Patient Notice. The Patient Notice also would include a statement of the new duty under 42 U.S.C. 290dd-2(j) to notify affected patients following a breach of Part 2 records.
Complaints. The Department proposes to require that a Part 2 program inform patients, in the Patient Notice, that the patients may complain to the Part 2 program and Secretary when they believe their privacy rights have been violated, as well as a brief description of how the patient may file the complaint and a statement that the patient will not be retaliated against for filing a complaint. These statements would support the implementation of the CARES Act enforcement provisions, which apply the civil enforcement provisions of section 1176 of the Social Security Act to violations of 42 U.S.C. 290dd-2.[147]
Contact and Effective Date. The Department proposes to require that the Patient Notice provide the name or title, telephone number, and email address of a person a patient may contact for further information about the Part 2 Notice, and information about the date the Patient Notice takes effect. These provisions would parallel requirements for the NPP.
Optional Elements. The Department proposes to incorporate into the Patient Notice the optional elements of an NPP, which a Part 2 program could include in its Patient Notice. This provision permits a program that elects to place more limits on its uses or disclosures than required by Part 2 to describe its more limited uses or disclosures in its notice, provided that the program may not include in its notice a limitation affecting its ability to make a use or disclosure that is required by law or permitted to be made for emergency treatment.
Revisions to the Patient Notice. The Department proposes to require that a Part 2 program must promptly revise and distribute its Patient Notice when there has been a material change and provide that, except when required by law, such material change may not be implemented prior to the effective date of the Patient Notice. These provisions would parallel requirements for the NPP.
Implementation Specifications. The Department proposes to require that a Part 2 program provide the Patient Notice to anyone who requests it and provide it to a patient not later than the date of the first service delivery, including where first service is delivered electronically, after the compliance date for the Patient Notice. This provision also would require that the Patient Notice be provided as soon as reasonably practicable after emergency treatment. Finally, if the Part 2 program has a physical delivery site, the Patient Notice would have to be posted in a clear and prominent location at the delivery site where a patient would be able to read the notice in a manner that does not identify the patient as receiving SUD treatment, and the Patient Notice would need to be included on a program's website, if it has one. These provisions would parallel the requirements for provision of the NPP by covered health care providers.[148]
The Department requests comment on each Patient Notice proposal, including information on how incorporating NPP elements into the Patient Notice requirements would increase or alleviate burdens for Part 2 programs.
2. Modifying 45 CFR 164.520
Applying the NPP requirements to certain entities. Section 3221(i)(2) of the CARES Act requires the Department to update the NPP to provide notice of privacy practices with respect to Part 2 records being created or maintained by “covered entities and entities creating or maintaining the records described in subsection (a)” (referring to section 543(a) of the PHSA, 42 U.S.C. 290dd-2(a), specifying and defining Part 2 records). The Department proposes all of the following changes to 45 CFR 164.520 to update it in accordance with the CARES Act and to ensure adequate notice is given to patients who are the subject of these records.
The Department proposes to modify 45 CFR 164.520(a) by adding a new paragraph (2) to expressly apply the NPP provisions to covered entities using and disclosing Part 2 records. The proposed change would further align the Patient Notice requirements for Part 2 records with NPP requirements with respect to PHI.
The Department also proposes to remove paragraph (3) of 45 CFR 164.520(a), Exception for inmates. The Department no longer believes it is appropriate to withhold notice from an incarcerated individual with respect to their health information privacy rights and a covered entity's practices. When the Department finalized the exception, it stated “[n]o person, including a current or former inmate, has the right to notice of such a covered entity's privacy practices” seeming to distinguish correctional facilities that are covered entities from other covered entities. The Department is unable to discern a safety or security risk associated with providing inmates notice concerning the covered entity correctional institute's privacy practices for PHI. This proposal would ensure that regulated entities provide an NPP to inmates consistent with what is provided to other individuals and retains the limitation on the right of access due to security concerns.
Content of Notice requirements apply to all covered entities, including those that are also subject to Part 2. The Department proposes to amend the required Header at 45 CFR 164.520(b)(1) to specifically reference covered entities maintaining or receiving Part 2 records. In addition, the proposed regulatory text at 45 CFR 164.520(b)(1)(i) reflects the changes to 45 CFR 164.520 previously proposed in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, published in 2021.[149] Further, in 45 CFR 164.520(b)(1)(i) and in § 2.22, the Department proposes to change the word “Medical” to “Health” to refer to the type of information covered by the NPP. This change is not intended to modify substantive requirements, but instead is proposed to more accurately reflect and clarify that the information covered by the notice is not limited to the information a covered entity places in an individual's medical record.
Description of Uses and Disclosures. Section 3221(i)(2)(B) of the CARES Act requires the updated NPP for Part 2 records to include descriptions for every purpose for which the covered entity is permitted or required to use or disclose PHI without the patient's written authorization, “as required by subsection (b)(2) of such section 164.520.” However, 45 CFR 164.520(b)(2) sets out optional elements for the NPP and does not address uses or disclosures that are permitted or required without the individual's authorization. Therefore, the Start Printed Page 74238 Department believes that the drafters of the CARES Act provision intended to refer instead to 45 CFR 164.520(b)(1)(ii), which requires that the NPP include descriptions of Uses and Disclosures, including a description of each use or disclosure that is permitted or required without the individual's written authorization.[150]
The Department proposes to add to the description in 45 CFR 164.520(b)(1)(ii)(C) and (D) the language “such as 42 CFR part 2” to ensure that covered entities understand their specific obligation to address restrictions placed on the use and disclosure of Part 2 records.
Section 164.520(b)(1)(iii) includes requirements for Separate statements for certain uses or disclosures. In the introductory paragraph of this sub-section, the Department proposes to add “or (B)” to include sub-paragraph (B) in the list of descriptions that require a separate statement to describe TPO uses and disclosures under 45 CFR 164.520(b)(1)(ii)(A) or those made without authorization under 45 CFR 164.520(b)(1)(ii)(B). The Department also proposes to add new sub-paragraph (D) providing notice that Part 2 records or testimony relaying the content of such records shall not be used or disclosed in certain proceedings against the individual without written consent or court order, and new sub-paragraph (E) providing notice that if a covered entity that is a Part 2 program intends to engage in activities addressed in the Sense of Congress in section 3221(k)(4) of the CARES Act,[151] the program must first obtain the patient's express written consent. This provision would support the implementation of 42 U.S.C. 290dd-2(c).
Statement of Rights. Section 3221(i)(2)(A) of the CARES Act requires the NPP for Part 2 records to include a statement of the patient's rights with respect to PHI and how the individual may exercise such rights as required by 45 CFR 164.520(b)(1)(iv). The statement must address the rights of patients who self-pay ( i.e., cash or other payment not billed to a third-party payer or health plan).
Current 45 CFR 164.520(b)(1)(iv) requires a covered entity to include in its NPP a statement of an individual's rights with respect to PHI. To implement the CARES Act requirements related to a Statement of Rights, the Department proposes to revise 45 CFR 164.520(b)(1)(iv)(C), to require a covered entity, when providing notice about the right of access, to include notice about the right to inspect and obtain a copy of PHI, the right to do so at limited cost or free of charge, and the right to direct a covered health care provider to transmit an electronic copy of PHI in an electronic health record to a third party. The Department also proposes to add a new § 164.520(b)(1)(iv)(G) to require a covered entity to provide notice of the right to discuss the NPP with a designated contact person identified by the covered entity. These changes are made to reflect the changes to the NPP provisions proposed by the Department in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.[152]
Covered entity's duties. The Department proposes, at 45 CFR 164.520(b)(1)(v)(A), to remove the second reference to “protected health information” to expand the requirement that a covered entity provide individuals with notice of the covered entity's legal duties and privacy practices to information beyond that of PHI ( i.e., to Part 2 records). The Department proposes to modify 45 CFR 164.520(b)(1)(v)(C), a provision that addresses a covered entity's right to change the terms of its NPP, to simplify the text, remove the reference to the administrative requirements of the Privacy Rule ( i.e., so that it also applies to Part 2), and insert a limitation that any new terms must not be material or contrary to law.
Other proposed updates to the NPP. The Department proposes other changes to conform the NPP requirements at 45 CFR 164.520 to changes required by the CARES Act. For example, the Department proposes to modify 45 CFR 164.520(b)(1)(iii) to address the Sense of Congress expressed at 42 U.S.C. 290dd-2(k)(4). Although the Sense of Congress does not give legal effect to the exclusion of fundraising and the creation of de-identified health information and limited data sets as permissible disclosures under “health care operations”, the Department believes that fundraising is far enough outside an individual's reasonable expectation of how their Part 2 records will be used or disclosed that entities should obtain written consent. This means that the NPP provision at 45 CFR 164.520(b)(1)(iii) would still give notice to individuals that a covered entity may use or disclose the individual's PHI for fundraising with an option to opt out of such communications. However, in the case of a covered entity that is also a Part 2 program, it would also provide notice that a covered entity may use or disclose the individual's Part 2 records for fundraising on behalf of the covered entity only with the written consent of the individual. The Department also proposes to incorporate changes proposed to the NPP requirements in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.[153] These proposals include adding a requirement, at 45 CFR 164.520(b)(1)(vii), that a covered entity's NPP include the email address for a designated person who would be available to answer questions about the covered entity's privacy practices; adding a permission for a covered entity to provide information, in its NPP, concerning the right to direct copies of PHI to third parties when the PHI is not in an EHR and the ability to request the transmission using an authorization; and removing the existing requirement for a covered entity to obtain a written acknowledgement of receipt of the NPP. Finally, the Department proposes a new paragraph at 45 CFR 164.520(d)(4) to prohibit construing the permissions for OHCAs to disclose PHI between participants as negating obligations related to Part 2 records.
The Department is mindful of the compliance burden imposed on all entities due to NPP requirements. The Department carefully considered how to accomplish the CARES Act mandate to update the NPP and believes that the proposed changes to 45 CFR 164.520 implements the statutory requirement to inform individuals in a manner that places the least burden on regulated entities. The Department requests comment on this assumption.
§ 2.23—Patient Access and Restrictions on Use and Disclosure (Proposed Heading)
The Department proposes to add the term “disclosure” to the heading of this section and throughout paragraphs (a) and (b) to clarify that a patient is not required to provide written consent or authorization in order to access their own Part 2 records. The Department proposes additional wording changes to this section to improve readability and to replace the word “information” to “records,” which more accurately describes the scope of the information to which the regulation applies. Start Printed Page 74239
§ 2.24—Requirements for Intermediaries (Redesignated and Proposed Heading)
Under § 2.13(d), a patient has a right to request a list of disclosures made by an intermediary; the intermediary must provide the patient with information regarding disclosures made within the past two years. As described above in §§ 2.11 Definitions and 2.13 Confidentiality restrictions and safeguards, the Department proposes to remove paragraph (d) of § 2.13 and redesignate it as § 2.24; change the subheading from Lists of disclosures to a heading titled Requirements for intermediaries; and in § 2.11 create a regulatory definition of the term “intermediary”. The Department proposes modifications to clarify the newly designated § 2.24 without intending to change the obligations of intermediaries, other than the time period covered by the list of disclosures.
Specifically, the Department proposes to replace the description of intermediaries with a new regulatory definition and to move the statement of responsibility for complying with the applicable requirements from the end of the provision to the beginning. The intent is to clarify what types of entities would be considered intermediaries— e.g., HIEs, research institutions, accountable care organizations, and care management organizations—and their responsibilities for providing patients with a list of disclosures made to member or participant treating providers. An intermediary may be a business associate when a Part 2 program is also a covered entity under HIPAA; in such situations, the intermediary would be subject to requirements of intermediaries as well as those for business associates. The Department proposes to extend the period covered by a list of disclosures from two years to three years to align with the new right to an accounting of disclosures as proposed in § 2.25(b) for disclosures made for purposes of treatment, payment, and health care operations, discussed below. The Department also proposes modifications to the redesignated section to improve clarity and understanding without intending any substantive change.
§ 2.25—Accounting of Disclosures (Proposed Heading)
Except for disclosures made by intermediaries, the existing Part 2 regulation does not include a right for patients to obtain an accounting of disclosures of Part 2 records.[154] Section 290dd-2(b)(1)(B) of 42 U.S.C., as amended by section 3221(b) of the CARES Act, applies section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c), Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record, to Part 2 disclosures for TPO with prior written consent. Therefore, the Department proposes to add a new § 2.25, Accounting of disclosures, to establish the patient's right to receive, upon request, an accounting of disclosures of Part 2 records made with written consent for up to three years prior to the date the accounting is requested.
This proposal would apply to the individual right to an accounting of disclosures in the HITECH Act.[155] The first paragraph of the section, (a), would generally require an accounting of disclosures made with patient consent, and the second paragraph, (b), would limit the requirement with respect to disclosures made with consent for TPO purposes, which would only be required for TPO disclosures made from an electronic health record system. In both instances, the proposed changes would be contingent on the promulgation of HITECH Act modifications to the accounting of disclosures standard in the Privacy Rule at 42 CFR 164.528.[156]
The Department believes this approach is consistent with section 3221(b) of the CARES Act, 42 U.S.C. 290dd-2(b)(1)(B), as amended. The Department notes that the CARES Act applied the HITECH Act timelines and structure for accounting of disclosures to “all disclosures” and not just those disclosures of PHI contained in an EHR. From a policy perspective the Department believes it is appropriate apply the regulatory framework to all accountings.
Because the Department has not yet finalized the HITECH Act accounting of disclosures modifications within the Privacy Rule, the Department does not intend to apply requirements similar to 45 CFR 164.528 before finalizing the Privacy Rule provision. The Department seeks comment on this approach to aligning the accounting of disclosures requirements of the Privacy Rule and Part 2 by incorporating a general requirement for an accounting of disclosures and a limited requirement with respect to TPO disclosures, and by tolling the effective date of the accounting of disclosures proposals in this rule until the effective date of the modified Privacy Rule accounting provision. Additionally, the Department requests data from Part 2 programs that are also covered entities or business associates on the number and type of requests for an accounting of disclosures of PHI received annually and to what extent such covered entities are providing an accounting of disclosures for TPO disclosures through an electronic health record based on the HITECH Act statutory requirement, even absent regulations. For Part 2 programs that are covered entities, the Department requests comments concerning the staff time and other costs involved in responding to an individual's request for an accounting of disclosures of PHI.
§ 2.26—Right to Request Privacy Protection for Records (Proposed Heading)
The existing Part 2 regulation does not expressly provide a patient the right to request restrictions on disclosures of Part 2 records. Section 3221(b) of the CARES Act amended the PHSA to apply section 13405(a) of the HITECH Act, Restricted restrictions on certain disclosures of health information, to all disclosures of Part 2 records for TPO purposes with prior written consent. Therefore, the Department proposes to codify in § 2.26 patient rights to: (1) request restrictions on disclosures of Part 2 records for TPO purposes, and (2) obtain restrictions on disclosures to health plans for services paid in full. The proposed provision would align with the individual right in the HITECH Act,[157] as implemented in the Privacy Rule at 45 CFR 164.522. As with the Privacy Rule right to request restrictions, a covered entity that denies a request for restrictions still would be Start Printed Page 74240 subject to any applicable state or other law that imposes greater restrictions on disclosures than Part 2 requires.
In addition to applying the HITECH Act requirements to Part 2, the CARES Act emphasized the importance of the right to request restrictions in three provisions, including:
(1) A rule of construction that the CARES Act should not be construed to limit a patient's right under the Privacy Rule to request restrictions on the use or disclosure of Part 2 records for TPO; [158]
(2) A Sense of Congress that patients have the right to request a restriction on the use or disclosure of a Part 2 record for TPO; [159] and
(3) A Sense of Congress that encourages covered entities to make every reasonable effort to the extent feasible to comply with a patient's request for a restriction regarding TPO uses or disclosures of Part 2 records.[160]
The Department requests comments and data on the extent to which covered entities currently receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how covered entities document such requests, and the procedures and mechanisms used by covered entities to ensure compliance with patient requests to which they have agreed or that they are otherwise required to comply with by law.
Subpart C—Uses and Disclosures With Patient Consent (Proposed Heading)
The Department proposes to modify the heading of Subpart C from “Disclosures with Patient Consent” to “Uses and Disclosures with Patient Consent” to make the heading consistent with the changes the Department proposes to this subpart.
§ 2.31—Consent Requirements
The Part 2 consent provision in current § 2.31 specifies in paragraph (a) the required elements of a valid written patient consent for the disclosure of Part 2 records, and in paragraph (b) what constitutes a deficient consent upon which a disclosure of Part 2 records is not permitted. To further align Part 2 with the Privacy Rule and implement the requirements of section 3221(b) of the CARES Act, the Department proposes numerous changes to the consent requirements in paragraph (a). Specifically, the Department proposes to change requirements concerning:
- Identity of the discloser
- Description of the information to be disclosed
- Designation of the recipient
- Purpose of the disclosure
- Right to revoke consent
- Expiration of consent
In addition, the Department proposes new required statements as part of a consent for use and disclosure for TPO and a new required statement about the consequences to the patient of a failure to sign a consent.
The Department also proposes to add the phrase “use or” in § 2.31(a), and “used or” in § 2.31(a)(4)(ii)(B), to clarify that the elements of a written consent would address both use and disclosure of records. The Department believes these proposals are consistent with section 3221(b) of the CARES Act, which addresses permissions and restrictions for both uses and disclosures of records for TPO by programs and covered entities. The Department also proposes a wording change to replace the phrase “individual or entity” and the term “individual” with the term “person” as now proposed to comport with the meaning of the term in the HIPAA Rules. The Department does not believe that as amended, 42 U.S.C. 290dd-2 diminishes the ability of a patient to only grant consent for disclosure of specific types of information contained in the Part 2 record or for specific TPO purposes. Additionally, the proposed change to the designation of a recipient would continue to permit patients to, for example, name a government agency to receive records when applying for public benefits and not require the name of a specific employee within the agency.
The Department notes the permission enacted in 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES Act, allows that the contents of Part 2 records “may,” and are not required, to be used or disclosed in accordance with the Privacy Rule for TPO (after prior written consent is obtained). The Department believes therefore, that the revised statute still permits the disclosing entity to employ more granular consent provisions. Further, the rules of construction in section 3221(j)(1) of the CARES Act support the continued ability of covered entities to obtain consent by stating that nothing in the Act shall be construed to limit “a covered entity's choice, as described in section 164.506 of title 45, Code of Federal Regulations, or any successor regulation, to obtain the consent of the individual to use or disclose a record referred to in such section 543(a) to carry out treatment, payment, or health care operation.”
The Department also notes that its proposal to modify § 2.31(a)(3) would still require the consent form to include a description of the information to be used or disclosed that identifies the information “in a specific and meaningful fashion.” [161] This language mirrors that in the Privacy Rule standard for written authorization requiring that a valid authorization pursuant to 45 CFR 164.508 contain “at least . . . [a] description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.” [162] The Department believes that its treatment of consent requirements here remains consistent with that of SAMHSA's prior expressed guidance.[163] The Department requests comment on this assumption.
Several of the proposed changes to the language of the required consent elements are not intended to create substantive changes, but merely to align with the wording of similar requirements in the Privacy Rule. This includes, for example, the identity of the discloser, the description of the information to be disclosed, the right to revoke consent, and the expiration of consent.
To fully accomplish the aims of the right to revoke consent, the Department expects that Part 2 programs would need to ensure that any ongoing or automatic disclosure mechanisms are halted upon receipt of a request for revocation. The CARES Act redisclosure permission for a covered entity, business associate, and Part 2 program recipients of Part 2 records limits the ability to “pull back” Part 2 information from those entities once it is disclosed. Thus, once a Part 2 program discloses a record for TPO purposes to a Part 2 program, covered entity, or business associate with prior written consent, a revocation would only be effective to prevent additional disclosures to those entities. It would not prevent a recipient Part 2 program, covered entity, or business associate from using the record for TPO, or redisclosing the record as permitted by the Privacy Rule.
Another set of proposals in this section address general designations of the recipient of Part 2 records for TPO, which may be an intermediary or a Part 2 program, covered entity or business associate. To accommodate TPO written consents, the recipient may be a class of Start Printed Page 74241 persons, rather than only an identified person. In addition, for a single consent for all future uses and disclosures for TPO, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement.
The proposed changes to the requirements for general designation of an intermediary would clarify and simplify the subheading and remove the required statement of the patient's right to a list of disclosures made by the intermediary for the prior two years. These changes are proposed in conjunction with the proposal to add a regulatory definition of intermediary that includes as examples the types of entities listed in § 2.31 and described in previous Part 2 rulemaking preamble discussions.[164] Additionally, the Department proposes to add consent requirements that are similar to the Privacy Rule authorization elements at 45 CFR 164.508, with modifications to address the Part 2 requirement to obtain prior written consent for TPO uses and disclosures. Specifically, the Department proposes to require Part 2 programs to inform patients in the written consent of the potential for their Part 2 records that are disclosed to a Part 2 program, covered entity, or business associate pursuant to the patient's written consent for treatment, payment, and health care operations to be further used or disclosed by the recipient to the extent permitted by the Privacy Rule and no longer protected by this regulation.
However, the Department does not propose to require, similar to the Privacy Rule at 45 CFR 164.522 that a written consent inform patients of the ability, under certain circumstances, to condition treatment on signing a consent for the use or disclosure of Part 2 records, because Part 2 does not prohibit the conditioning of treatment. For example, a Part 2 program may condition the provision of treatment on the patient's consent to disclose information as needed, for example, to make referrals to other providers, obtain payment from a health plan (unless the patient has paid in full), or conduct quality review of services provided.
The Department is aware of public uncertainty about when a patient consent is considered “written” under § 2.31. In previous guidance, SAMHSA clarified that an electronic signed consent form is allowable.[165] The Department reaffirms the previous guidance concerning signatures and further clarifies that, where the Department has issued regulations adopting electronic standards to be used for patient consent management,[166] and Part 2 programs have implemented such standards, the information conveyed using those standards would constitute a “written” patient consent where the individual provides all of the information required for a valid patient consent under § 2.31.
Regarding revocation of consent, the proposed changes reflect the text of the CARES Act with respect to TPO consent and also parallels the language of 45 CFR 164.508(c)(2)(i) for the core elements of a HIPAA authorization, which requires a statement about “[t]he individual's right to revoke the authorization in writing.” The intent in this section is to align the Part 2 consent requirements with the HIPAA authorization core elements to the extent feasible by establishing written revocation as a patient right. However, a Part 2 program still may accept an oral revocation of consent. Consistent with HIPAA, if an entity receives a revocation orally, the entity “knows” that the consent has been revoked and can no longer treat the consent as valid under Part 2 and must consider it deficient under § 2.31(b)(3).[167] For oral revocations, the Department recommends the program obtaining the revocation document the revocation in the patient's record.
The Department's proposal to replace an “expiration date, event, or condition” with an “expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure” is not intended to create substantive change, but only to align with the HIPAA authorization required elements. The Department believes that a “condition” may be considered an event that relates to the individual patient. Further, the Department believes the modified language would continue to serve an aim of both the HIPAA and Part 2 expiration elements, which is to ensure that the consent or authorization will last no longer than necessary to accomplish the purpose of the use(s) or disclosure(s).
The Department requests comments on its proposals that would implement changes to § 2.31. Specifically, the Department requests comment on whether there are other changes that it should make to further align § 2.31 with the Privacy Rule using its general regulatory authority in § 3221(i)(1) of the CARES Act to “make such revisions to regulations as may be necessary for implementing and enforcing the amendments.” In particular, the Department seeks comment from the public, including routine requestors of Part 2 records, on whether and to what extent the Department should require Part 2 programs to inform requestors when a preexisting consent exists for disclosure and the scope of such consent for disclosure. This input would be helpful as the Department considers how to facilitate covered entities' abilities to use the new permissions for TPO disclosures and related redisclosures under the Privacy Rule and Part 2. The Department also seeks comments on the extent to which Part 2 programs accept or rely on oral revocations of consent, and if so, whether and how this is documented or tracked.
§ 2.32—Notice To Accompany Disclosure (Proposed Heading)
The Department proposes to change the heading of this section from “Prohibition on re-disclosure” to “Notice to accompany disclosure” because § 2.32 is wholly a notice requirement, while other provisions (§ 2.12(d)) prohibit recipients of Part 2 records from redisclosing the records without obtaining a separate written patient consent. To ensure that recipients of Part 2 records comply with the prohibition at § 2.12(d), § 2.32(a) requires that Part 2 programs attach a notice whenever Part 2 records are disclosed with patient consent, notifying the recipient of the prohibition on redisclosure and of the prohibition on use of the records in civil, criminal, administrative, and legislative proceedings against the patient.
The Department proposes to modify paragraph (a)(1) of § 2.32 to reflect the expanded prohibition on use and disclosure of Part 2 records in certain proceedings against the patient, which includes testimony that relays information in a Part 2 record and the Start Printed Page 74242 use or disclosure of such records or testimony in civil, criminal, administrative, and legislative proceedings, absent consent or a court order. The Department intends for “proceedings” to be understood broadly, to encompass investigations as in the existing regulation. Thus, investigative agencies should understand the continuing expectation that the requirement to seek a court order applies at the early stages of a proceeding where Part 2 records are sought to be used and disclosed.
In addition, the proposal would list exceptions to the general rule prohibiting further use or disclosure of the Part 2 records by recipients of such records, which would include an exception for covered entities, business associates, and Part 2 programs who receive Part 2 records for TPO based on a patient's consent and now may redisclose the records as permitted by the Privacy Rule. This exception also would apply to entities that received Part 2 records from a covered entity or business associate under the Privacy Rule disclosure permissions although the legal proceedings prohibition would still apply to covered entities and business associates that receive these Part 2 records. These changes are necessary to conform § 2.32 with 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of the CARES Act concerning redisclosure permissions for covered entity, business associate, and Part 2 program recipients of Part 2 records.
The Department also proposes a change to the simplified alternative language in paragraph (a)(2) of § 2.32. The Department would add the term “use” to make clear that authorized uses and disclosures are prohibited by this part. The Department notes that a Part 2 program or other person holding of Part 2 records could still choose whether to adopt the more detailed revised notice or to use the simple notice.
The Department requests comment on the proposed approach to the notice to accompany disclosure, including whether the alternative simplified notice in paragraph (a)(2) is sufficient to inform recipients of Part 2 records and whether the revised notice in paragraph (a)(1) should include different elements.
§ 2.33—Uses and Disclosures Permitted With Written Consent (Proposed Heading)
Section 2.33 of 42 CFR part 2 currently permits Part 2 programs to disclose Part 2 records in accordance with written patient consent in paragraph (a); and permits lawful holders, upon receipt of the records based on consent for payment or health care operations purposes, to redisclose such records to contractors and subcontractors for certain activities, such as those provided as examples in paragraph (b).
To implement sections 3221(b) and (k)(4) of the CARES Act, the Department proposes to amend the heading of this section to refer to “Uses and disclosures permitted with written consent” instead of solely “disclosures.” The Department further proposes to add “use” to refer to “use or disclosure” instead of only “disclosure” in paragraphs (a) and (b) and (b)(2), as modified. The Department believes these changes would align this section with proposed §§ 2.31 and 2.32 as discussed above. The Department further believes these proposals are consistent with the congressional intent expressed in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, which aligns Part 2 with the Privacy Rule for purposes of TPO uses and disclosures.
The Department also proposes to revise paragraph (b) by removing the list of permitted payment and health care operations uses and disclosures, adding language to paragraphs (b) and (b)(1), re-designating paragraph (2) as paragraph (3), and adding a new paragraph (b)(2).[168] Specifically, the Department proposes to create two categories of redisclosure permissions. The first category would apply to Part 2 programs, covered entities, and business associates that have received a Part 2 record with consent for TPO and would permit the recipient to redisclose the records for uses and disclosures as permitted by the Privacy Rule, subject to the limitations of proposed subpart E of Part 2 pertaining to legal proceedings. The second category would apply to lawful holders that are not business associates, covered entities, or Part 2 programs and have received Part 2 records with written consent for payment and health care operations purposes. This category would permit the recipient to redisclose the records for uses and disclosures to its contractors, subcontractors, and legal representatives to carry out the intended purpose, also subject to the limitations of proposed subpart E of part 2 pertaining to legal proceedings. A lawful holder under this provision would not be permitted to redisclose Part 2 records it receives for treatment purposes before obtaining an additional written consent from the patient. The Department has not proposed to define the terms “contractors, subcontractors, and legal representatives” because it does not intend to change the accepted understanding of these business relationships between the recipient of Part 2 records under a written patient consent and the entities that it uses to carry out its business activities. The Department requests comment on whether it would be helpful to define these terms and, if so, what definitions would appropriately retain the existing accepted understanding of the business relationships.
The proposed changes would implement section 3221 of the CARES Act by permitting covered entities and business associates to use and redisclose Part 2 records in accordance with the standards that apply to PHI in the Privacy Rule and permitting Part 2 programs to use, disclose, and redisclose Part 2 records for TPO purposes when the records are obtained under a written consent given once for all future TPO uses and disclosures. The expanded ability to use and disclose Part 2 records would facilitate greater integration of SUD treatment information with other PHI. The Department believes this change would improve communication and care coordination between providers and with other elements of the health care system, such as the ability of payers to share SUD treatment claims information with alternative payment model providers for population health management, and enhance the ability to comprehensively diagnose and treat the whole patient. It would also facilitate the exchange of Part 2 records between Part 2 programs and reduce burdens on such exchanges by allowing a written consent to be given once for all future TPO uses and disclosures. The Department supports the sharing of Part 2 records among health care entities and patients for continuity of care purposes and has proposed to align the Part 2 consent requirements and disclosure permissions with the Privacy Rule to the extent possible for such purposes within the legal authority granted by Congress.
Only redisclosures for legal proceedings by covered entities or business associates would be subject to the more stringent Part 2 restrictions, as discussed below in relation to §§ 2.64 and 2.65. Finally, the Department proposes to exclude covered entities and business associates from the requirements of paragraph (c) because they are already subject to the Privacy Rule requirements for business associate agreements. The Department welcomes comments concerning the extent to which the proposed changes to § 2.33 would result in reduction of patient Start Printed Page 74243 trust that their Part 2 records will be kept confidential and thus affect the ability to provide treatment to patients with SUD. The Department requests comment on how Part 2 programs and recipients of Part 2 records would identify records for which a patient has given consent for TPO uses and disclosures generally as compared to consent for one purpose or a consent limited to certain segments of Part 2 information. In addition, the Department seeks comment on the ways to increase coordination amongst not only amongst Part 2 programs or recipients of Part 2 records and providers of other healthcare services but also with the health IT developer and HIE communities to protect privacy for Part 2 records within EHRs. Finally, the Department requests comment on how the proposed revisions to § 2.33 might affect the future data segregation practices of Part 2 programs and recipients of Part 2 records.
§ 2.34—Uses and Disclosures To Prevent Multiple Enrollments (Proposed Heading)
Section 2.34 permits a Part 2 program to disclose patient records to certain central registries to prevent multiple enrollments of a patient to withdrawal management or maintenance treatment programs when conditions are met. The Department proposes to replace the phrase “re-disclose or use” with “use or redisclose” at § 2.34(b), as it relates to preventing a registry from using or redisclosing Part 2 records, to align the language of this provision with the Privacy Rule as discussed above. The Department also proposes a minor wording change to refer to “use of information in records” instead of just “use of information” to make clear that this provision relates to Part 2 records.
§ 2.35—Disclosures to Elements of the Criminal Justice System Which Have Referred Patients
Section 2.35 of 42 CFR part 2 outlines conditions for disclosures back to persons within the criminal justice system who have referred patients to a Part 2 program for SUD diagnosis or treatment as a condition of the patients' confinement or parole. The Department proposes to clarify that the permitted disclosures would be of information from the Part 2 record and to replace the term “individual” within the criminal justice system with “persons.” As discussed above, the term “individual” is defined in the HIPAA Rules to refer to natural persons who are the subject of PHI,[169] while the analogous term in Part 2 for the subjects of Part 2 records is “patient.”
To avoid potential misunderstanding due to different terminology, the Department proposes to use “persons” when referring to someone other than the individual patient. In conjunction with this proposed change in usage, the Department proposes to replace the Part 2 definition of “person” with the HIPAA regulatory definition at 45 CFR 160.103. This definition includes both natural persons and legal entities. The Department also proposes to add the phrase “from a record” after the term “information” to make clear that this section regulates “records”, and replaces “disclosure and use” with “use and disclosure” in several places to parallel the Privacy Rule.
The Department welcomes comment on its approach to identifying “persons” within the criminal justice system who have referred patients to a Part 2 program, including whether the alternative term “personnel” would more accurately cover the circumstances under which referrals under § 2.35 are made.
Subpart D—Uses and Disclosures Without Patient Consent (Proposed Heading)
The Department proposes to modify the heading of subpart D by adding the term “uses” so it reads “Uses and Disclosures Without Patient Consent” to clarify that some of the regulated activities in this subpart—including research in § 2.52(b) ( e.g., conducting scientific research using patient identifying information), preparing research reports in § 2.52(b)(3), and Audit and evaluation (now proposed as “Management audits, financial audits, and program evaluation”)—include internal uses of Part 2 records by regulated entities.
§ 2.51—Medical Emergencies
Section 2.51 of 42 CFR part 2 permits Part 2 programs to disclose patient identifying information to medical personnel in certain circumstances. In § 2.51(c)(2), the Department proposes to replace the term “individual” with the term “person” as discussed above in § 2.11, Definitions.
§ 2.52—Scientific Research (Proposed Heading)
Section 2.52 of 42 CFR part 2 permits Part 2 programs to disclose patient identifying information for research, without patient consent, under limited circumstances. The Department proposes to update the title of this section for consistency with the statute and to add the term “use” to § 2.52(a). In § 2.52(b)(3), any individual or entity conducting scientific research using patient identifying information may include part 2 data in research reports only in non-identifiable aggregate form. The Department proposes to change the standard in § 2.52(b)(3) to more closely align with the Privacy Rule de-identification standard. Specifically, for § 2.52(b)(3), the Department proposes changes to the text to read: “. . . patient identifying information has been de-identified in accordance with the requirements of the Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.” The Department requests comment on any benefits, costs, and potential unintended adverse consequences that may result from this proposed change. The Department also proposes to replace several instances of the phrase “individual or entity” with the term “person”, which would encompass both individuals and entities, and to replace the term “individual” with the term “person.”
§ 2.53—Management Audits, Financial Audits, and Program Evaluation (Proposed Heading)
The Department proposes to change the heading of § 2.53 to specifically refer to management audits, financial audits, and program evaluation to more clearly describe the disclosures permitted without consent under 42 U.S.C. 290dd-2(b)(2)(B). The Department also proposes to replace several instances of the phrase “individual or entity” with the term “person”, which would encompass both individuals and entities.
Section 2.53 of 42 CFR part 2 permits a Part 2 program or lawful holder to disclose patient identifying information to any individual or entity in the course of certain Federal, State, or local audit and program evaluation activities. Section 2.53 also permits a Part 2 program to disclose patient identifying information to Federal, State, or local government agencies and their contractors, subcontractors, and legal representatives when mandated by law, if the audit or evaluation cannot be carried out using de-identified information.
There is significant overlap between activities described as “audit and evaluation” in § 2.53 and health care operations as defined in the Privacy Start Printed Page 74244 Rule at 45 CFR 164.501. For example, the following audit and evaluation activities under Part 2 align with the health care operations defined in the Privacy Rule, as cited below:
• § 2.53(c)(1) (government agency or third-party payer activities to identify actions, such as changes to its policies or procedures, to improve care and outcomes for patients with SUDs who are treated by part 2 programs; ensure that resources are managed effectively to care for patients; or determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD); [170]
• § 2.53(c)(2) (reviews of appropriateness of medical care, medical necessity, and utilization of services).[171]
• § 2.53(d) (accreditation).[172]
In addition, activities by individuals and entities conducting Medicare, Medicaid, and CHIP audits or evaluations described at § 2.53(e) parallel those defined as health oversight activities in the Privacy Rule at 45 CFR 164.512(d)(1). Part 2 programs and lawful holders making disclosures to these individuals and entities must agree to comply with all applicable provisions of 42 U.S.C. 290dd-2, ensure that the activities involving patient identifying information occur in a confidential and controlled setting, ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification ( e.g., through the use of codes) of a patient as having or having had an SUD; and must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part. Patient identifying information disclosed pursuant to § 2.53(e) may be further redisclosed to contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, but are restricted to only that which is necessary to complete the audit or evaluation as specified in paragraph (e).[173]
Section 3221(b) of the CARES Act amended the PHSA to permit Part 2 programs, covered entities, and business associates to use or disclose the contents of Part 2 records for TPO after obtaining the written consent of a patient.[174] Covered entities, business associates, and Part 2 programs are further permitted to redisclose the same information in accordance with the Privacy Rule. As the Department has noted throughout this NPRM, these new disclosure pathways are permissive, not required.
To implement the new TPO permission that includes the ability of such entities to use or disclose Part 2 records for health care operations with a general consent, the Department proposes to modify the audit and evaluation provisions at § 2.53 by adding the term “use” where the current language of § 2.53 refers only to disclosure and by adding paragraph (h), Disclosures for health care operations. This new provision would clarify that Part 2 programs, covered entities, and business associates are permitted to disclose Part 2 records pursuant to a consent for all future TPO uses and disclosures when a requesting entity is seeking records for activities described in paragraphs (c) or (d) of § 2.53. Such activities are health care operations, but do not include treatment and payment. To the extent that a requesting entity is itself a Part 2 program, covered entity, or business associate that has received Part 2 records pursuant to a consent that includes disclosures for health care operations, it would then be permitted to redisclose the records for other purposes as permitted by the Privacy Rule. Thus, if an auditing entity is a Part 2 program, covered entity, or business associate that has obtained consent and is not performing health oversight, it would not be subject to all the requirements of § 2.53 ( e.g., the requirement to only disclose the records back to the program that provided them). Requesting entities that are not Part 2 programs, covered entities, or business associates would not have this flexibility but would still use existing permissions in § 2.53 to obtain access to records for audit and evaluation purposes, and they would remain subject to the redisclosure limitations therein.
The CARES Act does not expressly address § 2.53; however, there is overlap between the audit and evaluation activities contemplated in § 2.53 and some activities defined as health care operations and health oversight activities in the Privacy Rule. The Department has consistently subjected its health oversight uses and disclosures to the requirements of § 2.53, and it does not believe that Congress intended differently when it amended section 290dd-2(b)(1)(B) of 42 U.S.C.
As under the existing regulation, a person performing applicable audit and evaluation activities may rely instead on patient consent for health care operations as a means of obtaining the needed records. The Department believes that in many instances this would not be feasible because it would require tracking and segregating records with consent from those without consent, and would reduce the overall number of records available for auditing and evaluation. However, the Department requests comment on whether the new redisclosure permission for Part 2 programs, covered entities, and business associates may create incentives for such recipients to rely on patient consent more frequently when performing audit and evaluation of records made available by Part 2 programs. Proposed paragraph (h) would leave intact existing disclosure permissions and requirements for audit and evaluation activities without consent, including health care oversight activities, such as described in paragraph (e). At the same time, the proposal would provide a new mechanism for programs and covered entities to obtain patient consents for all future TPO uses and disclosures (including redisclosures), which in some instances may include audit and evaluation activities.
The Department proposes this approach because it believes there is no basis to fully align the Part 2 audit and evaluation provisions with the Privacy Rule, given that the CARES Act consent provisions specifically incorporated only uses and disclosures for TPO purposes, not for health oversight activities. The Department requests comment on this interpretation and any anticipated benefits or costs of treating some audit and evaluation activities under Part 2 differently than others based on whether the activities would constitute health care operations or health oversight activities.
§ 2.54—Disclosures for Public Health (Proposed Heading)
The existing Part 2 regulations do not permit the disclosure of Part 2 records for public health purposes. The CARES Act, section 3221(c), added paragraph (b)(2)(D) to 42 U.S.C. 290dd-2 to permit Part 2 programs to disclose de-identified health information to public health authorities. Therefore, the Department proposes to add § 2.54 to permit Part 2 programs to disclose Part 2 records without patient consent to public health authorities provided that the information is de-identified in accordance with the standards in 45 CFR 164.514(b). This change is proposed in conjunction with the Department's proposed definitions for public health authority as described Start Printed Page 74245 above. Further, the proposed change should not be construed as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a). Thus, once Part 2 records are de-identified for disclosure to public health authorities, Part 2 no longer applies to the de-identified records.
The Department requests comment on any benefits or costs that may result from this proposed change.
Subpart E—Court Orders Authorizing Use and Disclosure (Proposed Heading)
The Department proposes to modify the heading of subpart E to reflect changes made to the provisions of this subpart related to the use and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by the section 3221(b) and (e) of the CARES Act.
§ 2.61—Legal Effect of Order
Current § 2.61 includes the requirement that beyond a court order, a subpoena must be issued to a Part 2 program in order to compel disclosure of Part 2 records. In addition to non-substantive wording edits reflected in the proposed regulatory text, the Department proposes to add the word “use” to paragraphs (a), (b)(1) and (b)(2) to clarify that the legal effect of a court order with respect to Part 2 records would include authorizing the use of Part 2 records, in addition to the disclosure of Part 2 records. The Department believes this approach is consistent with the CARES Act amendments to 42 U.S.C. 290dd-2.
§ 2.62—Order Not Applicable to Records Disclosed Without Consent to Researchers, Auditors and Evaluators
Currently, § 2.62 provides that a court order may not authorize qualified personnel who have received patient identifying information without consent for research, audit, or evaluation, to disclose the information or use it to conduct a criminal investigation of the patient. In addition to wording changes to improve readability, and reordering the phrase “disclosure and use” to “use and disclosure” for the same reasons described in other sections, the Department proposes to replace the term “qualified personnel” with a description of who falls within the term. The term “Qualified personnel” has a precise meaning but does not have a regulatory definition within 42 CFR part 2 and is used only once within the regulation. For greater clarity, the Department proposes to refer instead to “persons who meet the criteria specified in § 2.52(a)(1)(i)-(iii) of this part,” and later in the paragraph to “such persons.”
§ 2.63—Confidential Communications
Section 2.63(a) of 42 CFR part 2 currently provides that a court order may authorize disclosure of confidential communications made by a patient to a Part 2 program during diagnosis, treatment, or referral only if necessary: (1) to protect against a threat of serious bodily injury; (2) to prosecute the patient for a serious crime; or (3) in connection with litigation or an administrative proceeding in which the patient introduces their own Part 2 records. Paragraph (c) of 42 U.S.C. 290dd-2, as amended by section 3221(e) CARES Act, provides that Part 2 records may be disclosed in noncriminal legal proceedings only with patient consent or a court order, and added civil litigation and administrative proceedings to the list of proceedings for which Part 2 records cannot be used or disclosed by a government authority against a patient, absent a court order. To implement the changes to 42 U.S.C. 290dd-2, the Department proposes to specify in § 2.63(a)(3) that civil, as well as criminal, administrative, and legislative proceedings are circumstances under which a court may authorize disclosures of confidential communications made by a patient to a Part 2 program in Part 2 records when the patient opens the door by introducing their records or testimony that relays information in their records as evidence.
§ 2.64—Procedures and Criteria for Orders Authorizing Uses and Disclosures for Noncriminal Purposes (Proposed Heading)
Section 2.64 of 42 CFR part 2 governs court orders authorizing the disclosure of patient records for noncriminal investigations or prosecutions. Paragraph (a) of this section provides that any person with a legally recognized interest may apply for a court order authorizing the disclosure of patient records in noncriminal proceedings, and such person may file the application separately or as part of a pending civil action in which they assert the evidentiary need for the records. A court order under this section (or any section within subpart E) would be limited to the circumstances specified in § 2.63, discussed above. Section 3221(e) of the CARES Act expanded privacy protections by prohibiting the use of Part 2 records for these purposes, or disclosure or use of testimony relaying the contents of a patient's records. To implement this change, the Department proposes to modify the heading, paragraph (a), and paragraph (e) to include use, not only disclosure, of Part 2 records, and the use or disclosure of testimony relaying the information in such records.
The Department further proposes to modify § 2.64(a) by adding administrative, or legislative proceedings to the types of noncriminal proceedings for which a use or disclosure of Part 2 records must be authorized by a court order, absent patient consent or the application of § 2.53(e). Section 290dd-2(c) of 42 U.S.C., as amended, requires a court order, even when the disclosure or use is sought in an administrative, or legislative proceeding. Thus, when disclosure or use of Part 2 records or testimony relaying information in a record is sought in a non-judicial proceeding, the application would be filed separately in court.
Paragraph (e) of § 2.64 sets forth limitations for court orders authorizing the disclosure of patient records in noncriminal proceedings, limiting such disclosures to the portions of the patient's record that are essential to fulfill the purpose of the order. The Department proposes to add the word “only” to clarify the extent of the limitation. The disclosure must also be limited to those persons whose need for the information is the basis for the order and must include necessary measures to limit the use or disclosure.
The Department also proposes to modify subparagraphs (e)(1) through (e)(3) to include the use of patient records and the use or disclosure of testimony relaying the information in patient records. The Department proposes these modifications to align with 42 U.S.C. 290dd-2(c)(1) through (c)(3), as amended by section 3221(e) of the CARES Act (expanding privacy protection by prohibiting the use or disclosure of patient records or testimony relaying the contents of a patient's records).
§ 2.65—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Criminally Investigate or Prosecute Patients (Proposed Heading)
Section 2.65 of 42 CFR part 2 establishes procedures and criteria for court orders authorizing the use and disclosure of patient records in criminal investigations or prosecutions of the patient. Under § 2.65(a), the custodian of the patient's records, or a law enforcement or prosecutorial official responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws, may apply for a court order authorizing the disclosure of Part 2 records to Start Printed Page 74246 criminally investigate or prosecute a patient of a Part 2 program. The Department proposes the change, as discussed above, to refer to “use and disclosure” throughout this section instead of “disclosure and use.”
Parallel to the proposed changes to § 2.64, discussed above, the Department proposes to modify § 2.65(a) to include the use and disclosure of testimony relaying the information in patient records because the current provision is limited to disclosure of records and does not address the CARES Act expanded privacy protection which also prohibits the use or disclosure of testimony relaying the contents of a patient's records. The Department further proposes to modify § 2.65(a) to add administrative, and legislative criminal proceedings to the criminal proceedings for which the use or disclosure of Part 2 patient records may be authorized by a court order, consistent with the CARES Act. In addition to criminal prosecutions brought as part of the judicial process, criminal investigations may be carried out by executive agencies and legislative bodies and the CARES Act has widened the confidentiality protections for patients in all of these forums where there may be a risk of exposure and liability.
Subparagraph (d) of § 2.65 sets forth criteria for the issuance of a court order authorizing the disclosure and use of patient records to conduct a criminal investigation or prosecution of a patient. Specifically, § 2.65(d)(2) requires a reasonable likelihood that the records would disclose information of substantial value in the investigation or prosecution.
The Department proposes to modify §§ 2.65(d) and (d)(2) in a manner similar to proposed § 2.65(a), discussed above, to include the use or disclosure of testimony relaying the information in Part 2 records. Under the proposed modification, the criteria in § 2.65(d) would apply to court orders authorizing not only the use and disclosure of Part 2 records, but also the use and disclosure of testimony relaying the information in those records, consistent with 42 U.S.C. 290dd-2(c), as amended section 3221(c) of the CARES Act.
Subparagraph (e) of § 2.65 sets forth requirements for the content of a court order authorizing the use or disclosure of patient records for the criminal investigation or prosecution of the patient. Specifically, § 2.65(e)(1) requires that such order must limit the use or disclosure to those parts of the patient's record as are essential to fulfill the objective of the order. Section 2.65(e)(2) requires that the order limit the disclosure to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records to investigation and prosecution of the extremely serious crime or suspected crime specified in the application. The existing rule, at § 2.63(1) and (2), specifies that the type of crime for which an order could be granted would be one “which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect.” [175] Thus, the use of an illegal substance does not in itself constitute an extremely serious crime.
The Department proposes to modify §§ 2.65(e) and (e)(1) through (e)(2) in a manner similar to §§ 2.65(a) and 2.65(d) and (d)(2), discussed above, to include the use and disclosure of testimony relaying the information in patient records. The proposed modification would apply the same limitations on a court order authorizing the use or disclosure of a patient's records to court orders authorizing not only the use or disclosure of testimony relaying the information in those records. The proposed modification to § 2.65(e)(1) would limit uses and disclosures to those parts of a patient's records or testimony relaying the information in those records which are essential to fulfill the objective of the order. Likewise, the proposed modification to § 2.65(e)(2) would limit disclosures to those law enforcement and prosecutorial officials who are responsible for, or are conducting, the investigation or prosecution, and limit their use of the records or testimony to investigation and prosecution of the extremely serious or suspected crime specified in the application and as limited by § 2.63.
The above-noted proposed modifications to §§ 2.65(d) and (d)(2), 2.65(e), and 2.65(e)(1) and (e)(2), each would add the use and disclosure of testimony relaying the information in patient records to the protections already afforded Part 2 records under the regulations.
§ 2.66—Procedures and Criteria for Orders Authorizing Use and Disclosure of Records To Investigate or Prosecute a Part 2 Program or Person Holding the Records (Proposed Heading)
Section 2.66 specifies the persons who may apply for an order authorizing the disclosure of patient records for the purpose of investigating or prosecuting a Part 2 program in connection with legal proceedings, how such persons may file the application, and provides that, at the court's discretion, such orders may be granted without notice to the Part 2 program or patient.
The Department proposes a new paragraph (a)(3) that details procedures for investigative agencies to follow in the event they unknowingly obtain Part 2 records during an investigation or prosecution of a Part 2 program or person holding Part 2 records. Specifically, the Department would require an investigative agency (other than one proceeding under § 2.53(e)) that discovers in good faith that it has obtained Part 2 records to secure the records according to § 2.16 and cease using or disclosing them until it obtains a court order authorizing the use and disclosure of the records and any records later obtained, within a reasonable period of time, but not more than 120 days after discovering it received the records. If the agency does not seek a court order, it must return the records to the Part 2 program or person holding the records if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days from discovery; or, if the agency does not seek a court order or return the records, it must destroy the records in a manner that renders the patient identifying information non-retrievable, within a reasonable period of time, but not more than 120 days from discovery. Finally, if the agency's application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the Part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice of rejection from the court.
The Department proposes in paragraph (b) to provide an option for substitute notice by publication when it is impracticable under the circumstances to provide individual notification of the opportunity to seek revocation or amendment of a court order issued under § 2.66. Additionally, the Department proposes to reorganize paragraph (c) by expressly incorporating the provisions from § 2.64(d) that would require an applicant to show a court the good cause requirement and criteria, and adding the proposed § 2.3(b) requirements as elements of good cause for investigative agencies that apply for a court order under proposed § 2.66(a)(3)(ii).
The Department proposes to replace the phrase “disclosure and use” with “use and disclosure” to align the language of this section with the Privacy Start Printed Page 74247 Rule in paragraphs (a) through (d). The Department also proposes minor wording changes to improve readability, viewable in proposed regulatory text.
§ 2.67—Orders Authorizing the Use of Undercover Agents and Informants To Investigate Employees or Agents of a Part 2 Program in Connection With a Criminal Matter
Current § 2.67 authorizes the placement of an undercover agent in a Part 2 program as an employee or patient by law enforcement or prosecutorial agency pursuant to court order when the law enforcement organization has reason to believe the employees of the Part 2 program are engaged in criminal misconduct.
The Department proposes to clarify that the good cause criteria for a court order in paragraph (c)(2) includes circumstances when obtaining the evidence another way would “yield incomplete evidence.” The Department also proposes to create a new paragraph (c)(4) addressing investigative agencies' belated applications for a court order authorizing placement of an undercover informant or agent to investigate a Part 2 program or its employees. The provision would require the investigative agency to satisfy the conditions at proposed § 2.3(b) before applying for a court order for Part 2 records after discovering that it unknowingly had received such records.
Finally, the Department proposes to replace the phrase “law enforcement or prosecutorial” with “investigative” in paragraph (a) and to add the words “using or” in front of “disclosing” in paragraph (d)(3) of this section and “and disclosure” after the term “use” in paragraph (e) of this section to implement 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES Act, which prohibits the use or disclosure of Part 2 records in these circumstances.
§ 2.68—Report to the Secretary (Proposed Heading)
The Department proposes to create a new § 2.68 to require investigative agencies to file an annual report with the Secretary of the applications filed for court orders after use or disclosure of records in an investigation or prosecution of a program or holder of records under § 2.66(a)(3)(ii) and after placement of an undercover agent or informant under § 2.67(c)(4). The report would also include the number of instances in which such applications were denied due to findings by the court of violations of this part during the calendar year, and the number of instances in which the investigative agency returned or destroyed Part 2 records following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii), (iv), or (v), respectively during the calendar year. The Department proposes that such reports would be due within 60 days following the end of the calendar year.
Request for Comments
The Department requests public comment on all aspects of the proposed amendments to the regulations at 42 CFR part 2, Confidentiality of Substance Use Disorder Patient Records (Part 2), and 45 CFR 164.520, Notice of Privacy Practices for Protected Health Information, and on the specific questions below. The Department welcomes public comment on any benefits or drawbacks of the proposed amendments set forth above in this proposed rule.
1. § 2.2 Purpose and Effect. The Department requests comment on whether the Department's proposals adding the terms “use” or “uses” to existing regulatory text that currently only state “disclose” or “disclosure,” would substantively expand the scope of the applicable requirements and prohibitions in a manner not intended. The Department seeks input and specific examples of where the proposed insertion of new terms could result in any unintended adverse consequences for regulated entities.
2. § 2.3 Civil and Criminal Penalties for Violations. The Department requests comment on its proposals at § 2.3(b) to create a limitation on civil or criminal liability for persons acting on behalf of investigative agencies if they unknowingly receive Part 2 records while investigating a program or other person holding Part 2 records without first obtaining the requisite court order, and on the proposed conditions to qualify for the limitation. Specifically, the Department requests comment on the potential impact on patient privacy and access to SUD treatment if investigative agencies can utilize a safe harbor when they unknowingly are in receipt of Part 2 records after first checking whether the program actually provides SUD services. Additionally, the Department requests comment on whether the listed activities should be the only ways an investigative agency may establish reasonable diligence. If there should be additional ways, what should they be and should they be included in regulatory text as an exclusive list?
3. § 2.11 Definitions.
Business associate. The Department solicits comment on the proposal to adopt the definition of “business associate” that is used in the HIPAA Privacy Rule.
Health care operations. The Department requests comment on the proposed definition of “health care operations”, including the proposed approach in the consent requirements to offer an opt-in for fundraising, but not for de-identification and creating a designated record set.
Intermediary. The Department requests comment on the proposed definition of intermediary and whether, in light of the new permission to disclose records for TPO based on a single prior consent, the requirements for an intermediary should be retained or removed.
Investigative agency. The Department requests comment on the proposed definition of “investigative agency” and any concerns about including local agencies in the term, such as lack of uniform procedures, inconsistency across a state, or examples of local investigative agencies involvement in investigating Part 2 programs. The Department also requests comment on whether to interpret state (or local, if it is added) to include Tribal agencies or whether to expressly include Tribal agencies within the regulatory definition. The existing Part 2 regulation does not reference the term “Tribal.”
Lawful holder. Additionally, the Department requests comment on whether a definition of “lawful holder” is needed to properly enforce § 2.16 as discussed above and in the regulatory alternatives considered. The Department also requests comment on whether, with respect to § 2.33, there are types of recipients of Part 2 records by way of a consent that should be excluded from a definition of “lawful holder”.
Personal representative. With respect to persons who are authorized to make health care decisions on behalf of a minor, a patient who lacks capacity to make their own decisions, or a patient who is deceased, the Department requests comment on any benefits or drawbacks of adopting the Privacy Rule term “personal representative,” and the description of the term in 45 CFR 164.502(g)(2), as a defined term within this part. If adopted, this term would replace the phrase “guardian or other persons authorized under state law to act on the patient's behalf” and “executor, administrator, or other personal representative appointed under applicable state law.”
Records. With respect to the consideration of newly defining SUD counseling notes that would be part of a record, the Department requests comment on the benefits and burdens of adopting such a definition, similar to Start Printed Page 74248 the psychotherapy notes provision under HIPAA. Additionally, the Department requests comment on the scope of SUD personnel who could potentially create SUD counseling notes and utilize the additional patient privacy protections they afford and whether a regulatory definition for SUD professional should be created.
Use. With respect to the proposed definition of “use”, the Department requests comment on whether to retain the specific reference to the use of records in certain proceedings against the patient, addressed at §§ 2.61-2.67, or whether it would be clearer to adopt only the definition of the term “use” from the HIPAA Rules at 45 CFR 160.103.
4. § 2.16 Security for records and notification of breaches. The Department requests public comment regarding the estimated burden for Part 2 programs that are not covered entities to comply with the proposed breach notification requirements. The Department also requests comment regarding the application of the Privacy Rule de-identification standard to rendering Part 2 records non-identifiable, as provided in the proposed modifications to § 2.16(a)(1)(v) and (a)(2)(iv), including any unintended adverse consequences that may result from these proposed changes. The Department requests comment regarding whether the Security Rule or similar requirements should apply to Part 2 programs that maintain electronic records but are not covered entities in the same manner as the Security Rule applies to covered entities and business associates. The Department requests comment on whether breach notification requirements that apply to business associates pursuant to the Privacy Rule should apply to QSOs as they are similarly situated. In addition, the Department requests comments from Part 2 programs that are not covered entities on whether they look to the HIPAA Security Rule generally for guidance on protecting electronic Part 2 records or otherwise voluntarily attempt to follow the requirements of the Security Rule. For any programs that may do so, the Department requests comment on what their experience has been, including any implementation costs. Finally, the Department requests comment on whether the requirements of this section that apply to a lawful holder should in any way depend on the level of sophistication of a lawful holder who is in receipt of Part 2 records by written consent, or should depend on whether the lawful holder is acting in some official or professional capacity connected to or related to the Part 2 records.
5. § 2.22 Notice to patients of Federal confidentiality requirements and 45 CFR 164.520 Notice of privacy practices for protected health information. The Department requests comment on ways to make the proposed notices more easily understandable, including examples of possible approaches, such as requiring the document to be at a particular reading grade level, maximum number of pages, or other suggestions. The Department specifically requests comment from legal, clinical, privacy, and civil rights experts on this matter.
6. § 2.24 Requirements for intermediaries. The Department solicits comment on the proposed reorganization and clarification of requirements for entities that facilitate health information exchange and whether there is a continued need for these requirements in light of the accounting of disclosures proposed in § 2.25. Specifically, the Department solicits comment on how Part 2 programs have been implementing the existing requirements for intermediaries in § 2.13(d) and § 2.31(a)(4)(ii) and examples of how those requirements have affected the ability of Part 2 programs to utilize HIEs.
7. § 2.25 Accounting of disclosures. The Department requests comment on the proposals to add a requirement for an accounting of disclosures for non-TPO disclosures and an accounting of disclosures through an electronic health record for TPO. The Department welcomes data from Part 2 programs that are also covered entities on the number and type of requests for an accounting of disclosures of PHI received annually, whether and how frequently they receive requests for an accounting of disclosures for TPO, and to what extent such covered entities are choosing to provide individuals with an accounting of TPO disclosures made through an electronic health record based on the HITECH Act statutory requirement, even absent an implementing regulation. The Department also welcomes comment on the provider burden and costs to respond to a request for an accounting for both TPO disclosures and non-TPO disclosures.
8. § 2.26 Right to request privacy protection for records. The Department requests comment and data on the extent to which covered entities and Part 2 programs receive requests from patients to restrict disclosures of patient identifying information for TPO purposes, how entities and programs track such requests, and the procedures and mechanisms used to comply with patient requests to which they have agreed or that they are otherwise required to comply with by law.
9. § 2.31 Consent requirements. The Department requests comments on its proposals that would implement changes to § 2.31. Specifically, the Department requests comment on whether there are other changes that it should make to further align § 2.31 with the Privacy Rule using its general regulatory authority in section 3221(i)(1) of the CARES Act “to make such revisions to regulations as may be necessary for implementing and enforcements the amendments.” For example, the Department requests comment on the extent to which Part 2 programs segment out SUD treatment records considered “SUD counseling notes.” The Department requests comment on whether to propose special protection for SUD counseling notes to add a layer of regulatory protection that equates to the protection granted to psychotherapy notes in the Privacy Rule by requiring a separate written consent for their disclosure.[176]
The Department also solicits comment on the proposed changes to the consent requirements for entities that facilitate health information exchanges ( i.e., intermediaries), particularly how they would affect the implementation of proposed changes to consent for TPO. The Department requests comment on whether, and to what extent, Part 2 programs currently act on an oral revocation of consent, and if so, whether and how this is documented or tracked.
10. § 2.32 Notice to accompany disclosure. The Department welcomes comment from Part 2 programs that are covered entities, and recipients of Part 2 records that are covered entities or business associates, on whether and how the proposed changes to the redisclosure permissions in § 2.32 are likely to reduce data segregation and positively affect the ability to provide treatment to patients with SUD and perform other beneficial activities. Specifically, the Department seeks comment on whether the proposed changes alone would be sufficient to implement section 3221 of the CARES Act, or whether different or additional modifications to Part 2 would be more effective to promote integration of Part 2 records with PHI, reduce stigma for patients with SUD, and improve access Start Printed Page 74249 to SUD treatment while maintaining the confidentiality of Part 2 records as required by 42 U.S.C. 290dd-2.
11. § 2.33 Uses and disclosures permitted with written consent. The Department requests comment on whether or how recipients of Part 2 records are informed that the records have been disclosed based on patient consent and the scope of the consent that is provided. Specifically, the Department welcomes data on how Part 2 programs and recipients of Part 2 records communicate information about the purpose of a disclosure or set of disclosures and the extent of the information communicated about the purpose or the scope of the disclosure permission, authorization, or mandate. Should the Department consider requiring Part 2 programs to provide a copy of the written patient consent when disclosing records? Should the Department consider requiring Part 2 programs, covered entities, and business associates to retain a copy of the written patient consent for a minimum period of time so that they can provide documentation of the consent to future recipients, or to the Secretary for purposes of investigating compliance with Part 2? Are programs already doing this? To what extent would such requirements be useful to recipients of Part 2 records or impose a burden on programs? Additionally, should the Department require programs to inform an HIE when a patient revokes consent for TPO so that additional uses and disclosures by the HIE would not be imputed to the programs that have disclosed Part 2 records to the HIE? The Department also welcomes comments on the potential unintended negative effects on confidentiality and privacy from the combined application of the proposed disclosure permissions for TPO with consent under § 2.33, and the removal of § 2.53 protections for audit and evaluation activities that fall within the definition of health care operations, and suggested regulatory approaches.
12. § 2.52 Scientific research. The Department requests public comment on whether any Part 2 programs conduct research using their own Part 2 records. The Department also requests public comment regarding the application of the HIPAA de-identification standard to Part 2 records disclosed for research, as provided in the proposed modifications to § 2.52(a)(3), including any unintended adverse consequences that may result from this proposed change.
13. § 2.53 Management audits, financial audits, and program evaluation. The Department requests comment on its proposal to acknowledge within this section the applicable permission for use and disclosure of records for health care operations purposes based on written consent of the patient for all future uses and disclosures for TPO and the permission for the third party conducting such audit or evaluation activities to redisclose the records as permitted by the HIPAA Privacy Rule if the third-party recipient is a Part 2 program, covered entity, or business associate that is not acting as a health oversight agency.
14. Section 2.54 Disclosures for public health. The Department requests comment on its proposal to permit disclosures only of de-identified records for public health purposes without patient consent.
15. Subpart E. The Department seeks comment on the set of proposals in §§ 2.3, 2.66, 2.67, and 2.68 to create a limitation on civil and criminal liability for investigative agencies that in good faith discover they have received Part 2 records before obtaining the required court order in the course of investigating or prosecuting a program, and the related requirement for agencies that make use of these provisions to submit a report to the Secretary.
Public Participation
The Department seeks comment on all issues raised by the proposed regulation, including any unintended adverse consequences. Because of the large number of public comments normally received on Federal Register documents, the Department is not able to acknowledge or respond to them individually. In developing the final rule, the Department will consider all comments that are received by the date and time specified in the DATES section of the Preamble.
Because mailed comments may be subject to security delays due to security procedures, please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Any attachments submitted with electronic comments on www.regulations.gov should be in Microsoft Word or Portable Document Format (PDF). Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.
Regulatory Impact Analysis
The Department has examined the impact of the proposed rule as required by Executive Order 12866 on Regulatory Planning and Review, 58 FR 51735 (October 4, 1993); Executive Order 13563 on Improving Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); Executive Order 13132 on Federalism, 64 FR 43255 (August 10, 1999); Executive Order 13175 on Consultation and Coordination with Indian Tribal Governments, 65 FR 67249 (November 9, 2000); the Congressional Review Act, Public Law 104-121, sec. 251, 110 Stat. 847 (March 29, 1996); the Unfunded Mandates Reform Act of 1995, Public Law 104-4, 109 Stat.48 (March 22, 1995); the Regulatory Flexibility Act, Public Law 96-354, 94 Stat. 1164 (September 19, 1980); Executive Order 13272 on Proper Consideration of Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the Assessment of Federal Regulations and Policies on Families, Public Law 105-277, sec. 654, 112 Stat. 2681 (October 21, 1998); and the Paperwork Reduction Act of 1995, Public Law 104-13, 109 Stat. 163 (May 22, 1995).
A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review
Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to, and reaffirms the principles, structures, and definitions governing regulatory review as established in, Executive Order 12866.
This proposed rule is partially regulatory and partially deregulatory. The Department estimates that the effects of the proposed requirements for Part 2 programs would result in new costs of $19,364,667 within 12 months of implementing the final rule. The Department estimates these first-year costs would be partially offset by $12,755,378 of first year cost savings, attributable to reductions in the need for Part 2 programs to obtain written patient consent for disclosures for treatment, payment, or health care operations (TPO) ($9.8 million); reductions in the need for covered entities, business associates, and Part 2 programs to obtain written patient consent for redisclosures ($2.5 million); and reductions in capital expenses for printing consent forms ($0.5 million). This is followed by net savings of $10,240,622 annually in years two through five, resulting from a continuation of first-year cost saving of $12.8 million per year, minus the estimated annual costs of $2.5 million primarily attributable to compliance with breach notification requirements. This results in overall net cost savings of $34,353,198 over 5 years for changes Start Printed Page 74250 to 42 CFR part 2. In addition, the Department estimates that changes to 45 CFR 164.520 would result in new nonrecurring costs for covered entities that receive or maintain Part 2 records in the amount of $44,935,225. Combined, the proposed regulatory changes to Part 2 and the Privacy Rule would result in estimated total costs of $64,299,891 in the first year (approximately $19 million from Part 2 programs and $45 million from 45 CFR 164.520), followed by $2,514,756 of recurring annual costs in years two through five (from Part 2 programs), for a total of $74,358,914. This would be offset by an estimated annual savings of $12,755,378 for a total of $63,776,888 over five years. The combined result would be a net cost of $51,544,514 in the first year following the rule's effective date, followed by annual net savings of $10,240,622, resulting in 5-year net cost of $10,582,027 for HIPAA covered entities and Part 2 programs.
The Department estimates that the private sector would bear approximately 60 percent of the costs, with state and federal health plans bearing the remaining 40 percent of the costs. All of the cost savings experienced from the first year through subsequent years would benefit Part 2 programs and covered entities. As a result of the economic impact, the Office of Management and Budget (OMB) has determined that this proposed rule is not an economically significant regulatory action within the meaning of section (3)(f)(1) of E.O. 12866; however, it is a significant regulatory action because it presents novel legal and policy issues. Accordingly, OMB has reviewed this proposed rule.
The Department presents a detailed analysis below.
Summary of the Proposed Rule
This Notice of Proposed Rulemaking (NPRM) proposes to modify 42 CFR part 2 (“Part 2”) and 45 CFR 164.520 to implement changes required by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to further align Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules, and for clarity and consistency. Major proposals are summarized below:
(1) § 2.1—Statutory authority for confidentiality of substance use disorder patient records.
Revise § 2.1 to more closely reflect the authority granted in 42 U.S.C. 290dd-2(g), especially with respect to court orders authorizing the disclosure of records.
(2) § 2.2—Purpose and effect.
Amend paragraph (b) of § 2.2 to reflect that § 2.3(b) compels disclosures to the Secretary that are necessary for enforcement of this rule, using language adapted from the Privacy Rule at 45 CFR 164.502(a)(2)(ii). Add a new paragraph (b)(3) to this section to prohibit any limits on a patient's right to request restrictions on use of records for treatment, payment, or health care operations (TPO) or a covered entity's choice to obtain consent to use or disclose records for TPO purposes as provided in the Privacy Rule.
(3) § 2.3—Civil and criminal penalties for violations (proposed heading).
Amend the heading and replace title 18 U.S.C. enforcement with references to the HIPAA enforcement authorities in the Social Security Act at sections 1176 (civil enforcement, including the CMP tiers established by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and 1177 (criminal penalties),[177] as implemented in the Enforcement Rule.[178] Create a limitation on civil or criminal liability for investigative agencies that act with reasonable diligence before making a demand for records in the course of an investigation of a program or other person holding Part 2 records by taking certain steps to determine whether a provider is subject to Part 2.
(4) § 2.4—Complaints of violations. (proposed heading)
Amend the heading and insert requirements consistent with those applicable to HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a requirement to establish a process for the Part 2 program to receive complaints, a prohibition against taking adverse action against patients who file complaints, and a prohibition against requiring individuals to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
(5) § 2.11—Definitions.
Add new terms and definitions to align with the following statutory and regulatory HIPAA terms: Breach, Business associate, Covered entity, Health care operations, HIPAA, HIPAA regulations, Payment, Person, Public health authority, Treatment, Unsecured protected health information, and Use. Create new definitions for the terms Intermediary, Investigative agency, and Unsecured record, and modify the definitions of Informant, Part 2 program director, Patient, Program, Records, Third-party payer, Treating provider relationship, and Qualified service organization.
(6) § 2.12—Applicability.
Replace “Armed Forces” with “Uniformed Services” in paragraph (c)(2) of § 2.12. Incorporate four statutory examples of restrictions on the use or disclosure of Part 2 records to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient. Add language to qualify the term third-party payer with the phrase “as defined in this part.” Revise paragraph (e)(4)(i) to clarify when a diagnosis it not covered by Part 2.
(7) § 2.13—Confidentiality restrictions and safeguards.
Redesignate § 2.13(d) requiring a list of disclosures as new § 2.24 and modify the text for clarity. Amend the heading to distinguish the right to a list of disclosures made by intermediaries from the proposed new right to an accounting of disclosures made by a Part 2 program.
(8) § 2.14—Minor patients.
Change the verb “judges” to “determines” to describe a program director's evaluation and decision that a minor lacks decision making capacity.
(9) § 2.15—Patients who lack capacity and deceased patients. (proposed heading)
Revise to replace outdated language and refer instead to a lack of capacity to make health care decisions and add health plans to the list of entities to which a program may disclose records without consent.
(10) § 2.16—Security for records and notification of breaches. (proposed heading)
Apply the HITECH Act breach notification provisions [179] that are currently implemented in the Breach Notification Rule to breaches of records by Part 2 programs and retitle the provision to include breach notification to implement CARES Act provisions. Modify the provision to refer to the Privacy Rule de-identification standard at 45 CFR 164.514.
(11) § 2.19—Disposition of records by discontinued programs.
Add an exception to clarify that these provisions do not apply to transfers, retrocessions, and reassumptions of Part 2 programs under the Indian Self-Determination and Education Start Printed Page 74251 Assistance Act (ISDEAA), in order to facilitate the responsibilities set forth in 25 U.S.C. 5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C 5324(e), 25 U.S.C. 5330, 25 U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA regulations. Modernize the language to refer to “non-electronic” records and include “paper” records as an example of non-electronic records.
(12) § 2.22—Notice to patients of federal confidentiality requirements.
Modify the Part 2 confidentiality notice requirements (hereinafter, “Patient Notice”) to align with the Notice of Privacy Practices (NPP) and address protections required by 42 U.S.C. 290dd-2, as amended by section 3221 of the CARES Act, for entities that create or maintain Part 2 records.
(13) § 2.23—Patient access and restrictions on use and disclosure. (proposed heading)
Add the term “disclosure” to the heading and body of this section to clarify that information obtained by patient access to their record may not be used or disclosed for purposes of a criminal charge or criminal investigation.
(14) § 2.24—Requirements for intermediaries (redesignated and proposed heading).
Retitle the redesignated section (to be moved from § 2.13(d)) as “Requirements for intermediaries” to clarify the responsibilities of recipients of records received under a consent with a general designation, such as health information exchanges, research institutions, accountable care organizations, and care management organizations.
(15) § 2.25—Accounting of disclosures (proposed heading).
Add this section to implement 42 U.S.C. 290dd-2(b)(1)(D), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act right to an accounting of certain disclosures of records for up to three years prior to the date the accounting is requested and add a right to an accounting of disclosures of records that mirrors the standard in the Privacy Rule at 45 CFR 164.528.
(16) § 2.26—Right to request privacy protection for records (proposed heading).
Add this section to implement 42 U.S.C. 290dd-2(b)(1)(B), as amended by the section 3221 of the CARES Act, to incorporate into Part 2 the HITECH Act rights implemented in the Privacy Rule at 45 CFR 164.522, namely: (1) a patient right to request restrictions on disclosures of records otherwise permitted for TPO purposes, and (2) a patient right to obtain restrictions on disclosures to health plans for services paid in full by the patient.
(17) Subpart C—Uses and Disclosures With Patient Consent. (proposed heading)
Change the heading of subpart C to “Uses and Disclosures With Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2(b), as amended by the section 3221(b) of the CARES Act.
(18) § 2.31—Consent requirements.
Align the content requirements for Part 2 written consent with the content requirements for a valid HIPAA authorization and clarify how recipients may be designated in a consent to use and disclose Part 2 records for TPO.
(19) § 2.32—Notice to accompany disclosure (proposed heading).
Change the heading of this section and align the content requirements for the required notice that accompanies a disclosure of records (hereinafter “notice to accompany disclosure”) with the requirements of 42 U.S.C. 290dd-2(b), as amended by section 3221(b) of the CARES Act.
(20) § 2.33—Uses and disclosures permitted with written consent (proposed heading).
To align this provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, replace the provisions requiring consent for uses and disclosures for payment and certain health care operations with permission to use and disclose records for TPO based on a single consent given once for all such future uses and disclosures, until such time as the patient revokes the consent in writing. Create redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent: (1) Permit a Part 2 program, covered entity, or business associate that receives Part 2 records pursuant to a written consent for TPO purposes to redisclose the records in any manner permitted by the Privacy Rule, except for certain legal proceedings against the patient; [180] and (2) Permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.
(21) § 2.35—Disclosures to elements of the criminal justice system which have referred patients.
For clarity, replace “individuals” with “persons” and clarify that permitted redisclosures of information are from Part 2 records.
(22) Subpart D—Uses and Disclosures Without Patient Consent (proposed heading).
Change the heading of subpart D to “Uses and Disclosures Without Patient Consent” to reflect changes made to the provisions of this subpart related to the consent to use and disclose Part 2 records, consistent with 42 U.S.C. 290dd-2 as amended by the CARES Act.
(23) § 2.51—Medical emergencies.
For clarity in § 2.51(c)(2), replace the term “individual” with the term “person.”
(24) § 2.52—Scientific research (proposed heading).
Revise the heading of § 2.52 to reflect statutory language. To further align Part 2 with the Privacy Rule, replace the requirements to render Part 2 data in research reports non identifiable with the Privacy Rule's de-identification standard in 45 CFR 164.514.
(25) § 2.53—Management audits, financial audits, and program evaluation (proposed heading).
Revise the heading of § 2.53 to reflect statutory language. To support implementation of 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of the CARES Act, add a provision to acknowledge the permission for use and disclosure of records for health care operations purposes based on written consent of the patient and the permission to redisclose such records as permitted by the HIPAA Privacy Rule if the recipient is a Part 2 program, covered entity, or business associate.
(26) § 2.54—Disclosures for public health (proposed heading).
Add a new § 2.54 to implement 42 U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES Act, to permit disclosure of records without patient consent to public health authorities provided that the records disclosed are de-identified according to the standards established in section 45 CFR 164.514.
(27) Subpart E—Court Orders Authorizing Use and Disclosure (proposed heading).
Change the heading of subpart E to reflect changes made to the provisions of this subpart related to the uses and disclosure of Part 2 records in proceedings consistent with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b) and (e) of the CARES Act.
(28) § 2.61—Legal effect of order.
Add the term “use” to clarify that the legal effect of a court order would include authorizing the use and Start Printed Page 74252 disclosure of records, consistent with 42 U.S.C. 290dd-2(b) and (c), as amended by section 3221(e) of the CARES Act.
(29) § 2.62—Order not applicable to records disclosed without consent to researchers, auditors, and evaluators.
For clarity, replace the term “qualified personnel” with a reference to the criteria that define such persons.
(30) § 2.63—Confidential communications.
Revise paragraph (c) of § 2.63 to expressly include civil, criminal, administrative, and legislative proceedings as forums where the requirements for a court order under this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by section 3221(c) of the CARES Act.
(31) § 2.64—Procedures and criteria for orders authorizing uses and disclosures for noncriminal purposes (proposed heading).
Expand the types of forums where restrictions on use and disclosure of records in civil proceedings against patients apply [181] to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a record in civil proceedings against patients, absent consent or a court order. Add the term “uses” to the heading and in this section to align it with current statutory authority.
(32) § 2.65—Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading).
Expand the types of forums where restrictions on uses and disclosure of records in criminal proceedings against patients apply [182] to expressly include administrative and legislative proceedings and also restrict the use of testimony conveying information in a Part 2 record in criminal legal proceedings against patients, absent consent or a court order.
(33) § 2.66—Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a Part 2 program or the person holding the records. (proposed heading)
Create requirements for investigative agencies to follow in the event they discover in good faith that they received Part 2 records before seeking a court order as required under § 2.66.
(34) § 2.67—Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.
Add new criteria for issuance of a court order in instances where an application is submitted after the placement of an undercover agent or informant has already occurred, requiring an investigative agency to satisfy the conditions at § 2.3(b).
(35) § 2.68—Report to the Secretary (proposed heading).
Create new requirements for investigative agencies to file annual reports about the instances in which they applied for a court order after receipt of Part 2 records or placement of an undercover agent or informant as provided in § 2.66 and § 2.67.
(36) 45 CFR 164.520—Notice of privacy practices for protected health information.
Revise 45 CFR 164.520 to implement updates to the NPP to address Part 2 confidentiality requirements, as required by section 3221(i)(2) of the CARES Act.
The proposed changes to Part 2 and 45 CFR 164.520 would create some estimated costs, and numerous and substantial estimated cost savings and anticipated benefits that the Department is unable to quantify but are described in depth below. These include improving the integration of SUD treatment with that of other health care by facilitating the integration of SUD treatment records with other medical records, reductions in paperwork for providers, and regulatory certainty.
The Department estimates that the first-year costs for Part 2 programs will total approximately $19 million. These first-year costs are attributable to Part 2 programs training workforce members on the revised requirements ($12.4 million); capital expenses ($0.8 million); compliance with breach notification requirements ($1.5 million); updating Patient Notices and NPPs ($2.4 million); updating consent forms ($1.5 million); updating the notice to accompany disclosures ($0.6 million). It also includes nominal costs for responding to requests for privacy protection, providing accounting of disclosures, and $25,795 for investigative agencies to file reports to the Secretary. For years 2 through 5, the estimated annual costs of $2.5 million are primarily attributable to compliance with breach notification requirements and related capital expenses. Additionally, the Department estimates nonrecurring costs of $45 million for covered entities that receive or maintain Part 2 records due to updating the HIPAA NPP under 45 CFR 164.520.
The Department estimates annual cost savings of $12.8 million per year, over 5 years, attributable to reductions in the need for Part 2 programs to obtain written patient consent for disclosures for TPO ($9.8 million), reductions in the need for covered entities and business associates to obtain written patient consent for redisclosures ($2.5 million), and reductions in capital expenses for printing consent forms ($0.5 million).[183]
The Department estimates net costs for Part 2 programs totaling approximately $6.6 million in the first year followed by net savings of approximately $10 million annually in years 2 through 5, resulting in overall net cost savings of approximately $34 million over 5 years.
Start Printed Page 74253Table 1 a —Part 2 Estimated 5-Year Costs and Cost-Savings, Undiscounted, in Millions
Total Part 2 costs and cost-savings Year 1 Year 2 Year 3 Year 4 Year 5 Total Costs: Total, Costs $19 $3 $3 $3 $3 $29 Cost-Savings: Total, Cost-savings 13 13 13 13 13 64 Net (negative = savings) 7 (10) (10) (10) (10) (34) Table 1 b —Estimated Part 2 and HIPAA 5-Year Costs and Cost-Savings, Undiscounted, in Millions
Total regulatory costs and cost-savings Year 1 Year 2 Year 3 Year 4 Year 5 Total Costs: Total, Costs $64 $3 $3 $3 $3 $74 Cost-Savings: Total, Cost-savings 13 13 13 13 13 64 Net (negative = savings) 52 (10) (10) (10) (10) 11 2. Need for the Proposed Rule
On March 27, 2020, Congress enacted the CARES Act as Public Law 116-136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd-2, the statute that establishes requirements regarding the confidentiality and disclosure of certain records relating to SUD, and section 3221(i) of the CARES Act requires the Secretary to promulgate regulations implementing those amendments.[184] With this NPRM, the Department proposes changes to Part 2 and 45 CFR 164.522 to implement section 3221 of the CARES Act, increase clarity, and decrease compliance burdens for regulated entities. The Department believes the proposed changes would reduce data segmentation within entities subject to the regulatory requirements promulgated under both HIPAA and Part 2.
Significant differences in the permitted uses and disclosures of Part 2 records and protected health information (PHI) as defined under the Privacy Rule contribute to ongoing operational compliance challenges. For example, currently, entities subject to Part 2 must obtain specific written consent for most uses and disclosures of Part 2 records, including for TPO, while the Privacy Rule permits many uses and disclosures of PHI without authorization. Therefore, to comply with both sets of regulations, HIPAA covered entities subject to Part 2 must track and segregate Part 2 records from other health records ( e.g., records that are protected under the HIPAA Rules but not Part 2).[185]
In addition, once PHI is disclosed to an entity not covered by HIPAA it is no longer protected by the HIPAA Rules. In contrast, Part 2 strictly limits redisclosures of Part 2 records by individuals or entities that receive a record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent.[186 187] Therefore, any Part 2 records received from a Part 2 program or other lawful holder must be segregated or segmented from non-Part 2 records.[188] The need to segment Part 2 records from other health records created data “silos” that hamper the integration of SUD treatment records into entities' electronic record systems and billing processes, which in turn may impact the ability to integrate treatment for behavioral health conditions and other health conditions.[189] Many stakeholders have urged the Department to take action to eliminate the need for such data segmentation,[190] and the Department believes its proposals will reduce, but not completely eliminate, the need for data segmentation or tracking.
3. Cost-Benefit Analysis
Overview and Methodology
In comparison to the estimated number of HIPAA covered entities (774,331 [191] ) the estimated number of Part 2 program is very small (16,066 [192] ) or just 2 percent of the number of covered entities. Because the number of Part 2 programs is so small, the Department includes the entire estimated number of Part 2 programs when estimating the projected costs and cost savings of the proposals in this NPRM, even though a percentage of Part 2 programs are already complying with HIPAA requirements because they are subject to both Part 2 and HIPAA. The Department requests comment on this approach and data on the number or proportion of Part 2 programs that are also HIPAA covered entities.
This regulatory impact analysis (RIA) relies on the same data source used by SAMHSA for the estimated number of Part 2 programs in SAMHSA's 2020 Information Collection Request (ICR) (“Part 2 ICR”) [193] and uses an updated statistic from that source. The NPRM Start Printed Page 74254 also adopts the estimated number of covered entities used in the OCR's 2021 ICR for the Privacy Rule NPRM (“2021 HIPAA ICR”), as well as its cost assumptions for many requirements of the HIPAA Rules, including breach notification activities.
When applying HIPAA cost assumptions to Part 2 programs, the Department multiplies the figures by 2 percent (.02), representing the number of Part 2 programs in proportion to the total number of covered entities. In some instances, the estimates historically used by OCR and SAMHSA for similar regulatory requirements were developed based on different methodologies, resulting in significantly different fiscal projections for some required activities. This RIA adopts OCR's approach for those projected costs and cost savings.
In addition to the quantitative analyses of the effects of the proposed regulatory modifications, the Department analyzes some benefits and burdens qualitatively; relatedly, there is uncertainty inherent in predicting the actions that a diverse scope of regulated entities might take in response to this proposed rule. The Department requests comment on the estimates, assumptions, and analyses contained herein—and any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA.
For reasons explained more fully below, the proposed changes to the consent requirements for Part 2 programs and redisclosure permissions for covered entities and business associates would result in economic cost savings of approximately $63,776,888 over 5 years based on the proposed changes. The resulting net costs over 5 years is due to first year expenses including costs for some health plans to mail an updated NPP which would be finalized as part of a comprehensive HIPAA Privacy Rule.
Table 2—Accounting Table
Accounting table of estimated benefits and costs of all proposed changes, in millions Year 1 Year 2 Year 3 Year 4 Year 5 Total * Costs: Undiscounted $64 $3 $3 $3 $3 $74 3% Discount 50 2 2 2 2 58 7% Discount 37 1 1 1 1 42 Cost Savings: Undiscounted 13 13 13 13 13 64 3% Discount 10 10 9 9 9 47 7% Discount 7 7 6 6 6 33 NET (undiscounted) Costs $11 Non-quantified benefits and costs are described below. * Totals may not add up due to rounding. Baseline Assumptions
In developing its estimates of the potential costs and cost savings of the proposed regulation the Department relied substantially on recent prior estimates for modifications to this regulation [194] and the Privacy Rule [195] and associated ICRs. Specifically, the Part 2 ICR data previously approved under OMB control #0930-0092 informs the Department's estimates with respect to proposed modifications to Part 2 provisions.[196] However, for proposed Part 2 provisions that are based on provisions of the HIPAA Rules, and for proposed changes to 45 CFR 164.520, the Department relies on OCR's HIPAA regulatory ICRs previously approved under OMB control #0945-0003 and updated consistent with OCR's 2021 Privacy Rule NPRM.[197]
Because the Department lacks data to determine the percentage of Part 2 programs that are also subject to the HIPAA Rules, the Department assumes for purposes of this analysis that the proposed changes to Part 2 would affect all Part 2 programs equally—including those programs that are also HIPAA covered entities, and thus already are subject to requirements under the HIPAA Rules ( e.g., breach notification) that the Department proposes to incorporate into Part 2. Thus, this RIA likely overestimates the overall compliance burden on Part 2 programs posed by the proposals in this NPRM. In contrast, this RIA likely underestimates the cost savings of the NPRM. The estimated cost savings are primarily attributed to the reduction in the number of written patient consents that would be needed to use or disclose records for TPO and to redisclose them for other purposes permitted by the Privacy Rule. Because the Department lacks data to estimate the annual numbers of written patient consents and disclosures to covered entities, this RIA adopts an assumption that only three consents per patient are currently obtained per year (one each for treatment, payment, and health care operations) and only one half of such consents result in a disclosure of records to a HIPAA covered entity or business associate, for which consent would be no longer required to use or redisclose the record under the NPRM's proposals. The Department requests comments on its assumptions and data to refine its estimates.
Part 2 Programs, Covered Entities, and Patient Population
The Department relies on the same source as the approved Part 2 ICR [198] as the basis for its estimates of the total number of Part 2 programs and total annual Part 2 patient admissions. Part 2 programs are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The Part 2 ICR's estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N-SSATS), and the average number of annual total responses is based on the results of the average number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode Data Set (TEDS) as the number of patients treated annually by Part 2 programs, both approved under OMB Control No. 0930- Start Printed Page 74255 0335.[199] In the 2020 data from N-SSATS, the number of Part 2 respondents was 16,066.[200] The TEDS data for SUD treatment admissions has been updated, so the Department relies on the 2019 statistic, as shown in the table below.
Table 3—Part 2 Programs, Covered Entities, and Patients
Estimated number of part 2 programs Total annual part 2 program admissions 16,066 201 1,864,367 Estimated number of covered entities Total annual new patients 774,331 202 203 613,000,000 For purposes of calculating estimated costs and benefits the Department relies on mean hourly wage rates for occupations involved in providing treatment and operating health care facilities, as noted in the table below.
Table 4—Occupational Pay Rates
Occupational pay rates a Occupation code and title Hourly wage rate × 2 b 00-0000 All Occupations $56.02 43-3021 Billing and Posting Clerks 41.10 29-0000 Healthcare Practitioners and Technical Occupations 87.60 29-9098 Health Information Technologists, Medical Registrars, Surgical Assistants, and Healthcare Practitioners and Technical Workers, All Other 59.06 15-1212 Information Security Analysts 108.92 23-1011 Lawyer 142.34 13-1111 Management Analysts 96.66 11-9111 Medical and Health Services Manager 115.22 29-2098 Medical Records Specialist 46.46 43-0000 Office and Administrative Support Occupations 41.76 11-2030 Public Relations and Fundraising Managers 127.70 21-1018 Substance Abuse, Behavioral Disorder, and Mental Health Counselors 51.44 13-1151 Training and Development Specialist 65.02 43-4171 Receptionist and Information Clerk 31.64 15-1257 Web Developer and Digital Interface Designer 91.80 a Bureau of Labor Statistics, U.S. Department of Labor, “ Occupational Employment and Wages” May 2021, https://www.bls.gov/oes/current/oes_stru.htm. b To incorporate employee benefits, these figures represent a doubling of the BLS mean hourly wage. Qualitative Analysis of Non-Quantified Benefits and Burdens
The Department's analysis focuses on primary areas of proposed changes that are likely to have an impact on regulated entities or patients. These are proposals to establish or modify requirements with respect to: enforcement and penalties, notification of breaches, consent for uses and disclosures, Patient Notice and the NPP, notice accompanying disclosure, requests for privacy protection, accounting of disclosures, audit and evaluation, disclosures for public health, and use and disclosure of records by investigative agencies. In addition to these proposals, the Department believes the modifications to Part 2 that are proposed for clarification, readability, or consistency with HIPAA terminology, would have the unquantified benefits of providing clarity and regulatory certainty. The provisions that fall into this category and for which anticipated benefits are not discussed in-depth, are:
§§ 2.1-2.2, 2.4 Statutory authority and enforcement, § 2.11 Definitions, § 2.12 Applicability, § 2.13 Confidentiality restrictions and safeguards, § 2.14 Minor patients, § 2.15 Patients who lack capacity and deceased patients, § 2.17 Undercover agents and informants, § 2.19 Disposition of records by discontinued programs, § 2.20 Relationship to state laws, § 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity, § 2.23 Patient access and restrictions on use and disclosure, § 2.24 Requirements for intermediaries, § 2.34 Uses and Disclosures to prevent multiple enrollments, § 2.35 Disclosures to elements of the criminal justice system which have referred patients, § 2.52 Scientific research, §§ 2.61-2.65 Court Orders Authorizing Use and Disclosure.
The Department provides its analysis of non-quantified benefits and burdens for the primary areas of proposed regulatory change below, followed by estimates and analysis of quantified benefits and costs in section (e).
§ 2.3—Civil and criminal penalties for violations (proposed heading).
The Department proposes to create limitations on civil and criminal liability for investigative agencies in the event they unknowingly receive Part 2 records in the course of investigating or prosecuting a Part 2 program or other person holding Part 2 records prior to obtaining the required court order under subpart E. This safe harbor would promote public safety by permitting agencies to investigate Part 2 programs and persons holding Part 2 records in good faith without risk of HIPAA/HITECH Act penalties. The liability Start Printed Page 74256 limitations would be available only to agencies that could demonstrate reasonable diligence in attempting to determine whether a provider was subject to Part 2 before making a legal demand for records or placement of an undercover agent or informant. The proposed changes would benefit SUD providers, Part 2 programs, investigative agencies, and the courts, by encouraging agencies to seek information about a provider's Part 2 status in advance and potentially reduce the number of instances where applications for good cause court orders are denied. Incentivizing investigative agencies to check whether Part 2 applies in advance of investigating a provider would benefit the court system, programs public safety, patients, and agencies by enhancing efficiencies within the legal system, promoting the rule of law, and ensuring the Part 2 protections for records are utilized when applicable.
The limitations on liability for investigative agencies may result in more disclosures of patient records to such agencies by facilitating investigations and prosecutions of Part 2 programs and lawful holders. The Department believes that limiting the application of proposed § 2.3(b) to investigations and prosecutions of programs and holders of records, requiring non-identifying information in the application for the requisite court orders,[204] and keeping patient identifying information under seal [205] will provide strong and continuing protections for patient privacy while promoting public safety.
§ 2.16 Security for records and notification of breaches (proposed heading).
The Department proposes to add notification of breaches to § 2.16 so that the requirements of 45 CFR 164.400 et seq., would apply to breaches of Part 2 records programs in the same manner as those requirements apply to breaches of PHI. Notification of breaches is a cornerstone element of good information practices because it permits affected individuals or patients to take steps to remediate harm, such as putting fraud alerts on their credit cards, checking their credit reports, notifying financial institutions, and informing personal contacts of potential scams involving the patient's identity. It is difficult to quantify the value of receiving notification in comparison to the costs incurred in restoring one's credit, correcting financial records, or the cost of lost opportunities due to loss of income or reduced credit ratings.[206]
The benefit to the patient of learning about a breach of personally identifying information includes the opportunity for the patient to take timely action to regain control over their information and identity. The Department does not have data to predict how many patients will sign up for credit monitoring or other identity protections after receiving a notification of breach of their Part 2 records; however, the Department believes that the costs to patients of taking these actions [207] will be far outweighed by the savings of avoiding identity theft.[208] Requiring Part 2 programs to provide breach notification would ensure that patients of such programs are provided the same informational protections as patients that receive other types of health care services from HIPAA covered entities.
§ 2.22 Patient Notice & 45 CFR 164.520 (NPP).
Patients, Part 2 programs, and covered entities are all likely to benefit from proposed changes to more closely align the Patient Notice and NPP regulatory requirements, which would simplify their compliance with the two regulations. The Department proposes to establish for patients the right to discuss the Patient Notice with a person designated by the program as the contact person and to include information about this right in the header of the Patient Notice as proposed in the HIPAA NPRM.[209] These proposed changes would help improve a patient's understanding of the program's privacy practices and the patient's rights with respect to their records. Even for patients who do not request a discussion under this proposal, knowledge of the right may promote trust and confidence in how their records are handled.
§ 2.25 Accounting of Disclosures (proposed heading).
Adding a requirement to account for disclosures for TPO through an electronic health record would benefit patients by increasing transparency about how their records are used and disclosed for those purposes. This proposed requirement could counterbalance concerns about loss of control that patients may experience as a result of the proposed changes to the consent process that would permit all future TPO uses and disclosures based on a single general consent. The data logs that Part 2 programs would need to maintain to create an accurate and complete accounting of TPO disclosures could also be beneficial for such programs in the event of an impermissible access by enabling programs to identify the responsible workforce member or other wrongful actor.
§ 2.26 Right to request privacy protection for records (proposed heading).
Adding a new right for patients to request restrictions on uses and disclosures of their records for TPO is likely to benefit patients by giving them a new opportunity to assert their privacy interests to program staff, to address patients' concerns about who may see their records and what may be done with the information their records contain.
With respect to the right for patients to restrict disclosures to their health plan when patients have paid in full for services, patients will benefit by being shielded from potential harmful effects of some health plans' restrictive coverage policies or other potential negative effects, such as employers learning of patients' SUD diagnoses.[210]
This right may also improve rates of access to SUD treatment because of patients' increased trust that they have the opportunity to ensure that their records will remain within the Part 2 program. A limitation on the benefits of this right is that it is only available to patients with the means to pay privately for SUD treatment.
Part 2 programs may benefit from increased frequency of patients paying in full out of pocket, which could decrease the time spent by staff in billing and claims activities. Part 2 programs also may benefit from increased patient trust in the programs' protection of records.
§ 2.31 Consent requirements and § 2.33 Uses and disclosures permitted Start Printed Page 74257 with written consent (proposed heading).
The proposed changes to consent for Part 2 records are two-fold: changes to the required elements on the written consent form and a reduction in the instances where a separate written consent is needed (the process of obtaining consent). Proposed changes to the consent form for alignment with the HIPAA authorization form would likely benefit Part 2 programs because they would employ more uniform language and concepts related to information use and disclosure. Such changes may particularly benefit Part 2 programs that are also subject to the HIPAA Rules, so staff do not have to compare and interpret different terms on forms that request the use or disclosure of similar types of information.
Permitting patients to sign a single general consent for all uses and disclosures of their record for TPO, may carry both burdens and benefits to patients. Patients may benefit from a reduction in the amount of paperwork they must sign to give permission for routine purposes related to the treatment and payment and associated reductions in time spent waiting for referrals, transfer of records among providers, and payment of health insurance claims. At the same time, patients may experience a sense of loss of control over their records and the information they contain when they lose the opportunity to make specific decisions about which uses and disclosures they would permit. In some instances, the reduced ability to make specific use and disclosure decisions could result in a greater likelihood of harm to reputation, relationships, and livelihood.
Part 2 programs would likely benefit from the efficiencies resulting from permitting a general consent for all TPO uses and disclosures by freeing staff from burdensome paperwork. In contrast, clinicians in Part 2 programs may find it harder to gain the therapeutic trust needed for patients to divulge sensitive information during treatment if patients become less confident about where their information may be shared and their ability to control those uses and disclosures. Some potential patients may avoid initiating treatment altogether, which would harm both patients and programs.
Covered entities and business associates would benefit markedly from the ability to follow only one set of federal regulations when making decisions about using and disclosing Part 2 records by streamlining processes and simplifying decision making procedures. Additionally, covered entities and business associates would no longer need to segregate SUD treatment data and could improve care coordination and integration of behavioral health with general medical treatment, resulting in comprehensive holistic treatment of the entire patient.
In contrast, this proposal could also create a burden because covered entities and business associates subject to Part 2 may need to sort and filter Part 2 records for certain uses and disclosures, such as audit and evaluation activities that are health care operations, according to whether or not a patient consent for TPO has been obtained. The Department seeks comment and specific data on the number and type of Part 2 programs that are also HIPAA covered entities or business associates. The Department also solicits comment and data on any concerns or questions Part 2 programs may have about how the information technology currently available to them can support implementation of either or both of these proposed provisions.
§ 2.32 Notice to accompany disclosure. (proposed heading)
The proposed revisions to the notice accompanying each disclosure of Part 2 records made with written consent would benefit patients by ensuring that recipients of Part 2 records would be on notice of the expanded prohibition on use of such records against patients in legal proceedings even though uses and redisclosures for other purposes would be more readily permissible. Due to the proposed changes in redisclosure permissions for recipients of Part 2 records that are covered entities and business associates, the importance of the notice to accompany disclosure would increase.
Part 2 programs would benefit from having notice language that accurately reflects statutory changes in the privacy protections for records. Retaining the notice to accompany disclosure requirement would also ensure that certain protections for Part 2 records continue to “follow the record,” as compared to the Privacy Rule whereby protections are limited to PHI held by a covered entity or business associate.
§ 2.53 Management audits, financial audits, and program evaluation (proposed heading).
Programs that are also covered entities would benefit from the proposed changes that would clarify that the limits on use and disclosure for audit and evaluation purposes do not apply to covered entities and business associates to the extent these activities fall within the Privacy Rule disclosure permissions for health care operations. This benefit would provide regulatory flexibility for covered entities when Part 2 records are subject to audit or evaluation.
In some instances, a third-party auditor or evaluator may also be a Part 2 program or a covered entity or business associate. As recipients of Part 2 records, such third parties would be permitted to redisclose the records as permitted by the Privacy Rule, with patient consent for TPO. This flexibility would not extend to government oversight audits and evaluations.
§ 2.54 Disclosures for public health (new provision)
The Department proposes to create a new permission to disclose de-identified records without patient consent for public health activities, consistent with statutory changes. This would benefit public health by permitting records to be disclosed that would address the opioid overdose crisis and other public health issues related to SUDs, and it would protect patient confidentiality because the permission is limited to disclosure of de-identified records.
§ 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records (proposed heading).
The Department proposes to specify the actions investigative agencies should take when they discover in good faith that they have received Part 2 records without obtaining the required court order, such as securing the records, ceasing to use or disclose the records, applying for a court order, and returning or destroying the records, as applicable to the situation. This proposal would provide the dual benefits of enabling agencies to move forward with investigations when they have unknowingly sought records from a Part 2 program and protecting patient privacy by ensuring agencies have clear responsibilities to continue protecting records even absent a court order. The proposal would limit the liability of investigative agencies that unknowingly obtain records without the necessary court order and increase agencies' effectiveness in prosecuting programs. The minimal burden for exercising reasonable diligence before an unknowing receipt of Part 2 records is outweighed by the reduction in risk of a penalty for noncompliance. This analysis applies as well to § 2.67 below.
§ 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.
The Department's proposal would add a requirement for investigative agencies Start Printed Page 74258 that seek a good cause court order after placement of an undercover agent or information in a Part 2 program to first meet the reasonable diligence criteria in § 2.3(b). This requirement would ensure that agencies take basic actions to determine whether a SUD treatment provider is subject to Part 2 before seeking to place an undercover agent or informant with the provider. Additionally, the reasonable diligence requirement would enhance patient privacy by ensuring that agencies consult available registries and visit websites or physical locations before placing agents in a position to access patients' records. As discussed above in reference to § 2.66, this proposal would also have the benefit of enhancing public safety and aid courts to streamline the application process for court orders for the use and disclosure of records.
§ 2.68 Report to the Secretary (proposed heading).
The Department's proposal to require annual reports by investigative agencies concerning applications for court orders made after receipt of Part 2 records would benefit programs, patients, and investigative agencies by making data available about the frequency of investigative requests made “after the fact.” This requirement would benefit agencies and programs by highlighting the potential need for increased awareness about Part 2's applicability. A program that makes its Part 2 status publicly known would benefit from the procedural protections afforded within the court order requirements of § 2.66 and § 2.67 in the event it becomes the target of an investigation. The proposed reporting requirement could also potentially serve as a deterrent to agencies from overly relying on the ability to obtain belated court orders instead of doing a reasonable amount of research to determine before making an investigative demand whether Part 2 applies. Any resulting reduction in unauthorized uses and disclosures of records could be viewed as a benefit by patients and privacy advocates. In contrast, investigative agencies could view the reporting requirement as an administrative burden requiring resources that otherwise could be used to pursue investigations.
e. Estimated Quantified Cost Savings and Costs From Proposed Changes
The Department has estimated quantified costs and cost savings likely to result from its proposed regulatory modifications for two core expense categories (capital expenses and workforce training) and seven substantive regulatory requirements. The remaining proposed regulatory changes are unlikely to result in quantifiable costs or cost savings, as explained following the discussion of projected costs and savings.
Capital Expenses
Capital expenses related to compliance with the proposed rule fall into two categories: notification of breaches and printing forms and notices. The Department's estimates for capital costs related to providing breach notification are based on estimates from the HIPAA ICR multiplied by a factor of 0.02, representing the proportion of Part 2 programs as compared to covered entities (774,331 × 16,066 = .02). For example, for an estimated 58,482 annual breaches of PHI the Department calculates that there are 1,170 breaches of Part 2 records (58,482 × .02 = 1,170), and associated costs. Those costs are estimated on an ongoing annual basis because programs could experience a breach at any time that would require notification.
Table 5 a —Estimated Capital Expenses—Breach Notification
Breach notification activity Number of occurrences Cost per occurrence Total costs Breach—Printing & Postage a 1,170 b $719.96 $842,091 Breach—Posting Substitute Notice c 55 480.00 26,362 Breach—Call Center 55 d 74.44 4,088 Total Costs 872,541 a Total number of breaches of PHI in 2015 multiplied by a factor of .02 to represent breaches of Part 2 records (58,482 × .02). b The Department assumes that half of all affected individuals (half of 113,535,549 equals 56,767,775) would receive paper notification and half would receive notification by email. Therefore, on average, 971 individuals per breach will receive notification by mail. Further, the Department estimates that each mailed notice will cost $.06 for paper and envelope, $.08 for printing, and $.60 for postage. Accordingly, on average, the capital cost for mailed notices for each breach is $.74 for each of 971 notices, or $719.96. The Department accepts these assumptions for Part 2 breach notification costs as well. c The number of breaches requiring substitute notice equals all 267 large breaches and all 2,479 breaches affecting 10-499 individuals multiplied by .02 to represent breaches of Part 2 records (2,746 × .02). d This number includes $60 per breach for start-up and monthly costs, plus $.35 cents per call (at a standard rate of $.07 per minute for five minutes) for an average of 41.25 individual calls per breach. The Department's estimate of the costs for printing revised consent forms is based on SAMHSA's Part 2 ICR estimates for total annual patient admissions to Part 2 programs [211] at a rate of $0.10 per copy. Programs are already required to print forms and notices on an ongoing basis and no change to the number of such forms and notices is projected, so the Department has not added any new capital costs for printing the revised Patient Notice, NPP, and notice to accompany disclosures. However, the Department estimates that as a result of changes to the requirement to obtain consent for disclosures related to TPO, Part 2 programs and covered entities and business associates would experience cost savings from a significant reduction in the number of needed consent forms. The Department assumes that, on average, each patient's treatment results in a minimum of three written consents obtained by Part 2 programs, one each for treatment, payment, and health care operations purposes. The proposed changes would result in an estimated decrease in the total number of consents by two-thirds because only one patient consent would be required to cover all TPO uses and disclosures. At an estimated cost of $0.10 per consent, for a total of 1,864,367 annual patient admissions, this would result in an annual cost savings to Part 2 programs of 3,728,734 fewer written consents, or $372,873. The Department requests comment on its assumption and welcomes data that may help refine its estimates.
Additionally, covered entities and business associates that receive Part 2 records would also experience a reduced need to obtain written patient Start Printed Page 74259 consent or a HIPAA authorization because redisclosure under the Privacy Rule does not require patient consent or authorization for TPO and many other purposes. The Department lacks data to make a precise estimate of projected cost savings, but each patient record disclosed to a covered entity or business associate would potentially generate a savings based on eliminating the need for the recipient to obtain additional consent for redisclosure. The Department has adopted a low cost savings estimate that one-half of Part 2 annual admissions would result in receipt of Part 2 records by a covered entity or business associate that would no longer be required to obtain specific written patient consent to redisclose such record, representing an annual capital expense savings from printing 932,184 fewer consent forms. At a per-consent cost of $0.10,[212] this would result in annual savings of $93,218. The savings related to the cost of staff time to obtain the patient consent are estimated and discussed separately in the section on consent below.
Table 5 b —Estimated Capital Expense Savings—Printing Consent Forms
Activity Number of occurrences Cost per occurrence Total cost savings Reduction in Consent Forms for Part 2 Programs 3,728,734 $0.10 $372,873 Reduction in Consent Forms for CEs & BAs 932,184 0.10 93,218 Total Annual Savings 466,092 Training Costs
Although Part 2 does not expressly require training and the proposed rule would not require retraining, the Department anticipates that all Part 2 programs would choose to train their workforce members on the modified Part 2 requirements to ensure compliance. The Department estimates the potential costs that all Part 2 programs would incur to train staff on the changes to the confidentiality requirements if they are finalized as proposed. As indicated in the chart below, only certain staff would need to be trained on specific topics and each program would rely on a training specialist whose preparation time would also be accounted for. As compared to the proposed HIPAA Privacy Rule right to discuss privacy practices, the costs for training Part 2 counselors include a higher number of staff per program because Part 2 programs would have no required Privacy Officer who is already assigned similar duties and would be more likely to incur costs for developing a new training regimen. The Department of Labor, Bureau of Labor Statistics (BLS) last reported statistics for substance use and behavioral disorder counselors separate from mental health counselors in 2016, and substance use and behavioral disorder counselors represented 65 percent of the combined total. The Department thus calculates its estimate for the number of substance use and behavioral disorder counselors as 65 percent of the workers in the BLS occupational category for “substance abuse, behavioral disorder, and mental health counselors” and uses that as a proxy for the number of Part 2 program counselors that would require training on the new Patient Notice or NPP.[213] The Department estimates that a total of $12 million in one-time new training costs would be incurred in the first year of the final rule's implementation.
Table 6—Estimated Workforce Training Costs
Training topics—staff member Number of trainees Time in training Total training hours Hourly wage rate Total costs Complaint Procedures & Nonretaliation—Manager 16,066 0.75 12,049.50 $115.22 $1,388,343 Breach Notification—Manager 16,066 1 16,066.00 115.22 1,851,125 Obtaining Consent—Receptionist 32,132 0.5 16,066.00 31.64 508,328 Patient Notices & Right to Discuss—SUD Counselor a 202,072 0.25 50,518.00 51.44 2,598,646 Requests for Restrictions—Receptionist, Medical Records, Billing Clerk 48,198 0.25 12,049.50 39.73 478,767 Accounting of Disclosures—Med. Records Specialist 16,066 0.5 8,033 46.46 373,213 Training Specialist's Time 16,066 5 80,330 65.02 5,223,057 Total Training Costs 167,354 12,421,479 a This figure is the number of substance abuse and behavioral disorder counselors as a proxy for the number of Part 2 program counselors. iii. Notification of Breaches
The Department estimates annual labor costs of $1.5 million to Part 2 programs for providing notification of breaches of unsecured records, including notification to the Secretary, affected patients, and the media, consistent with the requirements of the Breach Notification Rule. This estimate is derived from calculating two percent of the total estimated breach notification activities for covered entities and business associates under the Breach Notification Rule.[214] Capital costs for providing breach notification are discussed separately in Table 5a above.
Start Printed Page 74260Table 7—Estimated Costs of Breach Notification
Section of 45 CFR Notification activity Number of respondents Total respondent costs 164.404 Individual Notice—Written and E-mail Notice (drafting) a 1,170 $51,230 164.404 Individual Notice—Written and E-mail Notice (preparing and documenting notification) 1,170 24,422 164.404 Individual Notice—Written and E-mail Notice (processing and sending) 1,170 758,452 164.404 Individual Notice—Substitute Notice (posting or publishing) b 55 5,042 164.404 Individual Notice—Substitute Notice (staffing toll-free number) 55 7,844 164.404 Individual Notice—Substitute Notice (individuals' voluntary burden to call toll-free number for information) c 2,265 15,863 164.406 Media Notice d 5.34 510 164.408 Notice to Secretary (notice for breaches affecting 500 or more individuals) 5.34 510 164.408 Notice to Secretary (notice for breaches affecting fewer than 500 individuals) e 1,164 48,621 164.414 500 or More Affected Individuals (investigating and documenting breach) 5.34 30,764 164.414 Less than 500 Affected Individuals (investigating and documenting breach)—affecting 10-499 50 45,701 164.414 Less than 500 Affected Individuals (investigating and documenting breach)—affecting <10 f 1,115 513,752 Total 1,502,711 a Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2 breaches. b All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied by 02. c As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute notification (0.01 × 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches. d The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches. e The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches. f 55,736 multiplied by .02. iv. Patient Notice and NPP
The Department estimates a first-year total of $2.4 million in costs to Part 2 programs for updating the Patient Notice and the NPP, as applicable, and providing patients a right to discuss the program's Patient Notice or NPP. Under the proposed modifications to § 2.22 and 45 CFR 164.520, as under the existing rules, a Part 2 program that is also a covered entity would only need to have one notice that meets the requirements of both rules, so the Department's estimates are based on an unduplicated count of Part 2 programs, each one needing to update either its Patient Notice or its NPP. The Department's estimate is based on the number of total entities and one hour of a lawyer's time to update the notice(s), as detailed in Table 8. The Department anticipates that the changed requirements for the NPP under this proposed rule and the HIPAA NPRM[215] would become effective at the same time so that covered entities would only incur costs for printing, mailing, and posting a revised NPP one time. There would be no new costs for providers associated with distribution of the revised notice other than posting it on the entity's website (if it has one), as providers have an ongoing obligation to provide the notice to first-time patients. The Department bases the estimate on its previous estimates from the 2013 Omnibus Rule, in which the Department estimated approximately 613 million first time visits with health care providers annually.[216] Health plans that post their NPP online would incur minimal costs by posting the updated notice, and then, including the updated NPP in the next annual mailing to subscribers.[217] The Department estimates a potential increase in costs for health plans that do not post an NPP online or provide an annual mailing to subscribers. The increased costs would be associated with the requirement to mail an updated NPP to subscribers within 60 days of making a material change. The Department requests comments on the burdens on covered entity health plans of doing a separate mailing for the updated NPP if they are not subject to requirements in other law for an annual mailing, how many such entities there are, whether there should be an exception to allow entities to send it in the next three-year mailing, and any unintended adverse consequences for individuals of creating such an exception.
In addition to the costs of updating the Patient Notice and NPP, the Department estimates that programs would incur ongoing costs to implement the right to discuss a program's Patient Notice or NPP calculated as 1 percent of all patients, or 18,644 requests, at the hourly wage of a substance abuse, behavioral disorder, and mental health counselor, as defined by BLS, for an average of 7 minutes per request or $111,887 total per year. The number of discussions is based on the same percentage of new patients as the parallel proposal in the HIPAA NPRM, which reflects the anticipated number of patients who would ask to speak with the identified contact person about the NPP or Patient Notice. It does not include the discussion that each counselor may have with a new patient about confidentiality in the clinical context which the Department views as part of treatment.
v. Accounting of Disclosures
The Department's estimate of minimal annual costs to Part 2 programs for providing patients an accounting of disclosures is based on OCR's estimates for covered entities to comply with the requirements in 45 CFR 164.528 multiplied by a factor of .02. This represents two percent of the total estimated requests for an accounting of disclosures under the Privacy Rule. The Department included this estimate in its calculations (detailed in Table 8), although it is negligible, due to the CARES Act mandate to include the requirement in Part 2. The responses to OCR's 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care [218] indicated that Start Printed Page 74261 covered entities and their business associates receive very few requests for an accounting of disclosures annually (a high of .00006).[219] The Department is unable to estimate the additional burdens, if any, of offering these accountings in a machine readable or other electronic format (unless the individual requests otherwise). Further, the Department lacks specific information about the costs to revise electronic health record systems to generate a report of disclosures for TPO, other than they could be substantial.[220] The Department asks for public comments or information that will help to estimate these burdens.
Requests for Privacy Protection for Records
The Department estimates that Part 2 programs would incur a total of $1,590 in annual costs arising from the right to request restrictions on disclosures. OCR's HIPAA ICR estimate of costs for covered entities to comply with the parallel requirement under 45 CFR 164.522 represents a doubling of previous estimated responses from 20,000 to 40,000.[221] However, costs remain low for compliance with this regulatory requirement, in part because the requirement to accept a patient's request for restrictions is mandatory only for services for which the patient has paid in full; the cost of complying with a request not to disclose records or PHI to a patient's health plan occurs in a context in which providers are saved the labor that would be needed to submit claims to health insurers. The details of the Department's estimate are noted in Table 8.
Updated Consent Form
The Department estimates that each program would incur the costs for 40 minutes of a lawyer's time to update its patient consent form for use and disclosure of records. This would result in an estimated total nonrecurring cost of approximately $1.5 million, to be incurred in the first year after publication of a final rule, as detailed in Table 8 below.
Updated Notice To Accompany Disclosures
The Department estimates that each program would incur the costs for 20 minutes of a health care managers' time to update the regulatory notice that is to accompany each disclosure of records with written patient consent. The Department believes that a manager can accomplish this task, rather than a lawyer, because specific text for the notice to accompany disclosure is required and is included in the proposed regulation. For a total of 16,066 programs this would result in estimated total nonrecurring costs in the first year of the rule's implementation of approximately $0.6 million as detailed in Table 8 below.
New Reporting to the Secretary
The proposed reporting requirement in proposed § 2.68 would be directed to those agencies that investigate and prosecute programs and holders of Part 2 records. Part 2 programs are subject to investigations for Medicare and Medicaid fraud and diversion of opioids used in medication assisted treatment (MAT). Medicaid and Medicare fraud investigations may involve both the Department of Justice (DOJ) and the HHS Office of the Inspector General (OIG). The Department estimates that these agencies conduct approximately 225 investigations of Part 2 programs annually. For fiscal years 2019 and 2020 the HHS OIG reported the number of end-of-year open enforcement cases as 159 and 191, respectively, for an average of 175 per year, and annual criminal convictions and civil settlements or penalties totaling 19 and 16, respectively, for an average of 18 annual cases.[222 223] Open Medicaid Fraud Cases of SUD Providers at end of FY 2020 included 140 criminal and 51 civil settlements or penalties for a total of 191.[224] At the end of FY 2019, the total was 159. Additionally, the Drug Enforcement Agency's (DEA) Drug Diversion Division reported actions against 50 registrants in 2020. The Department adds this number to the average of 175 health fraud cases, for an estimate of 225 investigations annually. The Department assumes, as an over-estimate, that all 225 cases targeted Part 2 programs and that all cases result in a required report under proposed § 2.68.
The burden on investigative agencies for annual reporting about unknowing receipt of Part 2 records prior to a court order would include the labor of gathering data and submitting it to the Secretary. As a proxy for this burden, the Department estimates that the labor would be equal to that of reporting large breaches of PHI under HIPAA which has been calculated at 1.5 hours per response at an hourly wage rate of $76.43 [225] for a total estimated cost of $114.65 per response. For an estimated 225 annual investigations this would result in a total cost of $25,794. This figure, albeit low, represents an overestimate because it assumes 100 percent of investigations would involve unknowing receipt of Part 2 records prior to seeking a court order. The Department assumes that the actual proportion of investigations falling within the reporting requirement would be less than 25 percent of cases, although it lacks data to substantiate this assumption, and welcome comments and data to better inform all of the assumptions related to the estimated costs.
Table 8—Estimated Annual Part 2 Costs in First Year of Implementation
Activity Total responses Hours per response Total burden hours Hourly wage rate Total cost 2.16 Breach Notification (from Table 7) $1,502,714 2.22 Updating Patient Notice 16,066 1 16,066 $142.34 2,286,834 2.22 Right to Discuss 18,644 0.12 2,175 51.44 111,887 2.25 Accounting of Disclosures 100 0.05 5 46.46 232 2.26 Requests for privacy protection 800 0.05 40 39.20 1,590 2.31 Consent—Updating Form 16,066 0.67 10,711 142.34 1,524,556 Start Printed Page 74262 2.32 Notice to Accompany Disclosures 16,066 0.33 5,355 115.22 617,042 2.68 Report to the Secretary 225 1.5 337.5 76.43 25,795 Workforce Training (from Table 6) 12,421,479 Capital Expenses (from Tables 5a) 872,541 Total Annual Costs (first year) 19,364,667 Proposed Changes Resulting in Negligible Fiscal Impact
§§ 2.1-2.4 Statutory authority and enforcement.
While civil enforcement of Part 2 by the Department may increase costs for Part 2 programs or lawful holders that experience a breach or become the subject of a Part 2 complaint or compliance review, the costs of responding to a potential violation are not calculated separately from the costs of complying with proposed new or changed regulatory requirements. Thus, the Department's analysis does not estimate any program costs for the proposed changes to §§ 2.1 through 2.4 of 42 CFR part 2.
§ 2.11 Definitions.
Proposed changes to the regulatory definitions are not likely to create significant increases or decreases in burdens for Part 2 programs or covered entities and business associates. These entities, collectively, would benefit from the regulatory certainty resulting from clarification of terms; however, the proposed definitions are generally intended to codify current usage and understanding of the defined terms.
§ 2.12 Applicability.
The proposal to change “Armed Forces” to “Uniformed Services” in paragraph (c)(2) of § 2.12 is likely to result in only a negligible change in burden because this terminology is already in use in 42 U.S.C. 290dd-2. Adding “uses” and “disclosures” in several places provides clarity and consistency, but is unlikely to create quantifiable costs or cost savings. Adding the four express statutory restrictions on use and disclosure of records for court proceedings [226] in paragraph (d)(1) of this section will likely result in no significant burden change, as the restrictions on use and disclosure of records for criminal investigations and prosecutions of patients are already stringent and the ability to obtain a court order remains. Excluding covered entities from the restrictions applied to other “third-party payers” in paragraph (d)(2) of this section would reduce burden on covered entities that are health plans because they will be permitted to disclose records for a wider range of health care operations than under the current regulation. However, this burden reduction is similar to that for all covered entities under the proposed rule, so the Department has not estimated the costs or benefits separately from the effects of § 2.33, Uses and disclosures permitted with written consent.
§ 2.13 Confidentiality restrictions and safeguards.
The primary proposed change to this section is to remove paragraph (d) and redesignate it as § 2.24. Additionally, adding the term “use” to the circumstances when disclosures are permitted or prohibited provides clarification, but is unlikely to generate a change in burden associated with this provision.
§ 2.14 Minor patients.
The proposed changes to this section would clarify that a program director may clinically evaluate whether a minor has decision making capacity, but not issue a legal judgment to that effect. The proposals would also add “uses” to “disclosures” as the types of activities regulated under this section. None of the proposed changes would be likely to result in quantifiable burdens to Part 2 programs.
§ 2.15 Patients who lack capacity and deceased patients.
The Department's proposed modification will replace outdated references to incompetence and instead refer to a lack of capacity to make health care decisions and will add “uses” to “disclosures” to describe the activities permitted when certain conditions are met. These clarifications and additions are unlikely to generate a change in burden that can be quantified, and thus they are not included in the Department's calculation of estimated costs and cost savings.
§ 2.20 Relationship to state laws.
The Department proposes to add the term “use” to describe activities regulated by this section. Similar to 42 CFR part 2, state laws impose restrictions on uses and disclosures related to SUD and the Department assumes programs subject to regulation by this part would be able to comply with Part 2 and the state law. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.
§ 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity.
The Department replaced “disclosure and use” with “use and disclosure” to align the language of this section with that of the Privacy Rule. The edit does not require any changes to existing Part 2 requirements. The Department does not anticipate this proposed change would result in a quantifiable increase or decrease in burden.
§ 2.24 Requirements for intermediaries. (redesignated and proposed heading)
The Department estimates no change in burdens and benefits as a result of this regulatory clarification because no substantive change is intended.
§ 2.34 Uses and disclosures to prevent multiple enrollments.
The Department proposes to add the term “uses” to the heading and incorporate minor word changes and style edits for clarity. The edits do not require any changes to existing Part 2 requirements. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.
§ 2.35 Disclosures to elements of the criminal justice system which have referred patients.
The Department proposes to replace the term “individuals” with “persons,” clarify that permitted redisclosures of information are from Part 2 records, and make minor word and style edits for clarity. The edits do not require any changes to existing Part 2 requirements. The Department does not anticipate these proposed changes would result in a quantifiable increase or decrease in burden.
§ 2.52 Scientific research (proposed heading) Start Printed Page 74263
The Department considered whether the proposal to align the de-identification standard in § 2.52 (and throughout Part 2) with the Privacy Rule de-identification standard in 45 CFR 164.514 would significantly increase burden for Part 2 programs or result in any unintended negative consequences. The Department concluded that the proposed change would not significantly increase burden because a Part 2 program would need to follow detailed protocols to ensure that the current standard is met that are similar to the level of work needed to adhere to the Privacy Rule standard. Additionally, the proposal would ensure that all Part 2 programs are following similar standards for de-identification, which would benefit researchers when creating data sets from different Part 2 programs, by enabling them to populate the data sets with similar content elements.
§ 2.53 Management audits, financial audits, and program evaluation. (proposed heading)
The proposal to clarify that some audit and evaluation activities may be considered health care operations could be used by Part 2 programs, covered entities, and business associates to obtain records based on consent for health care operations and then such entities could redisclose them as permitted by the Privacy Rule. The Privacy Rule may allow these entities greater flexibility to use or redisclose the Part 2 records for permitted purposes as compared to the limitations contained in § 2.53 of Part 2. For Part 2 programs that are covered entities, this proposed change could result in burden reduction because they would not have to track the records used for audit and evaluation purposes as closely; however, the Department is without data to quantify the potential cost reduction. For business associates, there would likely be no change in burden because they are already obligated by contract to only use or disclose PHI (which may be Part 2 records) as allowed by the agreement with the covered entity.
As discussed in preamble, the disclosure permission under § 2.53 would continue to apply to audits and evaluations conducted by a health oversight agency without patient consent. The Department does not believe that the text of section 3221(e) of the CARES Act indicates congressional intent to alter the established oversight mechanisms for Part 2 programs, including those that provide services reimbursed by Medicare, Medicaid, and Children's Health Insurance Program (CHIP). The Department also intends that a government agency conducting activities that could fall within either § 2.53 or § 2.33 for health care operations would have the flexibility to choose which permission to rely on and would not have to meet the conditions of both sections. In the event that the agency is a covered entity that has received the records based on a consent for TPO, it could further redisclose the records as permitted by the Privacy Rule.
§ 2.54 Disclosures for public health. (proposed heading)
The Department does not believe that an express permission to disclose records to public health authorities without patient consent will impact burdens to a significant degree. While programs will likely experience a burden reduction from the lifting of a consent requirement, the permission may cause an increase in disclosures to public health authorities, resulting in a net impact of no change to burdens. Additionally, to the extent these disclosures are required by other law, the compliance burden is not calculated as a change caused by Part 2.
§§ 2.61-2.65 Procedures for court orders.
The Department lacks sufficient data to estimate the number of instances where the expanded scope of protection from use or disclosure of records against the patient in legal proceedings (including in administrative and legislative forums) would result in increased applications for court orders authorizing the disclosure of Part 2 records or testimony.
§ 2.66 Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records. (proposed heading)
Proposed § 2.66(a)(3) provides specific procedures for investigative agencies to follow upon discovering after the fact that they are holders of Part 2 records, such as securing, returning, or destroying the records and optionally seeking a court order under subpart E. Although the existing regulation does not expressly require law enforcement agencies to return or destroy records that it cannot use in investigations or prosecutions against a program when it does not obtain the required court order, it requires lawful holders to comply with § 2.16 Security for records. The Department developed the proposed requirements in § 2.66(a)(3) (to return or destroy records that an investigative agency is unable to use or disclose in an investigation or prosecution) to parallel the existing requirements in § 2.16 for programs and lawful holders to establish policies for securing paper and electronic records, removing them, and destroying them. The proposed § 2.66 requirements to obtain a court order, or to return or destroy the records within a reasonable time (no more than 120 days from discovering it has received Part 2 records), would not significantly increase the existing burden for investigative agencies to comply with § 2.16. The Department requests comment on these assumptions and data on the burden for complying within 120 days of discovering that an investigative agency has unknowingly received Part 2 records.
§ 2.67 Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.
Proposed § 2.67(c)(4) restricts an investigative agency from seeking a court order authorizing placement of an undercover agent or informant unless it has first exercised reasonable diligence as described by proposed § 2.3(b), which provides that steps such as checking an available prescription drug monitoring program (PDMP) or visiting the provider's website or physical location to determine if it is providing SUD-related services shall presumptively constitute reasonable diligence. This provision serves as a prerequisite that would allow an investigative agency to continue placement of the undercover agent or informant in a Part 2 program by correcting an error of oversight if the investigative agency learns after the fact that the undercover agent or informant is in a Part 2 program and avoiding the risk of penalties for the violation. The Department anticipates that the burden for checking a PDMP or a program's website or physical location to ascertain whether the program provides SUD treatment would be minimal, as these activities would normally be included in the course of investigating and prosecuting a program. The proposed requirement would merely shift the timing of these actions in some cases so that investigative agencies ensure they are completed prior to requesting court approval of an undercover agent or use of an informant. The primary burden on investigative agencies would be to include a statement in an application for a court order after learning of the program's Part 2 status after the fact, that the investigator or prosecutor first exercised reasonable diligence to determine whether the program provided SUD treatment. The burden for including this statement within an application for a court order is minimal and could consist of standard language used in each application. Thus, the Start Printed Page 74264 Department has not calculated specific quantitative costs for compliance. The Department requests comment on the likely utilization of the proposed safe harbor involving undercover agents and informants.
f. Costs Borne by the Department
This rule would have a cost impact on HHS. HHS has the primary responsibility to assess the regulatory compliance of covered entities and business associates and Part 2 programs. This proposed rule would extend those responsibilities to Part 2 programs. In addition to promulgating the current regulation, HHS would be responsible for developing guidance and conducting outreach to educate the regulated community and the public. HHS also would be required to investigate and resolve complaints and compliance reviews as part of its expanded responsibility for Part 2 compliance and enforcements. The Department estimates that implementing the proposals would require two full-time policy employees (or contractors) at the OPM General Schedule (GS) GS-14 or equivalent level who will develop regulation, guidance, and national-level outreach. Additionally, the Department estimates needing eight full-time employees (or contractors) for enforcement at a GS-13 or equivalent level to investigate, train investigators, and provide local outreach to regulated entities.[227] The Department also estimates costs for hiring a contractor to create a breach portal or a Part 2 module for the existing HIPAA breach portal. The initial posting of such breaches is automated, and HHS currently pays a contractor approximately $13,000 annually to maintain the database to receive reports of breaches from covered entities. The Department estimates approximately $13,000 to hire a second contractor to maintain the database to receive reports of breaches from Part 2 programs. Additionally, HHS drafts and posts summaries of each large breach on the website at a labor cost of approximately $22,600 per year. To implement these policies, the Department estimates that initial Federal costs will be approximately $1,695,716 million. The Department estimates that based on the GS within grade step increases for each of the proposed GS-13 and GS-14 employees the Federal costs will be approximately $8,972,716 million over 5 years.
Comparison of Benefits and Costs
Table 9 a —Part 2 Costs and Savings Over 5-Year Time Horizon
Cost item 5-Year costs 5-Year savings 2.16 Breach Notice $7,513,554 2.22 Patient Notice & Right to Discuss 2,846,269 2.25 Accounting of Disclosures 1,162 2.26 Requests for Restrictions 7,948 2.31 Updating Consent Form 1,524,556 2.32 Updating Disclosure Notice 617,042 2.68 Reporting to the Secretary 129,364 Training 12,421,479 Capital Expenses 4,362,706 ($2,330,459) Obtaining Consent (61,446,429) Total 29,424,093 (63,776,888) Net Savings/Costs (34,353,198) Table 9 b —Privacy Rule Costs and Savings Over 5-Year Time Horizon
Cost item 5-Year costs 5-Year set-off (savings) 45 CFR 164.520 NPP $36,739,425 45 CFR 154.520 Capital Costs 8,195,800 Total 44,935,225 Net Savings/Costs ($44,935,225) Table 9 c —Combined Part 2 and Privacy Rule Costs and Savings Over 5-Year Time Horizon
Cost item 5-Year costs 5-Year set-off (savings) 2.16 Breach Notice $7,513,554 2.22 Patient Notice & Right to Discuss 2,846,269 2.25 Accounting of Disclosures 1,162 2.26 Requests for Restrictions 7,948 2.31 Updating Consent Form 1,524,556 2.32 Updating Disclosure Notice 617,042 2.68 Reporting to the Secretary 128,976 Training 12,421,479 Capital Expenses (Part 2) 4,362,706 ($2,330,459) Start Printed Page 74265 Obtaining Consent (61,446,429) 45 CFR 164.520 NPP 36,739,425 45 CFR 164.520 Capital Expenses 8,195,800 Total 74,359,318 (63,776,888) Net Savings/Costs 10,582,027 Table 10—Non-Quantified Benefits/Costs for Regulated Entities and Patients
Regulatory changes Costs Benefits Add notification of breaches of records by Part 2 programs in the same manner the Breach Notification Rule applies to breaches of PHI by covered entities Increased opportunity for patients to take steps to mitigate harm. Would provide the same information protections to patients receiving SUD treatment as are afforded to patients that receive other types of health care services. Change the consent form content requirements and reduce instances where a separate written consent is needed Potential loss to patients of opportunity to provide granular consent for each use and disclosure; potential to chill some patients' willingness to access care Improved clarity and reduction of paperwork for patients, Part 2 programs, covered entities, and business associates. Align the Patient Notice and the NPP Improved understanding of individuals' rights and covered entities' privacy practices. Adding right to discuss program's Patient Notice Improved understanding of patients' rights & programs' confidentiality practices; improved access to care. Change the content requirements for the notice accompanying disclosure Increased knowledge by patients of the expanded prohibition on use of records against patients in legal proceedings. Improved coordination for certain protection for Part 2 records to “follow the record.” Add a new right for patients to request restrictions on uses and disclosures of their records for TPO New opportunity for patients to assert their privacy interests to program staff; increased patient control through ability to prevent disclosures to their health plan when patient has paid in full for services. For Part 2 programs, likely increase in full payment by patients which would decrease staff time spent with billing and claims activities. Add an accounting of disclosures for TPO Potential increased costs to modify information systems to capture required data Increased transparency about how records and Part 2 information are disclosed for TPO. Modifications for clarification, readability, or consistency with HIPAA terminology Improved understanding by regulated entities, patients, and the public. Limiting investigative agencies' potential liability for unknowing receipt of Part 2 records Increased awareness of Part 2 obligations for investigative agencies. Opportunity for investigative agencies to pursue action against Part 2 programs despite initial procedural errors. Requiring investigative agencies to report annually to the Secretary if they seek to use records obtained prior to seeking a court order Creates transparency and accountability for agencies' use of Part 2 records in civil, criminal, administrative, and legislative proceedings. 4. Consideration of Regulatory Alternatives
The Department carefully considered several alternatives to the proposals in this NPRM. The Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered while developing the NPRM.
Definitions for “breach,” “health care operations,” “lawful holder,” and “third-party payer.”
Breach. The Department considered adopting only the first sentence of the HIPAA definition of breach in the introductory text of the paragraph and not the remainder of the definition. The Department considered that the HIPAA definition, which includes exclusions from the term breach ( i.e., unintentional access, inadvertent disclosure, disclosure based on good faith belief that an unauthorized recipient would not reasonably been able to retain the information) did not offer a parallel level of protection to Part 2 records as is intended by its overall structure of requiring consent for most disclosures. However, due to the amount of overlap between the types of entities that must comply with both Part 2 and the HIPAA Rules, the Department decided to adopt the HIPAA breach definition in its entirety. Congress was aware of the Breach Notification Rule when it passed the CARES Act, so the Department Start Printed Page 74266 assumes that Congress intended to apply the full scope of the definition to Part 2 records. The Department welcomes comments on any unintended negative consequences of this approach and how any alternative approaches could be implemented consistent with Congressional intent.
Health care operations. The Department considered including the “Sense of Congress” in section 3221(k)(4) of the CARES Act, which states that the definition of health care operations shall have the same meaning as provided in the HIPAA Rules except that clause (v) of paragraph (6) shall not apply. This would have had the effect of excluding from the HIPAA disclosure and redisclosure permissions the use of records for fundraising. In contrast, the Department also considered not including the Sense of Congress in any provision of the proposed rule. This would have narrowly hewed to the statutory amendment mandated by section 3221 of the CARES Act without acknowledging Congressional intent. Instead, the Department proposed to add an opt-in approach for fundraising activities in the requirements for a written consent proposed at § 2.31(a)(5). The Department similarly is proposing in § 2.22 and 45 CFR 164.520 to require that programs and covered entities provide notice to a patient that the use and disclosure of records for such activities may be made only with the patient's written consent. The Department welcomes comments on any unintended adverse consequences of this approach and how any alternative approaches could be implemented consistent with statutory authority and Congressional intent.
Lawful holder. Although not required by the CARES Act, the Department considered proposing a new regulatory definition for the term “lawful holder,” which is not currently defined in Part 2. The definition would be drawn from the Department's descriptions of lawful holders in previous Part 2 proposed and final rule preambles.[228] In particular, the Department considered whether the definition was needed to distinguish the category of records recipients that includes covered entities, business associates, qualified service organizations, and other components of the health care system from other types of recipients of records based on a written patient consent for purposes of applying different requirements to the different categories.
SAMHSA has described a lawful holder as “an individual or entity who has received such information as the result of a part 2-compliant patient consent (with a notice to accompany disclosure) or as a result of one of the exceptions to the consent requirements in the statute or implementing regulations and, therefore, is bound by 42 CFR part 2.” [229] Further, § 2.33(a) provides that a valid consent may name any person or category of persons: “If a patient consents to a disclosure of their records under § 2.31, a [P]art 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.” Taken together, the description of lawful holder and provision on consent mean that any person who receives records pursuant to a valid consent could be considered a lawful holder, and thus subject to the Part 2 requirements that apply to lawful holders.
The Department is concerned that some of the restrictions and obligations placed on lawful holders are not appropriate to apply across all types of persons who receive Part 2 records pursuant to a consent. For example, a patient's family member who receives a record based on consent could not be reasonably expected to develop policies and procedures for securing records. To address this concern, the Department considered proposing a definition that would exclude certain types of persons, such as those who are acting in their capacity as private citizens (rather than in a professional or official capacity as part of the health care system or government authority, for example). The Department also considered a definition that would expressly include only covered entities, Part 2 programs, any person conducting diagnosis, treatment, or referral for treatment, billing or payment, and any other purpose related to a patient's enrollment or participation in a Part 2 program. However, the Department is concerned that inserting a new definition in regulatory text may inadvertently exclude persons who rightfully should be subject to Part 2 requirements and restrictions that apply to both Part 2 programs and lawful holders.
The Department has considered that a small minority of recipients of Part 2 records based on a patient's consent may not be properly subject to regulatory requirements that apply only to Part 2 programs and lawful holders. For example, it is unclear how the Department would enforce organizational requirements, such as policies and procedures, against some persons who receive records based on written consent, such as natural persons who are family members of a patient and are not acting in any professional or official capacity.
Therefore, rather than propose a regulatory definition or create an enforcement exception, the Department instead asks for comment on what would be reasonable to expect of a person who is a lawful holder, but not a covered entity, business associate, or qualified service organization with respect to protecting records against unauthorized use and disclosure or security threats. The Department requests comment on whether it would be appropriate to include a definition of lawful holder—and, if so, what persons should be considered lawful holders.
Third-party payer. The Department considered removing the term “third-party payer” from the regulations because the definition is limited to entities with a contractual obligation to pay for Part 2 services, many of which are covered entity health plans to whom Part 2 redisclosure restrictions will no longer apply. Upon further consideration, the Department determined that some Part 2 programs may be paid based on a contractual obligation between the payer and the patient, but by entities other than a health plan. Retaining a narrower definition of third-party payer rather than removing the definition entirely would ensure that the restrictions on redisclosure are maintained for any third-party payers that are not covered entities. The Department welcomes data on how many and what types of third-party payers are not covered entities.
Exception for reporting suspected abuse and neglect.
The Department considered expanding the exception under § 2.12(c)(6) for reporting suspected child abuse and neglect to include reporting suspected abuse and neglect of adults. Such an expansion would be consistent with the Privacy Rule permission to report abuse, neglect, or domestic violence at 45 CFR 164.512(c), and could be beneficial for vulnerable adults, such as persons who are incapacitated or otherwise are unable to make health care decisions on their own behalf. However, § 2.12(c)(6), under the authority of 42 U.S.C. 290dd-2, limits the reporting of abuse and neglect to reporting child abuse and neglect as required by State or local law. Further, section (c) of the authorizing statute also restricts uses of records in criminal, civil, or administrative contexts, which Start Printed Page 74267 could include investigations by a protective services agency, for example, unless pursuant to a court order or with the patient's consent. Therefore, the Department determined that expanding the exception under § 2.12(c)(6) to include reporting abuse and neglect of adults would exceed the statutory authority.
Security of records and notification of breaches.
The Department considered retaining the current language in § 2.16 (a)(1)(v) with respect to “non-identifiable” information and adding a reference to the Privacy Rule standard with the phrase “as consistent with 45 CFR 164.514.” Upon consideration, the Department decided instead to insert text from the Privacy Rule de-identification standard and a reference to 45 CFR 164.514 to more closely align the two sets of regulations.
The Department also considered further harmonizing Part 2 and the HIPAA Rules by applying the Security Rule, or components of it, to Part 2 programs and other lawful holders with respect to electronic Part 2 records. The Security Rule contains standards and implementation specifications for securing electronic PHI that are consistent with industry best practices, and the implementation of robust security safeguards can prevent many breaches of patients' Part 2 records. However, the CARES Act did not make the Security Rule applicable to Part 2 programs. Therefore, the Department believes it does not have statutory authority to the Security Rule to encompass Part 2 programs that are not covered entities or business associates. The Department requests comment on this interpretation and on whether the Part 2 security provisions should be modified to incorporate additional or different safeguards consistent with the Security Rule.
Patient Notice and NPP.
The Department considered proposing more limited modifications to the Patient Notice in § 2.22 to narrowly address only those changes specifically identified in section (i)(2) of the CARES Act, without incorporating into the Patient Notice other aspects of the NPP. However, the Department determined that greater alignment between the requirements of the Patient Notice and NPP would create more consistency in notices among Part 2 programs and other types of health care providers, and thus more consistency in patients' understanding and expectations regarding their rights and regulated entities' duties with respect to their Part 2 records.
Adding a requirement for notification of TPO consent.
The Department considered adding a requirement to § 2.32 to require Part 2 programs to notify the recipient that a record is being disclosed to them pursuant to a global consent for TPO or whether it is a more limited consent. The Department considered how this might help covered entities to avail themselves of the new redisclosure permissions enacted into the CARES Act by section 3221(b) so that they would be aware when they could redisclose a record according to the HIPAA Rules. However, the Department determined that this would be unduly burdensome on Part 2 programs. The Department requests comment on this alternative and the extent to which covered entities that receive Part 2 records are aware of the purpose of the disclosure and how that information is conveyed between programs and covered entity recipients of Part 2 records.
Adding a new definition for “confidential communications.”
The Department considered adding a new definition for “confidential communications” as an alternative modification to § 2.63 (confidential communications). Specifically, the Department considered whether to propose incorporating in regulatory text a preamble description of “confidential communications” from prior Part 2 rulemaking, which describes the term as “the essence of those matters to be afforded protection” and “highly sensitive communication.” [230] The Department did not propose this approach as it is only used in one specific context and a new definition would likely create unnecessary complexity without improving understanding of the regulatory requirements.
Creating limitations on liability for investigative agencies' unknowing receipt of Part 2 records.
The Department considered creating an enforceable requirement for Part 2 programs to notify investigative agencies of the applicability of Part 2 when presented with an investigative demand for records, but deemed this an unnecessary burden on programs. Instead, the Department created prerequisites for investigative agencies to meet before they could benefit from liability protection, and thus avoided any increased burden on programs.
5. Request for Comments on Costs and Benefits
The Department requests public comment on all the estimates, assumptions, and analyses within the cost-benefits analysis, including the costs to regulated entities and patients. The Department also requests comments on any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA. The Department also requests comments on whether there may be other indirect costs and benefits resulting from the proposed changes in the proposed rule and welcomes additional information that may help quantify those costs and benefits.
B. Regulatory Flexibility Act
The Department has examined the economic implications of this proposed rule as required by the Regulatory Flexibility Act (5 U.S.C. 601-612). If a rule has a significant economic impact on a substantial number of small entities, the Regulatory Flexibility Act (RFA) requires agencies to analyze regulatory options that would lessen the economic effect of the rule on small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines “small entities” as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population. Because 90 percent or more of all health care providers meet the SBA size standard for a small business or are nonprofit organization, the Department generally treats all health care providers as small entities for purposes of performing a regulatory flexibility analysis. The SBA size standard for health care providers ranges between a maximum of $8 million and $41.5 million in annual receipts, depending upon the type of entity.
The projected costs and savings are discussed in detail in the regulatory impact analysis (section 3a). This proposed rule would create average net costs for regulated entities (Part 2 programs and covered entities), many of which are small entities, and the proposed changes are needed to implement required statutory changes. As its measure of significant economic impact on a substantial number of small entities, HHS uses a threshold for the size of the impact of 3 to 5 percent. The Start Printed Page 74268 total costs from this rule are estimated to be $10,582,027, spread across 774,331 small entities. The average cost per small entity over 5 years is equal to $13.67, and we do not believe that this threshold will be reached by the requirements in this proposed rule. Therefore, the Secretary certifies that this proposed rule would not result in a significant negative impact on a substantial number of small entities.
C. Unfunded Mandates Reform Act
Section 202(a) of The Unfunded Mandates Reform Act of 1995 (UMRA) requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates require spending that may result in expenditures in any one year of $100 million in 1995 dollars, updated annually for inflation. In 2021, that threshold is approximately $158 million. The Department does not anticipate that this proposed rule would result in the expenditure by state, local, and tribal governments, taken together, or by the private sector, of $158 million or more in any one year. The proposals, however, present novel legal and policy issues, for which the Department is required to provide an explanation of the need for this proposed rule and an assessment of any potential costs and benefits associated with this rulemaking in accordance with Executive Orders 12866 and 13563. The Department presents this analysis in the preceding sections.
D. Executive Order 13132—Federalism
Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. The Department does not believe that this rulemaking would have any federalism implications.
The federalism implications of the Privacy, Security, Breach Notification, and Enforcement Rules were assessed as required by Executive Order 13132 and published as part of the preambles to the final rules on December 28, 2000,[231] February 20, 2003,[232] and January 25, 2013.[233] Regarding preemption, the preamble to the final Privacy Rule explains that the HIPAA statute dictates the relationship between state law and Privacy Rule requirements, and the Rule's preemption provisions do not raise federalism issues. The HITECH Act, at section 13421(a), provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements.
The Federalism implications of Part 2 were assessed and published as part of the preamble to proposed rules on February 9, 2016.[234]
The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise consent forms, policies and procedures, providing notification in the event of a breach of Part 2 records and drafting, printing, and distributing Patient Notices or NPPs for individuals with first-time health encounters. The regulatory impact analysis above addresses these costs in detail.
In considering the principles in and requirements of Executive Order 13132, the Department has determined that these proposed modifications to the Privacy Rule would not significantly affect the rights, roles, and responsibilities of the States.
E. Assessment of Federal Regulation and Policies on Families
Section 654 of the Treasury and General Government Appropriations Act of 1999 [235] requires Federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. The Department believes that these regulations would positively impact the ability of patients and families to coordinate treatment and payment for health care, particularly for families to participate in the care and recovery of their family members experiencing SUD treatment, by aligning the permission for covered entities and business associates to use and disclose records disclosed to them for TPO purposes with the permissions available in the Privacy Rule. The Department does not anticipate negative impacts on family well-being as a result of this regulation or the separate rulemaking as described.
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104-13), agencies are required to submit to the Office of Management and Budget (OMB) for review and approval any reporting or record-keeping requirements inherent in a proposed or final rule, and are required to publish such proposed requirements for public comment. The PRA requires agencies to provide a 60-day notice in the Federal Register and solicit public comment on a proposed collection of information before it is submitted to OMB for review and approval. To fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:
1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.
The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department explicitly seeks, and will consider, public comment on its assumptions as they relate to the PRA requirements summarized in this section. To comment on the collection of information or to obtain copies of the supporting statements and any related forms for the proposed paperwork collections referenced in this section, email your comment or request, including your address and phone number to Sherrette.Funn@hhs.gov, or call the Reports Clearance Office at (202) 690-6162. Written comments and recommendations for the proposed information collections must be directed to the OS Paperwork Clearance Officer at the above email address within 60 days.
As discussed below, the Department estimates a total program burden associated with all proposed Part 2 changes of 565,029 hours and $43,911,857, including capital costs and one-time burdens, across all 16,066 Part 2 programs for 1,864,367 annual patient admissions. On average, this equates to an annual burden of 35 hours and $2,733 per Part 2 program and 0.30 hours and $24 per patient admission. Excluding one-time costs that would be incurred in the first year of the final rule's implementation, the average annual burden would be 22 hours and $1,704 per Part 2 program and 0.19 hours and $15 per patient admission. In addition to program burdens, the Department's proposals would increase burdens on investigative agencies for Start Printed Page 74269 reporting annually to the Secretary in the collective amount of 338 hours of labor and $25,795 in costs. This would result in a total burden for Part 2 of 565,367 hours in the first year after the rule becomes effective and 350,172 annual burden hours thereafter.
Further, due to the proposed changes to 45 CFR 164.520, covered entities may need to update their NPP in order to comply with the documentation requirements of 45 CFR 164.530. Section 164.530 contains the administrative requirements for covered entities, including documenting training of personnel, updating policies and procedures, and updating the NPP in accordance with changes in the law.[236] Due to these proposals, the burden for respondent covered entities to comply with the requirements of the suite of HIPAA Rules (Privacy, Breach Notification, Security, and Enforcement) would increase by 258,110 burden hours.
In this NPRM, the Department is revising certain information collection requirements and, as such, is revising the information collection last prepared in 2020 and previously approved under OMB control #0930-0092. The Department is also revising the NPP information collection requirements in OCR's HIPAA ICR previously approved under OMB control #0945-0003. The estimated burdens of these proposed changes are shown in the tables that follow.
1. Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2
The Department presents, in separate tables below, revised estimates for existing burdens (Table 11), previously unquantified ongoing burdens (Table 12), new ongoing burdens of the proposals (Table 13), and new one-time burdens of the proposals (Table 13).
Table 11—Annualized Estimates of Current Burdens *
Part 2 provision Type of respondent Respondents Responses per respondent Total responses Average time per response (hours) Total burden hours 2.22 Patient Notice a 1,864,367 1 1,864,367 0.021 38,841 2.31 Obtaining Consent for TPO Disclosures 1,864,367 1 1,864,367 0.0833 155,364 2.36 PDMP b Reporting c 16,066 176.03 2,828,0501 0.0333 94,268 2.51 Documenting Emergency Tx. Disclosure 16,066 2 32,132 0.167 5,355 2.52 Disclosures for Research—Elec. d 125,845 1 125,845 0.083 10,487 2.52 Disclosures for Research—Paper e 13,983 1 13,983 0.250 3,496 2.53 Disclosures for Audit & Eval.—Elec. f 125,845 1 125,845 0.083 10,487 2.53 Disclosures for Audit & Eval.—Paper g 13,983 1 13,983 0.250 3,496 Total Ongoing Burdens, Currently Approved 237 6,868,571 321,794 * Not all decimal places are shown. a Number of annual Part 2 program admissions as a proxy for total number of patients. b For more information about PDMPs, see https://store.samhsa.gov/product/In-Brief-Prescription-Drug-Monitoring-Programs-A-Guide-for-Healthcare-Providers/SMA16-4997. c Total number of Part 2 programs. d Estimated number of research disclosures made electronically. e Estimated number of research disclosures on paper. f Estimated number of disclosures for audit and evaluation made electronically. g Estimated number of disclosures for audit and evaluation made on paper. As shown in Table 11, the Department is adjusting the currently approved burden estimates to reflect an increase in the number of Part 2 programs, from 13,585 to 16,066. The respondents for this collection of information are publicly (Federal, State, or local) funded, assisted, or regulated SUD treatment programs. The estimate of the number of such programs (respondents) is based on the results of the 2020 National Survey of Substance Abuse Treatment Services (N-SSATS), which represents an increase of 2,481 program from the 2017 N-SSATS which was the basis for the approved ICR under OMB No. 0930-0335. The average number of annual total responses is based the results of the average number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode Data Set (TEDS) as the number of annual patient admissions by part 2 programs (1,864,367 patients).) To accurately reflect the number of disclosures, the Department based some estimates on the number of patients (or a multiple of that number) and then divided by the number of programs to arrive at the number of responses per respondent. The Department based other estimates on the number of programs and then multiplied by the estimated number of disclosures to arrive at the total number of responses.
The estimate in the currently approved ICR includes the time spent with the patient to obtain consent and the time for training for counselors.[238] The Department is now estimating the time for obtaining consent separately from the burden of training time and applies an average of 5 minutes per patient admission for obtaining consent.
For § 2.31, § 2.52, and § 2.53, the Department is separating out estimates for each provision which were previously reported together and is also adjusting the estimates. For § 2.31, the Department believes that disclosures with written consent for TPO are made for 100 percent of patients; due to the proposed changes to the consent requirements, the Department assumes that programs would experience a decreased burden from an average of 3 consents per admission to 1 consent. The Table above reflects 1 consent for each of the 1,864,367 annual patient admissions (used as a proxy for the estimated number of patients) and a time burden of 5 minutes per consent for a total of 155,364 burden hours. The previously unacknowledged burden of obtaining multiple consents for each patient is shown in Table 12, below.
The Department previously estimated that for § 2.31 (consent), § 2.52 (research), and § 2.53 (audit and Start Printed Page 74270 evaluation) combined, programs would need to disclose an average of 15 percent of all patients' records (1,864,367 records × .15 = 279,655 disclosures). The Department is adjusting its estimates to reflect that 15 percent of patients would have records disclosed without consent for research and audits or evaluations and that this would be divided evenly between the two provisions, resulting in 7.5% of 1,864,367 records (or approximately 139,828 disclosures) for § 2.52 disclosures and the same for § 2.53 disclosures. The Department previously estimated that 10 percent of disclosed records would be disclosed in paper form while the remaining 90 percent would be disclosed electronically. The time burden for disclosing a paper record is estimated as 15 minutes and the time for disclosing an electronic record as 5 minutes. For Part 2 programs using paper records, the Department expects that a staff member would need to gather and aggregate the information from paper records, and manually track disclosures; for those Part 2 programs with a health IT system, the Department expects records and tracking information will be available within the system.
For § 2.36, the Department used the average number of opiate treatment admissions from SAMHSA's 2019 TEDS (565,610 admissions) and assumed the PDMP databases would need to be accessed and reported once initially and quarterly thereafter for each patient (565,610 × 5 = 2,828.050). Dividing the number of opiate treatment admissions by the number of SUD programs results in an average of 35.21 patients per program (565,610 patients ÷ 16,066 programs) and 176.03 PDMP updates per respondent (35.21 patients/program × 5 PDMP updates per patient). Based on discussions with providers, the Department believes accessing and reporting to PDMP databases would take approximately 2 minutes per patient, resulting in a total annual burden of 10 minutes (5 database accesses/updates × 2 minutes per access/update) or 0.166 hours annually per patient. For § 2.51, the time estimate for recordkeeping for a clerk to locate a patient record, record the necessary information and re-file the record is 10 minutes.
Table 12—Annualized Estimate of Previously Unquantified Burden
Part 2 provision Type of respondent Respondents Responses per respondent Total responses Average time per response (hours) Total burden hours 2.31 Obtaining Consent a 1,864,367 2.5 4,660,918 0.083 388,410 a Annual number of Part 2 program admissions as a proxy for number of Part 2 patients. As shown in Table 12, for § 2.31 the Department is recognizing for the first time the burden on programs to obtain multiple consents for each patient annually. The Department estimates that for each patient admission to a program a minimum of 3 consents is needed for disclosures of records: one each for treatment, payment, and health care operations (1,864,367 × 3).
As shown in Table 11, a burden is already recognized for obtaining consent, but the estimate assumed only one consent per admission under the existing regulation and it was combined with estimates for disclosures without consent under § 2.52 (research) and § 2.53 (audit and evaluation). The Department believes its previous calculations underestimated the numbers of consents obtained annually, and thus the Department views its updated estimate ( i.e., adding two consents per patient annually) as acknowledging a previously unquantified burden. Additionally, recipients of Part 2 records that are covered entities or business associates must obtain consent for redisclosure of these records. The Department estimates an average of one-half of patients' records are disclosed to a covered entity or business associate that needs to redisclose the record with consent (1,864,367 × .5), and this also represents a previously unquantified burden. Together, this would result in an increase of 2.5 consents annually per patient. However, this would be offset by the changes proposed in this NPRM which would result in a reduction in the number of consents by 2.5 per patient, thus resulting in no change from the currently approved burden of 1 consent per patient.
Table 13—Annualized Estimates for Proposed New Burdens
Type of respondent Number of respondents Number of responses per respondent Total responses Average burden hours per response Total burden hours Individual Notice—Written and E-mail Notice (drafting) a 1,170 1 1,170 0.5 585 Individual Notice—Written and E-mail Notice (preparing and documenting notification) 1,170 1 1,170 0.5 585 Individual Notice—Written and E-mail Notice (processing and sending) 1,170 1,941 b 2,270,271 0.008 18,162 Individual Notice—Substitute Notice (posting or publishing) 55 1 55 1 55 Individual Notice—Substitute Notice (staffing toll-free number) c 55 1 55 d 3.42 188 Individual Notice—Substitute Notice (individuals' voluntary burden to call toll-free number for information) e 2,265 1 2,265 f .125 283 Media Notice g 5 1 5 1.25 7 Notice to Secretary (notice for breaches affecting 500 or more individuals) 5 1 5 1.25 7 Notice to Secretary (notice for breaches affecting fewer than 500 individuals) h 1,164 1 1,164 1 1,164 500 or More Affected Individuals (investigating and documenting breach) i 5 1 5.34 50 267 Less than 500 Affected Individuals (investigating and documenting breach)—affecting 10-499 j 50 1 49.58 8 397 Start Printed Page 74271 Less than 500 Affected Individuals (investigating and documenting breach)—affecting <10 k 1,115 1 1,114.72 4 4,459 Right to Discuss Patient Notice or NPP l 18,644 1 18,644 0.12 2,175 Accounting for Disclosures of Part 2 Records m 100 1 800 0.05 5 Rights to Request Restrictions n 800 1 800 0.05 40 Report to the Secretary ° 225 1 225 1.5 338 2,297,574 28,378 a Total number of breach reports submitted to OCR in 2015 (58,482) multiplied by .02 to represent Part 2 breaches. b Average number of individuals affected per breach incident reported in 2015 (113,513,562) multiplied by .02. c All 267 large breaches and all 2,479 breaches affecting 10-499 individuals (2,746) multiplied by 02. d This assumes that 10% of the sum of (a) all individuals affected by large breaches in 2015 (113,250,136) and (b) 5% of individuals affected by small breaches (0.05 × 285,413 = 14,271) will require substitute notification. Thus, the Department calculates 0.10 × (113,250,136 + 14,271) = 11,326,441 affected individuals requiring substitute notification for an average of 4,125 affected individuals per such breach. The Department assumes that 1% of the affected individuals per breach requiring substitute notice annually will follow up with a telephone call, resulting in 41.25 individuals per breach calling the toll-free number. The Department assumes that call center staff will spend 5 minutes per call, with an average of 41 affected individuals per breach requiring substitute notice, resulting in 3.42 hours per breach spent answering calls from affected individuals. e As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute notification (0.01 × 11,326,441 = 113,264) multiplied by .02 to represent Part 2 program breaches. f This number includes 7.5 minutes for each individual who calls with an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes for the call itself. g The total number of breaches affecting 500 or more individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches. h The total number of HIPAA breaches affecting fewer than 500 individuals in 2015, multiplied by .02 to represent the number of Part 2 breaches. i 267 multiplied by .02. j 2,479 multiplied by .02. k 55,736 multiplied by .02. l The Department estimates that 1 percent of all patients annually would request a discussion of the Patient Notice for an average of 7 minutes per discussion, calculated as .01 × 1,864,367at the hourly wage of a SUD counselor. m The Department estimates that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their PHI multiplied by .02 to represent the number of requests from patients for an accounting from Part 2 patients. n The Department doubled the estimated number of requests for confidential communications or restrictions on disclosures of PHI per year (to 40,000) due to the effect of the broadened TPO consent and related redisclosure permission and multiplied it by .02 to represent requests from Part 2 patients. o Estimated number of investigations of programs, used as a proxy for the instances an investigative agency would be in receipt of a record prior to obtaining the required court order. In Table 13 above, the Department shows an annualized new hourly burden of approximately 28,378 hours due to proposed regulatory requirements for breach notification, accounting of disclosures of records, responding to patient's requests for restrictions on disclosures, discussing the Patient Notice, and required reporting by investigative agencies. These burdens would be recurring. The estimates represent 2 percent of the total estimated by the Department for compliance with the parallel HIPAA requirements for covered entities. This percentage was calculated by dividing the total number of covered entities by the number of Part 2 programs (16,066/771,334 = .02). The Department recognizes that this is an overestimate because an unknown proportion of Part 2 programs are also covered entities. The total in Table 13 also includes the Department's estimates for a recurring annual burden on investigative agencies of 338 hours, relying on previous estimates for the burden of reporting breaches of PHI to the Secretary at 1.5 hours per report.
Table 14—Estimates for Proposed Nonrecurring New Burdens
Type of respondent Number of respondents Number of responses per respondent Total responses Average burden hours per response Total burden hours 2.04 Complaint Procedures & Nonretaliation—Training (manager) a 16,066 1 16,066 0.75 12,050 2.16 Breach Notice—Training (manager) 16,066 1 16,066 1 16,066 2.22 Patient Notice, incl. right to discuss—Training (counselor) 202,072 1 202,072 0.25 50,518 2.22 Updating Patient Notice (lawyer) 16,066 1 16,066 1 16,066 2.25 Accounting of Disclosures—Training (med. records specialist) 16,066 1 16,066 0.5 8,033 2.26 Requests for Restrictions—Training (receptionist, medical records, & billing) 16,066 3 48,198 0.25 12,050 2.31 Updating Consent Form (lawyer) 16,066 1 16,066 0.66 10,711 2.31 Obtaining Consent—Training (receptionist) 16,066 2 32,132 0.5 16,066 2.32 Updating Notice to Accompany Disclosure (manager) 16,066 1 16,066 0.333 5,355 Training Specialist's Time 16,066 1 16,066 5 80,330 Start Printed Page 74272 Total 394,862 215,195 a Estimated total number of Part 2 programs. As shown in Table 14, the Department estimates one-time burden increases as a result of proposed changes to § 2.16, § 2.22, § 2.31, and § 2.32 and due to proposed new provisions § 2.25 and § 2.26. The proposed nonrecurring burdens are for training staff on the proposed provisions and for updating forms and notices. The Department estimates that each program would need 5 hours of a training specialist's time to prepare and present the training for a total of 80,330 burden hours.
For § 2.16, the Department estimates that each program would need to train 1 manager on breach notification requirements for 1 hour, for a total of 16,066 burden hours. For § 2.22, the Department estimates that each program will need 1 hours of a lawyer's time to update the content of the Patient Notice (for a total of 16,066 burden hours) and 15 minutes to train 202,072 Part 2 counselors on the new Patient Notice and right to discuss the Patient Notice requirements (for 50,518 total burden hours).
For § 2.25, the Department estimates that each program would need to train a medical records specialist on the requirements of proposed accounting of disclosures requirements for 30 minutes, resulting in a total burden of approximately 8,033 hours. For § 2.26, the Department estimates that each program would need to train three staff (a front desk receptionist, a medical records technician, and a billing clerk (16,066 Part 2 programs × 3 staff)) for 15 minutes each on the right of a patient to request restrictions on disclosures for TPO. The base wage rate is an average of the mean hourly rate for the three occupations being trained. This would total approximately 12,050 burden hours.
For § 2.31, each program would need 40 minutes of a lawyer's time to update the consent to disclosure form (for a total of approximately 10,711 burden hours) and 30 minutes to train an average of 2 front desk receptionists on the changed requirements for consent (for a total of approximately 16,066 burden hours). For § 2.32, the Department estimates that each program would need 20 minutes of a health care manager's time to update the content of the notice to accompany disclosure with the changed language provided in the proposed regulations, for a total of approximately 5,355 burden hours. This is likely an over-estimate because an alternative, short form of the notice is also provided in regulation, and the language for that form is unchanged such that programs that are using the short form notice could continue using the same notice and avoid any burden increase.
2. Explanation of Estimated Capital Expenses for 42 CFR Part 2
Table 15—Capital Expenses for Part 2 Activities *
45 CFR breach section Cost elements Number of breaches Average cost per breach Total breach cost 164.404 Individual Notice—Postage, Paper, and Envelopes 1,170 $719.95 $842,091.28 164.404 Individual Notice—Substitute Notice Media Posting 55 480.00 26,361.60 164.404 Individual Notice—Substitute Notice—Toll-Free Number 55 74.44 4,088.24 Total Breach 872,541.12 Part 2 section Activity Number of notices Average cost per notice Total notice cost 2.22 Printing Patient Notice 932,184 0.10 $93,218.35 2.31 Printing Consent Form 932,184 0.10 93,218.35 2.32 Printing Notice to Accompany Disclosure 186,437 0.10 18,643.67 Total Part 2 Forms 205,080.37 Total Capital Costs 1,077,621.49 * Not all decimal places are shown. As shown above in Table 15, Part 2 programs would incur new capital costs for providing breach notification. The table also reflects existing burdens for printing the Patient Notice, the Notice to Accompany Disclosure, and Consents. The Department has estimated 50 percent of forms used would be printed on paper, taking into account the notable increase in the use of telehealth services for the delivery of SUD treatment and the expectation that the demand for telehealth will continue.[239]
3. Explanation of Estimated Annualized Burden Hours for 45 CFR 164.520 Start Printed Page 74273
Table 16—New Nonrecurring Burdens of Compliance for 45 CFR 164.520
[As required by 45 CFR 164.530]
Privacy rule section Type of respondent Number of respondents Number of responses per respondent Total responses Average burden hours per response Total burden hours 164.530 Administrative Requirements—Policies & Procedures—Revising the Notice of Privacy Practices, 164.520 a 774,331 1 774,331 b .333 258,110 Total 774,331 258,110 a Total number of covered entities. b Not all decimal places are shown. As shown in Table 16, above, the Department proposes increasing the estimated number of covered entities from 700,000 to 774,331 due to updating the estimated the total number of covered entities, consistent with its estimates associated with the HIPAA NPRM published on January 21, 2021.[240] The Department also proposes adding one new burden element for covered entities to update the NPP as required by 45 CFR 164.530 to include the proposed revisions to 45 CFR 164.520. This burden estimate is primarily applicable to covered entities that receive or maintain Part 2 records because the burdens for covered entities that create Part 2 records ( i.e., that are Part 2 programs) are addressed in the Part 2 ICR, discussed above. However, the Department recognizes this likely overestimates the overall compliance burden on covered entities because some covered entities may not receive or maintain Part 2 records and may find the Part 2 NPP language is not applicable. The Department estimates that each covered entity that is not a Part 2 program would incur the burden of 20 minutes of a lawyer's time to evaluate how the modifications may apply to them and to update the NPP accordingly. The Department estimates 258,110 total one-time burden hours in the first year attributable to the proposed changes to 45 CFR 164.520 in this NPRM and no additional burden thereafter.
Start List of SubjectsList of Subjects
42 CFR Part 2
- Administrative practice and procedure
- Alcoholism
- Administrative practice and procedure
- Alcohol use disorder
- Breach
- Confidentiality
- Courts
- Drug abuse
- Electronic information system
- Grant programs—health
- Health
- Health care
- Health care operations
- Health care providers
- Health information exchange
- Health plan
- Health records
- HIPAA
- HITECH Act
- Hospitals
- Investigations
- Medicaid
- Medical research
- Medicare
- Part 2
- Part 2 programs
- Patient rights
- Penalties
- Privacy
- Reporting and record keeping requirements
- Security measures
- Substance use disorder
- SUD
45 CFR Part 164
- Administrative practice and procedure
- Breach
- Confidentiality
- Courts
- Drug abuse
- Electronic information system
- Health
- Health care
- Health care operations
- Health information exchange
- Health plan
- Health records
- HIPAA
- HITECH Act
- Hospitals
- Individual rights
- Investigations
- Medicaid
- Medical research
- Medicare
- Part 2
- Patient rights
- Penalties
- Privacy
- Reporting and record keeping requirements
- Security measures
- Substance use disorder
- SUD
Proposed Rule
For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend 42 CFR part 2 and 45 CFR part 164 as set forth below:
Title 42—Public Health
Start PartPART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
End Part Start Amendment Part1. Revise the authority citation for part 2 to read as follows:
End Amendment Part Start Amendment Part2. Revise § 2.1 to read as follows:
End Amendment PartStatutory authority for confidentiality of substance use disorder patient records.Title 42, United States Code, section 290dd-2(g) authorizes the Secretary to prescribe regulations to carry out the purposes of section 290dd-2. Such regulations may contain such definitions, and may provide for such safeguards and procedures, including procedures and criteria for the issuance and scope of orders under subsection 290dd-2(b)(2)(C), as in the judgment of the Secretary are necessary or proper to effectuate the purposes of section 290dd-2, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.
3. Amend § 2.2 by revising paragraphs (a) introductory text, (a)(2), (a)(3), (a)(4), (b)(1), (b)(2), and (b)(3) to read as follows:
End Amendment PartPurpose and effect.(a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in this part impose restrictions upon the use and disclosure of substance use disorder patient records (“records,” as defined in this part) which are maintained in connection with the performance of any part 2 program. The regulations in this part include the following subparts:
* * * * *(2) Subpart C of this part: Uses and Disclosures with Patient Consent, including uses and disclosures that require patient consent and the consent form requirements;
(3) Subpart D of this part: Uses and Disclosures without Patient Consent, including uses and disclosures which do not require patient consent or an authorizing court order; and
(4) Subpart E of this part: Court Orders Authorizing Use and Disclosure, including uses and disclosures of records which may be made with an Start Printed Page 74274 authorizing court order and the procedures and criteria for the entry and scope of those orders.
(b) * * * (1) The regulations in this part prohibit the use and disclosure of records unless certain circumstances exist. If any circumstance exists under which use or disclosure is permitted, that circumstance acts to remove the prohibition on use and disclosure but it does not compel the use or disclosure. Thus, the regulations do not require use or disclosure under any circumstance other than when disclosure is required by the Secretary to investigate or determine a person's compliance with this part pursuant to § 2.3(c) of this part.
(2) The regulations in this part are not intended to direct the manner in which substantive functions such as research, treatment, and evaluation are carried out. They are intended to ensure that a patient receiving treatment for a substance use disorder in a part 2 program is not made more vulnerable by reason of the availability of their record than an individual with a substance use disorder who does not seek treatment.
(3) The regulations in this part shall not be construed to limit:
(i) A patient's right, as described in 45 CFR 164.522, to request a restriction on the use or disclosure of a record for purposes of treatment, payment, or health care operations.
(ii) A covered entity's choice, as described in 45 CFR 164.506, to obtain the consent of the patient to use or disclose a record to carry out treatment, payment, or health care operations.
4. Revise § 2.3 to read as follows:
End Amendment PartCivil and criminal penalties for violations.(a) Under 42 U.S.C. 290dd-2(f), any person who violates any provision of this part shall be subject to the applicable penalties under sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 1320d-5 and 1320d-6.
(b) A person who is acting on behalf of an investigative agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records (or employees or agents of that part 2 program or person holding the records) shall not incur civil or criminal liability under 42 U.S.C. 290dd-2(f) for use or disclosure of such records inconsistent with this part that occurs while acting within the scope of their employment in the course of investigating or prosecuting a part 2 program or person holding the record, if the person or investigative agency demonstrates that the following conditions are met:
(1) Before presenting a request, subpoena, or other demand for records, or placing an undercover agent or informant in a health care practice or provider, as applicable, such person acted with reasonable diligence to determine whether the regulations in this part apply to the records, program, or other person holding part 2 records. The following actions are sufficient to constitute reasonable diligence when made within a reasonable period of time (no more than 60 days) before requesting records from, or placing an undercover agent or informant in, a health care practice or provider where it is reasonable to believe that the practice or provider provides substance use disorder diagnostic, treatment, or referral for treatment services:
(i) consulting a prescription drug monitoring program database in the state where the investigative agency's investigation is occurring, where such database is available and accessible by the investigative agency under state law, or
(ii) checking a practice's or provider's publicly available website or physical location to determine whether in fact such services are provided.
(2) The investigative agency followed all of the applicable provisions in this part for any use or disclosure of the received part 2 records that occurred, or will occur, after the investigative agency knew, or by exercising reasonable diligence would have known, that it received part 2 records.
(c) The provisions of 45 CFR part 160, subparts C, D, and E, shall apply to part 2 programs for violations of this part with respect to records in the same manner as they apply to covered entities and business associates for violations of 45 CFR parts 160 and 164 with respect to protected health information.
5. Revise § 2.4 to read as follows:
End Amendment PartComplaints of Violations.(a) A part 2 program must provide a process to receive complaints concerning the program's compliance with the requirements of this part.
(b) A part 2 program may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any patient for the exercise by the patient of any right established, or for participation in any process provided for, by this part, including the filing of a complaint under this section or § 2.3(c).
(c) A part 2 program may not require patients to waive their right to file a complaint under this section or § 2.3 as a condition of the provision of treatment, payment, enrollment, or eligibility for any program subject to this part.
6. Amend § 2.11 by:
End Amendment Part Start Amendment Parta. Adding in alphabetical order definitions of “Breach”; “Business associate”; “Covered entity”; “Health care operations”; “HIPAA”; “HIPAA regulations”;
End Amendment Part Start Amendment Partb. In the definition of “Informant” revising the introductory text;
End Amendment Part Start Amendment Partc. Adding in alphabetical order definitions of “Intermediary”; and “Investigative agency” ';
End Amendment Part Start Amendment Partd. Revising the definition of “Part 2 program director”;
End Amendment Part Start Amendment Parte. Adding a sentence at the end of the definition of “Patient”;
End Amendment Part Start Amendment Partf. Adding in alphabetical order the definition of “Payment”;
End Amendment Part Start Amendment Partg. Revising the definition of “Person”;
End Amendment Part Start Amendment Parth. In the definition of “Program” revising paragraph (1);
End Amendment Part Start Amendment Parti. Adding in alphabetical order the definition of “Public health authority”;
End Amendment Part Start Amendment Partj. In the definition of “Qualified service organization” revising the introductory text, paragraph (2) introductory text, and adding paragraph (3);
End Amendment Part Start Amendment Partk. Revising the definition of “Records”, “Third-party payer”, “Treating provider relationship”, and “Treatment”;
End Amendment Part Start Amendment Partl. Adding in alphabetical order definitions of “Unsecured protected health information”; “Unsecured record”; and “Use”.
End Amendment PartThe revisions and additions read as follows:
Definitions.* * * * *Breach has the same meaning given that term in 45 CFR 164.402.
Business associate has the same meaning given that term in 45 CFR 160.103.
* * * * *Covered entity has the same meaning given that term in 45 CFR 160.103.
* * * * *Health care operations has the same meaning given that term in 45 CFR 164.501.
HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the Privacy and Security provisions in subtitle D of title XIII of the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (“HITECH Act”).
HIPAA regulations means the regulations at 45 CFR parts 160 and 164 (commonly known as the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules or “HIPAA Rules”).
Informant means a person:
* * * * *Intermediary means a person who has received records under a general Start Printed Page 74275 designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.
Investigative agency means a state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.
* * * * *Part 2 program director means:
(1) In the case of a part 2 program that is a natural person, that person.
(2) In the case of a part 2 program that is an entity, the person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer of the part 2 program.
Patient * * * In provisions where the HIPAA regulations apply in this part, Patient means an individual as that term is defined in 45 CFR 160.103.
* * * * *Payment has the same meaning given that term in 45 CFR 164.501.
Person has the same meaning given that term in 45 CFR 160.103.
Program * * *
(1) A person (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or
* * * * *Public health authority has the same meaning given that term in 45 CFR 164.501.
Qualified service organization means a person who:
* * * * *(2) Has entered into a written agreement with a part 2 program under which that person:
* * * * *(3) A qualified service organization includes a person who meets the definition of Business associate in 45 CFR 160.103, paragraphs (1), (2), and (3), with respect to the use and disclosure of protected health information that also constitutes a “record” as defined by this section.
Records means any information, whether recorded or not, created by, received, or acquired by a part 2 program relating to a patient ( e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts), and including patient identifying information, provided, however, that information conveyed orally by a part 2 program to a non-part 2 provider for treatment purposes with the consent of the patient does not become a record subject to this Part in the possession of the non-part 2 provider merely because that information is reduced to writing by that non-part 2 provider. Records otherwise transmitted by a part 2 program to a non-part 2 provider retain their characteristic as records in the hands of the non-part 2 provider, but may be segregated by that provider.
* * * * *Third-party payer means a person, other than a health plan as defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or treatment furnished to a patient on the basis of a contractual relationship with the patient or a member of the patient's family or on the basis of the patient's eligibility for federal, state, or local governmental benefits.
Treating provider relationship means that, regardless of whether there has been an actual in-person encounter:
(1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and
(2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.
Treatment has the same meaning given that term in 45 CFR 164.501.
* * * * *Unsecured protected health information has the same meaning given that term in 45 CFR 164.402.
Unsecured record means any record, as defined in this part, that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under Public Law 111-5, section 13402(h)(2).
Use means, with respect to records, the sharing, employment, application, utilization, examination, or analysis of the information contained in such records that occurs either within an entity that maintains such information or in the course of civil, criminal, administrative, or legislative proceedings as described at 42 U.S.C. 290dd-2(c).
* * * * *7. Amend § 2.12 by:
End Amendment Part Start Amendment Parta. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and (a)(2);
End Amendment Part Start Amendment Partb. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5) introductory text and (c)(6);
End Amendment Part Start Amendment Partc. Revising paragraphs (d)(1) and (2); and
End Amendment Part Start Amendment Partd. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).
End Amendment PartThe revisions read as follows:
Applicability.(a) * * * (1) Restrictions on use and disclosure. The restrictions on use and disclosure in the regulations in this part apply to any records which:
* * * * *(ii) Contain substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or contain alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment.
(2) Restriction on use. The restriction on use or disclosure of information to initiate or substantiate any criminal charges against a patient or to conduct any criminal investigation of a patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or not recorded, which is substance use disorder information obtained by a federally assisted substance use disorder program after March 20, 1972 (part 2 program), or is alcohol use disorder information obtained by a federally assisted alcohol use disorder or substance use disorder program after May 13, 1974 (part 2 program); or if obtained before the pertinent date, is maintained by a part 2 program after that date as part of an ongoing treatment episode which extends past that date; for the purpose of treating a substance use disorder, making a diagnosis for the treatment, or making a referral for the treatment.
* * * * *(c) * * *
(2) Uniformed Services. The regulations in this part apply to any information described in paragraph (a) of this section which was obtained by any component of the Uniformed Services during a period when the patient was subject to the Uniform Code of Military Justice except:
(i) Any interchange of that information within the Uniformed Services; and
(ii) Any interchange of that information between the Uniformed Services and those components of the Department of Veterans Affairs furnishing health care to veterans.
(3) Communication within a part 2 program or between a part 2 program Start Printed Page 74276 and an entity having direct administrative control over that part 2 program. The restrictions on use and disclosure in the regulations in this part do not apply to communications of information between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of patients with substance use disorders if the communications are:
* * * * *(4) Qualified service organizations. The restrictions on use and disclosure in the regulations in this part do not apply to the communications between a part 2 program and a qualified service organization of information needed by the qualified service organization to provide services to or on behalf of the program.
(5) Crimes on part 2 program premises or against part 2 program personnel. The restrictions on use and disclosure in the regulations in this part do not apply to communications from part 2 program personnel to law enforcement agencies or officials which:
* * * * *(6) Reports of suspected child abuse and neglect. The restrictions on use and disclosure in the regulations in this part do not apply to the reporting under state law of incidents of suspected child abuse and neglect to the appropriate state or local authorities. However, the restrictions continue to apply to the original substance use disorder patient records maintained by the part 2 program including their use and disclosure for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect.
(d) * * * (1) Restriction on use and disclosure of records. The restriction on the use and disclosure of any record subject to the regulations in this part to initiate or substantiate criminal charges against a patient or to conduct any criminal investigation of a patient, or to in use in any civil, criminal, administrative, or legislative proceedings against a patient, applies to any person who obtains the record from a part 2 program, covered entity, business associate, intermediary, or other lawful holder, regardless of the status of the person obtaining the record or whether the record was obtained in accordance with subpart E of this part. This restriction on use and disclosure bars, among other things, the introduction into evidence of a record or testimony in any criminal prosecution or civil action before a Federal or State court, reliance on the record or testimony to form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency, the use of such record or testimony by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation, and the use of such record or testimony in any application for a warrant, absent patient consent or a court order in accordance with subpart E of this part. Information obtained by undercover agents or informants (see § 2.17) or through patient access (see § 2.23) is subject to the restriction on use and disclosure.
(2) Restrictions on use and disclosures —(i) Third-party payers, administrative entities, and others. The restrictions on use and disclosure in the regulations in this part apply to:
(A) Third-party payers, as defined in this part, with regard to records disclosed to them by part 2 programs or under § 2.31(a)(4)(i);
(B) Persons having direct administrative control over part 2 programs with regard to information that is subject to the regulations in this part communicated to them by the part 2 program under paragraph (c)(3) of this section; and
(C) Persons who receive records directly from a part 2 program or other lawful holder of patient identifying information and who are notified of the prohibition on redisclosure in accordance with § 2.32.
(ii) Notwithstanding paragraph (d)(2)(i)(C) of this section, a non-part 2 treating provider may record information about a substance use disorder and its treatment that identifies a patient. This is permitted and does not constitute a record that has been redisclosed under part 2, provided that any substance use disorder records received from a part 2 program or other lawful holder are segregated or segmented. The act of recording information about a substance use disorder and its treatment does not by itself render a medical record which is created by a non-part 2 treating provider subject to the restrictions of this part 2.
* * * * *(e) * * *
(3) Information to which restrictions are applicable. Whether a restriction applies to the use or disclosure of a record affects the type of records which may be disclosed. The restrictions on use and disclosure apply to any records which would identify a specified patient as having or having had a substance use disorder. The restriction on use and disclosure of records to bring a civil action or criminal charges against a patient in any civil, criminal, administrative, or legislative proceedings applies to any records obtained by the part 2 program for the purpose of diagnosis, treatment, or referral for treatment of patients with substance use disorders. (Restrictions on use and disclosure apply to recipients of records as specified under paragraph (d) of this section.)
(4) How type of diagnosis affects coverage. These regulations cover any record reflecting a diagnosis identifying a patient as having or having had a substance use disorder which is initially prepared by a part 2 program in connection with the treatment or referral for treatment of a patient with a substance use disorder. A diagnosis prepared by a part 2 program for the purpose of treatment or referral for treatment, but which is not so used, is covered by the regulations in this part. The following are not covered by the regulations in this part:
(i) Diagnosis which is made on behalf of and at the request of a law enforcement agency or official or a court of competent jurisdiction solely for the purpose of providing evidence; or
* * * * *7. Amend § 2.13 by revising paragraphs (a), (b) and (c)(1) and removing paragraph (d) to read as follows:
End Amendment PartConfidentiality restrictions and safeguards.(a) General. The patient records subject to the regulations in this part may be used or disclosed only as permitted by the regulations in this part and may not otherwise be used or disclosed in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority. Any use or disclosure made under the regulations in this part must be limited to that information which is necessary to carry out the purpose of the use or disclosure.
(b) Unconditional compliance required. The restrictions on use and disclosure in the regulations in this part apply whether or not the part 2 program or other lawful holder of the patient identifying information believes that the person seeking the information already has it, has other means of obtaining it, is a law enforcement agency or official or other government official, has obtained a subpoena, or asserts any other justification for a use or disclosure which is not permitted by the regulations in this part.
(c) * * * (1) The presence of an identified patient in a health care facility or component of a health care facility that is publicly identified as a Start Printed Page 74277 place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient's written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part. The regulations permit acknowledgment of the presence of an identified patient in a health care facility or part of a health care facility if the health care facility is not publicly identified as only a substance use disorder diagnosis, treatment, or referral for treatment facility, and if the acknowledgment does not reveal that the patient has a substance use disorder.
* * * * *8. Amend § 2.14 by revising paragraphs (a), (b)(1), (b)(2) introductory text, (b)(2)(ii) and (c) to read as follows:
End Amendment PartMinor patients.(a) State law not requiring parental consent to treatment. If a minor patient acting alone has the legal capacity under the applicable state law to apply for and obtain substance use disorder treatment, any written consent for use or disclosure authorized under subpart C of this part may be given only by the minor patient. This restriction includes, but is not limited to, any disclosure of patient identifying information to the parent or guardian of a minor patient for the purpose of obtaining financial reimbursement. These regulations do not prohibit a part 2 program from refusing to provide treatment until the minor patient consents to a use or disclosure that is necessary to obtain reimbursement, but refusal to provide treatment may be prohibited under a state or local law requiring the program to furnish the service irrespective of ability to pay.
(b) * * * (1) Where state law requires consent of a parent, guardian, or other person for a minor to obtain treatment for a substance use disorder, any written consent for use or disclosure authorized under subpart C of this part must be given by both the minor and their parent, guardian, or other person authorized under state law to act on the minor's behalf.
(2) Where state law requires parental consent to treatment, the fact of a minor's application for treatment may be communicated to the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf only if:
* * * * *(ii) The minor lacks the capacity to make a rational choice regarding such consent as determined by the part 2 program director under paragraph (c) of this section.
(c) Minor applicant for services lacks capacity for rational choice. Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other person may be disclosed to the parent, guardian, or other person authorized under state law to act on the minor's behalf if the part 2 program director determines that:
(1) A minor applicant for services lacks capacity because of extreme youth or mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other person authorized under state law to act on the minor's behalf; and
(2) The minor applicant's situation poses a substantial threat to the life or physical well-being of the minor applicant or any other person which may be reduced by communicating relevant facts to the minor's parent, guardian, or other person authorized under state law to act on the minor's behalf.
9. Amend § 2.15 by revising the section heading, paragraphs (a) and (b)(2) to read as follows.
End Amendment PartPatients who lack capacity and deceased patients.(a) Adult patients who lack capacity to make health care decisions. (1) Adjudication by a court. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to make their own health care decisions, any consent which is required under the regulations in this part may be given by the guardian or other person authorized under state law to act on the patient's behalf.
(2) No adjudication by a court. In the case of a patient, other than a minor or one who has been adjudicated as lacking the capacity to make health care decisions, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a use or disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer or health plan.
(b) * * *
(2) Consent by personal representative. Any other use or disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the use or disclosure is required, that consent may be given by an executor, administrator, or other personal representative appointed under applicable state law. If there is no such applicable state law appointment, the consent may be given by the patient's spouse or, if none, by any responsible member of the patient's family.
10. Amend § 2.16 by:
End Amendment Part Start Amendment Parta. Revising the section heading and paragraphs (a) introductory text, (a)(1)(v), and (a)(2)(iv); and
End Amendment Part Start Amendment Partb. Adding paragraph (b).
End Amendment PartThe revisions and addition read as follows:
Security for records and notification of breaches.(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address all of the following:
(1) * * *
(v) Rendering patient identifying information de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a particular patient as having or having had a substance use disorder.
(2) * * *
(iv) Rendering the patient identifying information de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient as having or having had a substance use disorder.
(b) The provisions of 45 CFR part 160 and subpart D of part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.
11. Amend § 2.17 by revising paragraph (b) to read as follows.
End Amendment PartUndercover agents and informants.* * * * *(b) Restriction on use of information. No information obtained by an undercover agent or informant, whether or not that undercover agent or informant is placed in a part 2 program pursuant to an authorizing court order, may be used or disclosed to criminally investigate or prosecute any patient. Start Printed Page 74278
12. Amend § 2.19 by:
End Amendment Part Start Amendment Parta. Adding paragraph (a)(3);
End Amendment Part Start Amendment Partb. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory text (b)(1)(i)(A), and (b)(2).
End Amendment PartThe addition and revisions read as follows:
Disposition of records by discontinued programs.(a) * * *
(3) The Part 2 program is transferred, retroceded, or reassumed pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), 25 U.S.C. 5301 et seq., and its implementing regulations.
(b) * * *
(1) Records in non-electronic ( e.g., paper) form must be:
(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”.
(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable.
* * * * *(2) All of the following requirements apply to records in electronic form:
(i) Records must be:
(A) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or
(B) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key.
(ii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in paragraph (b)(2)(i)(A) of this section or the original and backup electronic media specified in paragraph (b)(2)(i)(B) of this section, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.
(iii) The portable electronic device or the original and backup electronic media must be:
(A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and
(B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information ( e.g., climate-controlled environment.
(iv) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt.
(v) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16.
13. Revise § 2.20 to read as follows.
End Amendment PartRelationship to state laws.The statute authorizing the regulations in this part (42 U.S.C. 290dd-2) does not preempt the field of law which they cover to the exclusion of all state laws in that field. If a use or disclosure permitted under the regulations in this part is prohibited under state law, neither the regulations in this part nor the authorizing statute may be construed to authorize any violation of that state law. However, no state law may either authorize or compel any use or disclosure prohibited by the regulations in this part.
14. Amend § 2.21 by revising paragraph (b) to read as follows:
End Amendment PartRelationship to federal statutes protecting research subjects against compulsory disclosure of their identity.* * * * *(b) Effect of concurrent coverage. These regulations restrict the use and disclosure of information about patients, while administrative action taken under the research privilege statutes and implementing regulations protects a person engaged in applicable research from being compelled to disclose any identifying characteristics of the individuals who are the subjects of that research. The issuance under subpart E of this part of a court order authorizing a disclosure of information about a patient does not affect an exercise of authority under these research privilege statutes.
15. Revise § 2.22 to read as follows:
End Amendment PartNotice to patients of federal confidentiality requirements.(a) Notice required. At the time of admission to a part 2 program or, in the case that a patient does not have capacity upon admission to understand their medical status, as soon thereafter as the patient attains such capacity, each part 2 program shall inform the patient that federal law protects the confidentiality of substance use disorder patient records.
(b) Content of notice. In addition to the communication required in paragraph (a), a part 2 program shall provide notice, written in plain language, of the program's legal duties and privacy practices, as specified in this paragraph.
(1) The notice must include the following content:
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed.
NOTICE OF PRIVACY PRACTICES OF [PART 2 PROGRAM]
THIS NOTICE DESCRIBES:
- HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
- YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
- HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION
YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS.
(ii) Uses and disclosures. The notice must contain:
(A) A description of each of the purposes for which the part 2 program is permitted or required by this part to use or disclose records without the patient's written consent.
(B) If a use or disclosure for any purpose described in paragraph (b)(1)(ii)(A) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.
(C) For each purpose described in accordance with paragraphs (b)(1)(ii)(A) and (B) of this section, the description must include sufficient detail to place Start Printed Page 74279 the patient on notice of the uses and disclosures that are permitted or required by this part and other applicable law.
(D) A description, including at least one example, of the types of uses and disclosures that require written consent under this part.
(E) A statement that a patient may provide a single consent for all future uses or disclosures for treatment, payment, and health care operations purposes.
(F) A statement that the program will make uses and disclosures not described in the notice only with the patient's written consent.
(G) A statement that the patient may revoke written consent as provided by § 2.31 and § 2.35 of this part.
(H) A statement that includes the following information:
( 1) Records, or testimony relaying the content of such records, shall not be used or disclosed in any civil, administrative, criminal or legislative proceedings against the patient unless based on specific written consent or a court order;
( 2) Records shall only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to the patient or the holder of the record, where required by 42 U.S.C. 290dd-2 and 42 CFR part 2; and
( 3) A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.
(iii) Separate statements for certain uses or disclosures. If the program intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(D) of this section must include a separate statement as follows:
(A) Records that are disclosed to a program, covered entity, or business associate pursuant to the patient's written consent for treatment, payment, and health care operations may be further disclosed by that program, covered entity, or business associate, without the patient's written consent, to the extent the HIPAA Privacy Rule permits such disclosure.
(B) Records that a program, covered entity, or business associate intends to use or disclose to fundraise for the benefit of the program, covered entity, or business associate, may be used or disclosed only with your valid written consent that complies with the requirements of 42 CFR part 2.
(iv) Patient rights. The notice must contain a statement of the patient's rights with respect to their records and a brief description of how the patient may exercise these rights, as follows:
(A) Right to request restrictions of disclosures made with prior consent for purposes of treatment, payment, and health care operations, as provided in 42 CFR 2.26.
(B) Right to request and obtain restrictions of disclosures of part 2 records to the patient's health plan for those services for which the patient has paid in full, in the same manner as 45 CFR 164.522 applies to disclosures of protected health information.
(C) Right to an accounting of disclosures of electronic part 2 records for the past 3 years, as provided in 42 CFR 2.25, and a right to an accounting of disclosures that meets the requirements of 45 CFR 164.528(a)(2) and (b)-(d) for all other disclosures made with consent.
(D) Right to obtain a paper or electronic copy of the notice from the program upon request.
(E) Right to discuss the notice with a designated contact person identified by the part 2 program pursuant to paragraph (b)(1)(vii).
(v) Part 2 program's duties. The notice must contain:
(A) A statement that the part 2 program is required by law to maintain the privacy of records, to provide patients with notice of its legal duties and privacy practices with respect to records, and to notify affected patients following a breach of unsecured records;
(B) A statement that the part 2 program is required to abide by the terms of the notice currently in effect; and
(C) For the part 2 program to apply a change in a privacy practice that is described in the notice to records that the part 2 program created or received prior to issuing a revised notice, a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for records that it maintains. The statement must also describe how it will provide patients with a revised notice.
(vi) Complaints. The notice must contain a statement that patients may complain to the part 2 program and to the Secretary if they believe their privacy rights have been violated, a brief description of how the patient may file a complaint with the program, and a statement that the patient will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title, telephone number, and email address of a person or office to contact for further information about the notice.
(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the content required by paragraph (b)(1) of this section, if a part 2 program elects to limit the uses or disclosures that it is permitted to make under this part, the part 2 program may describe its more limited uses or disclosures in its notice, provided that the part 2 program may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted to be made for emergency treatment.
(ii) For the part 2 program to apply a change in its more limited uses and disclosures to records created or received prior to issuing a revised notice, the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The part 2 program must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the patient's rights, the program's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.
(c) Implementation specifications: Provision of notice. A part 2 program must make the notice required by this section available upon request to any person and to any patient; and
(1) A part 2 program must provide the notice:
(i) No later than the date of the first service delivery, including service delivered electronically, to such patient after the compliance date for the program; or
(ii) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
(2) If the part 2 program maintains a physical service delivery site:
(i) Have the notice available at the service delivery site for patients to request to take with them; and
(ii) Post the notice in a clear and prominent location where it is reasonable to expect patients seeking service from the part 2 program to be able to read the notice in a manner that does not identify the patient as receiving treatment or services for substance use disorder; and
(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the Start Printed Page 74280 revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.
(3) Specific requirements for electronic notice:
(i) A part 2 program that maintains a website that provides information about the part 2 program's customer services or benefits must prominently post its notice on the website and make the notice available electronically through the website.
(ii) A part 2 program may provide the notice required by this section to patient by email, if the patient agrees to electronic notice and such agreement has not been withdrawn. If the part 2 program knows that the email transmission has failed, a paper copy of the notice must be provided to the patient. Provision of electronic notice by the part 2 program will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the part 2 program must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.
(iv) The patient who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a part 2 program upon request.
16. Amend § 2.23 by revising the section heading and paragraph (b) to read as follows.
End Amendment PartPatient access and restrictions on use and disclosure.* * * * *(b) Restriction on use and disclosure of information. Information obtained by patient access to their record is subject to the restriction on use and disclosure of records to initiate or substantiate any criminal charges against the patient or to conduct any criminal investigation of the patient as provided for under § 2.12(d)(1).
17. Add § 2.24 to subpart B to read as follows:
End Amendment PartRequirements for intermediaries.Upon request, an intermediary must provide to patients who have consented to the disclosure of their records using a general designation, pursuant to § 2.31(a)(4)(ii)(B), a list of persons to which their records have been disclosed pursuant to the general designation.
(a) Under this provision, patient requests:
(1) Must be made in writing; and
(2) Are limited to disclosures made within the past three years.
(b) Under this provision, the entity named on the consent form that discloses information pursuant to a patient's general designation (the entity that serves as an intermediary) must:
(1) Respond in 30 or fewer days of receipt of the written request; and
(2) Provide, for each disclosure, the name(s) of the entity(ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.
18. Add § 2.25 to subpart B to read as follows.
End Amendment PartAccounting of disclosures.(a) General rule. Subject to the limitations in paragraph (b) of this section, a part 2 program must provide to a patient, upon request, an accounting of all disclosures made with consent under § 2.31 in the six years prior to the date of the request (or a shorter time period chosen by the patient). The accounting of disclosures must meet the requirements of 45 CFR 164.528(a)(2) and (b)-(d).
(b) Accounting of disclosures for treatment, payment, and health care operations. (1) A part 2 program must provide a patient with an accounting of disclosures of records for treatment, payment, and health care operations only where such disclosures are made through an electronic health record.
(2) A patient has a right to receive an accounting of disclosures described in paragraph (b)(1) of this section during only the three years prior to the date on which the accounting is requested.
19. Add § 2.26 to subpart B to read as follows:
End Amendment PartRight to request privacy protection for records.(a)(1) A part 2 program must permit a patient to request that the part 2 program restrict uses or disclosures of records about the patient to carry out treatment, payment, or health care operations, including when the patient has signed written consent for such disclosures.
(2) Except as provided in paragraph (a)(6) of this section, a part 2 program is not required to agree to a restriction.
(3) A part 2 program that agrees to a restriction under paragraph (a)(1) of this section may not use or disclose records in violation of such restriction, except that, if the patient who requested the restriction is in need of emergency treatment and the restricted record is needed to provide the emergency treatment, the program may use the restricted record, or may disclose information derived from the record to a health care provider, to provide such treatment to the patient.
(4) If information from a restricted record is disclosed to a health care provider for emergency treatment under paragraph (a)(3) of this section, the part 2 program must request that such health care provider not further use or disclose the information.
(5) A restriction agreed to by a part 2 program under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures required by law or permitted by this regulation for purposes other than treatment, payment, and health care operations, as defined in this regulation.
(6) A part 2 program must agree to the request of a patient to restrict disclosure of records about the patient to a health plan if:
(i) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
(ii) The record pertains solely to a health care item or service for which the patient, or person other than the health plan on behalf of the patient, has paid the program in full.
(b) A program may terminate a restriction, if one of the following applies:
(1) The patient agrees to or requests the termination in writing.
(2) The patient orally agrees to the termination and the oral agreement is documented.
(3) The program informs the patient that it is terminating its agreement to a restriction, except that such termination is:
(i) Not effective for records restricted under paragraph (a)(6) of this section; and
(ii) Only effective with respect to records created or received after it has so informed the patient.
20. Revise the heading of subpart C to read as follows:
End Amendment PartSubpart C—Uses and Disclosures With Patient Consent
* * * * *Start Amendment Part21. Amend § 2.31 by:
End Amendment Part Start Amendment Parta. Revising paragraph (a) introductory text, and paragraphs (a)(2) through (a)(8);
End Amendment Part Start Amendment Partb. Adding paragraph (a)(10); and
End Amendment Part Start Amendment Partc. Revising paragraph (b)(4).
End Amendment PartThe revisions and additions read as follows:
Consent requirements.(a) Required elements for written consent. A written consent to a use or Start Printed Page 74281 disclosure under the regulations in this part may be paper or electronic and must include:
* * * * *(2) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
(3) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(4)(i) General requirement for designating recipients. The name(s) of the person(s), or class of persons, to which a disclosure is to be made (“recipient(s)”). For a single consent for all future uses and disclosures for treatment, payment, and health care operations, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement.
(ii) Special instructions for intermediaries. Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity is an intermediary, a written consent must include the name(s) of the intermediary(ies) and
(A) The name(s) of the member participants of the intermediary; or
(B) A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed.
(iii) Special instructions when designating certain recipients. If the recipient is a program, covered entity, or business associate to whom a record (or information contained in a record) is disclosed for purposes of treatment, payment, or health care operations as defined in this part, a written consent must include the statement that the patient's record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA Privacy Rule, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.
(5) A description of each purpose of the requested use or disclosure.
(i) The statement “at the request of the patient” is a sufficient description of the purpose when a patient initiates the consent and does not, or elects not to, provide a statement of the purpose.
(ii) The statement, “for treatment, payment, and health care operations” is a sufficient description of the purpose when a patient provides consent once for all such future uses or disclosures for those purposes.
(iii) Fundraising. If applicable, a statement that a patient consents to the use or disclosure of the patient's records for the purpose of fundraising for the benefit of the program.
(6) The patient's right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it, and how the patient may revoke consent.
(7) An expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure. The statement “end of the treatment,” “none,” or similar language is sufficient if the consent is for a use or disclosure for treatment, payment, or health care operations. The statement “end of the research study” or similar language is sufficient if the consent is for a use or disclosure for research, including for the creation and maintenance of a research database or research repository.
(8) The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who lacks the capacity to make their own health care decisions or is deceased, the signature of a person authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.
* * * * *(10) A patient's written consent to use or disclose records for treatment, payment, or health care operations must include all of the following statements:
(i) The potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part.
(ii) The consequences to the patient of a refusal to sign the consent.
(b) * * *
(4) Is known, or through reasonable diligence could be known, by the person holding the records to be materially false.
22. Amend § 2.32 by revising the section heading and paragraph (a) to read as follows:
End Amendment PartNotice to accompany disclosure.(a) Notice to accompany disclosure. Each disclosure made with the patient's written consent must be accompanied by one of the following written statements ( i.e., either (a)(1) or (a)(2) of this section):
(1) “This record which has been disclosed to you is protected by federal confidentiality rules (42 CFR part 2). These rules prohibit you from using or disclosing this record, or testimony that describes the information contained in this record, in any civil, criminal, administrative, or legislative proceedings by any Federal, State, or local authority, against the patient, unless authorized by the consent of the patient, except as provided at 42 CFR 2.12(c)(5) or as authorized by a court in accordance with 42 CFR 2.64 or 2.65 and compelled by subpoena or other legal requirement. In addition, the federal rules prohibit you from making any other use or disclosure of this record unless at least one of the following applies:
(i) Further use or disclosure is expressly permitted by the written consent of the individual whose information is being disclosed in this record or is otherwise permitted by 42 CFR part 2.
(ii) You are a covered entity or business associate and have received the record for treatment, payment, or health care operations as defined in this part, or
(iii) You have received the record from a covered entity or business associate as permitted by 45 CFR part 164 subparts A and E.
(iv) A general authorization for the release of medical or other information is NOT sufficient to meet the required elements of written consent to further use or redisclose the record (see 42 CFR 2.31).”
(2) 42 CFR part 2 prohibits unauthorized use or disclosure of these records.
* * * * *23. Revise § 2.33 to read as follows:
End Amendment PartUses and disclosures permitted with written consent.(a) If a patient consents to a use or disclosure of their records consistent with § 2.31, a part 2 program may disclose those records in accordance with that consent to any person or category of persons identified or generally designated in the consent, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.
(b) If a patient consents to a use or disclosure of their records consistent with § 2.31, the recipient may further use or disclose such records as provided in subpart E of this part, and as follows:
(1) When disclosed for treatment, payment, and health care operations activities as defined in this part, to a program, covered entity, or business associate, the recipient may further use or disclose those records as permitted Start Printed Page 74282 by 45 CFR part 164, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.
(2) When disclosed with consent given once for all future treatment, payment, and health care operations activities to a part 2 program that is not a covered entity or business associate, the recipient may further use or disclose those records consistent with the consent.
(3) When disclosed for payment or health care operations activities to a lawful holder that is not a covered entity, business associate, or part 2 program, the recipient may further use or disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out the payment or health care operations specified in the consent on behalf of such lawful holders.
(c) Lawful holders, other than covered entities and business associates, who wish to redisclose patient identifying information pursuant to paragraph (b)(2) of this section must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information. In making any such redisclosures, the lawful holder must furnish such recipients with the notice required under § 2.32; require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder. The lawful holder may only redisclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to redisclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.
24. Amend § 2.34 by revising the section heading and paragraph (b) to read as follows:
End Amendment PartUses and Disclosures to prevent multiple enrollments.* * * * *(b) Use of information in records limited to prevention of multiple enrollments. A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not use or redisclose patient identifying information for any purpose other than the prevention of multiple enrollments or to ensure appropriate coordinated care with a treating provider that is not a part 2 program unless authorized by a court order under subpart E of this part.
* * * * *25. Amend § 2.35 by revising paragraphs (a) introductory text, (a)(1), (b)(3), and (d) to read as follows:
End Amendment PartDisclosures to elements of the criminal justice system which have referred patients.(a) A part 2 program may disclose information from a record about a patient to those persons within the criminal justice system who have made participation in the part 2 program a condition of the disposition of any criminal proceedings against the patient or of the patient's parole or other release from custody if:
(1) The disclosure is made only to those persons within the criminal justice system who have a need for the information in connection with their duty to monitor the patient's progress ( e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and
* * * * *(b) * * *
(3) Such other factors as the part 2 program, the patient, and the person(s) within the criminal justice system who will receive the disclosure consider pertinent.
* * * * *(d) Restrictions on use and redisclosure. Any persons within the criminal justice system who receive patient information under this section may use and redisclose it only to carry out official duties with regard to the patient's conditional release or other action in connection with which the consent was given.
26. Revise the heading of subpart D to read as follows:
End Amendment PartSubpart D—Uses and Disclosures Without Patient Consent
* * * * *Start Amendment Part27. Amend § 2.51 by revising paragraph (c)(2) to read as follows:
End Amendment PartMedical emergencies.* * * * *(c) * * *
(2) The name of the person making the disclosure;
* * * * *28. Amend § 2.52 by:
End Amendment Part Start Amendment Parta. Revising the section heading and paragraphs (a) introductory text, (a)(1) introductory text and (a)(2);
End Amendment Part Start Amendment Partb. Revising paragraphs (b) introductory text, (b)(2) and (3);
End Amendment Part Start Amendment Partc. Revising paragraph (c)(1) introductory text and adding paragraph (c)(1)(iii); and
End Amendment Part Start Amendment Partd. Removing the second paragraph (c)(2).
End Amendment PartThe revisions and addition read as follows:
Scientific research.(a) Notwithstanding other provisions of this part, including paragraph (b)(2) of this section, patient identifying information may be used or disclosed for the purposes of the recipient conducting scientific research if:
(1) The person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of part 2 data, makes a determination that the recipient of the patient identifying information is:
* * * * *(2) The part 2 program or other lawful holder of part 2 data is a HIPAA covered entity or business associate, and the use or disclosure is made in accordance with the HIPAA Privacy Rule requirements at 45 CFR 164.512(i).
* * * * *(b) Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section:
* * * * *(2) Must not redisclose patient identifying information except back to the person from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.
(3) May include part 2 data in research reports only in aggregate form in which patient identifying information has been de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used Start Printed Page 74283 to identify a patient as having or having had a substance use disorder.
* * * * *(c) * * * (1) Researchers. Any person conducting scientific research using patient identifying information obtained under paragraph (a) of this section that requests linkages to data sets from a data repository(ies) holding patient identifying information must:
* * * * *(iii) Ensure that patient identifying information is not redisclosed for data linkage purposes other than as provided in paragraph (c) of this section.
* * * * *29. Amend § 2.53 by:
End Amendment Part Start Amendment Parta. Revising the section heading;
End Amendment Part Start Amendment Partb. Revising paragraph (a) introductory text and paragraph (a)(1)(ii);
End Amendment Part Start Amendment Partc. Revising paragraphs (b) introductory text, (b)(1)(iii) and (b)(2)(ii);
End Amendment Part Start Amendment Partd. Revising paragraphs (c)(1) introductory text and (c)(1)(i);
End Amendment Part Start Amendment Parte. Revising paragraphs (e)(1) introductory text, (e)(1)(iii), (e)(5), and (e)(6);
End Amendment Part Start Amendment Partf. Revising paragraph (f); and
End Amendment Part Start Amendment Partg. Adding paragraph (h).
End Amendment PartThe revisions and addition read as follows:
Management audits, financial audits, and program evaluation.(a) Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any person who agrees in writing to comply with the limitations on use and redisclosure in paragraph (f) of this section and who:
(1) * * *
(ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization.
* * * * *(b) Copying, removing, downloading, or forwarding patient records. Records containing patient identifying information, as defined in § 2.11, may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program's or other lawful holder's electronic records by any person who:
(1) * * *
(iii) Comply with the limitations on use and disclosure in paragraph (f) of this section; and
(2) * * *
(ii) Any person which provides financial assistance to the part 2 program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or
* * * * *(c) * * *
(1) Activities undertaken by a federal, state, or local governmental agency, or a third-party payer or health plan, in order to:
(i) Identify actions the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;
* * * * *(e) * * * (1) Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (e) of this section to any person for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the person agrees in writing to comply with the following:
* * * * *(iii) Comply with the limitations on use and disclosure in paragraph (f) of this section.
* * * * *(5) If a disclosure to a person is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (e)(2) of this section, the person may further use or disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may use or disclose the information to that person (or, to such person's contractors, subcontractors, or legal representatives, but only for the purposes of this section).
(6) The provisions of this paragraph do not authorize the part 2 program, the federal, state, or local government agency, or any other person to use or disclose patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (e) of this section.
(f) Limitations on use and disclosure. Except as provided in paragraph (e) of this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.
* * * * *(h) Disclosures for health care operations. With respect to activities described in paragraphs (c) and (d) of this section, a part 2 program, covered entity, or business associate may disclose records in accordance with a consent that includes health care operations, and the recipient may redisclose such records as permitted under the HIPAA Privacy Rule if the recipient is a part 2 program, covered entity, or business associate.
30. Add § 2.54 to subpart D to read as follows:
End Amendment PartDisclosures for public health.A part 2 program may disclose records for public health purposes without patient consent so long as:
(a) The disclosure is made to a public health authority as defined in this part; and
(b) The content of the information from the record disclosed has been de-identified in accordance with the requirements of the HIPAA Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient has having or having had a substance use disorder.
31. Revise the heading of subpart E to read as follows:
End Amendment PartSubpart E—Court Orders Authorizing Use and Disclosure
* * * * *Start Amendment Part32. Revise § 2.61 to read as follows:
End Amendment PartStart Printed Page 74284Start Amendment PartLegal effect of order.(a) Effect. An order of a court of competent jurisdiction entered under this subpart is a unique kind of court order. Its only purpose is to authorize a use or disclosure of patient information which would otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in this part. Such an order does not compel use or disclosure. A subpoena or a similar legal mandate must be issued in order to compel use or disclosure. This mandate may be entered at the same time as and accompany an authorizing court order entered under the regulations in this part.
(b) Examples. (1) A person holding records subject to the regulations in this part receives a subpoena for those records. The person may not use or disclose the records in response to the subpoena unless a court of competent jurisdiction enters an authorizing order under the regulations in this part.
(2) An authorizing court order is entered under the regulations in this part, but the person holding the records does not want to make the use or disclosure. If there is no subpoena or other compulsory process or a subpoena for the records has expired or been quashed, that person may refuse to make the use or disclosure. Upon the entry of a valid subpoena or other compulsory process the person holding the records must use or disclose, unless there is a valid legal defense to the process other than the confidentiality restrictions of the regulations in this part.
33. Revise § 2.62 to read as follows:
End Amendment PartOrder not applicable to records disclosed without consent to researchers, auditors and evaluators.A court order under the regulations in this part may not authorize persons who meet the criteria specified in § 2.52(a)(1)(i)-(iii) of this part, who have received patient identifying information without consent for the purpose of conducting research, audit or evaluation, to disclose that information or use it to conduct any criminal investigation or prosecution of a patient. However, a court order under § 2.66 may authorize use and disclosure of records to investigate or prosecute such persons who are holding the records.
34. Amend § 2.63 by revising paragraph (a)(3) to read as follows:
End Amendment Part(a) * * *
(3) The disclosure is in connection with a civil, criminal, administrative, or legislative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.
* * * * *Start Amendment Part35. Amend § 2.64 by by revising the section heading, paragraph (a), paragraph (b) introductory text, (d) and (e) to read as follows:
End Amendment PartProcedures and criteria for orders authorizing uses and disclosures for noncriminal purposes.(a) Application. An order authorizing the use or disclosure of patient records or testimony relaying the information contained in the records for purposes other than criminal investigation or prosecution may be applied for by any person having a legally recognized interest in the use or disclosure which is sought in the course of a civil, administrative or legislative proceeding. The application may be filed separately or as part of a pending civil action in which the applicant asserts that the patient records or testimony relaying the information contained in the records are needed to provide evidence. An application must use a fictitious name, such as John Doe, to refer to any patient and may not contain or otherwise disclose any patient identifying information unless the patient is the applicant or has given written consent (meeting the requirements of the regulations in this part) to disclosure or the court has ordered the record of the proceeding sealed from public scrutiny.
(b) Notice. A court order under this section is only valid when the patient and the person holding the records from whom disclosure is sought have received:
* * * * *(d) * * *
(2) The public interest and need for the use or disclosure outweigh the potential injury to the patient, the physician-patient relationship and the treatment services.
(e) Content of order. An order authorizing a use or disclosure must:
(1) Limit use or disclosure to only those parts of the patient's record, or testimony relaying those parts of the patient's record, which are essential to fulfill the objective of the order;
(2) Limit use or disclosure to those persons whose need for information is the basis for the order; and
(3) Include such other measures as are necessary to limit use or disclosure for the protection of the patient, the physician-patient relationship and the treatment services; for example, sealing from public scrutiny the record of any proceeding for which use or disclosure of a patient's record, or testimony relaying the contents of the record, has been ordered.
36. Amend § 2.65 by revising the section heading, paragraphs (a), (b) introductory text, (d) introductory text, (d)(2) and (e) to read as follows:
End Amendment PartProcedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients.(a) Application. An order authorizing the use or disclosure of patient records, or testimony relaying the information contained in those records, to investigate or prosecute a patient in connection with a criminal proceeding may be applied for by the person holding the records or by any law enforcement or prosecutorial official who is responsible for conducting investigative or prosecutorial activities with respect to the enforcement of criminal laws, including administrative and legislative criminal proceedings. The application may be filed separately, as part of an application for a subpoena or other compulsory process, or in a pending criminal action. An application must use a fictitious name such as John Doe, to refer to any patient and may not contain or otherwise use or disclose patient identifying information unless the court has ordered the record of the proceeding sealed from public scrutiny.
(b) Notice and hearing. Unless an order under § 2.66 is sought in addition to an order under this section, an order under this section is valid only when the person holding the records has received:
* * * * *(d) Criteria. A court may authorize the use and disclosure of patient records, or testimony relaying the information contained in those records, for the purpose of conducting a criminal investigation or prosecution of a patient only if the court finds that all of the following criteria are met:
* * * * *(2) There is a reasonable likelihood that the records or testimony will disclose information of substantial value in the investigation or prosecution.
* * * * *(e) Content of order. Any order authorizing a use or disclosure of patient records subject to this part, or testimony relaying the information contained in those records, under this section must:
(1) Limit use and disclosure to those parts of the patient's record, or testimony relaying the information contained in those records, which are essential to fulfill the objective of the order;
(2) Limit disclosure to those law enforcement and prosecutorial officials who are responsible for, or are Start Printed Page 74285 conducting, the investigation or prosecution, and limit their use of the records or testimony to investigation and prosecution of the extremely serious crime or suspected crime specified in the application; and
(3) Include such other measures as are necessary to limit use and disclosure to the fulfillment of only that public interest and need found by the court.
37. Amend § 2.66 by
End Amendment Part Start Amendment Parta. Revising the section heading and paragraph (a)(1);
End Amendment Part Start Amendment Partb. Adding new paragraph (a)(3);
End Amendment Part Start Amendment Partc. Revising paragraphs (b), (c), and (d).
End Amendment PartThe revisions and addition read as follows:
Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records.(a) * * * (1) An order authorizing the use or disclosure of patient records subject to this part to investigate or prosecute a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records) in connection with a criminal or administrative matter may be applied for by any investigative agency having jurisdiction over the program's or person's activities.
* * * * *(3) Upon discovering in good faith that it received part 2 records in the course of investigating or prosecuting a part 2 program or the person holding the records (or employees or agents of that part 2 program or person holding the records), an investigative agency must do the following:
(i) Secure the records in accordance with § 2.16; and
(ii) Cease using and disclosing the records until the investigative agency obtains a court order consistent with paragraph (c) of this section authorizing the use and disclosure of the records and any records later obtained. The application for the court order must occur within a reasonable period of time, but not more than 120 days after discovering it received part 2 records; or
(iii) If the agency does not seek a court order in accordance with paragraph (a)(3)(ii) of this section, the agency must either return the records to the part 2 program or person holding the records, if it is legally permissible to do so, within a reasonable period of time, but not more than 120 days after discovering it received part 2 records; or
(iv) If the agency does not seek a court order or return the records, the agency must destroy the records in a manner that renders the patient identifying information non-retrievable, within a reasonable period of time, but not more than 120 days after discovering it received part 2 records; or.
(v) If the agency's application for a court order is rejected by the court and no longer subject to appeal, the agency must return the records to the part 2 program or person holding the records, if it is legally permissible to do so, or destroy the records immediately after notice from the court.
(b) Notice not required. An application under this section may, in the discretion of the court, be granted without notice. Although no express notice is required to the part 2 program, to the person holding the records, or to any patient whose records are to be disclosed, upon implementation of an order so granted any of those persons must be afforded an opportunity to seek revocation or amendment of that order, limited to the presentation of evidence on the statutory and regulatory criteria for the issuance of the court order in accordance with paragraph (c) of this section. If a court finds that individualized contact is impractical under the circumstances, patients may be informed of the opportunity through a substitute form of notice that the court determines is reasonably calculated to reach the patients, such as conspicuous notice in major print or broadcast media in geographic areas where the affected patients likely reside.
(c) Requirements for order. An order under this section must be entered in accordance with, and comply with the requirements of § 2.64(e). In addition, an order under this section may be entered only if the court determines that good cause exists. To make such good cause determination, the court must find that:
(1) Other ways of obtaining the information are not available, would not be effective, or would yield incomplete information;
(2) The public interest and need for the use or disclosure outweigh the potential injury to the patient, the physician-patient relationship, and the treatment services; and
(3) For an application being submitted pursuant to paragraph (a)(3)(ii) of this section, the investigative agency has satisfied the conditions at § 2.3(b).
(d) Limitations on use and disclosure of patient identifying information. (1) An order entered under this section must require the deletion or removal of patient identifying information from any documents or oral testimony made available to the public.
(2) No information obtained under this section may be used or disclosed to conduct any investigation or prosecution of a patient in connection with a criminal matter, or be used or disclosed as the basis for an application for an order under § 2.65.
38. Amend § 2.67 by revising paragraphs (a), (c), (d)(3) and (e) to read as follows:
End Amendment PartOrders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.(a) Application. A court order authorizing the placement of an undercover agent or informant in a part 2 program as an employee or patient may be applied for by any investigative agency which has reason to believe that employees or agents of the part 2 program are engaged in criminal misconduct.
* * * * *(c) Criteria. An order under this section may be entered only if the court determines that good cause exists. To make such good cause determination, the court must find all of the following:
(1) There is reason to believe that an employee or agent of the part 2 program is engaged in criminal activity;
(2) Other ways of obtaining evidence of the suspected criminal activity are not available, would not be effective, or would yield incomplete evidence;
(3) The public interest and need for the placement of an undercover agent or informant in the part 2 program outweigh the potential injury to patients of the part 2 program, physician-patient relationships and the treatment services; and
(4) For an application submitted after the placement of an undercover agent or informant has already occurred, that the investigative agency has satisfied the conditions at § 2.3(b) and only discovered that a court order was necessary after such placement occurred.
(d) * * *
(3) Prohibit the undercover agent or informant from using or disclosing any patient identifying information obtained from the placement except as necessary to investigate or prosecute employees or agents of the part 2 program in connection with the suspected criminal activity; and
* * * * *(e) Limitation on use and disclosure of information. No information obtained by an undercover agent or informant placed in a part 2 program under this section may be used or disclosed to investigate or prosecute any patient in connection with a criminal matter or as the basis for an application for an order under § 2.65.
39. Add § 2.68 to subpart E to read as follows:
End Amendment PartStart Printed Page 74286Start PartReport to the Secretary.(a) Any investigative agency covered by this part shall report to the Secretary, not later than 60 days after the end of each calendar year, to the extent applicable and practicable, on:
(1) The number of applications made under § 2.66(a)(3)(ii) and § 2.67(c)(4) during the calendar year;
(2) The number of instances in which such applications were denied, due to findings by the court of violations of this part during the calendar year; and
(3) The number of instances in which part 2 records were returned or destroyed following unknowing receipt without a court order, in compliance with § 2.66(a)(3)(iii)(iv) or (v), respectively during the calendar year.
(b) [Reserved].
* * * * *Title 45—PUBLIC WELFARE
PART 164—SECURITY AND PRIVACY
End Part Start Amendment Part40. The authority citation for part 164 is revised to read as follows:
End Amendment Part Start Amendment Part41. Amend § 164.520 by:
End Amendment Part Start Amendment Parta. Revising paragraphs (a)(1) and removing paragraph (a)(3);
End Amendment Part Start Amendment Partb. Redesignating paragraph (a)(2) as (a)(3) and adding a new paragraph (a)(2);
End Amendment Part Start Amendment Partc. Revising paragraphs (b)(1) introductory text, (b)(1)(i), b)(1)(ii)(C), (b)(1)(ii)(D), and (b)(1)(iii);
End Amendment Part Start Amendment Partd. Revising paragraphs (b)(1)(iv)(C), (b)(1)(iv)(G), (b)(1)(v)(A), (b)(1)(v)(C), (b)(1)(vii), and (b)(2)(iii);
End Amendment Part Start Amendment Parte. Removing paragraph (c)(2)(ii), redesignating paragraphs (c)(2)(iii) and (iv) as (c)(2)(ii) and (iii) and revising newly redesignated (c)(2)(ii) introductory text and (iii) and (c)(3)(iii);
End Amendment Part Start Amendment Partf. Adding paragraph (d)(4); and
End Amendment Part Start Amendment Partg. Revising paragraph (e).
End Amendment PartThe revisions and additions read as follows:
Notice of privacy practices for protected health information(a) * * * (1) Right to notice. Except as provided by paragraph (a)(3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information.
(2) Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2(a). As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records.
(3) Exception for group health plans. (i) An individual enrolled in a group health plan has a right to notice:
(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or
(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.
(ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must:
(A) Maintain a notice under this section; and
(B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan.
(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.
(b) * * * (1) Required elements. The covered entity, including any covered entity maintaining or receiving records subject to 42 U.S.C. 290dd-2, must provide a notice that is written in plain language and that contains the elements required by this paragraph.
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed:
NOTICE OF PRIVACY PRACTICES OF [NAME OF COVERED ENTITY, AFFILIATED COVERED ENTITIES, OR ORGANIZED HEALTH CARE ARRANGEMENT, AS APPLICABLE]
THIS NOTICE DESCRIBES:
- HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
- YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
- HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR RECORDS AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE
- HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY, OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET COPIES OF YOUR RECORDS UNDER HIPAA
YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER [NAME OR TITLE] AT [PHONE AND EMAIL]] IF YOU HAVE ANY QUESTIONS.
(ii) * * *
(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2.
* * * * *(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) or (B) of this section must include a separate statement informing the individual of such activities, as applicable:
(A) In accordance with § 164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;
(B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan;
(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected Start Printed Page 74287 health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes;
(D) Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed; or
(E) If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, a statement that such information may be used or disclosed for such purpose only if the individual grants written consent as provided in 42 CFR 2.31.
(iv) * * *
(C) The right of access to inspect and obtain a copy of protected health information at limited cost or, in some cases, free of charge; and the right to direct a covered health care provider to transmit an electronic copy of protected health information in an electronic health record to a third party, as provided by § 164.524;
* * * * *(G) The right to discuss the notice with a designated contact person identified by the covered entity pursuant to § 164.520(b)(vii);
(v) * * *
(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices, and to notify affected individuals following a breach of unsecured protected health information;
* * * * *(C) A statement that the covered entity reserves the right to change the terms of its notice, provided that such terms are not material or contrary to law, and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.
* * * * *(vii) Contact. The notice must contain the name or title and telephone number and email for a designated person who is available to provide further information and answer questions about the covered entity's privacy practices, as required by § 164.530(a)(1)(ii).
* * * * *(2) * * *
(iii) A covered entity may provide in its notice information about how an individual who seeks to direct protected health information to a third party, when the protected health information is not in an electronic health record or is in a non-electronic format, can instead obtain a copy of protected health information directly under § 164.524 and send the copy to the third party themselves, or request the covered entity to send a copy of protected health information to a third party using a valid authorization under § 164.508.
* * * * *(c) * * *
(2) * * *
(ii) If the health care provider maintains a physical service delivery site:
* * * * *(iii) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(ii) of this section, if applicable.
(3) * * *
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.
* * * * *(d) * * *
(4) The permission in paragraph (c)(1) of this section for covered entities who are part of an organized health care arrangement to issue a joint notice may not be construed to remove any obligations or duties of entities creating or maintaining records subject to 42 U.S.C. 290dd-2, or to remove any rights of patients who are the subjects of such records.
(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by § 164.530(j), by retaining copies of the notices issued by the covered entity.
Dated: November 21, 2022.
Xavier Becerra,
Secretary, Department of Health and Human Services.
Footnotes
1. For readability, the Department refers to specific sections of 42 CFR part 2 using a shortened citation with the “§ ” symbol except where necessary to distinguish title 42 citations from other CFR titles, such as title 45 CFR, and in footnotes where the full reference is used.
Back to Citation2. Public Law 116-136, 134 Stat. 281 (March 27, 2020).
Back to Citation3. See42 U.S.C. 290dd-2(a). “Records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States shall, except as provided in subsection (e), be confidential and be disclosed only for the purposes and under the circumstances expressly authorized under subsection (b)”.
Back to Citation4. See the Administrative Simplification provisions of title II, subtitle F, of HIPAA (Public Law 104-191), 110 Stat. 1936 (August 21, 1996) which added a new part C to title XI of the Social Security Act (secs.1171-1179 of the Social Security Act, 42 U.S.C. 1320d-1320d-8), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, 123 Stat. 226 (February 17, 2009).
Back to Citation5. See the Privacy Rule, 45 CFR parts 160 and 164, subparts A and E; the Security Rule 45 CFR parts 160 and 164, subparts A and C; the Breach Notification Rule, 45 CFR part 164, subpart D; and the Enforcement Rule, 45 CFR part 160, subparts C, D, and E. Breach notification requirements were added by the HITECH Act.
Back to Citation6. PHI is individually identifiable health information maintained or transmitted by or on behalf of a HIPAA covered entity. See45 CFR 160.103 (definitions of “Individually identifiable health information ” and Protected health information ”).
Back to Citation7. Covered entities are health care providers who transmit health information electronically in connection with any transaction for which the Department has adopted an electronic transaction standard, health plans, and health care clearinghouses. See45 CFR 160.103 (definition of “Covered entity”).
Back to Citation8. A business associate is a person, other than a workforce member, that performs certain functions or activities for or on behalf of a covered entity, or that provides certain services to a covered entity involving the disclosure of PHI to the person. See45 CFR 160.103 (definition of “Business associate”).
Back to Citation9. See “Part 2 Proposed Rule Brings Clarity and Reduces Regulatory Burdens for Substance Use Disorder Providers, but Challenges Remain” (September 2019), https://www.mintz.com/insights-center/viewpoints/2146/2019-09-part-2-proposed-rule-brings-clarity-and-reduces-regulatory; “HIPAA: A Trap for the Unwary” (May 2014), https://www.dykema.com/resources-alerts-HIPAA-A-Trap-for-the-Unwary_5-2014.html; and correspondence from Partnership to Amend 42 CFR part 2 (March 2019), https://www.pcpcc.org/sites/default/files/news_files/Response%20from%20Partnership%20to%20Amend%2042%20CFR%20Part%202.pdf.
Back to Citation10. See Published Comments—Request for Public Comment on the Confidentiality of Alcohol and Drug Abuse Patient Records, 79 FR 26929 (May 2014) Document 26, (June 23, 2014) at page 20, https://www.samhsa.gov/sites/default/files/about_us/who_we_are/comments-100-120.pdf; “Privacy Laws are Hurting the Care of Patients with Addiction” (July 2018 ), https://www.statnews.com/2018/07/13/privacy-laws-patients-addiction/.
Back to Citation13. 42 U.S.C. 290dd-2(b)(1)(D). Additionally, section 3221 of the CARES Act further emphasizes the patient's right to request restrictions on disclosures in both the Rules of Construction and the Sense of Congress. See CARES Act secs. 3221(j)(1) and (k)(2), respectively.
Back to Citation16. CARES Act sec. 3221(g) added paragraph (i) to 42 U.S.C. 290dd-2 to insert an express prohibition against discrimination on the basis of information received pursuant to a disclosure of records. See42 U.S.C. 290dd-2(i).
Back to Citation19. CARES Act sec. 3221(i)(2).
Back to Citation20. See45 CFR 160.105.
Back to Citation21. 42 U.S.C. 290dd-2(b)(1)(B) provides in part that “[a]ny information so disclosed may be redisclosed in accordance with the HIPAA regulations.” To align with the statute's spelling of the term “redisclosed” and for drafting consistency, the Department proposes to modify the term “re-disclosed” (and related root words) to remove the hyphen, where appropriate, throughout this document. See, e.g., proposed §§ 2.12(d)(2)(i)(C); 2.12(d)(2)(ii); 2.32(a)(1); 2.33(c); 2.34(b); 2.35(d); 2.52(b)(2); 2.53(a).
Back to Citation22. Generally, the proposals not listed make wording changes, not substantive changes. These proposals are reviewable in the regulatory text and include proposals to modify § 2.17, Undercover agents and informants; § 2.20, Relationship to state laws; § 2.21 Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity; and § 2.34, Uses and Disclosures to prevent multiple enrollments (proposed heading).
Back to Citation23. SeePublic Law 111-5, 123 Stat. 226 (February 17, 2009). Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) amended sections 1176 and 1177 of the Social Security Act (codified at 42 U.S.C. 1320d-5) to add civil and criminal penalty tiers for violations of the HIPAA Administrative Simplification provisions.
Back to Citation24. See45 CFR part 160.
Back to Citation25. Although this provision is not expressly required by the CARES Act, it falls within the Department's general rulemaking authority in 42 U.S.C. 290dd-2(g), and is needed to address the logical consequences of the changes required by sec. 3221.
Back to Citation26. Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term “Breach”. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification provisions, discussed in detail below.
Back to Citation27. See42 U.S.C. 290dd-2(b)(1)(B) and (2)(c).
Back to Citation29. Id.
Back to Citation30. See Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N-SSATS): 2020. Data on Substance Abuse Treatment Facilities. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
Back to Citation31. For example, the Ohio Behavioral Health Providers Network (Network) in an August 21, 2020, letter to SAMHSA, and the Partnership to Amend Part 2 in a similar January 8, 2021, letter to the U.S. Department of Health and Human Services (HHS), both urge that there should be no requirement for data segmentation or segregation after written consent is obtained and Part 2 records are transmitted to a health information exchange or care management entity that is a business associate of a covered entity covered by the new CARES Act consent language. In the letter, the Network states that such requirements are difficult to implement in federally qualified health centers and other integrated settings in which SUD treatment may be provided. See also public comments expressed and summarized in 85 FR 42986, https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use- disorder-patient-records; and see https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.
Back to Citation32. See65 FR 82482 (December 28, 2000).
Back to Citation33. See42 CFR 2.12(d)(2)(i)(C).
34. See42 CFR 2.11, definitions of “Patient identifying information” and “Disclose”.
Back to Citation36. See, e.g., remarks of U.S. Representative Earl Blumenauer: “If substance use disorder treatment is not included in your entire medical records, then they are not complete. It makes care coordination more difficult and can lead to devastating outcomes. This bill works to remove the stigma that comes with substance use disorders and ensures necessary information is available for safe, efficient, and transparent treatment for all patients.” See also remarks of U.S. Representative Markwayne Mullin: “It's time that we stop stigmatizing those struggling with opioid abuse and give physicians the tools they need to help their patients. Mental health and physical health have been treated in a silo for too long. Our bill breaks down those barriers so the doctor can treat the whole patient. I'm proud to introduce this bill with my colleagues so that we can provide 21st century care to those who need it the most”, https://blumenauer.house.gov/media-center/press-releases/blumenauer-and-mullin-introduce-bipartisan-legislation-address-opioid.
37. But see85 FR 42986 (July 15, 2020), in which the Department finalized a rule permitting the disclosure of Part 2 records for care coordination by certain “lawful holders” that receive a record for payment or health care operation activities directly from a Part 2 program or other lawful holder.
Back to Citation38. In 2017, the Department declared a public health emergency related to the opioid crisis. See Public Health Emergency (October 26, 2017), https://www.hhs.gov/sites/default/files/opioid%20PHE%20Declaration-no-sig.pdf. https://www.phe.gov/emergency/news/healthactions/phe/Pages/opioids.aspx.
Back to Citation39. NAAG Requests Removal of Federal Barriers to Treat Opioid Use Disorder (August 5, 2019), at https://www.naag.org/policy-letter/naag-requests-removal-of-federal-barriers-to-treat-opioid-use-disorder/.
Back to Citation40. Opioid Overdose Crisis, National Institutes of Health National Institute on Drug Abuse (March 11, 2021), https://www.drugabuse.gov/drug-topics/opioids/opioid-overdose-crisis. See also CDC/NCHS, National Vital Statistics System, Mortality. CDC WONDER, Atlanta, GA: US Department of Health and Human Services, CDC; 2019, https://wonder.cdc.gov.
Back to Citation41. Hearing of the Committee on Health, Education, Labor, and Pensions United States Senate, “The Role of Technology and Data in Preventing and Treating Addiction.” (February 27, 2018), https://www.govinfo.gov/content/pkg/CHRG-115shrg28855/pdf/CHRG-115shrg28855.pdf.
Back to Citation42. See sec. 3221(i) of the CARES Act.
Back to Citation43. See sec. 333, Public Law 91-616, 84 Stat. 1853 (December 31, 1970) (codified at 42 U.S.C. 2688h).
Back to Citation44. See sec. 408, Public Law 92-255, 86 Stat. 65 (March 21, 1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the use of a covered record for use or initiation or substantiation of criminal charges against a patient or investigation of a patient. Section 408 provided for a fine in the amount of $500 for a first offense violation, and not more than $5,000 for each subsequent offense.
Back to Citation45. Id.
Back to Citation46. See sec. 101, title I, Public Law 93-282, 88 Stat. 126 (May 14, 1974), providing that: “This title [enacting this section and sections 4542, 4553, 4576, and 4577 of this title, amending sections 242a, 4571, 4572, 4573, 4581, and 4582 of this title, and enacting provisions set out as notes under sections 4581 and 4582 of this title] may be cited as the ‘Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act Amendments of 1974”.
Back to Citation47. See sec. 408, title I, Public Law 92-255, 86 Stat. 79 (March 21, 1972) (originally codified at 21 U.S.C. 1175). See21 U.S.C. 1175 note for complete statutory history.
Back to Citation48. See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 1992) (codified at 42 U.S.C. 201 note).
Back to Citation49. See sec. 333, Public Law 91-616, 84 Stat. 1853 (December 31, 1970).
Back to Citation50. See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10, 1992) (codified at 42 U.S.C. 201 note).
Back to Citation51. Id., adding sec. 543(b)(2)(C) to the PHSA.
Back to Citation52. Id., adding sec. 543(g) to the PHSA.
Back to Citation53. See40 FR 27802 (July 1, 1975).
Back to Citation54. See52 FR 21796 (June 9, 1987). See also Notice of Decision to Develop Regulations, 45 FR 53 (January 2, 1980) and 48 FR 38758 (August 25, 1983).
Back to Citation55. See60 FR 22296 (May 5, 1995). See also59 FR 42561 (August 18, 1994) and 59 FR 45063 (August 31, 1994). The ambiguity of the definition of “program” was identified in United States v. Eide, 875 F. 2d 1429 (9th Cir. 1989) where the court held that the general emergency room is a “program” as defined by the regulations.
Back to Citation56. SeePublic Law 104-191, 110 Stat. 1936 (August 21, 1996).
Back to Citation57. Cited at fn. 3. See also sec. 264 of HIPAA (codified at 42 U.S.C. 1320d-2 note).
Back to Citation58. See42 U.S.C. 1320d-1-1320d-9. With respect to privacy standards, Congress directed the Department to “address at least the following: (1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required.” 42 U.S.C. 1320d-2 note.
Back to Citation59. See42 U.S.C. 1320d-1 (applying Administrative Simplification provisions to covered entities).
Back to Citation60. See “Office for Civil Rights Fact Sheet on Direct Liability of Business Associates under HIPAA” (May 2019) for a comprehensive list of requirements in the HIPAA Rules that apply directly to business associates (available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html).
Back to Citation61. The HITECH Act extended the applicability of certain Privacy Rule requirements and all of the Security Rule requirements to the business associates of covered entities; required HIPAA covered entities and business associates to provide for notification of breaches of unsecured PHI (implemented by the Breach Notification Rule); established new limitations on the use and disclosure of PHI for marketing and fundraising purposes; prohibited the sale of PHI; required consideration of whether a limited data set can serve as the minimum necessary amount of information for uses and disclosures of PHI; and expanded individuals' rights to access electronic copies of their PHI in an EHR, to receive an accounting of disclosures of their PHI with respect to ePHI, and to request restrictions on certain disclosures of PHI to health plans. In addition, subtitle D strengthened and expanded HIPAA's enforcement provisions. See subtitle D of title XIII of the HITECH Act, entitled “Privacy”, for all provisions (codified in title 42 of U.S.C.).
Back to Citation62. See45 CFR 164.502(a).
Back to Citation63. See45 CFR 164.506.
Back to Citation64. See45 CFR 164.512(b).
Back to Citation65. See45 CFR 164.514(e)(1-4).
Back to Citation66. See45 CFR 164.512(i).
Back to Citation67. See45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
Back to Citation68. See45 CFR 164.514(a-c).
Back to Citation69. See45 CFR 164.306(a)(1).
Back to Citation70. See45 CFR 164.306(a)(2).
Back to Citation71. See45 CFR 164.306(a)(3).
Back to Citation72. See45 CFR 164.306(a)(4).
Back to Citation73. See sec. 13402 of the HITECH Act (codified at 42 U.S.C. 17932).
Back to Citation74. See45 CFR 164.402 para. (1).
Back to Citation75. Ibid. para. (2).
Back to Citation76. Criminal penalties may be imposed by the Department of Justice for certain violations under 42 U.S.C. 1320d-6.
Back to Citation77. See45 CFR 160.304. See also45 CFR 160.416 and 160.514.
Back to Citation78. See78 FR 5566 (January 25, 2013).
Back to Citation79. See Office for Civil Rights; Statement of Delegation of Authority, 65 FR 82381 (December 28, 2000); Office for Civil Rights; Delegation of Authority, 74 FR 38630 (August 4, 2009); Statement of Organization, Functions and Delegations of Authority, 81 FR 95622 (December 28, 2016).
80. See65 FR 82381 (December 28, 2000).
Back to Citation81. The limited exceptions are codified in current regulation at 42 CFR 2.12(c), 42 CFR part 2 subpart D, and 42 CFR 2.33(b).
Back to Citation82. See42 CFR 2.12(c)(3). These disclosures are limited to communications within a Part 2 program or between a Part 2 program and an entity having direct administrative control over the Part 2 program.
Back to Citation83. See45 CFR 164.501.
Back to Citation84. See85 FR 42986 and 83 FR 239 (January 3, 2018).
Back to Citation85. 82 FR 6052 (January 18, 2017). See also81 FR 6988 (February 9, 2016).
Back to Citation86. See82 FR 6052, 6064.
Back to Citation88. Id. at 242.
Back to Citation89. 83 FR 239 (January 3, 2018). See also82 FR 5485 (January 18, 2017).
Back to Citation90. Id. at 242.
Back to Citation91. Id.
Back to Citation92. 85 FR 42986. See also84 FR 44568.
Back to Citation93. See42 CFR 2.33(b).
Back to Citation94. See85 FR 42986, 43008-009. Sec. 3221(k)(4) expressed the Sense of Congress that the Department should exclude clause (v) of paragraph 6 of 45 CFR 164.501 (relating to creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity) from the definition of “health care operations” in applying the definition to these records.
Back to Citation95. See85 FR 42986, 43006.
Back to Citation96. See85 FR 42986, 43006, See also 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 FR 25642 (May 1, 2020).
Back to Citation97. See proposed 42 CFR 2.11, Definitions: Intermediary means a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participants for the treatment of the patient— e.g., a health information exchange, a research institution that is providing treatment, an accountable care organization, or a care management organization.
Back to Citation98. 85 FR 80626 (December 14, 2020).
Back to Citation99. Public Law 116-136, 134 Stat. 281 (March 27, 2020). Significant components of section 3221 are codified at 42 U.S.C. 290dd-2 as further detailed in this NPRM.
Back to Citation100. Section 3221(i) requires the Secretary to update 45 CFR 164.520, the Privacy Rule requirements with respect to the NPP.
Back to Citation101. Paragraph (1) is codified at 42 U.S.C. 290dd-2(b).
Back to Citation102. See sec. 3221(g) of the CARES Act.
Back to Citation103. Id.
Back to Citation104. See Dineen, Kelly K., & Pendo, Elizabeth, “Substance Use Disorder Discrimination and the CARES Act: Using Disability Law to Inform Part 2 Rulemaking” (February 2, 2021) (available at https://arizonastatelawjournal.org/wp-content/uploads/2021/02/02-Dineen-_-Pendo.pdf) and Johnson, Kimberly, “COVID-19: Isolating the Problems in Privacy Protection for Individuals with Substance Use Disorder” (May 1, 2021) (available at https://ssrn.com/abstract=3837955). See also remarks of U.S. Representative Michael C. Burgess: “Current [P]art 2 law does not protect individuals from discrimination based on their treatment records and, to this date, there have been no criminal actions undertaken to enforce [P]art 2.” (available at https://www.congress.gov/congressional-record/2018/06/20/house-section/article/H5325-1).
Back to Citation105. See sec. 504, Public Law 93-112, 86 Stat. 355 (September 26, 1973) (codified at 29 U.S.C. 701, 705).
Back to Citation106. See Public Law 101-336, 104 Stat. 327 (July 26, 1990) (codified at 42 U.S.C. 12101, 12210).
Back to Citation107. See sec. 1557, Public Law 111-148, 124 Stat. 119 (March 23, 2010) (codified at 42 U.S.C. 18001, 18116).
Back to Citation108. See sec. 3601-19, Public Law 90-284, 82 Stat. 81 (April 11, 1968) (codified at 42 U.S.C. 3601, 3602).
Back to Citation109. See e.g., proposed regulatory text at §§ 2.2(a)(2), (a)(3), and (b)(1), Purpose and effect; 2.12(c)(5) and (c)(6), Applicability; 2.13(a) and (b), Confidentiality restrictions and safeguards; 2.21(b), Relationship to federal statutes protecting research subjects against compulsory disclosure of their identity; 2.34(b), Disclosures to prevent multiple enrollments; 2.35(d), Disclosures to elements of the criminal justice system which have referred patients; 2.53(a), (b)(1)(iii), (e)(1)(iii), (e)(6), (f), Management audits, financial audits, and program evaluation (proposed heading); subpart E, Court Orders Authorizing Use and Disclosure (proposed heading); 2.61(a), Legal effect of order; 2.62, Order not applicable to records disclosed without consent to researchers, auditors and evaluators; 2.65 heading, 2.65(a) and (d), 2.65(e), (e)(1), and (e)(3), Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading); 2.66 heading, 2.66(a)(1) and 2.66(d), Procedures and criteria for orders authorizing use and disclosure of records to investigate or prosecute a part 2 program or the person holding the records (proposed heading).
Back to Citation110. Consistently, the Department refers to “uses and disclosures” or “use and disclosure” in the Privacy Rule. See, e.g.,45 CFR 164.502 Uses and disclosures of protected health information: General rules.
Back to Citation111. See, e.g., proposed §§ 2.12(a)(1), (c)(3) and (c)(4), (d)(2), and (e)(3), Applicability; 2.13(a), Confidentiality restrictions and safeguards; 2.14(a) and (b), Minor patients; 2.15(a)(2), (b)(1) and (b)(2), Patients who lack capacity and deceased patients; 2.20, Relationship to state laws; 2. 23 Patient access and restrictions on use and disclosure (proposed heading) and 2.33(b); Subpart C—Uses and Disclosures With Patient Consent (proposed heading); 2.31(a), (a)(1) and (2), (a)(4)(ii)(B), (a)(10), and (a)(10)(i) and (ii), Consent requirements; 2.33 Uses and disclosures permitted with written consent (proposed heading), and paragraphs 2.33(a), (b), (b)(1), and (b)(2); Subpart D—Uses and Disclosures Without Patient Consent (proposed heading); 2.53(e)(5), Management audits, financial audits, and program evaluation 2.61(a) and (b)(1) and (b)(2), Legal Effect of order; 2.64 heading, Procedures and criteria for orders authorizing uses and disclosures for non-criminal purposes (proposed heading), and paragraphs (a) and (e); 2.65(a) Procedures and criteria for orders authorizing use and disclosure of records to criminally investigate or prosecute patients (proposed heading); 2.67 (d)(3), Orders authorizing the use of undercover agents and informants to investigate employees or agents of a part 2 program in connection with a criminal matter.
Back to Citation112. See proposed §§ 2.63, 2.64, 2.65.
Back to Citation113. See proposed §§ 2.64. 2.65, 2.66.
Back to Citation114. See proposed § 2.3.
Back to Citation115. E.g., Expressly including legislative and administrative proceedings and testimony relaying information contained in records, as discussed above.
Back to Citation116. See Opioid Enforcement Effort, Department of Justice, Consumer Protection Branch, https://www.justice.gov/civil/consumer-protection-branch/opioid and Understanding the Epidemic, Centers for Disease Prevention and Control, https://www.cdc.gov/drugoverdose/epidemic/index.html.
Back to Citation117. For example, using “John Doe” in the application for a court order and keeping records that contain patient identifying information under seal.
Back to Citation118. See45 CFR part 160, subparts C (Compliance and Investigations), D (Imposition of Civil Money Penalties), and E (Procedures for Hearings). See also sec. 13410 of the HITECH Act (codified at 42 U.S.C. 17929).
Back to Citation119. This proposal would implement the required statutory framework establishing that civil and criminal penalties apply to violations of this part, as the Secretary exercises only civil enforcement authority. The Department of Justice has authority to impose criminal penalties where applicable. See68 FR 18895, 18896 (April 17, 2003).
Back to Citation120. See45 CFR 164.501 (definition of “Health care operations”).
Back to Citation121. Section 2.13(d)(2) refers to the description of an intermediary in § 2.31(a)(4)(ii)(B).
Back to Citation122. See45 CFR 160.103 (definition of “Business associate”).
Back to Citation123. See, e.g.,45 CFR 164.504(e).
Back to Citation124. The last sentence reads “For the purpose of the regulations in this part, records include both paper and electronic records.” 42 CFR 2.11 (definition of “Record”).
Back to Citation125. See45 CFR 164.524.
Back to Citation126. See45 CFR 164.501 (definition of “Designated record set”).
Back to Citation127. See45 CFR 164.524(a)(1)(i); see also45 CFR 164.501 (definition of “Psychotherapy notes”).
Back to Citation128. See the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals at https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.
Back to Citation129. See proposed 45 CFR 164.512(k) at 85 FR 6446, 6487.
Back to Citation130. Administrative agencies may issue subpoenas pursuant to their authority to investigate matters and several statutes authorize the use of administrative subpoenas in criminal investigations. For example, these may be cases involving health care fraud, child abuse, Secret Service protection, controlled substance cases, inspector general investigations, and tracking unregistered sex offenders. See Administrative Subpoenas in Criminal Investigations: A Brief Legal Analysis, EveryCRSReport.com, University of North Texas Libraries Government Documents Department, (December 19, 2012), https://www.everycrsreport.com/reports/RL33321.html.
Legislative investigations may also be conducted in furtherance of the functions of Congress or state legislative bodies. See “What, Exactly, Does Congress Have the Authority To Investigate?” Molo Lamken, LLP 2018, https://www.mololamken.com/knowledge-What-Exactly-Does-Congress-Have-the-Authority-To-Investigate#:~:text=While%20Congress%20can%20investigate%20conduct,otherwise%20initiate%20a%20criminal%20prosecution.
Back to Citation131. The Department proposes to add “disclosures” to secs. 2.17(b) and 2.67(d)(3) for the same reason.
Back to Citation132. 45 CFR part 164 subparts A and E.
Back to Citation134. See, e.g.,42 CFR 2.31, 2.33, 2.52, and 2.53.
Back to Citation135. See82 FR 6052, 6068. See also81 FR 6988, 6997.
Back to Citation136. For example, in the Consideration of Regulatory Alternatives section of this NPRM, the Department describes the entities it considered expressly including in a definition that would be codified in regulatory text, including covered entities, business associates, qualified service organizations, and others.
Back to Citation137. See e.g., Mich. Comp. Laws §§ 333.6111 (expressly excluding SUD records from an emergency medical service as restricted); and NJ Rev. Stat. § 26:2B-20 (2013) (requiring records to be confidential except by proper judicial order whether connected to pending judicial proceedings or otherwise).
Back to Citation138. See e.g., MO Rev. Stat. § 191.731 (requiring SUD records of certain pregnant women remain confidential).
Back to Citation139. Section 3221(i) requires the Department to consult with legal, clinical, privacy and civil rights experts. The Department has completed this consultation as part of its internal review process with the identified experts.
Back to Citation140. See45 CFR 164.520(a)(2) and (a)(3).
Back to Citation141. See45 CFR 164.501 (definitions of “Direct treatment relationship” and “Indirect treatment relationship).
Back to Citation142. See Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446.
Back to Citation143. See45 CFR 92.102 (Section 1557 of the Affordable Care Act); 45 CFR 84.4(b), 84.52(a), (c), (d) (Section 504 of the Rehabilitation Act of 1973); 28 CFR 35.160(a)-(b) (Title II of the Americans with Disabilities Act).
Back to Citation144. See45 CFR 92.101 (Section 1557 of the Affordable Care Act); 45 CFR 80.3(b) (Title VI of the Civil Rights Act of 1964).
Back to Citation145. In the event a patient lacks capacity at the time of admission, 42 CFR 2.22(a) alternatively requires that such notice be given as soon as the patient attains capacity.
Back to Citation146. The Department proposed to modify the NPP header in a separate Privacy Rule NPRM, as described at 86 FR 6446, 6485. The proposed regulatory text herein reflects the changes proposed in the earlier NPRM, as well as new proposed changes.
Back to Citation147. See42 U.S.C. 290dd-2(f) and 42 U.S.C. 1320d-5.
Back to Citation148. See45 CFR 164.520(c)(2)(i)(A), (c)(2)(i)(B), (c)(2)(iii)(B). See also proposed amendments to this section in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446.
Back to Citation149. See86 FR 6446.
Back to Citation151. Section 3221(k)(4) expresses the Sense of Congress that creating de-identified health information, a limited data set, and fundraising for the benefit of a covered entity should be excluded from the definition of health care operations as applied to the use and disclosure of Part 2 records.
Back to Citation152. See86 FR 6446.
Back to Citation153. Id.
Back to Citation154. 42 CFR 2.13(d) (specifying List of Disclosures requirement applicable to intermediaries).
Back to Citation155. OCR published an NPRM to implement this HITECH Act provision in 2011 but did not finalize it because of concerns raised by public comments. OCR announced its intention to withdraw the 2011 NPRM and requested public input on new questions to help OCR implement the HITECH Act requirement as part of the 2018 HIPAA Rules RFI. See83 FR 64302, 64307 (December 14, 2018). A final HIPAA rule on the accounting of disclosures that would apply to TPO disclosures by covered entities has not been issued.
Back to Citation156. See also sec. 13405(c) of the HITECH Act (codified at 42 U.S.C. 17935(c). Since the HITECH Act requirement for accounting of disclosures was enacted in 2009, the Department published a Request for Information (RFI) at 75 FR 23214 (May 3, 2010) and an NPRM at 76 FR 31426 (May 31, 2011). Based in part on public comment the RFI, the Department proposed to provide individuals with an “access report” as a means of fulfilling the requirement. Based on feedback to the NPRM in which commenters overwhelmingly opposed the report as “unworkable,” the Department, in a follow up RFI published at 83 FR 64302 (December 14, 2018), explained its intent to withdraw the proposal of the 2011 NPRM. The Department received additional public comment about implementing sec. 13405(c) and has recently published, in the Spring 2021 Regulatory Unified Agenda, an intent to publish a second RFI seeking further comment on this HITECH ACT section, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202104&RIN=0945-AA04.
Back to Citation157. See42 U.S.C. 17935(a).
Back to Citation158. CARES Act, sec. 3221(j)(1). The Department believes the effect of this Rule of Construction is that 45 CFR 164.522 of the Privacy Rule continues to apply without change to covered entities with respect to Part 2 records.
Back to Citation159. CARES Act, sec. 3221(k)(2).
Back to Citation160. CARES Act, sec. 3221(k)(3).
Back to Citation161. See proposed 42 CFR 2.31(a)(3).
Back to Citation162. See45 CFR 164.508(c) for the complete set of implementation specifications that apply to written authorization under the Privacy Rule.
Back to Citation163. See e.g.,82 FR 6052, 6087.
Back to Citation164. See82 FR 6052, 6056-6057, 6081, 6090.
Back to Citation165. See Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE). Q15. Does Part 2 require the use of original signed consents? https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf.
Back to Citation166. See Cures Act Final Rule, 85 FR 25746 (discussing ONC's adoption of requirements and standards for authentication and authorization). See also CMS' Interoperability and Patient Access Rule, 85 FR 25510, 25545 (stating that “HHS is collectively working to explore standards and technical supports for data segmentation for privacy and consent management and point commenters to the ONC 21st Century Cures Act final rule for additional discussion on this. We also note that using the appropriate FHIR profiles, such as those being finalized by HHS in the ONC 21st Century Cures Act final rule . . . for API technical standards, including the SMART IG (using the OAuth 2.0 standard) and OpenID Connect as finalized at 45 CFR 170.215, can be leveraged to support this.”
Back to Citation167. See65 FR 82462, 82515 (December 28, 2000).
Back to Citation168. Section 3221(b) of the CARES Act is codified at 42 U.S.C. 290dd-2(b)(1)(C).
Back to Citation169. See45 CFR 160.103 (definition of “Individual”).
Back to Citation170. See, e.g.,45 CFR 164.501 (definition of “Health care operations”, paragraph 5).
Back to Citation171. See, e.g.,45 CFR 164.501 (definition of “Health care operations”, paragraph 1).
Back to Citation172. See, e.g.,45 CFR 164.501 (definition of “Health care operations”, paragraph 2).
Back to Citation173. See42 CFR 2.53(e)(6).
Back to Citation174. Codified at 42 U.S.C. 290dd-2(b)(1)(B).
Back to Citation175. 42 CFR 2.65.
Back to Citation176. See e.g.,45 CFR 164.508(a)(2) requiring a covered entity to obtain written authorization prior to using or disclosing psychotherapy notes, subject to certain exceptions, and prohibiting the combining of an authorization to disclose psychotherapy notes with an authorization to disclose other types of PHI.
Back to Citation177. SeePublic Law 111-5, 123 Stat. 226 (February 17, 2009). Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939) amended sections 1176 and 1177 of the Social Security Act (codified at 42 U.S.C. 1320d-5) to add civil and criminal penalty tiers for violations of the HIPAA Administrative Simplification provisions.
Back to Citation178. See45 CFR part 160.
Back to Citation179. Section 13400 of the HITECH Act (codified at 42 U.S.C. 17921) defined the term “Breach”. Section 13402 of the HITECH Act (codified at 42 U.S.C. 17932) enacted breach notification provisions, discussed in detail below.
Back to Citation180. See42 U.S.C. 290dd-2(b)(1)(B) and (2)(c).
Back to Citation181. See42 CFR part 2, subpart E.
Back to Citation182. Id.
Back to Citation183. Totals in this Regulatory Impact Analysis may not add up due to showing rounded numbers in the tables.
Back to Citation184. Section 3221(i) of the CARES Act requires implementation on or after the date that is 12 months after the enactment of the CARES Act, i.e., March 27, 2021.
Back to Citation185. For example, a clinic that provides general medical services, and has a unit specializing in SUD treatment that is a Part 2 program, would need to segregate its SUD records from other medical records, even for the same patient, to ensure that the SUD records are used and disclosed only as permitted by Part 2.
Back to Citation186. See42 CFR 2.12(d)(2)(i)(C).
187. “ Patient identifying information means the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information. The term does not include a number assigned to a patient by a part 2 program, for internal use only by the part 2 program, if that number does not consist of or contain numbers (such as a social security, or driver's license number) that could be used to identify a patient with reasonable accuracy from sources external to the part 2 program.” 42 CFR 2.11. See also definition of “Disclose”: “[T]o communicate any information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person.” 42 CFR 2.11.
Back to Citation188. See42 CFR 2.12(d)(2)(ii).
Back to Citation189. McCarty, D., Rieckmann, T., Baker, R.L., & McConnell, K.J. (2017). “The Perceived Impact of 42 CFR part 2 on Coordination and Integration of Care: A Qualitative Analysis.” Psychiatric Services (Washington, DC), 68(3), 245-249, https://doi.org/10.1176/appi.ps.201600138).
Back to Citation190. For example, the Ohio Behavioral Health Providers Network (Network) in an August 21, 2020 letter to SAMHSA, and the Partnership to Amend Part 2 in a similar January 8, 2021 letter to the U.S. Department of Health and Human Services (HHS), both urge that there should be no requirement for data segmentation or segregation after written consent is obtained and Part 2 records are transmitted to a health information exchange or care management entity that is a business associate of a covered entity covered by the new CARES Act consent language. In the letter, the Network states that such requirements are difficult to implement in federally qualified health centers and other integrated settings in which SUD treatment may be provided. See also public comments expressed and summarized in 85 FR 42986, https://www.federalregister.gov/documents/2020/07/15/2020-14675/confidentiality-of-substance-use-disorder-patient-records; and seehttps://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.
Back to Citation191. See Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446, 6498 (January 21. 2021).
Back to Citation192. See Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N-SSATS): 2020. Data on Substance Abuse Treatment Facilities. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
Back to Citation193. 85 FR 42986 (July 15, 2020).
Back to Citation194. See83 FR 239 (January 3, 2018) and 85 FR 42986 (July 15, 2020).
Back to Citation195. 86 FR 6446 (January 21, 2021).
Back to Citation196. 85 FR 42986 (July 15, 2020).
Back to Citation197. 84 FR 51604 (September 30, 2019). See also86 FR 6446 (January 21, 2021).
Back to Citation198. 85 FR 42986 (July 15, 2020).
Back to Citation199. 84 FR 787 (January 31, 2019).
Back to Citation200. See Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N-SSATS): 2020. Data on Substance Abuse Treatment Facilities. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
Back to Citation201. Substance Abuse and Mental Health Services Administration, Center for Behavioral Health Statistics and Quality. Treatment Episode Data Set (TEDS): 2019. Admissions to and Discharges From Publicly Funded Substance Use Treatment. Rockville, MD: Substance Abuse and Mental Health Services Administration, 2021, https://www.samhsa.gov/data/sites/default/files/reports/rpt35314/2019_TEDS_Proof.pdf.
202. 86 FR 6446 (January 21, 2021).
203. Id.
Back to Citation204. See § 2.66 (requiring use of “John Doe”).
Back to Citation205. See §§ 2.66 and 2.67.
Back to Citation206. See Preamble, Breach Notification for Unsecured Protected Health Information, 74 FR 42739, 42765-66 (August 24, 2009).
Back to Citation207. See Alexandria White, “How much does credit monitoring cost?” CNBC (November 16, 2021), https://www.cnbc.com/select/how-much-does-credit-monitoring-cost/.
Back to Citation208. See Kenneth Terrell, “Identity Fraud Hit 42 Million People in 2021,” AARP (April 7, 2022) (“[T]he average per-victim loss from traditional identity fraud [is] $1,551.”), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.
Back to Citation209. See Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446 (January 21, 2021).
Back to Citation210. National Academies of Sciences, Engineering, and Medicine. (2016). Ending Discrimination Against People with Mental and Substance Use Disorders: The Evidence for Stigma Change. Washington, DC: The National Academies Press. doi: 10.17226/23442, http://www.nap.edu/23442; U.S. Department of Health and Human Services (HHS), Office of the Surgeon General, Facing Addiction in America: The Surgeon General's Report on Alcohol, Drugs, and Health. Washington, DC: HHS, November 2016.
Back to Citation211. Substance Use Disorder Patient Records Supporting Statement A_06102020—OMB 0930-0092, https://omb.report/omb/0930-0092.
Back to Citation212. The Department relies on its estimated capital expenses for printing HIPAA breach notification letters. See 2021 HIPAA ICR, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.
Back to Citation213. In 2021, that figure was 202,072 (310,880 × .65).
Back to Citation214. See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001. Wage rates are updated to 2021 figures.
Back to Citation215. 86 FR 6446.
Back to Citation216. 78 FR 5675, https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf).
Back to Citation218. 83 FR 64302 (December 14, 2018).
Back to Citation219. See generally, public comments posted in response to Docket ID# HHS-OCR-2018-0028, https://www.regulations.gov/document/HHS-OCR-2018-0028-0001/comment).
Back to Citation220. Id.
Back to Citation221. 86 FR 6446, 6498. See also84 FR 51604.
Back to Citation222. HHS, Office of the Inspector General, Medicaid Fraud Control Units Fiscal Year 2020 Annual Report, Appendix C, Medicaid Fraud Control Unit Case Outcomes and Open Investigations by Provider Type and Case Type for Fiscal Year 2020, OEI-09-21-00120, March 2021, p. 25, https://oig.hhs.gov/oei/reports/OEI-09-21-00120.pdf, (FY 2020 Medicaid fraud convictions and civil penalties against outpatient SUD treatment providers included 9 criminal convictions and 7 civil settlements, for a total of 16).
223. 2019 Report, https://oig.hhs.gov/oei/reports/oei-09-20-00110.pdf, (FY 2019 Medicaid fraud convictions and civil penalties against outpatient SUD treatment providers included 4 criminal convictions and 14 civil settlements for a total of 18).
Back to Citation224. Id., Exhibit C2, p. 28.
Back to Citation225. This is a composite wage rate used in burden estimates for OCR's breach notification Information Collection Request.
Back to Citation226. See42 U.S.C. 290dd-2(c).
Back to Citation227. To determine the salary rate of the employees at the GS-13 and GS-14 pay scale, the Department used the U.S. Office of Personnel Management's (OPM's) General Schedule (GS) classification and pay system and used the Department's General Schedule (Base) annual rates. The Department used the available 2021 data for the estimated costs. In 2021, the salary table for schedule GS-13, step 1 annual rate is $158,936, including $79,468 plus 100% for benefits and the GS-14, step 1 annual rate is $187,814, including $93,907 plus 100% for benefits. The Department estimated the costs over 5 years based on within-grade step increases based on an acceptable level of performance and longevity (waiting periods of 1 year at steps 1-3 and 2 years at steps 4-6).
Back to Citation228. See81 FR 6988; See also82 FR 6052.
Back to Citation229. 82 FR 6052, 6068.
Back to Citation230. 52 FR 21801 (June 9, 1987).
Back to Citation231. 65 FR 82462, 82797.
Back to Citation232. 68 FR 8334, 8373.
Back to Citation233. 78 FR 5566, 5686.
Back to Citation234. 81 FR 6987, 7012.
Back to Citation235. Public Law 105-277, 112 Stat. 2681 (October 21, 1998).
Back to Citation236. See45 CFR 164.530(i)(3).
Back to Citation237. This refers to approved information collections; however, the burden hours shown are adjusted for the NPRM.
Back to Citation238. The Department estimated that the amount of time for disclosure to a patient ranged from a low of 3-5 minutes to a high of almost 38 minutes; the approximately 12 minute estimate used to estimate burden reflected a judgment about the time needed to adequately comply with the legal requirements and for basic training of counselors on the importance of patient confidentiality.
Back to Citation239. See Molfenter T, Roget N, Chaple M, Behlman S, Cody O, Hartzler B, Johnson E, Nichols M, Stilen P, Becker S, Use of Telehealth in Substance Use Disorder Services During and After COVID-19: Online Survey Study, JMIR Ment Health 021;8(2):e25835, https://mental.jmir.org/2021/2/e25835.
Back to Citation240. See Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446.
Back to Citation[FR Doc. 2022-25784 Filed 11-28-22; 8:45 am]
BILLING CODE 4153-01-P
Document Information
- Published:
- 12/02/2022
- Department:
- Health and Human Services Department
- Entry Type:
- Proposed Rule
- Action:
- Notice of proposed rulemaking.
- Document Number:
- 2022-25784
- Dates:
- Comments due on or before January 31, 2023.
- Pages:
- 74216-74287 (72 pages)
- RINs:
- 0945-AA16: Confidentiality of Substance Use Disorder Patient Records
- RIN Links:
- https://www.federalregister.gov/regulations/0945-AA16/confidentiality-of-substance-use-disorder-patient-records
- Topics:
- Administrative practice and procedure, Alcoholism, Courts, Drug abuse, Grant programs-health, Health, Health care, Health records, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and recordkeeping requirements, Reporting and recordkeeping requirements, Security measures
- PDF File:
- 2022-25784.pdf
- Supporting Documents:
- » Confidentiality of Substance Use Disorder Patient Records
- CFR: (36)
- 45 CFR 2.1
- 45 CFR 2.2
- 45 CFR 2.3
- 45 CFR 2.4
- 45 CFR 2.11
- More ...