[Federal Register Volume 89, Number 33 (Friday, February 16, 2024)]
[Rules and Regulations]
[Pages 12472-12631]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-02544]
Vol. 89, No. 33, Friday, February 16, 2024, Part III
Department of Health and Human Services
-----------------------------------------------------------------------
42 CFR Part 2
Confidentiality of Substance Use Disorder (SUD) Patient Records; Final
Rule
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
42 CFR Part 2
RIN 0945-AA16
Confidentiality of Substance Use Disorder (SUD) Patient Records
AGENCY: Office for Civil Rights, Office of the Secretary, Department of
Health and Human Services; Substance Abuse and Mental Health Services
Administration (SAMHSA), Department of Health and Human Services.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The United States Department of Health and Human Services (HHS
or ``Department'') is issuing this final rule to modify its regulations
to implement section 3221 of the Coronavirus Aid, Relief, and Economic
Security (CARES) Act. The Department is issuing this final rule after
careful consideration of all public comments received in response to
the notice of proposed rulemaking (NPRM) for the Confidentiality of
Substance Use Disorder (SUD) Patient Records. This final rule also
makes certain other modifications to increase alignment with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy
Rule to improve workability and decrease burden on programs, covered
entities, and business associates.
DATES:
Effective date: This final rule is effective on April 16, 2024.
Compliance date: Persons subject to this regulation must comply
with the applicable requirements of this final rule by February 16,
2026.
FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (202) 240-3110
or (800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
A. Purpose of Rulemaking and Issuance of Proposed Rule
B. Severability
C. Summary of the Major Provisions
D. Summary of the Costs and Benefits of the Major Provisions
II. Statutory and Regulatory Background
III. Overview of Public Comments
A. General Discussion of Comments
B. General Comments
1. General Support for the Proposed Rule
2. General Opposition to the Proposed Rule
IV. Analysis and Response to Public Comments and Final Modifications
A. Effective and Compliance Dates
B. Substantive Proposals and Responses to Comments
V. Regulatory Impact Analysis
A. Executive Orders 12866 and 13563 and Related Executive Orders
on Regulatory Review
1. Summary of the Final Rule
2. Need for the Final Rule
3. Response to Public Comment
4. Cost-Benefit Analysis
5. Consideration of Regulatory Alternatives
B. Regulatory Flexibility Act
C. Unfunded Mandates Reform Act
D. Executive Order 13132--Federalism
E. Assessment of Federal Regulation and Policies on Families
F. Paperwork Reduction Act of 1995
1. Explanation of Estimated Annualized Burden Hours for 42 CFR
Part 2
2. Explanation of Estimated Capital Expenses for 42 CFR Part 2
Table of Acronyms
------------------------------------------------------------------------
Acronym                            Meaning
------------------------------------------------------------------------
ACO............................... Accountable Care Organization.
ADAMHA............................ Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act.
ADT............................... Admit, Discharge, Transfer.
APCD.............................. All-Payer Claims Database.
BLS............................... Bureau of Labor Statistics.
CARES Act......................... Coronavirus Aid, Relief, and Economic Security Act.
CBO............................... Community-based Organizations.
CFR............................... Code of Federal Regulations.
CHIP.............................. Children's Health Insurance Program.
CMP............................... Civil Money Penalty.
CMS............................... Centers for Medicare & Medicaid Services.
COVID-19.......................... Coronavirus Disease 2019.
CSP............................... Cloud Service Provider.
DOJ............................... U.S. Department of Justice.
E.O............................... Executive Order.
EHR............................... Electronic Health Record.
ePHI.............................. Electronic Protected Health Information.
FDA............................... Food and Drug Administration.
FOIA.............................. Freedom of Information Act.
FR................................ Federal Register.
GS................................ General Schedule.
Health IT......................... Health Information Technology.
HHS or Department................. U.S. Department of Health and Human Services.
HIE............................... Health Information Exchange.
HIN............................... Health Information Network.
HIPAA............................. Health Insurance Portability and Accountability Act of 1996.
HITECH Act........................ Health Information Technology for Economic and Clinical Health Act of 2009.
HIV............................... Human Immunodeficiency Virus.
ICR............................... Information Collection Request.
IHS............................... Indian Health Service.
ISDEAA............................ Indian Self-Determination and Education Assistance Act.
MAT............................... Medication Assisted Treatment.
MHPAEA............................ Mental Health Parity and Addiction Equity Act.
MOUD.............................. Medications for Opioid Use Disorder.
MPCD.............................. Multi-Payer Claims Database.
NIST.............................. National Institute of Standards and Technology.
NOAA.............................. National Oceanic and Atmospheric Administration.
NPP............................... Notice of Privacy Practices.
NPRM.............................. Notice of Proposed Rulemaking.
N-SSATS........................... National Survey of Substance Abuse Treatment Services.
OCR............................... Office for Civil Rights.
OIG............................... Office of the Inspector General.
OIRA.............................. Office of Information and Regulatory Affairs.
OMB............................... Office of Management and Budget.
ONC............................... Office of the National Coordinator for Health Information Technology.
OTP............................... Opioid Treatment Program.
PDMP.............................. Prescription Drug Monitoring Program.
PHI............................... Protected Health Information.
PHSA.............................. Public Health Service Act.
PRA............................... Paperwork Reduction Act of 1995.
Pub. L............................ Public Law.
QSO............................... Qualified Service Organization.
QSOA.............................. Qualified Service Organization Agreement.
RFA............................... Regulatory Flexibility Act.
RFI............................... Request for Information.
RIA............................... Regulatory Impact Analysis.
RPMS.............................. Resource and Patient Management System.
SAMHSA............................ Substance Abuse and Mental Health Services Administration.
SBA............................... Small Business Administration.
SUD............................... Substance Use Disorder.
TEDS.............................. Treatment Episode Data Set.
TEFCA............................. Trusted Exchange Framework and Common Agreement.
TPO............................... Treatment, Payment, and/or Health Care Operations.
U.S.C............................. United States Code.
USPHS............................. U.S. Public Health Service.
VA................................ U.S. Department of Veterans Affairs.
------------------------------------------------------------------------
I. Executive Summary
A. Purpose of Rulemaking and Issuance of Proposed Rule
On March 27, 2020, Congress enacted the Coronavirus Aid, Relief,
and Economic Security (CARES) Act, including section 3221 of the Act
\1\ entitled ``Confidentiality and Disclosure of Records Relating to
Substance Use Disorder.'' Section 3221 enacts statutory amendments to
section 290dd-2 of title 42 United States Code (42 U.S.C. 290dd-2).\2\
These amendments require the U.S. Department of Health and Human
Services (HHS or ``Department'') to increase the regulatory alignment
between title 42 of the Code of Federal Regulations (CFR) (42 CFR part
2 or ``part 2''),\3\ which includes privacy provisions that protect SUD
patient records, and key aspects of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) \4\ Privacy, Breach
Notification, and Enforcement regulations (``HIPAA regulations''),\5\
which govern the use and disclosure of protected health information
(PHI).\6\
---------------------------------------------------------------------------
\1\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
\2\ 42 U.S.C. 290dd-2.
\3\ For readability, the Department refers to specific sections
of 42 CFR part 2 using a shortened citation with the ``Sec. ''
symbol except where necessary to distinguish title 42 citations from
other CFR titles, such as title 45 CFR, and in footnotes where the
full reference is used.
\4\ Subtitle F of title II of HIPAA, Public Law 104-191, 110
Stat. 1936 (Aug. 21, 1996) added a new part C to title XI of the
Social Security Act (SSA), Public Law 74-271, 49 Stat. 620 (Aug. 14,
1935), (see sections 1171-1179 of the SSA (codified at 42 U.S.C.
1320d-1320d-8)), as amended by the Health Information Technology for
Economic and Clinical Health (HITECH) Act of 2009, Public Law 111-5,
123 Stat. 226 (Feb. 17, 2009) (codified at 42 U.S.C. 139w-4(0)(2)),
enacted as title XIII of division A and title IV of division B of
the American Recovery and Reinvestment Act of 2009 (ARRA), Public
Law 111-5, 123 Stat. 226 (Feb. 17, 2009).
\5\ See the HIPAA Privacy Rule, 45 CFR parts 160 and 164,
subparts A and E; the HIPAA Security Rule, 45 CFR parts 160 and 164,
subparts A and C; the HIPAA Breach Notification Rule, 45 CFR part
164, subpart D; and the HIPAA Enforcement Rule, 45 CFR part 160,
subparts C, D, and E. Breach notification requirements were added by
the HITECH Act.
\6\ PHI is individually identifiable health information
maintained or transmitted by or on behalf of a HIPAA covered entity.
See 45 CFR 160.103 (definitions of ``Individually identifiable
health information'' and ``Protected health information'').
---------------------------------------------------------------------------
On December 2, 2022, the Department published a notice of proposed
rulemaking (NPRM) proposing to modify part 2 consistent with the
requirements of section 3221.\7\ In the NPRM, the Department proposed
to: (1) enhance restrictions against the use and disclosure of part 2
records \8\ in civil, criminal, administrative, and legislative
proceedings; (2) provide for civil enforcement authority, including the
imposition of civil money penalties (CMPs); (3) modify consent for uses
and disclosures of part 2 records for treatment, payment, and health
care operations (TPO) purposes; (4) impose breach notification
obligations; (5) incorporate some definitions from the HIPAA
regulations into part 2; (6) provide new patient rights to request
restrictions on uses and disclosures and obtain an accounting of
disclosures made with consent; (7) add a permission to disclose
de-identified records to public health authorities; and (8) address
concerns about potential unintended consequences for government
agencies that investigate part 2 programs due to the change in
enforcement authority and penalties for violations of part 2.
---------------------------------------------------------------------------
\7\ 87 FR 74216 (Dec. 2, 2022). The Department also proposed
modifications to the HIPAA Notice of Privacy Practices (NPP) in
January 2021 and April 2023. See Proposed Modifications to the HIPAA
Privacy Rule to Support, and Remove Barriers to, Coordinated Care
and Individual Engagement, 86 FR 6446 (Jan. 21, 2021) and HIPAA
Privacy Rule To Support Reproductive Health Care Privacy 88 FR 23506
(Apr. 17, 2023).
\8\ Within this rule the terms records and part 2 records are
used interchangeably to refer to information subject to part 2.
---------------------------------------------------------------------------
The 60-day public comment period for the proposed rule closed on
January 31, 2023, and the Department received approximately 220
comments in response to its proposal.\9\ After considering the public
comments, the Department is issuing this final rule that adopts many of
the proposals set forth
in the NPRM, with certain modifications based on the input received.
This final rule aligns certain part 2 requirements more closely with
requirements of the HIPAA regulations to improve the ability of
entities that are subject to part 2 to use and disclose part 2 records
and make other changes to part 2, as described in this preamble. We
believe this final rule implements the modifications required by the
CARES Act amendments to 42 U.S.C. 290dd-2 and will decrease burdens on
patients and providers, improve coordination of care and access to care
and treatment, and protect the confidentiality of treatment records.
---------------------------------------------------------------------------
\9\ The public comments are available at https://www.regulations.gov/docket/HHS-OCR-2022-0018/comments.
---------------------------------------------------------------------------
The provisions of the proposed rule and the public comments
received that were within the scope of the proposed rule are described
in more detail below in sections III and IV.
B. Severability
In this final rule, we adopt modifications to 42 CFR part 2 that
support a unified scheme of privacy protections for part 2 records.
While the unity and comprehensiveness of this scheme maximizes its
utility, we clarify that its constituent elements operate independently
to protect patient privacy. Were a provision of this regulation stayed
or invalidated by a reviewing court, the provisions that remain in
effect would continue to provide vital patient privacy protections. For
example, the essential part 2 provisions concerning such issues as
restrictions on use of part 2 records in criminal, civil, and
administrative proceedings and written consent requirements would
remain in effect even if certain other provisions, such as the
limitation on civil or criminal liability in Sec. 2.3(b), were no
longer in effect. Similarly, the provisions regulating different forms
of conduct under part 2 (e.g., use, disclosure, consent requirements)
each provide distinct benefits for patient privacy. Thus, we consider
the provisions adopted in this final rule to be severable, both
internally within this final rule and from the other provisions in part
2, and the Department's intent is to preserve the rule in its entirety,
and each independent provision of the rule, to the fullest extent
possible.
Accordingly, any provision of 42 CFR part 2 that is held to be
invalid or unenforceable by its terms, or as applied to any person or
circumstance, should be construed so as to give maximum effect to the
provision permitted by law, unless such holding is one of utter
invalidity or unenforceability, in which event the provision is
intended to be severable from this part and not affect the remainder
thereof or the application of the provision to other persons not
similarly situated or to other dissimilar circumstances.
C. Summary of the Major Provisions
After consideration of the public comments received in response to
the NPRM, the Department is issuing this final rule as follows: \10\
---------------------------------------------------------------------------
\10\ Additional revisions are not listed here because they are
not considered major. Generally, the proposals not listed make
non-substantive changes. These proposals are reviewable in section IV
and the amendatory language in the last section of the final rule
and include proposals to modify Sec. 2.17 (Undercover agents and
informants); Sec. 2.20 (Relationship to state laws); Sec. 2.21
(Relationship to Federal statutes protecting research subjects
against compulsory disclosure of their identity); and Sec. 2.34
(Uses and Disclosures to prevent multiple enrollments).
---------------------------------------------------------------------------
1. Section 2.1--Statutory Authority for Confidentiality of Substance
Use Disorder Patient Records
Finalizes Sec. 2.1 to more closely reflect the authority granted
in 42 U.S.C. 290dd-2(g), including with respect to court orders
authorizing the disclosure of records under 42 U.S.C. 290dd-2(b)(2)(C).
2. Section 2.2--Purpose and Effect
Finalizes paragraph (b) of Sec. 2.2 to compel disclosures to the
Secretary \11\ that are necessary for enforcement of this rule, using
language adapted from the HIPAA Privacy Rule at 45 CFR
164.502(a)(2)(ii). Finalizes a new paragraph (b)(3) that prohibits any
limits on a patient's right to request restrictions on use of records
for TPO or a covered entity's \12\ choice to obtain consent to use or
disclose records for TPO purposes as provided in the HIPAA Privacy
Rule. References ``use and disclosure'' in Sec. 2.2(a) and (b).
Removes reference to criminal penalty and finalizes new paragraph
(b)(3).
---------------------------------------------------------------------------
\11\ Unless otherwise stated, ``Secretary'' as used in this rule
refers to the Secretary of HHS.
\12\ Covered entities are health care providers who transmit
health information electronically in connection with any transaction
for which the Department has adopted an electronic transaction
standard, health plans, and health care clearinghouses. See 45 CFR
160.103 (definition of ``Covered entity'').
---------------------------------------------------------------------------
3. Section 2.3--Civil and Criminal Penalties for Violations
Finalizes the heading of this section as above. This section as
finalized now references the HIPAA enforcement authorities in the
Social Security Act at sections 1176 (civil enforcement, including the
culpability tiers established by the Health Information Technology for
Economic and Clinical Health (HITECH) Act of 2009) and 1177 (criminal
penalties),\13\ as implemented in the HIPAA Enforcement Rule.\14\
Paragraph (b) includes a limitation on civil or criminal liability
(``safe harbor'') under part 2 for investigative agencies that act with
reasonable diligence before making a demand for records in the course
of an investigation or prosecution of a part 2 program or person
holding the record, provided that certain conditions are met.\15\
Further modifies the ``reasonable diligence'' steps to mean taking all
of the following actions: searching for the practice or provider among
the SUD treatment facilities in SAMHSA's online treatment locator;
searching in a similar state database of treatment facilities where
available; checking a practice or program's website, where available,
or physical location; viewing the entity's Patient Notice or HIPAA NPP
if it is available; and taking all these steps within no more than 60
days before requesting records or placing an undercover agent or
informant. Updates language referring to enforcement, now set forth in
paragraph (c).
---------------------------------------------------------------------------
\13\ See Public Law 111-5, 123 Stat. 226 (Feb. 17, 2009).
Section 13410 of the HITECH Act (codified at 42 U.S.C. 17939)
amended sections 1176 and 1177 of the Social Security Act (codified
at 42 U.S.C. 1320d-5 and 1320d-6) to add civil and criminal penalty
tiers for violations of the HIPAA Administrative Simplification
provisions.
\14\ See 45 CFR part 160 subparts C, D, and E.
\15\ Although this provision is not expressly required by the
CARES Act, it falls within the Department's general rulemaking
authority in 42 U.S.C. 290dd-2(g), and is needed to address the
logical consequences of the changes required by sec. 3221.
---------------------------------------------------------------------------
4. Section 2.4--Complaints of Noncompliance
Modifies the heading to refer to ``Complaints of noncompliance.''
Finalizes inclusion of requirements consistent with those applicable to
HIPAA complaints under 45 CFR 164.530(d), (g), and (h), including: a
requirement for a part 2 program to establish a process to receive
complaints. Adds a new provision permitting patients to file complaints
with the Secretary in the same manner as under 45 CFR 160.306.
Finalizes a prohibition against taking adverse action against patients
who file complaints and a prohibition against requiring patients to
waive the right to file a complaint as a condition of providing
treatment, enrollment, payment, or eligibility for services.
5. Section 2.11--Definitions
Finalizes definitions of the following terms within this part
consistent with the NPRM: ``Breach,'' ``Business associate,'' ``Covered
entity,'' ``Health
care operations,'' ``HIPAA,'' ``HIPAA regulations,'' ``Informant,''
``Part 2 program director,'' ``Program,'' ``Payment,'' ``Person,''
``Public health authority,'' ``Records,'' ``Substance use disorder
(SUD),'' ``Third-party payer,'' ``Treating provider relationship,''
``Treatment,'' ``Unsecured protected health information,'' ``Unsecured
record,'' and ``Use.'' Adds a definition of ``Substance Use Disorder
(SUD) counseling notes'' on which input was requested in the NPRM. Adds
new definitions of ``Lawful holder'' and ``Personal representative.''
Adopts a revised definition of ``Intermediary,'' but with an exclusion
for part 2 programs, covered entities, and business associates.
Modifies definition of ``Investigative agency'' to reference state,
local, territorial, and Tribal investigative agencies. Modifies
definition of ``Patient identifying information'' to ensure consistency
with the de-identification standard incorporated into this final rule.
Modifies the proposed definition of ``Qualified Service Organization''
(QSO) to expressly include business associates as QSOs where the QSO
meets the definition of business associate for a covered entity that is
also a part 2 program.
6. Section 2.12--Applicability
Replaces ``Armed Forces'' with ``Uniformed Services'' in paragraphs
(b)(1) and (c)(2) of Sec. 2.12. Incorporates four statutory examples
of restrictions on the use or disclosure of part 2 records to initiate
or substantiate any criminal charges against a patient or to conduct
any criminal investigation of a patient. Adds language to qualify the
term ``Third-party payer'' with the phrase ``as defined in this part.''
Specifies that a part 2 program, covered entity, or business associate
\16\ that receives records based on a single consent for all future
uses and disclosures for TPO is not required to segregate or segment
such records. Revises paragraph (e)(4)(i) to clarify when a diagnosis
is not covered by part 2.
---------------------------------------------------------------------------
\16\ A business associate is a person, other than a workforce
member, that performs certain functions or activities for or on
behalf of a covered entity, or that provides certain services to a
covered entity involving the disclosure of PHI to the person. See 45
CFR 160.103 (definition of ``Business associate'').
---------------------------------------------------------------------------
7. Section 2.13--Confidentiality Restrictions and Safeguards
Finalizes the redesignation of Sec. 2.13(d) requiring a list of
disclosures as new Sec. 2.24 and modifies the text for clarity.
8. Section 2.14--Minor Patients
Finalizes the change of the verb ``judges'' to ``determines'' to
describe a part 2 program director's evaluation and decision that a
minor lacks decision making capacity.
9. Section 2.15--Patients Who Lack Capacity and Deceased Patients
Finalizes changes proposed in the NPRM. Changes the heading as
above. Replaces outdated terminology and clarifies that paragraph (a)
of this section refers to an adjudication by a court of a patient's
lack of capacity to make health care decisions while paragraph (b)
refers to a patient's lack of capacity to make health care decisions
without court adjudication. Clarifies consent for uses and disclosures
of records by personal representatives for patients who lack capacity
to make health care decisions in paragraph (a) and deceased patients in
paragraph (b)(2).
10. Section 2.16--Security for Records and Notification of Breaches
Finalizes changes proposed in the NPRM. Changes the heading as
above. Finalizes the de-identification provision to align with the
HIPAA Privacy Rule standard at 45 CFR 164.514. Creates an exception to
the requirement that part 2 programs and lawful holders create policies
and procedures to secure records that applies to family, friends, and
other informal caregivers who are lawful holders as defined in this
regulation. Applies the HITECH Act breach notification provisions \17\
that are currently implemented in the HIPAA Breach Notification Rule to
breaches of records by part 2 programs. Modifies the exemption for
lawful holders by exempting them from Sec. 2.16(a) instead of only
paragraph (a)(1).
---------------------------------------------------------------------------
\17\ Section 13400 of the HITECH Act (codified at 42 U.S.C.
17921) defined the term ``Breach''. Section 13402 of the HITECH Act
(codified at 42 U.S.C. 17932) enacted breach notification
provisions, discussed in detail below.
---------------------------------------------------------------------------
11. Section 2.19--Disposition of Records by Discontinued Programs
Finalizes an exception to clarify that these provisions do not
apply to transfers, retrocessions, and reassumptions of part 2 programs
pursuant to the Indian Self-Determination and Education Assistance Act
(ISDEAA), to facilitate the responsibilities set forth in 25 U.S.C.
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA
regulations. Updates the language to refer to ``non-electronic''
records and include ``paper'' records as an example of non-electronic
records.
12. Section 2.22--Notice to Patients of Federal Confidentiality
Requirements
Finalizes proposed changes to requirements for notice to patients
of Federal confidentiality requirements (hereinafter, ``Patient
Notice'') to address protections required by 42 U.S.C. 290dd-2, as
amended by section 3221 of the CARES Act. Modifies the statement of a
patient's right to discuss the notice with a designated contact person
by permitting the part 2 program to list an office rather than naming a
person. Further modifies the list of patient rights to include the
following: (1) a right to a list of disclosures by an intermediary for
the past 3 years as provided in Sec. 2.24 (moved from the consent
requirements in Sec. 2.31); and (2) a right to elect not to receive
any fundraising communications to fundraise for the benefit of the part
2 program. Further modifies the fundraising provision by replacing the
proposed requirement to obtain patient consent with a requirement to
provide individuals with the opportunity to opt out of receiving
fundraising communications, which more closely aligns with the HIPAA
regulations. Clarifies that a court order authorizing use or disclosure
must be accompanied by a subpoena or similar legal mandate compelling
disclosure.
13. Section 2.23--Patient Access and Restrictions on Use and Disclosure
Finalizes the heading as above. Adds the term ``disclosure'' to the
heading and body of this section to clarify that information obtained
by patient access to their record may not be used or disclosed for
purposes of a criminal charge or criminal investigation.
14. Section 2.24--Requirements for Intermediaries
Finalizes the retitling of the redesignated section that is moved
from Sec. 2.13(d) as above to clarify the responsibilities of
recipients of records received under a consent with a general
designation (other than part 2 programs, covered entities, and business
associates), such as research institutions, accountable care
organizations (ACOs), and care management organizations.
15. Section 2.25--Accounting of Disclosures
Finalizes this new section to implement 42 U.S.C. 290dd-2(b)(1)(B),
as amended by section 3221 of the CARES Act, to add a right to an
accounting of all disclosures made with consent for up to three years
prior to the date the accounting is requested. A separate provision
applies to disclosures for TPO purposes made through an EHR. The
compliance date for Sec. 2.25 is tolled until the HIPAA Accounting of
Disclosures provision at 45 CFR 164.528 is revised to address
accounting for TPO disclosures made through an EHR.
16. Section 2.26--Right To Request Privacy Protection for Records
Finalizes this new section to implement 42 U.S.C. 290dd-2(b)(1)(B),
as amended by section 3221 of the CARES Act, to incorporate into
part 2 the rights set forth in the HIPAA Privacy Rule at 45 CFR
164.522, including: (1) a patient right to request restrictions on
disclosures of records otherwise permitted for TPO purposes, and (2) a
patient right to obtain restrictions on disclosures to health plans for
services paid in full by the patient.
17. Subpart C--Uses and Disclosures With Patient Consent
Finalizes change to the heading of subpart C as above to reflect
changes made to the provisions of this subpart related to the consent
to use and disclose part 2 records, consistent with 42 U.S.C.
290dd-2(b), as amended by section 3221(b) of the CARES Act.
18. Section 2.31--Consent Requirements
Finalizes the proposed alignment of the content requirements for
part 2 written consent with the content requirements for a valid HIPAA
authorization and clarifies how recipients may be designated in a
consent to use and disclose part 2 records for TPO. Further modifies
the rule by replacing the proposed requirement to obtain consent for
fundraising with an opportunity for the patient to opt out. Adds
consent provisions for uses and disclosures of SUD counseling notes,
and adds an express requirement for separate consent for use and
disclosure of records in civil, criminal, administrative, or
legislative proceedings.
19. Section 2.32--Notice and Copy of Consent To Accompany Disclosure
Further modifies the proposed heading to read as above by inserting
``and copy of consent''. Finalizes the proposed alignment of the
content requirements for the required notice that accompanies a
disclosure of records (hereinafter ``Notice to Accompany Disclosure'')
with the requirements of 42 U.S.C. 290dd-2(b), as amended by section
3221(b) of the CARES Act. Further modifies this section by creating a
new requirement that each disclosure made with the patient's written
consent must be accompanied by a copy of the consent or a clear
explanation of the scope of the consent provided.
20. Section 2.33--Uses and Disclosures Permitted With Written Consent
Changes the heading as proposed, to read as above. Aligns this
provision with the statutory authority in 42 U.S.C. 290dd-2(b)(1), as
amended by section 3221(b) of the CARES Act. Replaces the provisions
requiring consent for uses and disclosures for payment and certain
health care operations with permission to use and disclose records for
TPO with a single consent given once for all such future uses and
disclosures (``TPO consent'') as permitted by the HIPAA regulations,
until such time as the patient revokes the consent in writing.
Finalizes proposed redisclosure permissions for three categories of
recipients of part 2 records pursuant to a written consent with some
additional modifications to limit the ability to redisclose part 2
records in accordance with HIPAA to covered entities and business
associates, as follows: (1) permits a covered entity or business
associate that receives part 2 records pursuant to a TPO consent to
redisclose the records in accordance with the HIPAA regulations, except
for certain proceedings against the patient; \18\ (2) permits a part 2
program that is not a covered entity to redisclose records received
pursuant to a TPO consent according to the consent; and (3) permits a
lawful holder that is not a covered entity or business associate to
redisclose part 2 records for payment and health care operations to its
contractors, subcontractors, or legal representatives as needed to
carry out the activities specified in the consent. Finalizes the
contracting requirements in paragraph (c) to exclude covered entities
and business associates because they are subject to HIPAA business
associate agreement requirements.
---------------------------------------------------------------------------
\18\ See 42 U.S.C. 290dd-2(b)(1)(B) and (c).
---------------------------------------------------------------------------
21. Section 2.35--Disclosures to Elements of the Criminal Justice
System Which Have Referred Patients
Finalizes the proposals to replace ``individuals'' with ``persons''
and clarifies that permitted redisclosures of information are from part
2 records.
22. Subpart D--Uses and Disclosures Without Patient Consent
Finalizes the proposal to change the heading of subpart D to
reflect changes made to the provisions of this subpart related to the
consent to use and disclose part 2 records, consistent with 42 U.S.C.
290dd-2 as amended by the CARES Act.
23. Section 2.51--Medical Emergencies
Finalizes the proposal to replace the term ``individual'' with the
term ``person'' in Sec. 2.51(c)(2).
24. Section 2.52--Scientific Research
Finalizes the proposed modifications to the heading as above to
reflect statutory language. The final rule further aligns with the
HIPAA Privacy Rule by replacing the requirements to render part 2 data
in research reports non-identifiable with the HIPAA Privacy Rule's de-
identification standard in 45 CFR 164.514.
25. Section 2.53--Management Audits, Financial Audits, and Program
Evaluation
Finalizes changes as proposed. Modifies the heading to reflect
statutory language. To support implementation of 42 U.S.C. 290dd-
2(b)(1), as amended by section 3221(b) of the CARES Act, adds a
provision to acknowledge the permission to use and disclose records for
health care operations purposes based on written consent of the patient
and the permission to redisclose such records as permitted by the HIPAA
Privacy Rule if the recipient is a part 2 program, covered entity, or
business associate.
26. Section 2.54--Disclosures for Public Health
Finalizes the proposed addition of this section to implement 42
U.S.C. 290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES
Act, to permit the disclosure of records without patient consent to
public health authorities provided that the records disclosed are de-
identified according to the standards established in 45 CFR
164.514.
27. Subpart E--Court Orders Authorizing Use and Disclosure
Finalizes proposed modifications to the heading of subpart E as
above to reflect changes made to the provisions of this subpart related
to the uses and disclosure of part 2 records in proceedings consistent
with 42 U.S.C. 290dd-2(b) and (2)(c), as amended by sections 3221(b)
and (e) of the CARES Act.
28. Section 2.62--Order Not Applicable to Records Disclosed Without
Consent to Researchers, Auditors, and Evaluators
Finalizes the proposed replacement of the term ``qualified
personnel'' with a
[[Page 12477]]
reference to the criteria that define such persons and adds a reference
to Sec. 2.53 as a technical edit.
29. Section 2.63--Confidential Communications
Finalizes proposed changes to paragraph (a)(3) of Sec. 2.63 to
expressly include civil, criminal, administrative, and legislative
proceedings as forums where the requirements for a court order under
this part would apply, to implement 42 U.S.C. 290dd-2(c), as amended by
section 3221(c) of the CARES Act.
30. Section 2.64--Procedures and Criteria for Orders Authorizing Uses
and Disclosures for Noncriminal Purposes
Finalizes proposed changes that expand the types of forums where
restrictions on use and disclosure of records in civil proceedings
against patients apply \19\ to expressly include administrative and
legislative proceedings and also restricts the use of testimony
conveying information in a record in civil proceedings against
patients, absent consent or a court order.
---------------------------------------------------------------------------
\19\ See 42 CFR part 2, subpart E.
---------------------------------------------------------------------------
31. Section 2.65--Procedures and Criteria for Orders Authorizing Use
and Disclosure of Records To Criminally Investigate or Prosecute
Patients
Finalizes changes as proposed. Modifies the heading as above.
Expands the types of forums where restrictions on uses and disclosure
of records in criminal proceedings against patients apply \20\ to
expressly include administrative and legislative proceedings and also
restricts the use of testimony conveying information in a part 2 record
in criminal proceedings against patients, absent consent or a court
order.
---------------------------------------------------------------------------
\20\ Id.
---------------------------------------------------------------------------
32. Section 2.66--Procedures and Criteria for Orders Authorizing Use
and Disclosure of Records To Investigate or Prosecute a Part 2 Program
or the Person Holding the Records
Finalizes changes as proposed and adds new changes. Modifies the
heading as above. Finalizes requirements for investigative agencies to
follow in the event that they discover in good faith that they received
part 2 records during an investigation or prosecution of a part 2
program or the person holding the records, in order to seek a court
order as required under Sec. 2.66. Adds a further modification to
provide that information from records obtained in violation of this
part cannot be used in an application for a court order to obtain such
records.
33. Section 2.67--Orders Authorizing the Use of Undercover Agents and
Informants To Investigate Employees or Agents of a Part 2 Program in
Connection With a Criminal Matter
Finalizes proposed criteria for issuance of a court order in
instances where an application is submitted after the placement of an
undercover agent or informant has already occurred, requiring an
investigative agency to satisfy the conditions at Sec. 2.3(b). Adds a
further modification to provide that information from records obtained
in violation of this part cannot be used in an application for a court
order to obtain such records.
34. Section 2.68--Report to the Secretary
Finalizes the proposed requirement for investigative agencies to
file annual reports about the instances in which they applied for a
court order after receipt of part 2 records or placement of an
undercover agent or informant as provided in Sec. Sec. 2.66(a)(3) and
2.67(c)(4).
35. General Changes To Use and Disclosure
Finalizes proposed changes to re-order ``disclosure and use'' to
``use and disclosure'' throughout the regulation consistent with their
usage in the HIPAA Privacy Rule which generally regulates the ``use and
disclosure'' of PHI and relies on the phrase as a term of art.\21\
Inserts ``use'' or ``disclose'' to reflect the scope of activity that
is the subject of the regulatory provision.
---------------------------------------------------------------------------
\21\ See, e.g., 45 CFR 164.502, Uses and disclosures of
protected health information: General rules.
---------------------------------------------------------------------------
D. Summary of the Costs and Benefits of the Major Provisions
This final rule is anticipated to have an annual effect on the
economy of $12,720,000 in the first year of the rule, followed by net
savings in years two through five, resulting in overall net cost
savings of $8,445,706 over five years. The Office of Management and
Budget (OMB) has determined that this proposed rule is a significant
regulatory action under section 3(f) of E.O. 12866, but not under
section 3(f)(1).
Accordingly, the Department has prepared a Regulatory Impact
Analysis (RIA) that presents the estimated costs and benefits of the
rule.
II. Statutory and Regulatory Background
Confidentiality of SUD Records
Congress enacted the first Federal confidentiality protections for
SUD records in section 333 of the Comprehensive Alcohol Abuse and
Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970.\22\
This statute authorized ``persons engaged in research on, or treatment
with respect to, alcohol abuse and alcoholism to protect the privacy of
individuals who [were] the subject of such research or treatment'' from
persons not connected with the conduct of the research or treatment by
withholding identifying information.
---------------------------------------------------------------------------
\22\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (Dec. 31,
1970) (codified at 42 U.S.C. 2688h).
---------------------------------------------------------------------------
Section 408 of the Drug Abuse Office and Treatment Act of 1972 \23\
applied confidentiality requirements to records relating to drug abuse
prevention authorized or assisted under any provision of the Act.
Section 408 permitted disclosure, with a patient's written consent, for
diagnosis or treatment by medical personnel and to government personnel
for obtaining patient benefits to which the patient is entitled. The
1972 Act also established exceptions to the consent requirement to
permit disclosures for bona fide medical emergencies; to qualified
personnel for conducting certain activities, such as scientific
research or financial audit or program evaluation, as long as the
patient is not identified in any reports; and as authorized by court
order granted after application showing good cause.\24\
---------------------------------------------------------------------------
\23\ See sec. 408, Public Law 92-255, 86 Stat. 65 (Mar. 21,
1972) (codified at 21 U.S.C. 1175). Section 408 also prohibited the
use of a covered record for use or initiation or substantiation of
criminal charges against a patient or investigation of a patient.
Section 408 provided for a fine in the amount of $500 for a first
offense violation, and not more than $5,000 for each subsequent
offense.
\24\ Id.
---------------------------------------------------------------------------
The Comprehensive Alcohol Abuse and Alcoholism Prevention,
Treatment, and Rehabilitation Act Amendments of 1974 \25\ expanded the
types of records protected by confidentiality restrictions to include
records relating to ``alcoholism,'' ``alcohol abuse,'' and ``drug
abuse'' maintained in connection with any program or activity
conducted,
[[Page 12478]]
regulated, or directly or indirectly federally assisted by any United
States agency. The 1974 Act also permitted the disclosure of records
based on prior written patient consent only to the extent such
disclosures were allowed under Federal regulations. Additionally, the
1974 Act excluded the interchange of records within the Armed Forces or
components of the U.S. Department of Veterans Affairs (VA), then known
as the Veterans' Administration, from the confidentiality
restrictions.\26\
---------------------------------------------------------------------------
\25\ See sec. 101, title I, Public Law 93-282, 88 Stat. 126 (May
14, 1974) (codified at 42 U.S.C. 4541 note), providing that: ``This
title [enacting this section and sections 4542, 4553, 4576, and 4577
of this title, amending sections 242a, 4571, 4572, 4573, 4581, and
4582 of this title, and enacting provisions set out as notes under
sections 4581 and 4582 of this title] may be cited as the
`Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment,
and Rehabilitation Act Amendments of 1974'.''
\26\ See sec. 408, title I, Public Law 92-255, 86 Stat. 79 (Mar.
21, 1972) (originally codified at 21 U.S.C. 1175). See 21 U.S.C.
1175 note for complete statutory history.
---------------------------------------------------------------------------
In 1992, section 131 of the Alcohol, Drug Abuse, and Mental Health
Administration Reorganization Act (ADAMHA Reorganization Act) \27\
added section 543, Confidentiality of Records, to the Public Health
Service Act (PHSA) \28\ (``part 2 statute''), which narrowed the
grounds upon which a court could grant an order permitting disclosure
of such records from ``good cause'' (i.e., based on weighing the public
interest in the need for disclosure against the injury to the patient,
physician-patient relationship, and treatment services) \29\ to ``the
need to avert a substantial risk of death or serious bodily harm.''
\30\ Congress also established criminal penalties for part 2 violations
under title 18 of the United States Code, Crimes and Criminal
Procedure.\31\ Finally, section 543 granted broad authority to the
Secretary of HHS to prescribe regulations to carry out the purposes of
section 543 and provide for safeguards and procedures, including
criteria for the issuance and scope of court orders to authorize
disclosure of SUD records, ``as in the judgment of the Secretary are
necessary or proper to effectuate the purposes of this section, to
prevent circumvention or evasion thereof, or to facilitate compliance
therewith.'' \32\
---------------------------------------------------------------------------
\27\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10,
1992) (codified at 42 U.S.C. 201 note).
\28\ Codified at 42 U.S.C. 290dd-2.
\29\ See sec. 333, Public Law 91-616, 84 Stat. 1853 (Dec. 31,
1970).
\30\ See sec. 131, Public Law 102-321, 106 Stat. 323 (July 10,
1992) (codified at 42 U.S.C. 201 note).
\31\ Id., adding sec. 543(b)(2)(C) to the PHSA.
\32\ Id., adding sec. 543(g) to the PHSA.
---------------------------------------------------------------------------
In 1975, the Department promulgated the first Federal regulations
implementing statutory SUD confidentiality provisions at 42 CFR part
2.\33\ In 1987, the Department published a final rule making
substantive changes to the scope of part 2 to clarify the regulations
and ease the burden of compliance by part 2 programs within the
parameters of the existing statutory restrictions.\34\ After the 1992
enactment of the ADAMHA Reorganization Act, the Department later
clarified the definition of ``program'' in a 1995 final rule to narrow
the scope of part 2 regulations pertaining to medical facilities to
cover identified units within general medical facilities which hold
themselves out as providing, and provide, SUD treatment, and medical
personnel or other staff in a general medical care facility whose
primary function is the provision of SUD diagnosis, treatment, or
referral for treatment and who are identified as such providers.\35\
---------------------------------------------------------------------------
\33\ See 40 FR 27802 (July 1, 1975).
\34\ See 52 FR 21796 (June 9, 1987). See also Notice of Decision
to Develop Regulations, 45 FR 53 (Jan. 2, 1980) and (Aug. 25, 1983).
\35\ See 60 FR 22296 (May 5, 1995). See also 59 FR 42561 (Aug.
18, 1994) and 59 FR 45063 (Aug. 31, 1994). The ambiguity of the
definition of ``program'' was identified in United States v. Eide,
875 F. 2d 1429 (9th Cir. 1989) where the court held that the general
emergency room is a ``program'' as defined by the regulations.
---------------------------------------------------------------------------
HIPAA and the HITECH Act
In 1996, Congress enacted HIPAA,\36\ which included Administrative
Simplification provisions requiring the establishment of national
standards \37\ to protect the privacy and security of individuals' PHI
and establishing civil money and criminal penalties for violations of
the requirements, among other provisions.\38\ The Administrative
Simplification provisions and implementing regulations apply to covered
entities, which are health care providers who conduct covered health
care transactions electronically, health plans, and health care
clearinghouses.\39\ Certain provisions of the HIPAA regulations also
apply directly to ``business associates'' of covered entities.\40\
---------------------------------------------------------------------------
\36\ See Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996).
\37\ See the Administrative Simplification provisions of title
II, subtitle F, of HIPAA, supra note 4. See also sec. 264 of HIPAA
(codified at 42 U.S.C. 1320d-2 note). See also, Centers for Medicare
& Medicaid Services, ``HIPAA and Administrative Simplification''
(Sept. 6, 2023), https://www.cms.gov/about-cms/what-we-do/administrative-simplification/hipaa/statutes-regulations.
\38\ See 42 U.S.C. 1320d-1-1320d-9. With respect to privacy
standards, Congress directed the Department to ``address at least
the following: (1) The rights that an individual who is a subject of
individually identifiable health information should have. (2) The
procedures that should be established for the exercise of such
rights. (3) The uses and disclosures of such information that should
be authorized or required.'' 42 U.S.C. 1320d-2 note.
\39\ See 42 U.S.C. 1320d-1 (applying Administrative
Simplification provisions to covered entities).
\40\ See ``Office for Civil Rights Fact Sheet on Direct
Liability of Business Associates under HIPAA'' (May 2019) for a
comprehensive list of requirements in the HIPAA regulations that
apply directly to business associates, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
---------------------------------------------------------------------------
The HIPAA Privacy Rule, including provisions implemented as a
result of the HITECH Act,\41\ regulates the use and disclosure of PHI
by covered entities and business associates, requires covered entities
to have safeguards in place to protect the privacy of PHI, and requires
covered entities to obtain the written authorization of an individual
to use and disclose the individual's PHI unless the use or disclosure
is otherwise required or permitted by the HIPAA Privacy Rule.\42\ The
HIPAA Privacy Rule includes several use and disclosure permissions that
are relevant to this NPRM, including the permissions for covered
entities to use and disclose PHI without written authorization from an
individual for TPO; \43\ to public health authorities for public health
purposes; \44\ and for research in the form of a limited data set \45\
or pursuant to a waiver of authorization by a Privacy Board or
Institutional Review Board.\46\ The HIPAA Privacy Rule also establishes
the rights of individuals with respect to their PHI, including the
rights to: receive adequate notice of a covered entity's privacy
practices; request restrictions of certain uses and disclosures; access
(i.e., to inspect and obtain a copy of) their PHI; request an amendment
of their PHI; and receive an accounting of certain disclosures of their
PHI.\47\ Finally, the HIPAA Privacy Rule specifies standards for de-
identification of PHI such that, when implemented, the information is
no longer individually identifiable health
[[Page 12479]]
information subject to the HIPAA regulations.\48\
---------------------------------------------------------------------------
\41\ The HITECH Act extended the applicability of certain HIPAA
Privacy Rule requirements and all of the HIPAA Security Rule
requirements to the business associates of covered entities;
required HIPAA covered entities and business associates to provide
for notification of breaches of unsecured PHI (implemented by the
HIPAA Breach Notification Rule); established new limitations on the
use and disclosure of PHI for marketing and fundraising purposes;
prohibited the sale of PHI; required consideration of whether a
limited data set can serve as the minimum necessary amount of
information for uses and disclosures of PHI; and expanded
individuals' rights to access electronic copies of their PHI in an
electronic health record (EHR), to receive an accounting of
disclosures of their PHI with respect to electronic PHI (ePHI), and
to request restrictions on certain disclosures of PHI to health
plans. In addition, subtitle D strengthened and expanded HIPAA's
enforcement provisions. See subtitle D of title XIII of the HITECH
Act, entitled ``Privacy'', for all provisions (codified in title 42
of U.S.C.).
\42\ See 45 CFR 164.502(a).
\43\ See 45 CFR 164.506.
\44\ See 45 CFR 164.512(b).
\45\ See 45 CFR 164.514(e)(1) through (4).
\46\ See 45 CFR 164.512(i).
\47\ See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
\48\ See 45 CFR 164.514(a) through (c).
---------------------------------------------------------------------------
The HIPAA Security Rule, codified at 45 CFR parts 160 and 164,
subparts A and C, requires covered entities and their business
associates to implement administrative, physical, and technical
safeguards to protect electronic PHI (ePHI). Specifically, covered
entities and business associates must ensure the confidentiality,
integrity, and availability of all ePHI they create, receive, maintain,
or transmit; \49\ protect against reasonably anticipated threats or
hazards to the security or integrity of the information \50\ and
reasonably anticipated impermissible uses or disclosures; \51\ and
ensure compliance by their workforce.\52\
---------------------------------------------------------------------------
\49\ See 45 CFR 164.306(a)(1).
\50\ See 45 CFR 164.306(a)(2).
\51\ See 45 CFR 164.306(a)(3).
\52\ See 45 CFR 164.306(a)(4).
---------------------------------------------------------------------------
The HIPAA Breach Notification Rule, codified at 45 CFR parts 160
and 164, subparts A and D, implements HITECH Act requirements \53\ for
covered entities to provide notification to affected individuals, the
Secretary, and in some cases the media, following a ``breach'' of
unsecured PHI. The HIPAA Breach Notification Rule also requires a
covered entity's business associate that experiences a breach of
unsecured PHI to notify the covered entity of the breach. A breach is
the acquisition, access, use, or disclosure of PHI in a manner not
permitted by the HIPAA Privacy Rule that compromises the security or
privacy of ``unsecured'' PHI, subject to three exceptions: \54\ (1) the
unintentional acquisition, access, or use of PHI by a workforce member
or person acting under the authority of a covered entity or business
associate, if such acquisition, access, or use was made in good faith
and within the scope of authority; (2) the inadvertent disclosure of
PHI by a person authorized to access PHI at a covered entity or
business associate to another person authorized to access PHI at the
covered entity or business associate, or organized health care
arrangement in which the covered entity participates; and (3) the
covered entity or business associate making the disclosure has a good
faith belief that the unauthorized person to whom the impermissible
disclosure was made would not reasonably have been able to retain the
information.
---------------------------------------------------------------------------
\53\ See sec. 13402 of the HITECH Act (codified at 42 U.S.C.
17932).
\54\ See 45 CFR 164.402, ``breach'', paragraph (1).
---------------------------------------------------------------------------
The HIPAA Breach Notification Rule provides that a covered entity
may rebut the presumption that such impermissible use or disclosure
constituted a breach by demonstrating that there is a low probability
that PHI has been compromised based on a risk assessment of at least
four required factors: (1) the nature and extent of the PHI involved,
including the types of identifiers and the likelihood of re-
identification; (2) the unauthorized person who used the PHI or to whom
the disclosure was made; (3) whether the PHI was actually acquired or
viewed; and (4) the extent to which the risk to the PHI has been
mitigated.\55\
---------------------------------------------------------------------------
\55\ Id. paragraph (2).
---------------------------------------------------------------------------
The HIPAA Enforcement Rule, codified at 45 CFR part 160 subparts C,
D, and E, includes standards and procedures relating to investigations
into complaints about noncompliance with the HIPAA regulation,
compliance reviews, the imposition of CMPs, and procedures for
hearings. The HIPAA Enforcement Rule states generally that the
Secretary will impose a CMP upon a covered entity or business associate
if the Secretary determines that the covered entity or business
associate violated a HIPAA Administrative Simplification provision.\56\
However, the HIPAA Enforcement Rule also provides for informal
resolution of potential noncompliance,\57\ which occurs through
voluntary compliance by the regulated entity, corrective action, or a
resolution agreement with the payment of a settlement amount to HHS
Office for Civil Rights (OCR).
---------------------------------------------------------------------------
\56\ Criminal penalties may be imposed by the Department of
Justice for certain violations under 42 U.S.C. 1320d-6.
\57\ See 45 CFR 160.304. See also 45 CFR 160.416 and 160.514.
---------------------------------------------------------------------------
The Department promulgated or modified key provisions of the HIPAA
regulations as part of the ``Modifications to the HIPAA Privacy,
Security, Enforcement, and Breach Notification Rules Under the Health
Information Technology for Economic and Clinical Health Act and the
Genetic Information Nondiscrimination Act, and Other Modifications to
the HIPAA Rules'' final rule (``2013 Omnibus Final Rule''),\58\ in
which the Department implemented applicable provisions of the HITECH
Act, among other modifications. For example, the Department
strengthened privacy and security protections for PHI, finalized breach
notification requirements, and enhanced enforcement by increasing
potential CMPs for violations, including establishing tiers of
penalties based on a covered entity's or business associate's level of
culpability.\59\
---------------------------------------------------------------------------
\58\ 78 FR 5566 (Jan. 25, 2013).
\59\ Id.
---------------------------------------------------------------------------
The Secretary of HHS delegated authority to OCR to make decisions
regarding the implementation and interpretation of the HIPAA Privacy,
Security, Breach Notification, and Enforcement regulations.\60\
---------------------------------------------------------------------------
\60\ See U.S. Dep't of Health and Human Servs., Office of the
Secretary, Office for Civil Rights; Statement of Delegation of
Authority, 65 FR 82381 (Dec. 28, 2000); U.S. Dep't of Health and
Human Servs., Office of the Secretary, Office for Civil Rights;
Delegation of Authority, 74 FR 38630 (Aug. 4, 2009); U.S. Dep't of
Health and Human Servs., Office of the Secretary, Statement of
Organization, Functions and Delegations of Authority, 81 FR 95622
(Dec. 28, 2016).
---------------------------------------------------------------------------
Earlier Efforts To Align Part 2 With the HIPAA Regulations
Prior to amendment by the CARES Act, 42 U.S.C. 290dd-2 provided
that records could be disclosed only with the patient's prior written
consent, with limited exceptions.\61\ The exceptions related to records
maintained by VA or the Armed Forces and, for example, disclosures for
continuity of care in emergency situations or between personnel who
have a need for the information in connection with their duties that
arise out of the provision of the diagnosis, treatment, or referral for
treatment of patients with SUD.\62\ The exceptions did not include, for
example, a disclosure of part 2 records by a part 2 program to a third-
party medical provider to treat a condition other than SUD absent an
emergency situation. Therefore, the current part 2 regulations require
prior written consent of the patient for most uses and disclosures of
part 2 records, including for non-emergency treatment purposes. In
contrast, the HIPAA Privacy Rule permits covered entities to use and
disclose an individual's PHI for TPO without the individual's HIPAA
authorization.\63\
---------------------------------------------------------------------------
\61\ The limited exceptions are codified in current regulation
at 42 CFR 2.12(c) and 42 CFR part 2, subpart D.
\62\ See 42 CFR 2.12(c)(3). These disclosures are limited to
communications within a part 2 program or between a part 2 program
and an entity having direct administrative control over the part 2
program.
\63\ See 45 CFR 164.501.
---------------------------------------------------------------------------
The Department has modified and clarified part 2 several times to
align certain provisions more closely with the HIPAA Privacy Rule,\64\
address changes in health information technology (health IT), and
provide greater flexibility for disclosures of patient identifying
information within the health care system, while continuing to protect
the confidentiality of part 2 records.\65\ For example, the Department
clarified in a 2017 final rule that the definition of ``patient
identifying information'' in
[[Page 12480]]
part 2 includes the individual identifiers listed in the HIPAA Privacy
Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not
already listed in the part 2 definition.\66\ The 2017 final rule also
revised Sec. 2.16 (Security for Records) to more closely align with
HIPAA and permitted the use of a consent that generally designates the
recipient of records rather than naming a specific person.\67\
---------------------------------------------------------------------------
\64\ See 85 FR 42986 (July 15, 2020) and 83 FR 239 (Jan. 3,
2018).
\65\ 82 FR 6052 (Jan. 18, 2017). See also 81 FR 6988 (Feb. 9,
2016).
\66\ See 82 FR 6052, 6064.
\67\ 82 FR 6052, 6054.
---------------------------------------------------------------------------
In 2018, the Department issued a final rule clarifying the
circumstances under which lawful holders and their legal
representatives, contractors, and subcontractors could use and disclose
part 2 records related to payment and health care operations in Sec.
2.33(b) and for audit or evaluation-related purposes. The Department
clarified that previously listed types of payment and health care
operations uses and disclosures under the lawful holder permission in
Sec. 2.33(b) were illustrative, and not definitive so as to be
included in regulatory text.\68\ The Department also acknowledged the
similarity of the list of activities to those included in the HIPAA
Privacy Rule definition of ``health care operations'' but declined to
fully incorporate that definition into part 2.\69\ The Department
specifically excluded care coordination and case management from the
list of payment and health care operations activities permitted without
prior written consent of the patient under part 2 based on a
determination that these activities are akin to treatment.
---------------------------------------------------------------------------
\68\ See 83 FR 239, 241-242.
\69\ Id. at 242.
---------------------------------------------------------------------------
In 2018 the Department also codified language for an abbreviated
Notice to Accompany Disclosure of part 2 records.\70\ Although the rule
retained the requirement that a patient must consent before a lawful
holder may redisclose part 2 records for treatment,\71\ the Department
explained that the purpose of the part 2 regulations is to ensure that
a patient receiving treatment for an SUD is not made more vulnerable by
reason of the availability of their patient records than an individual
with an SUD who does not seek treatment.\72\ The Department
simultaneously recognized the legitimate needs of lawful holders to
obtain payment and conduct health care operations as long as the core
protections of part 2 are maintained.\73\
---------------------------------------------------------------------------
\70\ 83 FR 239, 240. See also 82 FR 5485, 5487 (Jan. 18, 2017).
\71\ 83 FR 239, 242.
\72\ 82 FR 6052, 6053.
\73\ 83 FR 239, 242.
---------------------------------------------------------------------------
In a final rule published July 15, 2020,\74\ the Department
retained the requirement that programs obtain prior written consent
before disclosing part 2 records in the first instance (outside of
recognized exceptions). At the same time the Department reversed its
previous exclusion of care coordination and case management from the
list of payment and health care operations in Sec. 2.33(b) for which a
lawful holder may make further disclosures to its contractors,
subcontractors, and legal representatives.\75\ The Department based
this change on comments received on the proposed rule in 2019 and on
section 3221(d)(4) of the CARES Act, which incorporated the HIPAA
Privacy Rule definition of ``health care operations,'' including care
coordination and case management activities,\76\ into paragraph (k)(4)
of 42 U.S.C. 290dd-2.\77\ The July 2020 final rule also modified the
consent requirements in Sec. 2.31 by establishing special requirements
for written consent \78\ when the recipient of part 2 records is a
health information exchange (HIE) (as defined in 45 CFR 171.102 \79\).
In this final rule, the Department now finalizes a definition of the
term ``intermediary'' \80\ to further facilitate the exchange of part 2
records in new models of care, including those involving a research
institution providing treatment, an ACO, or a care coordination or care
management organization.\81\
---------------------------------------------------------------------------
\74\ 85 FR 42986. See also 84 FR 44568 (Aug. 26, 2019).
\75\ See 42 CFR 2.33(b).
\76\ See 45 CFR 164.501.
\77\ See 85 FR 42986, 43008-009. Sec. 3221(k)(4) expressed the
Sense of Congress that the Department should exclude paragraph
(6)(v) of 45 CFR 164.501 (relating to creating de-identified health
information or a limited data set, and fundraising for the benefit
of the covered entity) from the definition of ``health care
operations'' in applying the definition to these records.
\78\ See 85 FR 42986, 43006.
\79\ Id. See also 21st Century Cures Act: Interoperability,
Information Blocking, and the ONC Health IT Certification Program,
85 FR 25642 (May 1, 2020).
\80\ See 42 CFR 2.11, defining ``Intermediary'' as a person,
other than a program, covered entity, or business associate, who has
received records under a general designation in a written patient
consent to be disclosed to one or more of its member participants
for the treatment of the patient(s)--e.g., a health information
exchange, a research institution that is providing treatment, an
accountable care organization, or a care management organization.
\81\ U.S. Dep't of Health and Human Servs., ``Information
Related to Mental and Behavioral Health, including Opioid Overdose''
(Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html; U.S. Dep't of Health and
Human Servs., ``Does HIPAA permit health care providers to share
protected health information (PHI) about an individual with mental
illness with a third party that is not a health care provider for
continuity of care purposes? For example, can a health care provider
refer a patient experiencing homelessness to a social services
agency, such as a housing provider, when doing so may reveal that
the basis for eligibility is related to mental health?'' (Jan. 9,
2023), https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html.
---------------------------------------------------------------------------
The Department again modified part 2 on December 14, 2020,\82\ by
amending the confidential communications section of Sec. 2.63(a)(2),
which enumerated a basis for a court order authorizing the use of a
record when ``the disclosure is necessary in connection with
investigation or prosecution of an extremely serious crime allegedly
committed by the patient.'' The December 2020 final rule removed the
phrase ``allegedly committed by the patient,'' explaining that the
phrase was included in previous rulemaking by error, and clarifying
that a court has the authority to permit disclosure of confidential
communications when the disclosure is necessary in connection with
investigation or prosecution of an extremely serious crime that was
allegedly committed by either a patient or an individual other than the
patient.
---------------------------------------------------------------------------
\82\ 85 FR 80626 (Dec. 14, 2020).
---------------------------------------------------------------------------
Section 3221 of the Coronavirus Aid, Relief, and Economic Security
(CARES) Act
On March 27, 2020, Congress enacted the CARES Act \83\ to provide
emergency assistance to individuals, families, and businesses affected
by the COVID-19 pandemic. Section 3221 of the CARES Act,
Confidentiality and Disclosure of Records Relating to Substance Use
Disorder, substantially amended 42 U.S.C. 290dd-2 to more closely align
Federal privacy standards applicable to part 2 records with the HIPAA
and HITECH Act privacy standards, breach notification standards, and
enforcement authorities that apply to PHI, among other modifications.
---------------------------------------------------------------------------
\83\ Public Law 116-136, 134 Stat. 281 (Mar. 27, 2020).
Significant components of section 3221 are codified at 42 U.S.C.
290dd-2 as further detailed in this final rule.
---------------------------------------------------------------------------
The requirements in 42 U.S.C. 290dd-2(b), (c), and (f), as amended
by section 3221 of the CARES Act, with respect to patient consent and
redisclosures of SUD records, now align more closely with HIPAA Privacy
Rule provisions permitting uses and disclosures for TPO and establish
certain patient rights with respect to their part 2 records consistent
with provisions of the HITECH Act; restrict the use and disclosure of
part 2 records in legal proceedings; and set civil and criminal
penalties for
[[Page 12481]]
violations. Section 3221 also amended 42 U.S.C. 290dd-2(j) and (k) by
adding HITECH Act breach notification requirements and new terms and
definitions consistent with the HIPAA regulations and the HITECH Act,
respectively. Finally, section 3221 requires the Department to modify
the HIPAA NPP \84\ requirements at 45 CFR 164.520 so that covered
entities and part 2 programs provide notice to individuals regarding
privacy practices related to part 2 records, including individuals'
rights and uses and disclosures that are permitted or required without
authorization.
---------------------------------------------------------------------------
\84\ Section 3221(i) requires the Secretary to update 45 CFR
164.520, the HIPAA Privacy Rule requirements with respect to the
HIPAA NPP.
---------------------------------------------------------------------------
Paragraph (b) of section 3221 (Disclosures to Covered Entities
Consistent with HIPAA), adds a new paragraph (1) (Consent), to section
543 of the PHSA \85\ and expands the ability of covered entities,
business associates, and part 2 programs to use and disclose part 2
records for TPO. The text of section 3221(b) adding paragraph (1)(B) to
42 U.S.C. 290dd-2 states that once prior written consent of the patient
has been obtained, those contents may be used or disclosed by a covered
entity, business associate, or a program subject to 290dd-2 for the
purposes of TPO as permitted by the HIPAA regulations. Any disclosed
information may then be redisclosed in accordance with the HIPAA
regulations.
---------------------------------------------------------------------------
\85\ Paragraph (1) is codified at 42 U.S.C. 290dd-2(b).
---------------------------------------------------------------------------
To the extent that 42 U.S.C. 290dd-2(b)(1) now provides for a
general written patient consent covering all future uses and
disclosures for TPO ``as permitted by the HIPAA regulations,'' and
expressly permits the redisclosure of part 2 records received for TPO
``in accordance with the HIPAA regulations,'' the Department believes
this means the recipient redisclosing the records must be a covered
entity, business associate, or part 2 program that has received part 2
records under a TPO consent. The Department's proposals throughout this
final rule are premised on its reading of section 3221(b) as applying
to redisclosures of part 2 records by covered entities, business
associates, and part 2 programs, including those covered entities that
are part 2 programs.
In addition to the provisions of section 3221 described above,
paragraph (g) of section 3221, Antidiscrimination, adds a new provision
(i)(1) to 42 U.S.C. 290dd-2 to prohibit discrimination against an
individual based on their part 2 records in: (A) admission, access to,
or treatment for health care; (B) hiring, firing, or terms of
employment, or receipt of worker's compensation; (C) the sale, rental,
or continued rental of housing; (D) access to Federal, State, or local
courts; or (E) access to, approval of, or maintenance of social
services and benefits provided or funded by Federal, State, or local
governments.\86\ Further, the new paragraph (i)(2) prohibits
discrimination by any recipient of Federal funds against individuals
based on their part 2 records.\87\ As stated in the NPRM, the
Department intends to implement the CARES Act antidiscrimination
provisions in a separate rulemaking. However, we discuss below and
briefly respond to comments we received on the NPRM concerning
antidiscrimination and stigma issues.
---------------------------------------------------------------------------
\86\ See sec. 3221(g) of the CARES Act.
\87\ Id.
---------------------------------------------------------------------------
III. Overview of Public Comments
A. General Discussion of Comments
The Department received approximately 220 comments on the NPRM. By
a wide margin, most of the commenters represented organizations rather
than individuals (87 percent versus 13 percent). Professional and trade
associations, including medical professional associations, and patient,
provider, or other advocacy organizations were the most represented,
followed by organizations that could fall within multiple categories.
Other commenters included hospitals and health care systems, state and
local government agencies, health plans and managed care organizations,
health IT vendors, and unaffiliated individuals. Among the 27
individual commenters, nearly a third stated that they had current or
past experience as an SUD provider, health care administrator, or
health IT or legal professional.
The specific issue mentioned most frequently in comments was the
proposal to allow patients to sign a single consent form for all future
uses and disclosures of their SUD records for TPO purposes. This was
followed by the proposed consent requirements, regulatory definitions,
protections for patients in investigations and proceedings against
them, and requirements for intermediaries, in that order.
B. General Comments
Approximately 75 percent of commenters provided general views on
the NPRM covering multiple issues, including the need for better or
complete alignment with HIPAA, concerns about erosion of privacy and
the need for informed consent for disclosures, requests for
Departmental guidance, and requests to better fund SUD treatment
services and health IT technology for part 2 providers.
General Support for the Proposed Rule
Public comments showed strong general support for the NPRM, with
nearly half voicing clear support and nearly one-third expressing
support while offering suggestions for improvement. Comments in support
of the proposed rule stated that the proposed changes would improve
care coordination, support patient privacy, reduce data and information
gaps between patients and providers, reduce the stigma around SUD
treatment, and reduce costs.
A group of commenters supported the proposed changes but did not
view the proposals as sufficient--they sought more comprehensive
change, to essentially recreate a set of HIPAA standards for part 2
records.
General Opposition to the Proposed Rule
Some commenters that expressed opposition to the NPRM stressed the
importance of privacy and the need for informed consent regarding the
use and disclosure of SUD treatment information, particularly for the
use of records in investigations and proceedings against a patient.
Some SUD providers, medical professionals, trade associations, advocacy
organizations, a mental health provider, and nearly all individual
commenters urged the Department not to make changes to part 2, largely
to maintain the existing privacy protections. One advocacy organization
urged the Department to weigh the risk to patients of their data being
used without their permission and their potential loss of privacy
surrounding seeking treatment for SUD, against any potential benefits
provided for providers by the new rule.
IV. Analysis and Response to Public Comments and Final Modifications
The discussion below provides a section-by-section description of
the final rule and responds to comments received from the public in
response to the 2022 NPRM. As the Department discussed in the NPRM, the
CARES Act did not expressly require every proposal promulgated by the
Department. Some of the Department's proposals were proposed to align
the language of this regulation with that in the HIPAA Privacy Rule and
to clarify already-existing part 2 permissions or restrictions.
[[Page 12482]]
A. Effective and Compliance Dates
Proposed Rule
In the NPRM, the Department proposed to finalize an effective date
for a final rule that would occur 60 days after publication, and a
compliance date that would occur 22 months after the effective date.
Taken together, the two dates would give entities two years after
publication to finalize compliance measures. In the NPRM, we \88\
stated ``[e]ntities subject to a final rule would have until the
compliance date to establish and implement policies and practices to
achieve compliance.'' \89\ The Department proposed to provide the same
compliance date for both the proposed modifications to 45 CFR 164.520,
the HIPAA NPP provision, and the more extensive part 2 modifications.
---------------------------------------------------------------------------
\88\ In this final rule, ``we'' and ``our'' denote the
Department.
\89\ 87 FR 74216, 74218.
---------------------------------------------------------------------------
The HIPAA regulations generally require covered entities and
business associates to comply with new or modified standards or
implementation specifications no later than 180 days from the effective
date of any such standards or implementation specifications,\90\
whereas the part 2 regulation does not contain a standard compliance
period for regulatory changes.
---------------------------------------------------------------------------
\90\ See 45 CFR 160.105.
---------------------------------------------------------------------------
However, as we explained in the NPRM, the proposed compliance
period would allow part 2 programs to revise existing policies and
practices, complete other implementation requirements, and train their
workforce members on the changes, as well as minimize administrative
burdens on entities subject to the HIPAA Privacy Rule.
We requested comment on the adequacy of the 22-month compliance
period that follows the proposed effective date and any benefits or
unintended adverse consequences for entities or individuals of a
shorter or longer compliance period.
Comment
More than half of the commenters who addressed the timeline for
compliance, including several providers, health plans, professional
medical and trade associations, and HIE networks, expressed support or
opined that the proposed dates were feasible. Some of these commenters
believed changes could be implemented sooner. Several of these
supportive commenters offered the opinion that compliance deadlines
facilitate care coordination and therefore should not be unnecessarily
delayed, but that the Department should offer technical assistance
leading up to the compliance deadline to assist entities in
implementing these changes. Some commenters stated that the Department
should make clear that covered entities and part 2 programs who wish to
comply with new finalized provisions, such as permissively using and
disclosing SUD records for TPO or using the new authorization form with
a general designation, before the proposed timeline should be able to
do so voluntarily.
Several commenters opined that the compliance timeline should be
shortened. In general, these commenters stated that a shorter
compliance timeline would more quickly facilitate improved care
coordination for SUD patients and avoid extending the opioid crisis. A
few of these commenters suggested that the gap in time between the
effective date and compliance date would allow entities to ``choose''
whether to follow existing or revised regulations for a period of time,
and thus impede interoperability. Others in this group of commenters
suggested that the proposed compliance date was excessively long,
demonstrated a lack of urgency by the Department for improving SUD data
exchange and care for SUD patients, and would prolong the
``misalignment'' of privacy protections for different types of
information. One of these commenters recommended an alternative 12-
month timeline that would include the effective date with only 10
additional months for compliance. A few of these commenters further
encouraged the Department to clarify that entities wishing to implement
any regulatory changes before the proposed timelines could voluntarily
do so.
Response
We appreciate the comments and clarify here that persons who are
subject to the regulation and are able to voluntarily comply with
regulatory provisions finalized in this rulemaking may do so at any
time after the effective date. We also agree with the commenters who
emphasized the important role that this rule will play in improving
care coordination for patients experiencing addiction or other forms of
SUD, and we acknowledge their concerns about timely implementation. As
finalized, we believe the effective and compliance dates strike the
right balance between incentivizing entities to come into compliance in
a timely fashion, and granting them sufficient time to adjust policies,
procedures, and, in some cases, technology to support new or revised
regulations.
Comment
A few commenters expressed support for the proposed timelines but
requested clarification about whether new finalized provisions would
apply to records created prior to the compliance date of the final
rule. These commenters urged the Department to apply modified
requirements to part 2 records created prior to the compliance date of
the final rule to avoid the burdensome task of separating records and
applications for consent.
Response
The changes finalized in this rule will apply to records created
prior to the final rule. We agree with commenters who stated that
separating records by date of creation for differential treatment would
be unduly burdensome.
Comment
Slightly less than half of the commenters who addressed this topic,
including medical associations, a technology vendor, HIE/HINs, state
and local agencies, health plans, and professional provider
organizations, suggested that the Department should either lengthen the
compliance timeline or finalize the proposed compliance date but delay
enforcement, or issue a compliance safe harbor beyond the compliance
date. For example, one commenter suggested that the Department
implement a two-year enforcement delay while a few other commenters
suggested a three-year enforcement delay or two-year phased enforcement
approach beyond the compliance date. Some commenters requested that the
Department spend the time tolled by the enforcement delay to issue
implementation guidance addressing the interaction of the Centers for
Medicare & Medicaid Services (CMS) Interoperability Rule,\91\ HIPAA
regulations, and 42 CFR part 2, or work with the IT vendor community to
address data segmentation approaches.
---------------------------------------------------------------------------
\91\ See 85 FR 25510 (May 1, 2020).
---------------------------------------------------------------------------
A few state and local agencies opined that the 22-month compliance
period following the effective date would not be adequate for
communication, training, implementation, and monitoring of extensive
SUD provider networks with varying delivery options. One of these
agencies cited as an example the state of California where the Medicaid
SUD service delivery system may include hundreds of county and
contracted providers such that the burden of audits, deficiency
findings, and corrective actions would be felt statewide. Another state
agency commented that its state needed more
[[Page 12483]]
time to develop a means to track TPO disclosures and recommended a 60-
month timeline after publication of the rule. Other alternative
timelines suggested by commenters included a recommendation by a dental
professional association to establish an effective date of no less than
one year after publication of the final rule, and a compliance date of
no less than one year after the effective date; an additional 12 months
beyond the proposed 22-month compliance timeline to better accommodate
new interoperability rules and a corresponding need by part 2 programs
to update technology; or a 34-month period following the 60-day
effective date period to grant part 2 programs greater time to
implement changes in practice related to the rule, as well as
additional time for questions and clarifications from the Department.
Commenters also suggested that an enforcement delay include a delay in
imposing civil monetary penalties or ``safe harbor'' protection for
part 2 programs, providers, business associates, and covered entities
acting in good faith.
Response
We disagree with commenters who suggested or recommended that the
Department delay enforcement of a final part 2 rule beyond the proposed
timeline. We also disagree that additional safe harbor protection for
the entities that would be regulated under this rule is necessary or
appropriate. Either an enforcement delay or an enforcement safe harbor
(that would effectively extend the compliance timeline) would frustrate
the timely implementation of the CARES Act amendments to meaningfully
improve the ability of impacted entities to coordinate care for
individuals experiencing SUD, as suggested by the many commenters who
either agreed with the proposed effective and compliance dates or
sought a shorter compliance timeline. The Department may provide
further guidance on the CMS Interoperability Rule in relation to data
segmentation issues, HIPAA, and part 2, but we do not believe that this
should delay finalization of the modifications to the part 2 rule or
compliance deadlines.
Comment
One commenter, a Tribal health board, recommended that Indian
Health Service (IHS) and Tribal facilities using the existing IHS
medical record system be exempted from compliance with part 2 until
such time as IHS modernizes its electronic health record (EHR) system,
projected for 2025. It further requested that SAMHSA issue guidance for
pharmacies utilizing and issuing electronic prescriptions through the
Resource and Patient Management System (RPMS) EHR system, and
associated redisclosures, in the context of an integrated pharmacy
system with the full RPMS EHR.
Response
The timeline finalized here is consistent with this request. As
explained, the two-month delay between publication and an effective
date combined with a 22-month compliance deadline beyond the effective
date grants entities two years after publication to comply. Absent
extenuating circumstances that cause the Department to require
compliance sooner, this final rule will require compliance no earlier
than the third quarter of calendar year 2025.
Comment
A few commenters representing HIE networks expressed support for
the Department's proposal to toll the date by which part 2 programs
must comply with the proposed accounting of disclosures requirements at
Sec. 2.25 until the effective date of a final rule on a revised HIPAA
accounting of disclosures standard at 45 CFR 164.528 to ensure the
consistency with HIPAA.
Response
We appreciate these comments.
Comment
A few commenters recommended that the Department delay this rule in
its entirety until other proposed HIPAA regulations are finalized to
permit commenters to better assess interactions between the alignment
and to reduce administrative burden, such as reviewing multiple
proposed HIPAA NPP provisions.
Response
The Department is not finalizing the proposed HIPAA NPP provisions
in this final rule, but plans to do so in a future HIPAA final rule. We
intend to align compliance dates for any required changes to the HIPAA
NPP and part 2 Patient Notice to enable covered entities to make such
changes at the same time. We believe the two-year compliance timeline
following publication of this rule provides adequate time to assess
alignment implications between HIPAA and part 2 and adjust accordingly.
Final Dates
The final rule adopts the proposed effective date of 60 days after
publication of this final rule, and the proposed compliance date of 24
months after the publication of this final rule. We are also finalizing
the proposed accounting of disclosure provision at Sec. 2.25, but
tolling the effective and compliance dates for that provision until
such time as the Department finalizes a revised provision in HIPAA at
45 CFR 164.528.
B. Substantive Proposals and Responses to Comments
Section 2.1--Statutory Authority for Confidentiality of Substance Use
Disorder Patient Records
Proposed Rule
Section 2.1 describes the statutory authority vested in 42 U.S.C.
290dd-2(g) to prescribe implementing regulations. The Department
proposed to revise Sec. 2.1 to more closely align this section with
the statutory text of 42 U.S.C. 290dd-2(g) and subsection 290dd-
2(b)(2)(C) related to the issuance of court orders authorizing
disclosures of part 2 records.
Comment
A health plan commenter expressed support for this language
alignment and stated that the specific references to authorized
disclosures pursuant to court order will assist part 2 programs in their
compliance efforts. A state agency said that these changes to part 2
will affect its Medicaid system and Prepaid Inpatient Health Plans, and
that compliance is further required for State-licensed narcotic
treatment facilities and residential alcohol and drug treatment
facilities.
Response
We appreciate these comments.
Final Rule
The final rule adopts the proposed changes to this section without
further modification.
Section 2.2--Purpose and Effect
Proposed Rule
Section 2.2 establishes the purpose and effect of regulations
imposed in this part upon the use and disclosure of part 2 records. The
Department proposed to amend paragraph (b) of this section to reflect
that Sec. 2.2(b) compels disclosures to the Secretary that are
necessary for enforcement of this rule, using language adapted from the
HIPAA Privacy Rule at 45 CFR 164.502(a)(2)(ii). In the NPRM, the
Department stated that the regulations do not require use or disclosure
under any circumstance other than when disclosure is required by the
Secretary to investigate or determine a person's compliance with
[[Page 12484]]
this part.\92\ The Department also proposed to add a new paragraph
(b)(3) to this section to clarify that nothing in this rule should be
construed to limit a patient's right to request restrictions on use of
records for TPO or a covered entity's choice to obtain consent to use
or disclose records for TPO purposes as provided in the HIPAA Privacy
Rule. The Department specifically stated that the ``regulations in this
part are not intended to direct the manner in which substantive
functions such as research, treatment, and evaluation are carried
out.'' \93\
---------------------------------------------------------------------------
\92\ 87 FR 74216, 74226.
\93\ 87 FR 74216, 74274.
---------------------------------------------------------------------------
Comment
A commenter said that it is logical for disclosures to the
Secretary under Sec. 2.2 to be consistent with analogous disclosures
under HIPAA. Regarding the proposed modification to Sec. 2.2(b)(1) to
provide that the regulations generally do not require the use and
disclosure of part 2 records, except when disclosure is required by the
Secretary, another commenter said that it would be more logical and
appropriate to treat part 2 records as HIPAA-covered records. The
commenter believed that continued stigmatization of the diagnoses
treated by part 2 facilities is a barrier to treatment and creates a
two-tiered approach to use and disclosure that provides no meaningful
benefit to patients.
Response
We appreciate these comments and have finalized this section as
noted below. We believe our changes align part 2 more closely with
HIPAA while also acknowledging changes to 42 U.S.C. 290dd-2, as amended
by section 3221 of the CARES Act, which continue to provide additional
protection for part 2 records, especially in legal proceedings against
a patient. This section is needed to prevent harm to patients from
stigma and discrimination consistent with the intent of part 2 and the
CARES Act, including newly added statutory antidiscrimination
requirements (42 U.S.C. 290dd-2(i)).
Comment
An SUD professional association discussed stigma and discrimination
to which SUD patients are subject and asked that any discussion of
proposed changes in the NPRM first begin with the context of why these
protections exist. Citing to Sec. 2.2(b)(2), the association noted
that there are a number of adverse impacts to which patients are
vulnerable including those related to: criminal justice, health care,
housing, life insurance coverage, loans, employment, licensure, and
other intentional or passive discrimination against patients. A
psychiatric hospital said that, under current Sec. 2.2(b)(2), the
purpose of the substance use disorder confidentiality protections is to
encourage care without fear of stigma-related adverse impacts, not to
block access to it for patients.
Response
We have long emphasized and agree with commenters that one primary
purpose of the part 2 regulations is to, as the 1987 rule stated,
ensure ``that an alcohol or drug abuse patient in a federally assisted
alcohol or drug abuse program is not made more vulnerable by reason of
the availability of his or her patient record than an individual who
has an alcohol or drug problem and who does not seek treatment.'' \94\
The final rule continues to emphasize, including in this section, that
most uses and disclosures allowed under part 2 are permissive and not
mandatory. The final rule adds that disclosure may be required ``when
disclosure is required by the Secretary to investigate or determine a
person's compliance with this part pursuant to Sec. 2.3(c).''
Likewise, a court order with a subpoena or similar legal mandate may
compel disclosure of part 2 records, as explained in Sec. 2.61, Legal
effect of order.\95\
---------------------------------------------------------------------------
\94\ 52 FR 21796, 21805.
\95\ Section 2.61(a) provides that court orders entered under
this subpart are ``unique'' and only issued to authorize a
disclosure or use, and not ``compel'' disclosure. It further
provides ``A subpoena or a similar legal mandate must be issued in
order to compel disclosure. This mandate may be entered at the same
time as and accompany an authorizing court order entered under the
regulations in this part.'' Under the HIPAA Privacy Rule, a
disclosure pursuant to such a court order, but without an
accompanying subpoena, would not constitute a disclosure required by
law as that term is defined at 45 CFR 164.103.
---------------------------------------------------------------------------
Comment
A commenter believed the Department's proposal to add a new
paragraph (b)(3) to Sec. 2.2 to provide that nothing in this part
shall be construed to limit a patient's right to request restrictions
on use of records for TPO or a covered entity's choice to obtain
consent to use or disclose records for TPO purposes as provided in the
HIPAA Privacy Rule appears consistent with patients' rights
requirements under HIPAA and is a logical clarification.
Response
We appreciate the comment on our proposed changes which are
finalized here.
Final Rule
The final rule adopts all changes to Sec. 2.2 as proposed, without
further modification.
Section 2.3--Civil and Criminal Penalties for Violations
Proposed Rule
Section 2.3 of 42 CFR part 2 currently requires that any person who
violates any provision of the part 2 regulations be criminally fined in
accordance with title 18 U.S.C. The Department proposed multiple
changes to this section to implement the new authority granted in
section 3221(f) of the CARES Act as applied in 42 U.S.C. 290dd-2(f) so
that sections 1176 and 1177 of the Social Security Act apply to a part
2 program for a violation of 42 CFR part 2 in the same manner as they
apply to a covered entity for a violation of part C of title XI of the
Social Security Act (HIPAA Administrative Simplification).
The Department proposed to replace title 18 criminal enforcement
with civil and criminal penalties under sections 1176 and 1177 of the
Social Security Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as
implemented in the HIPAA Enforcement Rule.\96\ The Department also
proposed to rename Sec. 2.3 as ``Civil and criminal penalties for
violations'' and reorganize Sec. 2.3 into paragraphs (a), (b), and
(c). Proposed Sec. 2.3(a) would incorporate the penalty provisions of
42 U.S.C. 290dd-2(f), which apply the civil and criminal penalties of
sections 1176 and 1177 of the Social Security Act, respectively, to
violations of part 2. Proposed changes and comments regarding
paragraphs (a), (b), and (c) are discussed below.
---------------------------------------------------------------------------
\96\ See 45 CFR part 160, subpart D (Imposition of Civil Money
Penalties).
---------------------------------------------------------------------------
Comment
We received comments concerning proposed revisions to Sec. 2.3(a).
A state agency requested clarification regarding the agencies
authorized to enforce Sec. 2.3. Given statutory changes made by the
CARES Act, the commenter asked that the Department clarify which
agencies are authorized to enforce part 2 pursuant to the proposed
provision. This commenter opined that section 1176 of the Social
Security Act authorizes the Secretary to impose penalties, the attorney
general of a state to bring a civil action for statutory damages in
certain circumstances, and OCR to use corrective action in cases where
the person did not know of the violation involved. The commenter asked
for confirmation that the Department is the Federal agency that is
authorized to enforce part 2 through civil penalties and further seeks
clarification regarding whether the Department will act through OCR,
SAMHSA, or another entity. The commenter also seeks clarification that
the authorized state enforcement agency is the office of the attorney
general. Additionally, section 1177 of the Social Security Act pertains
to criminal penalties for knowing violations, but does not identify the
specific agency charged with enforcement. The commenter seeks
confirmation that under the proposed rule, the Federal Department of
Justice (DOJ) has jurisdiction over enforcement of part 2 through
criminal penalties.
Response
We appreciate requests for clarification on enforcement of part 2
as proposed and now finalized in this rule. As we have noted in
previous rulemakings such as the ``HIPAA Administrative Simplification:
Enforcement'' final rule ``[u]nder sections 1176 and 1177 of the Act,
42 U.S.C. 1320d-5 and 6, these persons or organizations, collectively
referred to as `covered entities,' may be subject to CMPs and criminal
penalties for violations of the HIPAA regulations. HHS enforces the
CMPs under section 1176 of the Act, and [DOJ] enforces the criminal
penalties under section 1177 of the Act.'' \97\ As part of the HITECH
Act, state attorneys general may bring civil suits for violations of
the HIPAA Privacy and Security Rules on behalf of state residents.\98\
Under this final rule, alleged violators of part 2 are subject to the
same penalties as HIPAA covered entities through sections 1176 and 1177
of the Social Security Act. The CARES Act granted enforcement authority
to the Secretary for civil penalties and the Department will identify
the enforcing agency before the compliance date of this final rule.
---------------------------------------------------------------------------
\97\ 74 FR 56123, 56124 (Oct. 30, 2009). See also, U.S. Dep't of
Health and Human Servs., ``How OCR Enforces the HIPAA Privacy &
Security Rules'' (June 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html.
\98\ See U.S. Dep't of Health and Human Servs., ``State
Attorneys General'' (Dec. 21, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html.
---------------------------------------------------------------------------
Comment
A state agency said that its state strongly opposes what it
perceives as increasing the civil and criminal penalties described in
Sec. 2.3. Understanding the desire to ensure strong privacy
protections are in place and that sanctions are necessary, the agency
opined that the current enforcement framework is adequate and
increasing sanctions would be punitive rather than promoting
compliance. Punitive sanctions should be brought only against those
entities or individuals that failed to use due diligence and/or make
every reasonable attempt to protect against unauthorized disclosure.
Unintended unauthorized disclosures that result in no material patient
harm should be treated as that--unintended disclosures that cause de
minimis or no harm to patients. Increasing sanctions may have the
unintended consequence of part 2 programs not sharing patient records
even if the patient in fact desires disclosure.
Response
We appreciate this commenter's concerns about part 2 enforcement
and disagree that the sanctions for violations will be harsher than for
violations of the HIPAA regulations. We note that 42 U.S.C. 290dd-2(f),
as amended by section 3221(f) of the CARES Act, applies the provisions
of sections 1176 and 1177 of the Social Security Act to a violation of
42 CFR part 2 in the same manner as they apply to a violation of part C
of title XI of the Social Security Act. We are implementing these
requirements in this final rule. As of the compliance date for this
final rule, we anticipate taking a similar approach to addressing
noncompliance under part 2 as for violations of HIPAA, ranging from
voluntary compliance and corrective action to civil and criminal
penalties.\99\ Indeed, we are finalizing below Sec. 2.3(c) which
provides that the provisions of 45 CFR part 160, subparts C, D, and E,
shall apply to noncompliance with this part with respect to records in
the same manner as they apply to covered entities and business
associates for violations of 45 CFR parts 160 and 164 with respect to
PHI. As proposed, we are incorporating the entirety of 45 CFR part 160,
subpart D, which includes the mitigating factors in 45 CFR 160.408 and
the affirmative defenses in 45 CFR 160.410, to align part 2 enforcement
with the HIPAA Enforcement Rule.
---------------------------------------------------------------------------
\99\ See U.S. Dep't of Health and Human Servs., ``Enforcement
Process'' (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html;
HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
---------------------------------------------------------------------------
In contrast, prior to this final rule, all alleged part 2
violations were subject only to potential criminal penalties. Aligning
part 2 and HIPAA enforcement approaches should make the enforcement
process more straightforward for part 2 programs that are covered
entities because it offers the same mitigating factors for
consideration in enforcement, such as the number of individuals
affected by the violation; whether the violation caused physical,
financial, or reputational harm to the individual or jeopardized an
individual's ability to obtain health care, the size of the covered
entity or part 2 program; and whether the penalty would jeopardize the
covered entity or part 2 program's ability to continue doing business.
This alignment also affords part 2 programs, including those that are
covered entities, the same affirmative defenses to alleged
noncompliance and generally prohibits the imposition of a civil money
penalty for a violation that is not due to willful neglect and is
corrected within 30 days of discovery.
Final Rule
We are finalizing Sec. 2.3(a) to specify that under 42 U.S.C.
290dd-2(f), any person who violates any provision of this part shall be
subject to the applicable penalties under sections 1176 and 1177 of the
Social Security Act, 42 U.S.C. 1320d-5 and 1320d-6, as implemented in
the HIPAA Enforcement Rule.
Section 2.3(b) Limitation on Criminal or Civil Liability
Proposed Rule
As noted in the NPRM, after consultation with DOJ, the Department
proposed in Sec. 2.3(b) to create a limitation on civil or criminal
liability (``safe harbor'') for persons acting on behalf of
investigative agencies when, in the course of investigating or
prosecuting a part 2 program or other person holding part 2 records,
such agencies or persons unknowingly receive part 2 records without
first obtaining the requisite court order. The proposed safe harbor
applies only in instances where records are obtained for the purposes
of investigating a part 2 program or person holding the record, not a
patient. Further, investigative agencies would be required to follow
part 2 requirements for obtaining, using, and disclosing part 2 records
as part of an investigation or prosecution, including requirements
related to seeking a court order, filing protective orders, maintaining
security for records, and ensuring that records obtained in program
investigations are not used in legal actions against patients who are
the subjects of the records.
This safe harbor would be available for uses or disclosures
inconsistent with part 2 only when the person acting on behalf of an
investigative agency acted
with reasonable diligence to determine in advance whether part 2
applied to the records or part 2 program. Paragraph (b)(1) proposed to
clarify what constitutes reasonable diligence in determining whether
part 2 applies to a record or part 2 program before an investigative
agency makes an investigative demand or places an undercover agent with
the part 2 program or person holding the records. The Department
proposed specifically that reasonable diligence under this provision
would require acting within a reasonable period of time, but no more
than 60 days prior to, the request for records or placement of an
undercover agent or informant. As proposed, reasonable diligence would
include taking the following actions to determine whether a health care
practice or provider (where it is reasonable to believe that the
practice or provider provides SUD diagnostic, treatment, or referral
for treatment services) provides such services: (1) checking a
prescription drug monitoring program (PDMP) in the state where the
provider is located, if available and accessible to the agency under
state law; or (2) checking the website or physical location of the
provider.
In addition, Sec. 2.3(b) as proposed was intended to require an
investigative agency to meet any other applicable requirements within
part 2 for any use or disclosure of the records that occurred, or would
occur, after the investigative agency knew, or by exercising reasonable
diligence would have known, that it received part 2 records. The
Department also proposed amending Sec. Sec. 2.66 and 2.67 to be
consistent with and further implement these proposed changes in Sec.
2.3.
Comment
A state agency that regulates health facilities expressed concern
that statements made by HHS in the NPRM when describing the need for
the safe harbor provision for investigative agencies might bring its
authority to obtain part 2 records from health care facilities into
question. The commenter explains that the Department's justification
and interpretation of the need for a safe harbor provision could result
in licensed health care facilities refusing to provide it with access
to part 2 records until the state agency obtains a court order under
subpart E. While the commenter appreciated the clarification provided
by the Department in the NPRM (``[HHS] does not intend to modify the
applicability of Sec. 2.12 or Sec. 2.53 for investigative
agencies''), the commenter asked that Sec. 2.3(b) affirm that
investigative agencies will not be required to demonstrate due
diligence or obtain a court order if their access, use, and disclosure
of part 2 records is covered by another exception to part 2, such as
the audit and evaluation exception in Sec. 2.53.
An academic medical center advocated for a narrower definition of
``investigative agency'' than proposed and expressed concern about
applying the proposed limitation on liability to a broad category of
agencies. Several other commenters also addressed in their comments the
Department's proposed definition of ``investigative agency'' in Sec.
2.11, suggesting inclusion of state, Tribal, or local agencies in this
definition.
Response
We address comments on definitions below in Sec. 2.11, including
concerns about potential unintended adverse consequences of including
``supervisory'' agencies in the definition of ``investigative agency''.
We believe that the definition of ``investigative agency'', combined
with the safe harbor (and its reasonable diligence prerequisite) and
the annual reporting requirement, provides an appropriate check on
government access to records in the course of investigating a part 2
program or lawful holder in those situations where an agency discovers
it has unknowingly obtained part 2 records. The safe harbor option to
apply for a court order retroactively does not alter the criteria for a
court to grant the order, which includes a finding that other means of
obtaining the records were unavailable, would not be effective, or
would yield incomplete information. Here, we also clarify that we do
not intend, in Sec. 2.3(b), to override the existing authority of
investigative or oversight agencies to access records, without court
order, when permitted under another section of this regulation. Rather
than narrowing the definition, we also include, as some commenters
requested, local, territorial, and Tribal investigative agencies in the
final ``investigative agency'' definition because they have a role in
investigations of part 2 programs.
Comment
Some SUD policy organizations and other commenters suggested that
the Department should not include a safe harbor provision for
investigative agencies, as this is not required by the CARES Act and is
duplicative of existing protections such as qualified immunity.
According to these commenters, the CARES Act does not require a
limitation on civil or criminal liability for persons acting on behalf
of investigative agencies if they unknowingly receive part 2 records.
Additionally, this provision is deleterious to the confidentiality of
patients relying on part 2 protections of their records in seeking or
receiving SUD treatment, further eroding the trust necessary between
provider and patient for successful SUD treatment.
The commenters further addressed in their comments the reasonable
diligence steps proposed to identify whether a provider is a covered
part 2 program. Though the NPRM proposed that passing by a part 2
program to observe its operations or checking a PDMP is sufficient to
determine whether a provider offers SUD services, many SUD providers
are not required to share information with PDMPs, the commenters
assert. One commenter suggested that PDMPs do not contain any
information from part 2 programs that do not prescribe controlled
substances to patients. Under Sec. 2.36, opioid treatment programs
(OTPs) may report methadone dispensing information to PDMPs, but only
if the reporting is mandated by state law and authorized by a part 2-
compliant consent form. The commenters asserted that more accurate
verification methods exist, such as SAMHSA's online treatment locator
or state treatment databases. If such a safe harbor provision is
included, the standard for diligence must be made more explicit and
subject to more rigorous standards, according to these commenters.
A legal advocacy organization commented that the safe harbor
proposal fell outside the scope of the CARES Act and was an unnecessary
change. It further commented that despite disclosing that it consulted
with the DOJ, HHS failed to adequately explain why law enforcement
merits special consideration for protection from liability or why HHS
did not consult with civil rights organizations, legal and policy
advocates, providers, or patients. In addition, this commenter opined
that the proposed safe harbor provision had inadequate guardrails to
protect privacy because the Department proposed a very low standard of
reasonable diligence that the investigative agency would be required to
show and insufficient examples of actions an investigative agency must
take to identify whether a provider offered SUD treatment under part 2.
The commenter also remarked that checking a state's PDMP website should
not be sufficient to establish reasonable diligence since the majority
of part 2 programs do not report information to PDMPs, and similarly,
driving by a provider's physical location should not
be considered sufficient to establish reasonable diligence because many
SUD providers preserve their patients' privacy by avoiding overt street
signage or advertisements. This commenter suggested checking SAMHSA's
online treatment locator or the state oversight agency's list of
licensed and certified providers as better alternatives than those
proposed in the NPRM.
An HIE association expressed concern that if patients believe that
their information related to seeking SUD treatment or admitting
continued SUD while in treatment could be disclosed to an investigative
Federal Government agency, then they may forgo or stop receiving that
treatment. SUD treatment and the part 2 patient records are some of the
most sensitive pieces of a person's health record. The commenter
suggested that it is important for OCR and SAMHSA to engage with
patient advocacy organizations to understand the needs of patients to
protect that privacy and ensure treatment is not foregone due to a fear
of exposure. An individual commenter also recommended consultation by
the Department with SUD patients and former patients.
Another group of commenters claimed that the proposed rule's new
safe harbor provision in Sec. 2.3 was unnecessary, overly broad, and
was not required by the CARES Act. HHS should withdraw this proposed
change, these commenters stated, or at least should include more
accurate methods of how investigative agencies can determine a provider
offers SUD services (and thus may be subject to part 2) such as
consulting the SAMHSA online treatment locator.
An individual commenter viewed the proposed Sec. 2.3(b) changes as
stigmatizing because it would promote access to patients' records
against their interests by law enforcement. Another individual
commenter suggested the proposed safe harbor may create a chilling
effect, dissuading people from seeking the SUD care and other kinds of
health care, including prenatal care, that they need. One person in
recovery said that the proposal's language is vague and open-ended,
leaving room for interpretation and loopholes for fishing expeditions
by law enforcement through patient records. This commenter further
stated that while it is important that bad actor treatment centers or
providers are held accountable, the solution should not sacrifice
fundamental privacy rights of patients.
Another commenter recommended a bar against using the safe harbor
provision without inquiring directly with the provider about whether
part 2 applies. The organization has helped part 2 programs respond to
hundreds of law enforcement requests for SUD treatment records. Based
on its experience, many part 2 programs report that law enforcement
officials are not familiar with part 2 and do not listen to program
staff when they flag its requirements for law enforcement. The
commenter stated that part 2 program staff have even been arrested and
charged with obstruction for attempting to explain the Federal privacy
law as a result of this lack of knowledge by law enforcement.
A county government expressed opposition to the Department's
proposals in Sec. 2.3, and relatedly in Sec. Sec. 2.66 and 2.67.
According to this commenter, the Department should consider that once
information is received by an investigator, there is no way to undo the
knowledge learned even if records are destroyed as required in
Sec. Sec. 2.66 and 2.67. Thus, the commenter concluded, the Department
should not finalize the safe harbor.
Another county government, also expressing opposition to proposed
changes in Sec. Sec. 2.3 and 2.66, commented that it believes the
creation of a safe harbor for improper use or disclosure of part 2
records by investigative agencies is contrary to the ``fundamental
policy goals'' that support more stringent privacy protections for
substance use treatment records under 42 CFR part 2. This commenter
explained its view that patients remain fearful of legal repercussions
for engaging in substance use and will be discouraged from seeking
treatment if guardrails that protect information are lowered. This
commenter further opined that creating a safe harbor for investigative
agencies could have the unintended consequence of creating an incentive
for investigative agencies to design document requests to technically
meet the requirements of the safe harbor, with the hopes of providers
turning over part 2 records to which the investigative agency would not
otherwise have access. Furthermore, according to the commenter, the
contents of part 2 records could conceivably be used as a basis for
meeting the criteria for a court order to use or disclose these, or
other part 2 records, under Sec. 2.64. This commenter further
recommended that investigators not be permitted to retroactively seek a
court order to use or disclose part 2 records, and in no event should
investigative agencies be able to use information from part 2 records
that they did not have proper authority to receive as the basis for a
retroactive court order for use or disclosure of part 2 records.
Response
As noted above and in response to comments, this final rule no
longer considers the reasonable diligence requirement specific to the
safe harbor to be met by checking the applicable PDMP. Instead, this
rule in the regulatory text of Sec. 2.3 provides that ``reasonable
diligence'' means taking all of the following actions: searching for
the practice or provider among the SUD treatment facilities in SAMHSA's
online treatment locator; searching in a similar state database of
treatment facilities where available; checking a practice or program's
website, where available, or physical location; viewing the entity's
Patient Notice or HIPAA NPP if it is available; and taking all these
steps within no more than 60 days before requesting records or placing
an undercover agent or informant.
SAMHSA's online treatment locator,\100\ even if it does not include
every SUD provider or may include outdated information for some
providers, still is more inclusive than PDMPs. Generally, only SUD
providers who prescribe controlled substances submit data to PDMPs
while SAMHSA's online treatment locator also includes SUD providers who
do not prescribe controlled substances. Further, we believe that
requiring consultation of a PDMP by investigative agencies could
unnecessarily increase exposure of patient records that are contained
in a PDMP with the records of part 2 programs or lawful holders who are
under investigation. The inherent risk of an unnecessary disclosure of
patient records runs counter to the underlying intent to keep these
records confidential. Finally, the SAMHSA online treatment locator uses
existing Departmental resources and is readily available to the general
public at no cost.\101\
---------------------------------------------------------------------------
\100\ See Substance Abuse and Mental Health Servs. Admin.,
``FindTreatment.gov,'' https://findtreatment.gov/.
\101\ See Ned J. Presnall, Giulia Croce Butler, and Richard A.
Grucza, ``Consumer access to buprenorphine and methadone in
certified community behavioral health centers: A secret shopper
study,'' Journal of Substance Abuse Treatment (Apr. 29, 2022),
https://www.jsatjournal.com/article/S0740-5472(22)00070-8/fulltext;
Cho-Hee Shrader, Ashly Westrick, Saskia R. Vos, et al.,
``Sociodemographic Correlates of Affordable Community Behavioral
Health Treatment Facility Availability in Florida: A Cross-Sectional
Study,'' The Journal of Behavioral Health Services & Research (Jan.
4, 2023), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9812544/.
---------------------------------------------------------------------------
As to the suggestion that checking state licensing information
would be a better indicator of a program's part 2 status, the
Department disagrees. Licensing may occur at the facility level,
or separately by occupational specialty, which would require an
investigative agency to scour several sources of information. Further,
the definition of part 2 program is broader than that of licensed SUD
treatment providers because it can include prevention programs, so the
pool of licensed providers is overly narrow and does not address the
requirements that a program ``hold itself out'' as providing SUD
services or that it is in receipt of Federal assistance.
Regarding comments that HHS did not consult with civil rights
organizations, legal and policy advocates, providers, or patients, we
note that we received and reviewed comments submitted by individuals
and advocacy and civil rights organizations as we are required to do as
part of the rulemaking process. We also consulted with DOJ and other
Federal agencies.
We also acknowledge and appreciate concerns among some individual
commenters that this provision may further stigmatize people seeking
SUD treatment. However, we believe the requirement to demonstrate
reasonable diligence to determine part 2 status in the safe harbor
along with the requirements in Sec. Sec. 2.66 and 2.67 that prohibit
use or disclosure of records against a patient in a criminal
investigation or prosecution or in an application for a court order to
obtain records for such purposes will help ensure and enhance patient
privacy consistent with the purpose and intent of part 2 and 42 U.S.C.
290dd-2 as amended by the CARES Act. We will monitor implementation and
take steps to address any unintended adverse consequences that may
follow, particularly for patients because they are not the intended
focus of these investigations.
The safe harbor is not required by the CARES Act; it is grounded in
the Secretary's general rulemaking authority for the confidentiality of
SUD patient records under 42 U.S.C. 290dd-2(g) and is necessary to
operationalize subpart E, particularly in the context of other health
care investigations. For example, investigative agencies may
inadvertently obtain records from part 2 programs in the course of
their investigations under other laws such as Medicaid fraud
regulations, Drug Enforcement Administration (DEA) regulations, and
HIPAA, where the applicability of part 2 (and the court order
requirement for program investigations) is not obvious. The safe harbor
provision facilitates a pathway to conduct the investigation under the
amended part 2 statute. Contrary to some views expressed by commenters,
it may be inappropriate for an investigative agency to directly discuss
with or contact the provider about whether part 2 applies because this
could apprise them of an investigation or potential use of an informant
under subpart E. In contrast, reliance on a publicly available
directory, a HIPAA NPP, or Patient Notice offers neutral sources to
alert agencies to the potential applicability of part 2.
Comment
A health care system commented that an investigative agency should
have ample and sufficient notice that it may receive or come into
contact with SUD records in the course of investigating or prosecuting
a part 2 program. However, depending on the requirements or standards
to be met, the commenter stated that it may be more expedient for an
investigating agency to rely on the safe harbor after it comes into
contact with part 2 records. As a result, investigative agencies might
intentionally bypass the requirement to obtain consent or a court order
and decide instead to avail themselves of the safe harbor after
disclosure. In addition, the commenter asserted that the good faith
standard could easily become diluted and might permit an investigator
to hide behind the safe harbor when their conduct is the result of
ignorance or an error in judgment. The commenter also expressed concern
that the good faith standard would allow for a spectrum of
interpretations and different courts may apply the standard
differently, leading to inconsistent results; as such, it would be
important for the Department to audit and monitor the use of the safe
harbor to ensure it is being used appropriately.
An individual commenter asserted that expanding the reach of the
CARES Act \102\ to create safe harbors for the criminal justice
communities for violations of part 2 is beyond the intent of Congress,
noting that the CARES Act does not require the creation of a limitation
on civil or criminal liability for persons acting on behalf of
investigative agencies if they unknowingly receive part 2 records. This
commenter expressed concern that creating a limitation on civil or
criminal liability under Sec. 2.3 of 42 CFR part 2 or a good faith
exception under the proposed new paragraph under Sec. 2.66(a)(3) of 42
CFR part 2 would ``encourage lax investigative actions on the part of
an investigative agency.'' The commenter believed that investigative
agencies should continue to be required to seek an authorization from a
court to use or disclose any records implicated by part 2 protections
because admonishing an investigative agency to cease using or
disclosing part 2 records after the fact would in practice give the
investigative agency license to screen and review part 2 records. This
commenter also said that the good faith standard of Sec. 2.66(a)(3)
would offer investigative agencies an ``excuse'' to receive and review
part 2 records. This commenter also asserted that Sec. Sec. 2.3 and
2.66(a)(3) and (b) should be eliminated from the final rule as not
required by the CARES Act and inconsistent with the confidentiality of
a patient relying on part 2 protections of their records in seeking or
receiving SUD treatment.
---------------------------------------------------------------------------
\102\ See sec. 3221(i)(1) of the CARES Act.
---------------------------------------------------------------------------
Another commenter argued that the limitation of liability would not
negatively affect a patient's access to SUD treatment but might
``influence the investigative agency to be cavalier in obtaining the
appropriate [consent or court order] if they are aware that its
liability will be limited.'' This commenter further opined that the
annual reporting to the Secretary could serve as an important way to
audit the use of the safe harbor protection, and that the limitation of
liability may support an investigative agency's ability to investigate
a program, which could increase the quality of care.
Response
We believe that some commenters misunderstand the process of
investigating a health care provider and we disagree that an
investigator would always know before seeking records that a provider
is subject to part 2. In many instances, an investigation is focused on
the use of public money such as Medicaid or Medicare claims and
reimbursement, and the focus is not on whether a provider is treating
SUDs. Regarding the good faith standard, as we explain below, we believe
the phrase is generally understood to mean acting consistently with both
the text and the intent of the statute and the part 2 regulations.
We believe that the operation of this provision is clear in the
event that good faith is not found. First, a lack of good faith
could result in the imposition of HIPAA/HITECH Act penalties under 42
U.S.C. 290dd-2, as amended, if investigators are found to have acted in
bad faith in obtaining the part 2 records. Second, in Sec. Sec. 2.66
and 2.67, a finding of good faith is necessary to trigger the ability
of the agency to apply for a court order to use records that were
previously obtained.
We also disagree that this provision will encourage lax
investigative actions or prompt agencies to ``game'' the regulations to
improperly obtain
[[Page 12489]]
records. First, the manner in which agencies obtain records will be
considered by a court as part of the court order process. Second, while
the safe harbor operates as a limitation on civil and criminal
liability under 42 U.S.C. 290dd-2(f), it does not provide absolute
immunity under Federal or state law should an agency or person
knowingly obtain records improperly or under false pretenses. For
example, it would be improper to knowingly obtain records without
following the required procedures for the type of request, or under
false pretenses.
We agree with the sentiment that the reporting requirement in Sec.
2.68 will serve as a useful tool to help monitor the appropriateness of
investigative agencies' reliance on the regulatory safe harbor. We also
appreciate the view that facilitating appropriate investigations will
play an important role in ensuring the quality of care delivered by
part 2 programs.
Comment
An SUD provider said that this safe harbor essentially could
establish a loophole for investigative agencies to obtain part 2
records without following part 2 requirements, and thus adversely
affect patient privacy. This commenter believed that the proposed rule
attempted to justify the safe harbor by addressing the increased
liability due to added penalties for violations of part 2, the need to
prosecute bad actors, and public safety. However, this justification
was misplaced, according to this commenter, and the safe harbor might
only reduce important protections that limit investigative agencies'
ability to obtain protected records. By replacing the required elements
in place to protect the privacy of patients with a loosely defined
reasonable diligence standard, the proposed rule would only increase
the chances of investigative agencies unknowingly receiving part 2
records, according to this commenter. The proposed reasonable diligence
standard provides investigative agencies with two options to determine
whether part 2 applies to a provider, both of which the commenter views
as insufficient. Ultimately, these proposed reasonable diligence
standards can be easily bypassed as a way to obtain records without
meeting the requisite requirements. The organization expressed the belief that if a
reasonable diligence standard remains in place, the Department should
impose more stringent requirements under this standard, such as
obtaining a copy of a provider's HIPAA NPP to determine part 2
applicability or comparable requirement.
Response
We acknowledge this commenter's concerns. As noted in this final
rule at Sec. 2.3, we are revising the proposed ``reasonable
diligence'' standard to mean taking all of the following actions:
searching for the practice or provider among the SUD treatment
facilities in SAMHSA's online treatment locator; searching in a similar
state database of treatment facilities where available; checking a
practice or program's website, where available, or its physical
location; viewing the entity's Patient Notice or HIPAA NPP if it is
available; and taking all these steps within no more than 60 days
before requesting records or placing an undercover agent or informant.
We are requiring these reasonable diligence steps to be taken in
response to commenters' concerns about the effects of the safe harbor
on patient privacy and their specific recommendations for strengthening
those steps. Importantly, an investigative agency could be subject to
penalties under the CARES Act enforcement provisions if it does not
take all of the steps in the required time frame as necessary to
qualify for the protection afforded by the safe harbor. Finally, as
discussed above, the reporting requirement to the Secretary will play
an important role in ensuring transparency. After this rule is
finalized, the Department intends to make use of such reports to
monitor compliance with these requirements and work to educate
patients, providers, investigative agencies and others about these
provisions.
Comment
An individual commenter expressed concern about what they
characterized as a broad swath of potential agencies that conduct
activities covered by the term ``investigation.'' The commenter opined
that the types of agencies that conduct investigations are broad and
many have repeatedly demonstrated their lack of prioritization of
patient privacy and personal rights. The commenter believed that the
Department outlines reasonable minimums including access controls,
requesting and maintaining the minimum data required, and taking the
most basic steps to determine if staff should or could access patient
data before doing so, as well as obtaining the legally required
permissions to lawfully receive such data. However, inability to follow
these most basic guidelines does not support reducing liability, the
commenter asserted, suggesting that the reasonable steps the Department
describes in Sec. 2.3 should be required for investigatory agencies to
receive any PHI or part 2 records or to deploy an informant.
An anonymous commenter alleged that parole officers in their state
frequently violate part 2 by making notes in an automated system
redisclosing part 2 information from community providers. Until there
is a regulatory and investigative agency invested in ensuring strict
adherence to this regulation, the commenter said the Department should
not ease up on the restrictions and access to SUD confidential
information.
Response
We acknowledge that a broad range of agencies is encompassed within
the definition of ``investigative agency,'' and they have varying
degrees of involvement with the provision of health care. The
prerequisites for accessing part 2 records for audit and evaluation
differ, intentionally, from the prerequisites for placing an informant
within a program, although both may involve investigative agency review
of part 2 records. The requirement to first obtain a court order before
records are sought in a criminal investigation or prosecution is a much
higher standard. While the safe harbor operates as a limitation on
civil and criminal liability for agencies that have acted in good
faith, it does not provide immunity under Federal or state law should
an investigative agency knowingly obtain records improperly or under
false pretenses. Further, this final rule establishes a right to file a
complaint with the Secretary for violations of part 2 by, among others,
lawful holders.
Comment
A medical professional association encouraged extending safe harbor
protections to part 2 programs, providers, business associates, and
covered entities acting in good faith for at least 34 months following
the 60-day effective date period (36 total months). According to the
commenter, this protection is essential to encourage providers to hold
themselves out as SUD providers and other entities to support part 2
programs, which will be especially important as the health care system
implements these new regulations. However, the commenter opposed the
proposed safe harbor for investigative agencies as written.
According to this commenter, as written the proposed safe harbor could
reduce access to care if part 2 programs or providers feel more at risk
for acting in good faith than the investigative agencies that do not
provide patient care.
[[Page 12490]]
Response
As discussed in the proposed rule, the effective date of a final
rule will be 60 days after publication and the compliance date will be
24 months after the publication date. The Department acknowledges
concerns about compliance and may provide additional guidance after the
rule is finalized. We acknowledge requests by commenters to extend the
safe harbor beyond investigative agencies to covered entities, health
plans, HIEs/HINs, part 2 programs, APCDs, and others. However, we
decline to make these requested changes because Sec. 2.3 is
specifically intended to operate in tandem with Sec. Sec. 2.66 and
2.67 when investigative agencies unknowingly obtain part 2 records in
the course of investigating or prosecuting a part 2 program and, as a
result, fail to obtain the required court order in advance. We also
believe that covered entities and business associates that are likely
to receive part 2 records are routinely engaged in health care
activities and are more likely to be aware when they are receiving such
records.
Comment
A health IT vendor addressed our request for comment on whether to
expand the limitation on civil or criminal liability for persons acting
on behalf of investigative agencies to other entities. The commenter
requested clarification on how the Department defines ``unknowingly''
when considering whether a safe harbor should be created for SUD
providers that unknowingly hold part 2 records and unknowingly disclose
them in violation of part 2.
Response
We have not developed a formal definition of ``unknowingly;''
however, the safe harbor for investigative agencies addresses
situations where the recipient is unaware that the records it has
obtained contain information subject to part 2, even though the agency
first exercised reasonable diligence to determine if the disclosing
entity was a part 2 program. The reasonable diligence expected of an
SUD provider would be different in nature because such a provider
uniquely possesses the information necessary to evaluate whether it is
subject to this part, and consequently whether any patient records it
creates are also subject to this part. We think it is more likely that
the ``unknowing'' situation could occur when an entity other than a
part 2 program receives records without the Notice to Accompany
Disclosure and rediscloses them in violation of this part because it is
unaware that it possesses part 2 records. As we stated in the NPRM, we
believe this scenario is addressed by the HITECH penalty tiers, so we
are not expanding the safe harbor to other entities. Covered entities
and business associates that are likely to receive part 2 records are
routinely engaged in health care activities and are more likely to be
aware that they are receiving such records. Further, the HITECH penalty
tiers were designed to address privacy violations by covered entities
and business associates.
Comment
Many commenters argued that the proposed safe harbor provisions
should apply to entities beyond investigative agencies. The commenters
included a medical association, a state Medicaid agency, a managed care
organization, health care providers, HIEs, a state HIE association, and
other professional and trade associations. The range of entities for
which a safe harbor was recommended include the following: non-
investigative agencies; covered entities; business associates; other
SUD providers, facilities, and other providers generally who act in
good faith and use reasonable diligence to determine whether records
received/maintained are covered by part 2; health plans based on good
faith redisclosures that comply with the HIPAA Privacy rule but not
with the part 2 Rule; HIEs; SUD providers that are unaware of their
practice designation as a part 2 provider; state Medicaid agencies
administering the Medicaid program; all payer claims databases (APCDs);
part 2 programs; and lawful holders who, in good faith, unknowingly
receive part 2 records and then unintentionally violate part 2 with
respect to those records.
A county government argued that amending Sec. 2.3 to contain a
safe harbor provision for providers would better serve the policy goals
of protecting patient privacy, while recognizing that health systems
are moving toward integrating substance use treatment with other health
conditions and behavioral health needs. Many part 2 programs provide
integrated substance use and mental health treatment, and include
providers who provide both mental health and substance use treatment or
work in collaboration with mental health treatment providers. In these
``dual diagnosis'' programs, mental health providers may over time
unknowingly generate and/or receive and possess records subject to part
2.
Another commenter, a professional association, urged that such a
safe harbor should remain in place until such time as there is an
operationally viable means of providing the Notice to Accompany
Disclosures of part 2 records in Sec. 2.32. It should apply to HIPAA
entities only if and to the extent that HHS does not, in the final
rule, permit these entities to integrate these records with their
existing patient records and treat the data as PHI which, the
association asserted is the best approach from both patient care and
operational perspectives.
Response
We acknowledge requests by commenters to extend the safe harbor
beyond investigative agencies to covered entities, health plans, HIEs/
HINs, part 2 programs, APCDs, and others. However, we decline to make
these requested changes because Sec. 2.3 is specifically intended to
operate in tandem with Sec. Sec. 2.66 and 2.67 when investigative
agencies unknowingly obtain part 2 records in the course of
investigating or prosecuting a part 2 program and, as a result, fail to
obtain the required court order in advance. By contrast, Sec. Sec.
2.12, 2.31, and 2.32, including the requirement in this final rule that
each disclosure made with the patient's written consent must be
accompanied by a notice and a copy of the consent or a clear
explanation of the scope of the consent, should be sufficient to inform
recipients of part 2 records of the applicability of part 2 in
circumstances that do not involve investigations or use of informants.
SUD providers, in particular, are obligated to know whether they
are subject to part 2. In the event of an enforcement action against a
lawful holder that involves an unknowing receipt or disclosure of part
2 records despite the lawful holder having exercised reasonable
diligence, the Department will consider the facts and circumstances and
make a determination as to whether the disclosure of part 2 records
warrants an enforcement action against the lawful holder. This would
include considering application of the ``did not know'' culpability
tier for such violations.\103\
---------------------------------------------------------------------------
\103\ See 45 CFR 160.404(b)(2)(i) (the entity ``did not know
and, by exercising reasonable diligence, would not have known that
[they] violated such provision[.]''). See also Social Security Act,
sections 1176 and 1177.
---------------------------------------------------------------------------
Comment
A health information management association remarked that covered
entities, lawful holders, and other recipients of SUD PHI are obligated
to be aware of what information is being disclosed prior to disclosing
it. Law enforcement requests for information
[[Page 12491]]
should be clear to prevent inadvertent disclosures. According to the
commenter, a court order, subpoena, or patient ``authorization'' should
be necessary before obtaining SUD information. Under 45 CFR 164.512(e),
the criteria required for a valid court order and/or subpoena protect the
SUD PHI. Disclosing SUD information before the correct protections are
in place could result in the SUD information becoming discoverable
through the Freedom of Information Act (FOIA).\104\ In addition, once
the information is disclosed the recipients cannot unsee or unknow the
information, nor are mechanisms in place to properly return or destroy
the information.
---------------------------------------------------------------------------
\104\ Public Law 89-487, 80 Stat. 250 (July 4, 1966) (originally
codified at 5 U.S.C. 1002; codified at 5 U.S.C. 552).
---------------------------------------------------------------------------
Response
Part 2, subpart E, requirements are distinct from the HIPAA Privacy
Rule requirements at 45 CFR 164.512(e). We agree that it is important
to engage with patients and patient organizations to ensure part 2
continues to bolster patient privacy and access to SUD treatment.
SAMHSA provides funding to support the Center of Excellence for
Protected Health Information Related to Behavioral Health \105\ which
does not provide legal advice but can help answer questions from
providers and family members about HIPAA, part 2, and other behavioral
health privacy requirements. The required report to the Secretary in
Sec. 2.68 will help the Department monitor investigations and
prosecutions involving part 2 records. While in theory FOIA or similar
state laws could apply to mistakenly released information, FOIA
includes several exemptions and exclusions that could apply to withhold
information from release in response to a request for such information,
including FOIA Exemptions 3 (requires the withholding of information
prohibited from disclosure by another Federal statute), 6 (protects
certain information about an individual when disclosure would
constitute a clearly unwarranted invasion of personal privacy), and 7
(protects certain records or information compiled for law enforcement
purposes).\106\ State health privacy laws or freedom of information
laws may contain similar exemptions.\107\
---------------------------------------------------------------------------
\105\ See The Ctr. of Excellence for Protected Health Info.,
``About COE PHI,'' https://coephi.org/about-coe-phi/.
\106\ 5 U.S.C. 552(b)(3), (b)(6) & (b)(7).
\107\ See, e.g., National Freedom of Info. Coal., ``State
Freedom of Information Laws,'' https://www.nfoic.org/state-freedom-of-information-laws/ and Seyfarth Shaw LLP, ``50-State Survey of
Health Care Information Privacy Laws'' (July 15, 2021), https://www.seyfarth.com/news-insights/50-state-survey-of-health-care-information-privacy-laws.html.
---------------------------------------------------------------------------
Final Rule
We are finalizing Sec. 2.3(b) with the additional modifications
discussed above in response to public comments and reorganizing for
clarity. This final rule strengthens the safe harbor's proposed
reasonable diligence requirements in response to public comments that
the proposed steps would be insufficient and provides that all of the
specified actions must be initiated for the limitation on liability to
apply. We clarify here that if any of the actions taken results in
knowledge that a program or person holding records is subject to part
2, no additional steps are required to confirm that the program or
person holding records is subject to part 2.
Section 2.3(c) Applying the HIPAA Enforcement Rule to Part 2 Violations
Proposed Rule
Proposed Sec. 2.3(c) stated that the HIPAA Enforcement Rule shall
apply to violations of part 2 in the same manner as it applies to
covered entities and business associates for violations of part C of
title XI of the Social Security Act and its implementing regulations
with respect to PHI.\108\ \109\
---------------------------------------------------------------------------
\108\ See 45 CFR part 160, subpart C (Compliance and
Investigations), D (Imposition of Civil Money Penalties), and E
(Procedures for Hearings). See also sec. 13410 of the HITECH Act
(codified at 42 U.S.C. 17929).
\109\ This proposal would implement the required statutory
framework establishing that civil and criminal penalties apply to
violations of this part, as the Secretary exercises only civil
enforcement authority. The DOJ has authority to impose criminal
penalties where applicable. See 68 FR 18895, 18896 (Apr. 17, 2003).
---------------------------------------------------------------------------
Comment
A state agency stated its view that if Sec. 2.3(c) applies the
various sanctions of HIPAA to part 2 programs regardless of whether the
program is a HIPAA covered entity or business associate, the need to
retain QSOs for part 2 programs that are not covered entities seems to
be eliminated.
Response
We disagree that including this section obviates the need for QSOs,
which we discuss below in Sec. 2.11.
Final rule
We are finalizing Sec. 2.3(c) with modifications changing
references to ``violations'' to ``noncompliance.'' This minor change
recognizes that the provisions of the HIPAA Enforcement Rule address
not only penalties based on formal findings of violations but also many
other aspects of the enforcement process, including procedures for
receiving complaints and conducting investigations into alleged or
potential noncompliance, which could result in informal resolution
without a formal finding of a violation.
Section 2.4--Complaints of Noncompliance
Proposed Rule
The Department proposed to change the existing language of
paragraphs (a) and (b) of Sec. 2.4 which provide that reports of
violations of the part 2 regulations may be directed to the U.S.
Attorney for the judicial district in which the violation occurs and
reports of any violation by an OTP may be directed to the U.S. Attorney
and also to SAMHSA. Section 290dd-2(f) of 42 U.S.C., as amended by
section 3221(f) of the CARES Act, grants civil enforcement authority to
the Department, which currently exercises its HIPAA enforcement
authority under section 1176 of the Social Security Act in accordance
with the HIPAA Enforcement Rule. To implement these changes, the
Department proposed to re-title the heading to this section by
replacing ``Reports of violations'' with ``Complaints of
noncompliance,'' and to replace the existing provisions about directing
reports of part 2 violations to the U.S. Attorney's Office and to
SAMHSA with provisions about directing complaints of potential
violations to a part 2 program. The Department noted that SAMHSA
continues to oversee OTP accreditation and certification and therefore
may receive reports of alleged violations by OTPs of Federal opioid
treatment standards, including privacy and confidentiality
requirements.
The Department proposed to add Sec. 2.4(a) to require a part 2
program to have a process to receive complaints concerning a program's
compliance with the part 2 regulations. Proposed Sec. 2.4(b) provided
that a part 2 program may not intimidate, threaten, coerce,
discriminate against, or take other retaliatory action against any
patient for the exercise of any right established, or for participation
in any process provided for in part 2, including the filing of a
complaint. The Department also proposed to add Sec. 2.4(c) to prohibit
a part 2 program from requiring patients to waive their right to file a
complaint as a condition of the provision of treatment, payment,
enrollment, or eligibility for any program subject to part 2.
[[Page 12492]]
Comment
Commenters generally supported the Department's proposal to
establish a complaint process under Sec. 2.4 that aligns with HIPAA
and ensures part 2 programs would not retaliate against patients who
filed a complaint or condition treatment or receipt of services on a
patient's waiving any rights to file a complaint. Commenters advocated
for part 2 patients being protected against potential discrimination,
such as job loss, that may occur following improper disclosures of
their treatment records. They further suggested that this provision
aligns with the HIPAA Privacy Rule and thus will help to reduce
administrative burdens. For example, covered entities can use their
existing Privacy Offices and processes to oversee both part 2 and HIPAA
compliance. Commenters also believed that application of the HIPAA
Breach Notification Rule and the HIPAA Enforcement Rule will further
help to protect part 2 patients. Additionally, commenters supported the
inclusion of business associates and covered entities within the scope
of this section.
Response
We appreciate the comments supporting the proposed changes to align part 2
with the HIPAA Privacy Rule provisions concerning complaints. Patients with
SUD continue to experience the effects of stigma and discrimination,
one reason why privacy protections as established in this regulation
remain important.\110\ We agree that aligning part 2 and HIPAA
requirements may reduce administrative burdens.
---------------------------------------------------------------------------
\110\ See, e.g., Lars Garpenhag, Disa Dahlman, ``Perceived
healthcare stigma among patients in opioid substitution treatment: a
qualitative study,'' Substance Abuse Treatment, Prevention, and
Policy (Oct. 26, 2021), https://pubmed.ncbi.nlm.nih.gov/34702338/;
Janet Zwick, Hannah Appleseth, Stephan Arndt, ``Stigma: how it
affects the substance use disorder patient,'' Substance Abuse
Treatment, Prevention, and Policy (July 27, 2020), https://pubmed.ncbi.nlm.nih.gov/32718328/; Richard Bottner, Christopher
Moriates and Matthew Stefanko, ``Stigma is killing people with
substance use disorders. Health care providers need to rid
themselves of it,'' STAT News (Oct. 2, 2020), https://www.statnews.com/2020/10/02/stigma-is-killing-people-with-substance-use-disorders-health-care-providers-need-to-rid-themselves-of-it/.
---------------------------------------------------------------------------
Comment
One commenter expressed concern about enhanced penalties, which it
characterized as potentially punitive and best reserved for those who
fail to exercise due diligence. Such penalties may deter part 2
programs from sharing part 2 information, this commenter asserted.
Other commenters similarly noted what they viewed as potential
deterrent effects of penalties provided for in this regulation on
information sharing. A commenter urged reduced penalties for
unintentional disclosures by part 2 programs as they may require time
and assistance to comply with these regulations. Another commenter
urged that clinicians should not be held liable for unintentional
disclosures of part 2 records by part 2 programs, which may need
additional time and technical assistance to comply with these updated
regulations.
By contrast, another commenter urged strict enforcement of this
provision including penalties for both negligent and intentional
breaches. The commenter recommended enforcement by states' attorneys
general and a private right of action for complainants under part 2 if
states' attorneys general do not pursue enforcement.
Response
Existing part 2 language imposes a criminal penalty for
violations.\111\ Section 3221(f) of the CARES Act (codified at 42
U.S.C. 290dd-2(f)) requires the Department to apply the provisions of
sections 1176 and 1177 of the Social Security Act to a part 2 program
for a violation of 42 CFR part 2 in the same manner as they apply to a
covered entity for a violation of part C of title XI of the Social
Security Act. Accordingly, the Department proposed to replace title 18
U.S.C. criminal enforcement in the current regulation with civil and
criminal penalties under sections 1176 and 1177 of the Social Security
Act (42 U.S.C. 1320d-5, 1320d-6), respectively, as implemented in the
HIPAA Enforcement Rule.\112\ Under the HIPAA Enforcement Rule, criminal
violations fall within the purview of DOJ. Historically, commenters
have noted that enforcement of penalties concerning alleged part 2
violations has been limited.\113\ By aligning part 2 requirements in
this final rule with current HIPAA provisions, part 2 programs now will
be subject to an enforcement approach that is consistent with that for
HIPAA-regulated health care providers, thereby reducing administrative
burdens for part 2 programs that are also HIPAA-covered entities. As
some commenters suggested, this will also enable staff within HIPAA and
part 2-regulated entities to more effectively collaborate given
additional alignment of part 2 and HIPAA regulatory provisions.
---------------------------------------------------------------------------
\111\ 42 CFR 2.3 (Criminal penalty for violation).
\112\ HIPAA Enforcement Rule, 45 CFR part 160, subparts C, D,
and E.
\113\ See Kimberly Johnson, ``COVID-19: Isolating the Problems
in Privacy Protection for Individuals with Substance Use Disorder,''
University of Chicago Legal Forum (May 1, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3837955; Substance Abuse
and Mental Health Servs. Admin., ``Substance Abuse Confidentiality
Regulations; Frequently Asked Questions'' (July 24, 2023), https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.
---------------------------------------------------------------------------
Therefore, it is unlikely that part 2 programs will experience an
adverse impact beyond that which in general applies to covered entities
under HIPAA. As the Department has explained elsewhere, alleged
unintentional violations are often resolved with covered entities
through voluntary compliance or corrective action.\114\
---------------------------------------------------------------------------
\114\ See ``Enforcement Process,'' supra note 99; HIPAA
Enforcement Rule, 45 CFR part 160, subparts C, D, and E.
---------------------------------------------------------------------------
Knowing or intentional violations of HIPAA may be referred to DOJ
for a criminal investigation. As noted in the NPRM, criminal penalties
may be imposed by DOJ for certain violations under 42 U.S.C. 1320d-6.
After publication of this final rule, the Department may provide
additional guidance specific to part 2; however, we anticipate that
many entities now will be more comfortable appropriately sharing
information and developing plans to mitigate risks of part 2 and HIPAA
violations because the HIPAA and part 2 complaint provisions are now
better aligned.\115\
---------------------------------------------------------------------------
\115\ See U.S. Dep't of Health and Human Servs., ``Guidance on
Risk Analysis,'' (July 22, 2019), https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html.
---------------------------------------------------------------------------
Section 1176 of the Social Security Act (codified at 42 U.S.C.
1320d-5) also provides for enforcement by states' attorneys general in
the form of a civil action. The reference to this statutory provision
in Sec. 2.3 encompasses this avenue of enforcement.
Although the HIPAA and HITECH penalties do not provide a private
right of action for privacy violations, as discussed elsewhere in this
preamble, in this final rule we provide a right for a person to file a
complaint to the Secretary for an alleged violation by a part 2
program, covered entity, business associate, qualified service
organization, or other lawful holder of part 2 records. While a person
may file a complaint to the Secretary, part 2 programs also must
establish a process for the program to directly receive complaints. The
right to file a complaint directly with the Secretary for an alleged
violation is analogous to a similar provision within the HIPAA Privacy
Rule.\116\ Although
[[Page 12493]]
the right to file a complaint to the Secretary for an alleged violation
of part 2 was not included in the proposed text of Sec. 2.4, it was
included in the required statements for the Patient Notice. Adding the
language to Sec. 2.4 is a logical outgrowth of the NPRM and a response
to public comments received.
---------------------------------------------------------------------------
\116\ 45 CFR 160.306.
---------------------------------------------------------------------------
Comment
One commenter asked for a clarification of what is considered an
``adverse action'' for the purposes of this section. Other commenters
requested clarification from the Department that acting on a complaint
that was held in abeyance after a patient exercises their right to
withdraw consent would not be viewed as retaliation.
Response
In the NPRM the Department referred to a prohibition on ``taking
adverse action against patients who file complaints.'' This prohibition
is broadly similar to that which exists within HIPAA in 45 CFR 160.316
and 164.530. The Department has described ``adverse actions'' as those
that may constitute intimidation or retaliation, such as suspending
someone's participation in a program.\117\ It is not clear to the
Department what the commenter means in asking that acting on a
complaint held in abeyance after a patient withdraws consent not be
viewed as retaliation. We note, however, that a complaint can be
withdrawn by the filer.\118\ Health care entities can likewise take
steps to investigate complaints internally, and OCR has developed tools
and resources to support HIPAA compliance.\119\
---------------------------------------------------------------------------
\117\ 70 FR 20224, 20230 (Apr. 18, 2005); 71 FR 8389, 8399 (Feb.
16, 2006).
\118\ See U.S. Dep't of Health and Human Servs., ``Enforcement
Highlights'' (July 6, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html.
\119\ See U.S. Dep't of Health and Human Servs., ``HIPAA
Enforcement'' (July 25, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html.
---------------------------------------------------------------------------
Comment
Several commenters, including legal and SUD recovery advocacy
organizations, urged the Department to include in the final rule
provisions permitting a patient to complain directly to OCR or the
Secretary, paralleling provisions in HIPAA. Another commenter asked
about obligations of entities, such as medical licensing boards and
physician health programs, and how a patient would report alleged
violations by those entities.
Response
In response to public comments, we are adding a new provision to
Sec. 2.4 in this final rule to permit a person to file a complaint to
the Secretary for a violation of this part by, among others, a lawful
holder of part 2 records in the same manner as a person may file a
complaint under 45 CFR 160.306 for a HIPAA violation. Specifically, we
provide in Sec. 2.4(b) that ``[a] person may file a complaint to the
Secretary for a violation of this part by a part 2 program, covered
entity, business associate, qualified service organization, or other
lawful holder'' in the same manner as under HIPAA (45 CFR 160.306). By
making this change, we are aligning part 2 with HIPAA and ensuring an
adequate mechanism for review and disposition of complaints related to
alleged part 2 violations. We are also adding a regulatory definition
of lawful holder in this final rule at Sec. 2.11. The Department will
provide information about how to file complaints of alleged part 2
violations before the compliance date for the final rule.
Comment
A commenter asked whether the state, agency, or disclosing person
would be penalized for a violation that results in the impermissible
disclosure of records subject to HIPAA or part 2.
Response
Whether a party subject to part 2 is held accountable for a
particular violation will depend on the facts and circumstances of the
case. The Department has explained elsewhere that it will attempt to
resolve enforcement actions through voluntary compliance, corrective
action, and/or a resolution agreement, and we anticipate that applying
the HIPAA Enforcement Rule framework to part 2 will have similar
results.\120\ Further, lawful holders are prohibited from using and
disclosing records in proceedings against a patient absent written
consent or a court order. In the case of an improper disclosure by a
part 2 program employee, the part 2 program would likely be provided
with notice of an investigation and the investigator would review
whether the program had policies and procedures in place and whether
those were followed in its handling of the improper disclosure. An
entity's compliance officer can help ensure breaches are properly
investigated and reported to the Department,\121\ and has
responsibilities to develop and implement a compliance plan.
---------------------------------------------------------------------------
\120\ See ``How OCR Enforces the HIPAA Privacy & Security
Rules,'' supra note 97.
\121\ See ``What are the Duties of a HIPAA Compliance Officer?''
The HIPAA Journal, https://www.hipaajournal.com/duties-of-a-hipaa-compliance-officer/; U.S. Dep't of Health and Human Servs., ``The
HIPAA Privacy Rule'', https://www.hhs.gov/hipaa/for-professionals/privacy/index.html; U.S. Dep't of Health and Human Servs.,
``Submitting Notice of a Breach to the Secretary'' (Feb. 27, 2023),
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html; U.S. Dep't of Health and Human Servs.,
``Training Materials'', https://www.hhs.gov/hipaa/for-professionals/training/index.html.
---------------------------------------------------------------------------
Comment
A commenter asked for clarification that penalties would not be
concurrently imposed under both HIPAA and part 2 for the same alleged
violation(s).
Response
HIPAA and part 2 regulations stem from different statutory
authorities and are different compliance regulations. With the CARES
Act, Congress replaced the previous criminal penalties established for
part 2 violations with a civil and criminal penalty structure imported
from HITECH. Nothing in the CARES Act states that an entity that is
subject to both regulatory schemes shall be subject to only one
regulation or one regulation's penalties. Therefore, an entity
potentially remains subject to both regulations, including their
provisions on penalties for violations.
What penalties could or would be imposed by the Department in a
particular case, and under which statutes or regulations (HIPAA,
HITECH, part 2, other regulations), remains a fact-specific inquiry.
State law provisions also may apply concurrently with some part 2 and
HIPAA requirements.\122\ Additionally, some aspects of part 2 or HIPAA
violations may fall within the jurisdiction of other agencies such as
SAMHSA (which continues to oversee accreditation of OTPs).\123\
---------------------------------------------------------------------------
\122\ See The Off. of the Nat'l Coordinator for Health Info.
Techn. (ONC), ``HIPAA versus State Laws'' (Sept. 5, 2017), https://www.healthit.gov/topic/hipaa-versus-state-laws; Nat'l Ass'n of State
Mental Health Program Dirs., ``TAC Assessment Working Paper: 2016
Compilation of State Behavioral Health Patient Treatment Privacy and
Disclosure Laws and Regulations,'' (2016) https://www.nasmhpd.org/content/tac-assessment-working-paper-2016-compilation-state-behavioral-health-patient-treatment.
\123\ See Substance Abuse and Mental Health Servs. Admin.,
``Certification of Opioid Treatment Programs (OTPs)'' (July 24,
2023), https://www.samhsa.gov/medications-substance-use-disorders/become-accredited-opioid-treatment-program.
---------------------------------------------------------------------------
Comment
One commenter noted that some covered entities may not be part 2
[[Page 12494]]
providers and urged HHS to ease the burden on such programs. Another
urged that business associates be included within the scope of this
section.
Response
We provide in Sec. 2.4(b) that ``[a] person may file a complaint
to the Secretary for a violation of this part by a part 2 program,
covered entity, business associate, qualified service organization, or
other lawful holder in the same manner as a person may file a complaint
under 45 CFR 160.306 for a violation of the administrative
simplification provisions of the Health Insurance Portability and
Accountability Act (HIPAA) of 1996.'' Thus, covered entities and
business associates are included within the scope of this section. The
compliance burdens for covered entities of receiving part 2 complaints
can be minimized by using the same process they already have in place
for receiving HIPAA complaints.
Comment
Commenters provided their views as to which agency or agencies
should receive part 2-related complaints. One commenter requested that
the regulation expressly identify the agency(ies) authorized to receive
part 2 complaints from patients. The commenter suggested that
complaints made to part 2 programs by patients can raise conflict of
interest issues because the program is investigating its own or its
staff's alleged misconduct. The commenter further urged that the
regulation identify specific agencies, such as OCR and SAMHSA, and
state their obligation to investigate complaints received. Other
commenters urged that OCR, rather than part 2 programs, receive
complaints, that patients be permitted to complain directly of
violations to OCR or that the Department clarify the various roles of
OCR, SAMHSA, and other agencies. One commenter supported part 2
programs having a process to receive complaints but said these programs
are understaffed and underfunded so they would need additional
resources. A health system that is a part 2 program and a covered
entity also supported part 2 programs developing a process to receive
complaints. A county health department asked that Sec. 2.4 be amended
to include specific provisions about how and where patients can file
their complaints with the HHS Secretary and the roles of HHS components
in receiving and investigating complaints.
Response
In response to public comments, and as provided in the HIPAA
regulations, we are finalizing an additional modification to Sec. 2.4
that was not included in the proposed text of this section but was
proposed as a required statement of rights in the Patient Notice in
Sec. 2.22(b)(1)(vi). The intent of the enforcement provisions in Sec.
2.4 was to create a process that mirrors that for HIPAA violations, but
the Department inadvertently omitted from its proposed changes to this
section an express right to complain to the Secretary. Analogous to 45 CFR
160.306, which permits the submission of complaints to the Secretary
alleging noncompliance by covered entities with the HIPAA Privacy
Rule,\124\ we are providing in this final rule a right for a person to
file a complaint to the Secretary for an alleged violation by a part 2
program, covered entity, business associate, qualified service
organization, and other lawful holder of part 2 records. Part 2
programs also must establish a process for the program to receive
complaints. A patient is not obliged to report an alleged violation
either to the Secretary or part 2 program but may report to either or
both. OCR has explained how HIPAA complaints are investigated, which
may be instructive, but is not dispositive of how part 2 complaints
will be handled.\125\ We believe our changes are a logical outgrowth of
the NPRM which provided an opportunity for public input and we are
making these changes in response to public comments received. We also
anticipate releasing information about the specific complaint process
after publication of this final rule.
---------------------------------------------------------------------------
\124\ See U.S. Dep't of Health and Human Servs., ``Federal
Register Notice of Addresses for Submission of HIPAA Health
Information Privacy Complaints'' (June 8, 2020), https://www.hhs.gov/guidance/document/federal-register-notice-addresses-submission-hipaa-health-information-privacy-complaints; U.S. Dep't
of Health and Human Servs., ``Filing a Complaint'' (Mar. 31, 2020),
https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
\125\ See U.S. Dep't of Health and Human Servs., ``How to File a
Health Information Privacy or Security Complaint'' (Dec. 23, 2022),
https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html.
---------------------------------------------------------------------------
Comment
A commenter urged that the complaint process reflect the needs of
those with limited English proficiency.
Response
Part 2 programs should be mindful that Federal civil rights laws
require certain entities, including recipients of Federal financial
assistance and public entities, to take appropriate steps. For
instance, such entities must take steps to ensure that communications
with individuals with disabilities are as effective as communications
with others, including by providing appropriate auxiliary aids and
services where necessary.\126\ In addition, recipients of Federal
financial assistance must take reasonable steps to ensure meaningful
access to their programs and activities for individuals with limited
English proficiency, including through language assistance services
when necessary.\127\ The Department stated in the 2017 Part 2 Final
Rule that materials such as consent forms ``should be written clearly
so that the patient can easily understand the form.'' \128\ The
Department further stated that it ``encourages part 2 programs to be
sensitive to the cultural and linguistic composition of their patient
population when considering whether the consent form should also be
provided in a language(s) other than English (e.g., Spanish).'' \129\
Consistent with these legal requirements, the Department strongly
encourages development of Sec. 2.4 materials that are clear and
reflect the needs of a program's patient population.
---------------------------------------------------------------------------
\126\ See e.g., U.S. Dep't of Health and Human Servs.,
``Effective Communication for Persons Who Are Deaf or Hard of
Hearing'' (June 16, 2017), https://www.hhs.gov/civil-rights/for-individuals/disability/effective-communication/index.html; U.S.
Dep't of Health and Human Servs., ``Section 1557: Ensuring Effective
Communication with and Accessibility for Individuals with
Disabilities'' (Aug. 25, 2016), https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-disability/index.html.
\127\ See U.S. Dep't of Health and Human Servs., ``Guidance to
Federal Financial Assistance Recipients Regarding Title VI
Prohibition Against National Origin Discrimination Affecting Limited
English Proficient Persons'' (July 26, 2013), https://www.hhs.gov/civil-rights/for-individuals/special-topics/limited-english-proficiency/guidance-federal-financial-assistance-recipients-title-vi/index.html; U.S. Dep't of Health and Human Servs., ``Section
1557: Ensuring Meaningful Access for Individuals with Limited
English Proficiency'' (Aug. 25, 2016), https://www.hhs.gov/civil-rights/for-individuals/section-1557/fs-limited-english-proficiency/index.html.
\128\ 82 FR 6052, 6077.
\129\ Id.
---------------------------------------------------------------------------
Comment
Another commenter remarked that some covered entities may need
technical assistance from the Department to establish complaint
processes under this section.
Response
The Department has existing materials to support compliance with
HIPAA and part 2.\130\ SAMHSA supports a Center of Excellence for
Protected Health Information Related to Behavioral Health that may
provide educational
[[Page 12495]]
materials and technical assistance to providers, patients, family
members, and others.\131\ The Department will consider what additional
guidance, technical assistance, and engagement on these issues may be
helpful for covered entities and the public after this regulation is
finalized.
---------------------------------------------------------------------------
\130\ See ``How OCR Enforces the HIPAA Privacy & Security
Rules,'' supra note 97; ``Substance Abuse Confidentiality
Regulations; Frequently Asked Questions,'' supra note 113.
\131\ See ``About COE PHI,'' supra note 105.
---------------------------------------------------------------------------
Comment
Other commenters emphasized that the Department may need additional
funding and staff adequate to receive and investigate complaints and
enforce these provisions. Another commenter similarly suggested that
part 2 programs may need more resources to develop a complaint process,
describing this as a ``substantial burden'' given part 2 program staff
and funding challenges.
Response
With respect to the burden on programs to develop a complaint
process, we believe that the two-year compliance timeline will provide
programs with sufficient time to plan for complaint management. We have
accounted for the burden associated with complaints in the RIA. The
Department has requested that Congress provide additional funding to
support part 2 compliance, enforcement, and other activities.\132\ OCR,
SAMHSA, CMS, and the Office of the National Coordinator for Health
Information Technology (ONC) have and will continue to collaborate to
support EHRs and health IT within the behavioral health space.\133\
---------------------------------------------------------------------------
\132\ See U.S. Dep't of Health and Human Servs., ``Department of
Health and Human Services, Fiscal Year 2024,'' FY 2024 Budget
Justification, General Department Management, Office for Civil
Rights, at 255, https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.
\133\ Id. See also, The Off. of the Nat'l Coordinator for Health
Info. Tech. (ONC), ``Behavioral Health,'' https://www.healthit.gov/topic/behavioral-health.
---------------------------------------------------------------------------
Comment
Another commenter believed that programs may need time and support
to adapt their information technology and EHRs, and urged SAMHSA to
work with ONC to support such efforts.
Response
The Department has estimated the cost to the Department to
implement this final rule and enforce part 2 and has included that in
the RIA. It has also requested additional funding to support
compliance, enforcement, and other activities.\134\ The number of part
2 programs in relation to HIPAA covered entities and business
associates is very small, so the costs will not rise to the same level
as for HIPAA implementation efforts. OCR, SAMHSA, CMS, and ONC have
collaborated and will continue to collaborate to support EHRs and
health IT within the behavioral health space.\135\
---------------------------------------------------------------------------
\134\ See ``Department of Health and Human Services, Fiscal Year
2024,'' supra note 132.
\135\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------
Final Rule
We are finalizing this section as proposed in the NPRM and further
modifying it by adding a new paragraph that provides a patient right to
file a complaint directly with the Secretary for violations of part 2
by programs, covered entities, business associates, qualified service
organizations, and other lawful holders.
As noted in the NPRM, these changes to Sec. 2.4 will align part 2
with HIPAA Privacy Rule provisions concerning complaints. Section
2.4(a) is consistent with the administrative requirements in 45 CFR
164.530(d) (Standard: Complaints to the covered entity). Proposed Sec.
2.4(c) would align with the HIPAA Privacy Rule provision at 45 CFR
164.530(g) (Standard: Refraining from intimidating or retaliatory
acts). The proposed Sec. 2.4(d) would be consistent with the HIPAA
Privacy Rule provision at 45 CFR 164.530(h) (Standard: Waiver of
rights). Thus, part 2 programs that are also covered entities already
have these administrative requirements in place, but programs that are
not covered entities would need to adopt new policies and procedures.
Section 2.11--Definitions
Proposed Rule
Section 2.11 includes definitions for key regulatory terms in 42
CFR part 2. The Department proposed to add thirteen defined regulatory
terms and modify the definitions of ten existing terms. Nine of the new
regulatory definitions proposed for incorporation into part 2 were
required by section 3221(d) of the CARES Act: ``Breach,'' ``Business
associate,'' ``Covered entity,'' ``Health care operations,'' ``HIPAA
regulations,'' ``Payment,'' ``Public health authority,'' ``Treatment,''
and ``Unsecured protected health information.'' In each case, 42 U.S.C.
290dd-2(k), as amended by section 3221(d), requires that each term
``has the same meaning given such term for purposes of the HIPAA
regulations.'' \136\
---------------------------------------------------------------------------
\136\ Section 3221(k) para. 5 incorporates the term HIPAA
regulations and reads: ``The term `HIPAA regulations' has the same
meaning given such term for purposes of parts 160 and 164 of title
45, Code of Federal Regulations.''
---------------------------------------------------------------------------
Other proposed new or modified definitions included: ``Informant,''
``Intermediary,'' ``Investigative agency,'' ``Part 2 program
director,'' ``Patient,'' ``Person,'' ``Program,'' ``Qualified service
organization,'' ``Records,'' ``Third-party payer,'' ``Treating provider
relationship,'' ``Unsecured record,'' and ``Use.'' Some of these terms
and definitions were proposed by referencing existing HIPAA regulatory
terms in 45 CFR parts 160 and 164, in part based on changes required by
the CARES Act. We also proposed changes for clarity and consistency in
usage between the HIPAA and part 2 regulations and to operationalize
other changes proposed in the NPRM.
In addition, the Department discussed three definitions--for
``Lawful holder,'' ``Personal representative,'' and ``SUD counseling
notes''--in requests for comments. The Department proposed each
definition because it believed the definitions improve alignment of
this regulation with HIPAA and support implementation efforts.
Further, we are finalizing a modified definition of ``Patient
identifying information'' as an outgrowth of changes to the standard
for de-identification of records in Sec. Sec. 2.16, 2.52, and 2.54
that are being finalized in response to comments on the NPRM.
General Comment
Several commenters, including large provider organizations, health
systems, and an employee benefits association, expressed general
support for the Department's approach to aligning the definitions for
terms that would appear in both HIPAA and part 2. One large provider
organization specifically commented that alignment of definitions
within HIPAA and part 2 would reduce administrative burden for covered
entities and part 2 providers by eliminating inconsistent terminology,
duplicative policies (including overlapping workforce training
requirements), and regulatory risk due to misinterpretation. An
academic medical center recommended that the Department compare and
incorporate any HIPAA definition, in their entirety, as applicable to
part 2 programs which are also HIPAA covered entities.
General Response
We appreciate the comments. The Department undertook a careful
analysis of definitions that, if incorporated, would result in the
further alignment of this regulation with HIPAA, or that are required
to operationalize required amendments to the regulations. Responses to
specific comments about each proposed definition are discussed below.
[[Page 12496]]
Breach
Section 290dd-2(k), as added by the CARES Act, required the
Department to adopt the term ``breach'' in part 2 by reference to the
definition in 45 CFR 164.402 of the HIPAA Breach Notification Rule.
HIPAA defines ``breach'' as ``the acquisition, access, use, or
disclosure of protected health information in a manner not permitted
under subpart E which compromises the security or privacy of the
protected health information.'' HIPAA also describes the circumstances
that are considered a ``breach'' and explains that a breach is presumed
to have occurred when an ``acquisition, access, use, or disclosure'' of
PHI occurs in a manner not permitted under the HIPAA Privacy Rule
unless a risk assessment shows a low probability that health
information has been compromised.\137\ To implement section 290dd-2(j)
added by section 3221(h) of the CARES Act, which requires notification
in case of a breach of part 2 records, we reference and incorporate the
HIPAA breach notification provisions.
---------------------------------------------------------------------------
\137\ U.S. Dep't of Health and Human Servs., ``Breach
Notification Rule'' (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
---------------------------------------------------------------------------
Comment
One legal services commenter requested clarification on the term
``breach'' and suggested that the Department amend the definition to
expressly refer to the misuse of records in a manner not permitted
under 42 CFR part 2 and that compromises the security or privacy of the
part 2 record, instead of referring to PHI. A medical professionals
association questioned whether the term ``breach'' could properly be
applied to lawful holders, but this comment and other comments related
to the application of breach notification provisions to lawful holders
are addressed in the description of comments for Sec. 2.16.
Response
We understand the request to expressly refer to part 2 records
instead of PHI, but as explained above, we are applying the statutory
definition that adopts the definition of ``breach'' in this regulation
by reference to the HIPAA provision. We believe the discussion above
makes clear that the definition should be applied to records under part
2 instead of PHI under HIPAA, and we further clarify that breach
includes use and disclosure of part 2 records in a manner that is not
permitted by part 2.
Final Rule
The final rule adopts the proposed definition of ``breach'' without
modification.
Business Associate
Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to
adopt the same meaning of ``business associate'' as is used in the
HIPAA regulations by incorporating the HIPAA definition codified at 45
CFR 160.103. Within HIPAA, a ``business associate'' generally describes
a person who, for or on behalf of a covered entity and other than a
workforce member of the covered entity, creates, receives, maintains,
or transmits PHI for a function or activity regulated by HIPAA, or who
provides services to the covered entity involving the disclosure of PHI
from the covered entity or from another business associate of the
covered entity to the person.\138\
---------------------------------------------------------------------------
\138\ U.S. Dep't of Health and Human Servs., ``Business
Associates'' (May 24, 2019), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
---------------------------------------------------------------------------
Comment
The Department received only supportive comments for its proposed
adoption of the term ``business associate'' into part 2 and the
proposed definition, as described above. In contrast, many commenters
expressed concern about the Department's proposal to incorporate
business associates into the definition of ``Qualified service
organization'' or how business associates relate to the proposed term
``Intermediary,'' and those comments are discussed in applicable
definitional sections below.
Response
We appreciate the comments.
Final Rule
The final rule adopts the proposed definition of ``business
associate'' without modification.
Covered Entity
Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to
adopt the same meaning of the term ``Covered entity'' as is used in the
HIPAA regulations by incorporating the HIPAA definition codified at 45
CFR 160.103. Within HIPAA, a ``covered entity'' means: (1) a health
plan; (2) a health care clearinghouse; or (3) a health care provider
who transmits any health information in electronic form in connection
with a transaction covered by 45 CFR subchapter C (Administrative Data
Standards and Related Requirements).
Comment
A large hospital system commented that it supported the inclusion
of ``health plan'' as part of the definition of ``covered entity''
asserting that it would allow for more consistent sharing of
information with its own health plan and for certain redisclosures of
part 2 records in alignment with HIPAA.
Response
The HIPAA definition of ``covered entity'' has long included health
plans. However, to the extent that the commenter may be referring to
the narrowed definition of ``third party payer,'' which excludes health
plans because they are already incorporated within the HIPAA definition
of covered entities, we agree that the change could have the effect
described by the commenter.
Final Rule
The final rule adopts the proposed definition of ``covered entity''
without modification.
Health Care Operations
Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to
adopt the same meaning of this term as is used in the HIPAA regulations
by incorporating the HIPAA definition codified at 45 CFR 164.501.
Within HIPAA, ``health care operations'' refer to a set of specified
activities, described in six paragraphs, that are conducted by covered
entities related to covered functions. Paragraphs (1) through (6)
generally refer to quality assessment and improvement; assessing
professional competency or qualifications; insurance; detecting and
addressing fraud and abuse and conducting medical reviews; business
planning and development; and business management and general
administrative activities.
Comment
A provider group specifically supported adoption of the HIPAA
definition of the term ``health care operations'' and its incorporation
into this regulation. A large health plan recommended expanding the
proposed definition to include care coordination and case management by
health plans as proposed by the Department in the 2021 HIPAA Privacy
Rule NPRM.\139\ One individual, commenting anonymously, asserted that
``public health'' should be recognized as a health care operation to
[[Page 12497]]
counter what it termed ``legal activism'' to re-define the term
``life.''
---------------------------------------------------------------------------
\139\ See Proposed Modifications to the HIPAA Privacy Rule to
Support, and Remove Barriers to, Coordinated Care and Individual
Engagement, 86 FR 6446, 6472 (Jan. 21, 2021).
---------------------------------------------------------------------------
Response
We appreciate the comments. The Department also notes that changing
the HIPAA definition of ``health care operations'' is outside the scope
of its authority for this rulemaking, and public comments submitted in
response to the 2021 NPRM remain under consideration.
Final Rule
The final rule adopts the proposed definition of ``health care
operations'' without modification.
HIPAA
Although not directed by statute, the Department proposed to add a
definition of HIPAA that explicitly references the Health Insurance
Portability and Accountability Act of 1996 as amended by the Privacy
and Security provisions in subtitle D of title XIII of the 2009 HITECH
Act. These provisions pertain specifically to the privacy, security,
breach notification, and enforcement standards governing the use and
disclosure of PHI, but exclude other components of the HIPAA statute,
such as insurance portability, and other HIPAA regulatory standards,
such as the standard electronic transactions regulation. The Department
proposed this definition of ``HIPAA'' to make clear the specific
components of the relevant statutes that would be incorporated into
this part.
Comment
The Department did not receive any comments specific to its
adoption of this definition.
Final Rule
The final rule adopts the proposed definition of ``HIPAA'' without
modification.
HIPAA Regulations
The current part 2 rule does not define ``HIPAA regulations.''
Consistent with 42 U.S.C. 290dd-2(k), the Department proposed to adopt
the same meaning of this term as is used for purposes of parts 160 and
164 of title 45 CFR, the regulatory provisions that codify the HIPAA
Privacy, Security, Breach Notification, and Enforcement regulations
(collectively referred to as ``HIPAA regulations''). For purposes of
this rulemaking, the term does not include the Standard Unique
Identifiers, Standard Electronic Transactions, and Code Sets regulations
at 45 CFR part 162.
Comment
The Department did not receive any specific comments, other than
those already discussed above, concerning its proposed definition of
this term.
Final Rule
The final rule adopts the proposed definition of ``HIPAA
regulations'' without modification.
Informant
Part 2 currently states that an ``informant'' means an individual:
(1) who is a patient or employee of a part 2 program or who becomes a
patient or employee of a part 2 program at the request of a law
enforcement agency or official; and (2) who at the request of a law
enforcement agency or official observes one or more patients or
employees of the part 2 program for the purpose of reporting the
information obtained to the law enforcement agency or official. Within
the definition of ``informant,'' the Department proposed to replace the
term ``individual'' with the term ``person'' as is used in the HIPAA
regulations. The Department believes that this change will foster
alignment with HIPAA, avoid confusion with the definition of individual
in HIPAA, and improve the public's understanding of HIPAA and the part
2 rules.
Comment
As noted below, the Department received general support for its
proposal to align the definition of ``person'' within part 2 with the
HIPAA definition of ``person'' in 45 CFR 160.103. The Department did
not receive other specific comments on ``informant.''
Final Rule
The final rule adopts the proposed definition of ``informant''
without modification.
Intermediary
The current rule imposes requirements on intermediaries in Sec.
2.13(d)(2) and special consent provisions in Sec. 2.31(a)(4) without
defining the term ``intermediary.'' Examples of an intermediary
include, but are not limited to, a HIE, a research institution that is
providing treatment, an ACO, or a care management organization. To
improve understanding of the requirements for intermediaries, and to
distinguish those requirements from the proposed accounting of
disclosure requirements, the Department proposed to establish a
definition of intermediary as ``a person who has received records,
under a general designation in a written patient consent, for the
purpose of disclosing the records to one or more of its member
participants who has a treating provider relationship with the
patient.'' Consistent with HIPAA's definition of ``person,'' and as
defined in this regulation, an ``intermediary'' may include entities as
well as natural persons. The requirements for intermediaries were
proposed to remain unchanged but to be redesignated from Sec. 2.13(d)
(Lists of disclosures) to new Sec. 2.24 (Requirements for
intermediaries).
Comment
Approximately half of the commenters on intermediaries opposed the
Department's proposal to define intermediary and retain consent
requirements for disclosures to intermediaries that differ from consent
for disclosures to business associates generally. Three-fourths of the
HIE/HIN and health IT vendors that commented on this set of proposals
opposed them. Several commenters, including a national trade
association and a leading authority on the use of health IT, stated
that the proposed definition is too vague and confusing.
Response
We appreciate these comments about the lack of clarity in the
current understanding and proposed definition of ``intermediary.'' As
we stated in the NPRM, the term ``intermediary'' is based on the
function of the person--receiving records from a part 2 program and
disclosing them to other providers as a key element of its role--rather
than on a title or category of an organization or business. We agree
that the interaction of this term with ``program,'' ``business
associate,'' and ``covered entity'' is a source of confusion and
believe a modified definition could address this confusion.
Comment
Commenters suggested a range of changes to the proposed definition.
These included revising the HIPAA definition of ``covered entity'' to
include examples of the intermediaries and removing the part 2
definition of ``intermediary;'' excluding the following from the
definition of intermediary: business associates, health IT vendors, and
health plans; and clarifying what types of HIEs or health IT vendors
are included in the definition (because some HIE technology or EHR
software does not maintain data or have access to it when exchanging
data between systems).
[[Page 12498]]
Response
We considered the possibility of removing the part 2 definition of
``intermediary'' entirely; however, that would leave a gap in privacy
protection for records that are disclosed to intermediaries that are
not subject to HIPAA requirements. For example, intermediaries may
include research institutions and care coordination organizations that
are not always subject to HIPAA. We adopt the proposed language of the
definition with modification: we exclude programs, covered entities,
and business associates, in part because the primary requirement of
intermediaries--to provide a list of disclosures upon patient request--
is similar to the new accounting of disclosures requirements that the
CARES Act applied to part 2 programs and that already applies to
covered entities and business associates.
For clarification, we reiterate here that a research institution
that is not providing treatment would not be considered an intermediary
because it would not have member participants with a treating provider
relationship to a patient. A health app that is providing individual
patients with access to their records would not be considered an
intermediary unless it is also facilitating the exchange of part 2
records from a part 2 program to other treating providers using a
general designation in a consent.
We also clarify that member participants of an intermediary refers
to health care provider practices or health-related organizations, such
as health plans. The member participants of an intermediary may or may
not be covered entities. Individual health plan subscribers (i.e.,
enrollees, members of a health plan) are not considered member
participants of an intermediary, although they may access records
through an EHR, because they are not providers or health-related
organizations. Further, employees of providers or health-related
organizations who share access to the same EHR system are not
considered member participants of an intermediary because the employer
as an entity is considered the participant. However, an HIE/HIN that is
providing services to a part 2 program that is not a covered entity
would be an intermediary (and the HIE/HIN would also be a QSO).
Comment
An SUD provider recommended modifying the proposed definition of
``intermediary'' to include ``a member of the intermediary named in the
consent,'' rather than limiting it to members of the intermediary that
have a treating provider relationship with the patient.
Response
Expanding the definition of ``intermediary'' to include any member
participant would open the door to accessing patients' SUD records
without their specific knowledge in advance (because the recipient
would be in a general designation within a consent). Although the CARES
Act expanded health plans' and other providers' access to records for
TPO, we do not believe the intention was to remove all restrictions on
access by member participants of a research institution, for example.
Removing programs, covered entities, and business associates from the
definition carves out a significant portion of entities that would
otherwise be subject to the intermediary requirements so that it is not
necessary to change the definition as suggested by the commenter.
Final Rule
We are adopting the proposed definition of ``intermediary,'' but
with an exclusion for part 2 programs, covered entities, and business
associates. We believe excluding business associates, in particular,
will encourage HIEs to accept part 2 records and include part 2
programs as participants and reduce burdens on business associates that
serve as HIEs.
Investigative Agency
The Department proposed to create a new definition of
``investigative agency'' to describe those government agencies with
responsibilities for investigating and prosecuting part 2 programs and
persons holding part 2 records, such that they would be required to
comply with subpart E when seeking to use or disclose records against a
part 2 program or lawful holder. In conjunction with proposed changes
to subpart E pertaining to use and disclosure of records for
investigating and prosecuting part 2 programs, the Department proposed
to define an ``investigative agency'' as ``[a] state or federal
administrative, regulatory, supervisory, investigative, law
enforcement, or prosecutorial agency having jurisdiction over the
activities of a part 2 program or other person holding part 2
records.'' Such agencies potentially will have available a new
limitation on liability under Sec. 2.3 if they unknowingly obtain part
2 records before obtaining a court order for such records, provided
they meet certain prerequisites.
Comment
Several commenters recommended that local, territorial, and Tribal
investigative agencies be added to the definition of ``investigative
agency'' because they have a role in investigations of part 2 programs.
These commenters asserted, for instance, that local agencies play a
role in investigating or prosecuting part 2 programs or other holders
of part 2 records and excluding them from the definition could create
an uneven application of the law.
Response
We appreciate the feedback in response to the request for comment
on whether other types of agencies should be included in the definition
of ``investigative agency'', and specifically whether adding agencies
that may be smaller or less resourced would present any concerns or
unintended consequences. We believe it is useful to include local,
Tribal, and territorial agencies in the definition; however, such
agencies should be aware that use of the safe harbor also requires
reporting to the Secretary of instances when it is applied in an
investigation or proceeding against a part 2 program or other holder of
records.
Comment
A few commenters recommended narrowing the definition of
``investigative agency'' by excluding agencies that supervise part 2
programs, to avoid creating uncertainty about whether, in performing
their supervisory functions, they are expected to obtain a court order
to use or disclose part 2 records of their subordinate programs. For
example, a state agency believed that, as proposed, the safe harbor
applies whenever an agency has obtained records without a court order--
thus the existence of the safe harbor implies that a court order may be
required for all types of investigations, even when other part 2
disclosure permissions apply, such as Sec. 2.53 (Management audits,
financial audits, and program evaluation). They expressed concern that
holders of records may resist legitimate agency requests for records
and urge the agency to first seek a court order. One commenter
recommended clarifying that existing permissions for agencies to obtain
records without a court order still apply. Another commenter pointed
out that Sec. 2.12(c)(3)(ii) already allows unlimited communication
``[b]etween a part 2 program and an entity that has direct
administrative control over the program,'' which includes government-
[[Page 12499]]
run SUD programs and administering agencies.
Response
We appreciate these concerns and believe that the existing criteria
for court orders are sufficient to prevent overuse of the court order
process by government agencies. Specifically, Sec. Sec. 2.66 and 2.67
require a finding by the court that ``other ways of obtaining the
information are not available.'' These include, for example, Sec.
2.12(c) for agencies with direct administrative control and Sec. 2.53
for agencies with oversight roles or that act as third-party payers. We
believe that the existing disclosure permissions for government
agencies are sufficient to clarify the scope of access to records by
supervisory agencies without obtaining a court order and that our
explanation will reinforce agencies' abilities to continue to obtain
part 2 records under permissions they have historically used and not
burden courts with unnecessary and potentially ineffective applications
for court orders. We reiterate here that the existence of the safe
harbor provision and the opportunity to seek a court order
retroactively do not affect the availability of other part 2 provisions
that allow access to records without written consent or a court order.
We believe this discussion will encourage investigative agencies to
evaluate how other disclosure permissions may apply to their requests
for records when they are in the role of a supervisory agency to a part
2 program.
Comment
One commenter, a state Medicaid fraud unit, recommended that their
agency be excluded from the proposed definition of ``investigative
agency'' and that they be able to access records without a court order.
In the alternative, they support the proposed safe harbor and related
procedures proposed in Sec. Sec. 2.66 and 2.67.
Response
Agencies with oversight authority may continue to rely on Sec.
2.53 to conduct program evaluations and financial audits without
obtaining a court order. Comments regarding the ability of a fraud unit
to rely on the proposed safe harbor are addressed below in the
discussion of Sec. 2.66.
Final Rule
In the final rule we are adopting the proposed definition of
``investigative agency'' and further modifying it to add local, Tribal,
and territorial agencies.
Lawful Holder
Lawful holders are not formally defined within part 2. In the
January 2017 final rule, the Department clarified its use of the term
``lawful holder'', stating that a ``lawful holder'' of patient
identifying information is an individual or entity who has received
such information as the result of a part 2-compliant patient consent
(with a prohibition on re-disclosure notice) or as a result of one of
the exceptions to the consent requirements in the statute or
implementing regulations and, therefore, is bound by 42 CFR part
2.\140\
---------------------------------------------------------------------------
\140\ See 82 FR 6052, 6068. See also 81 FR 6988, 6997.
---------------------------------------------------------------------------
Lawful holders are subject to numerous obligations within the
regulation, including the following:
Prohibited from using records in investigations or
proceedings against a patient without consent or a court order, Sec.
2.12(d).
Adopting policies and procedures to protect records
received, Sec. 2.16.
Providing notice upon redisclosure, Sec. 2.32.
Having a contract in place to redisclose records for
payment and health care operations that binds recipients to comply with
part 2 and redisclose only back to the program, Sec. 2.33.
Reporting to Prescription Drug Monitoring Programs only
with patient consent, Sec. 2.36.
Lawful holder that is a covered entity--may apply HIPAA
standards for research disclosures, Sec. 2.52.
Complying with audit and evaluation disclosure provisions,
Sec. 2.53.
In the NPRM the Department proposed three key changes that affect
lawful holders:
Section 2.4--to allow patients to file complaints of part
2 violations against both programs and lawful holders.
Section 2.12(d)--to expressly state that downstream
recipients from a lawful holder continue to be bound by the prohibition
on use of a patient's records in proceedings against the patient,
absent written consent or a court order.
Section 2.33(b)(3) and (c)--to exclude covered entities
and business associates from certain requirements for lawful holders
who have received records based on consent for payment and health care
operations; the requirement is for lawful holders to have a written
contract (with required provisions) before redisclosing records to
contractors or subcontractors. This section also provides that when
records are disclosed for payment or health care operations activities
to a lawful holder that is not a covered entity, business associate, or
part 2 program, the recipient may further use or disclose those records
as may be necessary for its contractors, subcontractors, or legal
representatives to carry out the payment or health care operations
specified in the consent on behalf of such lawful holders.
Overview of Comments
Some commenters provided views on whether to create a regulatory
definition of ``lawful holder,'' and if so, what entities should fall
within the definition. A significant majority of those commenters
recommended creation of a regulatory definition to help provide clarity
about responsibilities of respective types of recipients of part 2
records and none opposed a new regulatory definition. A few
organizations did not make a specific recommendation in their comments
about a regulatory definition of lawful holder but requested that the
Department provide clarification in the final rule. Several commenters
offered other views on lawful holders. Additional comments about lawful
holders are included in the comments on intermediaries.
Comment
Commenters recommended various definitions of ``lawful holder''
that exclude covered entities, business associates, family members, or
personal representatives.
Response
We appreciate these recommendations. We are not excluding part 2
programs, covered entities, and business associates from the finalized
regulatory definition of lawful holder when they receive part 2 records
from a part 2 program. However, covered entities and business
associates that receive part 2 records based on a TPO consent may
redisclose them as permitted by Sec. 2.33(b)(1) and part 2 programs
that are not covered entities or business associates, and that receive
part 2 records based on a TPO consent, may redisclose the records for
TPO as permitted by Sec. 2.33(b)(2). These recipients of part 2
records (part 2 programs, covered entities, and business associates)
are not subject to the additional limitations in Sec. 2.33(b)(3) and
(c) that apply to other lawful holders who have received records based
on consent for payment and health care operations. Family members
remain included as lawful holders; however, they are excluded from the
requirements
[[Page 12500]]
in Sec. 2.16 to have formal policies and procedures to protect
records.
Comment
Commenters recommended that the lawful holder provision provide a
safe harbor from the imposition of civil or criminal monetary penalties
under the HIPAA Breach Notification Rule for the unintentional
redisclosure of part 2 records by lawful holders that would have
otherwise been a compliant disclosure of PHI under the HIPAA Privacy
Rule's TPO permission.
Response
We appreciate the feedback but decline to create a new safe harbor
for unintentional violations by lawful holders because we believe the
existing penalty tier under the HITECH Act for ``did not know''
violations is appropriate to address these types of violations.
Comment
An advocacy organization for behavioral health recommended that the
Department define mobile health apps that are business associates as
``lawful holders'' and consider whether other health care
interoperability applications or mobile health apps would also fall
within the new definition.
Response
We appreciate this feedback on how technology may interact with the
part 2 regulations. Because we are excluding business associates from
certain requirements that apply to ``lawful holders'' a mobile health
app that is a business associate would also be excluded. However, we do
not believe a technology would qualify on its own as a business
associate, but rather the owner or developer of the technology that
qualifies as a person capable of executing a business associate
agreement. To the extent that the owner or developer of a health app,
through the use of its technology, becomes a recipient of records in
the manner described in the definition of ``lawful holder,'' it would
be a lawful holder subject to the requirements and prohibitions on
lawful holders of part 2 records.
Comment
A state agency urged that the rule add lawful holders and
intermediaries to Sec. 2.12 to permit them to verbally receive part 2
information and include it in a record without it being considered a
part 2 record.
Response
We appreciate this recommendation, but do not believe it is
necessary for several reasons. First, we are finalizing the definition
of ``lawful holder'' and the definition of ``intermediary'' (that
excludes covered entities and business associates). Thus, covered
entities and business associates will not be subject to requirements
for lawful holders or intermediaries. Second, we are finalizing changes
to Sec. 2.12(d) that: (a) expressly state that data segmentation and
record segregation is not required by part 2 programs, covered
entities, and business associates that have received records based on a
single consent for all future TPO; and (b) remove language requiring
segmentation of part 2 data or segregation of records. As a result of
these changes, to the extent a lawful holder or intermediary is a part
2 program, covered entity, or business associate, it is not required to
segregate the information, but it is still considered a part 2 record
subject to the prohibition against disclosure in proceedings against a
patient. Third, the existing rule contains a provision for non-part 2
providers who document verbally shared part 2 information, excluding
that information from part 2 status. Thus, only a small set of
recipients are still subject to the data segregation requirement,
taking into account the combination of changes finalized within this
rule.
Comment
One commenter, a medical professionals association for SUD
providers, recommended that the definition of ``lawful holders''
encompass entities with access to individual part 2 records outside the
HIPAA/HITECH and part 2 rules, and that the Department should clarify
that mobile health apps and ``interoperability applications'' that are
business associates of covered entities would be considered lawful
holders.
Response
Rather than refer to specific types of entities, we believe a
definition based on the status of the person with respect to how they
received subject records is a more workable definition and likely to
facilitate common understanding. In this regard, whether a person is a
managed care organization or mobile app, if that person received
records pursuant to a part 2-compliant consent with an accompanying
notice of disclosure, or as a result of a consent exception, the person
will be properly considered a lawful holder under this final rule.
Final Rule
The final rule adds a new regulatory definition of ``lawful
holder'' that is based on SAMHSA's previous explanations and guidance,
to read as noted in Sec. 2.11.
Part 2 Program Director
To foster alignment between the HIPAA regulations and the part 2
Rules, the Department proposed to replace the first instance of the
term ``individual'' with the term ``natural person'' and the other
instances of the term ``individual'' with the term ``person'' within
the definition of ``part 2 program director.''
Comment
As noted below, the Department received general support for its
proposal to align the definition of person within part 2 with the HIPAA
definition of person in 45 CFR 160.103.
Response
We appreciate the comments on the proposed changes.
Final Rule
The final rule adopts the proposed definition of ``part 2 program
director'' without further modification. The Department believes that
this change will foster alignment with HIPAA and understanding of HIPAA
and the part 2 rules.
Patient
The Department proposed to add language to the existing definition
to clarify that when the HIPAA regulations apply to part 2 records, a
``patient'' is an individual as that term is defined in the HIPAA
regulations.
Comment
The Department received general support for further aligning the
part 2 definition of patient with the definition of individual within
the HIPAA regulations.
Final Rule
The final rule adopts the proposed definition of ``patient''
without further modification.
Patient Identifying Information
Request for Comment
The Department did not propose changes to the definition of
``patient identifying information'' but requested comment on all
proposed changes to part 2, including the modifications to the de-
identification standard in Sec. Sec. 2.16, 2.52, and 2.54.
[[Page 12501]]
Comment
Comments on the proposed de-identification standard are discussed
in the sections listed above where de-identification is applied.
Response
In addressing the comments received on the proposed de-
identification standard and developing additional modifications to
better align part 2 with the HIPAA de-identification standard in 45 CFR
164.514(b), we identified additional changes needed to clarify and
align terms related to de-identification, including ``patient
identifying information.'' These changes are described below.
Final Rule
We are finalizing a modification to clarify the definition of
``patient identifying information'' and ensure consistency with the de-
identification standard incorporated into this final rule. This change
is in response to comments received on the NPRM and to align with the
finalization of the de-identification standard in Sec. Sec. 2.16,
2.52, and 2.54, and is consistent with the Department's existing
interpretation of the term. The final rule retains the part 2 term,
``patient identifying information,'' rather than replacing it with the
HIPAA term, ``individually identifiable health information,'' because
the two regulatory schemes apply to different sets of health
information and the CARES Act mandate for alignment did not erase those
distinctions.
The first sentence of the definition of ``patient identifying
information'' lists the following identifiers: name, address, social
security number, fingerprints, photograph, or similar information by
which the identity of a patient, as defined in Sec. 2.11, can be
determined with reasonable accuracy either directly or by reference to
other information. This identifying information is consistent with the
identifiers listed in 45 CFR 164.514(b)(2)(i) of the HIPAA Privacy
Rule that must be removed from PHI for it to be considered de-
identified and no longer subject to HIPAA protections. As explained in
the background section of this rule, the Department clarified in a 2017
final rule that the definition of patient identifying information in
part 2 includes the individual identifiers listed in the HIPAA Privacy
Rule at 45 CFR 164.514(b)(2)(i) for those identifiers that are not
already listed in the part 2 definition, and in preamble listed those
identifiers.\141\
---------------------------------------------------------------------------
\141\ See 82 FR 6052, 6064.
---------------------------------------------------------------------------
However, the second sentence of the definition of ``patient
identifying information'' in the part 2 rule currently in effect allows
retention of ``a number assigned to a patient by a part 2 program, for
internal use only by the part 2 program, if that number does not
consist of or contain numbers (such as a social security, or driver's
license number) that could be used to identify a patient with
reasonable accuracy from sources external to the part 2 program.'' This
exclusion from the definition for a number that could be a part 2
program's equivalent of a medical record number conflicts with one of
the identifiers that must be removed under the HIPAA de-identification
standard (and that is listed in the 2017 Part 2 Final Rule), namely,
``[a]ny other unique identifying number, characteristic, or code,
except as permitted by paragraph (c) of this section[.]'' Paragraph (c)
of Sec. 164.514 allows a covered entity to assign a code or other
record identifier that can be used to re-identify the PHI, but it must
be kept secure and not used for any other purpose. The allowable code
referred to in paragraph (c) is different from the number assigned to a
patient by a part 2 program, which is more likely to be a provider's
internal record identifier that may be ubiquitous throughout a
patient's medical record. Thus, we believe a clarification of the
current rule is needed that removes the last sentence of the definition
of patient identifying information.
The final rule adopts a modified definition of ``patient
identifying information'' to align more closely with the HIPAA standard
in 45 CFR 164.514.
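The following Python example is added here as an illustration and is not part of the rule or the Department's guidance. It shows the distinction the preceding paragraphs draw: a program-assigned patient number is one of the identifiers that must be removed for a record to be de-identified, whereas a paragraph (c) re-identification code is a randomly assigned value held separately from the de-identified data and used for nothing else. The code covers only the identifiers the preamble names (name, address, social security number, fingerprints, photograph) plus the record number; the Safe Harbor list at 45 CFR 164.514(b)(2)(i) has 18 categories, and a real implementation must remove all of them. The field names, the sample record, and the `ReidentificationVault` class are assumptions made for illustration.

```python
import secrets
from typing import Dict, List

# Identifier fields named in the part 2 definition of "patient identifying
# information". Constructed subset for illustration: Safe Harbor at
# 45 CFR 164.514(b)(2)(i) lists 18 identifier categories, and a real
# implementation must remove every one of them.
DIRECT_IDENTIFIERS = frozenset({"name", "address", "ssn", "fingerprints", "photograph"})

# The number a part 2 program assigns to a patient falls under "any other
# unique identifying number, characteristic, or code" and must be removed as
# well. It is not a paragraph (c) code: it is ubiquitous in the record and the
# program's own systems can translate it back to the patient.
RECORD_NUMBER_FIELDS = frozenset({"patient_number"})

REID_CODE_FIELD = "reid_code"  # assumed field name for the paragraph (c) code

SAMPLE_RECORD: Dict[str, str] = {  # constructed sample data, not a real patient
    "name": "Jane Doe",
    "address": "1 Example St",
    "ssn": "123-45-6789",
    "fingerprints": "fp-blob",
    "photograph": "photo-blob",
    "patient_number": "P-000123",
    "admission_year": "2023",
    "program_type": "outpatient",
}


class ReidentificationVault:
    """Separately held mapping from re-identification code to removed identifiers.

    45 CFR 164.514(c)(1) requires that the code not be derived from information
    about the individual (so no hash of the SSN or record number) and (c)(2)
    that the mapping be used for no other purpose and the mechanism not be
    disclosed. A random token from the OS CSPRNG satisfies the derivation rule;
    keeping this object apart from the de-identified data set and restricting
    who may call lookup() is the operational side of the security rule.
    """

    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, str]] = {}

    def issue_code(self, identifiers: Dict[str, str]) -> str:
        code = secrets.token_hex(16)
        while code in self._codes:  # collision is practically impossible; kept for correctness
            code = secrets.token_hex(16)
        self._codes[code] = dict(identifiers)
        return code

    def lookup(self, code: str) -> Dict[str, str]:
        return dict(self._codes[code])  # KeyError on an unknown code is intentional


def deidentify(record: Dict[str, str], vault: ReidentificationVault) -> Dict[str, str]:
    """Strip the named identifiers and the program's patient number; attach a vault code."""
    removed = {k: v for k, v in record.items()
               if k in DIRECT_IDENTIFIERS or k in RECORD_NUMBER_FIELDS}
    kept = {k: v for k, v in record.items() if k not in removed}
    kept[REID_CODE_FIELD] = vault.issue_code(removed)
    return kept


def legacy_deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Mirror the second sentence of the pre-2024 definition, which let a program keep
    its internal patient number. Under the aligned standard this is NOT de-identified."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def reidentify(deid: Dict[str, str], vault: ReidentificationVault) -> Dict[str, str]:
    """Restore the original record; only a holder of the vault can do this."""
    original = vault.lookup(deid[REID_CODE_FIELD])
    restored = {k: v for k, v in deid.items() if k != REID_CODE_FIELD}
    restored.update(original)
    return restored


def audit(deid: Dict[str, str], source: Dict[str, str]) -> List[str]:
    """Return the reasons a supposedly de-identified record fails the standard above."""
    problems: List[str] = []
    for field in DIRECT_IDENTIFIERS | RECORD_NUMBER_FIELDS:
        if field in deid:
            problems.append(f"identifier field still present: {field}")
    code = deid.get(REID_CODE_FIELD, "")
    # A code that embeds or equals an original identifier value is "derived from"
    # information about the patient and is disqualified under paragraph (c)(1).
    for field in DIRECT_IDENTIFIERS | RECORD_NUMBER_FIELDS:
        value = source.get(field)
        if value and code and (value in code or code in value):
            problems.append(f"re-identification code derived from {field}")
    return problems
```

The `audit` helper is the check a practitioner would run over an export before treating it as outside part 2: it fails any record that still carries the program's patient number (the behaviour the removed sentence of the old definition permitted) and any re-identification code that visibly embeds an identifier. It cannot detect a code derived by hashing, so the derivation rule has to be enforced by construction, as `ReidentificationVault.issue_code` does by drawing the code from a CSPRNG rather than from the record.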
Payment
The Department proposed to adopt the same definition of this term
as in the HIPAA regulations. This proposal would implement 42 U.S.C.
290dd-2(k), added by section 3221(d) of the CARES Act, requiring the
term ``payment'' in this part be given the same meaning of the term for
the purposes of the HIPAA regulations.
Comment
The Department received general support for aligning the part 2
definition of payment with the HIPAA definition.
Response
We appreciate the comments on adopting the HIPAA definition of
``payment'' and confirm that the intent is to uniformly apply the term
``payment'' in both this regulation and the HIPAA context.
Final Rule
The final rule adopts the proposed definition of ``payment''
without further modification.
Person
The term ``person'' is defined within part 2 as ``an individual,
partnership, corporation, federal, state or local government agency, or
any other legal entity, (also referred to as `individual or entity').''
The part 2 regulation uses the term ``individual'' in reference to
someone who is not the patient and therefore not the subject of a part
2 record. In contrast, the HIPAA regulations at 45 CFR 160.103 define
the term ``individual'' to refer to the subject of PHI, and ``person''
to refer to ``a natural person, trust or estate, partnership,
corporation, professional association or corporation, or other entity,
public or private.'' Thus, the HIPAA definition includes both natural
persons and corporate entities.
To further the alignment of part 2 and the HIPAA regulations and
provide clarity for part 2 programs and entities that must comply with
both sets of requirements, the Department proposed to replace the part
2 definition of ``person'' with the HIPAA definition in 45 CFR 160.103.
As an extension of this clarification, the Department further proposed
to replace the term ``individual'' with ``patient'' when the regulation
refers to someone who is the subject of part 2 records, to use the term
``person'' when it refers to someone who is not the subject of the
records at issue, and to modify the definition of ``patient'' in part 2
to include an ``individual'' as that term is used in the HIPAA
regulations. The Department stated that this combination of
modifications would promote the understanding of both part 2 and the
HIPAA regulations and requested comment on whether this or other
approaches would provide more clarity.
Comment
Commenters generally supported this proposed change as providing
clarity and helping to align with HIPAA. One commenter, a county SUD
provider, suggested that referring to ``person'' is helpful for clarity
and also emphasizes patient autonomy and whole person care. Another
commenter supported the efforts throughout the rulemaking to streamline
language by replacing the phrase ``individual or entity'' with the word
``person,'' but questioned use of this term in Sec. 2.51 (Medical
emergencies).
Response
We appreciate the comments. We confirm here that within this rule
``person'' refers to both a natural person and an entity, which may
include a government agency, a health care provider, or another type of
organization. Thus, the term ``person'' in the new safe harbor at Sec.
2.3 applies to an investigative agency as well as a natural person who
is acting under a grant of authority from an investigative agency. The
comment about disclosures for medical emergencies is discussed further
in Sec. 2.51 (Medical emergencies).
Final Rule
The final rule adopts the proposed definition of ``person'' without
further modification.
Personal Representative
The Department did not propose a regulatory definition of
``personal representative'' for this rule but requested comment on
whether to do so and apply it to Sec. 2.15 which addresses surrogate
decision making for patients who are deceased or lack capacity to make
decisions about their health care. Under the existing Sec. 2.15(a)(1)
provision, consent for disclosures of records may be given by the
guardian or other individual authorized under state law to act on
behalf of a patient who has been adjudicated as lacking capacity, for
any reason other than insufficient age, to manage their own affairs. In
circumstances without adjudication, under Sec. 2.15(a)(2) the part 2
program director may exercise the right of the patient to consent to
disclosure for the sole purpose of obtaining payment for services from
a third-party payer for an adult patient who for any period suffers
from a medical condition that prevents knowing or effective action on
their own behalf.
The existing rule, at Sec. 2.15(b)(2), requires a written consent
by an executor, administrator, or other personal representative
appointed under applicable state law for disclosures for a deceased
patient's record. If there is no legally appointed personal
representative, the consent may be given by the patient's spouse or, if
none, by any responsible member of the patient's family. However, part
2 does not define any of the terms for the persons who can provide the
consent, including ``personal representative.''
Comment
Several commenters, including state agencies and health technology
vendors, suggested that the Department provide that personal
representatives can give consent to use and disclose part 2 records on
behalf of an incapacitated patient. One of the state agencies commented
that such a grant of authority to personal representatives would help
ensure care coordination. All agreed that the Department should define
``personal representative'' and a few of these commenters commented
that the Department should define it consistent with HIPAA.
Specifically, a few of these commenters described facilities being
faced with requests for records by many individuals of varying
relationships to patients. They asserted that the NPRM leaves room for
interpretation about who has authority, making it difficult to ensure
patient privacy consistent with HIPAA.
Response
We acknowledge and agree with the commenters who provided views on
this topic. HIPAA does not include ``personal representative'' in its
definitions section but provides a clear standard in 45 CFR
164.502(g)(2), where it describes the responsibilities of a personal
representative as having ``authority to act on behalf of an individual
who is an adult or an emancipated minor in making decisions related to
health care.'' Section 164.502(g) provides when, and to what extent, a
personal representative must be treated as the individual for purposes
of the HIPAA Privacy Rule. Section 164.502(g)(2) requires a covered
entity to treat a person with legal authority to act on behalf of an
adult or emancipated minor in making decisions related to health care
as the individual's personal representative with respect to PHI
relevant to such personal representation. Adopting a definition in the
final rule will clarify who qualifies as a personal representative for
decisions about uses and disclosures for adults who lack the capacity
to make decisions about consenting to uses or disclosures of their SUD
records and provide needed consistency between part 2 and the HIPAA
Privacy Rule. Defining the term ``personal representative'' consistent
with the HIPAA standard furthers the alignment of part 2 and HIPAA in
accordance with the CARES Act and will also assist with treatment and
care coordination. We considered but decline to adopt 45 CFR 164.502(g)
in its entirety because several paragraphs conflict with part 2, such
as consent by minors, and we believe it is important to maintain those
provisions of part 2 that are more protective of patient privacy.
Final Rule
We are finalizing in Sec. 2.11 a new regulatory definition of
``personal representative'' that mirrors language in the HIPAA Privacy
Rule at 45 CFR 164.502(g).
Program
Within the definition of ``program,'' the Department proposed to
replace the term ``individual or entity'' with the term ``person'' as
is used in the HIPAA regulations and make no other changes. Part 2
defines program as: (1) An individual or entity (other than a general
medical facility) who holds itself out as providing, and provides,
substance use disorder diagnosis, treatment, or referral for treatment;
or (2) An identified unit within a general medical facility that holds
itself out as providing, and provides, substance use disorder
diagnosis, treatment, or referral for treatment; or (3) Medical
personnel or other staff in a general medical facility whose primary
function is the provision of substance use disorder diagnosis,
treatment, or referral for treatment and who are identified as such
providers.
Comment
The Department received several comments on the existing definition
of ``program,'' including several elements for which no changes were
proposed. Some providers commented that they continue to be confused as
to the meaning of ``holds itself out.'' Commenters also requested
clarity as to whether they or their facility's ``primary function'' was
the provision of SUD treatment. Commenters requested more objective
definitions of these terms or use of another approach to defining a
program, such as HHS creating a central registry of part 2 programs
similar to that developed by the Health Resources and Services
Administration for health centers or the 340B Drug Pricing Program.
Lacking such clarity, commenters asserted that it may be difficult for
providers to distinguish between claims that are subject to part 2
consent or other provisions from those that are not. Commenters also
asked whether a program or provider holds themselves out based on their
advertising SUD services or based on their being known to provide,
refer, or bill for SUD treatment. One commenter believed that general
medical facilities are exempt from the definition of part 2 programs,
yet in practice such facilities may offer SUD treatment, and this may
be widely known in the community. The commenter urged the Department to
provide additional clarity on how part 2 applies to general
medical facilities or practices given current emphasis on behavioral
health integration and care coordination for
patients. Another commenter noted that facilities making it known that
they offer SUD treatment can help to reduce stigma and discrimination
and encourage patients to seek needed care.
A medical professionals' association asserted that EHRs are not
designed to treat some units or locations within a facility, such as
emergency departments, differently than others. The commenter urged the
Department to define part 2 ``program'' as being limited to licensed
SUD providers to help provide needed clarity. Other commenters
suggested that providers may offer medications for opioid use disorder
(MOUD) (also known as medication assisted treatment (MAT)) \142\ but do
not specifically hold themselves out as being part 2 programs.
Commenters urged the Department to clarify that facilities or providers
providing MOUD do not become part 2 programs unless doing so is their
primary function.
---------------------------------------------------------------------------
\142\ This rule follows the convention adopted by SAMHSA of
referring to MOUD rather than MAT. See 87 FR 77330, 77338 (Dec. 16,
2022).
---------------------------------------------------------------------------
Response
We did not propose changes to the long-standing definition of a
part 2 ``program'' in 42 CFR part 2, and thus the final rule is limited
to interpreting the definition rather than revising it. Whether a
provider holds itself out as providing SUD treatment or as a practice
with the primary function of providing SUD treatment within a general
medical facility setting is a fact-specific inquiry that may depend on
how a particular program operates and describes or publicizes its
services. That said, the Department acknowledges comments about
providers' challenges in applying the definition of part 2 ``program''
in integrated care settings or using EHRs and other technologies to
support coordinated, integrated care. The Department has provided
guidance on this issue in the past.\143\ After this rule is final, the
Department may update or provide additional guidance to help further
clarify the definition of program. The Department has historically
noted that most SUD treatment programs are federally assisted and
therefore that prong of part 2 typically applies. In 2017, the
Department largely reiterated its proposed interpretations of ``holds
itself out'' and ``primary function,'' \144\ and more recently
developed guidance on the applicability of part 2.\145\
---------------------------------------------------------------------------
\143\ See Substance Abuse and Mental Health Servs. Admin.,
``Disclosure of Substance Use Disorder Patient Records: Does Part 2
Apply to Me?'' (May 1, 2018), https://www.hhs.gov/guidance/document/does-part-2-apply-me.
\144\ See discussion at 82 FR 6052, 6066.
\145\ See ``Disclosure of Substance Use Disorder Patient
Records: Does Part 2 Apply to Me?,'' supra note 143.
---------------------------------------------------------------------------
Comment
Another commenter asked that the Department specifically carve out
from part 2 IHS and Tribal facilities that provide MOUD incident to
their provision of general medical care.
Response
We appreciate the comment; however, this change is beyond the scope
of this rulemaking. The Department conducted a Tribal consultation
about the CARES Act changes to this rule in March 2022 \146\ and will
continue to provide support to Tribal entities and collaborate with IHS
in implementing the final rule. The Department also notes that some
facilities and providers, even if they do not meet the definition of
program, still may be required by state regulations to comply with part
2 requirements.\147\
---------------------------------------------------------------------------
\146\ See U.S. Dep't of Health and Human Servs., Off. for Civil
Rights and the Substance Abuse and Mental Health Servs. Admin.,
``Follow up Report on the 42 CFR part 2 Tribal Consultation
Recommendations'' (June 2023), https://www.samhsa.gov/sites/default/files/follow-up-report-42-cfr-part-2-tribal-consultation-recommendations-june-2023.pdf.
\147\ See California Health & Human Servs. Agency, Ctr. for Data
Insights and Innovation, ``State Health Information Guidance, 1.2,
Sharing Behavioral Health Information in California'' (Apr. 2023),
https://www.cdii.ca.gov/wp-content/uploads/2023/04/State-Health-Information-Guidance-1.2-2023.pdf; see also ``TAC Assessment Working
Paper: 2016 Compilation of State Behavioral Health Patient Treatment
Privacy and Disclosure Laws and Regulations,'' supra note 122.
---------------------------------------------------------------------------
Final Rule
The final rule adopts the proposed definition of ``program''
without further modification.
Public Health Authority
The Department proposed to adopt the same meaning for this term as
in the HIPAA Privacy Rule at 45 CFR 164.501. This proposal would
implement subsection (k) of 42 U.S.C. 290dd-2, added by section 3221(d)
of the CARES Act, requiring the term in this part be given the same
meaning of the term for the purposes of the HIPAA regulations.
Comment
The Department received a few specific supportive comments,
including from several state agencies, that the addition of the
proposed definition would facilitate public health authorities'
provision of comprehensive health and health care information to the
public, and would help clarify the provision of comprehensive data and
information to public health authorities for critical public health
needs.
Response
We appreciate the comments.
Final Rule
The final rule adopts the proposed definition of ``public health
authority'' without further modification.
Qualified Service Organization
The Department proposed to modify the definition of ``qualified
service organization'' by adding HIPAA business associates to the
regulatory text to clarify that they are QSOs in circumstances when
part 2 records also meet the definition of PHI (i.e., when a part 2
program is also a covered entity). The Department stated that this
proposal would facilitate the implementation of the CARES Act with
respect to disclosures to QSOs. The HIPAA regulations generally permit
disclosures from a covered entity to a person who meets the definition
of a business associate (i.e., a person who works on behalf of or
provides services to the covered entity) \148\ without an individual's
authorization, when based on a business associate agreement that
incorporates certain protections.\149\ Similarly, the use and
disclosure restrictions of this part do not apply to the communications
between a part 2 program and QSO when the information is needed by the
QSO to provide services to the part 2 program. This definition is
proposed in conjunction with a proposal to modify Sec. 2.12
(Applicability), to clarify that QSOs also use part 2 records received
from programs to work ``on behalf of'' the program.
---------------------------------------------------------------------------
\148\ See 45 CFR 160.103 (definition of ``Business associate'').
\149\ See, e.g., 45 CFR 164.504(e).
---------------------------------------------------------------------------
The Department also proposed a wording change to replace the phrase
``individual or entity'' with the term ``person'' as proposed to
comport with the HIPAA meaning of the term.
Comment
Several organizations commented on QSOs. A behavioral health
advocacy organization supported the proposed change because consent
requirements would not apply to information exchanges between part 2
programs and business associates when they are providing ``service
work'' on behalf of the part 2 program and this expansion would
encourage data sharing for part 2 programs. A state health data agency
recommended eliminating the QSO
definition in favor of business associate. The commenter believed that
if Sec. 2.3(c) applies the various sanctions of HIPAA to part 2
programs regardless of whether the program is a HIPAA covered entity or
business associate, the need to retain QSOs for part 2 programs that
are not covered entities seems to be eliminated. A health system
commenter found the existing definition of QSO to be broad and said
that it is difficult to know which recipients are receiving part 2
records. This commenter would support the proposed definition if it
meant that compliance with a business associate agreement would meet
the part 2 requirements for a QSO agreement (QSOA).
Response
The Department is maintaining a distinct definition in part 2 for
QSOs. The revised definition clarifies the obligations of a business
associate that has records created by a covered entity that is a part 2
program (which is subject to all part 2 requirements) and a business
associate that has records from a covered entity that is only a
recipient of part 2 records (and subject to the new redisclosure
permission as allowed under the HIPAA Privacy Rule). While QSOs
supporting part 2 programs in such activities as data processing and
other professional services are analogous to the activities of business
associates supporting covered entities, QSOs have a distinct function
within part 2. For these reasons, a QSOA under part 2 should be
understood as distinct from business associate agreements required by
HIPAA.
Comment
Another state commenter suggested that QSOs should be included in
the breach notification requirements that are being newly applied to
part 2 programs.
Response
We considered finalizing a requirement for QSOs to comply with the
new breach reporting requirements in Sec. 2.16 in the same manner as
they apply to business associates under HIPAA. We believe subjecting
QSOs to this requirement would have underscored the status of QSOs as
similar to business associates; however, we are not making this change
because the CARES Act provides that breach notification should apply to
part 2 programs in the same manner as it does to covered entities and
does not mention breach notification requirements with respect to QSOs
or business associates. Regardless, part 2 programs are likely to
address breach notifications in contractual provisions within a QSOA,
so QSOs need to be aware of breach notification.
Comment
A few HIN/HIEs requested that the definition of QSO be modified to
expressly include subcontractors of QSOs. The commenters further
requested that the Department withdraw prior regulatory guidance
regarding ``contract agents,'' because it has been interpreted by some
as requiring a Federal agency-level relationship between the QSO and
the QSO's subcontractor to permit the QSO to engage with a
subcontractor.
Response
The Department declines to withdraw previous guidance concerning
contract agents or subcontractors, which it still views as relevant. In
its 2010 HIE guidance, the Department stated that ``[a]n HIO may
disclose the Part 2 information to a contract agent of the HIO, if it
needs to do so to provide the services described in the QSOA, and as
long as the agent only discloses the information back to the HIO or the
Part 2 program from which the information originated.'' \150\ In 2017
the Department noted that ``[w]e have previously clarified in responses
to particular questions that contracted agents of individuals and/or
entities may be treated as the individual/entity.'' \151\ In the 2018
final rule, the Department stated that ``SAMHSA guidance indicates that
a QSOA does not permit a QSO to re-disclose information to a third
party unless that third party is a contract agent of the QSO, helping
them provide services described in the QSOA, and only as long as the
agent only further discloses the information back to the QSO or to the
part 2 program from which it came.'' \152\
---------------------------------------------------------------------------
\150\ Substance Abuse and Mental Health Servs. Admin.,
``Frequently Asked Questions: Applying the Substance Abuse
Confidentiality Regulations to Health Information Exchange (HIE),''
at 8, https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf.
\151\ 82 FR 6052, 6056.
\152\ 83 FR 239, 246.
---------------------------------------------------------------------------
The Department, in the 2020 Part 2 Final Rule, noted that
activities of QSOs ``would overlap with those articulated in Sec.
2.33(b) related to information disclosures to a lawful holder's
contractors, subcontractors, and legal representatives for the purposes
of payment and/or health care operations.'' \153\ This guidance
continues to be relevant to the roles of QSOs and their subcontractors
or agents.
---------------------------------------------------------------------------
\153\ 85 FR 42986, 43009.
---------------------------------------------------------------------------
Comment
According to one county government, the addition of business
associates to the definition of a ``qualified service organization'' is
helpful for the county health system's ability to serve patients in
need of SUD treatment. As a large health system and provider of
behavioral health services, this county relies on business associates
to operate its programs. A clearer definition of QSOs will allow the
county and its part 2 programs to expand services using business
associates to provide much needed assistance with claims, data and
analytics, and quality assurance, the commenter said.
Response
The Department appreciates the comments on its proposed change.
Comment
An advocacy organization urged HHS to clarify that a business
associate must still meet all aspects of the QSO definition, including
entering into a QSOA. It also suggested that HHS should consider
creating and publishing an official version of a joint QSOA and
business associate agreement and that HHS should also work to improve
major technology vendors' understanding of part 2, so that part 2
programs and their patients can benefit from services like email,
cloud-based storage, and telehealth platforms, while maintaining
confidentiality safeguards. Another commenter said the Department
should provide guidance on how terms such as intermediaries, business
associates, qualified service organizations, and lawful holders
interact and differ.
Response
The Department appreciates these comments and will consider what
additional guidance may be helpful after this rule is finalized. The
Department explains throughout this rule the roles and functions
of lawful holders, business associates, QSOs, and intermediaries but
may provide additional, concise guidance in the future. As highlighted
in its guidance entitled ``Disclosure of Substance Use Disorder Patient
Records: Does Part 2 Apply to Me?,'' such inquiries are fact-specific
depending on an organization's or provider's role in SUD treatment and
the records it shares or receives.\154\
---------------------------------------------------------------------------
\154\ See ``Disclosure of Substance Use Disorder Patient
Records: Does Part 2 Apply to Me?,'' supra note 143.
---------------------------------------------------------------------------
Final Rule
The final rule adopts the proposed definition of QSO to expressly
include
business associates as QSOs where the PHI in question also constitutes
a part 2 record and further modifies the new paragraph by adding a
clarification that the definition of QSO includes business associates
where the QSO meets the definition of business associate for a covered
entity that is also a part 2 program. Finalizing the changes to
expressly include business associates as QSOs responds to comments
received on the NPRM and those from others on previous part 2
rulemakings (such as during SAMHSA's 2014 Listening Session) \155\
noting that the role of QSOs is analogous to business associates such
that aligning terminology makes sense given the purpose of section 3221
of the CARES Act to enhance harmonization of HIPAA and part 2. As noted
in the NPRM, the Department also believes finalizing this proposal
facilitates the implementation of the CARES Act with respect to
disclosures to QSOs.
---------------------------------------------------------------------------
\155\ See ``Disclosure of Substance Use Disorder Patient
Records: Does Part 2 Apply to Me?,'' supra note 143; see also
Confidentiality of Alcohol and Drug Abuse Patient Records, Notice of
Public Listening Session, 79 FR 26929 (May 12, 2014).
---------------------------------------------------------------------------
Records
The definition of ``records'' specifies the scope of information
that part 2 protects. The Department proposed to insert a clause to
expressly include patient identifying information within the definition
of records and to remove, as unnecessary, the last sentence that
expressly included paper and electronic records.
Comment
Several organizations commented on the definition of ``records.''
Several commenters on the definition of ``record'' requested that the
final rule expressly state that records received from a part 2 program
under a consent for TPO no longer retain their characteristic as part 2
records. These commenters provided their views of the difficulties
associated with tracking the provenance of a particular data element
once it has been added to a record. One comment suggested that the
recipient should be able to redisclose the data for TPO even if the
provenance could not be tracked.
Response
We appreciate the comments but decline to add a statement that
records received under a consent for TPO are no longer part 2 records.
Instead, in response to other comments we are finalizing an express
statement in Sec. 2.12(d) that segregation of records received by a
part 2 program, covered entity, or business associate under a consent
for TPO is not required. We believe it is necessary for the records
received to retain their characteristic as part 2 records to ensure
that recipients comply with the continuing prohibition on use and
disclosure of the records in investigations or proceedings against the
patient, absent written consent or a court order. We agree with the
comment that a recipient that is a part 2 program, covered entity, or
business associate should be able to redisclose the data for TPO as
permitted by HIPAA and believe that the suite of modifications in the
final rule accomplishes that end.
Comment
According to one commenter, the definitions of ``record,''
``program,'' and ``patient identifying information'' and how they are
applied are inconsistent, cross-referential, and confusing. This
commenter urged the Department to simplify and clarify these terms,
perhaps by adopting a single term as used in HIPAA (e.g., ``protected
health information'') to uniformly apply throughout the regulation.
Response
We appreciate this comment and are finalizing a number of changes
to improve consistency and clarity throughout the rule; however, we are
also mindful that many definitions have a special meaning within this
part and the primary aim of this rulemaking is to implement the CARES
Act amendments to 42 U.S.C. 290dd-2. We are incorporating the term
``patient identifying information'' into the definition of record, in
part to align with the HIPAA definition of PHI which includes
demographic information. Thus, with this modification the definition
includes not only information that could identify a patient as having
or having had an SUD, but also information that identifies the patient.
Comment
An individual commenter recommended that the Department retain the
last sentence of the definition because it is helpful to indicate that
part 2 may apply to paper and electronic records and removing it might
suggest to programs that the regulation no longer applies to paper
records.
Response
In the five decades since the promulgation of the part 2
regulation, health IT has become widely adopted and it is evident that
records include both paper and electronic formats. The Department does
not intend to change the meaning or understanding of records with this
proposed modification, but only to streamline the description.
Final Rule
We are adopting the proposed definition of ``records'' without
further modification.
SUD Counseling Notes
In the NPRM, we requested input about whether to create a new
definition similar to psychotherapy notes within HIPAA that is specific
to the notes of SUD counseling sessions by a part 2 program
professional. Such notes would be part 2 records, but could not be
disclosed based on a general consent for TPO. They could only be
disclosed with a separate written consent that is not combined with a
consent to disclose any other type of health information. We requested
comments on the benefits and burdens of creating such additional
privacy protection for SUD counseling notes that are maintained
primarily for use by the originator of the notes, similar to
psychotherapy notes as defined in the HIPAA Privacy Rule. We provided
potential language for ``SUD counseling notes'', defining it as notes
recorded (in any medium) by a part 2 program provider who is an SUD or
mental health professional documenting or analyzing the contents of
conversation during a private counseling session or a group, joint, or
family counseling session and that are separated from the rest of the
patient's record. ``SUD counseling notes'' excludes medication
prescription and monitoring, counseling session start and stop times,
the modalities and frequencies of treatment furnished, results of
clinical tests, and any summary of the following items: diagnosis,
functional status, the treatment plan, symptoms, prognosis, and
progress to date.\156\
---------------------------------------------------------------------------
\156\ 87 FR 74216, 74230.
---------------------------------------------------------------------------
Comment
Many commenters somewhat or strongly supported the Department's
proposal to include a definition of ``SUD counseling notes.'' We are
finalizing the proposed definition and discuss comments specifically
regarding the proposed definition below and other comments relating to
consent and disclosure of SUD counseling notes within Sec. 2.31.
Comments Supporting a Proposed SUD Counseling Notes Definition
An SUD recovery organization supported the potential definition. An
association of medical professionals also supported establishing a
definition of
``SUD counseling notes'' that effectively copies the definition of
``psychotherapy notes'' under the HIPAA Privacy Rule. A state health
department supported an ``SUD counseling notes'' definition in Sec.
2.11 because this would permit disclosure without patient consent for
the purpose of oversight of the originator of the SUD counseling notes
to ensure patient safety. Another state agency urged that SUD
counseling session notes be treated similarly to psychotherapy notes as
now addressed in HIPAA (i.e., SUD counseling notes be given protections
equal to psychotherapy notes). A provider supported the addition of a
definition of ``SUD counseling notes'' as written to incorporate the
same protections as described in the HIPAA regulations for
psychotherapy notes. The provider believed that any perceived burdens
of creating a separate definition of SUD counseling notes are
outweighed by the benefits of the additional protections gained by
requiring separate authorization for release of the SUD counseling
notes. A county agency recommended that we add this protection in
alignment with the psychotherapy notes restriction under HIPAA and
further suggested that the protection extend to all clinical notes in
addition to the notes of SUD counselors. The commenter further recommended that the
definition of ``counseling notes'' include assessment forms. This added
protection would safeguard against use of SUD counseling notes in
pending legal cases and pending dependency court (child custody) cases.
A hospital commenter supported providing a corresponding protection
in part 2 for certain notes for SUD patients, like psychotherapy notes
have under HIPAA, but did not support the use of a new term that would
differentiate SUD counseling notes from psychotherapy notes. Instead,
the hospital recommended using psychotherapy notes or SUD psychotherapy
notes for consistency. The commenter also suggested further discussion
of the use of the term ``psychotherapy notes'' in the regulations,
since the term continues to generate confusion. The commenter stated
that the terms ``counseling notes'' and ``psychotherapy notes'' have a
different meaning in routine clinical practice and are used frequently,
but do not seem to meet the definition in the NPRM.
Response
We appreciate comments concerning our proposed definition of ``SUD
counseling notes'' and respond as follows. As discussed in the NPRM,
the intent of the potential definition we described was to align with
HIPAA provisions regarding psychotherapy notes, and we discuss
psychotherapy notes further in Sec. 2.31 below.\157\ We believe the
final definition of ``SUD counseling notes'' will ease compliance
burdens for part 2 programs because the definition almost exactly
matches the definition of ``psychotherapy notes'' under the HIPAA
Privacy Rule except for the references to SUD professionals and SUD
notes.
---------------------------------------------------------------------------
\157\ See, e.g., 45 CFR 164.501; 45 CFR 164.508; U.S. Dep't of
Health and Human Servs., ``Does HIPAA provide extra protections for
mental health information compared with other health information?''
(Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html; 65 FR 82461, 82497, 82514 (Dec. 28,
2000).
---------------------------------------------------------------------------
As we explained in the 2000 final HIPAA Privacy Rule, psychotherapy
notes ``are the personal notes of the therapist, intended to help him
or her recall the therapy discussion and are of little or no use to
others not involved in the therapy.'' \158\ While the commenter above
did not define what it meant by assessment forms, consistent with HIPAA
our final definition of ``SUD counseling notes'' expressly excludes
``medication prescription and monitoring, counseling session start and
stop times, modalities and frequencies of treatment furnished, results
of clinical tests, and any summary of the following items: diagnosis,
functional status, the treatment plan, symptoms, prognosis, and
progress to date.''
---------------------------------------------------------------------------
\158\ 65 FR 82461, 82623.
---------------------------------------------------------------------------
Comment
Several SUD recovery organizations supported a ``SUD counseling
notes'' definition because these notes often contain highly sensitive
information that supports therapy. Limiting access to these notes is
critical to protect the therapeutic alliance due to the unique risks
that patients face due to the highly sensitive information in these
notes. An SUD recovery association and SUD provider commented that the
Department should protect counseling notes using a new definition
similar to psychotherapy notes, require specific consent, and not allow
such consent to be combined with consent to disclose any other type of
health information. According to these two commenters, the patient's
prognosis should be considered a counseling note because it could bias
staff toward the patient's situation; it is subjective, and the large
turnover of counseling staff results in greater reliance on existing
reports. An individual commenter also said that they supported the
Department's version of SUD counseling notes, but expressed concern
about excluding prognosis from SUD counseling notes; they too believed
that prognosis is too subjective and its exclusion from the definition
could result in bias or prejudice. Given the large turnover of
counseling staff and the use of fairly junior clinicians to provide
service, prognosis should be considered a counseling note. A few SUD
treatment professionals associations also said that counseling notes
should be so protected using a new definition similar to psychotherapy
notes.
Response
We appreciate comments from SUD recovery organizations and others
about our proposed changes. The final definition of ``SUD counseling
notes'' expressly excludes ``medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies
of treatment furnished, results of clinical tests, and any summary of
the following items: diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.'' Thus, prognosis
information is excluded from ``SUD counseling notes'' under the
definition adopted in this final rule. Information critical to the
patient's diagnosis and treatment, such as prognosis and test results,
should be within the patient's part 2 record or medical record such
that it may be available for such activities as treatment consultation,
medication management, care coordination, and billing.\159\
---------------------------------------------------------------------------
\159\ See U.S. Dep't of Health and Human Servs., ``Individuals'
Right under HIPAA to Access their Health Information 45 CFR
164.524'' (Oct. 20, 2022), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html; 45 CFR 164.501
(definition of ``Designated record set'').
---------------------------------------------------------------------------
Neither HIPAA nor part 2 provides a right of access to
psychotherapy notes or SUD counseling notes, but for different reasons.
Under HIPAA, although psychotherapy notes are part of the designated
record set (because the clinician may use them to make decisions about
the individual), they are specifically excluded from the right of
access in 45 CFR 164.524. Under part 2, there is no general right of
access for part 2 records, and thus there is no right of access for SUD
counseling notes, which are a narrow subset of part 2 records. However,
under both HIPAA and part 2, clinicians may exercise their discretion
and voluntarily provide patients with access to psychotherapy notes
and/or SUD counseling notes or a portion of such notes.
Comment
A local government agency supported explicitly defining ``SUD
counseling notes'' as discussed in the NPRM. The commenter said we
should clearly define how and where SUD counseling notes must be
treated differently from other part 2 records and the HIPAA designated
record set. Such clarification will assist dually regulated entities'
efforts to comply with the HIPAA Privacy Rule and Information Blocking
requirements.\160\ The commenter proposed redefining ``HIPAA
psychotherapy notes'' to include all part 2-defined SUD counseling
notes by reference. Such a straightforward alignment would minimize
burden and maximize ease of compliance.
---------------------------------------------------------------------------
\160\ See The Off. of the Nat'l Coordinator for Health Info.
Tech. (ONC), ``Information Blocking'', https://www.healthit.gov/topic/information-blocking.
---------------------------------------------------------------------------
Response
We appreciate comments concerning the definition of ``SUD
counseling notes'' including the suggestion to redefine HIPAA
``psychotherapy notes'' at 45 CFR 164.501 to include SUD counseling
notes. However, changes to the HIPAA definitions are outside the scope
of this rulemaking.
Comment
A health insurer supported a separate definition of ``SUD
counseling notes'' that makes clear the distinction between these types
of notes, other notes, and part 2 records. SUD counseling notes are
distinct from other notes, such as psychotherapy and analysis notes,
according to this commenter. Most treatment for SUDs is done through
individual and group counseling to address specific goals of a
treatment plan, the commenter said, so excluding all notes would in
effect exclude the disclosure of SUD information, unless there is
differentiation between these notes. Even though the commenter
recognizes the definitions would overlap in several aspects--such as
for consent requirements--it welcomed the overlap, as there would be an
additional administrative burden around creating a separate consent for
SUD counseling notes if requirements differed within the definition.
Response
We appreciate this comment on our proposed changes. The commenter
correctly apprehends that the provisions for SUD counseling notes
require that they be separated from the rest of the part 2 and/or
medical record to be recognized as ``SUD counseling notes'' and
afforded additional privacy protection. We agree that the definition of
``SUD counseling notes'' in this final rule will support patient
participation in individual and group SUD counseling. SAMHSA has noted
elsewhere the importance of privacy and confidentiality in both
individual and group counseling settings.\161\
---------------------------------------------------------------------------
\161\ See Substance Abuse and Mental Health Servs. Admin., ``TIP
41: Substance Abuse Treatment: Group Therapy'' (2015), https://store.samhsa.gov/product/TIP-41-Substance-Abuse-Treatment-Group-Therapy/SMA15-3991; Substance Abuse and Mental Health Servs. Admin.,
``TIP 63: Medications for Opioid Use Disorder--Full Document''
(2021), https://store.samhsa.gov/product/TIP-63-Medications-for-Opioid-Use-Disorder-Full-Document/PEP21-02-01-002.
---------------------------------------------------------------------------
Comments Opposing a New SUD Counseling Notes Definition or Requesting
Clarification
Comment
A county government asked that HHS make SUD records a specific
category of PHI under HIPAA in a way similar to psychotherapy notes. It
is inequitable, said the commenter, that patients have more
confidentiality of their records when receiving SUD services from a
part 2 program versus a primary care provider that is not a part 2
program. A state agency said that the proposed definition of ``SUD
counseling notes'' and the existing definition of ``psychotherapy
notes'' in 45 CFR 164.501 do not accurately capture the intent of the
right of access exclusion. The agency suggested using headings of ``SUD
process notes'' and ``psychotherapy process notes'' to clarify that
these are non-clinical notes and avoid creating confusion for patients
in understanding what they are in fact requesting to exclude.
Response
We appreciate suggestions concerning changes or clarifications to
provisions concerning the definition of HIPAA ``psychotherapy notes''
at 45 CFR 164.501. However, changes to the HIPAA definitions are
outside the scope of our part 2 rulemaking. With respect to SUD
counseling notes, we clarify that the exclusion of psychotherapy notes
from the right of access in the HIPAA Privacy Rule does not have a
parallel in part 2 because part 2 does not contain a right of access.
We do not believe that renaming these notes as process notes would
promote understanding of their essential nature--that they are
separately maintained and intended primarily for use by the direct
treating clinician with few exceptions. Further, we do not categorize
SUD counseling notes or psychotherapy notes as either clinical or non-
clinical. We expect that they contain a mix of information useful to
the clinician but not necessary for routine uses or disclosures for
TPO.
Comment
A few HIE associations questioned the definition discussed in the
NPRM stating that psychotherapy notes rarely exist as they are not
considered in the HIPAA designated record set; therefore, such
psychotherapy notes are not accessible under the patient right of
access or available in the patient portal. These commenters and others,
as discussed below in Sec. 2.31, expressed concern about the need to
keep such records compartmentalized or distinct from other part 2
records and associated burdens for data sharing, health IT, and other
activities.
Response
As the Department explained in guidance, ``[d]esignated record sets
include medical records, billing records, payment and claims records,
health plan enrollment records, case management records, as well as
other records used, in whole or in part, by or for a covered entity to
make decisions about individuals.'' \162\ Psychotherapy notes are used
by the treating clinician to make decisions about individuals, and thus
are part of the designated record set, but they are expressly excluded
from the individual right of access to PHI.\163\ However, the HIPAA
Privacy Rule permits a treating provider to voluntarily grant an
individual access to such notes.\164\ Similarly, Sec. 2.23 permits,
but does not require, part 2 programs to provide a patient with access
to part 2 records (including SUD counseling notes as finalized here),
based on the patient's consent. As explained above, changes to the
HIPAA Privacy Rule definition of ``psychotherapy notes'' are beyond the
scope of this rulemaking.
---------------------------------------------------------------------------
\162\ U.S. Dep't of Health and Human Servs., ``What personal
health information do individuals have a right under HIPAA to access
from their health care providers and health plans?'' (June 24,
2016), https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html.
\163\ See ``Individuals' Right under HIPAA to Access their
Health Information 45 CFR 164.524,'' supra note 159.
\164\ The HIPAA Privacy Rule expressly permits disclosures of
PHI to the individual who is the subject of the PHI. See 45 CFR
164.502(a)(1)(i).
---------------------------------------------------------------------------
Comment
A health care provider asserted that it is not necessary to create
a separate term and definition of SUD counseling notes because the
HIPAA term ``psychotherapy notes'' meets these
needs. The commenter supported applying the HIPAA standard to
psychotherapy notes created within a part 2 program.
Response
We appreciate this comment. As noted in the NPRM, we believe that
it is important to include within part 2 a definition of ``SUD
counseling notes'' specific to the notes of SUD counseling sessions by
a part 2 program professional. SUD counseling notes under this final
rule are part 2 records but cannot be disclosed based on a general
consent for TPO. If this rule failed to include a definition of SUD
counseling notes, HIPAA's psychotherapy notes provisions and definitions
in 45 CFR 164.501 and 164.508 would not apply to part 2 programs that
are not covered entities, and SUD counseling notes could be disclosed
under a general TPO consent, which would undermine the utility of these
notes being maintained separately from the designated record set by
some SUD providers.
Comment
A county health department stated that SUD counseling notes are
different from psychotherapy notes, which often focus on more intimate
and deeper clinical considerations, while SUD counseling notes often
include more straightforward clinical details that do not require
additional privacy protections. This commenter stated that the
differences in the nature of such notes are due to differences in the
scope of practice of the different workforces of SUD programs and
therapists. The commenter also stated that, because most of the
services provided by part 2 programs are documented via SUD counseling
notes, requiring separate consent for SUD counseling notes would
counteract the aim of facilitating greater information exchange without
providing a clear benefit. As such, the commenter urged the Department
to reject the idea of applying additional privacy protections for SUD
counseling notes.
Another county department similarly stated that the nature of SUD
counseling notes is fundamentally different from psychotherapy notes,
and does not warrant enhanced confidentiality. As described by this
commenter, while psychotherapy notes focus on intimate and nuanced
clinical considerations, the typical SUD counseling note is far less
detailed and more like a standard progress note in a medical record. In
addition, SUD counseling notes are usually kept by providers with less
education and training than psychiatrists, who do not have a
professional practice of maintaining separate counseling notes
primarily for use by the originator of the notes.
A state agency expressed concern that adopting special protections
for SUD counseling notes would create additional administrative
complexity and compliance challenges for part 2 programs and may have
unintended adverse consequences by restricting patient access to, or
beneficial disclosures of, a significant segment of their SUD treatment
records. The commenter asserted that such a change seemed unlikely to
facilitate information exchange for care coordination purposes, and
thus would seem to be inconsistent with many of the other proposed
amendments.
Response
We acknowledge comments that SUD counseling notes and psychotherapy
notes are not precisely equivalent. However, SUD counseling notes, like
psychotherapy notes, may also include particularly sensitive details
about a patient's medical conditions and personal history. Such
concerns may be especially acute, for instance, with pediatric patients
\165\ or patients who have or are at risk of conditions such as human
immunodeficiency virus (HIV).\166\ While these commenters' anecdotal
accounts are helpful to our understanding of the issues, these
experiences and comments do not necessarily apply to the majority of
SUD counseling situations in which the clinician's notes may play an
important role in patient treatment and necessitate the additional
protections made available in this final rule. More than two-thirds of
commenters on this issue expressed support for moving forward with a
new definition and heightened protections for SUD counseling notes.
---------------------------------------------------------------------------
\165\ See Substance Abuse and Mental Health Servs. Admin.,
``Treatment Considerations for Youth and Young Adults with Serious
Emotional Disturbances and Serious Mental Illnesses and Co-occurring
Substance Use'' (2021), https://www.samhsa.gov/resource/ebp/treatment-considerations-youth-young-adults-serious-emotional-disturbances-serious.
\166\ See Substance Abuse and Mental Health Servs. Admin.,
``Prevention and Treatment of HIV Among People Living with Substance
Use and/or Mental Disorders'' (2020), https://store.samhsa.gov/product/Prevention-and-Treatment-of-HIV-Among-People-Living-with-Substance-Use-and-or-Mental-Disorders/PEP20-06-03-001.
---------------------------------------------------------------------------
Comment
A health care provider expressed support for an approach that
destigmatizes SUD treatment and promotes access to clinically relevant
information that is valuable and informative for all TPO purposes. As
such, the provider did not believe that creating additional protections
for SUD counseling notes would promote access and exchange of valuable
information. An SUD treatment provider association urged the Department
to limit disclosures of patient information that are not necessary for
the purpose of the disclosure, such as details of trauma history that
are not needed for TPO, except by the treating clinician. An insurance
association suggested that a new definition of ``SUD counseling notes''
could be beneficial in some circumstances when heightened privacy is
warranted. But a new definition also could impede care coordination
because SUD counseling notes may contain clinically relevant
information and help inform coordinated treatment plans, according to
this commenter, who also asserted that some programs may have
difficulty implementing the requirement and be unable to share the
remainder of the record for TPO. The commenter urged the Department not
to create a separate category for SUD counseling notes but instead to
allow SUD providers to determine how to best record these notes.
Another insurance association requested that the Department use this
rule as an opportunity to: (1) reinforce the existing HIPAA
restrictions on sharing psychotherapy notes; and (2) clarify that SUD
counseling notes are not psychotherapy notes and may be used and
disclosed for TPO.
Response
We acknowledge these comments and discuss additional related
provisions below in Sec. 2.31. We do not believe the final ``SUD
counseling notes'' definition will contribute to stigma or
discrimination for SUD patients because it strengthens confidentiality
for the most sensitive information shared during treatment and does so
in a manner similar to what already exists in the HIPAA regulations. We
do not agree that the ``SUD counseling notes'' definition will impede
care coordination because the nature of these notes is that they are
intended primarily for use by the direct treating clinician. We agree
that the final rule may be an opportunity to provide additional
education on existing HIPAA psychotherapy note provisions and will
consider what additional guidance may be helpful after this rule is
finalized. In addition, we note that a part 2 program's use of separate
SUD counseling notes is voluntary and optional--although a program may
adopt a facility-wide policy that either supports or disallows the
creation and maintenance of such notes. As noted above, through the
separate definition adopted in this final rule in Sec. 2.11, SUD
counseling notes under this final rule are part 2 records but cannot be
disclosed based on a TPO consent.
Comment
A medical professionals association expressed concern about
potential challenges associated with maintaining SUD counseling notes,
noting that the creation of a distinct class of psychotherapy notes in
HIPAA provides an illustrative example of the challenge of implementing
specific data protections within a medical record: although the
``psychotherapy notes'' option was added to HIPAA to protect
psychotherapist-patient privilege, this option specifically excludes
key elements of psychotherapy session notes that are required for
routine clinical care as well as for billing purposes (e.g., medication
prescription and monitoring, summary of diagnosis, treatment plan). As
a result, according to this commenter, if a HIPAA-defined
``psychotherapy note'' is used, it must always be accompanied by a
clinical note that includes the essential elements for routine clinical
care and billing.
Response
We acknowledge this comment and appreciate the analogy to HIPAA
psychotherapy notes in clinical practice; however, we believe the
framework is a valuable option for some clinicians, with the
understanding that the notes are intended to be used only by the
clinician. Neither the HIPAA Privacy Rule nor this final rule mandates
the use within a mental health practice or a part 2 program of
``psychotherapy notes'' or ``SUD counseling notes'' as defined within
the respective regulations. However, clinicians who choose to keep
separate notes for their own use are afforded some additional privacy
and the patient's confidentiality is also protected by additional
consent requirements under Sec. 2.31(b) (Consent required: SUD
counseling notes).
Comment
A medical professionals association suggested that the Department
create a regulatory definition of an ``SUD professional'' who is
qualified to perform treatment and prepare SUD counseling notes.
Response
The definition of ``SUD counseling notes'' matches the definition
of ``psychotherapy notes'' under the HIPAA Privacy Rule except for the
references to SUD professionals and SUD notes. Historically, the
Department has considered licensed providers as ``professionals.'' We
did not propose and therefore are not finalizing a definition of SUD
professionals either separately or in relation to SUD counseling notes.
The exception to the consent requirement for use in a part 2 program's
training program indicates that an ``SUD professional'' may be someone
who is completing their practical experience to receive a degree or
professional certification or license, and, additionally, that such
notes may be used in clinical supervision.
Final Rule
The final rule adopts the definition of ``SUD counseling notes'' as
proposed in the NPRM.
Third-Party Payer
The term ``third-party payer'' refers to an entity with a
contractual obligation to pay for a patient's part 2 services and
includes some health plans, which by definition are covered entities
under HIPAA. The current regulation, at Sec. 2.12(d)(2), limits
disclosures by third-party payers to a shorter list of purposes than
the HIPAA Privacy Rule allows for health plans. The Department proposed
to exclude covered entities from the definition of ``third-party
payer'' to facilitate implementation of 42 U.S.C. 290dd-2(b)(1)(B), as
amended by section 3221(b) of the CARES Act, which enacted a permission
for certain recipients of part 2 records to redisclose them according
to the HIPAA standards. The result of this proposed change would be
that the current part 2 disclosure restrictions continue to apply to a
narrower set of entities. The Department believes that this approach
would carry out the intent of the CARES Act, while preserving the
privacy protections that apply to payers that are not covered entities.
The Department also proposed a wording change to replace the phrase
``individual or entity'' with the term ``person'' as now proposed to
comport with the HIPAA meaning of the term.
Comment
The Department received overwhelmingly supportive comments on the
intent to distinguish health plans, which are covered entities, from
other third-party payers who would be subject to part 2 (but not
HIPAA). The rationales offered for supporting this proposal were that
it furthers the implementation of the CARES Act requirement to align
part 2 with HIPAA, reduces the need to segment part 2 records, reduces
health plan burden, and allows health plans to engage in more
activities that improve health care, such as care coordination and
accountable care.
Response
We appreciate the comments.
Comment
Several commenters stated that the definition could be confusing to
some readers and requested clarification in the final rule along with
additional examples of entities that would remain subject to part 2 as
third-party payers. Specifically, a trade association requested that
the Department exclude business associates of health insurance
providers (i.e., a health plan/payer) from this definition because they
are not independent ``third-party payers'' but rather are acting on
behalf of a health insurance provider. A health system requested that
the Department ensure that ACOs and population health providers have
access to full part 2 information without a beneficiary having to
explicitly opt-in to data sharing.
Response
We appreciate the comments and clarify that business associates
acting on behalf of health plans are not independent ``third-party
payers'' who would fall within this definition. However, business
associates are listed along with covered entities in the new language
of Sec. 2.12(d)(2)(i)(C), which expressly states that covered entities
and business associates are not required to segregate records or
segment part 2 data once received from a part 2 program based on a TPO
consent.
Comment
One commenter asserted that the proposed rule did not clearly
address the role of third-party payers, including the more active role
of these entities in coordinating patient care. This commenter cited,
for example, that third-party payers could provide direct care
coordination; services such as home health visits as a covered entity;
or function solely as a third-party payer, making payment and
overseeing quality claims reporting for providers. The commenter cited
the Ohio Medicaid Comprehensive Privacy Care or ``CPC'' alternative
payment program as an example where health plans act as managed care
organizations that oversee various avenues of payment as well as care
coordination in conjunction with providers. This commenter also
believed that the definition is intended to ensure that third-party
payers that are not HIPAA covered entities are also subject to the same
rules as covered entities with respect to part 2 records
and recommended that HHS clarify the definitions of ``covered entity''
and ``third-party payer'' to explain the relationship between these
groups and the obligations of each with respect to part 2 information.
Response
We appreciate the commenter's description of new models of payment
and care coordination. However, we believe the commenter misapprehends
the intent of the proposed definition, which is finalized in this rule.
The intent is to distinguish third-party payers, which are not covered
entities, from health plans (which, by definition, are covered
entities). If a third-party payer is not a covered entity, then it is
not subject to part 2 provisions that apply to covered entities except
when (a) specifically identified as being subject to these provisions
or (b) in those instances where third-party payers are lawful holders
by virtue of having received part 2 records under a written consent or
an exception to the consent requirements. For example, some non-profit
organizations provide health care reimbursement for individuals and
some entities provide payment as part of an insurance policy that does
not meet the definition of health plan in HIPAA.
Final Rule
The final rule adopts all proposed modifications to the definition
of ``third-party payer'' in Sec. 2.11, without further modification.
Treating Provider Relationship
The Department proposed to modify the part 2 definition of
``treating provider relationship'' by replacing the phrase ``individual
or entity'' with ``person,'' in accordance with the proposed changes to
the definition of ``person'' described above. Additionally, several
minor wording changes were proposed for clarity.
Comment
We received no comments on the proposed changes to this definition.
Final Rule
The final rule adopts the proposed changes to the definition of
``treating provider relationship'' without further modification.
Treatment
The Department proposed to modify the part 2 definition of
``treatment'' by adopting the HIPAA Privacy Rule definition in 45 CFR
164.501 by reference. This would implement subsection (k) of 42 U.S.C.
290dd-2, added by section 3221(d) of the CARES Act, requiring that the
term be given the same meaning as the term for the purposes of the
HIPAA regulations. As discussed in the NPRM, by replacing the existing
language, the Department does not intend to change the scope of
activities that constitute treatment. In this context, treatment
includes the care of a patient suffering from an SUD, a condition which
is identified as having been caused by the SUD, or both, to reduce or
eliminate the adverse effects upon the patient.
Comment
In addition to the supportive comments discussed above, a state
government expressed specific support for the adoption of the HIPAA
definition of the term ``treatment.''
Response
We appreciate the comments.
Final Rule
The final rule adopts all proposed modifications to the definition
of ``treatment'' in Sec. 2.11, without further modification.
Unsecured Protected Health Information
The Department proposed to adopt the same meaning of this term as
used in the HIPAA regulations at 45 CFR 164.402 to mean PHI that is not
rendered unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology specified by the
Secretary in guidance. This proposal would implement subsection (k) of
42 U.S.C. 290dd-2, added by section 3221(d) of the CARES Act, requiring
that the term in this part be given the same meaning as the term for
the purposes of the HIPAA regulations.
Comment
Other than the supportive comments discussed above pertaining to
the changes to definitions generally, the Department did not receive
specific comments for its proposed definition of this term in the
regulation.
Response
We appreciate the comments.
Final Rule
The final rule adopts all proposed modifications to the definition
of ``unsecured protected health information'' in Sec. 2.11, without
further modification.
Unsecured Record
In the NPRM, the Department explained its view that the proposed
addition was necessary to implement the newly required breach
notification standards for part 2 records. To align with the definition
of ``unsecured protected health information'' in the HIPAA regulations
at 45 CFR 164.402, the Department proposed to apply a similar concept
to records, as defined in this part. Thus, an ``unsecured record''
would be one that is not rendered unusable, unreadable, or
indecipherable to unauthorized persons through the use of a technology
or methodology specified by the Secretary in the guidance issued under
Public Law 111-5, section 13402(h)(2).\167\
---------------------------------------------------------------------------
\167\ See U.S. Dep't of Health and Human Servs., ``Guidance to
Render Unsecured Protected Health Information Unusable, Unreadable,
or Indecipherable to Unauthorized Individuals'' (July 26, 2013),
https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.
---------------------------------------------------------------------------
Comment
The Department received one comment from a state government that
suggested eliminating ``unsecured record,'' in favor of ``unsecured
protected health information'' because two terms are unnecessary.
Response
We appreciate the comment but believe both terms are needed to
implement the newly required breach notification standards for part 2
records, which are defined differently from PHI.
Final Rule
The final rule adopts all proposed modifications to the definition
of ``unsecured record'' in Sec. 2.11, without further modification.
Use
The Department proposed to add a definition of this term that is
consistent with the definition in the HIPAA regulations at 45 CFR
160.103 and as the term is applied to the conduct of proceedings
specified in 42 U.S.C. 290dd-2(c). As explained in the NPRM, the
Department believes this addition is necessary to more fully align part
2 with the HIPAA regulations' use of the phrase ``use and disclosure,''
as well as to make clear, where applicable, that many of the activities
regulated by this part involve not only disclosures but internal uses
of part 2 records by programs or recipients of part 2 records. The
Department also proposed this definition to clarify that in this part,
the term ``use'' has a secondary meaning in accordance with the
statutory requirements at 42 U.S.C. 290dd-2(c) for ``use'' of records
in civil, criminal, administrative, and legislative investigations and
proceedings. The
[[Page 12511]]
Department discusses in greater detail the addition of the term ``use''
to specific provisions throughout this rule.
Comment
The Department received overwhelmingly supportive comments on the
proposed changes throughout this rule to include ``use and'' preceding
``disclosure.'' With respect to proposed definitions of ``use'' and
``disclosure,'' one commenter stated that the term ``use'' was broad
enough to incorporate both the current understanding (as applied to
legal proceedings) and the HIPAA understanding (applied to use of
records within a health care entity) without creating confusion, and
other commenters agreed the proposal would provide clarity.
Additionally, several commenters recommended that the Department adopt
the HIPAA definitions of ``use'' and ``disclosure'' to further align
part 2 with the HIPAA regulations. Another commenter suggested further
that the final rule eliminate the clause ``or in the course of civil,
criminal, administrative, or legislative proceedings as described at 42
U.S.C. 290dd-2(c)'' because the proposed language departs from the
HIPAA definition and is unnecessary.
Response
We appreciate the comments. Although we are declining to adopt the
HIPAA definition of ``use,'' we believe that the definition finalized
in this rule is consistent with HIPAA's definition and with the
additional second meaning in this part in accordance with the statutory
requirements at 42 U.S.C. 290dd-2(c) for ``use'' of records in civil,
criminal, administrative, and legislative proceedings.
Comment
One commenter, a health system, suggested that the Department
revise the definition of ``use'' within the HIPAA regulations to match
the understanding of its meaning as proposed here, to include the
initiation of a legal proceeding.
Response
We appreciate this comment, but it is not within the scope of this
rulemaking to address the definition of ``use'' within the HIPAA
regulations.
Final Rule
The final rule adopts all proposed modifications to the definition
of ``use'' in Sec. 2.11, without further modification.
Section 2.12--Applicability
Proposed Rule
In addition to changes to the use and disclosure language in this
section, discussed above, the Department proposed to modify paragraph
(a) to update the terminology by replacing ``drug abuse'' with
``substance use disorder.'' The Department also proposed to modify
paragraph (c)(2) of this section, which excludes from part 2
requirements certain interchanges of information within the Armed
Forces and between the Armed Forces and the VA, by replacing ``Armed
Forces'' with ``Uniformed Services.'' This proposed change would align
the regulatory text with the statutory language at 42 U.S.C. 290dd-
2(e).
As we noted in the 2021 HIPAA NPRM to modify the HIPAA Privacy
Rule, the U.S. Public Health Service (USPHS) and the National Oceanic
and Atmospheric Administration (NOAA) Commissioned Corps share
responsibility with the Armed Services for certain critical missions,
support military readiness and maintain medical fitness for deployment
in response to urgent and emergency public health crises, and maintain
fitness for deployment onto U.S. Coast Guard manned aircraft and
shipboard missions. Because this part 2 proposal with respect to the
Uniformed Services is consistent with the underlying statute, the
Department does not believe the modification will change how SUD
treatment records are treated for USPHS and NOAA Commissioned Corps
personnel, but requested comment on this assumption.
The Department proposed in paragraph (d)(1) of this section to
expand the restrictions on the use of records as evidence in criminal
proceedings against the patient by incorporating the four prohibited
actions specified in 42 U.S.C. 290dd-2(c), as amended by the CARES Act,
and expanding the regulatory prohibition on use and disclosure of
records against patients to cover civil, administrative, or legislative
proceedings in addition to criminal proceedings.\168\ Absent patient
consent or a court order, the proposed prohibitions are: (1) the
introduction into evidence of a record or testimony in any criminal
prosecution or civil action before a Federal or State court; (2)
reliance on the record or testimony to form part of the record for
decision or otherwise be taken into account in any proceeding before a
Federal, State, or local agency; (3) the use of such record or
testimony by any Federal, State, or local agency for a law enforcement
purpose or to conduct any law enforcement investigation; and (4) the
use of such record or testimony in any application for a warrant.
---------------------------------------------------------------------------
\168\ Administrative agencies may issue subpoenas pursuant to
their authority to investigate matters and several statutes
authorize the use of administrative subpoenas in criminal
investigations. For example, these may be cases involving health
care fraud, child abuse, Secret Service protection, controlled
substance cases, inspector general investigations, and tracking
unregistered sex offenders. See Charles Doyle, Administrative
Subpoenas in Criminal Investigations: A Brief Legal Analysis, CRS
Report RL33321 (Dec. 19, 2012), https://crsreports.congress.gov/product/pdf/RL/RL33321.
Legislative investigations may also be
conducted in furtherance of the functions of Congress or state
legislative bodies. See U.S. Dept. of Justice, Off. of Legal Policy,
Report to Congress on the Use of Administrative Subpoena Authorities
by Executive Branch Agencies and Entities: Pursuant to Public Law
106-544, https://www.justice.gov/archive/olp/rpt_to_congress.htm.
---------------------------------------------------------------------------
The Department further proposed changes to paragraph (d)(2)
(Restrictions on use and disclosures). In paragraph (d)(2)(i) (Third-
party payers, administrative entities, and others), the term ``third-
party payer'' as modified in Sec. 2.11 would have the effect of
excluding covered entity health plans from the limits on redisclosure
of part 2 records. To clarify the modified scope of this paragraph, the
Department proposed to insert qualifying language in Sec.
2.12(d)(2)(i)(A) to refer to ``third-party payers, as defined in this
part.'' This approach implements the CARES Act changes in a manner that
preserves the existing redisclosure limitations for any third-party
payers that are not covered entities. The modified definition of
``third-party payer'' in Sec. 2.11 excludes health plans by describing
a ``third-party payer'' as ``a person, other than a health plan as
defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or
treatment furnished to a patient on the basis of a contractual
relationship with the patient or a member of the patient's family or on
the basis of the patient's eligibility for Federal, state, or local
governmental benefits'' [emphasis added]. As a result of the proposal,
health plans would be permitted to redisclose part 2 information as
permitted by the HIPAA regulations and other ``third-party payers''
would remain subject to the existing part 2 prohibition on
redisclosure.
The Department also proposed to substitute the term ``person'' for
the term ``entity'' and the phrase ``individuals and entities'' in
Sec. 2.12(d)(2)(i)(B) and (C), respectively. As discussed above in
relation to Sec. 2.11 (Definitions), the Department does not intend
this to be a substantive change, but rather an alignment with the term
as
[[Page 12512]]
it is defined in the HIPAA Privacy Rule at 45 CFR 160.103.
In addition to these proposed changes to Sec. 2.12(d), the
Department requested comment on how the proposed revisions to Sec.
2.33 (Uses and disclosures with written consent), might affect the
future data segregation practices of part 2 programs and recipients of
part 2 records. We include comments on that topic in this section
because it provides the only explicit reference to data segmentation
and segregation of records within the regulation. Operationalizing
consent for TPO, more narrow consent, revocation of consent, and
requests for restrictions on disclosures for TPO may raise challenges
concerning tagging, tracking, segregating and segmenting records and
health data. These issues are addressed across multiple sections of the
final rule, including Sec. Sec. 2.12, 2.22, 2.31, 2.32, and 2.33.
The Department proposed to conform paragraph (e)(3) of Sec. 2.12
to 42 U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES
Act, by expanding the restrictions on the use of part 2 records in
criminal proceedings against the patient to expressly include
disclosures of part 2 records and to add civil and administrative
proceedings as additional types of forums where use and disclosure of
part 2 records is prohibited, absent written patient consent or a court
order. Additionally, the Department proposed to clarify language in
paragraph (e)(4)(i) of Sec. 2.12, which excludes from part 2 those
diagnoses of SUD that are created solely to be used as evidence in a
legal proceeding. The proposed change would narrow the exclusion to
diagnoses of SUD made ``on behalf of and at the request of a law
enforcement agency or official or a court of competent jurisdiction''
to be used as evidence ``in legal proceedings.'' The Department
believed the proposed clarification would tighten the nexus between a
law enforcement or judicial request for the diagnosis and the use or
disclosure of the SUD diagnosis based on that request, and requested
comment on this approach.
We respond to comments on all aspects of Sec. 2.12 below.
Comment
A few health system commenters supported the proposed change in
paragraph (c)(2) to replace Armed Forces with Uniformed Services to be
more inclusive.
Response
We appreciate the comments.
Comment
A few commenters expressed concerns about paragraph (c)(6) of this
section, which excludes from part 2 applicability the use and
disclosure of part 2 records in reports of child abuse and neglect
mandated by state law and the fact that the exception does not allow
for reporting of vulnerable adult and elder abuse or domestic violence.
Response
Modifications to this provision are outside of the scope of this
rulemaking. Moreover, the exception that allows part 2 programs to
disclose otherwise confidential records for child abuse reporting is
based in a statutory exclusion in 42 U.S.C. 290dd-2(e). Because
Congress had the opportunity to address this statutory exclusion in the
CARES Act amendments and did not do so, we do not believe we can
unilaterally expand the exclusion by adding a regulatory exception for
elder or vulnerable adult abuse similar to that for child abuse
reporting. Congress could in the future choose to add to the statute an
exception that would allow part 2 programs to report vulnerable adult
and elder abuse and neglect. We further address options for disclosures
to prevent harm in the discussion of Sec. 2.20 (Relationship to state
laws).
Comment
Some commenters supported the proposed changes in paragraph (d)(2)
to the prohibition on use and disclosure of part 2 records against a
patient or a part 2 program in investigations and proceedings absent
patient consent or a court order. These commenters appreciated the
expanded protection from use and disclosure in legislative and
administrative investigations and proceedings and the express
protection of testimony that conveys information from part 2 records
within the consent or court order requirements. Some commenters thought
that these express and expanded protections would serve as a beneficial
counterweight to easing the flow of part 2 records for health care-
related purposes.
Response
We appreciate the comments and agree that the expanded scope of
protection to include not only records but testimony and to include
legislative and administrative proceedings provides greater protection
to patients and part 2 programs that are the subject of investigations
and proceedings.
Comment
Many commenters expressed concern about the use of written consent
as a way to overcome the prohibition against the use of records in
proceedings against patients, expressing alarm that this could allow
coerced consent by law enforcement.
Response
We address the concerns about allowing patient consent for use and
disclosure of records in legal proceedings in the discussion of Sec.
2.31 (Consent requirements). Patient consent was not the intended focus
of the modifications to Sec. 2.12(d), but was included to mirror the
statutory language in 42 U.S.C. 290dd-2(c), as amended by section
3221(e) of the CARES Act. The final rule provides guardrails for the
consent process in a new paragraph to Sec. 2.31, discussed below.
Comment
A county board of supervisors commented on changes to paragraph
(d)(2), stating that the current regulations require a special court
order to authorize the use or disclosure of patient records in a
criminal investigation or prosecution. The county expressed concern
that a lack of meaningful safeguards when allowing the disclosure of
patients' SUD records by patient consent may result in patients being
asked to consent to disclosures of their protected SUD treatment
records as a condition of a plea deal, sentencing, or release from
custody, and that without adequate protections individuals may fear
this information being used against them and may not seek treatment.
According to the commenter, expanding the ability to access and use
patients' SUD treatment records in criminal cases may result in harm to
patients such as exacerbation of disparities in access to SUD
treatment, criminalization of SUD, and treatment outcomes. The
commenter recommended that HHS include meaningful protections in the
final rule against patients being coerced into signing consent forms
that can be used against them in a criminal or civil case.
Response
We have added at Sec. 2.31(d) an express requirement that consent
for use and disclosure of records in civil, criminal, administrative,
and legislative investigations and proceedings be separate from consent
to use and disclose part 2 records for other purposes. The existing
rule, at Sec. 2.33(a), permits patients to consent to use and
disclosure of their records and provides that part 2 programs may
disclose the records according to the consent. We interpret
[[Page 12513]]
this to include consent for use and disclosure of records in legal
proceedings, including those that are brought against a patient. Thus,
we do not view this final rule's language about consent in Sec.
2.12(d) as creating a substantive change to patients' rights or the
existing procedures for legal proceedings, but as clarifying how
consent is one option for achieving the use and disclosure of records
in proceedings against a patient.
Nonetheless, because the role of patient consent is expanding, we
created the new requirement for separate consent as Sec. 2.31(d) in
response to many comments about the potential for coerced consent and
specific suggestions about ways to reduce instances of potential
coercion, including requiring it to be separate from TPO consent or
consent to treatment. This paragraph provides that patient consent for
use and disclosure of records (or testimony relaying information
contained in a record) in a civil, criminal, administrative, or
legislative investigation or proceeding cannot be combined with a
consent to use and disclose a record for any other purpose. Some
commenters asserted that patients are particularly vulnerable to
coerced consent at the initiation of treatment when they are suffering
the effects of SUD and that they may not fully appreciate how their
records may be used or disclosed in proceedings against them. Thus,
requiring separate consent for use or disclosure of records in
investigations or proceedings against a patient would help ensure that
patients are better aware of the nature of the proceedings and how
their records may be used. Signing a separate document specific to one
purpose draws attention to the consent decision and provides greater
opportunity for review of the nature of the consent. Comments about the
proposed changes for legal proceedings are also addressed in Sec. Sec.
2.2, 2.31, 2.66, and 2.67. Additional comments with similar concerns
are discussed in Sec. 2.31.
Comment
With respect to the applicability of part 2 to third-party payers,
we received overwhelming support from the several organizations that
commented on the proposed revised definition of third-party payer as
applied in paragraph (d)(2)(i) of this section. These commenters
supported the proposal to distinguish health plans, which are covered
entities, from other third-party payers who are subject to part 2 (but
not subject to HIPAA). One commenter explained their understanding that
covered entity payers (e.g., health plans) would already be included in
the meaning of covered entity for the purposes of part 2 and HIPAA, and
therefore able to operate under the relaxation of the redisclosure
prohibition for TPO purposes while ``third-party payers'' under this
narrowed definition would not. The commenter stated its belief that the
change was an important and useful clarification of the continued
redisclosure prohibition on treatment uses by such third-party payers.
A few HIE/HIN commenters strongly supported this change because the
inability to segment the part 2-protected claims/encounter data from
the non-part 2 data has often been a barrier to health plans
contributing the clinical component of this administrative data to
local, regional, and national HIE efforts. Additionally, a health
system requested that the Department ensure that ACOs and population
health providers have access to full part 2 information without a
beneficiary having to explicitly opt-in to data sharing.
Response
We appreciate the comments concerning how the proposed narrower
definition of ``third-party payer'' operates in paragraph (d)(2) of
this section. Applicability to health plans is now addressed under
paragraph (d)(2)(C) within the reference to covered entities.
Additionally, the new statement in paragraph (d)(2)(C) in this final
rule provides that health plans are not required to segregate records
or segment data upon receipt from a part 2 program. ACOs and population
health providers will need to evaluate the applicability provision
based on their status as covered entities or business associates.
Comment
A medical professionals association voiced its strong support for
data segmentation in support of data interoperability while maintaining
patient privacy; capabilities for EHRs to track and protect sensitive
information before it can be disclosed or redisclosed; and continuous
monitoring and data collection regarding unintended harm to patients
from sharing their sensitive information.
Response
We appreciate the comment about improving the capabilities for EHRs
to segment data to maintain patient privacy while also remaining
interoperable. The final rule change expressly stating that data
segmentation is not required by recipients under a TPO consent does not
preclude the voluntary use of data segmentation or tracking as means to
protect sensitive data from improper disclosure or redisclosure. As a
result of the modifications to paragraph (d)(2) of Sec. 2.12, key
recipients of part 2 records may choose the best method for their
health IT environment and organizational structure to protect records
from use and disclosure in legal proceedings against the patient,
absent consent or a court order. For example, the use of the data
segmentation for privacy (``DS4P'') standard as adopted as part of the
ONC Health IT Certification Program criteria in 45 CFR 170.315(b) is a
technical capability that would be acceptable/sufficient.\169\
---------------------------------------------------------------------------
\169\ See The Off. of the Nat'l Coordinator for Health Info.
Tech., ``Certification Companion Guide: Security tags'' (2015),
https://www.healthit.gov/test-method/security-tags-summary-care-send.
---------------------------------------------------------------------------
Comment
A few individual commenters, a police and community treatment
collaborative, a health IT vendor, and an SUD recovery policy
organization, requested changes to paragraph (e)(4), which applies to a
``[d]iagnosis which is made on behalf of and at the request of a law
enforcement agency or official or a court of competent jurisdiction
solely for the purpose of providing evidence[.]'' Specifically, they
recommended in Sec. 2.12(e)(4)(i) that we add language to include the
purpose of determining eligibility for participation in deflection,
diversion, or reentry alternatives to incarceration. The commenters
stated that alternatives to incarceration require swift assessments,
diagnoses, and referrals to treatment and care, and that the requested
change is narrowly tailored and consistent with best practice and
priorities within the justice field.
Response
We decline to further modify paragraph (e)(4) in the manner
suggested, although we appreciate the comment and the intent to support
criminal justice deflection programs and alternatives to incarceration
where appropriate. The changes we proposed to this paragraph were for
clarification and not intended to create substantive modifications.
However, we believe that as drafted, the final regulatory language
supports the disclosure of diagnoses made for the purpose of providing
evidence for any number of purposes, which could include determining
eligibility for participation in deflection, diversion, or reentry
alternatives to incarceration. Thus, in our view, the
[[Page 12514]]
suggested change is not necessary to meet the commenter's purposes.
Final Rule
The final rule adopts all proposed changes to Sec. 2.12 and
further modifies this section by: (1) clarifying that the restrictions
on uses and disclosures of records in proceedings against a patient
apply to persons who receive records from not only part 2 programs and
lawful holders, but also from covered entities, business associates,
and intermediaries to allow for the new operation of consent as enacted
by the CARES Act; \170\ (2) modifying paragraph (b)(1) by replacing
``Armed Forces'' with ``Uniformed Services'' to conform with the
changes in paragraph (c)(2) and the statutory language at 42 U.S.C.
290dd-2(e); (3) adding an express statement to paragraph (d)(2)(i)(C)
that recipients of records under a TPO consent who are part 2 programs,
covered entities, and business associates are not required to segregate
the records received or segment part 2 data; and (4) removing a phrase
in paragraph (d)(2)(ii) that implied a requirement for recipients of
part 2 records to segregate or segment the data received, including
removing the requirement from covered entities, business associates,
and intermediaries, as well as from part 2 programs.
---------------------------------------------------------------------------
\170\ The non-substantive wording changes to paragraphs (a),
(c), and (e) are included in the amendatory language in the last
section of this final rule.
---------------------------------------------------------------------------
Section 2.13--Confidentiality Restrictions and Safeguards
Proposed Rule
The current provisions of this section apply confidentiality
restrictions and safeguards to how part 2 records may be ``disclosed
and used'' in this part, and specifically provide that part 2 records
may not be disclosed or used in any civil, criminal, administrative, or
legislative proceedings. The current provisions also provide that
unconditional compliance with part 2 is required of programs and lawful
holders and restrict the ability of programs to acknowledge the
presence of patients at certain facilities. Changes to the Department's
use of the terms ``use'' and ``disclose'' in this section are discussed
above. Paragraph (d) of Sec. 2.13 (List of disclosures), includes a
requirement for intermediaries to provide patients with a list of
entities to which an intermediary, such as an HIE, has disclosed the
patient's identifying information pursuant to a general designation.
The Department proposed to remove Sec. 2.13(d) and redesignate the
content as Sec. 2.24, change the heading of Sec. 2.24 to
``Requirements for intermediaries,'' and in Sec. 2.11 create a
regulatory definition of the term ``intermediary'' as discussed above.
The Department's proposal to redesignate Sec. 2.13(d) as Sec. 2.24
would move the section toward the end of subpart B (General
Provisions), to be grouped with the newly proposed Sec. Sec. 2.25 and
2.26 about patient rights and disclosure. Section 2.24 is discussed
separately below.
In addition to these proposed structural changes, the Department
also proposed minor wording changes to paragraphs (a) through (c) of
Sec. 2.13 to clarify who is subject to the restrictions and safeguards
with respect to part 2 records. The Department solicited comment on the
extent to which part 2 programs look to the HIPAA Security Rule as a
guide for safeguarding part 2 electronic records. The Department also
requested comment on whether it should modify part 2 to apply the same
or similar safeguards requirements to electronic part 2 records as the
HIPAA Security Rule applies to ePHI or whether other safeguards should
be applied to electronic part 2 records.
Comment
We received general support from an HIE regarding our efforts to
align the security requirements in part 2 for EHRs with the HIPAA
Security Rule. An individual commenter said that similar safeguard
requirements should apply to electronic part 2 records as the HIPAA
Security Rule applies to ePHI. The commenter stated that, ideally,
stronger safeguards should apply to electronic part 2 records because
these records can function as a bridge to discrimination, sanctions,
and adverse actions. An insurer commenter stated that it manages
electronic part 2 records and information consistent with the HIPAA
Security Rule currently and would--in keeping with the concept of
treating SUD information the same as other PHI--support applying the
same rules and protections of the HIPAA Security Rule to electronically
stored and managed part 2 records and information. Noting that the
HIPAA Privacy and Security Rules are widely adopted across the health
care continuum, an HIE association encouraged the Department to pursue
further alignment with HIPAA Security Rule requirements where
appropriate. Another health insurer supported aligning part 2
safeguards with the safeguards applicable under the HIPAA regulations.
This commenter stated that, as HHS works to align part 2 regulations
with HIPAA regulations, the ultimate goal should be to streamline
policies while ensuring the protection of patient data across programs
and data sharing platforms. The health plan and another commenter, a
health insurer, believed that different types of PHI should share the
same level of protection and supported Department efforts toward this
end.
Response
We appreciate the comments on our proposed changes and comments on
modifying part 2 to apply the same or similar safeguard requirements to
electronic part 2 records as apply under the HIPAA Security Rule. Prior to
our changes in this final rule, part 2 programs and other lawful
holders already were required to have in place formal policies and
procedures to reasonably protect against unauthorized uses and
disclosures of patient identifying information and to protect against
reasonably anticipated threats or hazards to the security of patient
identifying information. The provisions applied to paper records and
electronic records.
Consistent with the amendment enacted in the CARES Act and codified
at 42 U.S.C. 290dd-2(j), the final rule applies breach notification
requirements to ``unsecured records'' in the same manner as they
currently apply to ``unsecured PHI'' in the Breach Notification Rule,
including specific requirements related to the manner in which breach
notification is provided. We are not making any additional
modifications to align the HIPAA Security Rule and part 2 at this time,
but will take these comments into consideration in potential future
rulemaking.
Comment
A few HIEs/HIE associations urged the Department to add new
language to Sec. 2.13 that expressly provides: ``[c]onsent revocation.
If a patient revokes a consent, the consent revocation is only
effective to prevent additional disclosures from the part 2 program(s)
to the consent recipient(s). A recipient is not required to cease using
and disclosing part 2 records received prior to the revocation.''
The commenters believed that adding this language to Sec. 2.13
would mitigate part 2 program concerns that they might be held
accountable for a recipient's continued use and disclosure of
previously disclosed part 2 program records. The Department sought
comment on whether it should require part 2 programs to inform an HIE
when a patient revokes consent for TPO so that additional uses and
disclosures by the HIE would not be imputed to the
[[Page 12515]]
programs that have disclosed part 2 records to the HIE. These
commenters responded that requiring such notification would directly
contradict the Department's statements in the preamble to the NPRM--and
the purpose of the CARES Act--because a notification implies that it
would be unlawful for the HIE to continue to use and disclose the part
2 records it received prior to revocation. A better approach according
to these commenters would be to clarify in the part 2 regulations what
is and is not permitted after a revocation.
Response
Revocation of consent is associated with a patient's wish to modify
or rescind previously granted written consent provided under Sec. 2.31
in subpart C. We do not agree that stating revocation requirements in
this section would clarify these requirements and those issues are
addressed in the discussion of Sec. 2.31.
Comment
A medical professionals association generally supported the
alignment of redisclosure processes with HIPAA. The commenter also
supported prohibiting redisclosures of records for use in civil,
criminal, administrative, and legal proceedings. Along with increased
patient and provider education about disclosure and data protection,
the association further encouraged the Department to support the
development of technological infrastructure to manage these data once
disclosed.
Response
We appreciate this comment on the Department's proposed changes. We
have revised the part 2 redisclosure requirements to align more closely
with HIPAA requirements with respect to disclosures of PHI. We clarify
applicability of these changes to business associates and covered
entities. Subject to limited exceptions, such redisclosed records
cannot be used in any civil, criminal, administrative, or legislative
proceedings by any Federal, State, or local authority against the
patient, unless authorized by the consent of the patient.
Final Rule
The final rule adopts the changes to Sec. 2.13 as proposed,
including removing paragraph (d) and redesignating it as Sec. 2.24
(Requirements for intermediaries).\171\
---------------------------------------------------------------------------
\171\ The changes to the remaining provisions of Sec. 2.13 are
non-substantive and are included in the amendatory language in the
last section of this final rule.
---------------------------------------------------------------------------
Section 2.14--Minor Patients
Proposed Rule
The Department proposed to change the verb ``judges'' to
``determines'' to describe a part 2 program director's evaluation and
decision that a minor lacks decision making capacity, which can lead to
a disclosure to the patient's parents without the patient's consent.
This change is intended to distinguish between the evaluation by a part
2 program director about patient decision making capacity and an
adjudication of incompetence made by a court, which is addressed in
Sec. 2.15. The Department also proposed a technical edit to Sec.
2.14(c)(1) to correct a typographical error from ``youthor'' to ``youth
or.''
The Department also proposed to substitute the term ``person'' for
the term ``individual'' in Sec. 2.14(b)(1) and (2), (c) introductory
text, and (c)(1) and (2), respectively.
Overview of Comments
The Department received general support for its proposed changes to
Sec. 2.14. However, some commenters expressed concern about certain
proposed changes or requested additional clarity, as described below.
Comment
An HIE association urged the Department to align the part 2
requirements regarding minors with the state-based requirements
regarding minor access, consent, and disclosure of their health
records. The commenter noted that some states have stringent rules for
when a minor patient can control different sections of their health
record and urged the Department to engage with patient advocacy
organizations to fully understand the implications of the minor consent
provisions in part 2.\172\ Another commenter noted that jurisdictions
vary with respect to the age of majority, who is considered a legal
guardian or authorized representative, emancipated minors, and specific
consent for special health services (e.g., HIV testing, reproductive
services, mental and behavioral health). Commenters cited examples of
states such as California, which they perceived to have strong consent
and privacy provisions for minors and argued that it was important that
part 2 foster alignment between consent to receive care and access to
medical information by the person authorized to provide consent to
treatment.
---------------------------------------------------------------------------
\172\ See, e.g., Marianne Sharko, Rachael Jameson, Jessica S.
Ancker, et al., ``State-by-State Variability in Adolescent Privacy
Laws,'' Pediatrics (May 9, 2022), https://doi.org/10.1542/peds.2021-053458.
---------------------------------------------------------------------------
Response
We acknowledge that regulations and statutes pertaining to
behavioral health, including treatment and access to records by those
who consent, differ by state.\173\ The Department has previously
highlighted that Sec. 2.14 states that ``these regulations do not
prohibit a part 2 program from refusing to provide treatment until the
minor patient consents to the disclosure necessary to obtain
reimbursement, but refusal to provide treatment may be prohibited under
a state or local law requiring the program to furnish the service
irrespective of ability to pay.'' \174\ State laws may also vary with
respect to access to records by parents or caregivers. As provided in
Sec. 2.20 (Relationship to state laws), part 2 ``does not preempt the
field of law which they cover to the exclusion of all state laws in
that field.'' Thus, states may impose requirements for consent,
including for minors, that are more stringent than what Federal
regulations may require. The Department understands that there exist
variations among jurisdictions concerning minor and parent or guardian
consent requirements. Part 2 programs and other regulated entities are
advised to seek legal advice on the application of their state and
local laws when appropriate.
---------------------------------------------------------------------------
\173\ Id. See also ``TAC Assessment Working Paper: 2016
Compilation of State Behavioral Health Patient Treatment Privacy and
Disclosure Laws and Regulations,'' supra note 122. See also, 82 FR
6079 (Jan. 18, 2017).
\174\ 82 FR 6052, 6083.
---------------------------------------------------------------------------
Comment
One commenter urged the Department to proactively partner with
states to design state-specific educational resources and tools to
expedite access to SUD treatments. The commenter cited as one example
the New York Civil Liberties Union 2018 pamphlet entitled ``Teenagers,
Health Care and the Law: A Guide to Minors' Rights in New York State''
as one helpful resource.\175\ Other commenters also urged the
Department to provide guidance about minor consent in relation to
Medicaid, the Children's Health Insurance Program (CHIP), and other
health coverage programs.
---------------------------------------------------------------------------
\175\ New York Civil Liberties Union, ``Guide: Teenagers, Health
Care, and the Law (English and Spanish)'' (Oct. 2, 2018), https://www.nyclu.org/en/publications/guide-teenagers-health-care-and-law-english-and-spanish.
---------------------------------------------------------------------------
Response
The Department appreciates examples of what commenters view as
relevant or
[[Page 12516]]
helpful resources and publications but does not necessarily endorse the
content of specific publications not developed or reviewed by HHS. We
will consider what additional guidance from HHS may be helpful after
this rule is finalized.
Comment
Commenters generally supported the proposed change from ``judges''
to ``determines'' to better distinguish a part 2 program director's
evaluation and decision that a minor lacks decision-making capacity
from when a court adjudicates (i.e., judges) a patient as lacking
decision-making capacity. But one association noted that in addition to
the Federal regulation, states can also have their own requirements
related to minors, decision-making capacity, and their ability to make
independent decisions regarding care and treatment. The commenter
believed that part 2 programs, consumers, and other stakeholders could
benefit from the Department discussing the Federal standard in the
preamble to final regulations or in future guidance discussing how
states can align with the standard and potential areas for Federal and
state conflicts. Other commenters also urged the Department to provide
additional guidance on the intersection of state and Federal laws,
including for minors out of state and receiving SUD treatment.
Response
The Department appreciates the comments about changing ``judges''
to ``determines'' and will consider what additional guidance on these
issues may be helpful after this rule is finalized.
Comment
Commenters supported the proposal to remove the term
``incompetent'' and instead refer to patients who lack the capacity to
make health care decisions to distinguish between lack of capacity and
adjudication of incompetence.
Response
The Department appreciates the comments on this proposed change.
Comment
Commenters emphasized the importance of minors being able to
control their health records but also ensuring that parents and
guardians do not face unnecessary barriers to obtaining SUD treatment
for youth in their care. Providers, one commenter asserted, are
reluctant or even unwilling to include parents and guardians in
treatment, even when their clinical judgment would dictate otherwise.
Response
The Department agrees that it is important for minors to have input
concerning the use and disclosure of their health records in a manner
that is consistent with state law. The Department also has emphasized
both with respect to HIPAA and part 2 that parents, guardians, and
other caregivers should not face unnecessary barriers in supporting a
loved one's care.\176\ SAMHSA has published resources for families
coping with mental health and SUDs and OCR has issued guidance for
consumers and health professionals on HIPAA and behavioral health.\177\
---------------------------------------------------------------------------
\176\ See ``Frequently Asked Questions: Applying the Substance
Abuse Confidentiality Regulations to Health Information Exchange
(HIE),'' supra note 150; U.S. Dep't of Health and Human Servs.,
``Personal Representatives and Minors,'' https://www.hhs.gov/hipaa/for-professionals/faq/personal-representatives-and-minors/index.html.
\177\ See Substance Abuse and Mental Health Services
Administration, ``Resources for Families Coping with Mental and
Substance Use Disorders'' (Mar. 14, 2023), https://www.samhsa.gov/families; U.S. Dep't of Health and Human Servs., ``The HHS Office
for Civil Rights Responds to the Nation's Opioid Crisis'' (Mar. 11,
2021), https://www.hhs.gov/civil-rights/for-individuals/special-topics/opioids/index.html.
---------------------------------------------------------------------------
Comment
To allow for meaningful care coordination for minors, a state
agency urged the Department to modify proposed Sec. 2.14(b)(2) as
follows: ``[w]here state law requires parental consent to treatment,
any consent required under this Part may be given by the minor's
parent, guardian, or other person authorized under state law to act on
the minor's behalf only if: * * *.''
Response
We appreciate the suggestion; however, because we did not propose
modifications to this language or request public comment related to it,
making this change would be outside the scope of this rulemaking. For
purposes of this rulemaking, finalizing the existing language, without
modification, accurately reflects the current balance between part 2
confidentiality requirements and state legal requirements concerning
minor consent.
Comment
One commenter expressed concern that, in their view, part 2
provides no options for part 2 providers to involve parents or
guardians in a minor's treatment without the minor's consent, even
where state law explicitly permits such involvement or even requires
providers to make determinations about the appropriateness of a parent
or guardian's involvement. The commenter urged the Department to align
Sec. 2.14 with provisions in the Privacy Rule permitting access to
treatment records if a minor consents to care as provided under state
law.
Response
The Department acknowledges the complexity of the intersection of
part 2 and state requirements concerning minor consent, including
parental or caregiver involvement. After this rule is finalized, the
Department may provide additional guidance on these issues. Part 2, in
part, provides that ``[w]here state law requires consent of a parent,
guardian, or other individual for a minor to obtain treatment for a
substance use disorder, any written consent for disclosure authorized
under subpart C of this part must be given by both the minor and their
parent, guardian, or other individual authorized under state law to act
in the minor's behalf.'' The Department has published relevant
resources for families and guidance on applying behavioral health
privacy laws to mental health and SUDs.\178\
---------------------------------------------------------------------------
\178\ See, e.g., The Ctr. of Excellence for Protected Health
Info., ``Families and minors,'' https://coephi.org/topic/families-and-minors/.
---------------------------------------------------------------------------
Comment
With respect to the role of part 2 program director, one
association of medical professionals asserted that the decision-making
of a minor should be made in consultation with the treatment plan team
and not in isolation by a part 2 program director.
Response
The Department appreciates this input on clinician-based decisions
about patients. While the part 2 program director has specific
responsibilities under this section, the Department would expect most
part 2 programs to have protocols detailing the program director's role
and consultation with others on the treatment team as needed. As the
person with authority over the part 2 program, the director would be
responsible for how the program operates, so we do not view additional
regulatory requirements as necessary.
Final Rule
The Department is finalizing all proposed changes to Sec. 2.14
without further modification. This includes a technical edit in Sec.
2.14(c)(1) to correct a typographical error from ``youthor'' to ``youth
or'' and changing the verb ``judges'' to ``determines'' to describe a
part 2 program director's evaluation and decision that a minor lacks
decision making capacity that could lead to a
[[Page 12517]]
disclosure to the patient's parents without the patient's consent.
Section 2.15--Patients Who Lack Capacity and Deceased Patients
Proposed Rule
The Department proposed to replace outdated terminology in this
section that referred to ``incompetent'' patients, refer to the ``use''
of records in addition to disclosures, and to substitute the term
``person'' for the term ``individual'' as discussed above in relation
to Sec. 2.11 (Definitions). The Department further proposed to clarify
that paragraph (a) of this section refers to a lack of capacity to make
health care decisions as adjudicated by a court while paragraph (b)
refers to lack of capacity to make health care decisions that is not
adjudicated by a court, and to add health plans to the list of entities
to which a part 2 program may disclose records without consent to
obtain payment during a period when the patient has an unadjudicated
inability to make decisions. We also proposed updates to paragraph (b)
of this section concerning consent by personal representatives.
Comment
A health plan commenter supported inclusion of health plans to the
list of entities to which a part 2 program can disclose records when a
patient lacks capacity. An association of medical professionals also
supported adding health plans to the list of entities to which a part 2
program may disclose records without consent when a patient lacks
capacity to make health care decisions to ensure that part 2 programs
receive appropriate and timely payment for their services. A health
system expressed general support for our proposed changes.
Response
We appreciate the comments on the proposed changes.
Comment
An association of medical professionals supported the proposed
change from ``incompetent patients'' to ``patients who lack capacity to
make health care decisions,'' whether adjudicated or not. The commenter
also supported the addition of health plans to the list of entities to
which a program may disclose records without consent. The commenter
also said that families often request the records of deceased patients
and there does not appear to be a consistent policy about this among
SUD treatment centers. It would be helpful to have this matter
addressed.
Response
We appreciate the comment on our proposed changes. With respect to
deceased patients, part 2 regulations as finalized ``do not restrict
the disclosure of patient identifying information relating to the cause
of death of a patient under laws requiring the collection of death or
other vital statistics or permitting inquiry into the cause of death.''
Additionally, the regulations state that ``[a]ny other use or
disclosure of information identifying a deceased patient as having a
substance use disorder is subject to the regulations in this part. If a
written consent to the use or disclosure is required, that consent may
be given by the personal representative.'' In the preamble for Sec.
2.11 of this rule, we discuss applying the HIPAA definition of
``personal representative.'' We have stated in guidance for the HIPAA
Privacy Rule that ``[s]ection 164.502(g) provides when, and to what
extent, [a] personal representative must be treated as the individual
for purposes of the [HIPAA Privacy] Rule.'' \179\ Section 164.502(g)(2)
requires a covered entity to treat a person with legal authority to act
on behalf of an adult or emancipated minor in making decisions related
to health care as the individual's personal representative with respect
to PHI relevant to such personal representation.\180\ The definition in
this rule mirrors language in the HIPAA Privacy Rule at 45 CFR
164.502(g).
---------------------------------------------------------------------------
\179\ U.S. Dep't of Health and Human Servs., ``Personal
Representatives'' (Sept. 19, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html.
\180\ Id. See also, ``Personal Representatives and Minors,''
supra note 176.
---------------------------------------------------------------------------
Comment
An association of medical professionals supported the proposed
changes but urged the Department to reduce confusion and avoid
potential conflicts with state law by amending Sec. 2.15(b)(2) to
clarify that this section only applies if there are no applicable state
laws governing surrogate decision making.
Response
We decline to modify this section to refer to state law
requirements, as we discuss intersections with state law in Sec. 2.20
and we do not anticipate that the definition of ``personal
representative,'' which mirrors the standard in the HIPAA regulations,
will conflict with state law requirements.
Comment
One commenter believed that even though the NPRM addressed the
issue of a patient's lack of capacity to sign an informed consent, it
failed to address circumstances involving diminished capacity
associated with intoxication, withdrawal, medication induction, and
early phases of treatment. The commenter asserted that addressing the
issue of temporary diminished capacity is critical to the proposed
perpetual consent for TPO purposes promoted by the NPRM. The commenter
also stated that relying on a single enduring consent made at a time
when a person is most vulnerable and cognitively compromised is
unethical, and that a signed consent around the time of treatment entry
should be valid for no more than six months. According to this
commenter, it is important to stress that the authority of the part 2
program director to exercise the right of the patient to consent to
uses and disclosures of their records is restricted to that period
where the patient suffers from a medical condition that creates a lack
of capacity to make knowing or effective health care decisions on their
own behalf. Further, according to this commenter, that authority is
limited to obtaining payment for services from a third-party payer or
health plan, and should not extend more than 30 days. After such time,
the part 2 program director should seek a court order, according to the
commenter.
Response
We agree with the commenter that, as stated in the regulation, the
part 2 program director's authority in Sec. 2.15(a)(2) extends only to
obtaining payment for services from a third-party payer or health plan.
In some cases, a patient who has diminished capacity due to
overdose, intoxication, withdrawal, or other medical conditions may be
considered by a medical provider to be experiencing a ``bona fide
medical emergency in which the patient's prior written consent cannot
be obtained.'' \181\ As the Department explained in preamble to its
final 2020 rule,\182\ under Sec. 2.51, disclosures of SUD treatment
records without patient consent are permitted in a bona fide medical
emergency. Although not a defined term under part 2, a ``bona fide
medical emergency'' most often refers to the situation in which an
individual requires urgent clinical care to treat an immediately life-
threatening condition (including, but not limited to, heart attack,
stroke, overdose), and in which it is infeasible to seek the
individual's consent to release of relevant, sensitive
[[Page 12518]]
SUD records prior to administering potentially life-saving care. In
such cases, the medical emergency provisions of part 2 would apply.
---------------------------------------------------------------------------
\181\ See 42 CFR 2.51 (Medical emergencies).
\182\ 85 FR 42986, 43018.
---------------------------------------------------------------------------
In addition, provisions of Sec. 2.31 (Consent requirements) are
pertinent to this comment. Section 2.31(a)(6) of this final rule
requires that the consent must inform the patient of ``[t]he patient's
right to revoke the consent in writing, except to the extent that the
part 2 program, or other lawful holder of patient identifying
information that is permitted to make the disclosure, has already acted
in reliance on it, and how the patient may revoke consent.'' Thus, a
patient, after their medical condition has been treated, will be able
to modify any part 2 written consent at a later date.
Comment
An academic health system believed that under Sec. 2.15(a)(2),
patients who may lack capacity temporarily, without court intervention,
have no one with the legal authority to consent to uses or disclosures
other than for payment purposes. The commenter viewed this restriction
as inconsistent with both state law and HIPAA and as an outdated and
problematic limitation. The commenter said that at times its part 2
programs admit a patient who lacks capacity temporarily (where there is
no need for court intervention) and permit a surrogate to consent to
treatment as permitted by state law, particularly in the inpatient
context. The commenter added that the regulations should reflect that if a
surrogate or personal representative has the ability under state law to
consent to treatment, then that same surrogate or personal
representative should have the ability to consent to the use and
disclosure of part 2 records regardless of whether there has been an
adjudication by a court. Otherwise, part 2 programs would be admitting
a patient into treatment with no one who has the legal authority to
consent to critical uses or disclosures that are essential or legally
required to operate the part 2 program. According to the commenter,
making this change would also better align part 2 with HIPAA and the
concept that a personal representative has authority under state law to
consent to both treatment and the uses and disclosures of information
related to that treatment.
Response
We refer the commenter to our responses above regarding the part 2
medical emergency provisions that may apply to such circumstances and
to our comments on the definition of personal representative. We
discuss intersections with state law in Sec. 2.20.
Comment
A commenter anticipated that once the proposed rule is finalized,
part 2 programs will begin to utilize existing technologies and
workflows that have been created to comply with HIPAA standards. The
commenter stated that many part 2 programs may require all patients to
sign a global consent as a condition of treatment to take advantage of
these current technologies and workflows that will now be available to
part 2 programs. The commenter expressed concern that, once these part
2 programs change their practices to align with existing technologies
and workflows, there would be no mechanism for a part 2 program to
treat a patient who refuses to sign a global consent. The commenter
suggested that the ``payment only'' limitation in Sec. 2.15(a)(2)
would prevent part 2 programs from offering treatment to those most
vulnerable patients because no one will have the authority to consent
to the use and disclosure of part 2 information. Having a patient
admitted into a part 2 program with no one able to provide TPO consent
that would permit subsequent beneficial redisclosures, may penalize
patients who are most in need of treatment, according to this
commenter.
Another commenter, a health plan association, also urged HHS to
allow the part 2 program director to exercise the patient's right to
consent to any use or disclosure under part 2 when the patient is
incompetent but not yet adjudicated by a court as such. The commenter
stated that the rule should not deprive incompetent persons most in
need of care from the ability to access care and expressed particular
concern about circumstances in which a part 2 program may be the only
mental health provider in the area (e.g., in rural locations). The
commenter stated that part 2 should not prevent part 2 programs from
divulging information without which the incompetency adjudication
process cannot proceed; otherwise, part 2 would create a barrier to
access to care for incompetent patients because the information the
part 2 program has might be the only information that would enable an
adjudication of incompetence. The ``medical emergency'' exception, the
commenter asserted, would sometimes be of little use if the emergency
providers to whom information is disclosed cannot obtain consent to
render care, and a court adjudication of incompetency is impossible to
achieve without part 2 program information.
Additionally, the commenter found that the proposed rule did not
address advance directives like durable powers of attorney that do not
involve court adjudication but physician adjudication to trigger the
provisions conferring authority to the patient's personal
representative. Therefore, according to the commenter, Sec. 2.15(a)(2)
should read: ``[i]n the case of a patient, other than a minor or one
who has been adjudicated as lacking the capacity to make health care
decisions, that for any period suffers from a medical condition that
prevents knowing or effective action on their own behalf, the part 2
program director may exercise the right of the patient to consent to a
use or disclosure under subpart C of this part.''
Response
As noted above, the part 2 medical emergency provisions may apply
to the circumstances described by the commenter if a patient cannot
consent to treatment due to a bona fide medical emergency. Absent a
medical emergency, under Sec. 2.15(a)(2) the part 2 program director
may exercise the right of the patient to consent to disclosure for the
sole purpose of obtaining payment for services from a third-party payer
for an adult patient who for any period suffers from a medical
condition that prevents knowing or effective action on their own
behalf. Consistent with the Privacy Rule's provisions on personal
representatives, we state in Sec. 2.11 that a personal representative
means a person who has authority under applicable law to act on behalf
of a patient who is an adult or an emancipated minor in making
decisions related to health care. Also, consistent with the Privacy
Rule, a personal representative under part 2 would have authority only
with respect to patient records that are relevant to such personal
representation.
Comment
A state agency recommended modifying Sec. 2.15(a) to specifically
address adult patients who lack capacity, but have appointed a personal
representative. This change, according to the commenter, would allow
for better care and coordination for patients who have a personal
representative.
Response
We believe our modifications to Sec. 2.15(a) as finalized in this
rule respond to the commenter's concerns about the role of the personal
representative. We decline to make additional changes to this section
as requested by the commenter because the
[[Page 12519]]
new definition of ``personal representative'' defers to state law.
Comment
A health plan commenter stated that when a patient has an
unadjudicated inability to make decisions due to a medical condition,
this section of the final rule should clarify that patients would be
allowed to request that their billing information not be sent to a
health plan if the patient (or third party other than the health plan)
agrees to pay for services in full. The commenter also expressed
concern about a general lack of guidance on how proof of an
unadjudicated inability to make decisions (other than in an emergency)
would be documented and sought further clarification. The commenter
asked the Department to confirm that a health plan would not be
required to (1) confirm how consent was obtained and (2) treat SUD
information of patients who lack capacity in a special manner--for
example, through specialized documentation and other procedures--or
differently from information of patients who directly provided consent.
The commenter said that these changes would help facilitate treatment
and payment for patients who lack capacity temporarily, which may lead
to more timely care and better outcomes. According to this commenter,
relying on a part 2 program director's expertise to determine the
patient's present capacity would facilitate more timely care decisions
and reduce burden on health plans.
Response
We discuss consent provisions elsewhere in this rule. We confirm
that this final rule does not create new requirements for special or
unique treatment of SUD information of patients who lack capacity.
As we discuss above, when a patient suffers from a medical
condition that prevents knowing or effective action on their own behalf
for any period, the part 2 program director may exercise the right of
the patient to consent to a use or disclosure under subpart C for the
sole purpose of obtaining payment for services from a third-party payer
or health plan. If a part 2 program director believes that this step is
unnecessary after speaking with the patient or others, the director may
choose not to exercise this right. If a patient has an unadjudicated
inability to make decisions due to a medical condition that prevents
them from knowing or taking action, he or she may be unable to consent
to or refuse consent to a use or disclosure for the sole purpose of
obtaining payment for services from a third-party payer or health plan;
in such circumstances, the part 2 program director's ability to
exercise the patient's right to consent for the sole purpose of
obtaining payment may apply.
Final Rule
In addition to finalizing changes such as replacing
``individual'' with ``person'' and referring to ``use'' in addition to
``disclosures,'' we are finalizing the proposal to remove the term
``incompetent'' in this section and refer instead to patients who lack
capacity to make health care decisions. We also are finalizing the
proposal to clarify that paragraph (a) of this section refers to lack
of capacity to make health care decisions as adjudicated by a court
while paragraph (b) refers to lack of capacity to make health care
decisions that is not adjudicated, and to add health plans to the list
of entities to which a part 2 program may disclose records without
consent to obtain payment during a period when the patient has an
unadjudicated inability to make decisions. We also are finalizing
updates to paragraph (b) of this section concerning deceased patients
and consent by personal representatives.
Section 2.16--Security for Records and Notification of Breaches
Overview of Rule
Section 2.16 (Security for records) contains several requirements
for securing records. Specifically, Sec. 2.16(a) requires a part 2
program or other lawful holder of patient identifying information to
maintain formal policies and procedures to protect against unauthorized
uses and disclosures of such information, and to protect the security
of this information. Section 2.16(a)(1) and (2) set forth minimum
requirements for what these policies and procedures must address with
respect to paper and electronic records, respectively, including, for
example, transfers of records, maintaining records in a secure
location, and appropriate destruction of records. Section 2.16(a)(1)(v)
requires part 2 programs to implement formal policies and procedures to
address removing patient identifying information to render it non-
identifiable in a manner that creates a low risk of re-identification.
The current part 2 requirements for maintaining the security of
records are limited to these provisions requiring policies and
procedures. In contrast, the HIPAA regulations include a HIPAA Security
Rule with specific standards and implementation specifications for how
covered entities and business associates are required to safeguard
ePHI. Part 2 does not have similar requirements.
Application of Part 2 Security Requirements to Lawful Holders
Current Sec. 2.16 applies security requirements to part 2 programs
and lawful holders. The term ``lawful holder'' is a recognized term
that is applied in several part 2 regulatory provisions; however, it is
not defined in regulation. Generally, it refers to ``an individual or
entity who has received such information as the result of a part 2-
compliant patient consent (with a prohibition on re-disclosure) or as a
result of one of the exceptions to the consent requirements in the
statute or implementing regulations and, therefore, is bound by 42 CFR
part 2.'' \183\
---------------------------------------------------------------------------
\183\ See 82 FR 6052, 6068; See also 81 FR 6988, 6997.
---------------------------------------------------------------------------
The Department sought public comment on whether security
requirements should apply uniformly across all persons who receive part
2 records pursuant to consent such that certain failures, such as a
failure to have ``formal policies and procedures'' or to ``protect''
against threats, would result in the imposition of civil or criminal
penalties against all persons who receive these records pursuant to
consent. The Department's request for comment in this regard asked,
``whether the requirements of this section that apply to a lawful
holder should in any way depend on the level of sophistication of a
lawful holder who is in receipt of Part 2 records by written consent,
or should depend on whether the lawful holder is acting in some
official or professional capacity connected to or related to the Part 2
records.''
Comment
One commenter, an association of medical professionals, opined
that all entities that hold personal health information should be
required to notify persons when their information is breached, but also
that breach rules must not hold parties responsible for the actions of
other parties over whom they do not have control.
Response
We agree with the sentiments expressed in this comment and assume
that the commenter's use of the term ``entity'' is referring to an
organizational or professional entity and not an individual acting in a
personal capacity. The final rule requires part 2 programs to provide
breach notification for breaches of part 2 records in the same manner
as breach notification is
[[Page 12520]]
required for breaches of PHI, which would include breaches of part 2
records held on behalf of a program by QSOs or business associates.
Under HIPAA, a business associate is required to notify a covered
entity of breaches and we believe part 2 programs that are not covered
entities could obligate their QSOs to notify the programs of breaches
through contractual provisions. A part 2 program would not be
responsible for breaches by QSOs or business associates. However, the
part 2 program is responsible under this rule for having in place
contractual requirements to ensure that it is timely notified of a
breach by such entities so that it can meet its obligations to notify
affected individuals.
Comment
A few commenters, including a managed care organization and a
county health department, opined that it is appropriate to apply breach
notification requirements to QSOs. Another commenter, a health plan,
requested confirmation from the Department that the part 2 breach
notification requirements are the same as the requirements under the
HIPAA Breach Notification Rule, and also sought confirmation that the
requirements would not apply to lawful holders who are caregivers not
acting in a professional capacity.
Response
Our close review of the statute leads us to believe that there is
no authority to apply notification requirements to QSOs as they are
applied to business associates under the HIPAA Breach Notification
Rule. We also agree that non-professional lawful holders, such as
family members, friends, or other informal caregivers, are not the same
as lawful holders acting in a professional capacity. However, non-
professionals should nonetheless take reasonable steps to protect
records in their custody.
Final Rule for Lawful Holders and Security of Records
We are re-organizing Sec. 2.16(a) and finalizing additional
language to clarify to whom the security requirements apply.
Specifically, we are creating a new exception for certain lawful
holders in new paragraph (a)(2) that expressly excludes ``family,
friends, and other informal caregivers'' from the requirements to
develop formal policies and procedures. We expect that informal
caregivers and other similar lawful holders who would be subject to
this exception still recognize some responsibility to safeguard these
sensitive records and exercise caution when handling such records. We
clarify here that while we are not making informal caregivers subject
to the final rule requirements to develop formal policies and
procedures, we do encourage all lawful holders to protect records. For
example, informal caregivers should at least take reasonable steps to
protect the confidentiality of patient identifying information.
We are finalizing breach notification requirements for part 2
programs; lawful holders are not subject to breach notification
requirements.
De-Identification
Proposed Rule
Section 3221(c) of the CARES Act required the Department to apply
the HIPAA standard in 45 CFR 164.514(b) for de-identification of PHI to
part 2 for the purpose of disclosing part 2 records for public health
purposes. To further advance alignment with HIPAA and reduce burden on
disclosing entities, the Department proposed to apply 45 CFR 164.514(b)
to the existing de-identification requirements in part 2: Sec. Sec.
2.16 (Security for records) and 2.52 (Research) (discussed below).
Specifically, the Department proposed to modify Sec. 2.16(a)(1)(v)
(for paper records) and (a)(2)(iv) (for electronic records), to read as
follows: ``[r]endering patient identifying information de-identified in
accordance with the requirements of the [HIPAA] Privacy Rule at 45 CFR
164.514(b), such that there is no reasonable basis to believe that the
information can be used to identify a patient as having or having had a
substance use disorder.''
As proposed, this provision would permit part 2 programs to
disclose records de-identified in accordance with the implementation
specification in the HIPAA Privacy Rule (i.e., the expert determination
method or the safe harbor method) but the provision does not reference
the HIPAA Privacy Rule standard at 45 CFR 164.514(a) that the
implementation specification is designed to achieve--that the
information is de-identified such that there is no reasonable basis to
believe that the information disclosed can be used to identify an
individual.
Comment
Many commenters expressed support for the Department's de-
identification proposal citing a variety of reasons. One health system,
stating that many part 2 programs are embedded within covered entities
or share workforces with such programs, commented that de-
identification standards within part 2 consistent with the HIPAA
Privacy Rule would reduce workforce confusion, inadvertent non-
compliance, and unintentional leaks of confidential information. A
government agency commented that the express alignment with the HIPAA
Privacy Rule was a welcome clarification that would protect the privacy
and confidentiality of SUD patients. An individual commented that it
would be prudent to enact the standards in 45 CFR 164.514(b) to offer
more protection to patients and that doing so would not create adverse
consequences. A managed care organization suggested that HIPAA provided
an appropriate existing regulatory standard for rendering part 2
records non-identifiable. A few commenters, all health systems that
partly specialize in providing SUD services, expressed strong support
for the proposal and the principle that programs should not be required
to obtain consent from individuals prior to de-identifying their
information.
Response
We appreciate these comments.
Comment
Some commenters, including a health IT vendor and a few health
information management associations, expressed support for the
Department's proposal but also urged the Department to ``fully align''
the part 2 de-identification standard with the HIPAA Privacy Rule. For
example, one of these commenters opined that the language ``such that
there is no reasonable basis to believe that the information can be
used to identify a patient as having or having had a substance use
disorder'' is not the HIPAA de-identification standard, and that the
Department should instead use the exact language of HIPAA. Other
commenters urged the Department to expressly clarify that both the
HIPAA safe harbor method and expert determination method could satisfy
the proposed de-identification requirements for part 2 records. A
behavioral health advocacy organization asked the Department to clarify
that the definition of part 2 ``records'' does not include de-
identified records consistent with the HIPAA Privacy Rule's treatment
of de-identified health information.
Response
We agree that, as drafted, the Department's proposal does not fully
align with the regulatory text of the full de-identification standard
in the HIPAA Privacy Rule, which includes paragraphs (a) and (b) of 45
CFR 164.514. We clarify here that by
[[Page 12521]]
incorporating the HIPAA standard codified at 45 CFR 164.514(b), either
method of de-identification of PHI can be used to de-identify records
under part 2. We also note here a critical difference between the
definitions of PHI under the HIPAA Privacy Rule and records in this
part. The definition of PHI is grounded in the recognition that it is
``individually identifiable health information.'' \184\ The HIPAA
Privacy Rule standard for de-identification therefore renders PHI no
longer ``individually identifiable.'' In this part, the definition of
records does not refer to ``individually identifiable'' information,
but rather information ``relating to a patient'' and is already
understood to relate to SUD records. The final rule modifies the de-
identification standard in Sec. 2.16(a)(1)(v) (for paper records) and
(a)(2)(iv) (for electronic records) so it aligns more closely with the
HIPAA language such that the de-identified part 2 information cannot be
``used to identify a patient.''
---------------------------------------------------------------------------
\184\ See 45 CFR 160.103 (definition of ``Protected health
information'').
---------------------------------------------------------------------------
Comment
A few HIEs asked the Department to re-examine the ``base minimum''
standards for de-identified data, opining that some data may be
anonymized for some algorithms, but as technology continues to improve,
``de-identification in perpetuity'' is truly unknown, and therefore the
proposed standard may still represent a privacy risk for patients.
Response
The Department acknowledges the concerns about the burgeoning
ability of some technologists to re-identify data stored in large data
sets. The Department is committed to monitoring these issues as it
works to determine their application to the HIPAA and part 2 de-
identification standards.
Comment
One commenter, a health system, suggested that the Department make
explicit the right to use part 2 records for health care operations to
create a de-identified data set without patient consent. Another
commenter, a health plan, recommended that the Department remove the
requirement to obtain express written consent to create a de-identified
data set because it conflicts with the HIPAA Privacy Rule, is
counterproductive, and confuses patients when they receive a notice
requesting consent to use their SUD data once de-identified.
Response
We appreciate the comment, but are constrained by the authorizing
statute at 42 U.S.C. 290dd-2, which sets forth the circumstances for
which records subject to part 2 may be disclosed. Where part 2 programs
are not disclosing to a covered entity, the CARES Act amendments did
not rescind the requirement to obtain consent prior to disclosing
records for TPO.\185\
---------------------------------------------------------------------------
\185\ The HIPAA term also includes a description of the
activities that are excluded as not constituting a breach, and an
explanatory paragraph that applies a breach presumption when an
``acquisition, access, use, or disclosure'' of PHI occurs in a
manner not permitted under the HIPAA Privacy Rule, and that fails to
demonstrate a low probability of breach based on breach risk
assessment. See discussion of proposed definition of the term
``breach'' above.
---------------------------------------------------------------------------
Comment
One commenter, an industry trade association for pharmacies,
commented that Sec. 2.16 should simply refer to rendering the patient
identifying information de-identified where practicable, and then
define ``de-identified'' in Sec. 2.11 as data which meets the
standard for de-identification under HIPAA.
Response
The proposed regulatory text is consistent with the intent
expressed by the commenter, but still comports with the language
required by the CARES Act for disclosures for public health activities.
We therefore believe that we are finalizing a more workable standard
because it is uniform across the regulation.
Comment
Several commenters opposed the proposed de-identification standard
for various reasons. A privacy advocacy organization commented that the
target HIPAA standard is outdated and needs ``tightening.'' A few HIE
organizations commented that the proposal would materially and
detrimentally affect the use of SUD information from part 2 records in
limited data sets. These organizations interpreted the current part 2
regulations to only require removal of ``direct identifiers'' and
believed that, under HIPAA, a limited data set can be used and
disclosed for research, public health, and health care operations
activities if the recipient agrees to a HIPAA data use agreement, which
prohibits (among other things) re-identification of individuals. These
organizations further suggested that changing Sec. Sec. 2.16 and 2.52
to require use of the more stringent HIPAA de-identification standard
under 45 CFR 164.514(b) will prevent researchers, public health
authorities, quality improvement organizations, and others from using a
limited data set containing part 2 SUD data. A limited data set is
useful for research, public health, and quality improvement activities
because it permits analysis of health data in connection with certain
identifiers that are relevant to health outcomes, such as age, race,
and gender. Prohibiting use of limited data sets for research involving
part 2 records may ultimately deny SUD patients the benefits of better
and more effective treatments and services. They recommended that the
Department continue to consider limited data sets of SUD records as
non-patient identifying information under part 2 at least for purposes
of research, public health, and health care operations. With respect to
consent models for de-identification, these entities requested that it
be left up to part 2 programs and other lawful holders of part 2 data
to decide--based on their patient populations and business needs--what
is the most effective model for their community.
Response
We acknowledge the relatively large number of commenters raising
the possibility that the Department codify a limited data set option in
this regulation. Because many of these comments were submitted in
response to our proposal to incorporate the same de-identification
standard proposed here into Sec. 2.52 (Scientific research), our
response to the comments on limited data sets and similar comments
related to research are addressed together, below.
Comment
One individual commented that the proposal to re-align de-
identification with HIPAA lowers the part 2 standard from an objective
standard to one that is subjective. The commenter believed that the
phrase ``no reasonable basis to believe'' was subjective and would
decrease the researcher's responsibility. By contrast, the commenter
viewed the existing Sec. 2.52 requirement that information be
de-identified ``such that the information cannot be re-identified and
serve as an unauthorized means to identify a patient'' as a more
objective standard. Another individual commented that the proposed
standard is vague and likely unenforceable.
Response
We disagree with the commenters' characterization of the proposed
change as creating a standard that is subjective or vague and
unenforceable. The HIPAA standard incorporated here clearly
[[Page 12522]]
identifies two methods for de-identifying records, the expert
determination method and the safe harbor method, which set forth
specific requirements that are long established and well understood in
the health care industry.
Final Rule Related to De-Identification of Records
We agree with commenters who urged the Department to fully align
the de-identification standard in this part with the standard in the
HIPAA Privacy Rule. Whereas the part 2 requirement protected records
identifying a patient as having or having had an SUD, the HIPAA
standard at 45 CFR 164.514(a) protects information that identifies or
can be used to identify an individual. The existing part 2 standard
focuses on protection of a limited number of data points based on one
health condition (i.e., SUD) while HIPAA protects the identity of the
individual in connection with any health care and thus already
incorporates protection of the information in part 2. Because 45 CFR
164.514(a) shields a wider range of data elements from disclosure, it
is more protective of privacy than the existing part 2 de-
identification requirement. By complying with the HIPAA standard, a
part 2 program would also be meeting the requirements of the existing
part 2 de-identification standard.
The final rule incorporates the HIPAA Privacy Rule de-
identification standard in 45 CFR 164.514(b) into Sec. 2.16 as
proposed, and further modifies paragraph (a) of this section to more
fully align with the complete HIPAA de-identification standard,
including language that is similar to that in the HIPAA Privacy Rule at
45 CFR 164.514(a). To achieve this, we are deleting the existing part 2
phrase ``as having or having had a substance use disorder'' and
retaining the phrase ``such that there is no reasonable basis to
believe that the information can be used to identify a particular
patient.'' Section 2.16(a)(1)(v) and (a)(2)(iv) are now modified as
Sec. 2.16(a)(1)(i)(E) and (a)(1)(ii)(D) and read as ``[r]endering
patient identifying information de-identified in accordance with the
requirements of 45 CFR 164.514(b) such that there is no reasonable
basis to believe that the information can be used to identify a
particular patient.'' We removed the language ``the HIPAA Privacy
Rule'' from in front of the regulatory references to 45 CFR 164.514(b)
because we believe it unnecessary and for consistency throughout this
final rule.
By adopting the same de-identification standard as we are required
to adopt for public health disclosures (in new Sec. 2.54) into this
provision (and in Sec. 2.52 for scientific research purposes,
discussed below), we provide a uniform method for de-identifying part 2
records for all purposes and provide more privacy protection than our
proposed incorporation of only HIPAA 45 CFR 164.514(b). We also make
clear here that the inability to identify an individual, as consistent
with the language in 45 CFR 164.514(a) of HIPAA, includes the inability
to identify them as a person with SUD. The final rule therefore would
include the interpretation that is consistent with our initial
proposal, but we believe it also protects from reidentification a
broader scope of identifiers. This approach is also most responsive to
commenters who generally agreed that the de-identification standards
for both HIPAA and part 2 should completely align.
Breach Notification
Overview
Section 290dd-2(j) of 42 U.S.C., as amended by the CARES Act,
requires the Department to apply the HIPAA breach notification
provisions of the HITECH Act (codified as 42 U.S.C. 17932, Notification
in the case of breach) to part 2 records ``to the same extent and in
the same manner as such provisions apply to a covered entity in the
case of a breach of unsecured protected health information.'' Paragraph
(k)(1) of 42 U.S.C. 290dd-2 incorporated a definition of the term
breach, giving it the same meaning as under the HIPAA regulations. The
HIPAA Breach Notification Rule at 45 CFR 164.402 defines breach as
``the acquisition, access, use, or disclosure of protected health
information in a manner not permitted under subpart E of this part
which compromises the security or privacy of the protected health
information.'' \186\ Paragraph (k)(9) of 42 U.S.C. 290dd-2
incorporated a definition of ``unsecured protected health
information,'' giving it the same meaning as under the HIPAA
regulations. The HIPAA Breach Notification Rule defines ``unsecured
protected health information'' to mean PHI ``that is not rendered
unusable, unreadable, or indecipherable to unauthorized persons through
the use of a technology or methodology specified by the Secretary in
the guidance issued under section 13402(h)(2) of Public Law 111-5.''
---------------------------------------------------------------------------
\186\ Id.
---------------------------------------------------------------------------
Paragraph (a) of 42 U.S.C. 17932 contains the HIPAA \187\ breach
notification requirements for covered entities; paragraph (b) requires
a business associate of a covered entity to notify the covered entity
when there is a breach and includes requirements for the notice;
paragraph (c) sets forth the circumstances for when a covered entity or
business associate shall treat a breach as discovered; and paragraphs
(d) through (g) contain requirements related to timeliness of notice,
method of notice, content of notice, and allowance for delay of notice
authorized by law enforcement, respectively. Other paragraphs define
``unsecured PHI,'' set forth requirements for congressional reporting,
and authorize interim regulations. The Department implemented 42 U.S.C.
17932 in the HIPAA Breach Notification Rule codified at 45 CFR 164.400
through 164.414.
---------------------------------------------------------------------------
\187\ The HIPAA Breach Notification Rule, codified at 45 CFR
parts 160 and 164, subparts A and D, implements sec. 13402 of the
HITECH Act (codified at 42 U.S.C. 17932).
---------------------------------------------------------------------------
Proposed Rule
To implement the new requirements in paragraph (j) of 42 U.S.C.
290dd-2, as amended by the CARES Act, the Department proposed to modify
the heading of Sec. 2.16 to add ``and notification of breaches'' and
add a new paragraph Sec. 2.16(b) to require part 2 programs to
establish and implement policies and procedures for notification of
breaches of unsecured part 2 records consistent with the requirements
of 42 U.S.C. 17932. The HIPAA Breach Notification Rule refers to
``unsecured protected health information.'' The existing part 2
regulation does not have a definition of ``unsecured records'' but to
align with HIPAA we proposed such a definition, as discussed in Sec.
2.11, above.
Comment
The commenters who addressed the breach notification proposals
unanimously expressed support for applying breach notification
requirements to part 2, with slightly more than half expressing general
support without further elaboration. Other supportive commenters
expressed additional views, including that the Department's proposal:
implemented the CARES Act; was likely to ensure patient confidentiality
in the same manner as HIPAA; and could provide a ``counterweight'' to
the perceived lessening of part 2 protections brought about by the
CARES Act.
[[Page 12523]]
Response
The Department appreciates these comments.
Comment
Almost half of all commenters on breach notification expressed
support for the proposal but requested clarification or guidance,
especially related to the interaction of newly proposed breach
notification requirements and HIPAA breach notification requirements.
For example, one commenter, a health plan association, recommended that
the Department clarify that if a use or disclosure of part 2 records is
permitted by the HIPAA Privacy Rule, then the same use or disclosure
would not be considered a breach under part 2. This same commenter
requested, in the alternative, that if the activity did amount to a
breach under part 2, the rule should provide that states have the
ability to exempt HIPAA covered entities and business associates from
part 2 breach notification requirements to avoid overlap, confusion, or
conflict among individuals who receive notification. A legal advocacy
association commented that HHS should clarify that the breach
notification requirement applies to disclosures that violate the part 2
standard of confidentiality, and not just disclosures that violate the
HIPAA Privacy Rule, and that the Department should amend the definition
of ``breach'' in Sec. 2.11 or clarify in Sec. 2.16 that patients
should be notified of any acquisition, access, use, or disclosure of
part 2 records in a manner not permitted under 42 CFR part 2. Yet
another commenter, a health system, requested clarification of whether
overlapping breach reporting obligations triggered by an activity that
violated both HIPAA and part 2 would involve communicating with OCR,
SAMHSA, or both.
Response
In the CARES Act, Congress replaced the criminal penalties for part
2 violations with the HITECH civil penalty structure that is applied to
violations of the HIPAA regulations, as well as criminal penalties for
certain violations. The CARES Act did not include an exemption for
persons who are subject to both regulatory schemes, and who commit acts
that violate both regulatory schemes. We expect a new enforcement
process to ensure efficient use of Department agencies' resources,
emphasize bringing entities into compliance with part 2, and avoid
duplicative reporting by part 2 programs.
Comment
We received several comments related to breach notification and the
impact of the proposed effective dates and compliance dates for a final
rule. A hospital association and a health IT vendor recommended that
the Department phase in the breach notification requirements or extend
the period of time for compliance beyond the proposed timeline, noting
that compliance with part 2 is already complex and a potential
deterrent to treating patients with SUD, and that the risk of monetary
penalties would further deter providers from taking on these patients.
One of these commenters also noted that implementing breach
notification capability could be a time-consuming process requiring
time beyond what the Department estimated. Several commenters stated
that many part 2 programs are also subject to HIPAA and thus are
already complying with breach notification, so the proposal would not
create any additional burden for such programs. One commenter believed
that the number of entities or individuals affected by the proposal
(part 2 programs not subject to HIPAA) would be small.
Response
We appreciate the concerns expressed about the potential complexity
of implementing breach notification among this community of providers
but agree that many providers have already implemented breach
notification because they are also covered entities under HIPAA and
that overall, a relatively small number of entities will be affected.
We are mindful, however, that this regulation must also still serve the
community of part 2 programs that are not subject to HIPAA. We remind
such entities that the required compliance date would not occur until
almost two years after the rule becomes effective. These entities may
wish to review existing guidance on breach notification.\188\
---------------------------------------------------------------------------
\188\ See, e.g., U.S. Dep't of Health and Human Servs., ``Breach
Notification Rule'' (July 2013), https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.
---------------------------------------------------------------------------
Comment
One anonymous commenter urged the Department to cease or disallow
part 2 programs, covered entities, and investigative agencies from
relying on TV and newspaper notification avenues because these methods
are no longer likely to be seen by patients, and therefore should not
be treated as meaningful or considered cost effective.
Response
We note at the outset that we have not proposed to make breach
notification applicable to lawful holders such as ``investigative
agencies.'' We agree that breach notification provisions across types
of entities should be uniform. We also believe the commenter's
suggestion is reasonable; however, we believe that more breach
notification options, rather than fewer options, are preferable.
Final Rule
The Department adopts the proposal to add paragraph (b) to Sec.
2.16 to require part 2 programs to establish and implement policies and
procedures for notification of breaches of unsecured part 2 records
consistent with the requirements of 45 CFR parts 160 and 164, subpart
D. First, we believe this provision is consistent with the CARES Act
requirement to apply breach notification to part 2 in the same manner
as it applies to covered entities for breaches of unsecured PHI.
Second, we believe the same public policy objectives of the HIPAA
Breach Notification Rule as applied to covered entities are furthered
by establishing analogous requirements for part 2 programs. In the NPRM
we established those policy objectives as: (1) greater accountability
for part 2 programs through requirements to maintain written policies
and procedures to address breaches and document actions taken in
response to a breach; (2) enhanced oversight and public awareness
through notification of the Secretary, affected patients, and in some
cases the media; (3) greater protection of patients through obligations
to mitigate harm to affected patients resulting from a breach; and (4)
improved measures to prevent future breaches as part 2 programs timely
resolve the causes of record breaches.
Finally, as we discuss in greater detail in Definitions, in Sec.
2.11 above, we are finalizing proposed definitions for ``breach'' and
``unsecured records.'' In addition to the term ``breach'' being
required by the amended statute, we believe incorporating these terms
and definitions, as proposed, helps bring clarity to regulated entities
on how to operationalize breach notification requirements aligned with
HIPAA in part 2. In keeping with these changes, we are finalizing the
proposed modification of the heading of Sec. 2.16 so that it now reads
``Security for records and notification of breaches.''
[[Page 12524]]
Section 2.17--Undercover Agents and Informants
As we discussed above, the final rule adopts the proposed addition
of the language ``or disclosed'' after ``used'' in this section so
that the use and disclosure of part 2 records is prohibited by this
section pursuant to the statutory authority. We did not receive public
comments on this proposal and there are no other substantive changes to
this section.
Section 2.19--Disposition of Records by Discontinued Programs
Proposed Rule
Section 2.19 requires a part 2 program to remove patient
identifying information or destroy the records when a program
discontinues services or is acquired by another program, unless patient
consent is obtained or another law requires retention of the records.
The Department proposed to create a third exception to this general
requirement to clarify that these provisions do not apply to transfers,
retrocessions, and reassumptions of part 2 programs pursuant to the
ISDEAA, to facilitate the responsibilities set forth in 25 U.S.C.
5321(a)(1), 25 U.S.C. 5384(a), 25 U.S.C. 5324(e), 25 U.S.C. 5330, 25
U.S.C. 5386(f), 25 U.S.C. 5384(d), and the implementing ISDEAA
regulations.\189\ The Department also proposed wording changes to
improve readability and modernize the regulation, such as by referring
to ``non-electronic'' records instead of ``paper'' records, and
structural changes to the numbering of paragraphs.
---------------------------------------------------------------------------
\189\ For further information on the ISDEAA, see Indian Health
Service, Title 1, HHS, https://www.ihs.gov/odsct/title1/.
---------------------------------------------------------------------------
Comment
One commenter asserted that the Department's proposed exception to
clarify that these provisions do not apply to transfers, retrocessions,
and reassumptions of part 2 programs pursuant to the ISDEAA is a
logical addition that will promote continuity of patient treatment.
However, the commenter requested further clarification of the rule's
record retention requirements for discontinued or acquired programs,
including the provision that requires labeling stored non-electronic
records with specific regulatory language. The commenter asked if the
reference in the NPRM preamble to ``another law'' that might require
record retention was a reference to HIPAA for covered entities.
Response
The Department appreciates the comments about clarifying in the
final rule that these provisions do not apply to transfers,
retrocessions, and reassumptions of part 2 programs pursuant to the
ISDEAA. Part 2 has long had requirements pertaining to paper records
which were updated in 2017 to apply to electronic records of
discontinued programs as well.\190\
---------------------------------------------------------------------------
\190\ 82 FR 6052, 6076; 81 FR 6987, 6999 (Feb. 9, 2016).
---------------------------------------------------------------------------
When there is a legal requirement that the records be kept for a
period specified by law which does not expire until after the
discontinuation or acquisition of the part 2 program, the dates of
record retention would be reflected in the requirements of that law
under Sec. 2.19(a)(2). The NPRM discussion of this was not intended as
a reference to a specific law, but more generally to records retention
laws which are typically established in state law for medical records.
The HIPAA regulations do not address the time period for retention of
medical records, but contain requirements for how retained records must
be safeguarded. The HIPAA regulations also address retention of
compliance documentation that may be located within a medical record
(such as a signed authorization) or stored separately (such as security
risk analyses). HIPAA Security Rule requirements for proper storage and
security of records also may apply to records maintained by part 2
programs that also are covered entities.\191\
---------------------------------------------------------------------------
\191\ See, e.g., U.S. Dep't of Health and Human Servs.,
``Security Rule Guidance Material'' (June 29, 2023), https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
See also, ``Guidance on Risk Analysis,'' supra note 115; U.S. Dep't
of Health and Human Servs., ``Does the HIPAA Privacy Rule require
covered entities to keep patients' medical records for any period of
time?'' (Feb. 18, 2009), https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html.
---------------------------------------------------------------------------
Comment
Another commenter expressed concern that current EHR systems do not
support removing only part 2 data from one program for a particular
patient or subset of patients, so it may not be technically feasible to
remove patient identifying information or destroy the data as required
by Sec. 2.19. The commenter claimed that the requirements for this
section as described in the NPRM would require EHRs to be redesigned
and therefore recommended alignment with the HIPAA Privacy and Security
Rules. The commenter asserted that the HIPAA Security Rule requires
that covered entities implement policies and procedures that address
the final disposition of ePHI and/or the hardware or electronic media
on which it is stored, as well as to implement procedures for removal
of ePHI from electronic media before the media are made available for
re-use.
Response
We appreciate the feedback. Distinct requirements for disposition
of part 2 records for discontinued programs have existed since
1987.\192\ In 2017 the Department applied this section to electronic
records.\193\ At that time, we cited resources that may support
compliance with this requirement including from OCR (e.g., Guidance
Regarding Methods for De-identification of Protected Health Information
in Accordance with the Health Insurance Portability and Accountability
Act (HIPAA) Privacy Rule) and the National Institute of Standards and
Technology (NIST) (e.g., Special Publication 800-88, Guidelines for
Media Sanitization).\194\ These and other resources developed by OCR,
NIST, ONC, and others can continue to aid compliance with this section.
The Department also notes that part 2 has established distinct
requirements in Sec. 2.19 for disposition of part 2 records that may
be more stringent and specific than those articulated in the HIPAA
Security Rule based on the purposes of part 2 and stigma and
discrimination associated with improper disclosure of SUD records. This
section was updated in the 2020 final rule to apply to use of personal
devices and accounts.\195\
---------------------------------------------------------------------------
\192\ See 52 FR 21796.
\193\ 82 FR 6052, 6076.
\194\ 82 FR 6052, 6075; 81 FR 6987, 6999.
\195\ 85 FR 42986, 42988.
---------------------------------------------------------------------------
Final Rule
The Department is finalizing all proposed changes to this section
without further modification.
Section 2.20--Relationship to State laws
Proposed Rule
Section 2.20 establishes the relationship of state laws to part 2
and provides that part 2 does not preempt the field of law which it
covers to the exclusion of all applicable state laws, but that no state
law may either authorize or compel a disclosure prohibited by part 2.
Part 2 records frequently are also subject to regulation by various
state laws. For example, similar to part 2, state laws impose
restrictions to varying degree on uses and disclosures of records
related to
[[Page 12525]]
SUD \196\ and other sensitive health information, such as reproductive
health, HIV, or mental illness.\197\ The Department stated in the NPRM
its assumption that, to the extent state laws address SUD records, part
2 programs generally are able to comply with part 2 and state law. The
Department requested comment on this assumption and further requested
examples of any circumstances in which a state law compels a use or
disclosure that is prohibited by part 2, such that part 2 preempts such
state law.
---------------------------------------------------------------------------
\196\ See, e.g., Mich. Comp. Laws sec. 333.6111 (expressly
excluding SUD records from an emergency medical service as
restricted); and NJ Rev. Stat. sec. 26:2B-20 (2013) (requiring
records to be confidential except by proper judicial order whether
connected to pending judicial proceedings or otherwise).
\197\ See, e.g., MO Rev. Stat. sec. 191.731 (requiring SUD
records of certain pregnant women remain confidential). Ctrs. for
Disease Control and Prevention, ``State Laws that address High-
Impact HIV Prevention Efforts'' (March 17, 2022), https://www.cdc.gov/hiv/policies/law/states/index.html; ``TAC Assessment
Working Paper: 2016 Compilation of State Behavioral Health Patient
Treatment Privacy and Disclosure Laws and Regulations,'' supra note
122.
---------------------------------------------------------------------------
Comment
Several commenters asserted that complete Federal preemption is
needed on part 2 issues with respect to state law, or barriers to care
coordination will continue to exist. One commenter, a county
government, said that part 2 preemption of state law is a problem in
California because it creates a barrier when parents attempt to obtain
SUD treatment for their minor children over the objection of the minor.
Part 2 prevents disclosure of the minor's records without the minor's
consent. Another commenter believed that part 2 conflicts with state
law regarding state-mandated reporting of types of abuse other than
child abuse (such as elder abuse or domestic violence) and creates a
dilemma for part 2 providers who need to report because there is not a
``required by law'' exception within part 2.
Response
We acknowledge that considerable variation in patient consent laws
exists for minors at the state level and discuss these issues in more
detail in responding to comments regarding Sec. 2.14.\198\ The
Department also notes that state behavioral health privacy laws may
vary.\199\
---------------------------------------------------------------------------
\198\ See ``State-by-State Variability in Adolescent Privacy
Laws,'' supra note 172.
\199\ See ``TAC Assessment Working Paper: 2016 Compilation of
State Behavioral Health Patient Treatment Privacy and Disclosure
Laws and Regulations,'' supra note 122.
---------------------------------------------------------------------------
With respect to reporting abuse and neglect, 42 U.S.C. 290dd-2
expressly states that the prohibitions of part 2 ``do not apply to the
reporting under State law of incidents of suspected child abuse and
neglect to the appropriate State or local authorities.'' However, no
similar references are made to domestic violence, elder abuse, animal
abuse, or other similar activities. Moreover, such changes were not
proposed in the NPRM. Part 2 does, however, permit reporting a crime on
the premises or against part 2 program personnel (Sec. 2.12(c)(5)), or
applying for a court order to disclose confidential communications
about an existing threat to life or serious bodily injury (Sec. 2.62).
The Department also advised in the 2017 rule that ``if a program
determines it is important to report elder abuse, disabled person
abuse, or a threat to someone's health or safety, or if the laws in a
program's state require such reporting, the program must make the
report anonymously, or in a way that does not disclose that the person
making the threat is a patient in the program or has a substance use
disorder.'' \200\ A program could therefore file a report in such a way
that does not note that the subject of the report is a patient in a
part 2 program or has an SUD.
---------------------------------------------------------------------------
\200\ 82 FR 6052, 6071.
---------------------------------------------------------------------------
Comment
One commenter supported balancing the alignment of Federal privacy
law and regulations with HIPAA and applicable state law for the
purposes of TPO. Another commenter believed that to foster care
coordination the Department should work with states to better align
with the Federal standards to improve care coordination and individual
patient outcomes.
Response
We appreciate the comments on our proposed changes to align part 2
with HIPAA consistent with the CARES Act.
Comment
A state agency requested express permission within the regulation
to permit disclosures to state data collection agencies, such as APCDs,
because there is not a ``required by law'' provision in this part that
would otherwise permit SUD records to be submitted to the state
agencies that collect other health and claims data. A state agency
requested that the final rule clearly authorize state agencies that
maintain repositories of health care claims and discharge data to
receive SUD information under 42 CFR part 2. SAMHSA, the commenter
said, addressed a similar issue with state-operated PDMPs by clarifying
in its 2020 final rule that such disclosures were authorized under 42
CFR part 2. The commenter reported that the PDMP modification
strengthened a critical component of states' ability to monitor access,
use, and abuse of prescription drugs, while protecting patient privacy
and confidentiality.
Response
We appreciate the comment and recommendation. The Department, in
2020, added a new section Sec. 2.36 (Disclosures to prescription drug
monitoring programs),\201\ based on a regulatory proposal. No provision
was proposed in the NPRM pertaining to APCDs/multi-payer claims
databases (MPCDs) and thus there is no basis to add such a provision in
the final rule. The Department previously declined to include
exceptions to various requirements for APCDs/MPCDs after consideration
of comments received on these issues in 2017.\202\
---------------------------------------------------------------------------
\201\ See 85 FR 42986, 43015; 84 FR 44568, 44576.
\202\ 82 FR 6052, 6079.
---------------------------------------------------------------------------
Comment
A state agency said that in its state, the majority of SUD
treatment records are covered by part 2; it has communicated to
licensed SUD treatment providers that they will not be cited for state
regulatory violations if they disclose information as permitted by part
2. Licensed providers who are not part 2 programs are currently asked
to verify this status with the state if a disclosure is made under
HIPAA that would not be permitted by part 2.
Response
The Department appreciates this information in response to our
request for input about these issues.
Comment
For one commenter, the final rule provides an opportunity to
encourage states to update regulations that can often be outdated and
confusing with regard to applicability. Such updates could facilitate
care coordination and access. A hospital association requested more
guidance on the interaction of Federal and state laws and said that
hospitals in states with confidentiality laws specific to SUD or citing
part 2 will have to invest significant time and financial resources
into understanding the interaction between Federal and state laws and
how to incorporate those laws into real-time care decisions. Some
hospitals also may provide services in
[[Page 12526]]
multiple states, the commenter pointed out, and patients may therefore
receive treatment at facilities in more than one state. Other
commenters requested additional guidance on the interaction between
Federal and state SUD confidentiality requirements and asked that the
Department provide technical assistance to help providers operationalize
these requirements. One commenter also requested guidance to address such
issues as hospitals providing services in multiple states and
application of state laws to out-of-state telehealth consultations.
Response
We appreciate these comments and may provide additional guidance
and technical support to states and others after this rule is
finalized. As previously noted, the Department supports the Center of
Excellence for Protected Health Information Related to Behavioral
Health, which can provide guidance and technical support on behavioral
health privacy laws.\203\ The Department will continue to support this
Center. The Department supports efforts to facilitate telehealth use
consistent with HIPAA, part 2, and other state and Federal
requirements. The Department has developed and supported resources to
promote appropriate use of telehealth for SUD and other behavioral
health conditions.\204\ The Department acknowledges that hospitals or
other providers providing services in multiple states may face more
complex compliance burdens and may need to consult legal counsel to
ensure compliance, as the Department has previously advised.\205\
---------------------------------------------------------------------------
\203\ See ``About COE PHI,'' supra note 105.
\204\ See The Ctr. of Excellence for Protected Health Info.,
``Telehealth,'' https://coephi.org/protecting-health-information/telehealth-resources/; U.S. Dep't of Health and Human Servs.,
``Telehealth for behavioral health care,'' https://telehealth.hhs.gov/providers/best-practice-guides/telehealth-for-behavioral-health; Substance Abuse and Mental Health Servs. Admin.,
``Telehealth for the Treatment of Serious Mental Illness and
Substance Use Disorders'' (2021), https://www.samhsa.gov/resource/ebp/telehealth-treatment-serious-mental-illness-substance-use-disorders.
\205\ 82 FR 6052, 6071.
---------------------------------------------------------------------------
Comment
One commenter said that any changes need to take into account
discrepancies between state and Federal laws regarding release of
information and ways to protect patients from the consequences of their
information being used against them.
Response
The Department acknowledges that the complex intersection of state
and Federal behavioral health privacy statutes and regulations may
result in unnecessary or improper disclosures. As we have noted in this
section, part 2 does not preempt more stringent state statutes or
regulations. Likewise, we have stated that HIPAA constitutes a floor of
privacy protection that does not preclude more stringent state
laws.\206\
---------------------------------------------------------------------------
\206\ See U.S. Dep't of Health and Human Servs., ``Preemption of
State Law,'' https://www.hhs.gov/hipaa/for-professionals/faq/preemption-of-state-law/index.html. For surveys of state privacy
laws and discussion of state requirements see, e.g., ``50-State
Survey of Health Care Information Privacy Laws,'' supra note 107;
George Washington Univ.'s Hirsh Health Law and Pol'y Program and the
Robert Wood Johnson Found., ``States,'' Health Information & the
Law, http://www.healthinfolaw.org/state; ``TAC Assessment Working
Paper: 2016 Compilation of State Behavioral Health Patient Treatment
Privacy and Disclosure Laws and Regulations,'' supra note 122.
---------------------------------------------------------------------------
Comment
One commenter was concerned that Federal efforts to promote
interoperability may intersect with conflicting state requirements,
pointing to the Federal Trusted Exchange Framework and Common Agreement
(TEFCA) initiative as an example.\207\ The commenter believed that the
health care industry does not yet fully understand all the potential
conflicts and how they will impact health information exchange. Another
commenter suggested requiring electronic records to display the basis
when certain information is not visible or accessible (e.g., due to
state law, patient restriction, etc.).
---------------------------------------------------------------------------
\207\ See The Off. of the Nat'l Coordinator for Health Info.
Tech. (ONC), ``Trusted Exchange Framework and Common Agreement
(TEFCA),'' https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca.
---------------------------------------------------------------------------
Response
The Department will continue to support health IT and behavioral
health integration by ensuring that TEFCA and other efforts are
consistent with part 2 and take into account state requirements.\208\
As noted above, the Department has developed guidance for part 2
programs on exchanging part 2 data and may update such guidance in the
future.\209\ The Department continues to support EHRs and health IT
compliant with part 2 and HIPAA requirements as well as care
coordination and behavioral health integration.\210\
---------------------------------------------------------------------------
\208\ See ``Behavioral Health,'' supra note 133.
\209\ See ``Substance Abuse Confidentiality Regulations,'' supra
note 113.
\210\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------
Comment
A commenter recommended that a Federal electronic consent standard
should override conflicting state law.
Response
While electronic signatures are beyond the scope of this rulemaking
and no modifications to electronic signature requirements were proposed
by the Department, both HIPAA and part 2 permit electronic signatures
for authorizations or consents consistent with state law. As stated in
HHS guidance, the HIPAA Privacy Rule ``allows HIPAA authorizations to
be obtained electronically from individuals, provided any electronic
signature is valid under applicable law.'' \211\ The Department also
has stated in guidance and regulation that under part 2 electronic
signatures are permissible.\212\ In 2017 the Department revised Sec.
2.31 ``to permit electronic signatures to the extent that they are
not prohibited by any applicable law.'' However, the Department also
advised that ``[b]ecause there is no single federal law on electronic
signatures and there may be variation in state laws, SAMHSA recommends
that stakeholders consult their attorneys to ensure they are in
compliance with all applicable laws.'' \213\
---------------------------------------------------------------------------
\211\ U.S. Dep't of Health and Human Servs., Off. for Civil
Rights, ``How do HIPAA authorizations apply to an electronic health
information exchange environment?'' (Sept. 17, 2021), https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html;
U.S. Dep't of Health and Human Servs., ``Does the Security Rule
require the use of an electronic or digital signature?'' (July 26,
2013), https://www.hhs.gov/hipaa/for-professionals/faq/2009/does-the-security-rule-require-the-use-of-an-electronic-signature/index.html.
\212\ See ``Frequently Asked Questions: Applying the Substance
Abuse Confidentiality Regulations to Health Information Exchange
(HIE),'' supra note 150.
\213\ 82 FR 6052, 6080.
---------------------------------------------------------------------------
The requirements for providing consent under Sec. 2.31 and the
notice and copy of consent to accompany disclosure under Sec. 2.32
could be met in electronic form. The requirements of Sec. 2.32 would
not require the written consent, copies of a written consent, or a
notice to accompany a disclosure of part 2 records to be in paper or
other hard copy form, provided that any required signatures obtained in
electronic form would be valid under applicable law. This
interpretation is consistent with the Department's approach under the
HIPAA Privacy Rule. OCR has provided prior guidance stating that
covered entities can disclose PHI pursuant to an electronic copy of a
valid and signed authorization, and the
[[Page 12527]]
Privacy Rule allows HIPAA authorizations to be obtained electronically
from individuals, provided that any electronic signature is valid under
applicable law.\214\
---------------------------------------------------------------------------
\214\ U.S. Dep't of Health and Human Servs., Off. for Civil
Rights, ``How do HIPAA authorizations apply to an electronic health
information exchange environment?'' https://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/index.html.
---------------------------------------------------------------------------
Final Rule
After considering the public comments on the relationship of part 2
to state laws we are finalizing this section as proposed without
further modification.
Section 2.21--Relationship to Federal Statutes Protecting Research
Subjects Against Compulsory Disclosure of Their Identity
The Department adopts the proposal in Sec. 2.21(b) to reorder
``disclosure and use'' to read ``use and disclosure'' to better align
the wording of this section with language used in the HIPAA Privacy
Rule. A provider health system supported the proposal and no other
comments were received on this proposal.
Section 2.22--Notice to Patients of Federal Confidentiality
Requirements \215\
---------------------------------------------------------------------------
\215\ In the NPRM, we included a detailed discussion of proposed
modifications to HIPAA Privacy Rule 45 CFR 164.520, Notice of
privacy practices for protected health information, in addition to
modifications proposed to Sec. 2.22, Notice to Patients of Federal
Confidentiality. Here, we include a brief explanation that HIPAA
Privacy Rule proposed modifications and public comments will be
considered in a separate rulemaking.
---------------------------------------------------------------------------
Patient Notice
Proposed Rule
Section 3221(i) of the CARES Act required the Secretary to update
the HIPAA NPP requirements at 45 CFR 164.520 to specify new
requirements for covered entities and part 2 programs with respect to
part 2 records that are PHI (i.e., records of SUD treatment by a part 2
program that are transmitted or maintained by or for covered entities).
By applying such requirements, entities that are dually regulated by
both part 2 and HIPAA would be subject to the notice requirements.
Discussed here and consistent with our approach throughout this
rulemaking, in addition to proposing the required updates to 45 CFR
164.520 (discussed below), we also proposed to revise the Patient
Notice at Sec. 2.22.
As explained in the NPRM, to the extent the HIPAA regulations and
part 2 cover different, but often overlapping, sets of regulated
entities, and the HIPAA NPP offers more robust notice requirements than
the Patient Notice, the Department proposed to modify Sec. 2.22 to
provide the same information to patients of part 2 programs as
individuals receive under the HIPAA Privacy Rule. The Department's
proposed modifications to the Patient Notice would also restructure it
to substantially mirror the structure of the HIPAA NPP but exclude
those elements that are inapplicable to part 2 programs. The specific
proposed changes are described in detail in the NPRM and set forth
below following the discussion of general comments.
Overview of Comments
The Department received more comments about its approach to
modifying the Patient Notice to align with the HIPAA NPP than comments
about specific elements of the proposed notice. Some commenters
supported aligning part 2 Patient Notice requirements with the HIPAA
NPP. Other commenters expressed concerns, asked for clarity on certain
specific proposed requirements, or urged the Department to provide
resources or examples to support compliance.
Response
We appreciate the comments about the proposed changes and discuss
our response to specific concerns expressed by commenters below.
Patient Understanding
Comment
Some commenters questioned whether the Patient Notice would ensure
part 2 patients, programs, and recipients of part 2 records understand
how part 2 records will be used, disclosed, and protected. Such
requirements, these commenters said, should be delineated in easy-to-
understand wording in the patient's primary language. One commenter,
describing their experiences as a patient and professional, said that
they were not educated about the consent forms or what they were
disclosing and their rights.
Some commenters expressed concern that patients may not understand
the revised notices, suggesting that the Department's approach could
lead to additional downstream disclosures and legal consequences for
patients even as it supported care coordination. A medical
professionals association also emphasized its view that the Department
should ensure standard and easily understandable notices of privacy
practices. Other commenters suggested the Patient Notices be simplified
and streamlined such as limiting notices to one page or gearing notices
to a fifth-grade reading level. A state agency suggested that the
Patient Notice adhere to language and disability access standards to
the extent required under HIPAA. A privacy association opined that the
proposed rule allows a patient to consent to a broad range of TPO
disclosures, but also noted that SUD patients may at times lack
capacity to understand the Patient Notice. These challenges may also
apply to understanding consents and to managing revocation of consents.
However, the association believes that this result is dictated by the
statute rather than the Department's approach in the NPRM. A county
government also expressed its view that it is difficult to provide
these notices when the patient is undergoing detoxification or
treatment for an SUD.
Response
We appreciate these comments. We mirrored required elements of the
HIPAA NPP in the Patient Notice because we believe that patients have
become familiar with it and to reflect the closer alignment between
part 2 and HIPAA in the final rule. We have provided further
clarification concerning the substantive alignment of part 2 and HIPAA
requirements through responses to public comments in several other
sections of the final rule. The Department recognizes that outreach and
further guidance will be needed both to persons with SUD and to
providers in connection with the final rule. The Department will
continue to monitor the response to part 2 in the SUD treatment
community and will provide clarification of the final rule as needed.
We discuss patients who lack capacity to make health care decisions in
Sec. 2.15 above.
Single or Streamlined Form
Comment
Commenters expressed different views as to whether they preferred
using a single document or separate HIPAA and part 2 notices to provide
notice statements to patients to aid compliance and patient
understanding. One public health agency asked HHS to confirm that a
single notice of privacy practices can fulfill both part 2 and HIPAA
obligations. Some commenters said that for them a single notice of
privacy practices would reduce burdens or be the most effective way to
convey privacy information to patients without creating unnecessary
confusion and burden through excessive paperwork, and asked for
confirmation that this was
[[Page 12528]]
permitted. An academic health center supported allowing covered
entities that have part 2 programs to use one NPP addressing key
elements of the HIPAA NPP, such as a header, uses and disclosures, and
individual rights. If a
joint notice is acceptable, a commenter asked that proposed 42 CFR
2.22(b)(1)(i) be updated to note that the 45 CFR 164.520(b)(1)(v)(C)
header may be used in a combined notice. A trade association and health
plan supported part 2 notices including elements of the HIPAA NPP such
as a description of the permitted uses and disclosures of part 2
records, the complaint process, and the patient's right to revoke their
consent for the part 2 program to disclose records in certain
circumstances.
Response
We have stated both in HIPAA and part 2 guidance that notices for
different purposes may be separate or joint/combined so long as the
required elements are included.\216\ Thus, either using separate HIPAA,
state law, or part 2 notices or combining these notices into one form
would be acceptable so long as all required elements are included.
---------------------------------------------------------------------------
\216\ See U.S. Dep't of Health and Human Servs., ``Notice of
Privacy Practices for Protected Health Information'' (July 26,
2013), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html;
``Substance Abuse Confidentiality Regulations,'' supra note 113.
---------------------------------------------------------------------------
Comment
Commenters also urged the Department to support a simplified or
streamlined Patient Notice. One advocacy organization characterized the
proposed notice as unwieldy and overly detailed for both patients
seeking to understand their rights and covered entities. It urged the
Department to streamline both notices and develop model Patient Notices
as it has done for HIPAA NPPs. A health plan encouraged the Department to
align with the HIPAA Privacy Rule by developing two versions of the
part 2 model notice language: (a) the minimum necessary additional
language/verbiage, which would be required to be added to an existing
HIPAA NPP for entities which already are subject to that requirement;
and (b) a notice similar to what is in the proposed rule for entities
which do not already have a notice.
Other commenters urged the Department to develop notice templates
or model forms in multiple languages. A state agency supported the
HIPAA NPP's being translated, at a minimum, into the top three
languages for a provider's client population. One commenter asked the
Department to develop at least two example Patient Notices--one
directed at providers, and the other directed at payers and health
coverage issuers. Another commenter suggested that model Patient
Notices were needed for a HIPAA covered entity that has an existing
HIPAA NPP and therefore HHS should create a minimal addendum or
template which highlights any additional language specifically required
to be added to that existing HIPAA NPP relative to this rule. The
commenter also urged the Department to develop a Patient Notice
template for third-party payers or other entities which may not already
use a HIPAA NPP. Commenters urged that given the HIPAA enforcement
proposal, there should be a safe harbor for using these standard
notices.
Response
We appreciate this comment and understand the value of having a
sample or model notice that incorporates the changes finalized in this
rule. The Department may, at a future time, develop sample templates
and forms to support compliance with Sec. 2.22. We also note that this
final rule provides 24 months from the date of publication for
compliance with its provisions.
Administrative Burdens
Comment
The Department received several comments stating that proposed
changes to the part 2 notice would either reduce or increase part 2
program, provider, or covered entity burdens. While part 2 programs and
covered entities would need to update both the Patient Notice and the
HIPAA NPP, the benefits outweighed the burdens, according to some
commenters. One commenter asked HHS to clarify that Sec. 2.22 only
applies to part 2 programs that are not subject to HIPAA. Another
commenter said that as a dually regulated entity it believed that
aligning these two notices will reduce dually regulated entities'
burden of compliance, and improve patient understanding by reducing the
amount of reading required. The commenter said updating notices
concurrently would reduce their burden. Many commenters said examples
of the updated HIPAA NPP and Patient Notice would be helpful and reduce
their administrative burdens. Others also suggested the Department
reduce administrative burdens and improve compliance by providing
educational resources and templates to providers and patients and work
with advocacy organizations to ensure the notice requirements are
understood by patients and practical for providers.
Another commenter supported the proposed changes, stating that it
anticipated an additional administrative burden on part 2 programs
which are not covered by HIPAA but limited impact or additional burden
on those part 2 programs covered by HIPAA. One commenter similarly
described what it viewed as potential burdens but said that for
entities which are both part 2 programs and covered entities, a portion
of the burden would be offset by the ability to have consistent
policies and procedures given the new alignment between the part 2
rules and the HIPAA regulations. A medical professionals association,
while supporting alignment of the part 2 notice with the HIPAA NPP,
suggested there would be an additional burden in modifying the HIPAA
NPP for physician practices, especially small practices and those in
rural areas.
Response
The Department detailed its analysis of potential costs and
benefits in the NPRM and in the RIA below. As we earlier noted, we are
finalizing the part 2 Rule only at this time. The Department intends to
publish the CARES Act required revisions to the HIPAA NPP provision (45
CFR 164.520) as part of a future HIPAA rulemaking. Thus, this final
rule focuses only on changes to the Patient Notice under Sec. 2.22. We
intend to align compliance dates for any required changes to the HIPAA
NPP and part 2 Patient Notice to enable covered entities to make such
changes at the same time.
After both this rule and the forthcoming HIPAA Privacy Rule changes
are finalized, entities initially may require time to update the
content of the Patient Notice and HIPAA NPP. Commenters stated,
however, that many part 2 programs, such as those that also are covered
entities, may be able to save time, and that patients may benefit from
the enhanced protections offered by the revised notices. The Department
acknowledges that some smaller, rural, or other types of practices may
face increased burdens relative to larger entities, though this may not
be true in all cases, as many smaller practices or providers may also
have familiarity with both HIPAA and part 2. The Department may develop
template or model forms or other guidance after this rule is finalized.
[[Page 12529]]
Notifying Patients
Comment
Some commenters expressed concerns about notifying patients of new
or updated notices. A medical professionals association expressed
concern that the notification process as described in the NPRM may be
problematic for those patients who lack mailing addresses and
substitute notice by publication still might not be sufficient to
inform patients about release of their records.
Response
We appreciate the comments and acknowledge that updating the
Patient Notice will create some burden for part 2 programs, as may
copying and mailing costs; however, we believe that the burdens will be
balanced by the overall burden reduction as a result of the decreased
number of consents that are required for routine uses and disclosures.
Section 2.22 as revised in this rule requires part 2 programs to notify
patients when requirements that pertain to a patient's treatment have
materially changed. It specifically requires the updated Patient Notice
to be provided by the first day the health care is provided to the
patient after the compliance date for the program, or for emergency
treatment as soon as reasonably practicable after the emergency. The
Department's stated intention to hold in abeyance updates to the HIPAA
NPP pending a future rulemaking does not negate the Department's
expectation that part 2 programs will comply with the requirements in
Sec. 2.22. However, as explained above, we intend to align compliance
dates for any required changes to the HIPAA NPP and part 2 Patient
Notice to enable covered entities to make such changes at the same
time.
Recommendations To Change the Proposal
Comment
One commenter noted that the proposed Patient Notice did not
include notice that patients could obtain copies of their records at
limited costs or, in some cases, free of charge. The commenter stated
that, although Sec. Sec. 2.22 and 2.23 do not require a part 2 program
to give a patient the right to inspect or get copies of their records,
the Department should use the general regulatory authority of the
CARES Act (section 3221(i)(1)) to require part 2 programs to allow
patients to inspect or get copies of their records. This commenter
supported the Patient Notice statement describing the duties of part 2
programs with respect to part 2 records even though it is not required
by 42 U.S.C. 290dd-2.
Response
The commenter is correct that these regulations do not create a
patient right of access to their records analogous to the HIPAA Privacy
Rule right of access.\217\ We discuss patient access and restrictions
on use and disclosure in Sec. 2.23.
---------------------------------------------------------------------------
\217\ See ``Individuals' Right under HIPAA to Access their
Health Information 45 CFR 164.524,'' supra note 159.
---------------------------------------------------------------------------
Comment
A commenter requested modification of the section of the notice
pertaining to complaints so that complaints may be filed ``either to
the Part 2 Program or the Secretary'' rather than to the program and
the Secretary. Requiring the patient to complain to both entities may
intimidate the patient especially if they are dependent on the part 2
program for employment, child welfare, or criminal justice purposes,
the commenter asserted.
Response
As we state in Sec. 2.4 (Complaints of noncompliance), a person
may file a complaint with the Secretary for a violation of this part by
a part 2 program, covered entity, business associate, qualified service
organization, or other lawful holder but is not compelled to file a
complaint of violation both with the Secretary and the part 2 program.
This ``no wrong door'' approach mirrors the language in the HIPAA NPP
for the HIPAA Privacy Rule, and OCR has continued to receive thousands
of privacy complaints annually. A patient who files a complaint with a
provider may or may not receive a response, and we do not believe a
patient should be required to wait before bringing their complaints of
noncompliance to the Department's attention. Further, many complaints
filed with the Department are readily resolved through voluntary
compliance and technical assistance to aid the entity's compliance with
the regulation. Thus, we do not believe it will overly burden part 2
programs to allow patients to file complaints directly with the
Department.
Final Rule
Header
The Department proposed to require a header for the Patient Notice
that would be nearly identical to the header required in the HIPAA NPP
(and as proposed for amendment in the NPRM) at 45 CFR 164.520(b)(1)(i)
except where necessary to distinguish components of the notice not
applicable to 42 CFR part 2. For example, the Patient Notice that would
be provided pursuant to this part would not include notice that
patients could exercise the right to get copies of records at limited
costs or, in some cases, free of charge, nor would it provide notice
that patients could inspect or get copies of records under HIPAA.
The final rule adopts the header as proposed without modification.
Uses and Disclosures
The Department is finalizing its proposal, without modification, to
require a part 2 program to include in its Patient Notice descriptions
of uses and disclosures that are permitted for TPO, are permitted
without written consent, or will only be made with written consent. The
Department is finalizing its proposed requirement that a covered entity
that creates or maintains part 2 records include sufficient detail in
its Patient Notice to place the patient on notice of the uses and
disclosures that are permitted or required. Although, as stated in the
NPRM, the Department believes section 3221(k)(4) of the CARES Act--
stating that certain de-identification and fundraising activities
should be excluded from the definition of health care operations--has
no legal effect as a Sense of Congress, the Department will finalize
its proposed new paragraph (b)(1)(iii) in Sec. 2.22. This provision
requires that a part 2 program provide notice to patients that the
program may use and disclose part 2 records to fundraise for the
program's own behalf only if the patient is first provided with a clear
and conspicuous opportunity to elect not to receive fundraising
communications. This new notice requirement is consistent with the
requirement at Sec. 2.31(a)(5)(iii) in which a part 2 program, when
obtaining a patient's TPO consent, must provide the patient the
opportunity to elect not to receive fundraising communications.
Rather than referring to ``the HIPAA Privacy Rule'' we instead
refer in this rule to ``HIPAA regulations'' to describe the
redisclosure permission applicable to part 2 programs, covered
entities, and business associates following an initial disclosure based
on a TPO consent. We believe this modification to what we initially
proposed is consistent with our incorporation of the new defined term
``HIPAA regulations'' into part 2.
Patient Rights
The Department is finalizing its proposal, with further
modification, to require that a part 2 program include in
[[Page 12530]]
the Patient Notice statements of patients' rights with respect to part
2 records. The structure mirrors the statements of rights required in
the HIPAA NPP for covered entities and PHI but is based on amended 42
U.S.C. 290dd-2 and patient rights under the final rule. The patient
rights listed include, for example, the rights to:
Request restrictions of disclosures made with prior
consent for purposes of TPO, as provided in 42 U.S.C. 290dd-2(b)(1)(C).
Request and obtain restrictions of disclosures of part 2
records to the patient's health plan for those services for which the
patient has paid in full, in the same manner as 45 CFR 164.522 applies
to restrictions of disclosures of PHI.
Obtain an electronic or non-electronic copy of the notice
from the part 2 program upon request.
Discuss the notice with a designated contact person
identified by the part 2 program pursuant to paragraph 45 CFR
164.520(b)(1)(vii).
Obtain a list of disclosures by an intermediary for the past 3
years as provided in 42 CFR 2.24.
Elect not to receive any fundraising communications.
Part 2 Program's Duties
The Department is finalizing its proposal, without modification, to
incorporate into the Patient Notice statements describing the duties of
part 2 programs with respect to part 2 records that parallel the
statements of duties of covered entities required in the HIPAA NPP with
respect to PHI. Although this change is not required by 42 U.S.C.
290dd-2, the statement of duties would put patients on notice of the
obligations of part 2 programs to maintain the privacy and security of
part 2 records, abide by the terms of the Patient Notice, and inform
patients that the program may change the terms of a Patient Notice. The
Patient Notice also would include a statement of the new duty under 42
U.S.C. 290dd-2(j) to notify affected patients following a breach of
part 2 records.
Complaints
The Department is finalizing its proposal, without modification, to
require that a part 2 program inform patients, in the Patient Notice,
that the patients may complain to the part 2 program and Secretary when
they believe their privacy rights have been violated, as well as a
brief description of how the patient may file the complaint and a
statement that the patient will not be retaliated against for filing a
complaint. We are finalizing the new provision that patients may
complain to the Secretary as well as the part 2 program. These changes
support the implementation of the CARES Act enforcement provisions,
which apply the civil enforcement provisions of section 1176 of the
Social Security Act to violations of 42 U.S.C. 290dd-2.
Contact and Effective Date
The Department is finalizing its proposal, without modification, to
require that the Patient Notice provide the name or title, telephone
number, and email address of a person or office a patient may contact
for further information about the part 2 Notice, and information about
the date the Patient Notice takes effect. We intend to align compliance
dates for any required changes to the HIPAA NPP and part 2 Patient
Notice to enable covered entities to make such changes at the same
time.
Optional Elements
The Department is finalizing its proposal, without modification, to
incorporate into the Patient Notice the optional elements of a HIPAA
NPP, which a part 2 program could include in its Patient Notice. This
provision permits a program that elects to place more limits on its
uses or disclosures than required by part 2 to describe its more
limited uses or disclosures in its notice, provided that the program
may not include in its notice a limitation affecting its ability to
make a use or disclosure that is required by law or permitted to be
made for emergency treatment.
Revisions to the Patient Notice
The Department is finalizing the proposal, without modification, to
require that a part 2 program must promptly revise and distribute its
Patient Notice when there has been a material change and provide that,
except when required by law, such material change may not be
implemented prior to the effective date of the Patient Notice.
Implementation Specifications
The Department is finalizing its proposal, without modification, to
require that a part 2 program provide the Sec. 2.22 notice to anyone
who requests it and provide it to a patient not later than the date of
the first service delivery, including where first service is delivered
electronically, after the compliance date for the Patient Notice. This
provision also would require that the notice be provided as soon as
reasonably practicable after emergency treatment. If the part 2 program
has a physical delivery site, the notice would have to be posted in a
clear and prominent location at the delivery site where a patient would
be able to read the notice in a manner that does not identify the
patient as receiving SUD treatment, and the Patient Notice would need
to be included on a program's website, where available. These
provisions would parallel the current requirements for provision of the
HIPAA NPP by HIPAA-covered health care providers.
45 CFR 164.520 HIPAA Notice of Privacy Practices
In the NPRM, we proposed to update the HIPAA NPP requirements
consistent with requirements in the CARES Act using plain language that
is easily understandable. We also proposed additional updates
consistent with changes to the HIPAA NPP we proposed in January 2021
(Proposed Modifications to the HIPAA Privacy Rule To Support, and
Remove Barriers to, Coordinated Care and Individual Engagement).\218\
This part 2 final rule adopts changes to the part 2 Patient Notice
only; it does not include finalized changes to the HIPAA NPP in 45 CFR
164.520. The Department intends to publish modifications to 45 CFR
164.520 as part of a future HIPAA rulemaking. Comments received
regarding changes to the HIPAA NPP proposed in the 2022 NPRM will be
addressed when those changes are published as part of a HIPAA final
rule. As we consider public comments received related to the HIPAA NPP,
we intend to carefully consider the progress made by affected entities
working to implement changes to the Patient Notice.
---------------------------------------------------------------------------
\218\ See 86 FR 6446.
---------------------------------------------------------------------------
Section 2.23--Patient Access and Restrictions on Use and Disclosure
Proposed Rule
In addition to the paragraph (b) changes discussed above in the
``use'' or ``disclosure'' section, the Department proposed wording
changes to paragraph (b) to improve readability and to replace the
phrase ``this information'' with ``records,'' which more accurately
describes the scope of the information to which the regulation applies.
The comments and the Department's responses regarding Sec. 2.23 are
set forth below.
Comment
While not proposed in the NPRM, a few commenters suggested adding a
patient right to direct copies of PHI to a third party, as follows: (1)
to define a right to direct copies to prevent
[[Page 12531]]
unintended parties from receiving records; (2) to allow covered
entities to restrict or refuse requests from any entity that is not
the individual or an entity authorized by the individual; and (3) to
create a patient right to direct a copy of records to third parties
without a consent form to align with HIPAA.
Response
We appreciate the suggestion to create a patient right to direct
copies of PHI to a third party; however, that suggestion is outside the
scope of the current rulemaking.
Comment
While not proposed in the NPRM, a few commenters also suggested
creating a right of access for part 2 records to afford part 2 patients
the same rights as individuals under the HIPAA Privacy Rule.
Response
We appreciate the suggestion to create a right of access for part 2
records and the intent to provide equity for those being treated for
SUD with respect to their patient rights compared to the rights for
patients with other health conditions under HIPAA. This proposal falls
outside the scope of the part 2 rulemaking and we did not propose this
change or request comment on this topic in the NPRM; therefore, there
is not an adequate foundation for adopting a right of access in the
final rule.
The HIPAA Privacy Rule established for an individual the right of
access to their PHI in a designated record set. The HIPAA right of
access applies to records created by a part 2 program that is also a
covered entity as well as part 2 records received by a covered
entity.\219\ For part 2 programs that are not covered entities, Sec.
2.23 does not prohibit a part 2 program from giving a patient access to
their own records, including the opportunity to inspect and copy any
records that the part 2 program maintains about the patient.
---------------------------------------------------------------------------
\219\ See ``Individuals' Right under HIPAA to Access their
Health Information 45 CFR 164.524,'' supra note 159.
---------------------------------------------------------------------------
Comment
One commenter recommended that the Department not adopt the changes
proposed to the right of access in its 2021 HIPAA NPRM on coordination
of care \220\ because the proposed changes ``would create new pathways
for third parties to easily access patient health information through
personal health apps with little to no requirements for patient
education and consent, thus eroding longstanding privacy protections
and increasing burden on providers.''
---------------------------------------------------------------------------
\220\ 86 FR 6446.
---------------------------------------------------------------------------
Response
We appreciate the comment; however, the topic is outside the scope
of the current rulemaking.
Comment
One commenter appreciated knowing that once they receive SUD
records, the records become PHI and are subject to the access
requirements in the HIPAA Privacy Rule.
Response
We appreciate the comment. We clarify that when part 2 records are
received by or for a covered entity and are part of a designated record
set they become PHI and are subject to the HIPAA Privacy Rule access
requirements. Generally, the HIPAA Privacy Rule gives individuals the
right to access all of their PHI in a designated record set.\221\ A
``designated record set'' is a group of records maintained by or for a
covered entity that are a provider's medical and billing records, a
health plan's enrollment, payment, claims adjudication, and case or
medical management record systems, and any other records used, in whole
or in part, by or for the covered entity to make decisions about
individuals.\222\ A covered entity's part 2 records usually fall into
one of these categories and thus are part of the designated record set.
This is true when a part 2 program is a covered entity, as well as when
a covered entity receives part 2 records but is not a part 2 program.
As such, the records held by a covered entity are subject to the HIPAA
Privacy Rule's right of access requirements.
---------------------------------------------------------------------------
\221\ See 45 CFR 164.524.
\222\ See 45 CFR 164.501 (definition of ``Designated record
set'').
---------------------------------------------------------------------------
Comment
One commenter expressed concerns about any access or disclosures
that could subject part 2 patients to criminal charges.
Response
We appreciate this comment. The revisions to Sec. 2.23 clarify the
existing prohibition on use and disclosure of information obtained by
patient access to their record for purposes of a criminal charge or
criminal investigation of the patient.
Comment
One commenter believed that the Department was proposing to remove
the written consent requirement for patient access to their own
records.
Response
Section 2.23 does not require a part 2 program to obtain a
patient's written consent or other authorization to provide access by
the patient to their own records, and the final rule is not changing
this. Thus, the ability of a patient to obtain access to their record
without written consent will be maintained.
Final Rule
The final rule adopts all proposed modifications to Sec. 2.23(b),
without further modification.
Section 2.24--Requirements for Intermediaries
Proposed Rule
The Department proposed to address the role of intermediaries by:
(a) creating a regulatory definition of the term in Sec. 2.11; (b)
reorganizing the existing requirements for intermediaries and
redesignating that provision as Sec. 2.24; and (c) clarifying in Sec.
2.31(a)(4)(ii)(B) how a general designation in a consent for use and
disclosure of records to an intermediary would operate. The definition
as proposed would read as follows: Intermediary means a person who has
received records under a general designation in a written patient
consent to be disclosed to one or more of its member participant(s) who
has a treating provider relationship with the patient. The current part
2 consent requirements in Sec. 2.31 contain special instructions when
making a disclosure to entities that fall within the proposed
definition of intermediary: the consent must include the name of the
intermediary and one of the following: (A) the name(s) of member
participant(s) of the intermediary; or (B) a general designation of a
participant(s) or class of participants, which must be limited to a
participant(s) who has a treating provider relationship with the
patient whose information is being disclosed. The NPRM proposed to
replace ``entities that facilitate the exchange of health information
and research institutions'' with ``intermediaries'' and add ``used
and'' before ``disclosed'' in Sec. 2.31.
Comment
We received comments both supporting and opposing the Department's
proposal to define ``intermediary'' and retain consent requirements for
disclosures to intermediaries. Most HIEs/HINs and health IT vendors
that commented on this set of proposals expressed concern about our
changes. Opposing commenters stated their views that the special
provisions for intermediaries
[[Page 12532]]
were a holdover from before the CARES Act and were inconsistent with
its alignment of part 2 and HIPAA, especially with regard to the new
provision to allow a single consent for all future TPO. Some commenters
suggested that the CARES Act may require the Department to remove the
intermediary provisions. Other commenters believed that these
provisions did not support care coordination or were inconsistent with
allowing a single consent for TPO.
Commenters asked that we revise the HIPAA definition of ``covered
entity'' to include examples of the intermediaries and remove the part
2 definition of ``intermediary''; exclude business associates, health
IT vendors, or health plans from the part 2 definition of intermediary;
expressly allow intermediaries to disclose for TPO; expressly allow
HIEs and HIE participants to be listed in a general designation in the
consent for disclosures for TPO; and clarify what types of HIEs or
health IT vendors are included in the definition (because some HIE
technology or EHR software does not maintain data or have access to it
when exchanging data between systems).
One commenter asserted that the CARES Act neither defines nor uses
the term ``intermediary'' and that the Department should instead rely
upon the established terms ``covered entity,'' ``business associate,''
and part 2 ``programs.'' Another commenter believed the NPRM created a
``two-tiered'' system that perpetuates discrimination because patients
with SUD cannot reap the benefits of integrated care that is
facilitated by shared electronic records. A health plan said that there
would not be sufficient oversight of intermediaries under the proposed
definition because they include entities that are not subject to HIPAA.
One commenter, a health plan association, asserted that business
associates should be carved out from the definition of ``intermediary''
as most are already defined as covered entities or business associates
under HIPAA. Others agreed that the role of intermediaries such as
HIEs/HINs or ACOs should be carved out from this definition. A few HIE
commenters viewed requirements for intermediaries as based on 2017 rule
changes, in which the Department attempted to limit those instances
when a general designation consent could be used without specifically
naming the persons entitled to receive the part 2 record. Additionally,
the 2017 rule changes layered on additional accounting and consent
requirements that--together with the operational challenge of
determining when and whether a downstream entity has a ``treating
provider relationship'' with the patient--resulted in low adoption due
to the technical and administrative challenges in implementing these
requirements and limitations. A county department argued that there is
no analog to intermediary within HIPAA, and thus these changes are
inconsistent with the CARES Act effort to foster closer alignment
between HIPAA and part 2.
Response
We appreciate input from commenters and have made changes in
response to their expressed concerns. Our final definition of
``intermediary'' in Sec. 2.11 includes ``a person, other than a
program, covered entity, or business associate, who has received
records under a general designation in a written patient consent to be
disclosed to one or more of its member participant(s) who has a
treating provider relationship with the patient.'' We also are
finalizing provisions that an intermediary must provide to patients who
have consented to the disclosure of their records using a general
designation, pursuant to Sec. 2.31(a)(4)(ii)(B), a list of persons to
whom their records have been disclosed pursuant to the general
designation. These changes will implement the CARES Act consent
provisions by permitting HIEs that are business associates to receive
part 2 records under a broad TPO consent and redisclose them consistent
with the HIPAA regulations. These changes also will encourage HIEs to
accept part 2 records and include part 2 programs as participants,
facilitate integration of behavioral health information with other
medical records, and reduce burdens on business associates that serve
as HIEs. Our final rule also is consistent with previous SAMHSA
guidance to ensure part 2 data exchanged by HIEs remains subject to
protection under this final rule.\223\
---------------------------------------------------------------------------
\223\ See U.S. Dep't of Health and Human Servs., ``Disclosure of
Substance Use Disorder Patient Records: How Do I Exchange Part 2
Data?'' https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf.
---------------------------------------------------------------------------
Comment
According to one commenter, if a patient signed a consent form
designating ``my health plan'' as the recipient, the part 2 program
would be permitted to disclose such information directly to the health
plan but would be prohibited from disclosing that information to the
very same health plan if the disclosure was made via an intermediary
without specifically naming the intermediary and the health plan. This
approach could thus impede operations of HIEs/HINs.
Response
We agree with the commenter's concerns that the proposed consent
requirements for intermediaries may impede HIEs/HINs. The finalized
definition of intermediary in Sec. 2.11 excludes part 2 programs,
covered entities, and business associates. This approach should help
remove barriers to HIEs'/HINs' inclusion of part 2 records from part 2
programs that are also covered entities. As noted, we believe excluding
business associates, in particular, will encourage HIEs to accept part
2 records and include part 2 programs as participants and reduce
burdens on business associates that serve as HIEs.
Comment
One HIE commenter said that the NPRM provides an example of an
intermediary being an electronic health vendor that enables entities at
two different health systems to share records and would be bound by the
requirements proposed under Sec. 2.24. However, that same vendor would
not be an intermediary when used by employees in different departments
of a hospital to access the same patient's records. The commenter finds
this confusing and seeks clarification on the definition of
intermediary and their associated requirements. Another commenter, a
health IT vendor, also questioned our example in the NPRM claiming that
the developer of the product used in an exchange of information is no
more an intermediary to the exchange than the manufacturer of a fax
machine is an intermediary to information faxed from one place to
another. The EHR vendor described in the NPRM should only be considered
an intermediary when it controls the exchange of health records between
systems using its software or when it serves as the recipient of
records.
Response
We acknowledge that some commenters may have found this NPRM
example confusing. We believe our revised definition and changes to
Sec. 2.24 help clarify the role of intermediaries. We have in the NPRM
and other past rules and guidance cited HIEs/health information
networks or ``HINs,'' ACOs, coordinated care organizations, care
management organizations, and research institutions as examples of
[[Page 12533]]
intermediaries, but this may be a fact-specific inquiry.\224\
---------------------------------------------------------------------------
\224\ Id. See also, 87 FR 74216, 74224; 82 FR 6052, 6055.
---------------------------------------------------------------------------
Comment
Other comments on the proposal addressed the role of community-
based organizations (CBOs), such as those providing services to people
experiencing homelessness. A few commenters requested that such CBOs be
considered as intermediaries, and one pointed out that the limitation
on sharing part 2 records through an intermediary would likely result
in limiting the sharing of records with CBOs via an HIE because CBOs
are not treating providers. A county HIE said that it fosters data
sharing across dozens of health care providers, managed care, and CBOs
to enable better care coordination and to address social determinants
of health. The county asserted that allowing part 2 records to be
shared based on a single consent for TPO would be ``deeply enhanced by
pairing it with the technology of an HIE.''
Response
We have noted the definition of ``intermediary'' and examples
above. An intermediary may be named in a general designation in Sec.
2.31(a)(4) though special instructions apply to such use. Under the
final rule, we have excluded business associates, part 2 programs, and
covered entities from the definition of ``intermediary'' in Sec. 2.11.
Thus, HIEs that meet the definition of ``business associates'' are not
intermediaries.
Part 2 programs, covered entities, and business associates (notably
HIEs) are permitted to disclose records for TPO under the new TPO
consent requirements and redisclose records as permitted by the HIPAA
Privacy Rule once a consent for all future uses and disclosures for TPO
is obtained. Accordingly, when a part 2 program that is a covered entity
discloses records through an HIE, the intermediary consent requirements
under Sec. 2.31(a)(4) do not apply because the HIE would be serving as
a business associate of the part 2 program/covered entity, and as a
business associate the HIE would be excluded from the definition of
``intermediary.'' We believe that part 2 programs that rely on HIEs are
those most likely to be covered entities and to benefit from the
narrowed definition of intermediary in the final rule.
Comment
A commenter said that the definition of ``intermediary'' is broad
enough that a primary care provider connecting a patient (and a
patient's part 2 records) from one program to another could be seen as
an intermediary. This commenter seeks guidance on the relationship
between part 2 programs and intermediaries, and what unintended
consequences the Department is seeking to avoid. The commenter suggests
collaboration with ONC to leverage TEFCA, as there seems to be overlap
between what constitutes an intermediary and how ONC defines a
Qualified Health Information Network under TEFCA.
An insurance association referenced TEFCA and said that it is
expected to be operating this year, creating a national network for
health care information exchange among both HIPAA covered and non-HIPAA
covered entities. The part 2 rule, the association said, should be
structured to ensure data can be seamlessly shared among covered
entities for TPO and other purposes designated in an individual's
consent. However, the commenter believed that robust privacy
protections for part 2 records remain critical for all entities
involved in health data exchanges. The TEFCA processes are building in
governance and operating requirements parallel to the HIPAA privacy and
security requirements for all participants in the system even if they
are not covered entities under the law to ensure robust protections no
matter what role the entity plays. The commenter was concerned that a
single weak link in the chain could compromise the entire system.
The commenter also stated that activities by HIEs that go beyond
the role of a ``basic conduit'' should come with commensurate
responsibilities for data protections. Therefore, the commenter
questioned the definition of ``intermediary'' as proposed, asserting
that it would minimize the accountability of these entities.
Response
We appreciate input from commenters on the role of HIEs and TEFCA.
ONC, OCR, SAMHSA and others are collaborating to support participation
in TEFCA and implementation of health IT and EHRs within the behavioral
health sector.\225\ When an HIE is acting as a business associate to a
part 2 program that is also a covered entity, it would not be
considered an ``intermediary'' as defined in this final rule because we
have excluded business associates (along with programs and covered
entities) from the definition. An HIE that is a ``business associate''
is subject to certain HIPAA requirements, including safeguards under
the HIPAA Security Rule.\226\
---------------------------------------------------------------------------
\225\ See ``Behavioral Health,'' supra note 133.
\226\ See U.S. Dep't of Health and Human Servs., ``Business
Associates'' (May 24, 2019), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
---------------------------------------------------------------------------
For clarity, we also explain here that the exclusion of business
associates from the ``intermediary'' definition in Sec. 2.11 results
in far fewer entities being subject to intermediary consent
requirements under Sec. 2.31(a)(4) and the list of disclosures
obligations under Sec. 2.24 because most HIEs--which were the most
typical example of an intermediary--are business associates. A QSO--
which is analogous to a business associate for a part 2 program--is
only considered an intermediary when it is providing services to a
program that is not a covered entity. We believe that part 2 programs
that are covered entities are those most likely to make use of HIE
services and that the burden reduction on HIE business associates in
this final rule may incentivize them to accept part 2 records into
their systems more frequently than under the existing part 2
regulation.
Comment
SUD recovery organizations recommended modifying the proposed
definition of ``intermediary'' to also include ``a member of the
intermediary named in the consent,'' rather than limiting it to members
of the intermediary that have a treating provider relationship with the
patient. A state data agency urged us to add intermediaries and other
lawful holders to the language of Sec. 2.12(d)(2)(ii), which permitted
a non-part 2 treatment provider who receives part 2 information to
record it without it becoming a part 2 record, so long as any part 2
records they receive are segregated from other health information.
Response
Section 2.12(d)(2)(ii) applies to persons who receive records
directly from a part 2 program or other lawful holder of patient
identifying information and who are notified of the prohibition on
redisclosure in accordance with Sec. 2.32. We are finalizing a
modification to this provision to expressly state that: ``[a] program,
covered entity, or business associate that receives records based on a
single consent for all treatment, payment, and health care operations
is not required to segregate or segment such records.'' Thus, an HIE
that is a business associate of a covered entity
[[Page 12534]]
that operates a part 2 program cannot, by definition, be an
intermediary, and thus would not be required to segregate the part 2
records they receive. However, the records would still be considered
part 2 records (as well as PHI) and there is a continuing obligation to
protect the records from use or disclosure in proceedings against the
patient.
Because the concept of intermediary by its nature is limited to
organizations that mediate the interactions between a program and an
intended recipient of records, it would not be practical to include in
the definition of ``intermediary'' language concerning ``a member of
the intermediary named in the consent.''
Comment
Several commenters requested clarification of certain aspects of
the proposal, such as: whether entities already subject to HIPAA are
included as intermediaries; whether QSOs can serve as intermediaries
and how the QSO role would fit into the requirements; whether the
intermediary definition is limited to facilitating access for treatment
purposes or whether the definition contemplates facilitating access for
other purposes (e.g., for payment purposes, patient access, etc.); and
which entities have the responsibility for the required list of
disclosures and exactly which responsibilities related to that
requirement. One commenter requested that the Department expressly
clarify that QSOs are not intermediaries since QSOs do not receive
records under a general designation in a written patient consent, but
rather they receive records through a QSOA.
Response
We discuss our changes to the definition of ``intermediary'' here
and in Sec. 2.11. As noted, in response to public comments we are
excluding covered entities, business associates, and part 2 programs
from the definition of ``intermediary.'' Further, the ``intermediary''
definition is not, in and of itself, expressly limited to facilitating
access for treatment purposes; however, by the operation of the consent
requirement in Sec. 2.31, the use of intermediaries is generally
limited to facilitating the exchange of records among treating
providers. The final rule definition of ``qualified service
organization'' includes a person who meets the definition of ``business
associate'' in 45 CFR 160.103, for a part 2 program that is a covered
entity, with respect to the use and disclosure of PHI that also
constitutes a part 2 record. Expressly including business associates as
QSOs, where both definitions are met, responds to comments received on
the NPRM noting that the role of QSOs is analogous to business
associates, such that aligning terminology makes sense given the
purpose of section 3221 of the CARES Act to enhance harmonization of
HIPAA and part 2. Additionally, as commenters requested, we have carved
out business associates from the definition of ``intermediary.'' Thus,
while a QSO may be a business associate, it cannot at the same time
also be considered an intermediary. As a result, an HIE/HIN that is a
QSO and business associate for a part 2 program that is also a covered
entity would not be subject to the intermediary requirements (e.g., a
general designation in a consent and the list of disclosures).
Comment
About half of the commenters on intermediaries opposed the
requirement that intermediaries provide a list of disclosures for the 3
years preceding the request. Many commenters expressed concern that the
TPO consent provisions in Sec. Sec. 2.31 and 2.33 would result in an
increase in requests for a list of disclosures made via an intermediary
and that HIEs were not equipped to respond in volume. One commenter
opined that millions of transactions will be facilitated by the
intermediary daily and, as a result, it would be difficult for both the
part 2 program and the intermediary to provide a full accounting of
disclosures that would feasibly be usable and helpful to the patient.
Others suggested the part 2 program directly assume this obligation.
While supporting the proposed changes, a few commenters raised
substantial concerns about the existing requirements, stating that it
would be difficult for an intermediary to log individual accesses and
reasons why data was accessed over a multi-year period. While patients
should understand where and how their data is being transferred, it
must be done while maintaining the interoperability pathway outlined by
other HHS programs and with the full understanding of burden
represented. A few commenters specifically supported the proposed
extension for the list of disclosures from 2 to 3 years. A local
government and a health system appreciated that the obligation for
producing the list of disclosures remains with the intermediary and not
the part 2 program. A few commenters asserted that the proposed changes
would help address technological issues with HIEs that are compliant
with part 2. Others suggested this process would be burdensome for HIEs
and part 2 programs.
Response
We acknowledge these comments. The final rule in Sec. 2.24 extends
the ``look back'' period for the required list of disclosures by an
intermediary from 2 years to 3 years as proposed. We made this change
to align with the new right to an accounting of disclosures in Sec.
2.25 for disclosures made with consent, which contains a 3-year look
back period. As we have stated prior to this final rule, the
intermediary, not the part 2 program itself, is responsible for
compliance with the required list of disclosures under Sec. 2.24.\227\
We discuss costs and benefits associated with this rule below including
for Sec. Sec. 2.24 and 2.25.
---------------------------------------------------------------------------
\227\ 82 FR 6052, 6072.
---------------------------------------------------------------------------
Comment
Comments asserted that the accounting requirement for
intermediaries was duplicative of the HIPAA requirements for an
accounting of disclosures for TPO made from an EHR (which have not
been finalized in regulation) and had created barriers to the use of
HIEs to exchange part 2 records. One commenter asserted that they have
not allowed part 2 records in their system due to the differing
requirements and that the intermediary proposal would perpetuate this
outcome. Another
commenter explained that a group of organizations that tested part 2
disclosure models did not ultimately adopt them because the part 2
requirements were too problematic. Several commenters requested that
the requirement for providing the list of disclosures be tolled until
the finalization of the expected HIPAA accounting of disclosures
regulation for TPO disclosures through an EHR.
Response
We are not tolling the list of disclosures requirements for
intermediaries because these obligations already exist in Sec. 2.13(d)
and are simply being continued in a new section Sec. 2.24 with the
time period covered being extended from 2 years to 3. Intermediaries
are not subject to the HIPAA accounting of disclosures requirements, by
definition, because we have excluded covered entities and business
associates from the definition of ``intermediary'' in the final rule.
Because the HIPAA accounting of disclosures requirement for TPO
disclosures through an EHR has not yet been finalized, we believe this
distinct list of disclosures requirement should remain effective.
[[Page 12535]]
Final Rule
We are finalizing in this section, redesignated as Sec. 2.24, that
an intermediary must provide to patients who have consented to the
disclosure of their records using a general designation pursuant to
Sec. 2.31(a)(4)(ii)(B), a list of persons to whom their records have
been disclosed pursuant to the general designation.
Section 2.25--Accounting of Disclosures
Proposed Rule
The Department noted in the NPRM that except for disclosures made
by intermediaries, the current part 2 regulation did not have
provisions that included a right for patients to obtain an accounting
of disclosures of part 2 records.\228\ Section 290dd-2(b)(1)(B) of 42
U.S.C., as amended by section 3221(b) of the CARES Act, applies section
13405(c) of the HITECH Act, 42 U.S.C. 17935(c) (Accounting of Certain
Protected Health Information Disclosures Required if Covered Entity
Uses Electronic Health Record), to part 2 disclosures for TPO with
prior written consent. Therefore, the Department proposed to add a new
Sec. 2.25 (Accounting of disclosures) to establish the patient's right
to receive, upon request, an accounting of disclosures of part 2
records made with written consent for up to three years prior to the
date the accounting is requested.
---------------------------------------------------------------------------
\228\ 42 CFR 2.13(d) (specifying List of Disclosures requirement
applicable to intermediaries).
---------------------------------------------------------------------------
This proposal was intended to apply the individual right to an
accounting of disclosures in the HITECH Act to disclosure of part 2
records.\229\ The Department proposed at Sec. 2.25(a) that paragraph
(a) would generally require an accounting of disclosures made with
patient consent for a period of 6 years prior to the request, and
paragraph (b) would limit the requirement with respect to disclosures
made with TPO consent, which would only be required for disclosures
made from an EHR system for a period of 3 years prior to the request.
In both instances, the proposed changes would be contingent on the
promulgation of HITECH Act modifications to the accounting of
disclosures standard in the HIPAA Privacy Rule at 45 CFR 164.528.\230\
---------------------------------------------------------------------------
\229\ OCR published an NPRM to implement this HITECH Act
provision in 2011 but did not finalize it because of concerns raised
by public comments. See 76 FR 31426 (May 31, 2011). OCR announced
its intention to withdraw the 2011 NPRM and requested public input
on new questions to help OCR implement the HITECH Act requirement as
part of the 2018 HIPAA Rules Request for Information (RFI). See 83
FR 64302, 64307 (Dec. 14, 2018). A final HIPAA regulation on the
accounting of disclosures that would apply to TPO disclosures by
covered entities has not been issued.
\230\ See also sec. 13405(c) of the HITECH Act (codified at 42
U.S.C. 17935(c)). Since the HITECH Act requirement for accounting of
disclosures was enacted in 2009, the Department published an RFI at
75 FR 23214 (May 3, 2010) and an NPRM at 76 FR 31426 (May 31, 2011).
Based in part on public comment on the RFI, the Department proposed
to provide individuals with an ``access report'' as a means of
fulfilling the requirement. Based on feedback on the NPRM in which
commenters overwhelmingly opposed the report as ``unworkable,'' the
Department, in a follow up RFI published at 83 FR 64302, explained
its intent to withdraw the proposal of the 2011 NPRM. The Department
received additional public comment about implementing sec. 13405(c)
and will publish in a future Regulatory Unified Agenda notice about
any future actions.
---------------------------------------------------------------------------
The Department stated in the NPRM preamble that this proposed
accounting requirement is consistent with section 3221(b) of the CARES
Act, 42 U.S.C. 290dd-2(b)(1)(B), as amended. The Department noted that
the CARES Act applied the HITECH Act ``look back'' time period for
accounting of disclosures to ``all disclosures'' of part 2 records with
consent and not just those disclosures contained in an EHR. From a
policy perspective, the Department therefore proposed to apply the 3-
year ``look back'' to all accountings of disclosures with consent and
not just for accountings of disclosures of records contained in an EHR.
Because the Department has not yet finalized the HITECH Act
accounting of disclosures modifications within the HIPAA Privacy Rule,
the Department did not propose to require compliance with Sec. 2.25
before finalizing the HIPAA Privacy Rule provision in 45 CFR 164.528.
The comments and the Department's responses regarding Sec. 2.25 are
set forth below.
Accounting of Disclosures for TPO
Comment
A few commenters expressed opposition to the accounting of
disclosures for TPO because: (1) the proposal does not align with the
HIPAA Privacy Rule, including the exclusion pursuant to an
authorization; (2) it would increase administrative burden; and (3) the
existing and established technology lacks the capability, including
manual collection of data from multiple systems (e.g., EHR and practice
management system for payment and health care operations). Other
commenters remarked that unless technical capabilities are developed
within certified EHR technology to capture why someone has opened a
patient record, providing a full accounting would be impossible and
requiring providers to mark and maintain a full accounting would
incentivize providers to forego going into a patient's record, even
when it may be better for treatment coordination.
Response
We appreciate the comments. However, the proposed change is
required by section 290dd-2(b)(1)(B) of 42 U.S.C., as amended by
section 3221(b) of the CARES Act, that applies section 13405(c) of the
HITECH Act, 42 U.S.C. 17935(c), to part 2 disclosures for TPO with
prior written consent. The final rule attempts to balance the potential
compliance burden by tolling the effective and compliance dates for the
HITECH accounting of disclosures requirement until it is finalized
within the HIPAA Privacy Rule.
Comment
A health system and a health IT vendor commented on the timeframes
covered in accountings of disclosure and suggested that the period for
which accountings can be requested be limited to those after the rule
is effective because of different applicable privacy standards prior to
rule finalization. For example, if the Department finalizes the
accounting of disclosures provision to include data for six years prior
to the request date, the first day for which part 2 programs would need
to provide accountings would be the effective date of the rule.
Response
We appreciate the comments. We clarify that the period for which an
accounting can ``look back'' is limited to those disclosures occurring
after the first day of the compliance date.
Comment
An HIE association requested the Department provide a specific
maximum allowable cost to a patient for fulfilling a requested
accounting of disclosures for their PHI in the final rule. According to
the commenter, the Department provides guidance in other resources on
the maximum allowable cost that a patient can incur when requesting an
accounting of disclosures but the NPRM did not provide a clear and
concise regulatory specification.
Response
We appreciate the comment and decline at this time to state a
maximum patient cost; however, we will further consider the comment in
drafting the HIPAA accounting of disclosures final rule to implement
section 13405(c) of the HITECH Act, 42 U.S.C. 17935(c). We are not
aware of resources that discuss
[[Page 12536]]
the maximum allowable cost that a patient can incur when requesting an
accounting of disclosure. However, the Department has provided guidance
in other resources on the costs a covered entity may charge individuals
to receive a copy of their PHI, which is a different cost from
providing individuals an accounting of disclosures. For an accounting
of disclosures, the HIPAA Privacy Rule at 45 CFR 164.528(c)(2) requires
a covered entity provide the first accounting to an individual in any
12-month period without charge. The covered entity may impose a
reasonable, cost-based fee for each subsequent request for an
accounting by the same individual within the 12-month period, provided
that the covered entity informs the individual in advance of the fee
and provides the individual with an opportunity to withdraw or modify
the request.
Comment
Several commenters were supportive of the proposal to add a new
accounting of disclosures requirement in part 2 because it would align
with an individual's rights under the HIPAA Privacy Rule. One health IT
vendor said health IT and other digital technologies should incorporate
audit trails to help detect inappropriate access to PHI. An advocacy
organization supported the proposed timeframes an accounting of
disclosures would cover, while a health system said the three-year
timeframe for TPO disclosures should match the six-year timeframe in
the HIPAA Privacy Rule.
Response
We appreciate the comments. With respect to the ``look back''
period for accounting of disclosures in the HIPAA Privacy Rule, an
individual has a right to receive an accounting of disclosures of PHI
made by a covered entity in the six years prior to the date on which
the accounting is requested.\231\ The HITECH accounting requirement
covers disclosures for TPO made via an EHR and a look back period of
only three years; however, this has not been finalized in the HIPAA
Privacy Rule, so we cannot harmonize the part 2 TPO disclosure
timeframe to that of the HIPAA Privacy Rule accounting of disclosure
requirement. Additionally, a HIPAA accounting of disclosures rulemaking
would implement the HITECH Act modification to 45 CFR 164.528 for
disclosures for TPO to three years prior to the date on which the
accounting is requested.\232\
---------------------------------------------------------------------------
\231\ See 45 CFR 164.528(a)(3).
\232\ See sec. 13405(c) of the HITECH Act (codified at 42 U.S.C.
17935(c)).
---------------------------------------------------------------------------
Comment
A few trade associations and a health IT vendor requested the
Department provide a template for the accounting of disclosures that
includes the level of detail necessary to fulfill the requirement.
Response
We appreciate the comments and will consider providing a template
when the HITECH accounting of disclosures requirement is finalized
within the HIPAA Privacy Rule.
Tolling of Compliance Date
Comment
A few commenters addressed tolling the compliance date for part 2
programs and each of them agreed with tolling the effective and
compliance dates of the accounting of disclosures proposal until the
effective and compliance dates of the modified HIPAA Privacy Rule
accounting provision to provide consistency for part 2 providers,
covered entities, and business associates.
Response
We appreciate the comments. We are tolling the effective and
compliance dates for part 2 programs until the effective and compliance
dates of a final rule on the HIPAA/HITECH accounting of disclosures
standard (section 13405(c) of the HITECH Act) to ensure part 2 programs
do not incur new compliance obligations before covered entities and
business associates under the HIPAA Privacy Rule are obligated to
comply. We are also mindful that the alignment of the part 2 and HIPAA
compliance dates for the accounting of disclosures is most important
for part 2 programs that are also covered entities. We also note the
part 2 programs are not required to include the statement of a
patient's right to an accounting of disclosures in the Patient Notice
under Sec. 2.22 until the future compliance date of the accounting of
disclosures.
Other Comments on Requests for Accountings of Disclosures
The Department, in the NPRM, asked for feedback on potential
burdens such as staff time and other costs associated with accounting
of disclosure requests.\233\ The Department also requested data on the
extent to which covered entities receive requests from patients to
restrict disclosures of patient identifying information for TPO
purposes, how covered entities document such requests, and the
procedures and mechanisms used by covered entities to ensure compliance
with patient requests to which they have agreed or that they are
otherwise required to comply with by law.
---------------------------------------------------------------------------
\233\ 87 FR 74216, 74239, 74249.
---------------------------------------------------------------------------
Comment
A few commenters said they rarely receive requests for an
accounting of disclosures, and a few commenters stated they receive
between 1 and 10 requests annually. Some of these commenters said that, in
their experience, a single request for an accounting of disclosures from a
patient may take one staffer, with the current functionality within an
organization, a full 40-hour week to respond to.
Response
We appreciate the comments and the information provided on the
number and type of requests for an accounting of disclosures of PHI
received annually and the staff time involved in responding to an
individual's request for an accounting of disclosures of PHI.
Final Rule
The final rule adopts all proposed modifications to Sec. 2.25,
with a correction to the timeframe in paragraph (a) to require an
accounting of disclosures made with consent in the 3 years prior to the
date of the request.
Section 2.26--Right to Request Privacy Protection for Records
Proposed Rule
Prior to the CARES Act amendments, the part 2 statute did not
explicitly provide a patient the right to request restrictions on
disclosures of part 2 records for TPO, although patients could tailor
the scope of their consent, which would govern the disclosure of their
part 2 records. Section 3221(b) of the CARES Act amended 42 U.S.C.
290dd-2 such that section 13405(c) of the Health Information Technology
and Clinical Health Act (42 U.S.C. 17935(c)) applies to subsection
(b)(1). Therefore, the Department proposed to codify in Sec. 2.26 a
patient's rights to: (1) request restrictions on disclosures of part 2
records for TPO purposes, and (2) obtain restrictions on disclosures to
health plans for services paid in full. The proposed provision would
align with the individual right in the HITECH Act, as implemented in
the HIPAA Privacy Rule at 45 CFR 164.522.\234\ As with the HIPAA
Privacy Rule right to request
[[Page 12537]]
restrictions, a part 2 program that denies a request for restrictions
still would be subject to any applicable state or other law that
imposes greater restrictions on disclosures than part 2 requires.
---------------------------------------------------------------------------
\234\ See 42 U.S.C. 17935(a).
---------------------------------------------------------------------------
In addition to applying the HITECH Act requirements to part 2, the
CARES Act emphasized the importance of the right to request
restrictions in three provisions, including:
(1) a rule of construction that the CARES Act should not be
construed to limit a patient's right under the HIPAA Privacy Rule to
request restrictions on the use or disclosure of part 2 records for
TPO; \235\
---------------------------------------------------------------------------
\235\ See sec. 3221(j)(1) of the CARES Act. The Department
believes the effect of this rule of construction is that 45 CFR
164.522 of the HIPAA Privacy Rule continues to apply without change
to covered entities with respect to part 2 records.
---------------------------------------------------------------------------
(2) a Sense of Congress that patients have the right to request a
restriction on the use or disclosure of a part 2 record for TPO; \236\
and
---------------------------------------------------------------------------
\236\ See sec. 3221(k)(2) of the CARES Act.
---------------------------------------------------------------------------
(3) a Sense of Congress that encourages covered entities to make
every reasonable effort to the extent feasible to comply with a
patient's request for a restriction regarding TPO uses or disclosures
of part 2 records.\237\
---------------------------------------------------------------------------
\237\ See sec. 3221(k)(3) of the CARES Act.
---------------------------------------------------------------------------
Comment
Commenters provided general support for the proposal to modify part
2 to implement requirements in the CARES Act concerning a patient's
right to request restrictions on uses and disclosures of part 2
records. For instance, a medical professionals association supported
this proposed change, stating that transparent privacy policies should
accommodate patient preference and choice as long as those preferences
and choices do not preclude the delivery of clinically appropriate
care, public health, or safety. A county health system said the
proposed changes will promote patient advocacy, privacy, and
transparency. Health system and health plan commenters supported the
proposed language allowing patients to request restrictions on the use
or disclosure of their PHI if this request aligns with the HIPAA
Privacy Rule, which gives covered entities the ability to approve or
deny these requests. Others such as state agencies, health care
providers, and a health IT vendor also supported provisions to request
restrictions on disclosures including for disclosures otherwise
permitted for TPO purposes.
Response
We appreciate the comments about the proposed addition of a new
patient right to request restrictions on uses and disclosures of part 2
records for TPO and the alignment of the right with the parallel HIPAA
provision.
Comment
A health information association supported a mechanism for patients
to request to restrict where and who can access their records in
specific situations as this approach builds trust and allows the
patient to control use and disclosure of their health record. The
commenter further asserted that while data segmentation challenges
exist, most providers follow HIPAA and align with state law privacy
requirements regarding use and disclosure of part 2 records. However,
the association urged that as the Department finalizes these
requirements the ability for a patient to request restriction of
disclosure should not be mandatory for providers to adhere to when they
are otherwise required to provide disclosure. Another provider
supported aligning the right to request a restriction with HIPAA
language to include specific language which clarifies a covered entity
and/or part 2 program is under no obligation to agree to requests for
restrictions. Due to EHR functionality limitations, the provider cannot
accommodate most requests for restrictions, especially related to
treatment.
Response
We appreciate the comments about our proposed change to align part
2 and HIPAA requirements. As stated in Sec. 2.26(a)(5): ``[a]
restriction agreed to by a part 2 program under paragraph (a) of this
section is not effective under this subpart to prevent uses or
disclosures required by law or permitted by this regulation for
purposes other than treatment, payment, and health care operations, as
defined in this part.'' Paragraph (a)(6) of Sec. 2.26 also states that
``[a] part 2 program must agree to the request of a patient to restrict
disclosure of records about the patient to a health plan if . . . [t]he
disclosure is for the purpose of carrying out payment or health care
operations and is not otherwise required by law [. . .].'' Therefore, a
part 2 program that is a covered entity is not required by this section
to agree to restrict a disclosure that otherwise is required by law
\238\ or for a purpose permitted by part 2 other than TPO.\239\
---------------------------------------------------------------------------
\238\ For further discussion of ``required by law'' in the HIPAA
context, see 78 FR 5566, 5628.
\239\ For further discussion of ``required by law'' in the HIPAA
context, see 78 FR 5566, 5628.
---------------------------------------------------------------------------
Comment
An individual commenter urged the Department to expand its proposal
by using the general regulatory authority given it by the CARES Act to
modify 42 CFR part 2 to indicate that a covered entity is required to
agree to a patient's requested restriction of uses and disclosures of
part 2 information. Thus, the commenter suggested the provisions of 45
CFR 164.522(a)(1)(ii) and (a)(2)(iii) would be eliminated. The
commenter asserted that a ``rule of construction'' in the CARES Act
should not be construed to limit a patient's right under the HIPAA
Privacy Rule to request restrictions on the use or disclosure of part 2
records for TPO. The commenter stated its interpretation of the Sense
of Congress in the CARES Act that patients have the right to request a
restriction on the use or disclosure of a part 2 record for TPO and
that encourages covered entities to make every reasonable effort to the
extent feasible to comply with a patient's request for a restriction
regarding TPO uses or disclosures of part 2 records.
A health system also supported this change stating that this
provision aligns with existing standards under the HIPAA Privacy Rule,
which allows a patient to request restrictions, while a covered entity
is not obligated to agree to that request (except when the service in
question has been paid in full). The health system appreciated that HHS
proposed to allow the same flexibility and decision-making capacity for
part 2 programs. Another commenter proposed that the same standards be
applied in part 2 as in HIPAA, which requires covered entities to
evaluate requests and take reasonable means. The commenter believed
that a covered entity is not mandated to honor a restriction for
purposes of operation/treatment but would be for payment in
circumstances where the patient pays out of pocket, in full. The
commenter suggested applying the same standards to part 2 as applied to
covered entities in the HIPAA restriction process. A health system said
it supported aligning part 2 and HIPAA, but if there is a part 2 entity
that is not already a covered entity under HIPAA, HHS should expand the
HIPAA definition of covered entity rather than duplicate HIPAA
provisions in this rule.
Response
We acknowledge these comments and emphasize the Sense of Congress
expressed in section 3221(k)(3) of the CARES Act that ``[c]overed
entities should make every reasonable effort to the extent feasible to
comply with a
[[Page 12538]]
patient's request for a restriction'' regarding such use or disclosure.
Comment
A health system, citing 42 CFR 2.12(c)(3), supported HHS' attempt
to better align part 2 with HIPAA as it relates to both uses and
disclosures, but stated that the introduction of restrictions on uses poses
significant challenges for part 2 programs unless additional changes or
clarifications to the regulations are made. The commenter urged the
Department to clarify in the final rule that permitted uses also
include those uses necessary to carry out the payment or health care
operations of the part 2 program. Such clarification will ensure part 2
programs may continue to use part 2 records internally for payment and
health care operations that may not directly relate to the diagnosis,
treatment, or referral for treatment of patients. Without this
clarification, if a part 2 program fails to secure consent from a
patient, the part 2 program would be prohibited from using part 2
records for essential internal purposes, such as quality improvement,
peer review, and other legally required patient safety activities.
Response
Section 2.12(c)(3), which excludes from part 2 restrictions
treatment-related internal communications among staff in a program and
communications with entities that have direct administrative control of
the program, is not inconsistent with the new patient right to request
restrictions on disclosures for TPO purposes, and a patient's right to
obtain restrictions on disclosures to health plans for services paid in
full by the patient. Additional changes desired by the commenter to
Sec. 2.12(c)(3) are outside the scope of this rulemaking.
Comment
A medical professionals association asserted that given the
sensitivity of SUD data patients may request that their SUD treatment
data not be shared with other clinicians nor be accessible via various
third-party applications. The commenter believed that physicians,
especially those in primary care, generally lack the ability to segment
out certain parts of a patient's record while maintaining the ability
to meaningfully share the non-SUD treatment data with the patient's
care team for the purposes of care coordination and management. The
commenter explained its view that this lack of granular data
segmentation functionality increases administrative burden and creates
challenges for clinicians who are complying with requests not to
disclose SUD treatment data while still complying with HIPAA and
information blocking requirements. As a result, clinicians must either
place sensitive data in the general medical record and institute
policies and procedures outside of the EHR to protect this data or
create a new location or shadow chart that houses and protects the
data. These workarounds disrupt the flow of comprehensive health data
within a patient's care team and increase administrative tasks. The
association urged HHS to work with EHR vendors to modernize the
functionality of health care data management platforms to ensure part 2
programs can keep patients' data confidential when requested. Another
medical association also reflected similar views.
A health IT vendor claimed that several NPRM provisions, including
Sec. 2.26, would require it to implement procedural changes. But the
vendor stated that these updates are necessary to eliminate barriers to
data sharing amongst patients, providers, and health care facilities.
The vendor also believed these requirements can be implemented within
the proposed 22-month compliance period.
A health IT association supported alignment with a patient's right
to request restrictions under the existing HIPAA Privacy Rule. But the
commenter believed that it is important not to add a burden on covered
entities participating in a shared electronic health information
platform or with an HIE or HIN. The commenter urged OCR and SAMHSA to
connect to health IT developers, technology companies, HIE, and HINs to
ensure that technology exists to feasibly allow for covered entity
compliance with interoperability and information blocking requirements.
Response
We acknowledge concerns that data segmentation may be difficult for
part 2 programs and covered entities and discuss this further in Sec.
2.12. However, covered entities have had to address individuals'
requests for restrictions of TPO uses and disclosures since the HIPAA
Privacy Rule was implemented more than two decades ago. The renewed
emphasis on the right to request restrictions on uses and disclosures
of records for TPO is closely linked to the new permission to use and
disclose records based on a single consent for all future TPO. We have
stated in the discussion of the new consent permission that programs
and covered entities that want to utilize the TPO consent mechanism
should be prepared from a technical perspective to also afford patients
their requested restrictions when it is otherwise reasonable to do so.
Entities that are planning to benefit from streamlined transmission and
integration of part 2 records by using the single consent for all TPO
should be prepared to ensure that patients' privacy also benefits from
the use of health IT.
EHR systems' technical capabilities are outside the scope of this
rulemaking, but we are cognizant of and refer throughout this rule to
the existing health IT capabilities supported by data standards adopted
by ONC on behalf of HHS in 45 CFR part 170, subpart B, and referenced
in the ONC Health IT Certification Program certification criteria for
security labels and segmentation of sensitive health data. ONC, SAMHSA,
OCR, and others collaborate to support EHRs and health IT in behavioral
health and integrated care settings.\240\
---------------------------------------------------------------------------
\240\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------
Comment
A provider association opined that the NPRM overemphasizes the
social harms that disclosing SUD clinical information creates, at the
risk of medical harms and overdose deaths that are a consequence of
poor care coordination. The commenter urged the Department to provide
guidance on precisely what is expected of providers as they incorporate
processes to respect these patient rights if the provisions are
finalized as proposed.
Response
We appreciate this comment and the concern for patient safety. As
noted above, providers are not required to agree to all patient
requests for restrictions on uses and disclosures for TPO, but are
encouraged to make reasonable efforts to do so. Providers retain the
responsibility for patient care and determining what is reasonable
under the circumstances. The final rule is emphasizing, however, that
programs and covered entities are expected to do more than merely
establish policies and procedures on the right to request
restrictions--they need to make a concerted effort to evaluate how they
can reasonably accommodate patients' requests.
Comment
An academic health center stated its general support for patients'
rights to limit access to their medical records but wanted to avoid
creating further administrative and operational burdens on staff and
avoid managing patient data retroactively.
[[Page 12539]]
Response
We acknowledge this comment and concerns about burdens that could
result from Sec. 2.26 implementation. However, part 2 programs that
are covered entities are already subject to the HIPAA provisions on the
right to request restrictions in 45 CFR 164.522. As finalized, we
believe this section is consistent with HIPAA as well as CARES Act
requirements.
Comment
A medical professionals association asserted that the NPRM does not
account for patient protections in plans self-funded through an
employer. The association requested clarity on how TPO information will
be kept protected from the employer and how patients will be protected
against discriminatory practices, arguing that without further
clarification, employees will be hesitant to seek treatment if there is
an assumption that an employer will have knowledge of his or her SUD.
In contrast, a national employee benefits association for large
employers urged the Department to allow health plan sponsors (i.e.,
employers) to access part 2 records containing de-identified claims
data that are held by third-party vendors that manage SUD programs.
From the employer/health plan sponsors' perspective, these records are
needed to evaluate and improve health benefits.
Response
Self-funded group health plans are not permitted to retaliate
against SUD or other patients/employees for seeking care. HHS has
explained in guidance application of HIPAA to self-funded employer
group health plans that: ``the [HIPAA] Privacy Rule does not directly
regulate employers or other plan sponsors that are not HIPAA covered
entities. However, the [HIPAA] Privacy Rule, in 45 CFR 164.504(f) does
control the conditions under which the group health plan can share
protected health information with the employer or plan sponsor when the
information is necessary for the plan sponsor to perform certain
administrative functions on behalf of the group health plan [. . . .]
The covered group health plan must comply with [HIPAA] Privacy Rule
requirements, though these requirements will be limited when the group
health plan is fully insured.'' \241\
---------------------------------------------------------------------------
\241\ U.S. Dep't of Health and Human Servs., ``As an employer, I
sponsor a group health plan for my employees. Am I a covered entity
under HIPAA?'' (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/499/am-i-a-covered-entity-under-hipaa/index.html.
---------------------------------------------------------------------------
In discussing 45 CFR 164.530, HHS has further stated in guidance
that ``group health plans are exempt from most of the administrative
responsibilities under the [HIPAA] Privacy Rule. These health plans are
still required, however, to refrain from intimidating or retaliatory
acts, and from requiring an individual to waive their privacy rights.''
\242\
---------------------------------------------------------------------------
\242\ See U.S. Dep't of Health and Human Servs., ``I'm an
employer that offers a fully insured group health plan for my
employees. Is the fully insured group health plan subject to all of
the Privacy Rule provisions?'' (Apr. 6, 2004), https://www.hhs.gov/hipaa/for-professionals/faq/496/is-the-fully-insured-group-health-plan-subject-to-all-privacy-rule-provisions/index.html.
---------------------------------------------------------------------------
In addition, self-funded group health plans are subject to the Mental
Health Parity and Addiction Equity Act (MHPAEA), which requires that
most health plans providing mental health and SUD benefits must provide
services comparable to those for medical/surgical conditions.\243\
While previously able to opt out of these requirements, recent changes
made by the Consolidated Appropriations Act of 2023 state that ``self-
funded, non-Federal governmental group health plans that opt out of
compliance with MHPAEA are required to come into compliance with these
requirements.'' \244\ This change too should mitigate the potential for
employees to be subjected to stigma and discrimination within self-funded
group health plans because they have, or are in recovery from, an SUD.
---------------------------------------------------------------------------
\243\ See Ctrs. for Medicare & Medicaid Servs., ``The Mental
Health Parity and Addiction Equity Act (MHPAEA),'' https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/mhpaea_factsheet; Ctrs. for Medicare & Medicaid Servs.,
``Sunset of MHPAEA opt-out provision for self-funded, non-Federal
governmental group health plans'' (June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf.
\244\ Ctrs. for Medicare & Medicaid Servs., ``Sunset of MHPAEA
opt-out provision for self-funded, non-Federal governmental group
health plans,'' at 1 (June 7, 2023), https://www.cms.gov/files/document/hipaa-opt-out-bulletin.pdf. See also, 42 U.S.C. 300gg-26,
Parity in mental health and substance use disorder benefits.
---------------------------------------------------------------------------
With respect to employer/health plan sponsor access to de-
identified part 2 records, the Department did not propose to create new
use and disclosure permissions specific to employers/health plan
sponsors and does not adopt such changes in this final rule. However,
under this final rule, a covered entity or business associate that
receives records under a TPO consent may redisclose them in accordance
with the HIPAA Privacy Rule, which does not place limitations on the
use or disclosure of de-identified information.
Comment
A health plan asserted that, as written, the rule might be
interpreted to prevent plans with part 2 data from redisclosing it
without consent. Additional restrictions around TPO may negatively
impact plans' business operations since plans would need to separate
part 2 records from other records. This restriction would be burdensome
and more operationally challenging even for the most sophisticated
stakeholders, according to the commenter, who also asserted that
patients may be more likely to receive unnecessary information in these
broad disclosures. The commenter believed that the proposed expanded
TPO restriction would overwhelm both patients and plans, ultimately
hindering efforts toward more efficient care coordination for patients
with SUD.
Response
This section as finalized is consistent with the Sense of Congress
as articulated in the CARES Act, which provides that patients have the
right to request a restriction on the use or disclosure of a part 2
record for TPO. The CARES Act similarly encourages covered entities to
make every reasonable effort to the extent feasible to comply with a
patient's request for a restriction regarding TPO uses or disclosures
of part 2 records.
A patient's right to request restrictions does not prevent health
plans with part 2 records from redisclosing such records without
patient consent as permitted under this rule, except in those
situations where the plan has agreed to a requested restriction.
Comment
A few commenters, including an advocacy organization, professional
associations, and a recovery organization asserted that the proposed
right is profoundly inequitable because it is only available to
patients with the means to pay privately for SUD treatment. Pointing to
what it views as disparities and the cost of SUD treatment, one
commenter asserted that underserved communities and persons affected by
poverty and inequality thus will be less able to exercise this right to
restrict uses and disclosures of their SUD records. Other commenters
expressed concern that some patients can afford to self-pay and may not
wish to face the risks of restrictive health plan coverage policies,
employers, and others finding out they are being treated for an SUD,
but this right is not extended to those who cannot self-pay. These
commenters believed that the rule
[[Page 12540]]
should not subject most Americans to these very real risks while
acknowledging that persons of means can avoid them.
The commenter recommended that HHS strengthen this provision so
that providers comply with all patients' requests to restrict
disclosures of this sensitive health information--not just those
patients who are wealthy enough to pay in full and out-of-pocket. The
commenter argued that strengthening the provision is also consistent
with the CARES Act's ``Sense of Congress'' in section 3221(k)(3):
``covered entities should make every reasonable effort to the extent
feasible to comply with a patient's request for a restriction regarding
such use or disclosure.'' The commenter asserted that when patients
request a restriction on disclosure of their part 2 records, the
default answer should be ``yes,'' subject to narrow exceptions such as
disclosures to treat a medical emergency. In practice, however,
providers' default answer is almost always ``no,'' which is why HHS
should provide a more enforceable right here.
Response
We acknowledge that, as structured, some elements of the right to
request restrictions may benefit patients who can self-pay rather than
those who are unable to do so. However, the provision requiring covered
entities to agree to certain requests is statutory, and it also aligns
with HIPAA requirements pertaining to requests for restrictions by
self-pay patients.\245\ The Department also acknowledges and is working
to address disparities in access to SUD treatment.\246\
---------------------------------------------------------------------------
\245\ U.S. Dep't of Health and Human Servs., ``Under HIPAA, may
an individual request that a covered entity restrict how it uses or
discloses that individual's protected health information (PHI)?''
(Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/3026/under-hipaa-may-an-individual-request-that-a-covered-entity-restrict-how-it-uses-or-discloses-that-individuals-protect-health-information/index.html.
\246\ See, e.g., Substance Abuse and Mental Health Servs.
Admin., ``Behavioral Health Equity,'' https://www.samhsa.gov/behavioral-health-equity; Off. of the Assistant Secretary for
Planning and Evaluation, ``Meeting Substance Use and Social Service
Needs in Communities of Color'' (2022), https://aspe.hhs.gov/reports/substance-use-social-needs-people-color.
---------------------------------------------------------------------------
Comment
One county government stated that in its experience there are very
few requests for restriction received each year and virtually none are
agreed to because of the related operational challenges. An academic
health center said that in its experience of patients who request
restrictions annually, only a relatively small number of restrictions
are made in the context of self-pay for services. The center urged HHS
to align the request for restriction process for part 2 records with
what it views as the already established and operationally familiar
process under HIPAA, explaining that from a technological perspective
restricting patient information within the organization for TPO is
burdensome, and highly error-prone. Restrictions for treatment purposes
can endanger patients, as members of the treatment team need
information to safely provide care, according to this commenter.
Response
We appreciate this information in response to our request for input
in the NPRM. Given that the number of requests for restrictions is
small, the overall organizational burden for fulfilling such requests
should not be overwhelming. When a regulated entity agrees to a
requested restriction, we encourage it to explain to the patient any
limits on its ability to ensure that the request is implemented fully.
Comment
A commenter requested that notice of the right to request
limitations of disclosures of health records, and the process for doing
so comply with Federal guidance and best practices for individuals with
limited English proficiency and individuals with limited literacy or
health literacy skills.
Response
We discuss notice requirements in Sec. 2.22 above. We have in the
past stated that materials should take into consideration the cultural
and linguistic needs of a provider's patients and be written to be
clear and understandable.\247\
---------------------------------------------------------------------------
\247\ 82 FR 6052, 6078.
---------------------------------------------------------------------------
Comment
A privacy foundation cited one of its resources concerning HIPAA
and why the right to request restrictions is in its view almost
meaningless. The commenter suggested that the rule does not require a
covered entity to agree to a restriction requested by a patient. More
importantly, the covered entity does not have to agree even if the
patient's request is reasonable. If HHS does not require a covered
entity to respond to a patient's request for restriction, even to state
whether the request is granted or declined, the right to request
restrictions is meaningfully diminished, according to the commenter,
which added that in some cases the right to request restrictions will
be--for all intents and purposes--abrogated where the request
is never given any response.
Response
As finalized, we believe this section is consistent with HIPAA as
well as CARES Act requirements. We have provided guidance within HIPAA
about requests for restrictions on disclosures of PHI in HIPAA under 45
CFR 164.522.\248\ The right to request restrictions must be balanced
with other regulatory requirements and patient needs, such as for
emergency treatment even when use of records has been restricted. We
also note that as required by Sec. 2.26(a)(6)(ii), a part 2 program
must implement restrictions on disclosure when requested by a patient
if a record pertains solely to a health care item or service for which
the patient, or person other than the health plan on behalf of the
patient, has paid the part 2 program in full.
---------------------------------------------------------------------------
\248\ ``Under HIPAA, may an individual request that a covered
entity restrict how it uses or discloses that individual's protected
health information (PHI)?'' supra note 245; U.S. Dep't of Health and
Human Servs., ``Uses and Disclosures for Treatment, Payment, and
Health Care Operations'' (Apr. 3, 2003), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.
---------------------------------------------------------------------------
Comment
An SUD provider recommended eliminating the ability for tailored
restrictions by patients. Additionally, should the Department implement
this requirement, the provider requested that the regulations
clarify whether a part 2 program is responsible for notifying other
recipients of part 2 information if a patient decides to restrict
future disclosures.
Response
As explained, we are finalizing the proposed requirements.
Redisclosure provisions are discussed in this rule in Sec. Sec.
2.12(d) and 2.33. As we note, consistent with the Sense of Congress in
the CARES Act, section 3221(k)(3), covered entities, including those
covered entities that also are part 2 programs, should make every
reasonable effort to the extent feasible to comply with a patient's
request for a restriction regarding a particular use or disclosure.
This would apply should a patient subsequently modify a request under
this section.
Comment
An advocacy group supported the proposed right of patients to
request privacy protections as a means of
[[Page 12541]]
building trust with the patient but urged HHS to adopt as reasonable and
as practicable a standard as possible when adopting this proposal. Some
patient requests may not be feasible, and a part 2 program should not
have to comply with requests that are overly burdensome or impractical.
Response
We draw attention to the Sense of Congress expressed in the CARES
Act that ``[c]overed entities should make every reasonable effort to
the extent feasible to comply with a patient's request for a
restriction regarding such use or disclosure,'' \249\ and we encourage
part 2 programs to do so as well. We believe that this language makes
it clear that reasonable effort is expected and that it may be balanced
by what is feasible. We believe that a program should not condition
treatment on a TPO consent unless it has some capacity to fulfill
patients' requests for restrictions on uses and disclosures for TPO
such that ``every reasonable effort'' has some meaning. We are
finalizing as proposed in Sec. 2.22 a requirement to include in the
Patient Notice a statement that the patient has the right to request
restrictions on disclosures for TPO and in Sec. 2.26 a patient's right
to request restrictions.
---------------------------------------------------------------------------
\249\ See section 3221(k)(3).
---------------------------------------------------------------------------
Comment
With respect to proposed Sec. 2.26(a)(4), a health system
suggested that a request to restrict access to records for treatment
purposes would likely not be granted since such a restriction could not
be reasonably guaranteed in an EHR. In its system, part 2 programs have
been implemented as restricted departments. Access controls have been
implemented to permit emergency physicians to access such records by
breaking the glass and documenting the purpose of access. At this time,
the commenter believed that there is not a practical way to incorporate
additional language into the break the glass process so that emergency
physicians would see a statement not to further use or disclose this
information.
Response
As finalized, Sec. 2.26(a)(4) states that ``[i]f information from a
restricted record is disclosed to a health care provider for emergency
treatment under paragraph (a)(3) of this section, the part 2 program
must request that such health care provider not further use or disclose
the information.'' Section 2.26(a)(3) permits use of restricted records
for emergency treatment. While we have stated in this rule that data
segmentation is not required, we also stated in 2017 that ``data
systems must be designed to ensure that the part 2 program is notified
when a `break the glass' disclosure occurs and part 2 records are
released pursuant to a medical emergency. The notification must include
all the information that the part 2 program is required to document in
the patient's records.'' \250\ We recognize that EHR systems have
varying degrees of functionality for implementing requested
restrictions and programs are in different stages of updating their
systems; however, we believe that programs need to evaluate how the
limitations of their EHRs may affect patient choice and develop
policies accordingly. For example, if a program conditions treatment on
a patient's TPO consent and the patient agrees to sign the consent, but
only if their records are not provided to a certain provider, the
program should have the means to accommodate the request and if not,
allow the patient to sign a more limited consent as appropriate within
the context. While lack of EHR system capability may be a valid
rationale for not accommodating some patients' requests for
restrictions, it may also be a basis for not adopting a policy of
conditioning treatment on signing a single consent for all TPO if the
program has no other mechanism available to limit disclosures of part 2
records in the event that patients request restrictions.
---------------------------------------------------------------------------
\250\ 82 FR 6052, 6096.
---------------------------------------------------------------------------
Final Rule
We are finalizing this new section as proposed. We also note the
Sense of Congress expressed in section 3221(k)(3) of the CARES Act
stating that ``[c]overed entities should make every reasonable effort
to the extent feasible to comply with a patient's request for a
restriction regarding a particular use or disclosure.'' We also
encourage part 2 programs that are not covered entities to make such
efforts. OCR has provided examples in guidance about the analogous
HIPAA provision that could demonstrate ``reasonable effort'' to
operationalize compliance with a patient's request for a restriction
including in circumstances when an individual is unable to pay for
their health care in full. For instance, consistent with 45 CFR
164.522(a)(1)(vi), we cite the example that ``if an individual pays for
a reproductive health care visit out-of-pocket in full and requests
that the covered health care provider not submit PHI about that visit
in a separate claim for follow-up care to their health plan, the
provider must agree to the requested restriction.'' \251\ If an
individual wishes to not receive fundraising communications, we noted
in preamble to the 2013 Omnibus Final Rule that ``[c]overed entities
should consider the use of a toll-free phone number, an email address,
or similar opt out mechanisms that provide individuals with simple,
quick, and inexpensive ways to opt out of receiving further fundraising
communications.'' \252\ For instance, a covered entity might develop a
phone-based process that supports individuals in making appropriate
requests for restrictions on use and disclosure of PHI.\253\
---------------------------------------------------------------------------
\251\ ``Under HIPAA, may an individual request that a covered
entity restrict how it uses or discloses that individual's protected
health information (PHI)?'' supra note 245.
\252\ 78 FR 5565, 5621 (Jan. 25, 2013).
\253\ See Ctrs. for Medicare & Medicaid Servs., ``CMS Security
and Privacy Handbooks,'' https://security.cms.gov/learn/cms-security-and-privacy-handbooks; Ctrs. for Medicare & Medicaid
Servs., ``CMS Privacy Program Plan,'' https://security.cms.gov/policy-guidance/cms-privacy-program-plan.
---------------------------------------------------------------------------
Some entities also have developed specific forms to facilitate
compliance with 45 CFR 164.522 requirements.\254\ Similar reasonable
efforts could be used to operationalize requests for restrictions in
Sec. 2.26 as finalized, such as supporting options for a patient
wishing to restrict disclosures for TPO.
---------------------------------------------------------------------------
\254\ See Kyle Murphy, ``How IHS plans to implement the HIPAA
Privacy Rule,'' HealthITSecurity (Jan. 11, 2013), https://healthitsecurity.com/news/how-ihs-plans-to-implement-the-hipaa-privacy-rule (discussing Indian Health Service efforts). See also
Indian Health Service, ``Patient Forms,'' https://www.ihs.gov/forpatients/patientforms/.
---------------------------------------------------------------------------
Section 2.31--Consent Requirements.
Section 2.31(a) Requirements for Written Consent
Proposed Rule
The Department proposed to align the required elements for a part 2
consent in paragraph (a) with the required elements of a HIPAA
authorization, to include: the patient's name; the person or class of
persons making the disclosure; a description of the information to be
disclosed in a specific and meaningful fashion; a designation of
recipients; a description of the purpose or if no stated purpose, ``at
the request of the patient;'' the patient's right to revoke consent and
how to do so; an expiration date or event; the patient's or authorized
person's signature; and the date signed. In addition, the Department
proposed several provisions in the consent requirements to support
implementation of the CARES Act requirement to permit
[[Page 12542]]
a single consent for all future uses and disclosures for TPO, as listed
below:
The recipient may be a class of persons including a part 2
program, covered entity, or business associate and the consent may
describe the recipient as ``my treating providers, health plans, third-
party payers, and those helping operate this business'' or use similar
language. The consent also may include a named intermediary under
paragraph (a)(4)(ii), as applicable.
The statement, ``for treatment, payment, and health care
operations'' is a sufficient description of the purpose when a patient
provides consent for all future uses or disclosures for those purposes.
The required expiration date or event may be ``none'' for
a consent for all future uses and disclosures for TPO.
The consent must include:
[cir] The statement that the patient's record (or information
contained in the record) may be redisclosed in accordance with the
permissions contained in the HIPAA regulations, except for uses and
disclosures for civil, criminal, administrative, and legislative
proceedings against the patient.
[cir] A statement about the potential for the records used or
disclosed pursuant to the consent to be subject to redisclosure by the
recipient and no longer protected by this part.
[cir] The consequences to the patient of a refusal to sign the
consent.
The Department proposed to require that a consent to disclose part
2 records to intermediaries state the name(s) of the intermediary(ies)
and one of the following:
The name(s) of member participant(s) of the intermediary; or
A general designation of a participant(s) or class of
participants, which must be limited to a participant(s) who has a
treating provider relationship with the patient whose information is
being used or disclosed.
The Department proposed to remove from the consent requirements a
required statement of a patient's right to obtain a list of disclosures
made by an intermediary.
Finally, the Department proposed wording changes to replace the
term ``individual'' with the term ``person'' to comport with the
meaning of person in the HIPAA regulations and consistent with similar
changes proposed throughout this part.
Required Elements of Consent
Comment
Some commenters who supported the proposed alignment of part 2 with
the HIPAA regulations expressed enthusiasm for what they described as a
long-awaited change that would support the streamlining of
administrative processes, improvements in care coordination, and
reduced inequities in how SUD treatment is viewed compared with general
health care. One commenter specifically appreciated the clarification
that electronic signatures are permitted. An Indian health board noted
that allowing American Indian/American Native patients to identify a
``class of participants'' with a treating provider relationship (like a
``health care team'') within a single prior consent would facilitate
care within the Indian health system. Another supporter pointed out
that including ``use'' as well as ``disclosure'' clarifies the consent
form and noted that informing patients about the ability for
information to be redisclosed is also important. A health information
management association described the changes as ``removing regulatory
morass.'' A health plan believed that the proposed changes ``mak[e] it
easier to comply with both regulatory requirements [of part 2 and the
HIPAA regulations] without adding an additional layer of regulatory
burden. The statutorily required six elements [of a consent] noted
above as well the additional explanations for failing to sign a consent
will better ensure that patients are apprised of their rights under
Part 2 and instill patients' trust.''
Response
We appreciate the comments about our efforts to improve health care
and reduce burdens on regulated entities by aligning the required
elements of the written consent for disclosure of part 2 records with
the required elements of a HIPAA authorization to disclose PHI.
Comment
Many commenters requested clarification and simplification of the
consent requirements. One commenter recommended that the Department
develop model consent language, limited to a single comprehensible
paragraph with an option to find further information online, such as
through a scannable QR code. Some commenters stated that the part 2
consent is vague, complicated, and difficult to read and should be
simplified into plain language for an ordinary person and they opposed
the proposed changes to consent. They also urged the Department to
``prioritize transparency.'' Another commenter asserted that it is in
providers' best interests to inform patients ``of their rights in a
straightforward, easy-to-understand manner, focusing on how their
information will be used and who will have access to it.''
Response
We appreciate the comments recommending simplification and
streamlining of the required consent and will consider the various
suggestions for doing so as we develop guidance or other materials. We
agree that consent should be in plain language that ordinary readers
can understand and believe that the required statements can be drafted
in that manner.
Comment
Several commenters believed that since the proposed part 2 consent
requirements are like a HIPAA authorization, it is confusing to have
similar documents with different purposes. They recommended that the
consent process be easily folded into existing HIPAA compliance
processes, preferably incorporating the acknowledgment of receipt of
the HIPAA NPP and the patient's part 2 consent into the same document.
Response
We appreciate the concern and believe that aligning the required
elements of a part 2 consent with those required for a HIPAA
authorization will facilitate the use of a single form by part 2
programs that are covered entities, and thus must meet both sets of
requirements.
Comment
Several commenters suggested ceasing use of the word ``consent''
when referring to disclosure of records and using the term
``authorization'' instead.
Response
We decline to make this change because covered entities and part 2
programs, particularly those that are not covered entities, are still
obligated to comply with differing sets of disclosure permissions.
Moreover, 42 U.S.C. 290dd-2, as amended by the CARES Act, continues to
expressly refer to consent and thus this final rule remains consistent
with statutory terminology.
Although we are modifying the requirements for a part 2 consent to
align more closely with a HIPAA authorization, the scope and effect of
these documents continue to differ in meaningful ways. For example, a
part 2 consent is required for uses and disclosures of part 2 records
for TPO, but a HIPAA authorization is not required for uses and
disclosures of PHI for TPO. The part 2 consent is required for part 2
programs and the
[[Page 12543]]
authorization is for covered entities and business associates. Because
of these and other differences, we believe using the term
``authorization'' for individual permission under HIPAA as well as for
patient permission under part 2 would create confusion.
Comment
An academic medical center suggested making no changes to part 2
consent requirements for HIPAA covered entities, but instead allowing
them to use the HIPAA authorization to obtain consent for TPO and to
use the patient's right to request a restriction for more granular
consents, such as for disclosure limited to a specific provider.
Response
We assume in this response that the granular consent referred to in
the comment is a consent for some aspects of TPO, but not the full
scope of the TPO consent. We decline to adopt this suggestion in its
entirety because the HIPAA authorization applies to a narrower set of
uses and disclosures than part 2 and does not have all the required
elements of a part 2 consent. For example, the consent, as finalized
here, requires a statement about the potential for records to be
redisclosed by the recipient when they are disclosed under a TPO
consent, and it contains special requirements for disclosures through
an intermediary. Covered entities that are also part 2 programs will
have more flexibility under the final rule consent requirements, so
that they may be able to use a single form that meets the applicable
requirements of a part 2 consent and a HIPAA authorization. Covered
entities that are recipients of part 2 records but are not operating a
part 2 program do not need to create or use a part 2 consent. Instead,
covered entities that are not part 2 programs may use a HIPAA
authorization to disclose part 2 records they receive provided that the
authorization is not for the release of medical or other information
generally. The authorization form must be specific to part 2 records or
records of SUD treatment rather than ``my medical records,'' so that it
identifies the information in a specific and meaningful fashion
according to Sec. 2.31.
Comment
In addition to supporting the proposal to allow a single consent
for all future uses and disclosures for TPO, a county government
recommended that programs be allowed to rely on verbal consent when
making patient referrals, particularly at the initial stages of patient
access to and engagement in treatment and requested regulatory guidance
on how to do so. The commenter explained the importance of verbal
consent for referral or intake purposes before a treatment relationship
has been established in many instances. In the alternative, the
commenter suggested creating a safe harbor from part 2 violations ``for
providers who share information based on a verbal consent to refer a
patient for treatment (which may first take place through a call
center) and then later request written consent at the first appointment
with the patient to share for TPO purposes.''
Response
We decline to adopt an express permission to accept a verbal
consent to disclose part 2 records for purposes of intake and referral
because prior written consent is a statutory requirement in 42 U.S.C.
290dd-2(b)(1)(A); however, some options for handling referrals verbally
may be available depending on the circumstances. One approach would be
to provide de-identified information about the patient to a potential
treatment provider to determine if a placement is suitable and
available and then either provide referral information to the potential
patient so that they can contact the new provider independently or
include the patient in a three-way call with the second provider and
allow the patient to provide identifying information directly to that
provider. In a medical emergency involving an attempted overdose or
similar crisis, a program could disclose part 2 records to a hotline
call center as needed to provide treatment. Similarly, in 2020 the
Department amended part 2 to permit disclosures of patient information
to another part 2 program or other SUD treatment provider during State
or federally-declared natural and major disasters when a part 2 program
is closed or unable to provide services or obtain patient informed
consent.\255\
---------------------------------------------------------------------------
\255\ 85 FR 42986, 43018.
---------------------------------------------------------------------------
Comment
A commenter recommended that, after obtaining the original written
consent, programs should be required to notify patients before each
use, disclosure, and redisclosure of their part 2 records and give them
the opportunity to rescind consent.
Response
This recommendation runs counter to the CARES Act requirement to
allow a single consent for all future uses and disclosures for TPO.
Further, we do not believe it would be practical to require that
patients be notified and given the opportunity to rescind consent
before each use, disclosure, and redisclosure of their part 2 records,
and it would likely create a large increase in burdens for programs and
other entities subject to part 2 requirements. That said, nothing in
the rule prohibits programs from notifying a patient before a
particular use or disclosure of their part 2 records.
Designation of Recipients and Purpose
Comment
Several commenters recommended complete removal of the consent
requirement for TPO, stating that the new disclosure permission does
not go far enough to align with HIPAA.
Response
This recommendation exceeds the scope of the changes authorized
under the CARES Act amendments to 42 U.S.C. 290dd-2. The CARES Act did
not eliminate the statutorily mandated consent requirement for TPO uses
and disclosures.
Comment
A few organizations requested clarification of whether the phrase,
``people helping to operate this program,'' in the general designation
for a TPO consent includes case management and care coordination
providers and suggested that it should.
Response
We agree with the commenters that within the part 2 context,
``people helping to operate this program'' could include case
management and care coordination providers who are QSOs. Disclosures to
case management and care coordination providers who are not QSOs would
also be permitted under a TPO consent as disclosures for treatment.
Regarding the TPO consent, the phrase ``people helping to operate this
program'' is intended to cover those who are not part 2 program
personnel and who would be QSOs (or business associates for part 2
programs that are covered entities).
Comment
Some commenters generally opposed the proposed change to permit a
single consent for all future uses and disclosures for TPO in part
because it would not require designating specific recipients.
Response
The CARES Act amended 42 U.S.C. 290dd-2 to restructure the
statutory permission to disclose part 2 records with consent for TPO.
Thus, the Department is required to implement
[[Page 12544]]
the consent requirements for the new disclosure and redisclosure
permissions. The CARES Act amendments preserved the requirement to
obtain initial consent and the prohibition against use of records in
proceedings against a patient--both core elements of the part 2
confidentiality protections for SUD records. We further discuss the
single TPO consent in Sec. 2.33.
Uses and Disclosures With Written Consent
Comment
Commenters opposing use of a single TPO consent recommended that
the consent provide clear options for the types of consent a patient
may sign, which would include a consent for a specific, one-time use or
disclosure. The commenters believed that this approach would allow
patients to understand their options and to avoid being pressured into
signing a TPO consent because they mistakenly believe it is their only
option.
Response
We agree that part 2 programs should ensure that patients
understand their consent options--which include signing a consent for a
specific, one-time use or disclosure--and we encourage programs to
draft their consent in a manner that is clear and easy to understand.
Congress urged the Department to provide incentives to programs for
explaining to patients the benefits of sharing their records.\256\
Accordingly, the manner in which programs offer information about
different consent options should not undermine efforts to explain to
patients the benefits of TPO consent. Sections 2.22 and 2.31(a) of this
final rule require that part 2 programs notify patients of their rights
and obtain consent before using and disclosing records for TPO.
---------------------------------------------------------------------------
\256\ See sec. 3221(k)(5) of the CARES Act.
---------------------------------------------------------------------------
Comment
Approximately half of commenters on intermediaries opposed the
Department's proposal to retain consent requirements for disclosures to
intermediaries that differ from consent requirements for disclosures to
business associates generally. Of the HIEs and health IT vendors that
commented on this set of proposals, most expressed opposition. Opposing
commenters believed that the special provisions for intermediaries were
a holdover from before the CARES Act and were inconsistent with
aligning part 2 with the HIPAA regulations, especially with regard to
the new provision to allow a single TPO consent.
The board of supervisors for a large county explained the county's
view that the combination of consent proposals (allowing TPO consent
and retaining the consent provision for intermediaries) would result in
a system where health plans, third-party payers, and business
associates may be generally described in a consent as recipients, but
these same recipient entities must be specifically named if the
disclosure is made through an HIE. According to the commenter, ``[t]his
imposes a burden on the use of HIEs for enhancing patient care while
providing no discernable privacy benefit.''
A state-wide e-health collaborative that administers a network of
HINs similarly remarked that if a patient signed a consent form
designating ``my health plan'' as the recipient, the part 2 program
would be permitted to disclose such information directly to the health
plan, but the program would be prohibited from disclosing that
information to the very same health plan if the disclosure was made via
an intermediary without specifically naming the intermediary and the
health plan. A large health IT vendor also voiced these concerns,
describing the potential result as a ``two-tiered'' system that
perpetuates discrimination because patients with SUD cannot reap the
benefits of integrated care that is facilitated by shared electronic
records.
Response
We appreciate the comments and information about how intermediaries
operate and acknowledge that the CARES Act changes to consent for uses
and disclosures for TPO and redisclosures by business associates have
significantly reduced the need for a regulatory provision for
intermediaries. In response to public comments the final rule excludes
covered entities and business associates from the definition of
``intermediary'' in Sec. 2.11. Thus, an HIE, for example, that meets
the definition of ``business associate'' is excluded from the
definition of ``intermediary'' and would not need to be specifically
named in the consent--it would fall under the provision for a general
designation under a TPO consent in Sec. 2.31(a)(4). Other issues
regarding intermediaries are discussed in Sec. Sec. 2.11, 2.13, and
2.24.
Comment
A commenter recommended changes to Sec. 2.31 that would modify the
wording of a consent to specifically permit disclosures to the Food and
Drug Administration (FDA) even after revocation of consent.
Response
We appreciate the comment, but believe expressly permitting
additional disclosures after revocation of consent, where consent is
required, is inconsistent with respecting patient choice. However,
there may be circumstances where consent is not required for
disclosures to the FDA, for example, if they fall within the provision
for program audits and financial evaluations in Sec. 2.53 or public
health disclosures of de-identified records under Sec. 2.54.
Comment
One commenter recommended that disclosures to public health
authorities be included in the general TPO consent.
Response
The CARES Act mandated that disclosures to public health
authorities are permitted without consent, but this permission applies
only to records that have been de-identified. Further, the general
consent authorized by the CARES Act applies only to uses and
disclosures for TPO. Under the HIPAA Privacy Rule, disclosures to
public health authorities are not considered disclosures for TPO and we
apply this same interpretation to part 2. To the extent that a patient
elects to consent to the disclosure of identifiable records to a public
health authority, the consent must include a specific designation of
the recipient.
Consent for Fundraising and De-Identification Activities
Comment
A commenter suggested that consent for fundraising be offered as an
opt-out rather than an opt-in process. Other commenters requested that
fundraising not be allowed or that consent for use or disclosure of
part 2 information for fundraising be obtained using a separate consent
form (i.e., not combined with any other consent). A few commenters
stated that part 2 programs did not need to use part 2 records for
fundraising purposes.
Response
Under the HIPAA Privacy Rule, fundraising falls within the
definition of health care operations.\257\ The CARES Act required us to
incorporate the definition of health care operations wholesale into
this regulation. However, the CARES Act also included a Sense of
[[Page 12545]]
Congress that health care operations do not include fundraising for
purposes of part 2.\258\ Thus, taking into account the Sense of
Congress, a general TPO consent, without more, is not sufficient to
allow the use and disclosure of records for fundraising purposes by a
part 2 program that obtains a TPO consent. We considered whether to
require a separate consent for an entity's fundraising activities, but
determined that offering an opt-out for fundraising on the same form as
consent for TPO would place appropriate guardrails on fundraising uses
and disclosures consistent with the Sense of Congress without
increasing burdens for part 2 programs. Part 2 programs, covered
entities, and business associates that receive part 2 records under a
TPO consent would be permitted to use and redisclose the records
according to the HIPAA requirements. We are implementing the
requirement at 42 U.S.C. 290dd-2(k)(4) to add the definition of
``health care operations'' to this regulation as it is defined in
HIPAA, and operationalizing the Sense of Congress for fundraising
purposes.
---------------------------------------------------------------------------
\257\ 45 CFR 164.501 (definition of ``Health care operations,''
paragraph (6)(v)).
\258\ See section 3221(k)(4) stating that paragraph (6)(v) of
``health care operations'' in 45 CFR 164.501 shall not apply.
---------------------------------------------------------------------------
Comment
In the NPRM, we requested comment on whether the Department should
require entities subject to part 2 requirements to obtain consent to
use records for de-identification purposes and whether such consent
should be structured to provide patients with the ability to opt-in or
opt-out of having their records used in this manner. One commenter, an
HIE, opined that the Department should not mandate either option
because when de-identification is done appropriately through the expert
determination method or the safe harbor method under 45 CFR 164.514(b),
there is no possibility that information will be reidentified.
Response
As we explained in the NPRM, although we believe that an opt-in
requirement would offer patients more control over their records
and best fulfill privacy expectations, we also believe that requiring
patient consent for de-identification activities would be inconsistent
with--and potentially hinder--the new permission to disclose de-
identified information for public health purposes under 42 U.S.C.
290dd-2(b)(2)(D), as amended by section 3221(c) of the CARES Act. Such
a requirement also would create a barrier to de-identification in a
manner that negatively affects patient privacy by increasing
permissible but unnecessary uses and disclosures of identifiable part 2
records in circumstances when de-identified records would serve the
intended purpose.
Implementation Concerns
Comment
One commenter recommended that the Department work with ONC and
provide guidance, technical assistance, and model forms to assist
regulated entities to comply with the proposed changes to consent.
Response
We will continue to work with our Federal partners, including ONC,
as needed to provide guidance, technical assistance, and model forms
for regulated entities.
Comment
Another commenter requested clarification of whether consent could
be broadly obtained and apply to a patient's entire historical record
maintained by a part 2 program.
Response
Yes, a consent may apply broadly to all future uses and disclosures
for TPO and may apply to a patient's entire treatment record.
Expiration of Consent
Comment
A managed care organization requested clarification that an
expiration date is not required, consistent with the HIPAA Privacy
Rule.
Response
The commenter is correct in observing that an expiration date is
not required under the modified consent requirements if the consent is
for all future uses and disclosures for TPO. As noted in the NPRM, the
Department does not intend to create substantive change by replacing
``expiration date, event, or condition'' with ``expiration date or an
expiration event that relates to the individual patient or the purpose
of the use or disclosure.'' However, the example proposed in Sec.
2.31(a)(7) that allows ``none'' to be entered if the consent is for a
use or disclosure for TPO represents a change from the current part 2
consent. Although the HIPAA Privacy Rule allows an authorization to
have ``none'' as an expiration date or event only in limited
circumstances,\259\ the ability to enter ``none'' for TPO consent under
part 2 creates greater consistency with the HIPAA Privacy Rule because
the HIPAA Privacy Rule neither requires consent nor authorization for
TPO uses or disclosures.\260\ Under Sec. 2.31(a)(7) a blank expiration
date or event is insufficient, but an actual date is not always
required. Other expiration language for a TPO consent that is
consistent with 42 U.S.C. 290dd-2(b)(1)(C) is a phrase such as ``until
revoked by the patient.''
---------------------------------------------------------------------------
\259\ 45 CFR 164.508(c)(1)(v).
\260\ U.S. Dep't of Health and Human Servs., ``Guidance:
Treatment, Payment, and Health Care Operations'' (July 26, 2013),
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html.
---------------------------------------------------------------------------
Comment
One commenter stated that the consent should not be indefinite and
suggested that, at a minimum, the written consent should be renewed
annually.
Response
Annual renewal of consent is not required under HIPAA, and we are
not finalizing a requirement to do so under part 2. This would run
counter to the permission to provide consent for all future uses and
disclosures for TPO. However, we recognize that it may be valuable to
periodically ensure that all patient documentation is up to date and
that it may be a good practice to invite patients to review their
consent choices and any documents designating surrogate decision
makers, such as medical powers of attorney. We view this as a matter of
good practice, rather than a legal requirement.
Conditioning Treatment on Consent
Overview of Comments
A professional association for SUD providers and 10 state
affiliates as well as a major health plan/health insurer (who otherwise
supported the TPO consent) opposed allowing part 2 programs to
condition treatment on the signing of a single consent for all future
uses and disclosures for TPO.
Comment
An SUD provider requested clarification about conditioning
treatment on signing consent to disclose records and whether the
Department intended the required statement about the consequences of
not signing the consent to mean that part 2 programs will not have to
comply with the HIPAA Privacy Rule (which generally prohibits
conditioning treatment on signing an authorization).
Response
A part 2 program is not subject to the HIPAA Privacy Rule unless it
is also a covered entity. The substantive differences between the HIPAA
Privacy Rule and part 2 regarding conditioning treatment on signing a
consent or authorization arise from the fact that the HIPAA Privacy
Rule does not require any type of consent or authorization for TPO.
Thus, the need to condition treatment, for example, on an authorization
for payment disclosures, does not arise under HIPAA. However, part 2
expressly allows conditioning treatment on a consent for disclosures
for payment, for example, in Sec. 2.14 (Minor patients). And we stated
in the NPRM preamble that a ``Part 2 program may condition the
provision of treatment on the patient's consent to disclose information
as needed, for example, to make referrals to other providers, obtain
payment from a health plan (unless the patient has paid in full), or
conduct quality review of services provided.'' Because the prohibition
on conditioning treatment on a signed authorization under HIPAA does
not track closely to part 2,\261\ we are adopting, as proposed, only
language from paragraph (c)(2)(ii)(B) of 45 CFR 164.508, and only a
modified version of the first part of that paragraph. Thus, with
respect to conditioning treatment on consent, Sec. 2.31 requires a
statement of ``the consequences to the patient of a refusal to sign the
consent.''
---------------------------------------------------------------------------
\261\ U.S. Dep't of Health and Human Servs., ``What is the
difference between `consent' and `authorization' under the HIPAA
Privacy Rule?'' (Dec. 28, 2022), https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.
---------------------------------------------------------------------------
Comment
Several commenters asserted that part 2 programs should not be
permitted to condition treatment on a requirement that the patient sign
the general TPO consent. They asserted that could create a barrier to
treatment or harm patients' privacy interests. A few of these
commenters recommended that if conditioned consent was allowed the
minimum necessary requirement should apply to any such disclosures.
Response
The availability of a single consent for all future uses and
disclosures for TPO raises new considerations for patient
confidentiality and ethical practice if access to treatment is
conditioned on signing such a consent. Congress did not directly
address whether a program may condition treatment on a TPO consent, but
emphasized guardrails to ease privacy concerns in section 3221 of the
CARES Act. We believe that a program should not condition treatment on
a TPO consent unless it has taken reasonable steps to establish a
workable process to address patients' requests for restrictions on uses
and disclosures for TPO. We are finalizing as proposed in Sec. 2.22
the rule of construction that a patient has the right to request
restrictions on disclosures for TPO and in Sec. 2.26 a patient's right
to request restrictions. Additionally, the existing rule provides that
all disclosures of part 2 records should include only the information
necessary for the purpose of the disclosure.
Comment
Several other commenters requested clarification of what is needed
to give patients notice that treatment may be conditioned on signing
consent for TPO.
Response
The regulation does not require specific language; however, consent
for TPO use and disclosure should include a statement that patient
consent is needed (or required) to allow the program to use and
disclose the patient's records for TPO (or ``to help the program
operate its health care business'') or something similar. The final
rule also requires a statement or statements explaining the
consequences of failing to sign, based on the program's consent
policies. For example, a program may decide not to provide ongoing
treatment although it allows for an initial evaluation, or it may
require payment before services are provided, or it may offer a more
narrow or specific consent option. The program is not required to do
so, but may find it helpful to point to the patient's right to request
restrictions on TPO disclosures and the program's commitment to
accommodate such requests. We assume that programs will carefully
consider their goals, treatment population, and professional standards
in deciding how to fashion a statement about conditioning treatment on
signing a TPO consent. New patients are likely to be more hesitant
about signing broad disclosure permissions than existing patients who
have an established rapport with staff.
Final Rule
The final rule adopts all proposed modifications to Sec. 2.31(a),
but refers to ``HIPAA regulations'' in place of the references to 45
CFR 164.502 and 164.506. This modification aligns with the addition of
the new defined term, ``HIPAA regulations.''
Section 2.31(b) Consent Required: SUD Counseling Notes
In the NPRM, we requested comments on a potential definition of
``SUD counseling notes'' and specific consent provisions regarding
these notes. We offered for consideration that a separate consent
requirement, if adopted, would not apply to SUD counseling notes in
certain specific situations such as when such information was required
for the reporting of child abuse or neglect, needed for the program to
defend itself in a legal action or other proceeding brought by the
patient, or required for oversight of the originator of the SUD
counseling notes.\262\
---------------------------------------------------------------------------
\262\ See full discussion at 87 FR 74216, 74231.
---------------------------------------------------------------------------
Overview of Comments
We received comments in support of the proposal, asking for
modification, and expressing concern about consent provisions related
to SUD counseling notes. We also received comments on such issues as
whether a separate consent should be required for SUD counseling notes,
the similarity or distinctions between psychotherapy notes under HIPAA
and SUD counseling notes, and patient rights to access such notes. We
respond to these comments below. Comments primarily relating to the
proposed definition of ``SUD counseling notes'' are discussed in Sec.
2.11.
Comment
We received support for the proposals in the NPRM concerning SUD
counseling notes from commenters such as HIE/HINs, state and local
agencies, and recovery organizations for treating SUD counseling notes
under Sec. 2.31 similar to psychotherapy notes in the HIPAA Privacy
Rule by requiring a separate written consent for their disclosure.
These commenters believed a separate consent would serve as an added
layer of protection to patients receiving service under Sec. 2.31. A
medical professionals association believed that parties are already
familiar with how to comply with psychotherapy notes under HIPAA. If
such a category is created, the association urged the Department to
issue clear guidance to make the segregation of these counseling notes
as easy as possible so that part 2 programs do not have to take
repetitive actions that would add to their administrative burden.
Response
We appreciate these comments and are finalizing provisions in this
section that require a program to obtain separate
consent for any use or disclosure of SUD counseling notes subject to
certain specific listed exceptions. We will consider what additional
guidance may be helpful on these issues after the rule is finalized.
Comment
According to several SUD and recovery associations, notes often
contain highly sensitive information that supports therapy. Limiting
access to these notes is critical to protect the therapeutic alliance
because of the unique risks that patients face from inappropriate
sharing of the highly sensitive information in these notes. A
health care provider believed the SUD counseling note provision would
allow a SUD provider the ability to more accurately capture critical
impressions of his or her patient without running the risk that it
could adversely impact the patient or the provider-patient
relationship.
A few HIE associations commented that providers rarely use the
option to keep psychotherapy notes as defined in the HIPAA regulations;
instead, the type of information previously envisioned to be included
in the psychotherapy note is now included in ``progress notes'' or the
information is not captured and documented in an EHR. If organizations
move towards utilizing a separate category for SUD counseling notes, it
could lead to information either not being documented, or to important
information not being captured at all, which is against the principles
of interoperability supported by these associations and the Federal
Government, these commenters asserted. A hospital said that in its
experience clinicians, both internal and external to its organization,
usually refer to these types of notes as ``process notes'' which are
not part of the designated record set and are not documented in the
EHR. This commenter also has heard from clinicians that these types of
notes are rarely used.
A medical professionals association believed that SUD counseling
notes should be separated from the rest of the patient's health record,
to allow a firewall between notes used by the individual therapist or
treating professional and the rest of the patient's health record (such
as diagnosis, functional status, treatment plan, symptoms, prognosis,
start and stop times, modalities and frequencies of treatment,
medication prescription and monitoring, and results of clinical tests)
that is designed to be shared, as appropriate, with other health care
entities. According to this association, psychotherapy notes provide a
vital tool for psychologists to protect sensitive therapy details from
third parties. These notes are a way for psychologists to protect
patient privacy as to sensitive details that are important for the
psychologist to remember, but that do not need to be shared with other
health care entities.
Response
We discuss our changes to the definition of ``SUD counseling
notes'' in Sec. 2.11 above. We intend for SUD counseling note
provisions in 42 CFR part 2 to parallel the HIPAA psychotherapy note
provisions.\263\
---------------------------------------------------------------------------
\263\ As discussed elsewhere in this rule, psychotherapy notes
are part of the designated record set. See ``Individuals' Right
under HIPAA to Access their Health Information 45 CFR 164.524,''
supra note 159.
---------------------------------------------------------------------------
Providers may vary in their use of SUD counseling or psychotherapy
notes. Moreover, some providers in behavioral health or other medical
practices also may use ``open notes'' intended to permit patient access
to EHRs, including provider notes.\264\ The preamble to the 2000 HIPAA
Privacy Rule explained that ``process notes capture the therapist's
impressions about the patient, contain details of the psychotherapy
conversation considered to be inappropriate for the medical record, and
are used by the provider for future sessions.'' The preamble further
noted that ``[w]e were told that process notes are often kept separate
to limit access, even in an electronic record system, because they
contain sensitive information relevant to no one other than the
treating provider. These separate `process note' are what we are
calling `psychotherapy notes.' '' \265\ By contrast, progress notes
(referred to as ``progress to date'' in our definition of ``SUD
counseling notes'') would be included in the patient's medical record
or part 2 record.
---------------------------------------------------------------------------
\264\ See Steve O'Neill, Charlotte Blease, Tom Delbanco, ``Open
Notes Become Law: A Challenge for Mental Health Practice,''
Psychiatric Services (2021), https://pubmed.ncbi.nlm.nih.gov/33971748/.
\265\ 65 FR 82461, 82623.
---------------------------------------------------------------------------
We also believe that licensed part 2 program providers that are
especially trained in the handling of these types of records (i.e.,
familiar with and qualified to maintain separate session notes) will
likely be able to understand and apply special requirements to protect
these types of notes. We also reiterate from the NPRM that ``[i]f SUD
treatment is provided by a mental health professional that is a Part 2
program and a covered entity, and the provider creates notes of
counseling sessions that are kept separate from the individual's
medical record, those notes would be [considered] psychotherapy notes
as well as Part 2 records.'' \266\
---------------------------------------------------------------------------
\266\ 87 FR 74216, 74230.
---------------------------------------------------------------------------
Comment
A health IT vendor was not opposed to the proposal to create
special protections for SUD counseling notes but urged the Department
to develop guidance for effective implementation. Also, although it
seems reasonable to this commenter to align the SUD counseling note
consent requirements to the HIPAA psychotherapy note consent
requirements, any requirement for ``a separate written consent that is
not combined with a consent to disclose any other type of health
information'' could be burdensome for providers who provide services to
dually diagnosed (mental health and SUD) consumers.
Response
We are finalizing a modification to permit consent for use and
disclosure of SUD counseling notes to be combined with another consent
for use and disclosure of SUD counseling notes. Combining a consent for
disclosure of SUD counseling notes with an authorization for the use
and disclosure of psychotherapy notes is not permitted under the HIPAA
Privacy Rule. Further, we are not aware that psychotherapy notes or SUD
counseling notes are disclosed with such frequency as to create a
burden for providers.
Comment
A medical professional association interpreted the NPRM to suggest
that SUD counseling notes, like psychotherapy notes, would generally
not be accessible to patients. The association said that in most
states, patients have full or only slightly limited access to these
notes. The reason is that HIPAA's preemption requirement gives priority
to state laws that give patients greater access to their records. Since
most state laws on access to mental health records do not contain an
exemption for psychotherapy notes, those laws are not preempted by the
HIPAA provision denying patients access to psychotherapy notes. The
association believed that the main exception to this effect is in the
minority of states that have changed their patient access laws to align
with HIPAA, including the exclusion of psychotherapy notes from the
patient's right to access their mental health records. The association
anticipated that the creation of SUD counseling notes would have a
similar effect on patient access except to the extent that state
laws on patient access to records exclude, or are otherwise different
for, SUD records.
Response
Under the HIPAA Privacy Rule, patients do not have a right of
access to psychotherapy notes.\267\ We have noted that while there is
no right of access to psychotherapy notes, ``HIPAA generally gives
providers discretion to disclose the individual's own protected health
information (including psychotherapy notes) directly to the individual
or the individual's personal representative.'' \268\ Under HIPAA,
psychotherapy notes must be maintained separately from the rest of the
individual's medical record. We establish a similar expectation with
respect to SUD counseling notes in this final rule.
---------------------------------------------------------------------------
\267\ See 65 FR 82461, 82554; 45 CFR 164.524(a)(1)(i).
\268\ See U.S. Dep't of Health and Human Servs., ``Information
Related to Mental and Behavioral Health, including Opioid Overdose''
(Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html.
---------------------------------------------------------------------------
Under the existing (and final) rule, part 2 programs are vested
with discretion about providing patients with access to their records.
Section 2.23 neither prohibits giving patients access nor requires it
and a part 2 program is not required to obtain a patient's written
consent or other authorization to provide such access to the patient.
We confirm here that SUD counseling notes fall within the scope of part
2 records although they are separated from the rest of the patient's
SUD and medical record under Sec. 2.11 (SUD counseling notes). The
final rule therefore does not require under Sec. 2.23 that SUD
counseling notes be disclosed to the patient, but a clinician may
choose to do so voluntarily.
We assume that SUD treating professionals are aware of the
statutory and regulatory requirements in their state pertaining to
patient access to records, including access to separately maintained
notes of counseling sessions, and considered state requirements when
making decisions about whether to adopt the use of the SUD counseling
notes provision in this final rule.
Comment
A medical professional association commented that since SUDs are
frequently a dual diagnosis with mental health disorders, it is
appropriate for SUD counseling notes to be like psychotherapy notes.
This approach would lessen the provider's burden when treating dual
diagnoses by requiring the same type of notes.
The association described its concerns, however, that a separate
consent requirement, if adopted, should not apply to training programs
that students, trainees, or practitioners use to improve their skills
in a SUD treatment environment. The commenter requested that we
consider patient consent for educational training using audio or video
recordings. Another professional association echoed support for
allowing use or disclosure of SUD counseling notes for a program's
supervised student training activities.
Response
The final rule expressly provides an exception from requirements
for consent to disclose SUD counseling notes when such use or
disclosure is made ``by the part 2 program for its own training
programs in which students, trainees, or practitioners in SUD treatment
or mental health learn under supervision to practice or improve their
skills in group, joint, family, or individual SUD counseling.'' This
parallels the exception for psychotherapy notes in the HIPAA Privacy
Rule for training of mental health professionals. With respect to audio
or video recording, the definition of ``SUD counseling notes,'' like
the definition of ``psychotherapy notes'' under HIPAA, does not include
such recordings.
Comment
We received many comments on segregation or separation of SUD
counseling notes from other parts of a patient's medical record. A
medical professionals association recommended that SUD counseling notes
be handled in the same manner that psychotherapy notes are treated
under HIPAA. This category would provide greater protection for SUD
counseling notes and limit the notes from being shared under a TPO
consent. Providers are already familiar with how to comply with
psychotherapy notes under HIPAA. If such a category is created, the
association encouraged the Department to issue clear guidance to make
the segregation of these counseling notes as easy as possible so that
part 2 programs do not have to take repetitive actions that will add
administrative burden.
A medical school trade association echoed these comments stating
that it supports not disclosing SUD counseling session notes without a
separate written authorization or consent. These notes, which are
maintained primarily for use by the originator of the notes, should
have heightened protections and accountability. This policy would be
consistent with the approach that limits the individual's right of
access to psychotherapy notes under HIPAA. The association requested
HHS explore, in partnership with stakeholders, how these SUD counseling
session notes would be best protected while minimizing data
segmentation challenges. The association also asked that the Department
issue guidance on how these counseling notes could be segregated.
A health IT vendor indicated that it understands the importance of
maintaining the confidentiality of counseling sessions and supports
maintaining strict protections for counseling session notes. Its
platform enables providers to maintain these notes as strictly
confidential.
A few professional associations and an individual commenter
asserted that segregation of client notes under this section creates an
extra burden, which is harder for publicly funded programs without
money for the systems.
According to a medical professionals' association, the creation of
a distinct class of psychotherapy notes in HIPAA provides an
illustrative example of the challenge of implementing specific data
protections within a medical record: options for segregating SUD
records from other records that require manual or duplicative action by
the clinician are likely not viable at scale. Further, the personnel
time and infrastructure costs of configuring such an option in the EHR
are not negligible.
A county department believed that SUD counseling notes are
appropriate to share with the patient upon request. The agency asserted
that it would be inadvisable to segregate these notes from the
remainder of the medical record, and that it would add undue burden to
subject them to a separate patient consent requirement.
An academic medical center stated that even if SUD counseling notes
were included in the final rule, it did not anticipate using them.
Segregating a progress note would be administratively burdensome to do.
Additionally, segregation of information impacts the overall care of
the patient by not providing quality continuity of care to patients
being treated in SUD programs, according to this commenter. The
commenter added, allowing all SUD progress notes related to a patient's
care to be accessible and integrated in the EHR would allow the medical
team to view and use notes from the patient's SUD course of treatment
to care for the patient.
A health insurer asserted that segregation of SUD notes could
impede the sharing of information that should
be part of the patient's overall part 2 record and information that is
critical to support necessary treatment and care coordination. In
addition, the commenter stated that such segregation and the attendant
requirements attached to these notes (e.g., separate consent required
for release) would unduly burden patients, providers, and other
stakeholders with no demonstrated justification or value. The commenter
requested that, if the Department created a separate category of record
information for ``SUD counseling notes,'' the final rule clarify that
this narrow category is limited to contemporaneous notes from an in-
person counseling session and not, as was noted in the proposed rule,
summary information from the overall part 2 record and information such
as diagnosis, treatment plan, progress notes, etc.
Response
We appreciate comments concerning the potential challenges of
maintaining SUD counseling notes apart from the medical or part 2
record. ``SUD counseling notes'' as defined in this rule ``are
separated from the rest of the patient's SUD and medical record.''
Although the definition is neutral regarding the format in which SUD
counseling notes are maintained, a key aspect is that they are not
generally available to anyone other than the treating clinician. Thus,
session notes of an SUD provider that are maintained in an EHR
environment where they are accessible by multiple members of the
treatment team would not qualify as SUD counseling notes nor receive
the additional protection from disclosure.
The final rule's approach to SUD counseling notes and requiring
that such notes be separate from other portions of the record is
entirely consistent with the long-standing approach regarding
psychotherapy notes within HIPAA which dates back to 2000. In the 2000
HIPAA Privacy Rule, we explained that ``any notes that are routinely
shared with others, whether as part of the medical record or otherwise,
are, by definition, not psychotherapy notes, as we have defined them.
To qualify for the definition and the increased protection, the notes
must be created and maintained for the use of the provider who created
them . . . [.]'' \269\
---------------------------------------------------------------------------
\269\ 65 FR 82461, 82623.
---------------------------------------------------------------------------
We further elaborated that ``[t]he final rule retains the policy
that psychotherapy notes be separated from the remainder of the medical
record to receive additional protection.'' We noted that mental health
providers told the Department that ``information that is critical to
the treatment of individuals is normally maintained in the medical
record and that psychotherapy notes are used by the provider who
created them and rarely for other purposes.'' Similarly, SUD counseling
notes support provider recollections of sessions with the patient but
are not intended to supplant other information, such as the patient's
test results and diagnosis, within the part 2 record or medical record.
Comment
Several commenters raised concerns about SUD counseling notes being
distinct from psychotherapy notes under HIPAA. One commenter did not
believe these SUD counseling notes with additional protections promote
access and exchange of valuable information and prefers an approach
that destigmatizes SUD treatment and promotes access to clinically
relevant information which is valuable and informative for all TPO
purposes.
A state agency believed that SUD counseling notes are qualitatively
different than psychotherapy notes and are most frequently maintained
by unlicensed providers. The agency is concerned that this change would
create additional administrative complexity and compliance challenges
for part 2 programs and may have unintended consequences by restricting
patient access to, or disclosure of, a significant segment of their SUD
treatment records. This change seems unlikely to facilitate information
exchange for care coordination purposes, and as such would seem to be
inconsistent with many of the other proposed amendments, according to
this commenter.
One county health department asserted that the utility of this
category of records is likely minimal, and another said that requiring
separate consent for SUD counseling notes would counteract the aim of
facilitating greater information exchange, with unclear benefits. HHS'
proposed consent framework for part 2 records provides patients with
sufficient control to limit what substance use treatment information is
shared and does not require creation of a category of ``SUD counseling
notes'' with different protections.
A health care provider recommended a different approach whereby all
part 2 data is used in a similar manner to psychotherapy notes. This
policy would reduce the need for new part 2 workflows and
interoperability frameworks. Additionally, by deeming part 2
information identical to a psychotherapy note, that data could also be
carved out of the definition of ``electronic health information'' and
would not be subject to the 21st Century Cures Act, but still maintain
critical clinical information. For example, results of clinical tests,
summaries of diagnosis, functionality status, treatment plan, symptoms,
prognosis and progress to date are all excluded from a psychotherapy
note. By treating part 2 data or SUD data similarly to psychotherapy
notes, the most sensitive information made available in a part 2
encounter would continue to be restricted, but critical information for
treatment and continuity of care would remain available.
A health care provider commented that it did not recommend
including special protection for SUD counseling notes by requiring a
separate written consent for their disclosure because it was
concerned that this would impede care coordination. SUD counseling notes
may contain clinically relevant information and be useful to inform
coordinated treatment plans. Also, given the variety of part 2 program
structures, as well as differences in state licensing laws, the
categorization of personnel who could create or view counseling notes
would be confusing to implement and would require significant
administrative burden to designate records within the SUD counseling
notes category. As a result, the commenter believed that some programs
may have difficulty implementing the requirement and be deterred from
sharing vital information within the record for TPO purposes.
Response
Use of the SUD counseling notes provision by an SUD professional is
voluntary and optional, although a program may adopt a facility-wide
policy that either supports or disallows the creation and maintenance
of such notes. Also, SUD counseling notes are a subset of a part 2
record and the separate consent requirement would only apply to such
notes when they are maintained separately from the rest of the part 2
record. Additionally, the CARES Act, while supporting alignment of
HIPAA and part 2, continues to recognize the importance of applying
additional protections to SUD information. Accordingly, the Department
cannot treat psychotherapy notes and SUD counseling notes as synonymous
as this would be contrary to the CARES Act and 42 U.S.C. 290dd-2 as
amended. Regarding requests for additional guidance, we may provide
[[Page 12550]]
additional guidance on these issues after the rule is finalized.
Comment
An academic health center said that as proposed, an SUD counseling
note, created by and used by the creating provider, segments patient
care and could introduce patient safety risks. Information known to
only one member of the treatment team is antithetical to an integrated
care approach. The commenter believed that once the patient has
provided consent to be treated in its SUD program, those records should
be visible to the rest of the care team across the covered entity, not
just the SUD treatment counselor who created the note or the SUD team.
Response
``SUD counseling notes'' as defined in this rule ``excludes
medication prescription and monitoring, counseling session start and
stop times, the modalities and frequencies of treatment furnished,
results of clinical tests, and any summary of the following items:
diagnosis, functional status, the treatment plan, symptoms, prognosis,
and progress to date.'' SUD counseling notes are intended, like
psychotherapy notes, to support an individual provider and are not
routinely shared with others. Information critical to patient diagnosis
and treatment, such as prognosis and test results, should be within the
patient's medical record or part 2 record. We do not believe the use of
separate SUD counseling notes will impede either integrated care or
patient safety; however, a program may adopt its own policy with
respect to the use by its clinicians of such notes.
Comment
According to a health IT vendor, the treatment of SUD counseling
notes under part 2 raises complexities similar to those under HIPAA with
respect to limits on patient access and the need for a distinct,
specific consent from the patient. Addressing such matters depends on
whether the notes are included in a specific medical record document or
record type or commingled with other documentation. The health IT vendor
stated that many part 2 providers have not been in the habit of
maintaining distinct forms of documents or records that would allow
these provisions to be so simply applied. The commenter urged the
Department to develop guidance for their effective implementation. The
commenter
suggested a single consent option to cover both psychotherapy and SUD
counseling notes, not combined with any consent to disclose any other
type of health information, to facilitate the release of notes for
dually diagnosed consumers being treated by the same provider/provider
group. For this and other reasons, it would seem beneficial to this
commenter to align these consent requirements as closely as possible to
avoid confusion, and variations in data exchange rules.
Response
As noted, the Department, including ONC, is working to support
implementation of EHRs and health IT within the behavioral health
sector. We believe that separate consent for release of SUD counseling
notes is important because these notes will be maintained distinctly
from other parts of the patient's medical record. This approach is
consistent with our approach to psychotherapy notes under HIPAA.\270\
According to SAMHSA's National Survey on Drug Use and Health, we know
that many patients will have both mental health and SUDs as well as
other comorbidities or co-occurring conditions. We believe the
definition of ``SUD counseling notes'' in this final rule and the
consent provisions will support integration of care and care
coordination for dually diagnosed SUD and mental health patients.\271\
---------------------------------------------------------------------------
\270\ See ``Does HIPAA provide extra protections for mental
health information compared with other health information?'' supra
note 157.
\271\ See Substance Abuse and Mental Health Servs. Admin.,
``SAMHSA Announces National Survey on Drug Use and Health (NSDUH)
Results Detailing Mental Illness and Substance Use Levels in 2021''
(Jan. 4, 2023), https://www.samhsa.gov/newsroom/press-announcements/20230104/samhsa-announces-nsduh-results-detailing-mental-illness-substance-use-levels-2021.
---------------------------------------------------------------------------
Comment
An insurer suggested that the final rule make clear that this
narrow category of SUD counseling notes is limited to contemporaneous
notes from an in-person counseling session and not, as is noted in the
proposed rule, summary information from the overall part 2 record and
information such as diagnosis, treatment plan, and progress notes. The
commenter asserted that in practice the HIPAA Privacy Rule's provision
on ``psychotherapy notes'' has been used by some parties as a
justification for information blocking and refusal to provide
information for TPO in some cases. The commenter believed that similar
behavior could occur with this provision if boundaries and limitations
are not clearly articulated both in the definition and related
provisions of the final rule.
Response
The Department is collaborating to ensure successful implementation
of information blocking requirements and acknowledges this commenter's
concerns.\272\ That said, we believe the final definition of ``SUD
counseling notes'' makes clear that, for the purposes of part 2, SUD
counseling notes do not include medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies
of treatment furnished, results of clinical tests, and any summary of
the following items: diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.
---------------------------------------------------------------------------
\272\ See ``Information Blocking,'' supra note 160.
---------------------------------------------------------------------------
Comment
An HIE/HIN stated its view that adding an additional level of
complexity in the consent process is likely to cause confusion and have
the practical result of eliminating data sharing in circumstances where
Congress intended to facilitate the sharing of data. Should the
Department decide to add such a definition, the commenter asked that
HHS not prohibit a consent permitting the release of such notes from
being combined with a general consent to release part 2 records. The
commenter believed that any heightened security requirements could be
met by requiring that a consent for release of SUD counseling notes
explicitly reference such notes in conspicuous language, separate and
apart from any other permissions to disclose data.
Response
As noted, consistent with the Department's approach to
psychotherapy notes in HIPAA, we are requiring a separate consent for
disclosure of SUD counseling notes and specifically prohibiting
combining a consent for disclosure of SUD counseling notes with a
consent for disclosure of any other type of health information other
than for release of psychotherapy notes. A part 2 consent form may have
a combination of options, including a check box for SUD counseling
notes. However, when a patient is consenting to disclosure of SUD
counseling notes, that is the only type of information that can be
indicated on the consent (other than psychotherapy notes). For instance,
if a patient checks both ``billing information'' and ``SUD counseling
notes,'' this consent is not valid to release the SUD counseling notes.
[[Page 12551]]
Comment
With respect to the proposed exception for disclosure of SUD
counseling notes to lessen a serious and imminent threat to the health
or safety of a person or the public, an individual commenter said that
the proposed language, reflecting what is otherwise known as the
Tarasoff \273\ exception, is too broad.\274\
---------------------------------------------------------------------------
\273\ Tarasoff v. Regents of the Univ. of Cal., 17 Cal. 3d 425
(Cal. 1976).
\274\ For an analysis of how this applies under HIPAA, see U.S.
Dep't of Health and Human Servs., ``If a doctor believes that a
patient might hurt himself or herself or someone else, is it the
duty of the provider to notify the family or law enforcement
authorities?'' (Sept. 12, 2017), https://www.hhs.gov/hipaa/for-professionals/faq/2098/if-doctor-believes-patient-might-hurt-himself-or-herself-or-someone-else-it-duty-provider.html.
---------------------------------------------------------------------------
The commenter stated the objective in this exception is to
``lessen'' a serious and imminent threat to the health or safety of a
person or the public. The commenter believed that this approach was
discriminatory because it equated being in treatment for SUD with being
an imminent threat from a physical or health perspective. Specifically,
the commenter said inclusion of the term ``health'' was too vague and
suggested that if a person in SUD treatment has HIV, hepatitis B or C,
or any other communicable disease, that it is the responsibility of the
SUD counselor to determine whether to report that information if the
patient is in a conjugal relationship or might expose another person.
The commenter argued that it is sufficient to characterize the nature
of the imminent physical threat, assert that the reporter has reason to
believe that the imminent physical threat is serious, and disclose any
personal information that would allow a person to avoid the instigator
of the threat or that would allow a person(s) reasonably able to prevent
or lessen the threat to do so.
Response
We acknowledge the commenter's concerns about the suggested
exception, which we decline to include in the final rule. HIPAA and
part 2 provisions on serious and imminent threats and disclosure
differ. With respect to preventing harm, the final rule permits use or
disclosure of SUD counseling notes under Sec. 2.63(a)(1) and (2) based
on a court order to disclose ``confidential communications'' made by a
patient to a part 2 program when necessary to protect against an
existing threat to life or of serious bodily injury, or in connection
with the investigation or prosecution of an extremely serious crime,
such as one which directly threatens loss of life or serious bodily
injury, including homicide, rape, kidnapping, armed robbery, assault
with a deadly weapon, or child abuse and neglect. When such a use or
disclosure is made, Sec. 2.13 provides that ``[a]ny use or disclosure
made under the regulations in this part must be limited to that
information which is necessary to carry out the purpose of the use or
disclosure.'' Thus, the information shared under these circumstances or
with respect to any disclosure without consent should be the minimum
necessary to carry out the purposes of the disclosure.\275\
---------------------------------------------------------------------------
\275\ See 83 FR 239, 244; 85 FR 42986, 43003.
---------------------------------------------------------------------------
Final Rule
As noted, we have finalized a definition of ``SUD counseling
notes,'' discussed above under Sec. 2.11. With respect to consent
for use and disclosure of SUD counseling notes we are finalizing the
provision as Sec. 2.31(b). The consent requirement does not apply to
SUD counseling notes in certain specific situations such as the: (1)
use by the originator of the SUD counseling notes for treatment; (2)
use or disclosure by the program for its own training programs; or (3)
use or disclosure by the program to defend itself in a legal action or
other proceeding brought by the patient.
Section 2.31(c) Expired, Deficient, or False Consent
Proposed Rule
The NPRM proposed in paragraph (c)(4) of this section to replace
the phrase ``individual or entity'' with the term ``person'' to comport
with the meaning of person in the HIPAA regulations and as consistent
with similar changes proposed throughout this part. The revised
language would read, ``[a] disclosure may not be made on the basis of a
consent which . . . [i]s known, or through reasonable diligence could
be known, by the person holding the records to be materially false.''
Additionally, the Department solicited comments on whether the final
rule should require part 2 programs to inform an HIE when a patient
revokes consent for TPO so that additional uses and disclosures by the
HIE would not be imputed to the programs that have disclosed part 2
records to the HIE.
False or ``Uninformed'' Consent
Comment
Several commenters urged the Department to require that programs
engage in an ``informed consent'' process in which they explain the
nature of the consent and its potential consequences to the patient.
Response
``Informed consent'' generally refers to consent to receive
treatment or consent to participate in research.\276\ As such, the
obligation to ensure that patient consent is informed is outside of the
scope of part 2, but is addressed in other law and is part of the
professional and ethical requirements for licensed SUD professionals.
However, we expect programs to ensure that consent is knowing and
voluntary in the sense that the patient understands the consequences of
signing or not signing the consent or authorization or that a personal
representative provides consent when needed. We believe that consent
that has been coerced or unknowing would be invalid and that, in the
context of an application for a part 2 court order, the court would
decide such matters. In addition, we believe that a consent that is
based on false information or a lack of material information about the
nature of the disclosure would be considered an invalid consent, as
would any consent if the part 2 program knows or has reason to know
that the signature was forged.
---------------------------------------------------------------------------
\276\ See Off. of Human Research Protections, ``Informed Consent
FAQs'' (Sept. 24, 2003), https://www.hhs.gov/ohrp/regulations-and-policy/guidance/faq/informed-consent/index.html (discussing the HHS
Common Rule and other requirements); Food and Drug Admin.,
``Informed Consent Guidance for IRBs, Clinical Investigators, and
Sponsors'' (August 2023), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/informed-consent; American
Medical Ass'n, Code of Medical Ethics, Chapter 2, Informed Consent,
Opinion 2.1.1, https://code-medical-ethics.ama-assn.org/ethics-opinions/informed-consent; R. Walker, TK Logan, JJ Clark et al.,
Informed consent to undergo treatment for substance abuse: a
recommended approach, 29 J Subst Abuse Treat. 241-51 (2005); Johns
Hopkins Medicine, Off. of Human Subjects Research, ``Relevant State
Law Requirements'' (August 2020), https://www.hopkinsmedicine.org/institutional-review-board/guidelines-policies/guidelines/marylandlaw. See also, e.g., 42 CFR 482.24(c)(4)(v).
---------------------------------------------------------------------------
Revocation of Consent
Comment
Some commenters addressed revocation of consent for use and
disclosure of part 2 records, including several member organizations of
an HIE/HIN that co-signed a comment letter. Some of these commenters
urged that the final rule expressly state that disclosed part 2 records
cannot be pulled back from the recipient once released, following a
patient's revocation of the original signed consent as stated in the
NPRM preamble discussion.
[[Page 12552]]
Response
We appreciate the comments and information provided about the
consent revocation process, particularly when it occurs in an HIE
environment. We reaffirm the statement in the NPRM preamble that
revocation does not require pulling back records that have already been
disclosed, and we do not believe it is necessary to so state in
regulatory text.
Comment
Several commenters recommended that HIEs be informed when a patient
revokes consent, including an HIE association, health IT vendors, and a
state government agency. One health IT vendor explained that consent
revocation mechanisms may be implemented through the Trusted Exchange
Framework when made by HIEs and HINs. The vendor asserted that most
HIEs already receive notice of revocation when they use a model of
exchange in which a potential recipient seeks medical records from
another exchange participant and the current status of a patient's
consent permission to have their records exchanged is known, including
whether a patient has revoked consent. A health plan requested that
recipients be notified so they can stop redisclosing information they
already received based on consent.
One commenter asserted that the existing pathways for complying
with a more granular consent (e.g., that is specific to a certain
recipient or purpose) should remain available and that HIEs should be
informed about changes to consent for disclosures made through the HIE.
This commenter recommended that the Department explore further how HIEs
learn of the consent status, whether it means that the HIE must
directly record the status of a revocation or if the HIE relies on some
kind of electronic ``polling'' of the part 2 program to ascertain if a
valid consent remains or has been revoked.
In contrast, a behavioral health network/HIE opposed requiring
notice of revocation to an HIE, opining that it is not necessary
because--under the CARES Act--once part 2 records are disclosed to a
covered entity or business associate they are no longer part 2 records.
As such, the commenter stated, the records can be redisclosed without
limitation under part 2 even after a part 2 consent to disclose has
been revoked.
Response
We appreciate these comments, which provided perspectives on how
consent and revocation are communicated through an electronic health
exchange. We disagree with the view that once records are disclosed
they are no longer part 2 records. Once received by a covered entity or
business associate, the part 2 records are also PHI but, under this
final rule, do not have to be segregated or segmented from other PHI.
However, the records remain subject to the part 2 prohibitions against
uses and disclosures for certain proceedings against a patient without
written consent or a court order under this part. We agree that
programs should convey to recipients when a consent is provided and,
where feasible, when it has been revoked. This effort should include
using whatever tools are at the disposal of the program to ensure that
only consented information is exchanged.
While we appreciate the comments stating that HIEs are able to
operationalize a requirement to provide notice of revocation, we are
concerned about the burdens that would apply to all programs if we
imposed a requirement that programs ``must'' notify recipients upon
consent revocation. Thus, while we are finalizing additional
requirements for a copy of consent to travel with each disclosure of
records for which consent is required, we decline to adopt a
requirement for programs to notify recipients of records of each
revocation. The new requirement to attach a copy of consent is
discussed under Sec. 2.32 (Notice and copy of consent to accompany
disclosure). Regarding revocation, we intend for programs to convey to
recipients when a patient has provided written revocation where
feasible. When the records have been disclosed through an HIE, the
mechanism for informing recipients of a revocation would likely depend
on the consent model used by the HIE. But our expectation is that all
programs make efforts to initiate actions needed to accomplish the
notification and to give full effect to the patient right to revoke
consent as stated in the Patient Notice.
Consistent with the recommendation of one commenter to explore
further how HIEs learn of the consent status, we intend to monitor how
provision of notice of revocation could work across all types of
entities, including in a fully electronic environment such as an HIE,
but also for stand-alone systems and paper-based exchanges.
Comment
A health information association recommended requiring programs to
inform HIEs, and HIEs to follow, a patient's request to revoke consent
for distribution of their information for TPO. If patients are not able
to stop the exchange of their information once it is released to an
HIE, they may hesitate to consent to information being released to an
HIE or HIN. If a patient's data is out of date at one provider and the
patient cannot revoke consent for that information to be exchanged by
an HIE, then they will continue to fight a losing battle to ensure
every subsequent record is correct as the HIE may still be exchanging
the incorrect information.
Response
The language in the final rule for Sec. 2.31(a)(6) regarding
``[t]he patient's right to revoke the consent in writing, except to the
extent that the part 2 program, or other lawful holder of patient
identifying information that is permitted to make the disclosure, has
already acted in reliance on it [. . .]'' is broadly applicable and
therefore would include HIEs/HINs. As a result, when an HIE/HIN learns
of a patient's revocation of consent they would need to cease using or
redisclosing the patient's part 2 record to other entities.
Comment
An academic medical center compared the proposed part 2 TPO consent
to a HIPAA authorization for TPO disclosures and explained that during
the entire period that the HIPAA Privacy Rule has been effective they
were not aware of any patient that sought to revoke a HIPAA
authorization for use of their PHI for purposes of TPO.
Response
We acknowledge the similarities and differences between part 2
consent and HIPAA authorization. Under HIPAA, neither consent nor
authorization is required for TPO, so the opportunity to revoke such an
authorization is unlikely to exist. Revocation of consent is further
discussed under Sec. 2.31.
Comment
Some commenters addressed the question of whether a revocation
should halt all future uses and disclosures by a recipient or whether a
revocation should only prevent any further disclosures to that
recipient. Commenters did not show a strong consensus on one approach,
although more comments than not supported allowing additional
redisclosures following revocation when the information is limited to
records already in possession of the initial recipient. HIE-related
comments uniformly affirmed the Department's statement in the NPRM
preamble that information did not need to be ``clawed back'' following
a revocation and several further asserted that an HIE needs to cease
making redisclosures of health
[[Page 12553]]
information it retains once it learns of a revocation of consent or
HIPAA authorization. These commenters also urged express clarification
that revocation of consent only applies going forward. Commenters that
supported the ability to continue making redisclosures of information
retained by the recipient requested clarification to reduce concerns by
part 2 programs that they could be liable for redisclosures made by
recipients after consent has been revoked. As described in the
discussion of Sec. 2.13 above, a few HIE/HINs proposed addressing
revocation in Sec. 2.13 and limiting it to new information received
after the revocation, allowing continued use and disclosure of part 2
records the recipient had received prior to the revocation.
Response
As stated in the NPRM, the Department does not expect a part 2
program to ``pull back'' records that it has disclosed under a valid
consent based on a patient's revocation of consent. At a minimum we
intend that a written revocation serves to prohibit a part 2 program
from making further uses and disclosures of a patient's record
according to the scope of the revocation. Based on the public comments
received, we also intend that when records have been transmitted
through an HIE, the HIE should cease making further disclosures of the
patient's record to other member participants. As stated in the NPRM,
to fully accomplish the aims of the right to revoke consent, we expect
that part 2 programs will work to ensure that any ongoing or automatic
disclosure mechanisms are halted upon receipt of a request for
revocation.
Certain recipients under a consent for TPO (part 2 programs,
covered entities, and business associates) are permitted to redisclose
records according to the HIPAA regulations. Under 45 CFR 164.508(b)(5)
a covered entity or business associate is required to cease making
further uses and disclosures of PHI received once they are informed of
an authorization revocation, except to the extent they have already
taken action in reliance on the authorization or if it was obtained as
a condition of obtaining insurance coverage and other law provides the
insurer with the right to contest a claim. We believe this requirement
applies equally to revocation of a part 2 consent. This interpretation
is revised from the NPRM preamble discussion that proposed a revocation
would only be effective to prohibit further disclosures by a program
and would not prevent a recipient part 2 program, covered entity, or
business associate from using the record for TPO, or redisclosing the
record as permitted by the HIPAA Privacy Rule.
Taking into account covered entities' obligations under HIPAA once
they are informed of a revocation, we believe they are also obligated
to comply with a revoked consent about which they are aware. We do not
see a reason for a recipient covered entity to treat a patient's
revocation of part 2 consent differently than a revoked HIPAA
authorization. For example, if a part 2 program disclosed part 2
records under a TPO consent to a health plan and the patient later
revoked said consent, the health plan that is processing a claim may
complete the transaction but may not process new part 2 claims for that
patient/plan member. In another example, a covered entity health care
provider who is currently treating a patient and has received a
patient's part 2 records will necessarily need to continue relying on
the records it received to continue treating the patient (e.g., the
provider cannot ``unlearn'' the patient's history); however, it is
prohibited from redisclosing the records once the patient revokes
consent in writing. Handling revoked authorizations is not a new
process for covered entities and they should therefore be capable of
handling revoked consents in the same manner.
Comment
An academic medical center expressed concern about scenarios in
which the part 2 program relied on the original consent for a specific
use or disclosure, but such use or disclosure may need to occur after
such revocation has occurred. Examples include when a patient signs a
consent to permit the part 2 program to disclose records for payment
purposes, to ensure the program receives appropriate reimbursement for
its services but then revokes his or her consent prior to the part 2
program submitting the bill to the patient's payor. According to this
commenter, the NPRM seems to suggest that the part 2 program would no
longer be permitted to make such a disclosure, despite the fact that
the part 2 program agreed to treat the patient on the condition of
receiving reimbursement from the patient's payor.
Response
If a disclosure cannot practically or feasibly be stopped after
revocation because it is already in process or due to technological
limitations, this would constitute the kind of reliance on the consent
that the rule recognizes. For example, such
reliance could occur in research or if the patient is being treated for
co-occurring disorders for which close consultation among specialists
is paramount. Revocation of consent raises some of the same issues as
withholding consent and conditioning treatment on consent for necessary
disclosures. Thus, a program would need to explain to the patient when
it is not feasible to stop or prevent a disclosure from occurring and
discuss with a patient the consequences of revoking their consent in
some circumstances. It is reasonable that a patient who seeks to revoke
consent for disclosure to their health plan would be expected to make
another arrangement to ensure payment which may include paying out of
pocket for services.
Comment
Some commenters specifically addressed whether oral revocation of
consent should be permitted and were nearly even in opposition and
support. The several organizations favoring oral revocation expressed
very strong support for recognizing this as a valid expression of
patient choice. The rationales offered by commenters that did not
support the proposed changes were the following:
(1) HIPAA requires written revocation.
(2) The CARES Act requires written revocation.
(3) Equating oral revocation with oral consent, because part 2
programs are most likely to document oral consent in the part 2 record.
(4) Concern about how oral revocation would be documented and
communicated to all entities that receive part 2 records.
Response
The statute, 42 U.S.C. 290dd-2(b)(C), states that revocation of a
TPO consent must be in writing. At the same time, consideration should
be given to other civil rights implicated in this interaction and the
entity's obligation under the relevant civil rights laws to provide
assistance as needed to ensure meaningful access by enabling patients
to effectuate a revocation.
Final Rule
The final rule adopts the proposed changes to the consent
requirements in paragraph (a) with further modifications to paragraph
(a)(4)(iii) to replace ``HIPAA Privacy Rule'' with ``HIPAA
regulations'' and remove part 2 program from the statement about
redisclosure according to the HIPAA regulations and to paragraph
(a)(5)(iii) to require an opportunity to opt out of fundraising
communications rather than requiring patient consent. The final rule
adopts the proposed changes to the existing paragraph (b) of Sec. 2.31
(Expired, deficient, or false consent) and
[[Page 12554]]
redesignates the content of paragraph (b) as a new paragraph (c).
Additionally, the final rule adds a new paragraph (b) to require
separate consent for the use and disclosure of SUD counseling notes,
and a new paragraph (d) to require a separate consent for use and
disclosure of records in civil, criminal, administrative, or
legislative proceedings.
Section 2.32--Notice and Copy of Consent To Accompany Disclosure
Heading of Section
Proposed Rule
The Department proposed to change the heading of this section from
``Prohibition on re-disclosure'' to ``Notice to accompany disclosure''
because Sec. 2.32 is wholly a notice requirement, while other
provisions (Sec. 2.12(d)) prohibit recipients of part 2 records from
redisclosing the records without obtaining a separate written patient
consent. To ensure that recipients of part 2 records comply with the
prohibition at Sec. 2.12(d), Sec. 2.32(a) requires that part 2
programs attach a notice whenever part 2 records are disclosed with
patient consent, notifying the recipient of the prohibition on
redisclosure and of the prohibition on use of the records in civil,
criminal, administrative, and legislative proceedings against the
patient.
Comments
We received no comments on the proposed change to the heading of
this section.
Final Rule
The final rule is adopting the language of the proposed heading
with a further modification to take into account the new paragraph (b)
that we are adding, as discussed below. The new heading reads, ``Notice
and copy of consent to accompany disclosure.''
Expanded Notice of Prohibited Uses and Disclosures
Proposed Rule
The Department proposed to modify paragraph (a)(1) of Sec. 2.32 to
reflect the expanded prohibition on use and disclosure of part 2
records in certain proceedings against the patient, which includes
testimony that relays information in a part 2 record and the use or
disclosure of such records or testimony in civil, criminal,
administrative, and legislative proceedings, absent consent or a court
order.
In addition, the proposed language of the notice listed exceptions
to the general rule prohibiting further use or disclosure of the part 2
records by recipients of such records, which would allow covered
entities, business associates, and part 2 programs who receive part 2
records for TPO based on a patient's consent to redisclose the records
as permitted by the HIPAA Privacy Rule. This exception also would apply
to entities that received part 2 records from a covered entity or
business associate under the HIPAA Privacy Rule disclosure permissions,
although the legal proceedings prohibition would still apply to covered
entities and business associates that receive these part 2 records. The
Department stated that these changes are necessary to conform Sec.
2.32 with 42 U.S.C. 290dd-2(b)(1)(B), as amended by section 3221(b) of
the CARES Act, and proposed a statement in paragraph (a)(1) as follows:
This record which has been disclosed to you is protected by
Federal confidentiality rules (42 CFR part 2). These rules prohibit
you from using or disclosing this record, or testimony that
describes the information contained in this record, in any civil,
criminal, administrative, or legislative proceedings by any Federal,
State, or local authority, against the patient, unless authorized by
the consent of the patient, except as provided at 42 CFR 2.12(c)(5)
or as authorized by a court in accordance with 42 CFR 2.64 or 2.65.
In addition, the Federal rules prohibit you from making any other
use or disclosure of this record unless at least one of the
following applies:
Further use or disclosure is expressly permitted by the
written consent of the individual whose information is being
disclosed in this record or is otherwise permitted by 42 CFR part 2;
You are a covered entity or business associate and have
received the record for treatment, payment, or health care
operations as defined in this part; or
You have received the record from a covered entity or
business associate as permitted by 45 CFR part 164, subparts A and
E.
Comment
An individual commenter asserted that disclosures made by a part 2
program to a covered entity or a business associate for TPO and
redisclosures made by a covered entity or business associate in
accordance with the HIPAA regulations should not require a notice
accompanying the disclosure as set out in Sec. 2.32 of the proposed
revisions.
The commenter stated that under the CARES Act, with the prior
written consent of the patient, the contents of a part 2 program record
may be used or disclosed by a covered entity, business associate, or
program for TPO as permitted by the HIPAA regulations. Further, once
disclosed to a covered entity or business associate, the CARES Act
provides that the information so disclosed may be redisclosed in
accordance with the HIPAA regulations. The requirement of an
accompanying written notice for each disclosure imposes a hurdle to the
electronic exchange of information through an HIE and is not required
under 42 U.S.C. 290dd-2. The commenter suggested that the provisions of
42 U.S.C. 290dd-2(c) operate independently and refer to uses and
disclosures in proceedings rather than uses and disclosures by covered
entities or business associates. Thus, the prohibition can be enforced
independently by the patient in the course of any such proceeding. To
the extent that an accompanying notice is determined to be necessary,
it should be permissible to reference the provisions of 42 U.S.C.
290dd-2(c) in contractual agreements between the program, covered
entities, and business associates rather than requiring that a notice
accompany each disclosure.
An HIE described its reliance on contractual requirements in its
agreements with data providers to ensure that it is notified of any
limitations on its ability to share data prior to receiving that data.
That practice will continue in response to the proposed changes
contained in the NPRM. The commenter said that if the final rule
includes a requirement for part 2 programs to notify data recipients,
that requirement should be that they notify recipients when data is not
received pursuant to a global consent for TPO, and that the operating
assumption of parties receiving all forms of health data should be that
it can be used consistently with the requirements of HIPAA and any
relevant state laws or express contractual limitations.
Response
The notice does not establish a limitation on redisclosure but
rather is intended to align the content of Sec. 2.32 (Notice to
accompany disclosure) with the requirements of 42 U.S.C. 290dd-2(b), as
amended by the CARES Act.
As the Department noted in its 2010 HIE guidance and regulations,
this notice was intended to inform downstream recipients that the
records are subject to part 2 and its restrictions on redisclosure.\277\ The notice as we have
finalized it in this rule, like the existing notice, continues to
inform record recipients that the information they receive may not be
used in legal proceedings absent patient consent or a court order. We
believe that the notice remains applicable to redisclosures by part 2
programs, covered entities, and business associates to operationalize
the continuing prohibition on use and disclosure of part 2 records in
proceedings against the patient, which applies to redisclosures by
recipients under Sec. 2.12(d).
---------------------------------------------------------------------------
\277\ 83 FR 239, 241; See ``Frequently Asked Questions: Applying
the Substance Abuse Confidentiality Regulations to Health
Information Exchange (HIE),'' supra note 150.
---------------------------------------------------------------------------
Also, consistent with 42 U.S.C. 290dd-2 and previous part 2 final
rules, this final rule states in Sec. 2.33 that ``[w]hen disclosed for
treatment, payment, and health care operations activities [. . .] to a
covered entity or business associate, the recipient may further use or
disclose those records as permitted by 45 CFR part 164, except for uses
and disclosures for civil, criminal, administrative, and legislative
proceedings against the patient.''
Simply citing 42 U.S.C. 290dd-2(c) in contractual agreements
between the program, covered entities, and business associates rather
than providing a notice to accompany each disclosure also is
insufficient because this approach would fail to convey to the
recipient of part 2 records essential information provided in the
Notice to Accompany Disclosure under Sec. 2.32 as finalized in this
rule. However, business associate or other contractual agreements may
refer to these provisions. Additionally, part 2 programs do not
necessarily have contractual agreements with every recipient of records
for uses and disclosures for TPO.
The text of 42 U.S.C. 290dd-2, as amended by the CARES Act,
continues to emphasize limitations on use of part 2 records in civil,
criminal, administrative, and legislative proceedings absent patient
consent or a court order. Consistent with the statute and congressional
intent reflected in the CARES Act, limitations on sharing information
in proceedings within part 2 as finalized also remain distinct and more
restrictive than analogous provisions within the HIPAA Privacy
Rule.\278\
---------------------------------------------------------------------------
\278\ See U.S. Dep't of Health and Human Servs., ``Court Orders
and Subpoenas'' (Nov. 2, 2020), https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html.
---------------------------------------------------------------------------
Comment
A commenter opined that the notice prohibiting redisclosure, which
accompanies records disclosed with patient consent, should clearly
identify whether the records are subject to the new redisclosure
permissions or still protected by part 2.
Response
We believe this comment assumes a false dichotomy--that records are
either subject to redisclosure or protected by part 2. Records that may
be redisclosed according to the HIPAA standards--those for which a TPO
consent was obtained--are still protected by the part 2 prohibition on
use and disclosure in proceedings against the patient, absent consent
or a court order under this part. However, assuming that the commenter
is questioning how the recipient would identify records that are
disclosed under a single consent for all TPO versus those that are
disclosed under a more limited consent, we are finalizing an additional
modification in Sec. 2.32(b) to require that ``[e]ach disclosure made
with the patient's written consent must be accompanied by a copy of the
consent or a clear explanation of the scope of the consent provided.''
We believe this will provide the information recipients of records need
to understand the redisclosure permissions that may be available.
Comment
A few medical professionals' associations and other commenters said
that retaining the Notice to Accompany Disclosure requirement means
that the need to identify, segment, and segregate the data will persist
to append the notice with each disclosure. One association requested
that the Department exclude covered entities from this requirement.
Response
We do not believe that the notice requirement in Sec. 2.32 is what
may prompt segmentation of records or segregation of part 2 data. The
continuing prohibition in Sec. 2.12(d) on a recipient's use or
disclosure of records in legal proceedings must be effectively
operationalized, and it is unclear how that can be accomplished unless
the recipient is aware that the records are subject to the prohibition.
We believe this can be accomplished within an electronic health
exchange environment, and we are finalizing additional modifications to
Sec. 2.12(d)(2)(i)(C) to expressly state that ``[a] part 2 program,
covered entity, or business associate that receives records based on a
single consent for all treatment, payment, and health care operations
is not required to segregate or segment such records.'' We believe
health IT vendors are capable of updating or creating systems that
manage consent, revocation, and other limitations on disclosure and
redisclosure so long as the users of the system have current knowledge
of the type of data and the limitations on its use and disclosure. The
final rule neither requires nor prohibits segregation of records or
segmentation of data to accomplish these tasks. The short form of the
notice has not changed and was created for use in an electronic health
information exchange environment. We further recognize that the notice
is required only for disclosures made with consent, and thus the notice
would not be required for redisclosures as permitted by HIPAA for TPO
or other permitted purposes when the initial disclosure was based on a
TPO consent.
Comment
Some commenters supported proposed changes in whole or part and
other commenters opposed or expressed mixed views of proposed changes.
A health care provider supported the proposed heading
clarification, and further clarification of redisclosure rights for TPO
by covered entities, business associates and part 2 programs as allowed
by the HIPAA Privacy Rule. A health insurer supported aligning notices
to accompany disclosures with the HIPAA Privacy Rule, particularly
adding exceptions for the prohibition on use or disclosure of part 2
records for TPO. A few health information associations supported the
Department's proposal to include a Notice to Accompany Disclosure of
records to inform an organization of its ability to redisclose this
information at the direction of the patient. A health system commenter
said that it includes a disclosure statement on all records it
releases. Therefore, it supported a Notice to Accompany Disclosure of
part 2 records. However, the commenter recommended that the disclosure
statement apply to all disclosures, including for TPO, stating that
this would minimize time and operational burden of determining which
records would require the disclosure statement.
Response
We appreciate the comments.
Comment
A health plan and at least a few associations recommended that the
Notice to Accompany Disclosures be eliminated. A couple of commenters
stated that retaining the notice to accompany the disclosure
requirement will ensure that certain protections for part 2 records
continue to ``follow the record,'' as compared to HIPAA, whereby
protections are limited to PHI held by a covered entity or business
associate. A few commenters stated that
this Notice means that the need to identify, segment, and segregate the
data will persist to append the notice with each disclosure. And a few
commenters requested that the Department eliminate this notice to align
with HIPAA. At a minimum, the Department should excuse covered entity
and business associate recipients of the part 2 records from the notice
requirement, according to one commenter.
A few HIEs suggested that the Sec. 2.32 notice requirement has
been difficult to implement in electronic systems and across electronic
networks in part because it requires the part 2 data to be treated and
maintained differently than the rest of the clinical record. The
commenters also suggested that it may be legally impermissible
under the CARES Act amendments, which mandate that once a patient's TPO
consent is obtained, the disclosed part 2 record may be redisclosed in
accordance with HIPAA and HIPAA does not require use of a prohibition
on redisclosure notice.
Continuing to require the notice, according to these commenters,
may effectively require the continued downstream identification,
segmentation, and segregation of part 2 records, because segmentation/
segregation will be necessary to properly apply, transmit, and display
the notice in an electronic environment. Even though the Department
emphasizes that the Notice to Accompany Disclosure is not a consent
requirement (that is, it is not necessary for there to be a valid
disclosure), these commenters believed that it was still a legal
requirement that would carry stringent penalties under the HIPAA
enforcement structure. Thus, requiring the notice would perpetuate the
same barriers to SUD data sharing that the CARES Act amendment's
changes were intended to eliminate.
Response
We appreciate input from these commenters, including concerns about
continued segmentation of part 2 records that may result from providing
the required notice. The introductory sentence of paragraph (a) of
Sec. 2.32 applies to each disclosure made with the patient's written
consent, which includes the TPO consent finalized in this rule. We do
not intend for this requirement to impede the integration of part 2
records with other PHI and have expressly removed any requirement to
segregate or segment such records in this final rule at Sec.
2.12(d)(2)(i)(C). Additionally, we believe the notice remains necessary
to operationalize the continuing prohibition on redisclosures for use
in civil, criminal, administrative, and legislative proceedings against
the patient, absent written consent or a court order under this part.
We also believe that Congress attempted to balance permitting multiple
redisclosures under a TPO consent for programs, covered entities, and
business associates who are recipients of part 2 records and retaining
the core patient protection against use of the records in proceedings
against the patient. Congress could have amended part 2 to strike
entirely the regulatory Notice to Accompany Disclosure or removed the
consent requirement for disclosures to programs, covered entities, and
business associates, but it did not do so; instead, Congress mandated a
modified version of consent. Therefore, we interpret the existing
requirement of a notice that accompanies each disclosure to apply to
disclosures under a TPO consent in the same manner as for other
disclosures with consent.
Comment
A commenter asserted that the proposed Notice to Accompany
Disclosure language might confuse both patients and part 2 program
recipients because it uses legalese and confusingly requires provision
of the notice while simultaneously notifying covered entity and
business associate recipients (and their downstream recipients) that
they are not subject to part 2's use and disclosure restrictions. The
commenter stated that proposed Sec. 2.32 was silent regarding
``intermediaries,'' which also seemingly conflicted with the part 2
consent form elements that restrict redisclosures by covered entities
and business associates that function as ``intermediaries'' to only
named member participants or participants that have a ``treating
provider relationship'' with the patient. For these reasons, the
commenter encouraged the Department to remove the notice requirement
under this section or, at the least, not to require it for
redisclosures made by covered entities and business associates
(including those that operate as ``intermediaries'') and their
downstream recipients pursuant to a patient's TPO consent.
Response
We appreciate input from this commenter and agree that the
language of paragraph (a)(1) is more detailed and involved than
paragraph (a)(2) but provide it as an option for programs that would
find a complete explanation more useful and that are providing a paper
copy of the notice. Providing the short form of the notice in paragraph
(a)(2) is permitted. Thus, any program that prefers to do so may
continue to use the language of the abbreviated notice in paragraph
(a)(2) rather than paragraph (a)(1). The shorter notice in paragraph
(a)(2) states simply that ``42 CFR part 2 prohibits unauthorized use or
disclosure of these records,'' and should be readily understandable to
recipients. The longer notice in paragraph (a)(1) further aligns with
HIPAA. Both notices are consistent with a 2017 NPRM \279\ discussion
and requirements that have been in place since 2018 \280\ (for the
abbreviated notice). The requirement added in paragraph (b) of this
section that ``[e]ach disclosure made with the patient's written
consent must be accompanied by a copy of the consent or a clear
explanation of the scope of the consent provided'' also should help
clarify to recipients when records are subject to part 2 because it
would indicate that SUD treatment records are being disclosed.
---------------------------------------------------------------------------
\279\ 82 FR 5485, 5487.
\280\ 83 FR 239, 240.
---------------------------------------------------------------------------
We disagree with the commenter's interpretation that paragraph
(a)(1) notifies ``covered entity and business associate recipients (and
their downstream recipients) that they are not subject to part 2's use
and disclosure restrictions'' because the paragraph (a)(1) explicitly
prohibits the recipient from using or disclosing the record in any
civil, criminal, administrative, or legislative proceedings against the
patient, absent consent or a court order.
With respect to the role of intermediaries, addressed in Sec. Sec.
2.11 and 2.24, we have excluded programs, covered entities, and
business associates from the definition of intermediary in this final
rule. This relieves HIEs that are business associates from the
requirements for intermediaries; however, all HIEs that receive part 2
records with consent (whether they are intermediaries or business
associates) would need to provide the notice to accompany disclosure
when redisclosing such records with consent.
Comment
Commenters urged OCR and SAMHSA to engage technology companies and
intermediaries most likely involved in these types of disclosures and
the accompanying notices to understand the feasibilities and technical
capacities in current technology. As the health system moves away from
paper and the transmission of paper through processes like fax
machines, having the technical capabilities in place for providers to
move this information with the record is crucial, the commenter
believed.
Engaging the organizations that govern this work will give OCR and
SAMHSA a clearer picture of understanding related to the ability for an
accompanying notice of disclosure to be included with a part 2 record
and consent form.
Response
We acknowledge the commenter's concerns about EHRs and the need to
ensure they have the capabilities necessary to transmit information
about prohibited uses and disclosures and the scope of consent on which
a disclosure is based. ONC, OCR, SAMHSA, and other Federal partners are
collaborating to support EHRs and health IT within the behavioral
health sector.\281\ We also may provide additional guidance on this
section after the rule is finalized.
---------------------------------------------------------------------------
\281\ See ``Behavioral Health,'' supra note 133.
---------------------------------------------------------------------------
Comment
A commenter said that one concern they had with including a Notice
to Accompany Disclosure on every patient record that is being
redisclosed is the ability of EHR systems to ingest that information.
The commenter explained that an HL7 v2.x ADT message (or for that matter
a lab message) does not include this type of language.\282\
---------------------------------------------------------------------------
\282\ Note Health Level 7 is discussed in ONC guidance at
https://www.healthit.gov/topic/standards-technology/standards/fhir-fact-sheets. ADT is a reference to admit, discharge, transfer.
---------------------------------------------------------------------------
The commenter suggested that even if an HL7 message could be
created with the information, it is unclear that receiving systems are
currently able to populate the field in the ADT message or will be able
to consume the message. The commenter is not aware of any designated
spot for that type of language on any interstate event notification
specification. Therefore, if a hospital wanted to share an admission or
discharge notice for a patient admitted to a substance use unit, they
couldn't easily include the language in the notification. Even if the
sending part 2 program could transmit the message, the downstream
receiver may not be able to receive it.
The commenter suggested that it would be possible to put a
confidentiality/protection flag on an ADT message--but not general
language like the notice to accompany disclosure language.
Response
We have previously noted that EHR systems are beyond the scope of
this rulemaking. However, the abbreviated notice in Sec. 2.32(a)(2) is
intended to support use of EHRs, and the abbreviated notice remains a
valid option. ONC, SAMHSA, and OCR continue to work to support EHR
implementation and may provide guidance on these issues after this rule
is finalized.
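As an added example (not part of the rule, and not any EHR vendor's or HIE's code), the following Python shows one way the abbreviated Sec. 2.32(a)(2) notice could travel with an HL7 v2 ADT message: it parses the message using the field separator the message itself declares in MSH-1, carries the notice in an NTE (notes and comments) segment, and confirms that the finalized notice text fits the 80-character free-text width the Department cites in its response on the abbreviated notice. Using NTE as the carrier is an assumption for illustration only; as the commenter notes, ADT specifications designate no slot for this language, and a real deployment would follow the receiving system's interface specification. The sample message is constructed and describes no real patient.

```python
"""Carry the abbreviated 42 CFR 2.32(a)(2) notice in an HL7 v2 ADT message.

Added example; not part of the rule or of any vendor's software. Segment
layout (MSH/PID/PV1/NTE) is standard HL7 v2. Choosing an NTE segment as
the carrier for the notice is an assumption made for illustration.
"""
from __future__ import annotations

# Abbreviated notice text as finalized in Sec. 2.32(a)(2) of this rule.
ABBREVIATED_NOTICE = (
    "42 CFR part 2 prohibits unauthorized use or disclosure of these records."
)
# Free-text width the 2018 rule cited as the design target for the notice.
FREE_TEXT_LIMIT = 80

SEGMENT_SEP = "\r"  # HL7 v2 terminates each segment with a carriage return


def parse_hl7(message: str) -> list[list[str]]:
    """Split a message into segments, each a list of fields.

    The field separator is read from MSH-1 (the character right after
    "MSH"), so the parser honours the message's own declaration instead
    of assuming '|'.
    """
    segments = [s for s in message.split(SEGMENT_SEP) if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message must start with an MSH segment")
    sep = segments[0][3]
    return [seg.split(sep) for seg in segments]


def notice_fits_free_text(notice: str = ABBREVIATED_NOTICE,
                          limit: int = FREE_TEXT_LIMIT) -> bool:
    """True if the notice fits the free-text width the rule cites."""
    return len(notice) <= limit


def has_part2_notice(message: str) -> bool:
    """True if any NTE segment's comment field (NTE-3) carries the notice."""
    for fields in parse_hl7(message):
        if fields[0] == "NTE" and len(fields) > 3 and ABBREVIATED_NOTICE in fields[3]:
            return True
    return False


def add_part2_notice(message: str) -> str:
    """Return the message with an NTE segment carrying the notice appended,
    unchanged if the notice is already present."""
    if has_part2_notice(message):
        return message
    segments = [s for s in message.split(SEGMENT_SEP) if s]
    sep = segments[0][3]
    # Number the new NTE after any NTE segments already in the message.
    set_id = sum(1 for s in segments if s.startswith("NTE" + sep)) + 1
    segments.append(sep.join(["NTE", str(set_id), "", ABBREVIATED_NOTICE]))
    return SEGMENT_SEP.join(segments) + SEGMENT_SEP


# Constructed sample: an ADT^A01 (admit) for a fictional patient admitted
# to a fictional SUD unit. Not a real record.
SAMPLE_ADT = SEGMENT_SEP.join([
    "MSH|^~\\&|SUDCLINIC|FAC1|HIE|FAC2|20240416120000||ADT^A01|MSG0001|P|2.5",
    "PID|1||123456^^^FAC1^MR||DOE^JANE||19800101|F",
    "PV1|1|I|SUD^101^A",
]) + SEGMENT_SEP


if __name__ == "__main__":
    print("notice length:", len(ABBREVIATED_NOTICE),
          "fits:", notice_fits_free_text())
    print("notice present before:", has_part2_notice(SAMPLE_ADT))
    tagged = add_part2_notice(SAMPLE_ADT)
    print("notice present after:", has_part2_notice(tagged))
    print(tagged.replace(SEGMENT_SEP, "\n"))
```

The outbound check (`has_part2_notice`) is the piece a sending part 2 program or HIE would wire into its interface engine: a message destined for a recipient under a consent that is not a single TPO consent should not leave without the notice, and the check is idempotent so re-running it on an already-tagged message adds nothing.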
Comment
An academic medical center said that it saw no value in adding the
language regarding redisclosure to part 2 records and believed that
recipients of these notices were not familiar with part 2 restrictions.
The commenter stated that it is able to affix stamps on records that
are being disclosed but from a practical perspective does not believe
the stamp is value added. Recipients may not know what a part 2 program
is. The commenter has other patients throughout the medical center who
are not being discharged from a part 2 program but who also have been or
are being treated for SUD conditions and receive medications specific to
SUDs.
Response
We appreciate the commenter's perspective on patients' and
recipients' lack of understanding about part 2 protections. We hope
that the revised Patient Notice will improve part 2 patients'
understanding of their confidentiality rights under part 2 which should
also enhance their appreciation for the prohibition on redisclosure in
proceedings against patients. As explained in this rule, we continue to
believe that the Notice to Accompany Disclosures under Sec. 2.32
provides important protections to part 2 patients, and the lack of
these protections for other patients is not a justification for
reducing or removing protections for part 2 patients. As stated in the
2017 final rule, part 2 does not apply to health information unrelated
to SUDs, such as patient treatment for unrelated medical
conditions.\283\
---------------------------------------------------------------------------
\283\ 82 FR 6052, 6089.
---------------------------------------------------------------------------
Comment
A SUD provider and a health plan requested clarification about the
applicability of the notice requirement to recipients who redisclose
records, including whether the requirement for the Notice to Accompany
Disclosure applies only to part 2 programs, or whether it also applies
to covered entities, business associates, and intermediaries that might
receive and redisclose the patient's PHI. The commenters asked,
collectively, whether an HIE, covered entity, and business associate
must attach the notice on part 2 records being redisclosed in
accordance with the HIPAA privacy regulations, such as in paragraph
(a)(2): ``42 CFR part 2 prohibits unauthorized use or disclosure of
these records.''
Response
The existing introductory language of paragraph (a) applies the
notice requirement to ``[e]ach disclosure made with the patient's
written consent.'' \284\ The abbreviated notice under paragraph (a)(2)
was primarily intended to support EHR systems. As the Department
explained in 2018, ``SAMHSA has adopted an abbreviated notice that is
80 characters long to fit in standard free-text space within health
care electronic systems.'' \285\ Though the notice under paragraph
(a)(2) has been modified in this final rule to include the word
``use,'' it remains largely as adopted in 2018. At that time the
Department also said that it ``encourages part 2 programs and other
lawful holders using the abbreviated notice to discuss the requirements
with those to whom they disclose patient identifying information.''
\286\ An HIE may elect to use the abbreviated notice under paragraph
(a)(2) or can choose to use one of the notices permitted under
paragraph (a)(1). Covered entities and business associates are
referenced in Sec. 2.32(a)(1).
---------------------------------------------------------------------------
\284\ 52 FR 21796, 21810.
\285\ 83 FR 239, 240.
\286\ 83 FR 239, 240.
---------------------------------------------------------------------------
Comment
An HIE urged the Department to include language that will resonate
with the patient as opposed to those in the health care space. The
commenter stated that in the NPRM, the Department proposed to require
the consent form to notify the patient about how covered entities and
business associate recipients may use and redisclose information as
permitted by HIPAA. The commenter expressed concern that this was
problematic for two reasons. First, this is not an existing requirement
under HIPAA and the objective of the rule is to align part 2 with
HIPAA. Second, the terms covered entity and business associate are not
terms some patients may be aware of. To include this requirement,
according to the commenter, could introduce legalese in the patient-
facing workflow and be contrary to calls to improve the rule's utility
for patients. The commenter asked the Department to use standard
language required under HIPAA that notifies individuals that not all
recipients are subject to the same laws.
Response
We appreciate input from this commenter and acknowledge the
concerns it expresses. But we disagree that the Notice to Accompany
Disclosure will confuse patients. First, we anticipate that most
recipients of these notices will be health professionals or staff such
as those working for part 2 programs, covered entities, and business
associates rather than patients themselves. Second, the provisions of
this rule, including Sec. Sec. 2.22, 2.31, and 2.32, are consistent
with the provisions of the HIPAA Privacy Rule as explained above.
However, even with this rule and additional alignment with HIPAA
fostered by the CARES Act some part 2 provisions remain distinct from
requirements in HIPAA. Likewise, while part 2 consent forms under Sec.
2.31 must include specified required elements for written consent, there
is no requirement that these forms use such terms as ``covered entity'' or
``business associate.'' As noted above, we may provide additional
guidance or template notices or model forms to help clarify
requirements of this final rule. Finally, the abbreviated notice in
Sec. 2.32(a)(2) is especially brief and easy to understand, although
we believe the lengthier notice in paragraph (a)(1) is fairly easy to
understand as well.
Comment
A health plan recommended that the Department clarify that these
redisclosures do not need to be included in an accounting of
disclosures under Sec. 2.25. Requiring a notice to accompany
redisclosures would run counter to the general exemption of TPO
disclosures under HIPAA's accounting provisions.
Response
With respect to the right to an accounting of redisclosures, the
applicability of Sec. 2.25 would depend on the status of the
recipient. For example, a covered entity or business associate would be
subject to 45 CFR 164.528 for redisclosures. A part 2 program that
rediscloses records received from another part 2 program would be
subject to Sec. 2.25 for such redisclosures that fall within the scope
of Sec. 2.25 in the same manner as for disclosures. The accounting of
disclosures requirements under Sec. 2.25 do not distinguish between
disclosures and redisclosures, but focus on whether a disclosure is
made with consent and the purpose of the disclosure or redisclosure.
The Sec. 2.25 requirements are distinct from the required notices to
accompany disclosures under Sec. 2.32. Therefore, the accounting of
disclosures under Sec. 2.25 would not need to include a separate and
distinct list of redisclosures accompanied by a notice under Sec.
2.32.
Comment
A commenter recommended that HHS move proposed item (iv) of the
statement in Sec. 2.32(a)(1) to the main text of the statement, so
that it does not appear to be one of the exceptions following items
(i), (ii), and (iii) of the statement. The commenter also suggested
revised language for these provisions.
Response
We retain in the statement in Sec. 2.32(a)(1) the following
notification: ``[a] general authorization for the release of medical or
other information is NOT sufficient to meet the required elements of
written consent to further use or redisclose the record (see 42 CFR
2.31).'' We have moved this information to the main text which is
consistent with the commenter's suggestion.
Comment
An advocacy group opined that proposed changes to this section will
cause confusion. The commenter said that at this time all recipients of
records are subject to the same redisclosure prohibition: they may only
use or disclose the records with patient consent, pursuant to a court
order, or subject to one of the other limited exceptions in part 2 that
apply to lawful holders. However, according to this commenter, this
rulemaking introduces a new standard for some recipients who receive
records pursuant to a TPO consent: these recipients may redisclose
records pursuant to the HIPAA Privacy Rule, except if the records will
be used against the patient in a legal proceeding. A recipient of part
2 records, however, will have no way of knowing which redisclosure
standard applies to the records they receive: the standard part 2
redisclosure prohibition, described in proposed item (i) in the
statement in Sec. 2.32(a)(1), or redisclosures as permitted by the
HIPAA Privacy Rule except for legal proceedings against the patient,
described in proposed item (ii) in the statement in Sec. 2.32(a)(1).
Response
We appreciate the comment and agree that with the additional
changes to consent in Sec. Sec. 2.31 and 2.33, the Notice to Accompany
Disclosure is insufficient to provide needed information to the
recipient about the scope of consent that pertains to the disclosed
records. To address this issue, we are also finalizing a new provision
in paragraph (b) of this section to require each disclosure made with
the patient's written consent to be accompanied by a copy of the
consent or a clear explanation of the scope of the consent provided, as
discussed below.
Comment
A medical professionals association said that we should require
part 2 programs to give health care providers adequate written notice
well in advance of sharing any part 2 record, clearly explaining that
such records are subject to additional Federal confidentiality
regulations and including clear guidance for non-part 2 providers to
understand their obligations and options concerning such records once
received.
Response
We believe that Sec. 2.32(a) as finalized clearly notifies the
recipient of redisclosed records whether the records are subject to
part 2. The new requirement in paragraph (b) of this section, discussed
below, will provide additional information to recipients about the
scope of the consent that applies.
Final Rule
The final rule adopts the proposed language of Sec. 2.32(a)
without further substantive modification, and finalizes proposed item
(i) of the statement in Sec. 2.32(a)(1) as part of the statement in
Sec. 2.32(a)(1).
Copy of Consent To Accompany Disclosure
Request for Comment
Although we did not propose requirements for consent management, we
requested comment throughout the NPRM on how proposed changes to
consent, revocation, and requests for restrictions could be
implemented, the experience of entities that have already
operationalized aspects of the proposed changes, potential unforeseen
negative consequences from new or changed requirements, and data
relating to any of these.
Overview of Comments
We received many comments addressing cross-cutting issues involving
data segmentation and segregation of records, use of HIEs for exchange
of ePHI and part 2 records, how to track consent and consent
revocation, and how to operationalize patients' requests for
restrictions on disclosures for TPO. We have responded to these
comments throughout the preamble to the final rule in relation to
applicable regulatory provisions, and here we respond to comments that
pertain to tracking consent (which is
required in Sec. Sec. 2.31 and 2.33), both global (i.e., TPO consent)
and granular (for a specific use and disclosure). Of the commenters
that addressed whether the rule should require a copy of consent to be
attached with each disclosure of records, a majority opposed such a
requirement, several supported it, and a few responded with other
viewpoints. A mix of professional associations, SUD providers, and
advocacy organizations provided views on both sides of the question;
however, all health plans, health IT vendors, and HIE/HIN organizations
that weighed in opposed the idea and all government entities that
voiced an opinion supported providing a copy of the consent.
Comment
A medical professionals association urged the Department to ensure
that, going forward, patient information will be tagged and limited to
the purpose of TPO. The agencies can incentivize compliance with these
goals through enforcement actions and penalties for noncompliance. The
commenter believes that technology can assist physicians with
increasing the flow of information while maintaining privacy and a
patient's consent. To do so, information should be tagged to identify
where the information originated, for what purposes it can be
disclosed, and to whom. Another medical professionals' association
asked the Department to facilitate collaboration with ONC and health IT
vendors to develop technical standards and feasible certification
criteria to identify, tag, segregate, and remove specific data based on
type of care, provider, and patient consent. The commenter also stated
that HHS should provide incentives and support to clinicians,
practices, and EHR vendors--particularly those designed for specialty
settings or small practices--in designing and adopting health IT that
meets these objectives. A provider health system believed that even if
HIPAA and part 2 records are treated as PHI for most of the situations,
there will still be the need to identify part 2 records due to any
directed restrictions and the legal proceedings prohibition. This could
become further complicated as part 2 records and PHI are intermingled.
While the provider health system supported alignment of HIPAA and part
2, it requested the Department provide guidance about how records will
be denoted and differentiated to ensure compliance.
Response
We appreciate input from these commenters, including suggestions to
tag or segregate part 2 records. We acknowledge concerns about data
segmentation and address them further in the discussion of Sec. 2.12.
The continuing prohibition in Sec. 2.12(d) on a recipient's use or
disclosure of records in legal proceedings must be effectively
operationalized, and it is unclear how that can be accomplished unless
the recipient is aware that the records are subject to the prohibition.
Although the Department may provide further guidance in relation to
data segmentation, tagging, or tracking, we are not requiring specific
technology or software solutions.
Comment
A trade association suggested that HHS is maintaining separate
underlying regulatory structures for SUD patient records and all other
patient data, meaning EHR vendors will need to distinguish between the
two types of records. Some SUD patients may not provide consent or
revoke their consent throughout the course of their treatment, meaning
their record will need to be flagged differently. This is a significant
health IT challenge that is not addressed in the NPRM. The commenter
stated that HHS should ensure that there is ample time and resources
for health IT vendors to update their capabilities and adapt to the
evolving operational needs of health care providers.
An academic medical center suggested that information about the
scope of consent be included in the notice that is required to
accompany disclosures of part 2 records and that this would be the
simplest way to communicate the patient's intent and have that intent
stay with the actual records downstream.
A health IT vendor recommended that the Department explore further
how revocation becomes known, and if it means that the HIE must
directly record the status of a revocation (and how this is done) or if
the HIE relies on some kind of ``polling'' of the part 2 program to
ascertain if a valid consent remains effective by interrogating the
part 2 program electronically for whether a valid consent exists or if
an applicable consent has been revoked. In the end, a revocation needs
to not only limit future disclosures but also limit disclosures of any
part 2 records an HIE already may possess should they store patient
records.
Among others, a health IT vendor, a health care provider, and a
health insurer believed that part 2 programs should not be required to
provide a copy of the written patient consent when disclosing records.
They believe the notice to accompany disclosures already required under
Sec. 2.32 is sufficient to alert the recipient to potential
restrictions regarding redisclosure and the requirement would not align
with disclosures for TPO under HIPAA. A health insurer suggested that
allowing a part 2 program to retain the consent for future auditing and
use or disclosure needs is sufficient and also helps to share only the
minimum necessary PHI. If the Department were to also require provision
of the written consent authorizing the disclosure, it would place an
unnecessary administrative burden on both the part 2 program and the
recipient of records. Even more problematic, such a requirement would
create a corresponding duty for the recipient of records to evaluate
the legal sufficiency of the consent related to the part 2 program's
disclosure. The recipient of records should not be placed in the
position of identifying and correcting errors in a part 2 program's
disclosure, or assuming any potential downstream liabilities that may
result.
An insurance association supported the use of electronic processes
whenever feasible. In addition, to reduce the burden on part 2 programs
and to ensure that HIPAA entities can act promptly on part 2 data, the
association asked that the Department clarify in final regulations that
HIPAA entities that receive part 2 data may accept that the data was
disclosed pursuant to a TPO consent unless otherwise notified in
writing. This is particularly important in industries such as pharmacy
benefits management, where data is transmitted in huge volumes in real
time, and there is no consistent mechanism currently available to
``flag'' certain records as containing part 2 data, nor explain the
legal basis on which the data were disclosed.
Response
We acknowledge commenter concerns about how to manage consent and
any limitations on consent within EHRs and through HIEs and the
disadvantages of segmenting data and segregating records. Although we
are finalizing a modification to Sec. 2.12 to expressly state that
``[a] program, covered entity, or business associate that receives
records based on a single consent for all treatment, payment, and
health care operations is not required to segregate or segment such
records[,]'' some means to ensure that records are used and disclosed
according to the scope of the
consent will be needed. Thus, we look to the consent provided by the
patient and the existing requirement to attach a Notice to Accompany
Disclosure as solutions and are adding a new requirement in Sec.
2.32(b) to require that a copy of the consent be attached to each
disclosure for which consent is required. The attached consent may be
combined with the required Notice to Accompany Disclosure in Sec.
2.32(a). This will significantly reduce any administrative burdens
associated with the new requirement.
We are finalizing a new requirement in this section to require that
each disclosure made with the patient's written consent must be
accompanied by a copy of the consent or a clear explanation of the
scope of the consent provided. We believe that by putting in regulatory
text that the consent must accompany the disclosure or provide a clear
description of the scope of the consent, the recipient will be able to
accurately use and disclose the part 2 records as the patient intended.
Additionally, where feasible, part 2 programs should convey to
recipients when a consent has been revoked to ensure that only
consented information is exchanged. Combining a copy of the consent
with the required Notice to Accompany Disclosures in Sec. 2.32 is one
way this requirement may be implemented, though it is not the only
potential approach to tracking consent, redisclosure and revocation of
consent. Both paragraphs (a) and (b) of this section address concerns
about ensuring recipients of records understand whether or not the
records are subject to part 2.
We acknowledge that there are technical challenges associated with
complying concurrently with HIPAA and part 2 and that time and
resources are needed to update technical and procedural capabilities.
The recommendation for recipients to assume TPO consent has been
provided unless otherwise notified in writing does not address how
recipients other than programs, covered entities, and business
associates would learn about this assumption. Nor does this
recommendation address how a program (i.e., a discloser) would know in
advance whether a recipient is a program, covered entity, or business
associate to whom the TPO consent assumption applies. We evaluated this
recommendation, but are concerned that the negative requirement (e.g.,
not to provide consent unless it is other than for TPO) places undue
burden on the disclosing program to decide when and when not to attach
a copy of the consent.
We believe the concern that receipt of notice may transfer
liability for improper disclosures from the part 2 program to the
recipient is misplaced. However, the recipient incurs an obligation for
complying with part 2 requirements that apply to them, namely, the
prohibition on use or disclosure of the records for use in proceedings
against the patient, absent consent or a court order under this part.
Comment
Regarding intermediaries and tracking consent, an HIE association
suggested that part 2 providers may need to include in the consent form
a place for patients to indicate whether they provide consent for
disclosure to the intermediary. For additional information on how an
intermediary would accept or track patient consent for data
redisclosure, the commenter recommended OCR and SAMHSA consult
nationwide HINs, as well as ONC, to understand how current state HINs
and the TEFCA could impact this landscape.
Response
We appreciate the comment and the reference to TEFCA. As discussed
above in relation to Sec. 2.31 (Consent requirements), a consent to
disclose records via an intermediary must contain a general designation
as well as additional information about the recipient(s). Thus, we
believe the final rule provides for the consent form to have space for
an intermediary to be named as the commenter suggests. We note,
however, that we are excluding business associates from the final rule
definition of ``intermediary,'' thus HIE business associates will not
be subject to the intermediary consent requirements. Instead, HIEs that
are business associates will fall within the requirements for a general
designation for the TPO consent, which does not require specifically
consenting to use of an HIE. We received many informative public
comments from HIEs/HINs with respect to consent (and revocation)
management and will continue to consult with our partner agencies
within the Department. OCR, SAMHSA, and others are collaborating to
support participation by behavioral health entities in health IT and
EHRs, including TEFCA.
Final Rule
This final rule adopts further modifications in Sec. 2.32 by
adding a new paragraph (b) providing that each disclosure made with the
patient's written consent must be accompanied by a copy of the consent
or a clear explanation of the scope of the consent provided.
Section 2.33--Uses and Disclosures Permitted With Written Consent
Proposed Rule
Section 2.33 currently permits part 2 programs to disclose records
in accordance with written patient consent in paragraph (a) and permits
lawful holders, upon receipt of the records based on consent for
payment or health care operations purposes, to redisclose such records
to contractors and subcontractors for certain activities, such as those
provided as examples in paragraph (b). The Department proposed
substantial changes to paragraph (b) to apply the new consent structure
in Sec. 2.31 for a single consent for all TPO by: applying HIPAA
standards for uses and initial disclosures for TPO, creating two new
categories of redisclosure permissions, and revising the existing
redisclosure permission. This would align Sec. 2.33 with the statutory
authority in 42 U.S.C. 290dd-2(b)(1), as amended by section 3221(b) of
the CARES Act. The first change would permit part 2 programs, covered
entities, and business associates that have obtained a TPO consent to
use and disclose a part 2 record for TPO as allowed by HIPAA. With
respect to redisclosures, proposed (b)(1) would permit part 2 programs,
covered entities, and business associates that have received a part 2
record with consent for TPO to redisclose the records as permitted by
the HIPAA Privacy Rule, except for proceedings against a patient which
require written consent or a court order. The second category, in
proposed paragraph (b)(2), would permit part 2 programs that are not
covered entities or business associates that have received a part 2
record with consent for TPO to further use or disclose the records as
permitted by the consent. The third category, in proposed paragraph
(b)(3), would apply to lawful holders that are not business associates,
covered entities, or part 2 programs and have received part 2 records
with written consent for payment and health care operations purposes.
This provision would permit the recipient to redisclose the records for
uses and disclosures to its contractors, subcontractors, and legal
representatives to carry out the intended purpose, also subject to the
limitations of proposed subpart E of part 2 pertaining to legal
proceedings. A lawful holder under this provision would not be
permitted to redisclose part 2 records it receives for treatment
purposes before obtaining an additional written consent from the
patient.
[[Page 12561]]
Paragraph (c) proposed to require lawful holders that are not
covered entities or business associates and that receive records based
on written consent to have contracts in place if they wish to
redisclose the records to contractors and subcontractors. The
Department proposed to exclude covered entities and business associates
from the requirements of paragraph (c) because they are already subject
to the HIPAA Privacy Rule requirements for business associate
agreements.
Overview of Comments
Most commenters on the single consent for all future TPO supported
the proposal, and all but one of the supportive commenters represented
organizations. Supportive organizations included several professional
associations, health systems, and state or local governments. A few SUD
providers also supported the proposal. The views expressed by these
commenters in support of the proposal included the following:
(a) reducing stigma of persons with SUD by integrating SUD
treatment and SUD treatment records, respectively, with general health
care and PHI;
(b) reducing burdens on the health care system by aligning part 2
requirements more closely with the HIPAA regulations; and
(c) improving care coordination, continuity of care, and patient
safety as a result of greater access to complete information to treat
patients comprehensively and obtain services to support their recovery.
As an example, a commenter asserted that the proposal may make it
easier for the state Medicaid agency to gain input about barriers for
patients receiving SUD services such as co-occurring medical or
behavioral conditions, or to address social determinants of health that
impede treatment or recovery. An association of state hospitals and
health systems illustrated what it views as the need for an aligned
consent process, citing what it regards as differing regulatory
requirements that may ``cause confusion, and even fear, among treating
providers, at times leading them to withhold information that may be
shared.''
Response
We appreciate the comments about the proposed changes to implement
the statutory requirements for uses and disclosures with a single
consent for all future TPO and permitted redisclosures by certain
recipients. The rationales offered in support--reducing stigma,
integrating and coordinating behavioral health care, and reducing
health care entities' burdens--are key aims of this final rule.
Comment
Commenters favoring the proposal also appreciated the reduction in
the number of consents needed for uses and disclosures of part 2
records as well as the reduction in consents required for redisclosures
of records. A health plan remarked that ``requiring multiple consents .
. . adds confusion and distrust to an already underserved population,''
and further stated that ``[a] single consent will give stakeholders a
single reference point to review the patient's permissions and any
relevant requested restrictions.''
Response
We agree that the changes to allow a single consent for all future
TPO will reduce the number of consents that part 2 programs will need
to obtain from patients as well as the number of consents that
recipients will need to obtain for redisclosures of part 2 records. We
have estimated the amount of that reduction and describe it more fully
in the costs-benefits analysis in the RIA for this final rule.
Comment
A health system pointed out that people suffering from untreated
SUD are among the highest utilizers of health care services and
asserted the importance of reducing barriers to integrated care. The
commenter stated its belief that the existing part 2 regulation was
written before the current models of care and related best practices
were established and that it now is a barrier to coordinated care for
patients with SUD.
Response
We appreciate this feedback and recognize the importance of
integrated health records for providing integrated and coordinated
health care, including for treatment of SUD in a whole person context.
This perspective underpins one of the key purposes of section 3221 of
the CARES Act that is being implemented in this final rule.
Comment
Several commenters who supported the TPO consent and redisclosure
proposal thought that it did not go far enough to align with the HIPAA
Privacy Rule and urged the Department to allow for Patient Notice to
replace consent for TPO disclosures of part 2 records.
Response
The CARES Act amendments to 42 U.S.C. 290dd-2 did not remove the
written consent requirement for disclosure of part 2 records. Thus, the
Department lacks authority to replace a patient's written consent with
Patient Notice. We anticipate that patient consent will remain as a
foundation for protection of part 2 records.
Comment
The commenters that opposed the proposals for a single TPO consent
and redisclosure as allowed by HIPAA presented a largely unified set of
views developed by a core group of organizations representing addiction
treatment professionals, advocacy and policy organizations, and SUD
providers. These commenters strongly believed that the current
requirement of consent for each disclosure and segregation of part 2
records offers patients the needed confidence to enter and remain in
treatment and develop the necessary therapeutic trust to share details
of their lives and struggles with SUD. The commenters acknowledged that
discrimination is often perpetuated by those outside of the health care
system as a result of the criminalization of the use of certain
substances and they oppose finalizing the loosened consent provisions
until the Department issues the statutorily required antidiscrimination
protections. These commenters strongly supported regulatory
requirements to ensure patients' trust in the SUD treatment and the
health care system. Several other commenters agreed with this set of
core comments.
Response
We appreciate these comments and the concerns expressed for access
to SUD treatment, patient trust in the relationship with treatment
providers, patients' privacy expectations, the societal harms of
discrimination against patients with SUD, and the Department's
obligations to fully implement section 3221 of the CARES Act. We
believe that the changes finalized to Sec. 2.33 herein are necessary
and reasonable as a means to implement 42 U.S.C. 290dd-2(b), as
amended by the CARES Act.
Comment
Several commenters addressed whether recipients of records based on
a TPO consent (part 2 programs, covered entities, and business
associates) should be able to redisclose the part 2 information for any
purposes permitted by HIPAA or only for TPO purposes. And some of these
asserted or recommended that the rule should permit redisclosures as
permitted by the HIPAA Privacy Rule (not limited to TPO). A few medical
professional associations recommended that redisclosures by recipients
under a TPO consent should only be permitted for TPO purposes. This
would maintain patient privacy and be consistent with the consent
provided. One association suggested this could be accomplished by
tagging data associated with the TPO consent. Another suggested that
limiting redisclosure to TPO would permit PHI to be integrated into
part 2 records systems, thus partially furthering the goal of
integrating health information.
Response
The changes to consent finalized in this rule are based on 42
U.S.C. 290dd-2, as amended by the CARES Act. With respect to
redisclosures by recipients under a TPO consent, paragraph (b)(1)(B) of
the statute states that once records are used and disclosed for TPO
they may be further disclosed in accordance with the HIPAA regulations.
The clear terms of the statute apply the initial use and disclosure
permission to a part 2 program, covered entity, or business associate
for TPO as permitted by the HIPAA regulations, and then allow disclosed
records to be more broadly redisclosed provided that it is according to
the HIPAA regulations. We interpret the broader HIPAA redisclosure
permission to apply only to the recipient. Thus, a part 2 program that
obtains a TPO consent is limited to using or disclosing the record for
TPO purposes--it cannot obtain a TPO consent and ``disclose'' the
records to itself to trigger the permission to redisclose according to
the HIPAA regulations and avoid overall compliance with part 2. We
believe that a disclosure implies a recipient other than the entity
making the disclosure and the only recipients authorized by the statute
to redisclose records according to the HIPAA regulations are those that
are otherwise subject to HIPAA, which are covered entities (including
those that are also part 2 programs), and business associates. The
redisclosure permission refers to ``in accordance with HIPAA,'' and we
believe that part 2 programs that are not subject to HIPAA would not be
qualified to make such redisclosures in that manner. Such part 2
programs are not subject to the same obligations as covered entities,
such as adopting written policies and procedures for handling PHI,
training members of the workforce on their policies and procedures, and
adhering to the HIPAA Security Rule requirements for safeguarding
electronic PHI.
The prohibition on using and disclosing records in civil, criminal,
administrative, and legislative proceedings against a patient remains
effective once records are disclosed and this raises the issue for
recipients of potentially tracking, tagging, or otherwise identifying
the part 2 data that must be protected from such uses and disclosures
absent written consent or a court order under subpart E of part 2.
The last sentence of paragraph (b)(1)(B) of the statute provides
that the patient's right to request restrictions on uses and
disclosures for TPO applies to all disclosures under paragraph (b)(1),
which includes redisclosures by recipients of records. Thus, a
recipient entity that complies with a patient's request for
restrictions on disclosures for TPO is acting in accordance with the
HIPAA regulations. We believe that Congress intended to emphasize the
availability of patient-requested restrictions by the placement of this
right in the part 2 statute with the redisclosure permission and
including it in both the Rules of Construction and the Sense of
Congress in section 3221 of the CARES Act.
Final Rule
The final rule adopts the proposed changes to the header and to
paragraph (c) of Sec. 2.33 without modification. For clarity, the
final rule further modifies paragraph (a) by adding ``use and'' before
``disclosure'' and by redesignating the content of the paragraph as
paragraph (a)(1) and adding a new paragraph (a)(2) that provides,
``[w]hen the consent provided is a single consent for all future uses
and disclosures for treatment, payment, and health care operations, a
part 2 program, covered entity, or business associate may use and
disclose those records for treatment, payment, and health care
operations as permitted by the HIPAA regulations, until such time as
the patient revokes such consent in writing.'' This new provision
clarifies the regulatory permission for use and disclosure for TPO that
previously was only implied by a general reference to the consent
requirements in Sec. 2.31, and it more explicitly states what the
statute provides relating to reliance on the HIPAA standards. As a
result of this change, part 2 programs will be able to rely on the
HIPAA regulations when using or disclosing part 2 records for TPO in
many instances, and covered entities and business associates will not
need to silo part 2 records once a TPO consent has been obtained.
This rule also finalizes proposed paragraph (b)(1) with
modifications to more closely align with the statutory language by
changing ``further use and disclose'' to ``further disclose'' and
replacing ``as permitted by 45 CFR part 164'' with ``in accordance with
the HIPAA regulations.'' For clarity, the final rule also removes ``a
program'' from paragraph (b)(1) because part 2 programs that are not
covered entities or business associates are separately addressed in
paragraph (b)(2). The rule finalizes proposed paragraph (b)(2) with the
further modification of changing ``further use and disclose'' to
``further disclose'' as in paragraph (b)(1). The rule finalizes
proposed paragraph (b)(3) with the further modification of removing the
exclusion of ``part 2 program.'' This has the effect of applying the
existing requirements of paragraph (b)(3) to a part 2 program when it
is a lawful holder (i.e., a recipient of part 2 records) and ensures
that redisclosure in accordance with HIPAA is limited to covered
entities and business associates. We clarify here that paragraph (b)(3)
applies in situations where the written consent is only for payment
and/or health care operations and does not include treatment.
Section 2.34--Uses and Disclosures To Prevent Multiple Enrollments
Comment
While not proposed in the NPRM, an individual stated that central
registries have not been classified as a QSO or a business associate
and therefore, there are no safeguards protecting the information
exchanged between central registries and non-member treating providers
under Sec. 2.34(d). The commenter further stated that the patient
consents to the use or disclosure of their SUD information to the
central registry but not to a non-member treating prescriber.
Response
We appreciate the suggestion to classify central registries as a
QSO or a business associate; however, that suggestion is outside the
scope of the current rulemaking.
Final Rule
The final rule adopts the proposed addition of the language in
Sec. 2.34(b) of ``use of information in records'' instead of just
``use of information'' in this section to make clear that this
provision relates to part 2 records. The final rule also adopts the
proposed replacement of the phrase ``re-disclose or use'' with ``use or
redisclose'' as it relates to preventing a registry from using or
redisclosing part 2 records, to align the language of this provision
with the HIPAA Privacy Rule. A provider health system supported the
alignment of ``use or redisclose'' and there were no other comments on
these proposals.
[[Page 12563]]
Section 2.35--Disclosures to Elements of the Criminal Justice System
Which Have Referred Patients
Proposed Rule
Section 2.35 outlines conditions for disclosures back to persons
within the criminal justice system who have referred patients to a part
2 program for SUD diagnosis or treatment as a condition of the
patients' confinement or parole. The Department proposed to clarify
that the permitted disclosures would be of information from the part 2
record and to replace the term ``individual'' within the criminal
justice system with ``persons'' consistent with similar changes
throughout this rule. The Department also proposed to add the phrase
``from a record'' after the term ``information'' to make clear that
this section regulates ``records.'' In addition to requesting comment
on the proposed wording changes, the Department invited comments on
whether the alternative term ``personnel'' would more accurately cover
the circumstances under which referrals under Sec. 2.35 are made.
Comment
One individual commenter asserted that the alternative term
``personnel'' was too broad in this context and would create
circumstances that could compromise patient confidentiality. This
individual also commented that replacing the term ``individual'' with
the term ``person'' would be more acceptable. Another commenter, a
provider health system, expressed support for the term change from
``individual'' to ``person'' and stated that the term ``person'' is
preferable to ``personnel'' since the term ``personnel'' may
inadvertently imply employment status while the term ``persons'' would
accurately reflect referrals from the criminal justice system
regardless of status as an employee, independent contractor or other
individual on behalf of the criminal justice system.
Response
We agree with these commenters for the reasons discussed in the
NPRM.
Comment
Several advocacy organizations and a health IT vendor commented
that the Department's proposed changes unnecessarily limit diversion to
court-based programs. These commenters recommended certain changes to
the proposal that, in their opinion, would include pre-arrest diversion
as well as other types of law enforcement deflection to avoid the court
system and direct the patient into treatment and services. In Sec.
2.35(a), these commenters recommended changing ``A part 2 program may
disclose information from a record about a patient to those persons
within the criminal justice system who have made participation in the
part 2 program a condition of the disposition of any criminal
proceedings against the patient or of the patient's parole or other
release from custody if . . .'' to ``A part 2 program may disclose
information from a record about a patient to those persons within the
criminal justice system who have made participation in the part 2
program a condition of the filing, prosecution, or disposition of any
criminal proceedings against the patient or of the patient's parole or
other release from custody if . . .'' (emphasis added).
For Sec. 2.35(a)(1), these commenters recommended changing
``(e.g., a prosecuting attorney who is withholding charges against the
patient, a court granting pretrial or post-trial release, probation or
parole officers responsible for supervision of the patient)'' to
``(e.g., a police officer or a prosecuting attorney who is withholding
charges against the patient, a court granting pretrial or post-trial
release, probation or parole officers responsible for supervision of
the patient)'' (emphasis added).
Response
We appreciate the detailed recommendations for regulatory text in
these comments. We also acknowledge the important social policy raised,
to promote treatment over referral to courts. However, we believe the
consent process is sufficient for the operation of diversion and
deflection initiatives, without a need for the Department to loosen
confidentiality restrictions, because it allows patients to consent to
the release of part 2 records for such initiatives if they wish to do
so.
Final Rule
The Department adopts the proposed changes without modification.
Subpart D--Uses and Disclosures Without Patient Consent \287\
---------------------------------------------------------------------------
\287\ As described below, the Department adopts the proposal to
add ``Uses and'' to this heading to more accurately reflect the
scope of activities regulated in this subpart.
---------------------------------------------------------------------------
Section 2.51--Medical Emergencies
Proposed Rule
In Sec. 2.51(c)(2) the Department proposed, for clarity, to replace
the term ``individual'' with ``person,'' so that this provision now
requires a part 2 program to document the name of the person making the
disclosure in response to a medical emergency.
Comment
An advocacy group recommended that the proposed change to Sec.
2.51 (Medical emergencies) be withdrawn. The commenter suggested that
as part of its efforts throughout the rulemaking to standardize
regulatory language, HHS proposed to replace the word ``individual''
with the word ``person'' in the documentation requirements. HHS
proposed to define ``person'' by reference to the HIPAA Privacy Rule as
a ``natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or
private.'' The commenter said that in its view even though the
Department states this change will promote clarity it will actually
result in less clarity for patients, who may no longer be able to tell
who disclosed their part 2-protected information to 911 and medical
personnel. The patient already knows that the part 2 program was the
``person'' making a disclosure of part 2 records during a medical
emergency. For this reason, it is the identity of the individual making
the disclosure that is important to document. In general, the
organization supported the efforts throughout the rulemaking to
streamline language by replacing the phrase ``individual or entity''
with the word ``person,'' but in this instance the change will diminish
patients' rights and transparency with no clear benefit to impacted
patients.
Response
We discuss our changes to definitions, including the term
``person'' in Sec. 2.11. Commenters generally supported this proposed
change as providing clarity and helping to align with HIPAA. However,
we acknowledge that in this instance replacing the term ``individual''
with the term ``person'' could result in less transparency about who
disclosed the patient's record during an emergency. Nonetheless, under
the wording change a part 2 program is not prevented from identifying
the individual who disclosed the part 2 information. Further, there may be
instances or treatment settings where documenting only the name of the
disclosing entity, rather than the individual, is needed to protect the
safety of program staff.
Comment
A few health information associations supported the ability for
providers, under certain circumstances such as medical emergencies, to
access, use, and disclose patient part 2 data when necessary. It is
important for providers
[[Page 12564]]
to have access to all points of decision-making in a medical emergency
to ensure patients are protected physically both in the short and the
long term. A health care provider and medical professionals'
association also supported the proposed changes in this section.
Response
We appreciate the comments on our changes in this section of the
rule.
Comment
Another commenter asserted that a workflow obstacle occurs when
patients previously treated in their part 2 program present to the
emergency department for care. The emergency department personnel are
blinded from accessing care notes which can be relevant to the
emergency event. In addition, the current part 2 requirements
complicate this commenter's ability to meet interoperability
requirements included in the CARES Act. Under current regulations, the
commenter has not released part 2 patient records, because it views the
EHR as an all-or-nothing proposition and consent is unique to each
patient.
Response
We acknowledge the commenter's concerns about lack of access to
needed information by treating providers. As the Department stated in
the 2020 final rule ``[a]lthough not a defined term under part 2, a
`bona fide medical emergency' most often refers to the situation in
which an individual requires urgent clinical care to treat an
immediately life-threatening condition (including, but not limited to,
heart attack, stroke, overdose), and in which it is infeasible to seek
the individual's consent to release of relevant, sensitive SUD records
prior to administering potentially life-saving care.'' \288\ In the
2017 final rule, the Department stated that ``[w]ith regard to the
request that a `medical emergency' be determined by the treating
provider, SAMHSA clarifies that any health care provider who is
treating the patient for a medical emergency can make that
determination.'' \289\ While workflow barriers may exist in particular
institutions or situations during medical emergencies, patient
identifying information may be disclosed to medical personnel to meet
the bona fide medical emergency and support patient treatment.\290\
---------------------------------------------------------------------------
\288\ 85 FR 42986, 43018.
\289\ 82 FR 6052, 6095.
\290\ 85 FR 42986, 43018; 82 FR 6052.
---------------------------------------------------------------------------
Comment
A medical professionals association opined that the proposed rule
does not make any changes to the current part 2 exemption for medical
emergencies, which states that SUD treatment records can be disclosed
without patient consent in a ``bona fide medical emergency.'' However,
the commenter stated that there are both real and perceived barriers to
providing emergency care and coordinating appropriate transitions of
care for patients with SUD. For example, patients with SUD can have
separate behavioral health charts that physical health clinicians cannot
see in the EHR, even though those charts could influence the acute care
provided; in some instances clinicians cannot even see that those
charts exist. When
information is requested related to emergency treatment, there is often
confusion about what type of information can be shared without
violating part 2 requirements. Thus, in practice, when there is any
amount of uncertainty, part 2 providers and physical health providers
trying to provide and coordinate care that falls under part 2 revert to
the most restrictive access possible even if not indicated at that
time. The commenter provided another potential concern related to
methadone dosing. Unless patients disclose that they are taking
methadone or it is indicated in prior notes in the physical health EHR,
a treating emergency physician would have no way of knowing that the
patient is even taking methadone, let alone their dosage.
The commenter believed that aligning the rules governing physical
health and behavioral health, as this proposed rule attempts to do,
will hopefully reduce stigma and better enable emergency physicians to
care for the whole individual, working in parallel with other
clinicians.
Response
We acknowledge the commenter's concerns and appreciate that the
aims of the changes throughout this regulation are to reduce stigma for
patients with SUD and improve integrated care. Additionally, this final
rule provides in Sec. 2.12(d) that a part 2 program, covered entity,
or business associate that receives records based on a single consent
for all TPO is not required to segregate or segment such records,
therefore more integrated care may be available for patients who sign a
TPO consent.
Final Rule
The final rule adopts the proposed changes to Sec. 2.51(c)(2)
without further modification.
Section 2.52--Scientific Research
Proposed Rule
Section 2.52 permits part 2 programs to disclose patient
identifying information for research, without patient consent, under
limited circumstances. Paragraph (a) sets forth the circumstances for
when patient identifying information may be disclosed to recipients
conducting scientific research. Paragraph (b) governs how recipients
conducting the research may use patient identifying information. In
Sec. 2.52(b)(3), any individual or entity conducting scientific
research using patient identifying information may include part 2 data
in research reports only in non-identifiable aggregate form. Paragraph
(c) governs how researchers may use patient identifying information to
form data linkages to data repositories, including requirements for how
researchers must seek Institutional Review Board approval to ensure
patient privacy concerns are addressed.
The Department proposed to change the title of this section from
``Research'' to ``Scientific Research'' for consistency with 42 U.S.C.
290dd-2(b)(2)(B) that permits programs to disclose to ``qualified
personnel for the purpose of conducting scientific research . . . .''
The Department also proposed to change the de-identification
standard in Sec. 2.52(b)(3) to more closely align with the HIPAA
Privacy Rule de-identification standard. Specifically, the current text
for Sec. 2.52(b)(3) permits a person conducting scientific research
using patient identifying information that has been disclosed for
research to ``include part 2 data in research reports only in aggregate
form in which patient identifying information has been rendered non-
identifiable such that the information cannot be re-identified and
serve as an unauthorized means to identify a patient, directly or
indirectly, as having or having had a substance use disorder.''
Consistent with proposed changes to Sec. 2.16(a)(1)(v) and
(a)(2)(vi) (Security for records and notification of breaches),
discussed above, the Department proposed to modify the language in this
section related to rendering information non-identifiable so that it
also refers to the HIPAA Privacy Rule de-identification standard. Under
our proposal, a person conducting scientific research using patient
identifying information disclosed for research
[[Page 12565]]
would have been permitted to ``include part 2 data in research reports
only in aggregate form in which patient identifying information has
been de-identified in accordance with the requirements of the HIPAA
Privacy Rule at 45 CFR 164.514(b) such that there is no reasonable
basis to believe that the information can be used to identify a patient
as having or having had a substance use disorder.''
As explained above in Sec. 2.16, section 3221(c) of the
CARES Act required the Department to apply the HIPAA Privacy Rule de-
identification standard for PHI codified in 45 CFR 164.514(b) to part 2
for the purpose of disclosing part 2 records for public health
purposes. The change here (and in Sec. 2.16 above) was proposed to
further advance alignment with HIPAA and reduce burden on disclosing
entities that would otherwise have to apply differing de-identification
standards.
The Department also proposed for clarity and consistency to replace
several instances of the phrase ``individual or entity'' with the term
``person,'' which would encompass both individuals and entities, and to
replace the term ``individual'' with the term ``person.''
Comment
As discussed above in connection to Sec. 2.16, commenters that
addressed de-identification largely voiced support for adopting a
uniform standard in this regulation that aligns with HIPAA, including
adopting a de-identification standard applicable to research data. Many
of these commenters believed that doing so could facilitate alignment
and understanding among covered entities and part 2 programs.
Response
The Department appreciates these comments.
Comment
One commenter questioned whether the Department should define the
terms ``research'' and ``researcher'' because it is not clear how the
terms apply outside a traditional academic or medical research setting.
This commenter also urged the Department to clarify whether the
definitions of these terms in the HIPAA Privacy Rule at 45 CFR 164.501
should be used as the standard in Sec. 2.52.
Response
We appreciate the comment and have not applied the HIPAA
definitions of ``research'' and ``researcher'' in the final rule
because those were not adopted by the CARES Act amendments to 42 U.S.C.
290dd-2. We acknowledge that the HIPAA Privacy Rule definition of
``research'' is useful and could be applied to research using part 2
records; however, we decline in this rule to require that. Within the
Privacy Rule, ``research'' is defined as ``a systematic investigation,
including research development, testing, and evaluation, designed to
develop or contribute to generalizable knowledge.'' \291\ The HIPAA
Privacy Rule does not define the term ``researcher'' but in guidance
the Department has explained when a researcher is considered a covered
entity (``[f]or example, a researcher who conducts a clinical trial
that involves the delivery of routine health care such as an MRI or
liver function test, and transmits health information in electronic
form to a third party payer for payment, would be a covered health care
provider'').\292\ We continue to believe that the purpose behind each
term is sufficiently clear without having to incorporate regulatory
terms in this part.
---------------------------------------------------------------------------
\291\ 45 CFR 164.501 (definition of ``Research''). The
definition is based on the Common Rule definition of the same term,
45 CFR 46.102 (July 19, 2018).
\292\ See U.S. Dep't of Health and Human Servs., ``When is a
researcher considered to be a covered health care provider under
HIPAA'' (Jan. 9, 2023), https://www.hhs.gov/hipaa/for-professionals/faq/314/when-is-a-researcher-considered-a-covered-health-care-provider-under-hipaa/index.html.
---------------------------------------------------------------------------
Comment
More than half of all commenters that expressed support for the
Department's research proposal urged the Department to expressly permit
disclosure of part 2 records in limited data sets protected by data use
agreements as allowed in the HIPAA Privacy Rule. These commenters
asserted that doing so may greatly facilitate the exchange of public
health information and research about SUDs. One commenter, a research
company that expressed support for the de-identification proposal,
believed that it failed to address the creation of limited data sets as
defined by HIPAA, including that patient consent should not be required
to create limited data sets. The commenter urged recognition in Sec.
2.52(a) of what the commenter referred to as the ``right'' of part 2
programs or responsible parties conducting scientific research to use
identifiable part 2 data for making de-identified data or limited data
sets without the need for obtaining individual consent in the same
manner as is permitted under 45 CFR 164.514.
Response
We decline to finalize a provision that would incorporate limited
data sets into this regulation. We understand that commenters have
questions and suggestions regarding the interaction of the HIPAA
limited data set requirements and the part 2 research requirements. We
did not propose any changes to this regulation to expressly address
limited data sets and are not finalizing any such changes in this rule;
however, we will take these comments into consideration for potential
future rulemaking or guidance.
Comment
One commenter, a research association, perceived a discrepancy in
how part 2 and HIPAA would treat de-identified information under the
proposal. This commenter argued that under proposed Sec. 2.52(b)(3),
part 2 programs must limit the use of de-identified part 2 data in
``research reports'' to data presented in aggregate form instead of
treating it as non-PHI as in the HIPAA Privacy Rule. The commenter
asserted that this unnecessarily restricts research without benefiting
patients and defeats the CARES Act objective to align part 2 with
HIPAA. The commenter recommended that the Department consider alternate
language in Sec. 2.52(b)(3) such as: ``[m]ay use Part 2 data in
research if the patient identifying information (a) has been de-
identified in accordance with any of the standards of the HIPAA Privacy
Rule at 45 CFR 164.514(b); or (b) is in the format of a limited data
set as defined in 45 CFR 164.514(e), which limited data set is used in
accordance with all requirements of Sec. 164.514(e), including the
requirement for a data use agreement.''
Response
As stated previously, the Department did not propose to incorporate
limited data sets into this regulation and is not finalizing such a
change in this final rule. Additionally, the statute limits the
disclosure of records in reports, not the use of records in conducting
research. Section 290dd-2(b)(2)(B) of title 42 provides that records
may be disclosed without consent ``[t]o qualified personnel for the
purpose of conducting scientific research . . . but such personnel may
not identify, directly or indirectly, any individual patient in any
report [emphasis added] of such research . . .[.]''
Comment
A few individual commenters claimed that researchers consistently
demonstrate the ability to re-identify data so de-identification of SUD
records offers no protection to this sensitive information and exposes
patients to stigmatization.
[[Page 12566]]
Response
As noted above in connection to a similar comment regarding the de-
identification proposal in Sec. 2.16, the Department is aware of the
concerns related to the potential to re-identify data. The Department,
however, also recognizes that the HIPAA standard for de-identification
incorporated here is largely viewed as workable and understandable. We
believe this sentiment is borne out in the much larger set of
supportive comments.
Final Rule
Similar to the approach adopted in Sec. 2.16 (Security for records
and notification of breaches), above, the final rule incorporates the
HIPAA Privacy Rule de-identification standard at 45 CFR 164.514(b) into
Sec. 2.52 as proposed, and further modifies this section to more fully
align with the complete HIPAA de-identification standard that adopts
and includes language from 45 CFR 164.514(a). The final rule deletes
the phrase in Sec. 2.52(b)(3), ``as having or having had a substance
use disorder,'' and modifies this language to: ``such that there is no
reasonable basis to believe that the information can be used to
identify a patient.'' In so doing, we are aligning with the HIPAA
standard in paragraph (a) of 45 CFR 164.514 which refers to ``no
reasonable basis to believe that the information can be used to
identify an individual,'' and is not limited to removing information
about a particular diagnosis or subset of health conditions. In this way, the
final standard incorporated here is more privacy protective than the
proposed standard. Moreover, as we also stated in connection with the
final de-identification standard incorporated in Sec. 2.16 above, our
adoption of the same de-identification standard for public health
disclosures (new Sec. 2.54) into this provision provides a uniform
method for de-identifying part 2 records for all purposes. Finally, we
removed the language ``the HIPAA Privacy Rule'' from regulatory
references to 45 CFR 164.514(b) because we believe it to be
unnecessary.
Section 2.53--Management Audits, Financial Audits, and Program
Evaluation
Proposed Rule
The Department proposed to change the heading of Sec. 2.53 to
specifically refer to management audits, financial audits, and program
evaluation to more clearly describe the disclosures permitted without
consent under 42 U.S.C. 290dd-2(b)(2)(B). The Department also proposed
to replace several instances of the phrase ``individual or entity''
with the term ``person,'' which would encompass both individuals and
entities. The Department also proposed to modify the audit and
evaluation provisions at Sec. 2.53 by adding the term ``use'' where
the current language of Sec. 2.53 refers only to disclosure and by
adding paragraph (h) (Disclosures for health care operations).
Section 2.53 permits a part 2 program or lawful holder to disclose
patient identifying information to an individual or entity in the
course of certain Federal, State, or local audit and program evaluation
activities. Section 2.53 also permits a part 2 program to disclose
patient identifying information to Federal, State, or local government
agencies and their contractors, subcontractors, and legal
representatives when mandated by law if the audit or evaluation cannot
be carried out using de-identified information.
The Department explained in the NPRM that there is significant
overlap between activities described as ``audit and evaluation'' in
Sec. 2.53 and health care operations as defined in the HIPAA Privacy
Rule at 45 CFR 164.501. For example, the following audit and evaluation
activities under part 2 align with the health care operations defined
in the HIPAA Privacy Rule, as cited below:
Section 2.53(c)(1) (government agency or third-party payer
activities to identify actions, such as changes to its policies or
procedures, to improve care and outcomes for patients with SUDs who are
treated by part 2 programs; ensure that resources are managed
effectively to care for patients; or determine the need for adjustments
to payment policies to enhance care or coverage for patients with SUD);
\293\
---------------------------------------------------------------------------
\293\ See, e.g., 45 CFR 164.501 (definition of ``Health care
operations,'' paragraph (5)).
---------------------------------------------------------------------------
Section 2.53(c)(2) (reviews of appropriateness of medical
care, medical necessity, and utilization of services); \294\ and
---------------------------------------------------------------------------
\294\ See, e.g., 45 CFR 164.501 (definition of ``Health care
operations,'' paragraph (1)).
---------------------------------------------------------------------------
Section 2.53(d) (accreditation).\295\
---------------------------------------------------------------------------
\295\ See, e.g., 45 CFR 164.501 (definition of ``Health care
operations,'' paragraph (2)).
---------------------------------------------------------------------------
In addition, activities by individuals and entities (``persons''
under the final rule) conducting Medicare, Medicaid, and CHIP audits or
evaluations described at Sec. 2.53(e) parallel those defined as health
oversight activities in the HIPAA Privacy Rule at 45 CFR 164.512(d)(1).
Part 2 programs and lawful holders making disclosures to these persons
must agree to comply with all applicable provisions of 42 U.S.C. 290dd-
2, ensure that the activities involving patient identifying information
occur in a confidential and controlled setting, ensure that any
communications or reports or other documents resulting from an audit or
evaluation under this section do not allow for the direct or indirect
identification (e.g., through the use of codes) of a patient as having
or having had an SUD, and must establish policies and procedures to
protect the confidentiality of the patient identifying information
consistent with this part. Patient identifying information disclosed
pursuant to Sec. 2.53(e) may be further redisclosed to contractor(s),
subcontractor(s), or legal representative(s), to carry out the audit or
evaluation, but is restricted to only that which is necessary to
complete the audit or evaluation as specified in paragraph (e).\296\
---------------------------------------------------------------------------
\296\ See 42 CFR 2.53(e)(6).
---------------------------------------------------------------------------
We confirm here that nothing in the proposed or final rule is
intended to alter the existing use and disclosure permissions for the
conduct of audits and evaluations, including for investigative agencies
that conduct audits. Thus, an investigative agency that is performing
an oversight function may continue to review records under the Sec.
2.53 requirements as they did under the previous rule. At such time
within a review that an audit needs to be referred for a criminal
investigation or prosecution, that investigative agency would be
expected to follow the requirements under subpart E for seeking a court
order. In the event an investigative agency fails to seek a court order
because it is unaware that it has obtained part 2 records, it may rely
on the newly established safe harbor within Sec. 2.3, provided that it
first exercised reasonable diligence in trying to ascertain if the
provider was providing SUD treatment. In making use of the safe harbor,
an investigative agency would then be obligated to follow the new
requirements in Sec. 2.66 or Sec. 2.67, as applicable.
Section 3221(b) of the CARES Act amended the PHSA to permit part 2
programs, covered entities, and business associates to use or disclose
the contents of part 2 records for TPO after obtaining the written
consent of a patient.\297\ Covered entities, including those that are
also part 2 programs, and business associates are further permitted to
redisclose the same information in accordance with the HIPAA Privacy
Rule. As the Department noted throughout the NPRM, these new
[[Page 12567]]
disclosure pathways are permissive, not required.
---------------------------------------------------------------------------
\297\ Codified at 42 U.S.C. 290dd-2(b)(1)(B).
---------------------------------------------------------------------------
To implement the new TPO permission that includes the ability of
the entities above to use or disclose part 2 records for health care
operations with a general consent, the Department proposed to modify
the audit and evaluation provisions at Sec. 2.53 by adding the term
``use'' where the current language of Sec. 2.53 refers only to
disclosure and by adding paragraph (h) (Disclosures for health care
operations). This new paragraph as proposed would clarify that part 2
programs, covered entities, and business associates are permitted to
disclose part 2 records pursuant to a single consent for all future
uses and disclosures for TPO when a requesting entity is seeking
records for activities described in paragraph (c) or (d) of Sec. 2.53.
Such activities are health care operations, but do not include
treatment and payment. To the extent that a requesting entity is itself
a part 2 program, covered entity, or business associate that has
received part 2 records pursuant to a consent that includes disclosures
for health care operations, it would then be permitted to redisclose
the records for other purposes as permitted by the HIPAA Privacy Rule.
Thus, if an auditing entity is a part 2 program, covered entity, or
business associate that has obtained TPO consent and is not performing
health oversight, it would not be subject to all the requirements of
Sec. 2.53 (e.g., the requirement to only disclose the records back to
the program that provided them). Requesting entities that are not part
2 programs, covered entities, or business associates would not have
this flexibility but would still use existing permissions in Sec. 2.53
to obtain access to records for audit and evaluation purposes, and they
would remain subject to the redisclosure limitations and written
agreement requirement therein.
The Department proposed paragraph (h) which would leave intact
existing disclosure permissions and requirements for audit and
evaluation activities without consent, including health care oversight
activities, such as described in paragraph (e). At the same time, the
proposal would provide a new mechanism for programs and covered
entities to obtain patient consents for all future TPO uses and
disclosures (including redisclosures), which in some instances may
include audit and evaluation activities.
Comment
We received several comments about audit and evaluation provisions.
Most commenters expressed support for our proposed changes to this
section. A major health plan expressed support without further comment.
Others expressed support and offered additional recommendations or
suggestions for further alignment or clarity. A state data center
requested clarity on whether there could be other permissible
disclosures for licensing proceedings and hearings before an
administrative tribunal brought by an agency that provides financial
assistance to the part 2 program or is authorized by law to regulate
the part 2 program and administratively enforce remedies authorized by
law to be imposed as a result of the findings of the administrative
tribunal. The commenter suggested adding a new subsection Sec.
2.53(c)(3) to address these issues and add appropriate restrictions.
One state regulatory agency expressed concerns about Sec. 2.53,
describing its recent experience with licensed health care facilities
significantly disrupting the department's regulatory responsibilities
by using 42 CFR part 2 as justification. Specifically, it expressed
concern that licensed health care facilities may rely on the proposed
public health authority exception to prevent the state from accessing
SUD records without patient consent or a court order. This same agency
further commented that the final rule should clarify the scope of the
``public health authority'' exception and affirm the ability of state
licensing authorities to access identifiable patient records pursuant
to Sec. 2.53 for surveys and investigations.
Response
We appreciate the comments on our proposed changes. We discuss
redisclosure provisions in Sec. 2.33. We clarify here that although
the new disclosure permission for public health in Sec. 2.54 is
limited to records that are de-identified, the existing permission for
access to identifiable patient information in Sec. 2.53 remains a
valid and viable means for government agencies with audit and
evaluation responsibilities to review records without obtaining a court
order. We believe that Congress enacted the public health disclosure
permission to enhance the ability of part 2 programs and other lawful
holders of part 2 records to report to public health authorities. This
is distinct from the regulatory and oversight authority over programs
and lawful holders that permits them to review records that are not de-
identified, providing the conditions of Sec. 2.53 are met. We decline
to add a new subsection to Sec. 2.53(c) to clarify other disclosure
provisions for use by regulatory agencies with enforcement authority
over part 2 programs and lawful holders, but Sec. Sec. 2.62, 2.63,
2.64, and 2.66 may govern use of audit and evaluation records in
criminal and non-criminal proceedings against a program. These
provisions also are clear that a court order will not be granted unless
other means of obtaining the records are unavailable or would be
ineffective. Therefore, use of the disclosure permission under Sec.
2.53 is encouraged as courts are unlikely to grant these orders given
the provisions of this rule.
Comment
Several commenters addressed APCDs or MPCDs. One non-profit agency
that administers a state-based APCD commented that the rule should
expressly include a permission to disclose to state-mandated APCDs for
audit and evaluation purposes required by statute or regulation. It
also recommended that the Department clarify that a state mandated APCD
housed in a non-state nonprofit entity does not need to be providing
oversight and management of a part 2 program as a prerequisite for
relying on Sec. 2.53 to conduct an audit or evaluation on behalf of a
state agency. It asserted that in many states the APCD is the most
comprehensive source of cross-payer data and analytics, and the lack of
clarity around APCD authority to hold SUD data is actively hampering
the ability to use APCDs to provide information about the current
opioid epidemic, to evaluate what and where progress is being made, and
to determine if there are populations with inequitable access to the
programs and mitigation strategies used across the country. Another
non-government agency and a state agency made similar comments and a
recommendation for guidance or an express permission to disclose SUD
records to a state agency for APCDs.
One commenter remarked that there continues to be confusion within
the data submitter community about the ability of health insurance
carriers to legally submit data to state health database organizations
without patient consent. According to the commenter, there is an
opportunity for the Department to expressly identify this use as an
authorized release of data to state agencies. Alternatively, the
Department could provide guidance for the existing rules with this
necessary clarification rather than use the rule-making process. The
commenter also suggested that HHS provide clarification to understand
better if the limitations in Sec. 2.53(f) apply to audits/evaluations
[[Page 12568]]
conducted under all of Sec. 2.53 or only those preceding Sec.
2.53(f).
A state agency recommended that restrictions against law
enforcement accessing the database and against information in the
databases being used for legal proceedings against the patient should
accompany the permission to disclose to state APCDs. It further
requested clarity on whether it has authority to request SUD data from
downstream HIPAA covered entities (such as health plans and non-part 2
providers) and business associates if those entities received part 2
records for TPO purposes with patient consent. The commenter also
opined that although, by law, it receives data to determine what
actions are needed at a health plan level to improve care and outcomes
for patients in part 2 programs, it was not clear if the limitations in
Sec. 2.53(f) prohibited another state agency also conducting mandated
audits or evaluations under Sec. 2.53(g) from providing or sharing that
data. If not, the state agency noted government agencies may not be
able to ``directly use'' its databases, even if they are conducting
proper but separate audits or evaluations under Sec. 2.53. Such a
result, according to the commenter, could result in lost efficiencies
and added burdens on part 2 programs or lawful holders because they
would need to provide the data to the requesting government agencies,
instead of the government agencies utilizing existing state databases.
The commenter also asserted that per Sec. 2.53(g), this data release
would only occur in cases where the work could not be carried out using
de-identified information (and subject to the government agency
recipient accepting privacy and security responsibilities consistent
with applicable law).
Response
We appreciate the comments on APCDs or MPCDs and other provisions
under this section and may provide additional guidance after this rule
is finalized. In the preamble to the 2017 Part 2 Final Rule, the Department
stated ``that MPCDs [. . .] are permitted to obtain part 2 data under
the research exception provided in Sec. 2.52, provided that the
conditions of the research exception are met. Furthermore, an MPCD
[. . .] that obtains part 2 data in this fashion would be considered a
`lawful holder' under these final regulations and would therefore be
permitted to redisclose part 2 data for research purposes, subject to
the other conditions imposed under Sec. 2.52.'' \298\
---------------------------------------------------------------------------
\298\ 82 FR 6052, 6102.
---------------------------------------------------------------------------
In the preamble to the 2020 Part 2 Final Rule, the Department
explained that under Sec. 2.53, government agencies and third-party
payer entities would be permitted to obtain part 2 records without
written patient consent to periodically conduct audits or evaluations
for purposes such as identifying agency or health plan actions or
policy changes aimed at improving care and outcomes for part 2
patients.\299\ Such purposes could include, e.g., provider education
and recommending or requiring improved health care approaches.\300\ The
Department also noted that government agencies and private not-for-
profit entities granted authority under applicable statutes or
regulations may be charged with conducting such reviews for licensing
or certification purposes or to ensure compliance with Federal or state
laws. The 2019 Part 2 NPRM explained ``that the concept of audit or
evaluation is not restricted to reviews that examine individual part 2
program performance.'' \301\
---------------------------------------------------------------------------
\299\ 85 FR 42986, 43023.
\300\ Id.
\301\ 85 FR 42986, 43023; 84 FR 44568, 44579.
---------------------------------------------------------------------------
In this final rule we also provide in this section that a part 2
program, covered entity, or business associate may disclose records in
accordance with a consent that includes health care operations to the
extent that the audit or evaluation constitutes a health care operation
activity, and the recipient may redisclose such records as permitted
under the HIPAA Privacy Rule if the recipient is a covered entity or
business associate. Health care operations include a broad range of
quality improvement and related activities, some of which overlap with
the audit and evaluations under Sec. 2.53.\302\
---------------------------------------------------------------------------
\302\ See ``Uses and Disclosures for Treatment, Payment, and
Health Care Operations,'' supra note 248.
---------------------------------------------------------------------------
As worded, Sec. 2.53(f) applies to the entirety of Sec. 2.53 and
states that ``[e]xcept as provided in paragraph (e) of this section,
patient identifying information disclosed under this section may be
disclosed only back to the part 2 program or other lawful holder from
which it was obtained and may be used only to carry out an audit or
evaluation purpose or to investigate or prosecute criminal or other
activities, as authorized by a court order entered under Sec. 2.66.''
Comment
One managed care entity asserted that the proposed rule should
fully align the part 2 audit and evaluation provisions with the HIPAA
Privacy Rule to avoid distinctions between disclosures that would be
permitted as part of health care operations but might not fit within
the scope of audits and evaluations. It further commented that such
misalignment could be administratively challenging and inadvertently
impact the results of audits and evaluations due to incomplete or
inaccurate data sets.
A large pharmacy provider commented that it strongly supported
alignment of HIPAA and 42 CFR part 2, and to achieve full alignment,
the Department should clarify that HIPAA governs all part 2 records
that are PHI when in the hands of covered entities and business
associates for any TPO purposes, including not applying the audit and
evaluation provisions of Sec. 2.53 to covered entities when the
subject activities fall within TPO for HIPAA purposes. A major health
system commented that the redisclosure permission granted to part 2
providers, covered entities, and business associates for records
received under a TPO consent (including for the clarified health care
operations provision at Sec. 2.53) may lead to better SUD treatment
and payment for such treatment, and a reduction of operational issues
between and among providers and their business associates.
Response
The changes to Sec. 2.53 as finalized more closely align with the
HIPAA Privacy Rule because this section now expressly addresses
disclosures for health care operations that are permitted with a single
consent for all future uses and disclosures for TPO under Sec. Sec.
2.31 and 2.33. However, full alignment of Sec. 2.53 with the HIPAA
Privacy Rule is not authorized by the CARES Act because most of this
section includes additional protections for part 2 records when used or
disclosed for oversight, such as vesting the part 2 program director
with discretion to determine whether a requester is qualified,
prohibiting redisclosure of the records by the recipient, and requiring
the return or destruction of records after completion of the audit and
evaluation. We address redisclosures in more depth in the discussion of
Sec. 2.32 and TPO disclosures in Sec. 2.33 above.
Comment
Although the CARES Act does not expressly address Sec. 2.53, one
commenter believed that leaving out health oversight activities while
including the CARES Act provisions for TPO purposes makes SUD patients
more vulnerable. This individual commenter further suggested that the
general regulatory authority given to the
[[Page 12569]]
Department by the CARES Act would permit incorporating health oversight
into this provision, which the commenter views as an acceptable
tradeoff for diminished patient autonomy in terms of consent.
Response
Even though section 3221(e) of the CARES Act does not expressly
address audits and evaluations, 42 U.S.C. 290dd-2 continues to
reference audits and evaluations. The CARES Act emphasized use and
disclosure of records for TPO and restrictions on use and disclosure in
civil, criminal, administrative, or legislative proceedings. We note
and have discussed in the 2018 and 2020 final rules \303\ and 2022 NPRM
that Sec. 2.53 comprises many activities that many would view as
constituting health care oversight, including audits and quality
improvement activities. Paragraph (e) specifically concerns Medicare,
Medicaid, CHIP, or related audit or evaluation. In addition, Sec. 2.62
expressly precludes records that are obtained under this section from
being used and disclosed in proceedings against the patient.
---------------------------------------------------------------------------
\303\ See 83 FR 239, 247 and 85 FR 42986, 43025, respectively.
---------------------------------------------------------------------------
Final Rule
The final rule adopts the proposed changes to Sec. 2.53, with two
modifications to paragraph (h). The first is to limit redisclosure to
recipients that are covered entities and business associates and the
second is to refer to ``HIPAA regulations'' instead of 45 CFR 164.502
and 164.506. We believe this is consistent with the changes to Sec.
2.33(b) and the addition of the defined term ``HIPAA regulations.''
Section 2.54--Disclosures for Public Health
Proposed Rule
The existing part 2 regulations do not permit the disclosure of
part 2 records for public health purposes. Section 3221(c) of the CARES
Act added paragraph (b)(2)(D) to 42 U.S.C. 290dd-2 to permit part 2
programs to disclose de-identified health information to public health
authorities and required the content of such de-identified information
to meet the HIPAA Privacy Rule de-identification standard for PHI
codified in 45 CFR 164.514(b). Accordingly, the Department proposed to
add a new Sec. 2.54 to permit part 2 programs to disclose part 2
records without patient consent to public health authorities provided
that the information is de-identified in accordance with the standards
in 45 CFR 164.514(b).
We proposed this change in conjunction with 42 U.S.C. 290dd-
2(b)(2)(D), as added by CARES Act section 3221(d), which directed the
Department to add a new definition of ``public health authority'' to
this part. We also proposed the new definition in Sec. 2.11, as
discussed above.
Comment
Most commenters voiced support for the proposal to permit
disclosures of de-identified records to public health authorities.
Comments included assertions that the proposal may: promote awareness
of SUDs; align goals between providers and public health authorities
regarding SUD treatment; better help address the drug overdose crisis
by ensuring information was available to develop useful tools while not
impinging on individuals' privacy; assist with addressing population
health matters; improve population health; and assist vulnerable
populations by ensuring SUD records are available (e.g., addressing the
COVID-19 pandemic).
Response
The Department appreciates the comments and takes the opportunity
to reiterate here that the proposal is consistent with the new
authority enacted in the CARES Act.
Comment
Some commenters asserted that while the regulation should allow the
disclosure of SUD records for public health purposes, it should permit
the disclosure of identifiable information rather than limit it to de-
identified data. A few of these commenters acknowledged that the CARES
Act modified title 42 to permit disclosure only of health information
de-identified to the HIPAA standard in 45 CFR 164.512(b). Despite
awareness of the CARES Act, these commenters gave multiple reasons why
they thought the Department should promulgate a rule that permits the
disclosure of identifiable data to a public health authority. For
example, several of these commenters, including an academic medical
center, a private SUD recovery center, and a state-affiliated HIE,
asserted that state laws often require public health reporting for
communicable/infectious disease surveillance. A Tribal consulting firm
asserted that part 2 rules for disclosing data to public health
authorities contradict state, Tribal, local, and territorial public
health laws when other health care providers are required to submit
individually identifiable information. A SUD treatment provider cited
the potential vulnerability of this patient population to sexually
transmitted diseases and the need for individual level data (e.g., age,
address) to accomplish effective disease surveillance and resource
allocation. A managed care organization, a health system, and a few
state/local health departments commented that the limitation of
disclosing only de-identified information could hinder public health
efforts. A few HIE/HINs commented that in their role as Health Data
Utilities, they regularly share critical health data with public health
authorities. They gave examples such as overdose death information,
which facilitates public health authorities' provision of appropriate
follow-up services and resources to those affected by SUD. The HIE/HINs
also have a role in producing public and population health information
such as data maps or other renderings showing utilization of SUD
facilities and open bed counts for the purpose of referrals. These
organizations commented that the differences between HIPAA and the
proposed part 2 public health disclosure permission may complicate the
IT landscape.
Response
We acknowledge the many good explanations of how identifiable
information could be useful for public health purposes that would not
involve public reporting of patient identifying information. However,
we lack authority to permit disclosures of identifiable information for
public health purposes absent patient consent. This limitation is
reflected in the amended statute at 42 U.S.C. 290dd-2(b)(2)(D).
Comment
Several other commenters supported the proposal but suggested other
modifications or accompanying guidance. For example, one commenter, a
regional HIN, asserted that part 2 and HIPAA already permit the
disclosure of de-identified data without patient consent, and therefore
the revision is a clarification rather than a substantive change. It
urged the Department to clarify that the use of a general designation
on an authorization form could allow disclosures to public health
authorities operating in their state of residence. It also requested
the Department to clarify--either in regulation or in guidance--when
disclosures to public health authorities may fall into the research or
audit and evaluation consent exceptions. A major health plan commented
that conducting public health activities using a limited
[[Page 12570]]
data set would be more useful and could advance important public health
goals, as de-identified data lacks dates of service and ages which are
often important variables for both research and public health
activities. A state commented that the Department should specify what
constitutes ``public health purposes.'' A large health care provider
commented that the Department could help clarify the general right to
de-identify part 2 records and disclose such de-identified part 2
records by including an explicit right to do so in the regulations as a
permitted use, including an express right to use part 2 records for
health care operations and to create a de-identified data set without
patient consent.
Response
We appreciate these comments but have proposed this provision
consistent with statutory authority. With respect to limited data sets,
we address this topic in the discussion of Sec. 2.52 above. We decline
at this time to issue guidance related to distinctions between public
health activities, research activities, and audit and evaluation. We
have not received a large number of comments or requests to do so but
will monitor the need to address this once this rule is finalized.
Comment
A health information management organization opposed the proposal
and commented that the Department should fully understand the realities
of de-identified data and should engage patient advocacy focused
organizations to understand if transmitting de-identified data to
public health entities would jeopardize patient trust in part 2
programs. It further commented that the de-identification standard for
data within health care continues to evolve and change over time as
technology and artificial intelligence become better able to reidentify
patients.
Response
The CARES Act now requires the Department to finalize a standard
that permits disclosure of information that is de-identified according
to the HIPAA standard. Although we are obligated to implement the
standard, we will monitor developments in accepted de-identification
practices and how emerging technology developments may reduce the
effectiveness of current standards.
Comment
One commenter, a health system, recommended that the Department
ensure the de-identification standard for records conforms with various
state reporting requirements and patient expectations. It cited the
example of the state being required to track and report certain
statistical information. The commenter also believed that adopting the
HIPAA standard should be done in a way to allow for continued
compliance with these state regulations. Another commenter, a medical
professionals association, urged the Department to facilitate
coordination between physicians and health IT entities to improve de-
identification technology and make it more widely accessible for
physician practices. A few other commenters, another medical
professional association and a trade association representing health
plans, commented that it was important for best practices for de-
identification to be adhered to and reflected in regulations, and that
regulated entities should specify which de-identification methods are
being used for each data set.
Response
We have found that in most cases, state reporting requirements
contemplate the disclosure of aggregate data, which may include de-
identified records. Similarly, our authority to override state public
health reporting requirements is statutorily limited. We express support
for and encourage physicians to work with their respective technology
vendors to assure the availability of compliant technology in physician
practices.
Final Rule
The final rule adopts the proposed addition of a new Sec. 2.54
into this regulation, and the accompanying definition of ``public
health authority'' discussed in Sec. 2.11. The proposal is adopted
with further modification, but we believe it remains within our
authority as enacted by the CARES Act. Consistent with the approach
adopted above in Sec. Sec. 2.16 (Security for records and notification
of breaches) and 2.52 (Scientific research), we are further modifying
the language proposed to align with the full HIPAA de-identification
standard, which includes 45 CFR 164.514(a). As such, the final standard
here permits a part 2 program to disclose records for public health
purposes if made to a ``public health authority'' and the content has
been de-identified in accordance with the requirements of the HIPAA
Privacy Rule standard at 45 CFR 164.514(b), ``such that there is no
reasonable basis to believe that the information can be used to
identify a patient.'' This final language strikes from the proposal the
limiting phrase after this language that is in the existing rule: ``as
having or having had a substance use disorder.'' In addition, we
removed the language ``the HIPAA Privacy Rule'' from the regulatory
reference to 45 CFR 164.514(b) because we believe it unnecessary.
We reiterate here that the proposed change should not be construed
as extending the protections of part 2 to de-identified information, as
such information is outside the scope of Sec. 2.12(a). Thus, once part
2 records are de-identified for disclosure to public health
authorities, part 2 no longer applies to the de-identified records.
Subpart E--Court Orders Authorizing Use and Disclosure
The CARES Act enacted significant statutory changes governing how
records could be used in legal proceedings. Section 290dd-2(c) (Use of
Records in Criminal, Civil, or Administrative Contexts), as amended by
section 3221(e) of the Act, newly emphasizes the allowance of written
consent as a basis for disclosing records for proceedings. Revised
paragraph (c) of 42 U.S.C. 290dd-2, as amended, now provides ``[e]xcept
as otherwise authorized by a court order under subsection (b)(2)(c) or
by the consent of the patient, a record referred to in subsection (a),
or testimony relaying the information contained therein, may not be
disclosed or used in any civil, criminal, administrative, or
legislative proceedings [. . .] against a patient [. . .].'' Thus,
paragraph (c) of the amended statute also applies restrictions beyond
records to ``testimony relaying the information contained therein.'' In
the NPRM, the Department proposed to implement this amended statutory
provision across every subpart E section as applicable, and in
addition, proposed changes to Sec. Sec. 2.12(d) and 2.31, discussed
above, to more generally address how restrictions on use and disclosure
of records apply in legal proceedings, and requirements for the
structure of written consents for uses and disclosures of records and
information in testimony in legal proceedings.\304\
---------------------------------------------------------------------------
\304\ As discussed above, the Department is finalizing changes
to Sec. 2.12, Applicability. Paragraph (d) of Sec. 2.12, as
finalized, provides that restrictions on the use and disclosure of
any record to initiate or substantiate criminal charges against a
patient or to conduct any criminal investigation of a patient, or to
use in any civil, criminal, administrative, or legislative
proceeding against a patient, applies to any person who obtains the
record from a part 2 program, covered entity, business associate,
intermediary, or lawful holder regardless of the status of the
person obtaining the record or whether the record was obtained in
accordance with part 2.
---------------------------------------------------------------------------
[[Page 12571]]
To properly reflect that subpart E regulates uses and disclosures
of records, information, and testimony therein, the Department is
finalizing the proposed heading so that it now refers to ``Court Orders
Authorizing Use and Disclosure.'' We received no comments addressing
the proposed change in heading. We also note with respect to proposed
modifications throughout this subpart, many public comments were
intermingled across sections or intended to provide comment related to
multiple regulatory sections. To the best of our ability, we responded
to such comments in the regulatory section where we believe them most
applicable.
Section 2.61--Legal Effect of Order
Section 2.61 includes the requirement that in addition to a court
order that authorizes disclosure, a subpoena is required to compel
disclosure of part 2 records. The final rule adopts the proposal to
add the word ``use'' to paragraphs (a) and (b)(1) and (2)
to clarify that the legal effect of a court order with respect to part
2 records would include authorizing the use of part 2 records, in
addition to the disclosure of part 2 records. The Department did not
propose substantive changes to this section although in relation to
other provisions of this rulemaking, a few commenters expressed concern
that the rule contemplates the added expense of a subpoena. Those
comments are addressed below.
Section 2.62--Order Not Applicable to Records Disclosed Without Consent
to Researchers, Auditors, and Evaluators
Proposed Rule
Section 2.62 provides that a court order issued pursuant to part 2
may not authorize ``qualified personnel'' who have received patient
identifying information without consent for conducting research, audit,
or evaluation, to disclose that information or use it to conduct any
criminal investigation or prosecution of a patient. As we explained in
the NPRM, the term ``qualified personnel'' has a precise meaning but
does not have a regulatory definition within 42 CFR part 2 and is used
only once within the regulation. For greater clarity, the Department
proposed to refer instead to ``persons who meet the criteria specified
in Sec. 2.52(a)(1)(i) through (iii),'' and later in the paragraph to
``such persons.'' The individual paragraphs of Sec. 2.52(a)(1)(i)
through (iii) describe the circumstances by which the person designated
as director, managing director, or authoritative representative of a
part 2 program or other lawful holder may disclose patient identifying
information to a recipient conducting scientific research.
Comment
The Department did not receive comments specific to this section.
Final Rule
The Department adopts the proposed change and additionally inserts
``and Sec. 2.53'' as a technical correction given that the regulatory
text references audit and evaluation but not Sec. 2.53. The final text
provides that the court ``may not authorize persons who meet the
criteria specified in Sec. Sec. 2.52(a)(1)(i) through (iii) and 2.53,
who have received patient identifying information without consent for
the purpose of conducting research, audit, or evaluation, to disclose
that information or use it to conduct any criminal investigation or
prosecution of a patient.''
Section 2.63--Confidential Communications
Proposed Rule
Section 2.63 contains provisions that protect the confidential
communications made by a patient to a part 2 program. Paragraph (a) of
Sec. 2.63 provides that a court order may authorize disclosure of
confidential communications made by a patient to a part 2 program
during diagnosis, treatment, or referral only if necessary: (1) to
protect against an existing threat to life or of serious bodily injury;
(2) to investigate or prosecute an extremely serious crime, such as one
that directly threatens loss of life or serious bodily injury,
including homicide, rape, kidnapping, armed robbery, assault with a
deadly weapon, or child abuse and neglect; or (3) in connection with
litigation or an administrative proceeding in which the patient
introduces their own part 2 records. Paragraph (b) of current Sec.
2.63 is reserved.
To implement changes to 42 U.S.C. 290dd-2 that could properly be
applied to this section, the Department proposed to specify in Sec.
2.63(a)(3) that civil, as well as criminal, administrative, and
legislative proceedings are circumstances under which a court may
authorize disclosures of confidential communications made by a patient
to a part 2 program. Specifically, the Department proposed in Sec.
2.63(a)(3) to expand the permission's application from ``litigation or
administrative proceeding'' to ``civil, criminal, administrative, or
legislative proceeding'' in which the patient offers testimony or other
evidence pertaining to the content of the confidential communications.
Comment
One commenter expressed support for the proposal with the caveat
that the part 2 program or covered entity be permitted to use the
records, without a requirement that the patient first introduce the
records into a legal proceeding, if the purpose of the use is for
defense against professional liability claims brought by the patient.
One health plan also expressed unconditional support for this
proposal.
Response
We appreciate the comments. We reaffirm here that this regulation
is intended to protect those communications that are narrow in scope
and limited to those statements made by a patient to a part 2 program
in the course of diagnosis, treatment, or referral for treatment. We
believe continuing to permit disclosure only under circumstances of
serious harm coupled with a patient's own ``opening the door'' in legal
proceedings strikes the right balance against an obvious disincentive
to seeking care when such communications are not kept confidential. On
the other hand, should an applicant believe it necessary to seek a
court order and a subpoena (authorizing and compelling disclosure,
respectively), nothing in this section restricts the applicant from
attempting to convince a court that the information sought is broader
than that governed by Sec. 2.63, such as information contained in
records subject to disclosure under Sec. 2.64, and from having that
question evaluated by a competent court with jurisdiction.
Final Rule
The final rule adopts the proposed changes to this section without
further modification.
Section 2.64--Procedures and Criteria for Orders Authorizing Uses and
Disclosures for Noncriminal Purposes
Proposed Rule
Section 2.64 describes the procedures and criteria that permit any
person having a legally recognized interest in the disclosure of
patient records for purposes ``other than criminal investigation or
prosecution'' to apply for a court order authorizing the disclosure of
the records.
The current language of Sec. 2.64 refers only to ``purposes other
than criminal investigation or prosecution'' and ``noncriminal
purposes'' in the heading. To implement the changes to 42 U.S.C. 290dd-
2(c), the Department proposed to
[[Page 12572]]
modify paragraph (a) of Sec. 2.64 to expand the forums for which a
court order must be obtained, absent written patient consent, to permit
use and disclosure of records in civil, administrative, or legislative
proceedings. The Department also proposed, consistent with the language
of the amended statute, to apply the requirement for the court order to
not only records, but ``testimony'' relaying information within the
records.
Comment
One commenter, a state Medicaid Office, sought guidance from the
Department on determining the appropriateness of applying redisclosure
procedures under HIPAA or part 2 when the underlying disclosure relates
to a judicial or administrative proceeding. Specifically, this
commenter noted that following receipt of records pursuant to a TPO
consent, proposed Sec. 2.33(b) authorizes subsequent redisclosures
under HIPAA regulations. As an example, it described a covered entity
that receives an order for part 2 records of a Medicaid recipient as
part of a civil, administrative, legislative, or criminal proceeding or
criminal investigation. The proceeding in this situation is not against
the Medicaid recipient, who is instead a witness, an alternate suspect,
or other third-party individual. In these cases, this commenter asked
if it should review and respond to the order under 45 CFR 164.512(e)
\305\ pursuant to the proposed Sec. 2.33(b) or under the procedures
required by Sec. 2.64.
---------------------------------------------------------------------------
\305\ 45 CFR 164.512(e) grants permissions to covered entities
to disclose PHI for judicial and administrative proceedings.
---------------------------------------------------------------------------
Response
As we understand the commenter's example and question, the
underlying proceedings are not against the subject of the records or
``patient,'' and therefore the covered entity would be permitted to
redisclose the records in accordance with the HIPAA Privacy Rule permission
at 45 CFR 164.512(e). This response is consistent with the part 2
statute and with revised Sec. 2.33(b) which provides that ``[i]f a
patient consents to a use or disclosure of their records consistent
with Sec. 2.31, the recipient may further use or disclose such records
as provided in subpart E of this part, and as follows . . . [w]hen
disclosed for treatment, payment, and health care operations activities
[. . .] the recipient may further use or disclose those records in
accordance with the HIPAA regulations, except for uses and disclosures
for civil, criminal, administrative, and legislative proceedings
against the patient [emphasis added].''
Although revisions to Sec. 2.33 permit a covered entity or
business associate to redisclose records obtained pursuant to a TPO
consent ``in accordance with the HIPAA regulations,'' any person
seeking to redisclose such records or information in a proceeding
against the patient is required to comply with the procedures in Sec.
2.64 or Sec. 2.65 to obtain the part 2 court order or a separate
consent of the patient that meets the requirements of new Sec.
2.31(d).
Comment
One supportive commenter, a health system, asserted that a
reasonable and necessary exception to the rule requiring patient
consent or court order is in the case of a health care entity and
provider needing access to records to vigorously defend their positions
in legal proceedings against a patient, such as with a professional
liability claim. This commenter further asserted that redacted records
would be inadequate for preparation or case presentation.
Response
We do not believe that a professional liability claim brought by a
patient against a provider is a proceeding ``against a patient.'' If a
provider believes that a part 2 record or information is required to
mount a defense against a professional liability claim brought by a
patient, there is nothing in this regulation which would prevent the
provider from seeking relief from a court.
Comment
One commenter did not object to the Department's proposal extending
the current provision to apply to administrative and legislative
proceedings, but objected that a part 2 program or covered entity may
incur legal expenses to obtain an instrument that would compel
compliance (i.e., a subpoena, in addition to a court order).
Response
We appreciate the comment but even before this rulemaking, Sec.
2.61 made clear that the sole purpose of a court order issued pursuant
to subpart E was to authorize use or disclosure of patient information
but not to compel the same. Additionally, under the current Sec. 2.61,
a subpoena or a similar legal mandate must be issued in order to compel
disclosure. There is nothing in the CARES Act amendments that suggests
we should modify these requirements.
Comment
Several commenters expressed support for this proposal, including a
county department of public health and several individuals. One
individual expressed strong support for restricting disclosures for
civil and non-criminal procedures to promote racial equity. Another
individual commenter thanked the Department for protecting patients
from having records used against them, including the content of records
in testimony.
Response
We appreciate the comments, but historically part 2 has always
placed some restriction on disclosure of records in both civil and
criminal types of proceedings.
Final Rule
The final rule adopts Sec. 2.64 as proposed in the NPRM without
further modification.
Section 2.65--Procedures and Criteria for Orders Authorizing Use and
Disclosure of Records To Criminally Investigate or Prosecute Patients
Proposed Rule
Section 2.65 establishes procedures and criteria for court orders
authorizing the use and disclosure of patient records in criminal
investigations or prosecutions of the patient. Under Sec. 2.65(a), the
custodian of the patient's records or a law enforcement or
prosecutorial official responsible for conducting criminal
investigative or prosecutorial activities, may apply for a court order
authorizing the disclosure of part 2 records to investigate or
prosecute a patient. Paragraph (b) describes the operation of notice to
the holder of the records about the application for a court order under
this section and opportunity to be heard and present evidence on
whether the criteria in paragraph (d) for a court order have been met.
Paragraph (d) sets forth criteria for the issuance of a court order
under this section, including paragraph (d)(2), which requires a
reasonable likelihood that the records would disclose information of
substantial value in the investigation or prosecution. Paragraph (e)
sets forth requirements for the content of a court order authorizing
the disclosure or use of patient records for the criminal investigation
or prosecution of the patient. Paragraph (e)(1) requires that such
order must limit disclosure and use to those parts of the patient's
record as are essential to fulfill the objective of the order, and
paragraph (e)(2) requires that the order limit the disclosure to those
law enforcement and
[[Page 12573]]
prosecutorial officials who are responsible for, or are conducting, the
investigation or prosecution, and limit their use of the records to
investigating and prosecuting extremely serious crimes or suspected
crimes specified in the application.\306\ Paragraph (e)(3) requires
that the order include other measures as are necessary to limit use and
disclosure to the fulfillment of only that public interest and need
found by the court.
---------------------------------------------------------------------------
\306\ Section 2.63(a)(1) and (2) of the current rule specify
that the type of crime for which an order to disclose confidential
communications could be granted would be one ``which directly
threatens loss of life or serious bodily injury, including homicide,
rape, kidnapping, armed robbery, assault with a deadly weapon, or
child abuse and neglect.'' Thus, the use of an illegal substance
does not in itself constitute an extremely serious crime.
---------------------------------------------------------------------------
The Department proposed to modify Sec. 2.65(a) to expand the
types of criminal proceedings related to the enforcement of criminal
laws to include administrative and legislative criminal proceedings for
which a court order is required for uses and disclosures of records,
and in paragraphs (a), (d) introductory text, (d)(2), (e) introductory
text, and (e)(1) and (2), to include testimony relaying information
within the records. The Department also proposed a non-substantive
change to move the term ``use'' before ``disclosure'' in paragraphs (e)
introductory text and (e)(1) and (3). As noted in the NPRM, criminal
investigations may be carried out by executive agencies and legislative
bodies as well as in criminal prosecutions through the judicial
process. These changes implement 42 U.S.C. 290dd-2(c), as amended by
section 3221(e) of the CARES Act, by widening the scope of
confidentiality protections for patients in all of these forums where
an investigation or action may be brought against them.
Notably, the statute, as amended by the CARES Act, also expressly
permits disclosures and uses of records and testimony in legal
proceedings against the patient if a patient consents. To address
concerns about consent for use and disclosure of records in proceedings
against the patient, the Department is adding a separate consent
requirement in Sec. 2.31(d), as discussed above.
Comment
Nearly half of all commenters that addressed subpart E proposals
opposed the proposal to allow patients to consent to the use and
disclosure of their part 2 records in proceedings against the patient.
Many of these commenters contended that permitting disclosures of
records and testimony in proceedings against the patient, based on the
patient's consent, only makes patients vulnerable to coercion from law
enforcement who condition certain outcomes in the matter underlying the
dispute on obtaining consent.
While several commenters acknowledged the statutory language that
expressly allows consent for court proceedings, most nonetheless urged
the Department not to implement the statutory change and instead
finalize a regulatory provision that will protect patients from law
enforcement seeking to condition outcome in criminal and civil
proceedings on signed consent forms. Other commenters expressed alarm
that the consent provision would further disincentivize historically
vulnerable populations experiencing SUD, including pregnant
individuals, from seeking SUD treatment. One commenter asserted that
recipients of records released with consent for criminal, civil,
administrative, and legislative proceedings are lawful holders under
the regulations and recommended they be expressly barred from using
these records or patient information in ways that discriminate against
the patient.
Response
We appreciate the sentiments expressed by many of these commenters
regarding the risks of a consent option. However, the language of the
statute, as amended by the CARES Act, is clear and unambiguous and
emphasizes the existing ability of patients to consent to the use or
disclosure of their records or testimony within such records in legal
proceedings against them. We also view patient consent as one of the
cornerstones of privacy protection. Consistent with the statute and
principle of empowering the patient to control the flow of their own
information, the existing rule at Sec. 2.33(a) clearly allows patient
consent for disclosure of records for any purpose, which may include
investigations and proceedings against the patient. The final rule
expands this to encompass consent for use of records as well as
disclosures. Additionally, in Sec. Sec. 2.12 and 2.31 above, we
discuss the specific regulatory modifications that refer to consent for
legal proceedings and newly require separate consent for use and
disclosure of records in civil, criminal, administrative, and
legislative proceedings. We reiterate here that we intend for
references to such proceedings to also encompass investigations, as
stated in 42 U.S.C. 290dd-2.
Comment
One commenter, a mental health advocacy organization, commented
that the Department should establish a safe harbor that would protect
health plans from civil and criminal penalties when violations arise
from good faith redisclosures that comply with the HIPAA Privacy Rule
but not part 2. According to this commenter this provision could
support sharing information on claims databases since there are
disparate state approaches to protecting and administering these
records.
Response
We are sympathetic to concerns related to disparate state laws that
conflict with or overlap with this Part, and understand the issues
faced by plans that consistently interact with or disclose information
to state claims databases. However, we believe the extent of our
statutory authority is clear: this regulation permits use and
disclosure of records, and of the information therein, in legal
proceedings against patients only when consent or the requisite court
order is obtained. Having said that, under the newly promulgated
enforcement structure required by statute, criminal liability attaches
only when a willful or knowing violation occurs. Moreover, the crux of this
requirement remains as it did prior to this rulemaking and the CARES
Act did nothing to modify the added protection afforded to records that
would otherwise be used to prosecute a patient. Given the continuity of
this requirement, we anticipate that plans and state claims databases
should have already built-in mechanisms to accommodate this regulation.
Comment
Approximately one-third of commenters on this topic supported
requiring patient consent or a court order for use and disclosure of
part 2 records against a patient or a part 2 program. Some of these
commenters expressed appreciation for the expanded protection from use
and disclosure in legislative and administrative investigations and
proceedings, and express protection of testimony that conveys
information from part 2 records within the consent or court order
requirements. Some commenters expressed the sentiment that these
express and expanded protections would serve as a counterweight to
easing the flow of part 2 records for health care-related purposes.
[[Page 12574]]
Response
We appreciate these comments. As we have stated above, the revised
language of this section, and our revision to Sec. 2.12(d), discussed
above, implement key CARES Act statutory modifications. We agree that
the expanded protections for testimony arising from information
contained in records, and the extension of protection to additional
types of legal proceedings could counterbalance, in some respects, the
expanded permission to use and disclose part 2 records under a
single consent for all future TPO.
Comment
One commenter, a health system, expressed support for this proposal
but suggested that a covered entity should be able to rely and act upon
a court order issued by a court of competent jurisdiction without
potentially incurring additional legal expenses for an instrument
compelling compliance.
Response
Consistent with our response above, the requirement for a subpoena
has been firmly enshrined in part 2 and was not proposed for revision
in this rulemaking.
Comment
An individual appreciated the emphasis in the Sec. 2.65 NPRM
discussion that ``the use of an illegal substance does not in itself
constitute an extremely serious crime'' and recommended reiterating
that neither substance use nor engagement in SUD treatment services
should in and of themselves be considered evidence of child abuse or
neglect, including for people who are pregnant.
Response
We agree and reiterate that the regulation continues to place emphasis
on crimes that pose threats to loss of life or serious bodily injury,
such as homicide, rape, kidnapping, armed robbery, assault with a
deadly weapon, and child abuse and neglect.\307\
---------------------------------------------------------------------------
\307\ See Sec. Sec. 2.65(d)(1) (criteria for court issuance of
an order authorizing use and disclosure of records in a criminal
proceeding against a patient) and 2.63(a)(2) (limiting disclosure of
confidential communications to investigations or prosecution of
serious crimes).
---------------------------------------------------------------------------
Final Rule
The final rule adopts Sec. 2.65 as proposed without further
modification.
Section 2.66--Procedures and Criteria for Orders Authorizing Use and
Disclosure of Records To Investigate or Prosecute a Part 2 Program or
the Person Holding the Records
Proposed Rule
The Department proposed to add a new paragraph (a)(3) that details
procedures for investigative agencies to follow in the event they
unknowingly obtain part 2 records during an investigation or
prosecution of a part 2 program or person holding part 2 records
without obtaining a court order as required under subpart E. Section
2.66 specifies the persons who may apply for an order authorizing the
disclosure of patient records for the purpose of investigating or
prosecuting a part 2 program or ``person holding the records (or
employees or agents of that part 2 program or person holding the
records)'' in connection with legal proceedings, how such persons may
file the application, and provides that, at the court's discretion,
such orders may be granted without notice to the part 2 program or
patient.
In conjunction with a new definition of ``investigative agency''
that the Department proposed and is finalizing in Sec. 2.11 above, the
Department proposed to modify paragraph (a) to refer only to ``investigative
agency'' as the type of organization that may apply for an order under
this section. The new term includes, by definition, the other types of
organizations referenced in the current provision (i.e., state or
Federal administrative, regulatory, supervisory, investigative, law
enforcement, or prosecutorial agency having jurisdiction over the
activities of part 2 programs or other person holding part 2 records)
as well as local, Tribal, and territorial agencies. The proposed new
paragraph (a)(3) would require an investigative agency (other than one
relying on another
disclosure provision, such as Sec. 2.53(e)) \308\ that discovers in
good faith that it has obtained part 2 records to secure the records
consistent with Sec. 2.16 and immediately cease using or disclosing
them until it obtains a court order authorizing the use and disclosure
of the records and any records later obtained. A court order must be
requested within a reasonable period of time, but not more than 120
days after discovering it received the records. As proposed, if the
agency does not seek a court order, it must return the records to the
part 2 program or person holding the records if it is legally
permissible to do so, within a reasonable period of time, but not more
than 120 days from discovery; or, if the agency does not seek a court
order or return the records, it must destroy the records in a manner
that renders the patient identifying information non-retrievable,
within a reasonable period of time, but not more than 120 days from
discovery. Finally, if the agency's application for a court order is
rejected by the court and no longer subject to appeal, the agency must
return the records to the part 2 program or person holding the records,
if it is legally permissible to do so, or destroy the records
immediately after notice of rejection from the court.
---------------------------------------------------------------------------
\308\ Section 2.53 also permits a person to disclose patient
identifying information for the purpose of conducting a Medicare,
Medicaid, or CHIP audit or evaluation. However, subpart E
proceedings are distinguished from those under Sec. 2.53 in that
Sec. 2.53 audits and evaluation are limited to that conducted by a
governmental agency providing financial assistance to a part 2
program or other lawful holder or an entity with direct
administrative control over the part 2 program or lawful holder, and
is determined by the part 2 program or other lawful holder to be
qualified to conduct an audit or evaluation. See Sec. 2.53 for the
provision in its entirety.
---------------------------------------------------------------------------
The Department proposed in paragraph (b) to provide an option for
substitute notice by publication when it is impracticable under the
circumstances to provide individual notification of the opportunity to
seek revocation or amendment of a court order issued under Sec. 2.66.
Additionally, the Department proposed to reorganize paragraph (c) by
expressly incorporating the provisions from Sec. 2.64(d) \309\ that
would require an applicant to obtain a good cause determination from a
court and adding the proposed Sec. 2.3(b) requirements as elements of
good cause for investigative agencies that apply for a court order
under proposed Sec. 2.66(a)(3)(ii).
---------------------------------------------------------------------------
\309\ In addition to incorporating the provisions in Sec.
2.64(d), the Department proposed a slight modification to Sec.
2.66(c)(1) to add that other ways of obtaining the information would
yield incomplete information.
---------------------------------------------------------------------------
We note at the outset of the discussion of comments for this
section and Sec. 2.67 that some comments were intertwined with
comments in response to Sec. 2.3(b), limitation of liability for
investigative agency personnel. Those comments are addressed above in
the discussion of comments related to Sec. 2.3(b).
Comment
A large health system expressed support for providing a remedy when
an investigative agency discovers in good faith that it has received
part 2 records, that allows the agency to either seek a court order or
return records in lieu of an order.
[[Page 12575]]
Response
We appreciate the comments.
Comment
Several commenters, including a Medicaid fraud unit and a large
health system, expressed support for the proposal to allow for
substitute notice under Sec. 2.66 when individual notice is infeasible
or impractical. One commenter, a state-based regional Medicaid fraud
unit, asked the Department to consider applying the ``substitute notice
by publication'' requirement retroactively.
Response
We appreciate the comments regarding substitute notice. In
consideration of the burden that would fall on part 2 programs and
holders of records, we decline to make this requirement retroactive.
Comment
A state Medicaid fraud unit recommended that it not be considered
an ``investigative agency'' as defined in Sec. 2.11 and used in this
section and Sec. 2.67, and that it be permitted to access records
without a court order. In the alternative, it expressed support for the
proposed safe harbor and related procedures proposed in Sec. Sec. 2.66
and 2.67.
Response
We believe that a state Medicaid fraud unit meets the definition of
``investigative agency'' in Sec. 2.11. The definition that we are
finalizing provides that ``[i]nvestigative agency means a Federal,
state, Tribal, territorial, or local administrative, regulatory,
supervisory, investigative, law enforcement, or prosecutorial agency
having jurisdiction over the activities of a part 2 program or other
person holding part 2 records.'' We are aware that in some states,
Medicaid fraud units are created within state attorney general offices
under Federal authority.\310\
---------------------------------------------------------------------------
\310\ See, e.g., Maryland Office of the Att'y Gen., ``Medicaid
Fraud Control Unit,'' https://www.marylandattorneygeneral.gov/Pages/MFCU/default.aspx.
---------------------------------------------------------------------------
Comment
A commenter, a state-based data center, requested that language be
added to Sec. 2.66(a)(2), (b), and (c) to clarify that an
administrative tribunal can issue orders under this section, and that a
separate court proceeding is not required.
Response
As we have noted previously, we lack authority to circumvent the
statutory requirement in 42 U.S.C. 290dd-2(c) for a court order to
authorize use and disclosure of records for civil, criminal,
administrative, and legislative proceedings, including administrative
tribunals.
Comment
One commenter, a managed care organization, requested that the
Department require investigative agencies to notify the program when it
unknowingly is in receipt of part 2 records but lacks the required
court order and whether it intends to seek a court order, return, or
destroy the records. The organization also requested clarification that
the rule does not authorize an investigative agency to destroy records
unless it has confirmed that they are not originals.
Response
We believe the proposed rule adequately protects the records from
misuse by requiring the investigative agency holding the records either
to return the records or to destroy them in a manner that renders the
patient identifying information non-retrievable, in each case in a
timely manner. We do not believe additional notice to the part 2 program or
other holder of the record, as described by this commenter, is
necessary and believe such a notice would go beyond the current rule in
Sec. 2.66 which does not require notice to be made until such time as
a court order is granted. We agree that it is a best practice to
confirm with the part 2 program that produced the records whether they
are originals before an investigative agency destroys them.
Comment
One commenter, a state Medicaid agency, recommended that the
Department include language outlining what ``good faith'' means and
what will happen if the standard is not met.
Response
We believe it unnecessary to define in regulation the phrase ``good
faith,'' which is required to support a finding that an investigative
agency unknowingly acquired part 2 records in the course of an
investigation under Sec. 2.66 or Sec. 2.67, or a finding that the safe
harbor applies to shield from liability investigators who are holding
such records.\311\ We believe the phrase is generally understood to
mean without malice or without bad intent. We also believe that the
operation of this provision is clear, in the event a finding of good
faith is not met. First, if investigators are found to have acted in
bad faith in obtaining the part 2 records, penalties could result.
Second, in Sec. Sec. 2.66 and 2.67, a finding of good faith is
necessary to trigger the ability of the agency to apply for a court
order to use records that were previously obtained.
---------------------------------------------------------------------------
\311\ See our NPRM discussion at 87 FR 74216, 74227 where we
stated, ``The proposed safe harbor could promote public safety by
permitting government agencies to investigate or prosecute Part 2
programs and persons holding Part 2 records for suspected criminal
activity, in good faith without risk of HIPAA/HITECH Act
penalties.''
---------------------------------------------------------------------------
Comment
One commenter, an advocacy organization, requested that additional
protections be added to Sec. 2.66 (as well as Sec. 2.3) for cloud
service providers (CSPs). Such protections, the commenter believed,
would apply to a ``person holding the record'' who coordinates with the
SUD data owner (to the extent permitted by the legal request) and,
despite such coordination, unknowingly makes a record available in
response to an investigatory court order or subpoena. This same
commenter further requested that the Department allow CSPs to, at their
discretion: (1) require requestors of records to certify or attest
that, to the best of the requestor's knowledge, part 2 records are not
part of the request or that information sought will not be used as part
of proceedings against a patient of a part 2 program; and (2) rely on
such certifications or attestations of requestors when making
disclosures in response to an investigatory court order or subpoena.
Response
We understand the challenges faced by CSPs and agree that under
some circumstances they may be treated as the ``person holding the
record'' under this regulation. However, under many service agreements
the person that stores data in a CSP system is the one with the legal
capability to disclose the data. We decline to adopt additional rules
for CSPs that are different than the rules for other lawful holders of
a part 2 record. The rule does not prevent a person holding the record
from inquiring of the requestor whether they have knowledge as to the
nature of the records within the scope of the request. However, we
believe that a holder of the record, as a baseline, has some
responsibility to know whether they are maintaining records that are
PHI or subject to part 2. We also believe that in most cases, a CSP
should be acting under the purview of a valid business associate
agreement or other contract that specifies the particular protections
[[Page 12576]]
needed with respect to the type of data being held and disclosed.\312\
---------------------------------------------------------------------------
\312\ See U.S. Dep't of Health and Human Servs., ``Guidance on
HIPAA & Cloud Computing'' (Dec. 23, 2022), https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html (``The BAA also contractually
requires the business associate to appropriately safeguard the ePHI,
including implementing the requirements of the Security Rule.'' From
an enforcement standpoint, we would apply this same principle to any
agreement between a CSP and originator of part 2 data under part 2
obligations.).
---------------------------------------------------------------------------
Comment
One commenter, a medical professionals association, expressed
concern that the patient notification process is insufficient
(including under existing policies). In particular, according to this
commenter the notification process may be problematic for those
patients who lack mailing addresses, and it is not clear that the
allowance for substitute notice by publication would increase its
effectiveness. Instead, this commenter recommended instituting further
notice requirements such as more detailed information provided to part
2 patients regarding the potential for court-ordered disclosure of
records, the absence of an initial notice requirement, and the
potential for substitute notice by publication. This same commenter
recommended such information be included in the HIPAA NPP and included
on the part 2 program's website; further, if a part 2 program comes
under investigation and receives a court order authorizing disclosure,
the part 2 program be required to post information on its website
regarding the investigation and court order.
Response
We assume the crux of this comment is that the proposal does not
account for an initial notice to a patient upon an application for a
court order by a person seeking to use or disclose the patient's
record. We disagree that the regulation does not provide for adequate
notice to patients and part 2 programs about the entry of court orders.
With respect to patients, we have proposed and are finalizing in a
revised Patient Notice required by Sec. 2.22 a requirement that part 2
programs include in the Patient Notice a statement such as ``[r]ecords
shall only be used or disclosed based on a court order after notice and
an opportunity to be heard is provided to the patient or the holder of
the record, where required by 42 U.S.C. 290dd-2 and this part''. We
believe this statement provides adequate notice to the patient such
that the patient is made aware that he or she will be provided with
some type of notice in the event a court order authorizes a use or
disclosure of the patient's records. As we have stated above, the HIPAA
Privacy Rule proposed modifications and public comments will be
considered in a separate rulemaking.
While we agree with the sentiment that website notice of a court
ruling permitting use or disclosure of a patient's records is generally
reasonable, we decline to adopt this as a regulatory requirement. Given
the court involvement in these proceedings, we believe it best left to
the discretion of the court to determine the means of substitute notice
that is reasonable under the specific circumstances that exist at the
time.
Comment
One individual expressed negative views about this section and
opined that the Department's proposed new paragraph Sec. 2.66(a)(3) is
not related to any requirement in the CARES Act. It is instead,
according to this commenter, a means to excuse efforts by investigative
agencies that fail to presume, as they should, that an investigation of
a part 2 program would result in obtaining part 2 records. This
commenter further recommended that the investigative agency be required
to seek court authorization prior to any investigation and that the
good faith standard is ``disingenuous.'' Finally, this commenter opined
that the proposed option in Sec. 2.66(b) for a substitute notice by
publication when it is deemed ``impracticable'' under the circumstances
to provide individual notification of the opportunity to seek
revocation or amendment of a court order runs counter to the protection
of patients in that an ability to locate a patient should not diminish
their right to confidentiality.
Response
We understand the underlying concerns expressed in this comment and,
in response, are making some additional modifications to the proposed
rule as discussed below. Also, in response, we point to the robust
requirements that relate to obtaining the court order under paragraph
(c) of this section, including that other ways of obtaining the
information are not available (or would not be effective or would yield
incomplete results), there is a public interest that outweighs
potential injury to the patient, and the required diligence that must
be exercised on the part of the investigative agency related to
determining the application of this part. Additionally, with respect to
substitute notice, it is only permitted once it is determined that
individual notice is not available. Further, we assume that agencies
obtaining a court order under Sec. 2.66 have already complied with the
requirement to use a pseudonym for the patient in the application for
the court order (or to ensure the court seals the record of the
proceedings) and expect them to comply with the requirement not to
disclose any patient identifying information in any public mention of
the court order, which would include any public form of substitute
notice.
Final Rule
We are appreciative of the many comments in response to this
section, but as we note above, the requirement of a court order or
consent to make uses and disclosures regulated under this section has
not changed, despite the widening of application to types of
proceedings and testimony contained in records. In addition, as
proposed, this change is consistent with the revised statute. The final
rule therefore adopts Sec. 2.66 as proposed with one additional
modification. We are modifying paragraph (c)(3) to clarify that with
respect to an application pursuant to Sec. 2.66(a)(3)(ii), it is not
permissible to use information from records obtained in violation of
part 2 to support an application for a court order under 42 U.S.C.
290dd-2(b)(2)(C). We adopted this modification in response to
commenters' concerns about the potential misuse of the safe harbor
established in Sec. 2.3(b) by investigative agencies. We are adding
this express prohibition on the use of records obtained in violation of
part 2 to counterbalance the latitude provided to investigative
agencies and to disincentivize improper uses of information to support
applications for court orders.
Section 2.67--Orders Authorizing the Use of Undercover Agents and
Informants To Investigate Employees or Agents of a Part 2 Program in
Connection With a Criminal Matter
Proposed Rule
Section 2.67 authorizes the placement of an undercover agent in a
part 2 program as an employee or patient by law enforcement or a
prosecutorial agency pursuant to court order when the law enforcement
organization has reason to believe the employees of the part 2 program
are engaged in criminal misconduct. Paragraph (a) authorizes the
application of an order by law enforcement or prosecutorial agencies
for placement of undercover agents or informants in part 2 program
based on
[[Page 12577]]
reason to believe criminal activity is taking place. Paragraph (c)
includes the ``good cause'' criteria by which an order under this
section may be entered.
The Department proposed to replace the phrase ``law enforcement or
prosecutorial'' with ``investigative'' in paragraph (a), and clarify
that the good cause criteria for a court order in paragraph (c)(2)
includes circumstances when obtaining the evidence another way would
``yield incomplete evidence.'' The Department also proposed to create a
new paragraph (c)(4) addressing investigative agencies' retroactive
applications for a court order authorizing placement of an undercover
informant or agent to investigate a part 2 program or its employees
when utilizing the safe harbor under Sec. 2.3. This provision would
require the investigative agency to satisfy the conditions at proposed
Sec. 2.3(b) before applying for a court order for part 2 records after
discovering that it unknowingly had received such records.
Comment
Several commenters, including a large health system and managed
care organization, expressed support for the requirement that an
investigative agency placing an undercover agent or informant must seek
a court order and promote strict adherence to the requirements,
including limitations and restrictions on uses and disclosures of part
2 information, of the court order. One of the commenters asserted that,
if finalized, the proposal may ensure appropriate conduct by local and
state agencies.
Response
We appreciate the comments.
Comment
One commenter, a regional state-based Medicaid fraud unit,
recommended that the Department define or issue guidance about the
meaning of ``yield incomplete evidence.''
Response
Paragraph (c)(3) addresses one of the criteria under which a court
must make a good cause determination for the entry of an order
permitting placement of an undercover agent by an investigative agency,
and requires a finding that other ways of obtaining information are not
available or would ``yield incomplete evidence.'' We believe the court
evaluating the application of this criterion is best situated to
determine the facts and whether those facts support this finding.
Comment
An individual commenter expressed strong concern that proposed
Sec. 2.67 represents an unnecessary concession to law enforcement.
Citing what this individual believes to be a prior concession in the
2020 rulemaking related to an extension of time from six to twelve
months in which an undercover agent could be placed in a part 2
program,\313\ this commenter expressed the belief that this proposal
relies on a second concession, grounded in ``convenience'' for law
enforcement, that uses the ``good cause'' criteria for a court order in
paragraph (c)(2) as a justification in circumstances when obtaining the
evidence another way would ``yield incomplete evidence.'' This
commenter specifically objected to modifying the current language in
paragraph (c)(2) by adding ``or would yield incomplete evidence'' after
``other ways of obtaining evidence of the suspected criminal activity
are not available or would not be effective.''
---------------------------------------------------------------------------
\313\ 85 FR 42986, 43039.
---------------------------------------------------------------------------
Response
We appreciate the sentiment expressed in this comment, but believe
that the newly imposed statutory civil penalties require us to
consider, and finalize, a more workable standard for law enforcement.
We also believe that the commenter fails to appreciate the difficulty
in determining at times whether a health care entity has records that
are subject to part 2. The need for a means for law enforcement to
investigate crimes related to activity by part 2 programs or their
employees remains a reality, as does the need to keep sensitive records
confidential. Overall, we believe that because the standard applied
will be adjudicated by a court of competent jurisdiction from which
appeals may be taken, the modified criteria are appropriate.
Final Rule
The final rule adopts Sec. 2.67 as proposed with one additional
modification to paragraph (c)(4) to clarify that with respect to an
application submitted after the placement of an undercover agent or
informant has already occurred, the applicant is prohibited from using
information from records obtained in violation of part 2 by that
undercover agent or informant. We adopt this modification in response
to those public comments expressing concern about the potential for
misuse of the limitation on liability established in Sec. 2.3(b) to
persons who, under the purview of investigative agencies, are granted
safe harbor for unknowingly and in good faith obtaining part 2 records.
Similar to our consideration of comments in response to Sec. 2.66, we
believe the express prohibition on the use of records obtained in
violation of part 2 will disincentivize improper uses of information to
support applications for court orders.
Section 2.68--Report to the Secretary
Proposed Rule
The Department proposed to create a new Sec. 2.68 to require
investigative agencies to file an annual report with the Secretary of
the applications for court orders filed after obtaining records in an
investigation or prosecution of a part 2 program or holder of records
under Sec. 2.66(a)(3)(ii) and after placement of an undercover agent
or informant under Sec. 2.67(c)(4). The report as proposed would also
include the number of instances in which such applications were denied
due to findings by the court of violations of this part during the
calendar year, and the number of instances in which the investigative
agency returned or destroyed part 2 records following unknowing receipt
without a court order, in compliance with Sec. 2.66(a)(3)(iii), (iv),
or (v), respectively during the calendar year. The Department proposed
that such reports would be due within 60 days following the end of the
calendar year. The comments and the Department's responses regarding
Sec. 2.68 are set forth below.
Comment
A state government asserted that requiring investigative agencies
to file an annual report of the number of applications for court
orders, the number of requests for court orders denied, and the number
of instances of records returned following unknowing receipt without a
court order could be extremely time consuming and unduly burdensome.
Further, according to this commenter, calendar year reporting of this
data does not align with Federal and state fiscal year reporting
causing additional burden on investigative agencies.
Response
We appreciate the comment. An investigative agency should file a
court order in advance of receiving part 2 records or placing an
undercover agent or informant in a part 2 program in accordance with
Sec. Sec. 2.66 and 2.67, respectively. A report is only required for
investigative agencies that discover in good faith that they received
part 2 records that required a court order in
[[Page 12578]]
advance and a court order was not initially sought. Additionally, we
did not receive data in public comments from investigative agencies
about how frequently this occurs, and we will monitor this requirement
after the final rule to gain an understanding of how widespread these
retroactive discoveries are. To limit the burden, the Department has
made this an annual report, rather than per incident reporting, with 60
days to compile the data after the end of the calendar year. And the
calendar year reporting aligns with the HIPAA breach reporting
requirements for breaches of unsecured PHI affecting fewer than 500
individuals. Also, the Federal, state, and local fiscal year reporting
dates may differ across jurisdictions, and it is not feasible for the
Department to align all reporting dates.
Comment
The Department received a few supportive comments about the
benefits of the annual reporting requirement, which may include:
assuring appropriate conduct by local and state investigative agencies;
assuring ongoing compliance; auditing the use of the limitation on
liability within this regulation; and promoting the privacy and
security of part 2 information.
Response
We appreciate the comments.
Comment
One commenter asked: (1) how the Department will advise Federal,
state, and local law enforcement about the requirement to submit annual
reports; (2) what the consequences of failing to submit an annual
report will be; (3) what the purpose is and what criteria the
Department will apply; and (4) how the Department will use the
information in the annual reports to safeguard patient privacy rights
and improve law enforcement's understanding of the rule.
Response
We appreciate the comment. A report is only required for
investigative agencies that discover in good faith that they have
received part 2 records for which a court order was required in advance
and that a court order was not initially sought. We do not have data on
how frequently this occurs and one purpose of the requirement is to
gain an understanding of how widespread these retroactive discoveries
are. The consequences of failing to meet the reporting requirement are
the same as for other violations of the part 2 rule under the newly
established penalties, which utilize the four culpability tiers that are
applied to HIPAA violations; however, part 2 programs, covered
entities, and business associates that create or maintain part 2
records are the primary focus of this regulation. In determining
compliance with the safe harbor reporting requirement, the Department
would focus on an investigative agency rather than an employee of that
agency. The Department will provide guidance or instructions on how to
submit the reports to the Secretary on its website and through press
releases and OCR listserv announcements.\314\ The reporting obligation
is not intended to be a public reporting requirement, but for the
Department's internal use in evaluating the utility and effectiveness
of the safe harbor provision in Sec. 2.3. The Department will review
the annual reports and consider what guidance or other resources are
needed by investigative agencies that are lawful holders of part 2
records.
---------------------------------------------------------------------------
\314\ OCR has established two listservs to inform the public
about health information privacy and security FAQs, guidance, and
technical assistance materials. To sign up for the OCR Privacy &
Security Listserv, visit: https://www.hhs.gov/hipaa/for-professionals/list-serve/index.html.
---------------------------------------------------------------------------
Final Rule
The final rule adopts the proposed language of new Sec. 2.68,
without modification.
Re-Ordering ``Disclosure and Use'' to ``Use and Disclosure''
Proposal
The Department proposed throughout the NPRM to re-order the terms
``disclosure and use'' in the part 2 regulation to ``use and
disclosure.'' \315\ The new order of these terms is consistent with
their usage in the HIPAA Privacy Rule which generally regulates the
``use and disclosure'' of PHI and relies on the phrase as a term of
art.\316\
---------------------------------------------------------------------------
\315\ See 87 FR 74216, 74225, fn 109.
\316\ Consistently, the Department refers to ``uses and
disclosures'' or ``use and disclosure'' in the HIPAA Privacy Rule.
See, e.g., 45 CFR 164.502 Uses and disclosures of protected health
information: General rules.
---------------------------------------------------------------------------
Comment
The Department received no substantive comments other than a few
commenters that expressed general support for re-ordering terms to
align with the HIPAA Privacy Rule.
Final Rule
The final rule adopts each proposal to re-order these terms,\317\
although not discussed in detail here. As stated in the NPRM, we
believe these changes fall within the scope of our regulatory authority
and further the intent and implementation of the CARES Act by improving
the ability of regulated entities to use and disclose records subject
to protection by part 2 and HIPAA.
---------------------------------------------------------------------------
\317\ See final regulatory text for Sec. 2.2(a)(2) and (3) and
(b)(1); Sec. 2.12(c)(5) and (6); Sec. 2.13(a) and (b); Sec.
2.21(b); Sec. 2.34(b); Sec. 2.35(d); Sec. 2.53(a), (b)(1)(iii),
(e)(1)(iii), (e)(6), (f); subpart E heading; Sec. 2.61(a); Sec.
2.62; Sec. 2.65 heading, (a), (d), (e) introductory text, and
(e)(1) and (3); Sec. 2.66 heading, (a)(1), and (d).
---------------------------------------------------------------------------
Inserting ``Use'' or ``Disclose'' To Reflect the Scope of Activity
Proposal
The Department also proposed to add the term (or related forms of
the term) ``use'' where only the term ``disclose'' was present in the
part 2 regulation or in some cases the term ``disclose'' (or related
forms) where only the term ``use'' was present.\318\ This proposed
change was intended to more accurately describe the scope of the
activity that is the subject of the regulatory provision. In the NPRM,
the Department described these changes as non-substantive, but we did
receive comments opining in some instances that adding the term ``use''
in particular changes the scope of part 2. We also explained in the
NPRM that we believe these changes are necessary to align with changes
made to 42 U.S.C. 290dd-2(b)(1)(A), as amended by section 3221(b) of
the CARES Act (providing that part 2 records may be used or disclosed
in accordance with prior written consent); to 42 U.S.C. 290dd-
2(b)(1)(B) and (b)(1)(C), as amended by section 3221(b) of the CARES
Act (providing that the contents of part 2 records may be used or
disclosed by covered entities, business associates, or part 2 programs
as permitted by the HIPAA regulations for TPO purposes); and to 42
U.S.C. 290dd-2(c), as amended by section 3221(e) of the CARES Act
(prohibiting disclosure and use of part 2 records in proceedings
against the patient).
---------------------------------------------------------------------------
\318\ See 87 FR 74216, 74225, fn 111.
---------------------------------------------------------------------------
Overview of General Comments
The Department requested comment on these proposed modifications
and received generally supportive or positive comments in response.
Several commenters suggested the Department go further than the
proposed changes and the proposed definition of ``use'' by adopting the
HIPAA definitions of ``use'' and ``disclosure'' to further align part 2
with the HIPAA regulations. A few HIE associations indicated that they
did not believe that the addition of ``use'' or ``uses'' to existing
regulatory text would substantively expand the
[[Page 12579]]
scope of requirements and prohibitions where previously the text stated
only ``disclosure.'' One commenter stated the addition of ``use'' or
``uses'' may actually narrow the scope for which part 2 data can be
obtained, as disclosure does not require the implication that the data
is being used for TPO and could just be held by an entity. A state
agency said that it would not anticipate adverse consequences to part 2
programs or to its own operations from the revisions throughout the
rule that add the terms ``use'' or ``uses'' to references to
``disclose'' or ``disclosure.''
A health plan said that these changes may limit confusion around
obligations with respect to ``use'' and ``disclose.'' The plan said
that these words are often considered terms of art in contracts and
other privacy-related policies and documents. As such, clarifying when
requirements apply to either or both terms by re-ordering or adding
such terms to provisions may help covered entities and their business
associates better understand their regulatory requirements under a
final rule.
Another health plan supported these changes asserting that with
this understanding, a part 2 record could be both used and disclosed
for purposes related to the provision of care, but also for purposes
such as the initiation of a legal proceeding. This change, the
commenter said, can be supported by revising the definition within the
HIPAA regulations.
An advocacy organization agreed with the Department that these
changes are not substantive in nature, given that under part 2 and
HIPAA, ``use'' and ``disclosure'' can be mutually exclusive,
independent actions, and that the proposed definition of ``use'' is
inclusive of the historical definition of ``use'' related to legal
proceedings under part 2. A provider said this change adds clarity and
better aligns the proposed rule with HIPAA terminology.
A health IT vendor had no concerns with expanding the focus of the
part 2 regulations to make reference to uses in addition to disclosures
in the regulatory text in a manner consistent with the HIPAA Privacy
Rule construction for how uses and disclosures are defined and used
throughout the HIPAA Privacy Rule. The commenter opined that part 2
regulations have not addressed the uses of SUD records for purposes
within part 2 programs as they have focused on how disclosure and
redisclosure of part 2 records must be handled. However, the proposed
changes seem appropriate to this commenter for purposes of parallel
structure and regulatory consistency between part 2 and the HIPAA
Privacy Rule.
A provider contended that this change is necessary and within the
Department's regulatory authority, even if not expressly included in
the CARES Act. A health system characterized this proposal as a good
basic change that sets the stage for several other proposed changes
toward meeting the goal of aligning with HIPAA. This change also may
help reduce the existing differences in describing how we manage and
protect our patients' health information across service locations.
Comment on Specific Sections
A few commenters expressed support for proposed changes to
replace the phrase ``disclosure and use'' by re-ordering the phrase to
``use or disclosure'' at Sec. 2.2(a) introductory text, (a)(4), and
(b)(1), to align the language with that used in the HIPAA Privacy Rule.
A health plan expressed support for proposed changes to
Sec. 2.13 for adding the term ``use'' to clarify that confidentiality
restrictions and safeguards apply to both uses and disclosures.
A few commenters expressed support for adding the term
``disclosure'' to Sec. 2.23.
Response
We appreciate the comments about these changes. We decline to adopt
the HIPAA formal definitions for the terms ``use'' or ``disclosure'' or
change the definitions of the terms in the HIPAA Privacy Rule as we
believe their application is understood as applied to part 2 records
and PHI, respectively. The overall sentiment of the comments is that
these modifications bring clarity and understanding about how the
terms are used across the two regulations. The Department disagrees
with the suggestion that adding the term ``use'' in some cases may
narrow the scope of activity under part 2. In no regulatory provision
are we changing the term ``disclose'' to ``use'' and we remind
stakeholders that many TPO activities contemplate ``uses.''
Overview of Final Rule
The final rule adopts all proposed modifications to add the term
``use'' or some form of it or ``disclose'' or some form of it to the
scope of certain covered activities under part 2. The Department also
defines the term ``use'' in regulation (discussed above in Sec.
2.11).\319\ As discussed in the NPRM, historically, the part 2
regulation associated ``use'' with the initiation of legal proceedings
against a patient and associated ``disclosure'' with sharing records to
an external entity. In contrast, the HIPAA Privacy Rule applies the
term ``use'' to refer to internal use of health information within an
entity, such as access by staff members.\320\ The part 2 and HIPAA
definitions for the term ``disclose'' are fairly consistent \321\ and
therefore a part 2 record can be both used and disclosed for purposes
related to the provision of health care and for purposes such as the
initiation of a legal proceeding. Where made, these changes are also
consistent with section 3221(b) of the CARES Act that addresses
permissions and restrictions for both uses and disclosures of records
for TPO purposes by part 2 programs and covered entities, and
proscribes the rules related to certain legal proceedings.
---------------------------------------------------------------------------
\319\ See final regulatory text of: Sec. 2.2(a)(2) and (3) and
(b)(1); Sec. 2.12(a)(1) and (2), (c)(3) and (4), (d)(2) and (3),
(e)(3); Sec. 2.13(a); Sec. 2.14(a) and (b); Sec. 2.15(a)(2) and
(b); Sec. 2.17(b); Sec. 2.20; Sec. 2.23 heading and (b); subpart
C heading; Sec. 2.31(a) introductory text and (a)(4)(ii)(B); Sec.
2.32(a)(2); Sec. 2.33 heading, (a), and (b); Sec. 2.34 heading;
subpart D heading; Sec. 2.52(a); Sec. 2.53(a)(5); Sec. 2.61(a)
and (b)(1) and (2); Sec. 2.64 heading, (a), (d)(2), and (e); Sec.
2.65(a), (d) introductory text, (d)(2), (e) introductory text,
(e)(1) and (2); Sec. 2.66(d)(2); Sec. 2.67(d)(3) and (e).
\320\ 87 FR 74232.
\321\ 42 CFR 2.11, definition of ``Disclose.'' 45 CFR 160.103,
definition of ``Disclosure.''
---------------------------------------------------------------------------
Antidiscrimination Protections, Stigma and Discrimination
Overview
As noted in the NPRM and above, paragraph (g) of section 3221 of
the CARES Act, Antidiscrimination, adds a new provision (i)(1) to 42
U.S.C. 290dd-2 to prohibit discrimination against an individual based
on their part 2 records. We stated in the NPRM and reiterate that the
Department intends to develop a separate rulemaking to implement the
CARES Act antidiscrimination prohibitions. Nonetheless, we received
several comments on antidiscrimination requirements as well as more
general concerns about stigma and discrimination. While these comments
are outside the scope of this rulemaking, we briefly summarize and
respond to these comments below.
Comments and Response
Comments we received on antidiscrimination issues addressed such
topics as:
Antidiscrimination rulemaking
Harmful consequences to patients
Increased reluctance to enter SUD treatment
Stigma and discrimination in the context of criminalization
and racial disparities
Statistics on stigma and discrimination
[[Page 12580]]
Unwillingness to disclose SUD treatment
Timing of SUD treatment regulatory framework
Considering stigma in regulatory updates
Most commenters also addressed issues other than antidiscrimination
topics and their comments on other provisions of part 2 were fully
considered along with other comments received to the NPRM docket.
Some commenters, including medical professionals associations,
advocacy organizations, a trade association, a government agency, a
provider-other, a health system, SUD providers, a consultant, a
researcher, a law enforcement organization, and individuals urged the
Department to expedite the rulemaking implementing the CARES Act
antidiscrimination protections, or to put this rulemaking on hold until
the antidiscrimination protections are in place. Some commenters such
as SUD providers, recovery organizations, individuals, and advocacy
organizations also expressed concern about significant stigma
associated with SUD and SUD treatment. Several commenters, including
advocacy organizations, a professional association, a government
agency, and a health plan, cited reports, survey results, and
statistics they believed reflect the stigma associated with addiction
that continues to influence the perceptions and behaviors of health
care professionals and continues to influence patients to avoid SUD
treatment.
Commenters described the many potential adverse outcomes that they
say privacy protections help prevent, including discrimination in child
custody, denial of life insurance, loss of employment, discrimination
in health care decision making, and criminal charges, among many
others. Some commenters also asserted that under the current
regulations there are patients that are unwilling to disclose SUD
treatment to caregivers or unwilling to enter treatment due to the
concern surrounding stigma and discrimination.
Several commenters, including a mental health provider, medical
professionals' associations, and a few individuals, suggested that the
proposed rule may increase the reluctance of patients to seek help for
SUD. Commenters pointed to such potential issues as patients being
unsure of how information will be used or having SUD information used
against them. Additionally, several commenters, including an advocacy
organization, and individual commenters addressed the effects of stigma
and discrimination related to SUD and SUD treatment in the context of
criminalization and racial disparities.
Response
We acknowledge and appreciate comments asking us to expedite
promulgation of the required antidiscrimination provisions and raising
concerns about the continued impacts of discrimination and stigma
within health care and other settings. As noted, we intend to issue a
separate proposed regulation for part 2 antidiscrimination provisions
after this rule is finalized. For that reason, as detailed in the NPRM,
we also decline to hold publication of this rule until the
antidiscrimination provisions also are proposed and finalized. As
explained, comments on the NPRM concerning antidiscrimination
requirements are beyond the scope of this rulemaking. However, we will
take all comments received into account as we issue the forthcoming
antidiscrimination provisions of part 2. We further encourage these
commenters and others to provide input on the forthcoming proposed rule
containing the antidiscrimination provisions.
V. Regulatory Impact Analysis
A. Executive Orders 12866 and 13563 and Related Executive Orders on
Regulatory Review
The Department has examined the impact of the final rule as
required by Executive Order (E.O.) 12866 on Regulatory Planning and
Review as amended by E.O. 14094, 58 FR 51735 (October 4, 1993); E.O.
13563 on Improving Regulation and Regulatory Review, 76 FR 3821
(January 21, 2011); E.O. 13132 on Federalism, 64 FR 43255 (August 10,
1999); E.O. 13175 on Consultation and Coordination with Indian Tribal
Governments, 65 FR 67249 (November 9, 2000); the Congressional Review
Act, Public Law 104-121, sec. 251, 110 Stat. 847 (March 29, 1996); the
Unfunded Mandates Reform Act of 1995, Public Law 104-4, 109 Stat. 48
(March 22, 1995); the Regulatory Flexibility Act, Public Law 96-354, 94
Stat. 1164 (September 19, 1980); E.O. 13272 on Proper Consideration of
Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the
Assessment of Federal Regulations and Policies on Families, Public Law
105-277, sec. 654, 112 Stat. 2681 (October 21, 1998); and the Paperwork
Reduction Act (PRA) of 1995, Public Law 104-13, 109 Stat. 163 (May 22,
1995).
E.O.s 12866 and 13563 direct us to assess all costs and benefits of
available regulatory alternatives and, when regulation is necessary, to
select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety, and other
advantages; distributive impacts; and equity). Section 3(f) of E.O.
12866 (as amended by E.O. 14094) defines a ``significant regulatory
action'' as any regulatory action that is likely to result in a rule
that may: (1) have an annual effect on the economy of $200 million or
more (adjusted every 3 years by the Administrator of the Office of
Information and Regulatory Affairs (OIRA) for changes in gross domestic
product); or adversely affect in a material way the economy, a sector
of the economy, productivity, competition, jobs, the environment,
public health or safety, or State, local, territorial, or Tribal
governments or communities; (2) create a serious inconsistency or
otherwise interfere with an action taken or planned by another agency;
(3) materially alter the budgetary impact of entitlements, grants, user
fees, or loan programs or the rights and obligations of recipients
thereof; or (4) raise legal or policy issues for which centralized
review would meaningfully further the President's priorities or the
principles set forth in this E.O., as specifically authorized in a
timely manner by the Administrator of OIRA in each case.
This final rule is partially regulatory and partially deregulatory.
The Department estimates that the effects of the final rule for part 2
programs would result in new costs of $26,141,649 within 12 months of
implementing the final rule. The Department estimates these first-year
costs would be partially offset by $13,421,556 of first year cost
savings, attributable to reductions in the need for part 2 programs to
obtain written patient consent for disclosures for treatment, payment,
or health care operations (TPO) ($10.3 million); reductions in the need
for covered entities, business associates, and part 2 programs to
obtain written patient consent for redisclosures ($2.6 million); and
reductions in capital expenses for printing consent forms ($0.5
million). This results in an estimated net cost of $12,720,093 in the
first year of the rule. This is followed by net savings of
approximately $5.2 to $5.4 million annually in years two through five,
resulting from a continuation of the first-year cost savings of $13.4
million per year, minus varying Federal costs at approximately $2.3 to
$2.6 million in years 1 to 5 and the estimated annual
[[Page 12581]]
costs of $5.7 million primarily attributable to compliance with
attaching consent forms with every disclosure and breach notification
requirements. This results in overall net cost savings of $8,445,536
over 5 years for changes to 42 CFR part 2.
The Department estimates that the private sector would bear
approximately 60 percent of the costs, with state and Federal health
plans bearing the remaining 40 percent of the costs. All of the cost
savings experienced from the first year through subsequent years would
benefit part 2 programs and covered entities. This final rule is a
significant regulatory action, under sec. 3(f) of E.O. 12866 (as
amended by E.O. 14094). Accordingly, the Office of Management and
Budget (OMB) has reviewed this final rule.
The Department presents a detailed analysis below.
Summary of the Final Rule
This final rule modifies 42 CFR part 2 (``part 2'') to implement
changes required by section 3221 of the Coronavirus Aid, Relief, and
Economic Security (CARES) Act, to further align part 2 with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Rules, and
for clarity and consistency. Major changes are summarized in the
preamble.
The Department estimates that the first-year costs for part 2
programs will total approximately $26.1 million in 2022 dollars. These
first-year costs are attributable to part 2 programs training workforce
members on the revised requirements ($13.3 million); capital expenses
($0.9 million); compliance with breach notification requirements ($1.6
million); updating Patient Notices ($2.6 million); attaching consent
forms for disclosures ($2.9 million); updating consent forms ($1.7
million); updating the notice to accompany disclosures ($0.7 million);
and costs to the Department for part 2 enforcement and compliance ($2.3
million). It also includes nominal costs for responding to requests for
privacy protection, providing accounting of disclosures, $32,238 for
receiving complaints, and $61,726 for investigative agencies to file
reports to the Secretary. For years 2 through 5, the estimated annual
costs of $5.7 million are primarily attributable to compliance with
attaching consent forms and breach notification requirements and
related capital expenses, on top of variable Federal costs amounting to
roughly $2.3 to $2.5 million from years 1 to 5.
The Department estimates annual cost savings of $13.4 million per
year, over 5 years, attributable to reductions in the need for part 2
programs to obtain written patient consent for disclosures for TPO
($10.3 million), reductions in the need for covered entities and
business associates to obtain written patient consent for redisclosures
($2.6 million), and reductions in capital expenses for printing consent
forms ($0.5 million).\322\
---------------------------------------------------------------------------
\322\ Totals in this Regulatory Impact Analysis may not add up
due to showing rounded numbers in the tables.
---------------------------------------------------------------------------
The Department estimates net costs for part 2 programs totaling
approximately $12.7 million in the first year followed by net savings
of approximately $5.2 to $5.4 million in years 2 to 5, resulting in
overall net cost savings of approximately $8.4 million over 5 years.
The yearly costs, cost-savings and net for part 2 are displayed in
Table 1 below.
[GRAPHIC] [TIFF OMITTED] TR16FE24.011
Need for the Final Rule
On March 27, 2020, Congress enacted the CARES Act as Public Law
116-136. Section 3221 of the CARES Act amended 42 U.S.C. 290dd-2, the
statute that establishes requirements regarding the confidentiality and
disclosure of certain records relating to SUD, and section 3221(i) of
the CARES Act requires the Secretary to promulgate regulations
implementing those amendments.\323\ With this final rule, the
Department changes part 2 to implement section 3221 of the CARES Act,
increase clarity, and decrease compliance burdens for regulated
entities. The Department believes the changes will reduce the need for
data segmentation within entities subject to the regulatory
requirements promulgated under part 2.
---------------------------------------------------------------------------
\323\ Section 3221(i) of the CARES Act requires implementation
on or after the date that is 12 months after the enactment of the
CARES Act, i.e., March 27, 2021.
---------------------------------------------------------------------------
Significant differences in the permitted uses and disclosures of
part 2 records and protected health information (PHI) as defined under
the
[[Page 12582]]
HIPAA Privacy Rule contribute to ongoing operational compliance
challenges. For example, under the previous rule, entities subject to
part 2 had to obtain prior written consent for most uses and disclosures
of part 2 records, including for TPO, while the HIPAA Privacy Rule
permits many uses and disclosures of PHI without authorization.
Therefore, to comply with both sets of regulations, HIPAA covered
entities subject to part 2 must track and segregate part 2 records from
other health records (e.g., records that are protected under the HIPAA
regulations but not part 2).\324\
---------------------------------------------------------------------------
\324\ For example, a clinic that provides general medical
services, and has a unit specializing in SUD treatment that is a
part 2 program, would need to segregate its SUD records from other
medical records, even for the same patient, to ensure that the SUD
records are used and disclosed only as permitted by part 2.
---------------------------------------------------------------------------
In addition, once PHI is disclosed to an entity not covered by
HIPAA, it is no longer protected by the HIPAA regulations. In contrast,
part 2 strictly limits redisclosures of part 2 records by individuals
or entities that receive a record directly from a part 2 program or
other ``lawful holder'' of patient identifying information, absent
written patient consent.\325\ \326\ Therefore, any part 2
records received from a part 2 program or other lawful holder must be
segregated or segmented from non-part 2 records.\327\ The need to
segment part 2 records from other health records creates data ``silos''
that hamper the integration of SUD treatment records into entities'
electronic record systems and billing processes, which in turn may
impact the ability to integrate treatment for behavioral health
conditions and other health conditions.\328\ Many stakeholders,
including public commenters on the NPRM, have urged the Department to
take action to eliminate the need for such data segmentation,\329\ and
the Department believes this final rule will reduce the need for data
segmentation or tracking. Where segmentation may be necessary, we
encourage the use of data standards adopted by ONC on behalf of HHS in
45 CFR part 170, subpart B, and referenced in the ONC Health IT
Certification Program certification criteria for security labels and
segmentation of sensitive health data.
---------------------------------------------------------------------------
\325\ See 42 CFR 2.12(d)(2)(i)(C).
\326\ See definition of ``Patient identifying information'' in
42 CFR 2.11. See also definition of ``Disclose'' in 42 CFR 2.11.
\327\ See 42 CFR 2.12(d)(2)(ii).
\328\ Dennis McCarty, Traci Rieckmann, Robin L. Baker, et al.,
``The Perceived Impact of 42 CFR part 2 on Coordination and
Integration of Care: A Qualitative Analysis,'' Psychiatric Services
(Nov. 2016), https://doi.org/10.1176/appi.ps.201600138.
\329\ For example, the Ohio Behavioral Health Providers Network
(Network) in an August 21, 2020, letter to SAMHSA, and the
Partnership to Amend Part 2 in a similar January 8, 2021, letter to
the U.S. Department of Health and Human Services (HHS), both urge
that there should be no requirement for data segmentation or
segregation after written consent is obtained and part 2 records are
transmitted to a health information exchange or care management
entity that is a business associate of a covered entity covered by
the new CARES Act consent language. In the letter, the Network
states that such requirements are difficult to implement in health
centers and other integrated settings in which SUD treatment may be
provided. See also public comments expressed and summarized in 85 FR
42986 (July 15, 2020); and see Letter from The Partnership to Amend
42 CFR part 2 to HHS Secretary Becerra (Jan. 8, 2021), https://aahd.us/wp-content/uploads/2021/01/PartnershipRecommendationsforNextPart2-uleLtrtoNomineeBecerra_01082021.pdf.
---------------------------------------------------------------------------
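The segregation and tracking obligation described in this paragraph and in footnote 324 is what security labels are meant to make enforceable: the label, not the identity of the current holder, decides whether a record may leave. The following Python is an added illustration written for this page, not code from HHS, ONC or HL7. It tags records created by a clinic's SUD unit with part 2 labels, releases a labelled record only under a written consent that names the recipient and purpose, keeps the labels on every disclosed copy so a downstream lawful holder applies the same redisclosure limit, and shows how a general-medicine chart view loses the SUD records when no consent is on file (the data silo the paragraph describes). The label codes (42CFRPart2, ETH, R, NORDSCLCD) and terminology URLs are assumed from HL7 v3 ActCode, v3-Confidentiality and the DS4P guide and should be checked against the published code systems; the records, consent and dates are constructed sample data.

```python
"""Security-label gate for 42 CFR part 2 records (added illustration).

Models the obligation described above: a part 2 program, or any lawful
holder, may release a part 2 record only under a written consent naming
the recipient and purpose, while other PHI moves under HIPAA TPO; the
labels travel with every disclosed copy so the recipient can apply the
same redisclosure limit. Not HHS, ONC or HL7 code.
"""
from dataclasses import dataclass, replace
from datetime import date

# Label codes assumed from HL7 v3 ActCode / v3-Confidentiality as used by
# the DS4P guide; check them against the published code systems.
ACTCODE = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
CONFCODE = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
PART2_POLICY = "42CFRPart2"   # privacy-law policy: record is under part 2
SENS_SUD = "ETH"              # sensitivity: substance use information
CONF_RESTRICTED = "R"         # confidentiality: restricted
NO_REDISCLOSE = "NORDSCLCD"   # handling: no redisclosure without consent

TPO_PURPOSES = frozenset({"TREATMENT", "PAYMENT", "OPERATIONS"})
TODAY = date(2024, 4, 16)     # constructed reference date for the sample


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    text: str
    labels: frozenset = frozenset()   # FHIR meta.security-style codes
    origin: str = "GEN-MED"           # unit that created the record

    @property
    def is_part2(self) -> bool:
        return PART2_POLICY in self.labels


@dataclass(frozen=True)
class Consent:
    """Written patient consent: who may receive, for what, until when."""
    patient_id: str
    recipient: str
    purposes: frozenset
    expires: date


def label_part2(rec: Record) -> Record:
    """Tag a record created by the SUD unit so it is tracked as part 2."""
    tags = {PART2_POLICY, SENS_SUD, CONF_RESTRICTED, NO_REDISCLOSE}
    return replace(rec, labels=rec.labels | tags)


def fhir_security(rec: Record) -> list:
    """Render labels as FHIR meta.security codings so they ride with the data."""
    return [{"system": CONFCODE if code == CONF_RESTRICTED else ACTCODE,
             "code": code} for code in sorted(rec.labels)]


def consent_covers(consents, rec, recipient, purpose, today) -> bool:
    """True if an unexpired consent for this patient names recipient and purpose."""
    return any(c.patient_id == rec.patient_id and c.recipient == recipient
               and purpose in c.purposes and c.expires >= today
               for c in consents)


def disclose(rec, recipient, purpose, consents, today=TODAY) -> Record:
    """Return the copy to hand to `recipient`, or raise PermissionError.

    The same check applies whether the holder is the originating program
    or a downstream lawful holder: the label, not the holder, decides.
    """
    if rec.is_part2:
        if not consent_covers(consents, rec, recipient, purpose, today):
            raise PermissionError(f"{rec.record_id}: part 2 record needs written consent")
        return replace(rec)   # labels (incl. NORDSCLCD) stay on the copy
    # Non-part-2 PHI: HIPAA permits TPO without authorization; other
    # purposes are modeled as needing a consent entry (HIPAA's remaining
    # permissions, e.g. public health, are out of scope for this example).
    if purpose in TPO_PURPOSES or consent_covers(consents, rec, recipient, purpose, today):
        return replace(rec)
    raise PermissionError(f"{rec.record_id}: no HIPAA permission for {purpose}")


def permitted(rec, recipient, purpose, consents, today=TODAY) -> bool:
    """Boolean form of disclose() for policy checks and tests."""
    try:
        disclose(rec, recipient, purpose, consents, today)
        return True
    except PermissionError:
        return False


def chart_view(records, viewer, purpose, consents, today=TODAY) -> list:
    """What `viewer` sees: part 2 items drop out absent consent (the silo)."""
    return [r for r in records if permitted(r, viewer, purpose, consents, today)]


def sample():
    """Constructed data: one patient seen by both units of one clinic."""
    pt = "pt-001"
    gen = Record("r1", pt, "Hypertension follow-up")
    sud = label_part2(Record("r2", pt, "MOUD induction visit", origin="SUD-UNIT"))
    consents = [Consent(pt, "HealthPlanA", frozenset({"PAYMENT"}), date(2025, 1, 1))]
    return gen, sud, consents


if __name__ == "__main__":
    gen, sud, consents = sample()
    print([r.record_id for r in chart_view([gen, sud], "DrGeneral", "TREATMENT", consents)])
    print(fhir_security(disclose(sud, "HealthPlanA", "PAYMENT", consents)))
```

The design point is that the copy returned by disclose() carries the same labels as the original, so the health plan that received it cannot pass it to a third party through the same gate without its own consent entry; that is the "lawful holder" limit in the text, and it is only enforceable downstream if the label survives the transfer, which is why the FHIR meta.security rendering matters more than the local access check.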
Response to Public Comment
The Department requested public comment on all aspects of the
proposed amendments to the regulations at 42 CFR part 2,
Confidentiality of Substance Use Disorder Patient Records. Seventy-two
commenters, both individuals and organizations, offered views on
various aspects related to the Regulatory Impact Analysis (RIA).
Comments from organizations who expressed support for specific
issues in the NPRM pointed to a decrease in the administrative burden
and cost on providers, an increase in access to care, a decrease in
costs for patients, and a general improvement in communication within
the industry. One organization suggested that the changes in the rule
will allow for streamlining care by decreasing the number of times the
provider must ask for consent from the patient. Another organization
asserted that the proposed rule changes could help minimize the stigma
surrounding SUD treatment and help decrease the technical burdens that
the previous rules have caused.
Organizations and government entities who expressed opposition to
specific issues in the NPRM asserted that the changes would increase
costs and legal liability for both patients and providers, decrease the
quality of care, create additional administrative and technical
burdens, and be overly time consuming to follow. A government
organization asserted that most current electronic health care record
systems do not have the ability to give accountings of TPO disclosures,
which would force the entities using these systems to manually process
the information. This is a burdensome and time-consuming task,
according to the organization, as the entities may have to account for
disclosures for the previous six years. An organization argued that due
to differences in Patient Notice requirements for part 2 and HIPAA,
there may be different language for each privacy notice. Multiple
organizations asserted that changing the language of the privacy
notices is expensive, especially for larger organizations. One
organization suggested that the expanded requirement to provide TPO
accounting will lead to changes in the health care system and increased
costs for patients. Another organization argued that the separation of
part 2 data will lead to delays in care and threats to patient health
as providers may not be able to see a patient's full medical history,
which is necessary to give adequate care. One commenter argued that the
proposed change could weaken patient privacy and lead to the
information being misused in criminal investigations and court
proceedings. The commenter added that this change may also put an
additional burden on providers to counsel patients on the ethical and
constitutional considerations that go into signing the form.
Organizations and government entities who expressed mixed views on
the issues discussed in the NPRM agreed with the need for the rule
change and the general change itself but provided additional
comments on concerns related to specific topics such as TPO disclosures
and notices of privacy protections. One organization argued that HHS
should take into consideration the time and costs associated with
updating changes to the accounting of disclosures requirement and the
timeframe to implement these changes. Another organization requested
that accounting for TPO disclosures be delayed until regulations
pursuant to the HITECH Act are enacted. This commenter asserted that
applying the accounting requirement only to TPO disclosures made
through an electronic health care record creates a disincentive to
adopt electronic health care records, especially for small and rural
providers and those serving patients of color and other historically
underserved communities. Multiple organizations argued that if
discrepancies exist between part 2 and HIPAA, there may be
administrative burdens surrounding data segregation; for this reason,
they argued, part 2 and HIPAA need to be aligned as much as possible to
minimize impediments to critical care. One organization believed that it is
unnecessary for part 2 to include providing a copy of a patient's
consent and imposing retention periods on maintaining those consents
since other laws, such as HIPAA, CMS regulations, and state licensing
requirements already cover these requirements.
[[Page 12583]]
After reviewing the comment submissions, the Department is making
the following changes to this RIA, some of which result in changes to
the RIA analysis presented in the proposed rule.\330\ Changes to the
RIA also include updating wage rates and other cost factors to 2022
dollars to reflect more recent data, adding small quantitative burdens,
and qualitatively discussing changes from the proposed to the final
rule when unquantifiable.
---------------------------------------------------------------------------
\330\ Specific changes to the proposed rule RIA are discussed in
each of the RIA sections where applicable.
---------------------------------------------------------------------------
Adding a new quantitative recurring cost for receiving a
complaint;
Adding reference to the changes to the investigative
agency definition;
Adding a qualitative discussion of reasonable diligence
steps for the limitation on liability for investigative agencies and
their potential impacts on costs;
Increasing the time required and the number of responses
in the quantitative costs for the right to request restrictions;
Adding a qualitative discussion of requirements for
intermediaries;
Adding a qualitative discussion of the benefit associated
with the removal of data segmentation requirements;
Adding qualitative discussion of SUD counseling notes
which the Department does not expect to impose a quantifiable burden;
Adding a new quantitative recurring cost for the
requirement to attach consent with each disclosure or provide clear
description of scope of consent;
Including a clarification that qualified service
organizations (QSOs) are also subject to breach notification
requirements in the quantification of these costs;
Qualitatively discussing the impacts of part 2 programs
being required to notify recipients of a revocation of consent.
Cost-Benefit Analysis
a. Overview and Methodology
This RIA relies on the same data source used by SAMHSA for the
estimated number of part 2 programs in SAMHSA's 2020 Information
Collection Request (ICR) (``part 2 ICR'') \331\ and uses an updated
statistic from that source. The final rule also adopts the estimated
number of covered entities used in the Department's 2021 ICR for the
HIPAA Privacy Rule NPRM (``2021 HIPAA ICR''),\332\ as well as its cost
assumptions for many requirements of the HIPAA regulations, including
breach notification activities.
---------------------------------------------------------------------------
\331\ 85 FR 42986.
\332\ While the number of covered entities used in this final
rule was adopted from the 2021 ICR for the HIPAA Privacy Rule, these
numbers are also reflected in the more recent 2023 ICR for the HIPAA
Privacy Rule NPRM and are the most up to date numbers the Department
has. These ICRs may be found under OMB control # 0945-0003.
---------------------------------------------------------------------------
Although HIPAA was a component of the proposed rule and is not for
the final rule, the number of HIPAA covered entities (774,331) is
still used in some calculations of part 2 costs, such as for breach
notifications. When applying HIPAA cost assumptions to part 2 programs,
the Department multiplies the figures by 2 percent (.02), representing
the number of part 2 programs in proportion to the total number of
covered entities. In some instances, the estimates historically used by
the Department for similar regulatory requirements were developed based
on different methodologies, resulting in significantly different fiscal
projections for some required activities. This RIA adopts the approach
used for HIPAA's projected costs and cost savings.
In addition to the quantitative analyses of the effects of the
regulatory modifications, the Department analyzes some benefits and
burdens qualitatively; relatedly, there is uncertainty inherent in
predicting the actions that a diverse scope of regulated entities might
take in response to this final rule.
For reasons explained more fully below, the changes to the consent
requirements for part 2 programs and redisclosure permissions for
covered entities and business associates would result in economic cost
savings of approximately $67,107,778 over 5 years based on the final
rule changes. Table 2 presents the undiscounted and discounted costs
and cost savings figures over 5 years. All estimates are presented in
millions of year-2022 dollars, using 2024 as the base year for
discounting.
[[Page 12584]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.012
b. Baseline Assumptions
In developing its estimates of the potential costs and cost savings
of the final rule the Department relied substantially on recent prior
estimates for modifications to this regulation \333\ and the HIPAA
Privacy Rule \334\ and associated ICRs. Specifically, the part 2 ICR
data previously approved under OMB control #0930-0092 informs the
Department's estimates with respect to final rule modifications to part
2 provisions.\335\ However, for final rule part 2 provisions that are
based on provisions of the HIPAA regulations, the Department relies on
the HIPAA regulatory ICRs previously approved under OMB control # 0945-
0003 and updated consistent with the 2021 HIPAA Privacy Rule NPRM.\336\
---------------------------------------------------------------------------
\333\ See 83 FR 239 (Jan. 3, 2018) and 85 FR 42986.
\334\ 86 FR 6446 (Jan. 21, 2021).
\335\ 85 FR 42986.
\336\ 84 FR 51604 (Sept. 30, 2019). See also 86 FR 6446.
---------------------------------------------------------------------------
Because the Department lacks data to determine the percentage of
part 2 programs that are also subject to the HIPAA regulations, the
Department assumes for purposes of this analysis that the final rule
changes to part 2 would affect all part 2 programs equally--including
those programs that are also HIPAA covered entities, and thus already
are subject to requirements under the HIPAA regulations (e.g., breach
notification) that the Department incorporates into part 2. Thus, this
RIA likely overestimates the overall compliance burden on part 2
programs posed by the final rule. In contrast, this RIA likely
underestimates the cost savings of the final rule. The estimated cost
savings are primarily attributed to the reduction in the number of
written patient consents that would be needed to use or disclose
records for TPO and to redisclose them for other purposes permitted by
the HIPAA Privacy Rule. Because the Department lacks data to estimate
the annual numbers of written patient consents and disclosures to
covered entities, this RIA adopts an assumption that only three
consents per patient are currently obtained per year (one each for
treatment, payment, and health care operations) and only one half of
such consents result in a disclosure of records to a HIPAA covered
entity or business associate, for which consent would be no longer
required to use or redisclose the record under the final rule.
c. Part 2 Programs, Covered Entities, and Patient Population
The Department relies on the same source as the approved part 2 ICR
\337\ as the basis for its estimates of the total number of part 2
programs and total annual part 2 patient admissions. Part 2 programs
are publicly (Federal, State, or local) funded, assisted, or regulated
SUD treatment programs. The part 2 ICR's estimate of the number of such
programs (respondents) is based on the results of the 2020 National
Survey of Substance Abuse Treatment Services (N-SSATS), and the average
number of annual total responses is based on the results of the average
number of SUD treatment admissions from SAMHSA's 2019 Treatment Episode
Data Set (TEDS) as the number of patients treated annually by part 2
programs, both approved under OMB Control No. 0930-0335.\338\ In the
2020 data from N-SSATS, the number of part 2 respondents was
16,066.\339\ The TEDS data for SUD treatment admissions has been
updated, so the Department relies on the 2019 statistic, as shown in
Table 3 below.
---------------------------------------------------------------------------
\337\ 85 FR 42986.
\338\ 84 FR 787 (Jan. 31, 2019).
\339\ See Substance Abuse and Mental Health Servs. Admin.,
``National Survey of Substance Abuse Treatment Services (N-SSATS):
2020. Data on Substance Abuse Treatment Facilities'' (2021), https://www.samhsa.gov/data/sites/default/files/reports/rpt35313/2020_NSSATS_FINAL.pdf.
---------------------------------------------------------------------------
[[Page 12585]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.013
For purposes of calculating estimated costs and benefits the
Department relies on mean hourly wage rates for occupations involved in
providing treatment and operating health care facilities, as noted in
Table 4 below. This final rule updates the proposed rule RIA wages to
the most recent year of available data.
---------------------------------------------------------------------------
\340\ Substance Abuse and Mental Health Servs. Admin., Ctr. for
Behavioral Health Statistics and Quality, ``Treatment Episode Data
Set (TEDS): 2019. Admissions to and Discharges From Publicly Funded
Substance Use Treatment'' (2021), https://www.samhsa.gov/data/sites/default/files/reports/rpt35314/2019_TEDS_Proof.pdf.
\341\ 86 FR 6446, 6497.
\342\ Id. at 6515.
[GRAPHIC] [TIFF OMITTED] TR16FE24.014
[[Page 12586]]
d. Qualitative Analysis of Non-Quantified Benefits and Burdens
The Department's analysis focuses on primary areas of changes
imposed by the final rule that are likely to have an impact on
regulated entities or patients. These are changes to establish or
modify requirements with respect to: enforcement and penalties,
notification of breaches, consent for uses and disclosures, Patient
Notice, notice accompanying disclosure, copy of consent accompanying
disclosure, requests for privacy protection, accounting of disclosures,
audit and evaluation, disclosures for public health, and use and
disclosure of records by investigative agencies. In addition to these
changes, the Department believes the modifications to part 2 for
clarification, readability, or consistency with HIPAA terminology,
would have the unquantified benefits of providing clarity and
regulatory certainty. The provisions that fall into this category and
for which anticipated benefits are not discussed in-depth, are:
Sections 2.1, 2.2, 2.4, 2.11 Through 2.15, 2.17, 2.19 Through 2.21,
2.23, 2.24, 2.34, 2.35, 2.52, and 2.61 Through 2.65
The Department provides its analysis of non-quantified benefits and
burdens for the primary areas of final rule regulatory change below,
followed by estimates and analysis of quantified benefits and costs in
section (e).
Section 2.3--Civil and Criminal Penalties for Violations
The Department creates limitations on civil and criminal liability
for investigative agencies in the event they unknowingly receive part 2
records in the course of investigating or prosecuting a part 2 program
or other person holding part 2 records prior to obtaining the required
court order under subpart E. This safe harbor promotes public safety by
permitting agencies to investigate part 2 programs and persons holding
part 2 records in good faith with a reduced risk of HIPAA/HITECH Act
penalties. The liability limitations would be available only to
agencies that could demonstrate reasonable diligence in attempting to
determine whether a provider was subject to part 2 before making a
legal demand for records or placement of an undercover agent or
informant. The changes benefit SUD providers, part 2 programs,
investigative agencies, and the courts by encouraging agencies to seek
information about a provider's part 2 status in advance and potentially
reduce the number of instances where applications for good cause court
orders are denied. Incentivizing investigative agencies to check
whether part 2 applies in advance of investigating a provider would
benefit the court system, programs, public safety, patients, and
agencies by enhancing efficiencies within the legal system, promoting
the rule of law, and ensuring the part 2 protections for records are
utilized when applicable.
The limitations on liability for investigative agencies may result
in more disclosures of patient records to such agencies by facilitating
investigations and prosecutions of part 2 programs and lawful holders.
The Department believes that limiting the application of Sec. 2.3(b)
to investigations and prosecutions of programs and holders of records,
requiring non-identifying information in the application for the
requisite court orders,\343\ and keeping patient identifying
information under seal \344\ will provide strong and continuing
protections for patient privacy while promoting public safety.
---------------------------------------------------------------------------
\343\ See Sec. 2.66 (requiring use of ``John Doe'').
\344\ See Sec. Sec. 2.66 and 2.67.
---------------------------------------------------------------------------
Section 2.12--Applicability
The final rule removes data segmentation requirements and instead
expressly states that segregation of records is not required upon
receipt. This results in the final rule neither requiring nor
prohibiting data segmentation, leading to a benefit to covered
entities, according to public comments on this issue. The Department
acknowledges that there is likely a burden reduction from the express
statement that segmentation of data or records is not required;
however, the Department lacks data on the number of records benefitting
from the removal of the data segmentation requirement to quantify this
impact.
Section 2.16--Security for Records and Notification of Breaches
The Department adds notification of breaches to Sec. 2.16 so that
the requirements of 45 CFR 164.400 through 164.414 apply to breaches
of part 2 records in the same manner as those requirements
apply to breaches of PHI. Notification of breaches is a cornerstone
element of good information practices because it permits affected
individuals or patients to take steps to remediate harm, such as
placing fraud alerts on their credit files, checking their credit
reports, notifying financial institutions, and informing personal
contacts of potential scams involving the patient's identity. It is
difficult to quantify the value of receiving notification in comparison
to the costs incurred in restoring one's credit, correcting financial
records, or the cost of lost opportunities due to loss of income or
reduced credit ratings.\345\
---------------------------------------------------------------------------
\345\ See 74 FR 42739, 42765-66 (Aug. 24, 2009).
---------------------------------------------------------------------------
The benefit to the patient of learning about a breach of personally
identifying information includes the opportunity for the patient to
take timely action to regain control over their information and
identity. The Department does not have data to predict how many
patients will sign up for credit monitoring or other identity
protections after receiving a notification of breach of their part 2
records; however, the Department believes that the costs to patients of
taking these actions \346\ will be far outweighed by the savings of
avoiding identity theft.\347\ Requiring part 2 programs to provide
breach notification ensures that patients of such programs are provided
the same awareness of breaches as patients that receive other types of
health care services from HIPAA covered entities.
---------------------------------------------------------------------------
\346\ See Alexandria White, ``How much does credit monitoring
cost?'' CNBC (Nov. 16, 2021), https://www.cnbc.com/select/how-much-does-credit-monitoring-cost/.
\347\ See Kenneth Terrell, ``Identity Fraud Hit 42 Million
People in 2021,'' AARP (Apr. 7, 2022) (``[T]he average per-victim
loss from traditional identity fraud [is] $1,551.''), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html.
---------------------------------------------------------------------------
Section 2.22 Patient Notice
Patients, part 2 programs, and covered entities are all likely to
benefit from final rule changes to more closely align the Patient
Notice and HIPAA NPP regulatory requirements, which simplify their
compliance with the two regulations. The Department establishes for
patients the right to discuss the Patient Notice with a person
designated by the program as the contact person and to include
information about this right in the header of the Patient Notice as
proposed in the HIPAA Coordinated Care and Individual Engagement
NPRM.\348\ These changes help improve a patient's understanding of the
program's privacy practices and the patient's rights with respect to
their records. Even for patients who do not request a discussion under
this final rule, knowledge of the right may promote trust and
confidence in how their records are handled.
---------------------------------------------------------------------------
\348\ See 86 FR 6446, 6485.
---------------------------------------------------------------------------
Section 2.24 Requirements for Intermediaries
The final rule adopts a definition of ``intermediary'' that
excludes part 2 programs, covered entities, and business associates.
Business associates that are HIEs will particularly benefit from being
excluded from the definition of
[[Page 12587]]
``intermediary'' because HIEs were the most representative example of
an intermediary and therefore had the most to gain from burden
reduction. They will not be subject to the requirement in Sec. 2.24 to
provide a list of disclosures upon request of a patient; they will not
be subject to the special consent requirements for intermediaries that
many HIEs have found to be a barrier to accepting part 2 records in
their systems; and they will be generally included when a patient signs
a TPO consent. This will also benefit covered entities that are part 2
programs because they will be able to use an HIE business associate to
exchange part 2 data as well as PHI, furthering the integration of
behavioral health information with other health information. We believe
this will also benefit patients because it will enhance their ability
to receive comprehensive care.
Section 2.25 Accounting of Disclosures
Adding a requirement to account for disclosures for TPO through an
electronic health record (EHR) benefits patients by increasing
transparency about how their records are used and disclosed for those
purposes. This requirement could counterbalance concerns about loss of
control that patients may experience as a result of the changes to the
consent process that would permit all future TPO uses and disclosures
based on a single general consent. The data logs that part 2 programs
need to maintain to create an accurate and complete accounting of TPO
disclosures could also be beneficial for such programs in the event of
an impermissible access by enabling programs to identify the
responsible workforce member or other wrongful actor.
Section 2.26 Right To Request Privacy Protection for Records
Adding a new right for patients to request restrictions on uses and
disclosures of their records for TPO is likely to benefit patients by
giving them a new opportunity to assert their privacy interests to part
2 program staff, to address patients' concerns about who may see their
records, and to understand what may be done with the information their
records contain.
With respect to the right for patients to restrict disclosures to
their health plan when patients have self-paid in full for services,
patients will benefit by being shielded from potential harmful effects
of some health plans' restrictive coverage policies or other potential
negative effects, such as employers learning of patients' SUD
diagnoses.\349\ This right may also improve rates of access to SUD
treatment because of patients' increased trust that they have the
opportunity to ensure that their records will remain within the part 2
program. A limitation on the benefits of this right is that it is only
available to patients with the means to pay privately for SUD
treatment.
---------------------------------------------------------------------------
\349\ Nat'l Academies of Sciences, Engineering, and Medicine,
The Nat'l Acads. Press, ``Ending Discrimination Against People with
Mental and Substance Use Disorders: The Evidence for Stigma Change''
(2016), http://www.nap.edu/23442; U.S. Dep't of Health and Human
Servs., Office of the Surgeon General, ``Facing Addiction in
America: The Surgeon General's Report on Alcohol, Drugs, and
Health'' (Nov. 2016), https://store.samhsa.gov/sites/default/files/d7/priv/surgeon-generals-report.pdf.
---------------------------------------------------------------------------
Part 2 programs may benefit from increased frequency of patients
paying in full out of pocket, which could decrease the time spent by
staff in billing and claims activities. Part 2 programs also may
benefit from increased patient trust in the programs' protection of
records.
Section 2.31 Consent Requirements and Sec. 2.33 Uses and Disclosures
Permitted With Written Consent
The changes to consent for part 2 records are two-fold: changes to
the required elements on the written consent form and a reduction in
the instances where a separate written consent is needed (the process
of obtaining consent). Changes to the consent form for alignment with
the HIPAA authorization form would likely benefit part 2 programs
because they would employ more uniform language and concepts related to
information use and disclosure. Such changes may particularly benefit
part 2 programs that are also subject to the HIPAA regulations, so
staff do not have to compare and interpret different terms on forms
that request the use or disclosure of similar types of information.
Permitting patients to sign a single general consent for all uses
and disclosures of their record for TPO may carry both burdens and
benefits to patients. Patients may benefit from a reduction in the
amount of paperwork they must sign to give permission for routine
purposes related to the treatment and payment and associated reductions
in time spent waiting for referrals, transfer of records among
providers, and payment of health insurance claims. At the same time,
patients may experience a sense of loss of control over their records
and the information they contain when they lose the opportunity to make
specific decisions about which uses and disclosures they would permit.
In some instances, the reduced ability to make specific use and
disclosure decisions could result in a greater likelihood of harm to
reputation, relationships, and livelihood.
Part 2 programs would likely benefit from the efficiencies
resulting from permitting a general consent for all TPO uses and
disclosures by freeing staff from burdensome paperwork. In contrast,
clinicians in part 2 programs may find it harder to gain the
therapeutic trust needed for patients to divulge sensitive information
during treatment if patients become less confident about where their
information may be shared and their ability to control those uses and
disclosures. Some potential patients may avoid initiating treatment
altogether, which would harm both patients and programs.
Covered entities and business associates would benefit markedly
from the ability to follow only one set of Federal regulations when
making decisions about using and disclosing part 2 records by
streamlining processes and simplifying decision making procedures.
Additionally, covered entities and business associates would no longer
need to segregate SUD treatment data and could improve care
coordination and integration of behavioral health with general medical
treatment, resulting in comprehensive holistic treatment of the entire
patient.
In contrast, this final rule could also create a burden because
covered entities and business associates subject to part 2 may need to
sort and filter part 2 records for certain uses and disclosures, such
as audit and evaluation activities that are health care operations,
according to whether or not a patient consent for TPO has been
obtained.
Section 2.32 Notice and Copy of Consent To Accompany Disclosure
The revisions to the notice accompanying each disclosure of part 2
records made with written consent benefit patients by ensuring that
recipients of part 2 records are notified of the expanded prohibition
on use of such records against patients in legal proceedings even
though uses and redisclosures for other purposes would be more readily
permissible. Due to the final rule changes in redisclosure permissions
for recipients of part 2 records that are covered entities and business
associates, the importance of the Notice to Accompany Disclosure would
increase.
Part 2 programs will benefit from having notice language that
accurately
[[Page 12588]]
reflects statutory changes in the privacy protections for records.
Retaining the notice to accompany disclosure requirement would also
ensure that certain protections for part 2 records continue to ``follow
the record,'' compared to the HIPAA Privacy Rule whereby protections
are limited to PHI held by a covered entity or business associate.
Section 2.53 Management Audits, Financial Audits, and Program
Evaluation
Part 2 programs that are also covered entities would benefit from
the final rule changes that would clarify that the limits on use and
disclosure for audit and evaluation purposes do not apply to covered
entities and business associates to the extent these activities fall
within the HIPAA Privacy Rule disclosure permissions for health care
operations. This benefit provides regulatory flexibility for covered
entities when part 2 records are subject to audit or evaluation.
In some instances, a third-party auditor or evaluator may also be a
part 2 program or a covered entity or business associate. As recipients
of part 2 records, such third parties would be permitted to redisclose
the records as permitted by the HIPAA Privacy Rule, with patient
consent for TPO. This flexibility would not extend to government
oversight audits and evaluations.
Section 2.54 Disclosures for Public Health
The Department creates a new permission to disclose de-identified
records without patient consent for public health activities,
consistent with statutory changes. This benefits public health by
permitting records to be disclosed that would address the opioid
overdose crisis and other public health issues related to SUDs, and it
protects patient confidentiality because the permission is limited to
disclosure of de-identified records.
Section 2.66 Procedures and Criteria for Orders Authorizing Use and
Disclosure of Records To Investigate or Prosecute a Part 2 Program or
the Person Holding the Records
The Department specifies the actions investigative agencies should
take when they discover in good faith that they have received part 2
records without obtaining the required court order, such as securing
the records, ceasing to use or disclose the records, applying for a
court order, and returning or destroying the records, as applicable to
the situation. This final rule would provide the benefit of enabling
agencies to move forward with investigations when they have unknowingly
sought records from a part 2 program. The final rule limits the
liability of investigative agencies that unknowingly obtain records
without the necessary court order and increases agencies' effectiveness
in prosecuting programs. The minimal burden for exercising reasonable
diligence before an unknowing receipt of part 2 records is outweighed
by the reduction in risk of a penalty for noncompliance. This analysis
applies as well to Sec. 2.67 below.
Section 2.67 Orders Authorizing the Use of Undercover Agents and
Informants To Investigate Employees or Agents of a Part 2 Program in
Connection With a Criminal Matter
The Department's final rule adds a requirement for investigative
agencies that seek a good cause court order after placement of an
undercover agent or informant in a part 2 program to first meet the
reasonable diligence criteria in Sec. 2.3(b). This requirement ensures
that agencies take basic actions to determine whether a SUD treatment
provider is subject to part 2 before seeking to place an undercover
agent or informant with the provider. As discussed above in reference
to Sec. 2.66, this final rule also has the benefit of aiding courts to
streamline the application process for court orders for the use and
disclosure of records.
Section 2.68 Report to the Secretary
The Department created a requirement for annual reports by
investigative agencies concerning applications for court orders made
after receipt of part 2 records. This new requirement benefits
programs, patients, and investigative agencies by making data available
about the frequency of investigative requests made ``after the fact.''
This requirement benefits agencies and programs by highlighting the
potential need for increased awareness about part 2's applicability. A
program that makes its part 2 status publicly known benefits from the
procedural protections afforded within the court order requirements of
Sec. Sec. 2.66 and 2.67 in the event it becomes the target of an
investigation. The final rule's reporting requirement could also
potentially serve as a deterrent to agencies from overly relying on the
ability to obtain belated court orders instead of doing a reasonable
amount of research to determine before making an investigative demand
whether part 2 applies. Any resulting reduction in unauthorized uses
and disclosures of records could be viewed as a benefit by patients and
privacy advocates. In contrast, investigative agencies could view the
reporting requirement as an administrative burden requiring resources
that otherwise could be used to pursue investigations.
e. Estimated Quantified Cost Savings and Costs From the Final Rule
The Department has estimated quantified costs and cost savings
likely to result from the final rule modifying three core expense
categories (capital expenses, attaching consent forms, and workforce
training) and seven substantive regulatory requirements. The remaining
regulatory changes are unlikely to result in quantifiable costs or cost
savings, as explained following the discussion of projected costs and
savings.
i. Capital Expenses
Capital expenses related to compliance with the final rule fall
into two categories: notification of breaches and printing forms and
notices. The Department's estimates for capital costs related to
providing breach notification are based on estimates from the HIPAA ICR
multiplied by a factor of 0.02, representing the proportion of part 2
programs compared to covered entities (16,066 / 774,331 = .02). For
example, for an estimated 58,482 annual breaches of PHI the Department
calculates that there are 1,170 breaches of part 2 records (58,482 x
.02 = 1,170), and associated costs. Those costs are estimated on an
ongoing annual basis because part 2 programs could experience a breach
at any time that would require notification. Capital costs for breach
notifications are presented in Table 5 below.
[[Page 12589]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.015
The Department's estimate of the costs for printing revised consent
forms is based on SAMHSA's part 2 ICR estimates for total annual
patient admissions to part 2 programs \350\ at a rate of $0.11 per
copy. Programs are already required to print forms and notices on an
ongoing basis and no change to the number of such forms and notices is
projected, so the Department has not added any new capital costs for
printing the revised Patient Notice and Notice to Accompany
Disclosures. However, the Department estimates that as a result of
changes to the requirement to obtain consent for disclosures related to
TPO, part 2 programs and covered entities and business associates would
experience cost savings from a significant reduction in the number of
needed consent forms. The Department assumes that, on average, each
patient's treatment results in a minimum of three written consents
obtained by part 2 programs, one each for treatment, payment, and
health care operations purposes. The final rule is estimated to result
in a decrease in the total number of consents by two-thirds because
only one patient consent would be required to cover all TPO uses and
disclosures. At an estimated cost of $0.11 per consent, for a total of
1,864,367 annual patient admissions, this would result in an annual
cost savings to part 2 programs of 3,728,734 fewer written consents, or
$396,222.
---------------------------------------------------------------------------
\350\ Substance Use Disorder Patient Records Supporting
Statement A_06102020--OMB 0930-0092, https://omb.report/omb/0930-0092.
---------------------------------------------------------------------------
Additionally, covered entities and business associates that receive
part 2 records will also experience a reduced need to obtain written
patient consent or a HIPAA authorization because redisclosure under the
HIPAA Privacy Rule does not require patient consent or authorization
for TPO and many other purposes. The Department lacks data to make a
precise estimate of projected cost savings, but each patient record
disclosed to a covered entity or business associate would potentially
generate a savings based on eliminating the need for the recipient to
obtain additional consent for redisclosure. The Department has adopted
a low-cost savings estimate that one-half of part 2 annual admissions
would result in receipt of part 2 records by a covered entity or
business associate that would no longer be required to obtain specific
written patient consent to redisclose such record, representing an
annual capital expense savings from printing 932,184 fewer consent
forms. At a per-consent cost of $0.11,\351\ this would result in annual
savings of $99,056. The capital expense savings for printing consent
forms are presented in Table 6 below. The savings related to the cost
of staff time to obtain the patient consent are estimated and discussed
separately in the section on consent below.
---------------------------------------------------------------------------
\351\ The Department relies on its estimated capital expenses
for printing HIPAA breach notification letters adjusted to 2022
dollars. See 2021 HIPAA ICR, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202011-0945-001.
---------------------------------------------------------------------------
[[Page 12590]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.016
ii. Training Costs
Although part 2 does not expressly require training and the final
rule does not require retraining, the Department anticipates that all
part 2 programs will choose to train their workforce members on the
modified part 2 requirements to ensure compliance. The Department
estimates costs that all part 2 programs would incur to train staff on
the changes to the confidentiality requirements. As indicated in the
chart below, only certain staff would need to be trained on specific
topics and each program would rely on a training specialist whose
preparation time would also be accounted for. Compared to the proposed
HIPAA Privacy Rule right to discuss privacy practices, the costs for
training part 2 counselors include a higher number of staff per program
because part 2 programs have no required Privacy Officer who is already
assigned similar duties and are more likely to incur costs for
developing a new training regimen. The Department of Labor, BLS last
reported statistics for substance use and behavioral disorder
counselors separate from mental health counselors in 2016, and
substance use and behavioral disorder counselors represented 65 percent
of the combined total. The Department thus calculates its estimate for
the number of substance use and behavioral disorder counselors as 65
percent of the workers in the BLS occupational category for ``substance
abuse, behavioral disorder, and mental health counselors'' and uses
that as a proxy for the number of part 2 program counselors that would
require training on the new Patient Notice.\352\ The Department
estimates that a total of $13.3 million in one-time new training costs
would be incurred in the first year of the final rule's implementation,
as presented in Table 7 below.
---------------------------------------------------------------------------
\352\ This final rule RIA updates the number of counselors based
on more recent data from the May 2022 National Occupational
Employment and Wage Estimates. In 2022, the number of part 2
counselors is estimated to be 224,231 (344,970 substance abuse and
behavioral disorder counselors separate from mental health
counselors, SOC code 21-1018) x .65).
---------------------------------------------------------------------------
[[Page 12591]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.017
iii. Receiving a Complaint
The Department estimates a new burden in this final rule, for
covered entities to receive complaints filed by patients against a
program, covered entity, business associate, qualified service
organization, or other lawful holder in violation of this part would
amount to a total annual labor cost of $38,328. This estimate is
derived under the assumption that one in every thousand patients would
file a complaint, leading to 1,864 complaints annually.\353\ The
complaint is also assumed to be received by a manager and take 10
minutes to address. The cost of receiving complaints poses both a
recurring annual cost as well as a one-time cost to establish
procedures for handling complaints. It is assumed that
---------------------------------------------------------------------------
\353\ The assumption that one out of every 1,000 patients would
file a complaint was adopted from the 2000 HIPAA Final Rule RIA's
calculation of costs of internal complaints under 45 CFR part 160.
---------------------------------------------------------------------------
[[Page 12592]]
the cost for setting up complaint procedures is captured under the
training requirement as well as the Patient Notice requirements, laid
out in Tables 7 and 10 respectively. Table 8 presents the costs for
receiving a complaint.
[GRAPHIC] [TIFF OMITTED] TR16FE24.018
iv. Notification of Breaches
The Department estimates annual labor costs of $1.6 million to part
2 programs for providing notification of breaches of unsecured records,
including notification to the Secretary, affected patients, and the
media, consistent with the requirements of the HIPAA Breach
Notification Rule. This estimate is derived from calculating two
percent of the total estimated breach notification activities for
covered entities, business associates, and qualified service
organizations under the HIPAA Breach Notification Rule.\354\ Costs for
the labor spent to provide breach notifications are estimated in Table
9 below. Capital costs for providing breach notification are discussed
separately in Table 5 above.
---------------------------------------------------------------------------
\354\ See 2021 HIPAA ICR, https://omb.report/icr/202011-0945-001. Wage rates are updated to 2022 figures.
---------------------------------------------------------------------------
[[Page 12593]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.019
[[Page 12594]]
v. Patient Notice
The Department estimates a first-year total of $2.6 million in
costs to part 2 programs for updating the Patient Notice, as
applicable, and providing patients a right to discuss the program's
Patient Notice. Under the final rule's modifications to Sec. 2.22, as
under the existing rules, a part 2 program that is also a covered
entity only needs to have one notice that meets the requirements of
both rules, so the Department's estimates are based on an unduplicated
count of part 2 programs, each one needing to update its Patient
Notice. The Department's estimate is based on the number of total
entities and one hour of a lawyer's time to update the notice(s), as
detailed in Table 10. There would be no new costs for providers
associated with distribution of the revised notice other than posting
it on the entity's website (where available), as providers have an
ongoing obligation to provide the notice to first-time patients. The
Department bases the estimate on its previous estimates from the 2013
Omnibus Final Rule, in which the Department estimated approximately 613
million first time visits with health care providers annually.\355\
---------------------------------------------------------------------------
\355\ 78 FR 5565, 5675 (Jan. 25, 2013).
---------------------------------------------------------------------------
In addition to the costs of updating the Patient Notice, the
Department estimates that part 2 programs incur ongoing costs to
implement the right to discuss a program's Patient Notice calculated as
1 percent of all patients, or 18,644 requests, at the hourly wage of a
substance abuse, behavioral disorder, and mental health counselor, as
defined by BLS, for an average of 7 minutes per request or $117,586
total per year. The number of discussions is based on the same
percentage of new patients as the parallel proposal in the HIPAA
Coordinated Care and Individual Engagement NPRM, which reflects the
anticipated number of patients who would ask to speak with the
identified contact person or office about the Patient Notice. It does
not include the discussion that each counselor may have with a new
patient about confidentiality in the clinical context which the
Department views as part of treatment. Total costs for the Patient
Notice are presented in Table 10 below.
[GRAPHIC] [TIFF OMITTED] TR16FE24.020
vi. Accounting of Disclosures
The Department's estimate of minimal annual costs to part 2
programs for providing patients an accounting of disclosures is based
on the Department's estimates for covered entities to comply with the
requirements in 45 CFR 164.528 multiplied by a factor of .02. This
represents two percent of the total estimated requests for an
accounting of disclosures under the HIPAA Privacy Rule. The Department
included this estimate in its calculations (detailed in Table 11),
although it is negligible, due to the CARES Act mandate to include the
requirement in part 2. In addition, these costs will not constitute an
immediate burden since they are contingent on the promulgation of
HITECH Act modifications to the accounting of disclosures standard in
the HIPAA Privacy Rule at 45 CFR 164.528, which the Department has not
yet finalized.
The responses to the Department's 2018 Request for Information on
Modifying HIPAA Rules to Improve Coordinated Care \356\ indicated that
covered entities and their business associates receive very few
requests for an accounting of disclosures annually (a high of
.00006).\357\ Comments received on the part 2 NPRM were consistent with
these and suggested that covered entities still receive very few
requests; however, one commenter asserted that a request can take
approximately 40 hours of labor to address.\358\ We believe this figure
is an outlier and that most requests cover a narrow time period related
to a specific disclosure concern. The Department is unable to estimate
the additional burdens, if any, of offering these accountings in a
machine readable or other electronic format. Further, the Department
lacks specific information about the costs to revise EHR systems to
generate a report of disclosures for TPO, other than they could be
substantial.\359\ We note too that the compliance date for the
accounting of disclosures requirement is tolled until modifications to
the accounting requirement are finalized in 45 CFR 164.528 of the HIPAA
Privacy Rule. Table 11 presents the estimated costs for accounting of
disclosures.
---------------------------------------------------------------------------
\356\ 83 FR 64302 (Dec. 14, 2018).
\357\ See generally, public comments posted in response to
Docket ID# HHS-OCR-2018-0028, https://www.regulations.gov/document/HHS-OCR-2018-0028-0001/comment.
\358\ See public comments posted in response to Docket ID# HHS-
OCR-2022-0018-0001, https://www.regulations.gov/document/HHS-OCR-2022-0018-0001.
\359\ Id.
---------------------------------------------------------------------------
[[Page 12595]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.021
vii. Requests for Privacy Protection for Records
The Department estimates that part 2 programs would incur a total
of $5,019 in annual costs arising from the right to request
restrictions on disclosures. OCR's HIPAA ICR estimate of costs for
covered entities to comply with the parallel requirement under 45 CFR
164.522 represents a doubling of previous estimated responses from
20,000 to 40,000.\360\ However, costs remain low for compliance with
this regulatory requirement, in part because the requirement to accept
a patient's request for restrictions is mandatory only for services for
which the patient has paid in full; the cost of complying with a
request not to disclose records or PHI to a patient's health plan
occurs in a context in which providers are saved the labor that would
be needed to submit claims to health insurers.
---------------------------------------------------------------------------
\360\ 86 FR 6446, 6498. See also 84 FR 51604.
---------------------------------------------------------------------------
The Department acknowledges that in addition to the handling of
restriction requests, providers will likely also incur costs related to
the adjustment of their technological capabilities. Comments received
on the part 2 NPRM outlined some of the existing shortcomings and
potential improvements to the EHR systems. Some of the issues discussed
included perceptions regarding the inability of current EHR systems to
automatically flag and separate part 2 records, and challenges of
granular data segmentation functionality, inability of systems to
handle multiple types of information workflows, and difficulties in
ensuring that the current systems protect part 2 data adequately from
access and redistribution in large patient settings where data is
received and redistributed electronically. Commenters suggested, among
others, the development of broader interoperability frameworks, and the
development of consistent standards as potential remedies for those
technical issues, but there was no specific actionable data provided
that could inform the cost analysis of such efforts. The Department
therefore lacks a basis to formally quantify these costs and does not
include them in this RIA.
The estimated costs for requests for privacy protection for records
are presented in Table 12 below. The estimated number of responses is
increased from the proposed rule to 1,200 and the average burden is
doubled to 6 minutes (0.1 hours) to account for the final rule adding
the requirement that covered entities use reasonable efforts to
accommodate patients' requests for restrictions, resulting in a slight
increase in estimated burden.
[GRAPHIC] [TIFF OMITTED] TR16FE24.022
viii. Updated Consent Form
The Department estimates that each part 2 program would incur the
costs for 40 minutes of a lawyer's time to update its patient consent
form for use and disclosure of records. This would result in an
estimated total nonrecurring cost of approximately $1.7 million, to be
incurred in the first year after publication of a final rule, as
detailed in Table 13 below.
[[Page 12596]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.040
ix. Attaching Consent Form
The Department estimates a new cost in this final rule (compared to
the proposed rule RIA) for the requirement associated with Sec. 2.32
that each part 2 program would need to attach consent forms with each
disclosure. The Department assumes an average of three (3) annual
disclosures per patient. The Department assumes consent forms would
need to be attached to paper disclosures as well as electronic
disclosures and assumes ninety percent (90%) of disclosures are
received electronically while the remaining ten percent (10%) would be
received in paper format. This would result in a total recurring cost
of $2.9 million per year. The estimated costs for attaching consent
forms are presented in Table 14 below.
[GRAPHIC] [TIFF OMITTED] TR16FE24.023
x. Updated Notice To Accompany Disclosures
The Department estimates that each part 2 program would incur the
costs for 20 minutes of a health care manager's time to update the
regulatory notice that is to accompany each disclosure of records with
written patient consent. The Department believes that in most cases a
manager can accomplish this task, rather than a lawyer, because
specific text for the Notice to Accompany Disclosure is required and is
included in the final rule. For a total of 16,066 programs this would
result in estimated total nonrecurring costs in the first year of the
rule's implementation of approximately $0.7 million as detailed in
Table 15 below.
[[Page 12597]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.024
xi. New Reporting to the Secretary
The final rule's reporting requirements in Sec. 2.68 are directed
to those agencies that investigate and prosecute programs and holders
of part 2 records. Part 2 programs are subject, for example, to
investigations for Medicare and Medicaid fraud and diversion of opioids
used in medications for opioid use disorder (MOUD). Medicaid and
Medicare fraud investigations may involve several agencies, such as the
Department of Justice (DOJ), HHS Office of the Inspector General (OIG),
and state agencies. Investigations involving the use and disclosure of
part 2 records include those where SUD providers are the targeted
entities as well as where other health care providers are the target
and have received records from a part 2 program. The Department has
revised its estimates of the number of investigations that involve part
2 records, resulting in an increase of more than 100 percent from the
225 estimated investigations in the NPRM. The Department estimates that
approximately 506 investigations, prosecutions, or sanctions involve
part 2 programs or records annually, based on FY 2021 statistics. The
reported data does not separately track part 2 programs so we based our
estimate on the proportion of part 2 programs as compared to covered
entities, which is 2 percent, as we have done for other estimates
within the analysis for this rule.\361\ We acknowledge that this may
not capture all the entities subject to investigations that include
part 2 records. At the same time, we have added a more extensive list
of investigations and actions against health care entities, many of
which represent duplicate actions, such as the exclusion of an entity
from Medicare participation based on a fraud conviction against that
same entity that is also counted within the same year, and the counting
of both new fraud investigations and cases pending at the year's end.
We included data from FY 2021 \362\ for the following actions:
---------------------------------------------------------------------------
\361\ 16,066 part 2 programs/774,331 covered entities = .02
\362\ Annual Report of the Departments of Health and Human
Services and Justice, FY 2021 Health Care Fraud and Abuse Control
Report (July 2022). We include data reflecting OIG investigations as
one representative data point in an effort to estimate the volume of
relevant records obtained through investigations throughout the
country. Annual reporting will be conducted consistent with
applicable Federal laws.
---------------------------------------------------------------------------
831 new criminal health care fraud investigations (DOJ).
462 cases of criminal charges filed by Federal
prosecutors.
805 new civil health care fraud investigations (DOJ).
1,432 civil health care fraud matters pending at the end
of the fiscal year (DOJ).
107 health care fraud criminal enterprises dismantled
(FBI).
504 criminal actions for Medicare and Medicaid crimes
(HHS-OIG).
669 civil actions (HHS-OIG).
1,689 individuals and entities excluded from participation
in Medicare, Medicaid, and other Federal health care programs (HHS-
OIG).
18,815 open investigations by state Medicaid Fraud Control
Units in FY 2021.\363\
---------------------------------------------------------------------------
\363\ https://oig.hhs.gov/fraud/medicaid-fraud-control-units-mfcu/expenditures_statistics/fy2021-statistical-chart.pdf.
---------------------------------------------------------------------------
This results in a count of 25,314 actions taken by investigative
agencies and 506 as the estimated proportion involving use and
disclosure of part 2 records. The Department assumes, as an over-
estimate, that all 506 cases involve use of the safe harbor under Sec.
2.3 and result in a required report under Sec. 2.68.
The burden on investigative agencies for annual reporting about
unknowing receipt of part 2 records prior to a court order includes the
labor of gathering data and submitting it to the Secretary. As a proxy
for this burden, the Department estimates that the labor would be equal
to reporting large breaches of PHI under HIPAA which has been
calculated at 1.5 hours per response at an hourly wage rate of $81.28
\364\ for a total estimated cost of $121.92 per response. For an
estimated 506 annual investigations this would result in a total cost
of $61,726. This figure represents an overestimate because it assumes
100 percent of investigations would involve unknowing receipt of part 2
records prior to seeking a court order. The Department assumes that the
actual proportion of investigations falling within the reporting
requirement would be less than 25 percent of cases, although it lacks
data to substantiate this assumption. The final rule also adds to the
definition of investigative agencies to include local, territorial, and
Tribal agencies. The Department acknowledges the potential for
expanding the definition to increase the affected population for
investigative agencies; however, the Department lacks sufficient data
to quantify the number of additional agencies impacted by the rule. The
estimated costs for new reporting to the Secretary are presented in
Table 16 below.
---------------------------------------------------------------------------
\364\ This is a composite wage rate used in burden estimates for
the Department's breach notification Information Collection Request.
---------------------------------------------------------------------------
[[Page 12598]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.025
f. Summary of First Year Costs
Table 17 presents the total first year part 2 quantified costs
presented in the above sections, totaling $23.9 million.
BILLING CODE 4153-01-P
[[Page 12599]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.026
BILLING CODE 4153-01-C
g. Final Rule Changes Resulting in Negligible Fiscal Impact
Sections 2.1 and 2.2 Statutory Authority and Enforcement
While civil enforcement of part 2 by the Department may increase
costs for part 2 programs or lawful holders that experience a breach or
become the subject of a part 2 complaint or compliance review, the
costs of responding to a potential violation are not calculated
separately from the costs of complying with new or changed regulatory
requirements. Thus, the Department's analysis does not estimate any
program costs for the changes to Sec. Sec. 2.1 and 2.2 of 42 CFR part
2.
Section 2.3 Civil and Criminal Penalties for Violations
The final rule adds local, territorial, and Tribal agencies to the
investigative agency definition. In Sec. 2.3(b)(1), investigative
agencies that do not use reasonable diligence would be precluded from
seeking a court order to use or disclose part 2 records that they later
discover in their possession. The Department acknowledges there may be
an overall increase in the affected population associated with
including local, territorial, and Tribal agencies in the investigative
agency definition; however, the Department lacks sufficient data on the
extent these agencies are involved in investigating part 2 programs to
quantify these potential impacts.
Section 2.3 also creates a limitation on civil or criminal
liability for persons acting on behalf of investigative agencies when
they may unknowingly receive part 2 records without first
[[Page 12600]]
obtaining the requisite court order. The final rule mandates reasonable
diligence steps, which consist of all of the following actions:
Searching for the practice or provider among the SUD treatment
facilities in SAMHSA's online treatment locator; searching in a similar
state database of treatment facilities where available; checking a
practice or program's website, where available, or physical location;
viewing the entity's Patient Notice or HIPAA NPP if it is available;
and taking all these steps within no more than 60 days before
requesting records or placing an undercover agent or informant. The
regulatory change encourages investigative agencies to take
preventative measures, reducing the need for after-the-fact court
orders. The Department acknowledges that the reasonable diligence steps
may result in additional burdens for investigative agencies to check
websites and visit physical locations; however, the Department lacks
sufficient data to quantify the additional burden and expects that it
is negligible.
Section 2.11 Definitions
Changes to the regulatory definitions are not likely to create
significant increases or decreases in burdens for part 2 programs or
covered entities and business associates. These entities, collectively,
would benefit from the regulatory certainty resulting from
clarification of terms; however, the definitions are generally intended
to codify current usage and understanding of the defined terms. One
change that has the potential to result in additional burden to part 2
programs but potentially represents a benefit of increased privacy
protection for patients would be the inclusion of a new definition of
``SUD counseling notes.'' The Department has discussed the potential
impact to the inclusion of SUD counseling notes in Sec. 2.31. The
Department also changes the definition of ``investigative agency'' to
include local, territorial, and Tribal agencies. This change in the
definition has the potential to increase the population of
investigative agencies. Additional discussion on the potential impact
of adding local, territorial, and Tribal agencies is discussed in Sec.
2.3. The final rule adds a new definition on ``lawful holder'' used in
several provisions. The final rule also adds a new definition of
``personal representative,'' replacing language in Sec. 2.15
describing individuals authorized to act on a patient's behalf, as
mentioned under the discussion on Sec. 2.15 below. Another change to
the definition of ``intermediary'' excludes part 2 programs, covered
entities, and business associates and may result in burden decreases to
these entities, as mentioned under the discussion on Sec. 2.24 below.
The Department estimates that these three changes will have a
negligible impact.
Section 2.12 Applicability
The final rule change from ``Armed Forces'' to ``Uniformed
Services'' in paragraphs (b)(1) and (c)(2) of Sec. 2.12 is likely to
result in only a negligible change in burden because this terminology
is already in use in 42 U.S.C. 290dd-2. Adding ``uses'' and
``disclosures'' in several places provides clarity and consistency, but
is unlikely to create quantifiable costs or cost savings. Adding the
four express statutory restrictions on use and disclosure of records
for court proceedings \365\ in paragraph (d)(1) of this section will
likely result in no significant burden change, as the restrictions on
use and disclosure of records for criminal investigations and
prosecutions of patients are already stringent and the ability to
obtain a court order remains. Excluding covered entities from the
restrictions applied to other ``third-party payers'' in paragraph
(d)(2) of this section would reduce burden on covered entities that are
health plans because they will be permitted to disclose records for a
wider range of health care operations than under the current
regulation. However, this burden reduction is similar to that for all
covered entities under the final rule, so the Department has not
estimated the costs or benefits separately from the effects of Sec.
2.33 (Uses and disclosures permitted with written consent).
---------------------------------------------------------------------------
\365\ See 42 U.S.C. 290dd-2(c).
---------------------------------------------------------------------------
Section 2.13 Confidentiality Restrictions and Safeguards
The primary change to this section is to remove paragraph (d) and
redesignate it as Sec. 2.24. Additionally, adding the term ``use'' to
the circumstances when disclosures are permitted or prohibited provides
clarification, but is unlikely to generate a change in burden
associated with this provision.
Section 2.14 Minor Patients
The final rule changes to this section would clarify that a part 2
program director may clinically evaluate whether a minor has decision
making capacity, but not issue a legal judgment to that effect. The
changes also add ``uses'' to ``disclosures'' as the types of activities
regulated under this section. None of the changes would be likely to
result in quantifiable burdens to part 2 programs.
Section 2.15 Patients Who Lack Capacity and Deceased Patients
The final rule replaces the terms for ``guardian or other
individual authorized under state law to act on the patient's behalf''
with the term ``personal representative'' under Sec. 2.11, as
described above. The Department does not anticipate this to result in
any significant burdens or benefits. The Department's final rule will
also replace outdated references to incompetence and instead refer to a
lack of capacity to make health care decisions and will add ``uses'' to
``disclosures'' to describe the activities permitted when certain
conditions are met. These clarifications and additions are unlikely to
generate a change in burden that can be quantified, and thus they are
not included in the Department's calculation of estimated costs and
cost savings.
Section 2.17 Undercover Agents or Informants
The final rule adds the phrase ``and disclosure'' in the heading of
paragraph (b) of this section and ``or disclosed'' after ``used'' in
paragraph (b) for consistency with changes throughout the rule to align
with HIPAA language. We do not expect any change in burden as a result
of this change.
Section 2.20 Relationship to State Laws
The final rule adds the term ``use'' to describe activities
regulated by this section. Similar to 42 CFR part 2, state laws impose
restrictions on uses and disclosures related to SUD and the Department
assumes programs subject to regulation by this part would be able to
comply with part 2 and the state law. The Department does not
anticipate these changes would result in a quantifiable increase or
decrease in burden.
Section 2.21 Relationship to Federal Statutes Protecting Research
Subjects Against Compulsory Disclosure of Their Identity
The Department replaced ``disclosure and use'' with ``use and
disclosure'' to align the language of this section with the HIPAA
Privacy Rule. The edit does not require any changes to existing part 2
requirements. The Department does not anticipate this change would
result in a quantifiable increase or decrease in burden.
[[Page 12601]]
Section 2.24 Requirements for Intermediaries
The final rule changes the definition of ``intermediary'' to
exclude part 2 programs, covered entities, and business associates, as
noted above. The Department acknowledges that this poses a burden
reduction to covered entities and business associates as they are no
longer subject to these requirements; however, the Department does not
anticipate these changes to have a significant impact.
Section 2.31 Consent Requirements
The final rule adds a new consent requirement at Sec. 2.31(b),
requiring separate consent for the use and disclosure of SUD counseling
notes. The final rule limits use and disclosure of SUD counseling notes
without patient consent in a manner that aligns with the HIPAA Privacy
Rule authorization requirements for psychotherapy notes. The Department
believes there is a qualitative benefit to patients and clinicians who
keep separate SUD counseling notes. Requiring a separate consent for
SUD counseling notes offers a means for patients to selectively
disclose sensitive information and reduces barriers to clinicians
recording treatment information for patients concerned about their
confidentiality being protected. The Department acknowledges that there
is a potential increase in the administrative burden to part 2 programs
for segmenting SUD counseling notes as well as obtaining an additional
patient consent; however, a separate consent requirement strikes a
balance between heightened protection and an appropriately tailored
permission for uses and disclosures that are low risk for abuse or
related to requirements in law. The Department lacks sufficient data on
the number of SUD counseling notes requiring additional consent and
does not expect there to be a large number; and therefore, does not
anticipate these changes would result in a quantifiable increase or
decrease in burden.
Section 2.34 Uses and Disclosures To Prevent Multiple Enrollments
The final rule adds the term ``uses'' to the heading and
incorporates minor word changes and style edits for clarity. The edits
do not require any changes to existing part 2 requirements. The
Department does not anticipate these changes would result in a
quantifiable increase or decrease in burden.
Section 2.35 Disclosures to Elements of the Criminal Justice System
Which Have Referred Patients
The final rule replaces the term ``individuals'' with ``persons,''
clarifies that permitted redisclosures of information are from part 2
records, and makes minor word and style edits for clarity. The edits do
not require any changes to existing part 2 requirements. The Department
does not anticipate these changes would result in a quantifiable
increase or decrease in burden.
Section 2.52 Scientific Research
The Department considered whether the requirement to align the de-
identification standard in Sec. 2.52 (and throughout part 2) with the
HIPAA Privacy Rule de-identification standard in 45 CFR 164.514 would
significantly increase burden for part 2 programs or result in any
unintended negative consequences. The Department concluded that the
final rule change would not significantly increase burden because a
part 2 program already must follow detailed protocols to ensure that
the current standard is met, and that work is similar in level to the
work needed to adhere to the HIPAA Privacy Rule standard. Additionally, the
final rule ensures that all part 2 programs are following similar
standards for de-identification, which would benefit researchers when
creating data sets from different part 2 programs, by enabling them to
populate the data sets with similar content elements.
Section 2.53 Management Audits, Financial Audits, and Program
Evaluation
The final rule clarifies that some audit and evaluation activities
may be considered health care operations. As a result, part 2
programs, covered entities, and business associates could obtain
records based on consent for health care operations and then
redisclose them as permitted by the HIPAA Privacy Rule. The HIPAA
Privacy Rule may allow these entities greater flexibility to use or
redisclose the part 2 records for permitted purposes compared to the
limitations contained in Sec. 2.53 of part 2. For part 2 programs that
are covered entities, this change could result in burden reduction
because they would not have to track the records used for audit and
evaluation purposes as closely; however, the Department is without data
to quantify the potential cost reduction. For business associates,
there would likely be no change in burden because they are already
obligated by contract to only use or disclose PHI (which may be part 2
records) as allowed by the agreement with the covered entity.
As discussed in the preamble, the disclosure permission under Sec.
2.53 would continue to apply to audits and evaluations conducted by a
health oversight agency without patient consent. The Department does
not believe that the text of section 3221(e) of the CARES Act indicates
congressional intent to alter the established oversight mechanisms for
part 2 programs, including those that provide services reimbursed by
Medicare, Medicaid, and Children's Health Insurance Program (CHIP). The
Department also intends that a government agency conducting activities
that could fall within either Sec. 2.53 or Sec. 2.33 for health care
operations would have the flexibility to choose which permission to
rely on and would not have to meet the conditions of both sections. In
the event that the agency is a covered entity that has received the
records based on a consent for TPO, it could further redisclose the
records as permitted by the HIPAA Privacy Rule. Further, the Department
intends that the availability of the safe harbor under Sec. 2.3 does
not affect the ability of government agencies conducting health
oversight to continue relying on Sec. 2.53 to access records without a
court order.
Section 2.54 Disclosures for Public Health
The Department does not believe that an express permission to
disclose records to public health authorities without patient consent
will impact burdens to a significant degree. While part 2 programs will
likely experience a burden reduction from the lifting of a consent
requirement, the permission may cause an increase in disclosures to
public health authorities, resulting in a net impact of no change to
burdens. Additionally, to the extent these disclosures are required by
other law, the compliance burden is not calculated as a change caused
by part 2.
Sections 2.61 Through 2.65 Procedures for Court Orders
The Department lacks sufficient data to estimate the number of
instances where the expanded scope of protection from use or disclosure
of records against the patient in legal proceedings (including in
administrative and legislative forums) would result in increased
applications for court orders authorizing the disclosure of part 2
records or testimony.
[[Page 12602]]
Section 2.66 Procedures and Criteria for Orders Authorizing Use and
Disclosure of Records To Investigate or Prosecute a Part 2 Program or
the Person Holding the Records
Section 2.66(a)(3) provides specific procedures for investigative
agencies to follow upon discovering after the fact that they are
holders of part 2 records, such as securing, returning, or destroying
the records and optionally seeking a court order under subpart E.
Although the existing regulation does not expressly require law
enforcement agencies to return or destroy records that it cannot use in
investigations or prosecutions against a part 2 program when it does
not obtain the required court order, it requires lawful holders to
comply with Sec. 2.16 (Security for records). The Department developed
the requirements in Sec. 2.66(a)(3) (to return or destroy records that
an investigative agency is unable to use or disclose in an
investigation or prosecution) to parallel the existing requirements in
Sec. 2.16 for programs and lawful holders to establish policies for
securing paper and electronic records, removing them, and destroying
them. The requirements in Sec. 2.66(c) to obtain a court order for
information obtained in violation of this part, or to return or destroy
the records within a reasonable time (no more than 120 days from
discovering it has received part 2 records), would not significantly
increase the existing burden for investigative agencies to comply with
Sec. 2.16.
Section 2.67 Orders Authorizing the Use of Undercover Agents and
Informants To Investigate Employees or Agents of a Part 2 Program in
Connection With a Criminal Matter
Section 2.67(c)(4) restricts an investigative agency from seeking a
court order authorizing placement of an undercover agent or informant
unless it has first exercised reasonable diligence as described by
Sec. 2.3(b). Satisfying this prerequisite also allows an investigative
agency that learns after the fact that its undercover agent or
informant is in a part 2 program to correct the oversight, continue
the placement, and avoid the risk of penalties for the violation. The
Department anticipates that the added
burden for searching SAMHSA's online treatment locator
(FindTreatment.gov) and a similar state database, and a program's
website or physical location, including its Patient Notice or HIPAA NPP
to ascertain whether the program provides SUD treatment, would be
minimal, as these activities would normally be included in the course
of investigating and prosecuting a part 2 program. The requirement
would merely shift the timing of these actions in some cases so that
investigative agencies ensure they are completed prior to requesting
court approval of an undercover agent or use of an informant. The
primary burden on investigative agencies would be to include a
statement in an application for a court order after learning of the
program's part 2 status after the fact, that the investigator or
prosecutor first exercised reasonable diligence to determine whether
the program provided SUD treatment. The burden for including this
statement within an application for a court order is minimal and could
consist of standard language used in each application. Thus, the
Department has not calculated specific quantitative costs for
compliance.
h. Costs Borne by the Department
This rule has a cost impact on HHS. HHS has the primary
responsibility to assess the regulatory compliance of covered entities
and business associates. This final rule would extend those
responsibilities to part 2 programs. In addition to
promulgating the current regulation, HHS would be responsible for
developing guidance and conducting outreach to educate the regulated
community and the public. The final rule also requires HHS to
investigate and resolve complaints and compliance reviews as part of
its expanded responsibility for part 2 compliance and enforcements. The
Department estimates that implementing the new part 2 enforcement
requirements would require two full-time policy employees (or
contractors) at the Office of Personnel Management (OPM) General
Schedule (GS) GS-14 or equivalent level who will develop regulation,
guidance, and national-level outreach. Additionally, the Department
estimates needing eight full-time employees (or contractors) for
enforcement at a GS-13 or equivalent level to investigate, train
investigators, and provide local outreach to regulated entities.\366\
The cost of labor for enforcement of part 2 programs across the ten
employees described above amounts to $2,214,100 in the first year and
$11,808,508 over all five years from 2024 to 2028, including
appropriate step increases expected across years. The Department also
estimates costs for hiring a contractor to create a breach portal or a
part 2 module for the existing HIPAA breach portal. The Department
assumes that the cost of hiring each contractor to maintain the breach
portal amounts to 5 percent of the annual operation and management
funding for the breach portal.\367\ The initial posting of such
breaches is automated, and HHS currently pays a contractor
approximately $13,814 annually to maintain the database to receive
reports of breaches from HIPAA covered entities. Under the same
assumptions, the Department estimates approximately $13,814 to hire a
second contractor to maintain the database to exclusively receive
reports of breaches from part 2 programs. Additionally, HHS drafts and
posts summaries of each large breach on the website, using a
combination of GS-12, GS-13, GS-14, and GS-15 workers.\368\ In total,
the Department assumes it will take workers 1.5 hours to summarize each
breach and that there will be 267 breaches requiring summaries per
year, equaling a labor cost of approximately $32,107 per year. To
implement the enforcement requirements, breach portal maintenance, and
breach summary reporting, the Department estimates that first year
Federal costs will be approximately $2,260,021. The Department
estimates that, based on the GS within-grade step increases for each of
the GS-13 and GS-14 employees working to enforce part 2, the Federal
costs will be approximately $12,038,112 over 5 years. These
costs are presented in Table 18 below. The NPRM had not originally
included the cost to the Department in the total cost estimate.
However, as these costs to the Department are new to establish an
[[Page 12603]]
enforcement program for part 2, they have been incorporated into the
final costs, presented below.\369\
---------------------------------------------------------------------------
\366\ To determine the salary rate of the employees at the GS-13
and GS-14 pay scale, the Department used the U.S. OPM's GS
classification and pay system and used the Department's General
Schedule (Base) annual rates. The Department used the available 2022
data for the estimated costs. In 2022, the salary table for schedule
GS-13, step 1 annual rate is $213,646, including $106,823 plus 100%
for fringe benefits and overhead, and the GS-14, step 1 annual rate
is $252,466, including $126,233 plus 100% for fringe benefits and
overhead. The Department estimated the costs over 5 years based on
within-grade step increases based on an acceptable level of
performance and longevity (waiting periods of 1 year at steps 1-3
and 2 years at steps 4-6).
\367\ The Department estimates that the O&M costs of maintaining
the portal are $276,281 in 2022.
\368\ The Department uses hourly rates for Federal employees
from the OPM's GS Base hourly rates for 2022. All workers are
assumed to be at step 1. In 2022, GS-12 workers' hourly rate is
$65.46, including $32.73 plus 100% for fringe benefits and overhead;
GS-13 workers' hourly rate is $77.84, including $38.92 plus 100% for
fringe benefits and overhead; an average rate between GS-14 and GS-
15 workers is used, equaling $100.08, including $50.04 plus 100% for
fringe benefits and overhead; and lastly HHS headquarters staff is
calculated at the GS-12 step 1 level with Washington, DC locality
pay, equaling $86.06, including $43.04 plus 100% for fringe benefits
and overhead.
\369\ Note, an FY 2024 budget request to support additional
enforcement activity is pending. See U.S. Dep't of Health and Human
Servs., ``Department of Health and Human Services, Fiscal Year
2024,'' FY 2024 Budget Justification, General Department Management,
Office for Civil Rights, at 255, https://www.hhs.gov/sites/default/files/fy-2024-gdm-cj.pdf.
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TR16FE24.027
i. Comparison of Benefits and Costs
The final rule results in costs, cost savings, and benefits as
described in the preceding sections. Table 19 presents the 5-year costs
and cost savings associated with part 2. Finally, Table 20 provides a
narrative description of the non-quantified final rule changes and
costs and benefits.
[GRAPHIC] [TIFF OMITTED] TR16FE24.028
[GRAPHIC] [TIFF OMITTED] TR16FE24.029
[GRAPHIC] [TIFF OMITTED] TR16FE24.030
Consideration of Regulatory Alternatives
Upon review of public comments on the NPRM, the Department
considered alternatives to several proposals and the provisions that
are finalized in this rule as explained below.
Section 2.11 Definitions
Lawful Holder
Although not required by the CARES Act, the Department is
finalizing a regulatory definition of the term ``lawful holder.'' We
considered expressly excluding family, friends, and informal caregivers
from the definition because we understand that these types of informal
caregivers are overwhelmingly not professional entities and would not
have the means or other resources necessary to meet obligations that
part 2 places upon them. For example, Sec. 2.16 requires part 2
programs or other lawful holders to have in place formal policies and
procedures to protect against unauthorized disclosures and a patient's
family member who receives a record based on consent could not be
reasonably expected to comply.
The description of ``lawful holder'' as a person who has received a
part 2 record based on consent means that any person who receives
records pursuant to a valid consent could be considered a lawful
holder. We believe maintaining the parameters of the definition so it
is confined to those who receive records as specified, is clear and
unambiguous. To maintain this clarity, the Department believes it more
appropriate to carve out an exception in Sec. 2.16 for certain types
of lawful holders (i.e., family, friends, and informal caregivers) from
those obligations to which they should not reasonably be expected to
adhere. As we discuss in preamble, we do expect that these informal
caregivers will still exercise some level of caution and care when
handling these records.
Section 2.12 Exception for Reporting Suspected Abuse and Neglect
The Department considered for a second time expanding the exception
under Sec. 2.12(c)(6) for reporting suspected child abuse and neglect
to include reporting suspected abuse and neglect of adults. Such an
expansion would be consistent with the HIPAA Privacy Rule permission to
report abuse, neglect, or domestic violence at 45 CFR 164.512(c), and
could be beneficial for vulnerable adults, such as persons who are
incapacitated or otherwise are unable to make health care decisions on
their own behalf. However, Sec. 2.12(c)(6), under the authority of 42
U.S.C. 290dd-2, limits the reporting of abuse and neglect to reporting
child abuse and neglect as required by State or local law. Further,
section (c) of the authorizing statute also restricts uses of records
in criminal, civil, or administrative contexts, which could include
investigations by a protective services agency, for example, unless
pursuant to a court order or with the patient's consent. Therefore, the
Department determined that expanding the exception under Sec.
2.12(c)(6) to include reporting abuse and neglect of adults would
exceed the statutory authority although we believe such reporting is
needed.
Section 2.16 Security of Records and Notification of Breaches
The Department considered further harmonizing part 2 and the HIPAA
regulations by applying the HIPAA Security Rule, or components of it,
to
part 2 programs and other lawful holders with respect to electronic
part 2 records. A majority of commenters who addressed this issue
recommended applying the HIPAA Security Rule to part 2 programs;
however, few of these comments were from part 2 programs. Further, the
CARES Act did not make the HIPAA Security Rule applicable to part 2
programs. The Department is not finalizing any additional modifications
to align the HIPAA Security Rule and part 2 at this time, but will take
these comments into consideration in potential future rulemaking.
Breach Notification Obligation for QSOs
The Department considered expressly applying breach notification
provisions finalized in paragraph (b) of Sec. 2.16 to qualified
service organizations ``in the same manner as those provisions apply to
a business associate [. . .]''. To the extent that QSOs handle
unsecured part 2 records on behalf of part 2 programs, the same policy
objectives for requiring breach notification would equally apply.
Further, to align with the structure of HIPAA, which imposes breach
notification obligations on both covered entities and business
associates, the Department considered that finalizing a parallel
provision would further align the regulations. However, in analyzing
title 42, as amended by the CARES Act, Congress was silent on this
issue. In comparison, in section 13402(b) of the HITECH Act, Congress
expressly extended the obligation of a business associate to notify
the covered entity in the event of a breach of PHI. This difference leads
us to conclude that the requirement for QSOs to report was not
intended. However, we expect that part 2 programs are likely to
consider adding such requirements to QSO agreements to enable the
programs to meet their breach notification obligations.
Section 2.26 Right To Request Restrictions Based on Ability To Pay
Section 290dd-2 of title 42 of U.S.C., as amended by the CARES Act,
applied section 13405(c) of the HITECH Act, including the right of a
patient to obtain restrictions on disclosures to health plans for
services paid in full similar to how the right is structured in the
HIPAA Privacy Rule at 45 CFR 164.522 with respect to PHI. In response to
public comments, the Department considered a more equitable provision
that would require part 2 programs to agree to a requested restriction
in the case of those who cannot afford to pay for care in full. The
Department determined that the amended statute did not grant such
authority. The Sense of Congress in the CARES Act, section 3221(k)(3),
provides that: ``[c]overed entities should make every reasonable effort
to the extent feasible to comply with a patient's request for a
restriction regarding a particular use or disclosure.'' Although the
Sense of Congress did not include part 2 programs in its urging, we
encourage these programs to also make every reasonable effort to
fulfill requested restrictions on disclosures for TPO.
Sections 2.31 and 2.32 Tracking Consent and Revocation of Consent
The Department considered alternatives to facilitate the new TPO
consent and redisclosure permission for recipients of part 2 records
and ensure such records are protected from use and disclosure in
proceedings against the patient, absent consent or a court order. The
Department further considered how other changes to the scope of a
patient's consent would be tracked or communicated to recipients, such
as patient-requested restrictions on disclosures and revocation of
consent. We received many comments offering information about current
practices, technology capabilities, and different approaches to
tracking consent, revocation, and restrictions, as discussed in the
preamble, and considered not imposing any new requirements. However,
comments that sought no requirement to track the scope of consent
provided were from organizations that did not believe that the
prohibition on use of records in proceedings against patients should
continue to apply to records received by a covered entity or business
associate under a TPO consent. We disagree with this view and further,
recognize that patients may still provide a consent for disclosures
that is not a TPO consent. We considered requiring a copy of consent to
be attached to each disclosure without any other option; however, in
consideration of the amount of the burden and the available HIE models
used to exchange electronic records, we offer an option in new
paragraph (b) of Sec. 2.32 for disclosers to provide a clear
explanation of the scope of the consent provided. We believe this
offers the flexibility needed for health IT systems to exchange needed
information about the consent status of an electronic record.
The Department also analyzed how part 2 programs and recipients of
records would effectively implement a patient's revocation of consent
and considered adding a requirement for programs to notify recipients
when a consent is revoked. Upon consideration of the complexities and
burden this would impose we decided not to create a regulatory
requirement, but to explain our expectation in preamble that programs
would ensure patients' revocation rights are respected.
Section 2.52 Adding a Permission To Disclose Records in Limited Data
Sets
The Department considered adding a permission to allow part 2
programs to disclose records in the form of a limited data set. The
part 2 requirements for a limited data set would have matched those for
limited data sets under the HIPAA Privacy Rule (45 CFR 164.504(e)) and
would have responded to public comments requesting such a permission
for research and public health disclosures of records. However, title
42 refers only to the disclosure of records de-identified to the HIPAA
standard at 45 CFR 164.514(b) for public health purposes and this
differs from de-identification allowed for a limited data set under 45
CFR 164.514(e). Although the Department is finalizing new standards for
public health and research purposes that align with the 45 CFR
164.514(a) and (b), we are not promulgating a standard for limited data
sets at this time.
Subpart E Evidentiary Suppression Remedy for Records Obtained in
Violation of Part 2
In response to commenters' concerns about the potential for law
enforcement to obtain records through coerced patient consent, we
considered creating an express right for patients to request
suppression of records obtained in violation of this part for use as
evidence in proceedings against them. However, we determined that was
unnecessary for two reasons. First, the provision for patients to
consent to use and disclosure of records in investigations and
proceedings against them is not new--it is covered in Sec. 2.33(a)--
thus, newly heightened concern about consent based on changes in this
final rule is unwarranted. Second, the prohibition on disclosures based
on false consent in Sec. 2.31(c) offers some protection to patients
from coerced consent.
Sections 2.66 and 2.67 Preventing Misuse of Records by Investigative
Agencies
In response to public comments expressing concern about misuse of
records by investigative agencies shielded from liability under the
proposed safe harbor, the Department considered describing, in
preamble, the expectation that information from records obtained in
violation of part 2 cannot be used to apply for a court order for such
records. Instead, the
Department added language to Sec. Sec. 2.66(c)(3) and 2.67(c)(4) to
expressly prohibit the use of such information, in regulatory text. The
Department believes codifying the prohibition in regulatory text
creates an enforceable legal prohibition and more strongly deters
investigative agencies from misusing records or information obtained in
violation of part 2.
HIPAA NPP
The Department considered finalizing modifications to 45 CFR
164.520 in this final rule and decided not to do so, in part, because
of limitations on how often modifications may be made to the HIPAA
Privacy Rule.\370\ Thus, it is necessary to combine changes to the
HIPAA NPP with other changes to the HIPAA NPP that are anticipated in
the future. Finalizing changes to the HIPAA NPP in this final rule
would prevent us from making any further modifications to the HIPAA NPP
for one year. We realize this creates a possible gap when covered
entities may have changes in policies and procedures that are not
reflected in their HIPAA NPP; however, potentially needing to make
multiple changes to the HIPAA NPP over a short time span would be
equally problematic and confusing to individuals. Additionally, each
set of revisions to the HIPAA NPP would add a burden to covered
entities for making updates and distributing the HIPAA NPP totaling
approximately $45 million as described in the NPRM.\371\ As explained
in preamble, we intend to align compliance dates for any required
changes to the HIPAA NPP and part 2 Patient Notice to enable covered
entities to make such changes at the same time.
---------------------------------------------------------------------------
\370\ See 45 CFR 160.104 (limiting changes by the Secretary to
HIPAA standards or implementation specifications to once every 12
months).
\371\ See 87 FR 74216 (Dec. 2, 2022), Table 9b. Privacy Rule
Costs and Savings Over 5-year Time Horizon.
---------------------------------------------------------------------------
B. Regulatory Flexibility Act
The Department has examined the economic implications of this final
rule as required by the Regulatory Flexibility Act (5 U.S.C. 601-612).
If a rule has a significant economic impact on a substantial number of
small entities, the Regulatory Flexibility Act (RFA) requires agencies
to analyze regulatory options that would lessen the economic effect of
the rule on small entities. For purposes of the RFA, small entities
include small businesses, nonprofit organizations, and small
governmental jurisdictions. The Act defines ``small entities'' as (1) a
proprietary firm meeting the size standards of the Small Business
Administration (SBA), (2) a nonprofit organization that is not dominant
in its field, and (3) a small government jurisdiction of less than
50,000 population. The Department did not receive any public comments
on the NPRM small business analysis assumptions and is therefore making
no changes to them for this final rule; however, we have updated this
analysis of small entities for consistency with revisions to the
regulatory impact analysis relating to the costs and cost savings to
part 2 programs and covered entities. The Department has determined
that roughly 90 percent or more of all health care providers meet the
SBA size standard for a small business or are nonprofit organizations.
The Department assumes the part 2 program entities have the same size
distribution as health care providers. Therefore, the Department
estimates there are 14,459 small entities affected by this rule.\372\
The SBA size standard for health care providers ranges between a
maximum of $9 million and $47 million in annual receipts, depending
upon the type of entity.\373\
---------------------------------------------------------------------------
\372\ 14,459 = 16,066 (the number of part 2 programs) x 0.9 (90%
of all health care providers are small entities).
\373\ This range of size standards covers the full list of 6-digit
codes in Sector 62--Health Care and Social Assistance. The
analysis uses SBA size standards effective as of March 17, 2023.
U.S. Small Business Admin., ``Table of Small Business Size
Standards,'' https://www.sba.gov/sites/sbagov/files/2023-06/Table%20of%20Size%20Standards_Effective%20March%2017%2C%202023%20%282%29.pdf.
---------------------------------------------------------------------------
The projected costs and savings are discussed in detail in the RIA
(section 4.e.). This final rule would create cost savings for regulated
entities (part 2 programs and covered entities), many of which are
small entities. The Department considers a threshold for the size of
the impact of 3 to 5 percent of entity annual revenue as a measure of
significant economic impact. The Department estimates the annualized 3
percent discounted net savings, excluding Federal Government costs
since they do not apply to covered or small entities, of this rule to
be $4,921,888. Spread across 14,459 small entities, the average savings
per small entity are equal to $340.39. Since even the smallest entities
in Sector 62 average over $55,000 in annual receipts, the projected
impact for most of them is well below the 3 to 5 percent
threshold.\374\ Therefore, the Secretary certifies that this final rule
would not result in a significant negative impact on a substantial
number of small entities.
---------------------------------------------------------------------------
\374\ The entities in the smallest recorded receipt size
category (<$100,000) average $56,500 in annual receipts (in 2022
dollars). See U.S. Census. ``2017 SUSB Annual Data Tables by
Establishment Industry''. https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html.
---------------------------------------------------------------------------
C. Unfunded Mandates Reform Act
Section 202(a) of The Unfunded Mandates Reform Act of 1995 requires
that agencies assess anticipated costs and benefits before issuing any
rule whose mandates require spending that may result in expenditures in
any one year of $100 million in 1995 dollars, updated annually for
inflation. The current threshold after adjustment for inflation is $177
million, using the most current (2022) Implicit Price Deflator for the
Gross Domestic Product. The Department does not anticipate that this
final rule would result in the expenditure by state, local, and Tribal
governments, taken together, or by the private sector, of $177 million
or more in any one year. The final rule, however, presents novel legal
and policy issues, for which the Department is required to provide an
explanation of the need for this final rule and an assessment of any
potential costs and benefits associated with this rulemaking in
accordance with E.O.s 12866 and 13563. The Department presents this
analysis in the preceding sections.
D. Executive Order 13132--Federalism
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on state
and local governments, preempts state law, or otherwise has federalism
implications. The Department does not believe that this rulemaking
would have any federalism implications.
The federalism implications of the HIPAA Privacy, Security, Breach
Notification, and Enforcement Rules were assessed as required by E.O.
13132 and published as part of the preambles to the final rules on
December 28, 2000,\375\ February 20, 2003,\376\ and January 25,
2013.\377\ Regarding preemption, the preamble to the final HIPAA
Privacy Rule explains that the HIPAA statute dictates the relationship
between state law and HIPAA Privacy Rule requirements, and the Privacy
Rule's preemption provisions do not raise federalism issues. The HITECH
Act, at section 13421(a), provides that the HIPAA preemption provisions
shall apply to the HITECH Act provisions and requirements.
---------------------------------------------------------------------------
\375\ 65 FR 82462, 82797.
\376\ 68 FR 8334, 8373.
\377\ 78 FR 5566, 5686.
---------------------------------------------------------------------------
The federalism implications of part 2 were assessed and published
as part of
the preamble to proposed rules on February 9, 2016.\378\
---------------------------------------------------------------------------
\378\ 81 FR 6987, 7012 (Feb. 9, 2016).
---------------------------------------------------------------------------
The Department anticipates that the most significant direct costs
on state and local governments would be the cost for state and local
government-operated covered entities to revise consent forms, policies,
and procedures; provide notification in the event of a breach of part
2 records; and draft, print, and distribute Patient Notices for
individuals with first-time health encounters. The RIA above addresses
these costs in detail.
In considering the principles in and requirements of E.O. 13132,
the Department has determined that the final rule would not
significantly affect the rights, roles, and responsibilities of the
States.
E. Assessment of Federal Regulation and Policies on Families
Section 654 of the Treasury and General Government Appropriations
Act of 1999 \379\ requires Federal departments and agencies to
determine whether a proposed or final policy or regulation could affect
family well-being. If the determination is affirmative, then the
Department or agency must prepare an impact assessment to address
criteria specified in the law. The Department believes that these
regulations would positively impact the ability of patients and
families to coordinate treatment and payment for health care,
particularly for families to participate in the care and recovery of
their family members experiencing SUD treatment, by aligning the
permission for covered entities and business associates to use and
disclose records disclosed to them for TPO purposes with the
permissions available in the HIPAA Privacy Rule. The Department does
not anticipate negative impacts on family well-being as a result of
this regulation or the separate rulemaking as described.
---------------------------------------------------------------------------
\379\ Public Law 105-277, 112 Stat. 2681 (Oct. 21, 1998).
---------------------------------------------------------------------------
F. Paperwork Reduction Act of 1995
Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104-13),
agencies are required to submit to the OMB for review and approval any
reporting or recordkeeping requirements inherent in a proposed or final
rule, and are required to publish such proposed requirements for public
comment. The PRA requires agencies to provide a 60-day notice in the
Federal Register and solicit public comment on a proposed collection of
information before it is submitted to OMB for review and approval. To
fairly evaluate whether an information collection should be approved by
OMB, section 3506(c)(2)(A) of the PRA requires that the Department
solicit comment on the following issues:
1. Whether the information collection is necessary and useful to
carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information
collection burden;
3. The quality, utility, and clarity of the information to be
collected; and
4. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
The PRA requires consideration of the time, effort, and financial
resources necessary to meet the information collection requirements
referenced in this section. The Department did not receive comments
related to the previous notice but has adjusted the estimated
respondent burden in this request to reflect revised assumptions based
on updated information available at the time of the final rule's
publication. This revision resulted in adjusted cost estimates that are
consistent with the RIA presented in this final rule. The estimates
covered the employees' time for reviewing and completing the
collections required.
As discussed below, the Department estimates a total part 2 program
burden associated with all final rule part 2 changes of 672,663 hours
and $50,516,207, including capital costs and one-time burdens, across
all 16,066 part 2 programs for 1,864,367 annual patient admissions. On
average, this equates to an annual burden of 42 hours and $3,144 per
part 2 program and 0.36 hours and $27 per patient admission. Excluding
one-time costs that would be incurred in the first year of the final
rule's implementation, the average annual burden would be 27 hours and
$1,940 per part 2 program and 0.24 hours and $17 per patient admission.
In addition to program burdens, the Department's final rule would
increase burdens on investigative agencies for reporting annually to
the Secretary in the collective amount of 759 hours of labor and
$61,726 in costs. This would result in a total burden for part 2 of
672,663 hours in the first year after the rule becomes effective and
439,880 annual burden hours thereafter.
In this final rule, the Department is revising certain information
collection requirements and, as such, is revising the information
collection last prepared in 2020 and previously approved under OMB
control #0930-0092.
Explanation of Estimated Annualized Burden Hours for 42 CFR Part 2
The Department presents, in separate tables below, revised
estimates for existing burdens (Table 21), previously unquantified
ongoing burdens (Table 22), new ongoing burdens of the final rule
(Table 23), and new one-time burdens of the final rule (Table 24).
[GRAPHIC] [TIFF OMITTED] TR16FE24.031
As shown in Table 21, the Department is adjusting the currently
approved burden estimates to reflect an increase in the number of part
2 programs, from 13,585 to 16,066. The respondents for this collection
of information are publicly (Federal, State, or local) funded,
assisted, or regulated SUD treatment programs. The estimate of the
number of such programs (respondents) is based on the results of the
2020 N-SSATS, which represents an increase of 2,481 programs from the
2017 N-SSATS, which was the basis for the approved ICR under OMB No.
0930-0335. The average number of annual total responses is based on the
results of the average number of SUD treatment admissions from SAMHSA's
2019 TEDS as the number of annual patient
admissions by part 2 programs (1,864,367 patients). To accurately
reflect the number of disclosures, the Department based some estimates
on the number of patients (or a multiple of that number) and then
divided by the number of programs to arrive at the number of responses
per respondent. The Department based other estimates on the number of
programs and then multiplied by the estimated number of disclosures to
arrive at the total number of responses.
---------------------------------------------------------------------------
\380\ This refers to approved information collections; however,
the burden hours shown are adjusted for the final rule.
---------------------------------------------------------------------------
The estimate in the currently approved ICR includes the time spent
with the patient to obtain consent and the time for training for
counselors.\381\ The Department is now estimating the time for
obtaining consent separately from the burden of training time and
applies an average of 5 minutes per patient admission for obtaining
consent.
---------------------------------------------------------------------------
\381\ The Department estimated that the amount of time for
disclosure to a patient ranged from a low of 3-5 minutes to a high
of almost 38 minutes; the approximately 12-minute estimate used to
estimate burden reflected a judgment about the time needed to
adequately comply with the legal requirements and for basic training
of counselors on the importance of patient confidentiality.
---------------------------------------------------------------------------
For Sec. Sec. 2.31, 2.52, and 2.53, the Department is separating
out estimates for each provision which were previously reported
together and is also adjusting the estimates. For Sec. 2.31, the
Department believes that disclosures with written consent for TPO are
made for 100 percent of patients; due to the final rule changes to the
consent requirements, the Department assumes that part 2 programs would
experience a decreased burden from an average of 3 consents per
admission to 1 consent. Table 21 reflects 1 consent for each of the
1,864,367 annual patient admissions (used as a proxy for the estimated
number of patients) and a time burden of 5 minutes per consent for a
total of 155,364 burden hours. The previously unacknowledged burden of
obtaining multiple consents for each patient is shown in Table 22,
below.
The Department previously estimated that for Sec. Sec. 2.31
(consent), 2.52 (research), and 2.53 (audit and evaluation) combined,
part 2 programs would need to disclose an average of 15 percent of all
patients' records (1,864,367 records x .15 = 279,655 disclosures). The
Department is adjusting its estimates to reflect that 15 percent of
patients would have records disclosed without consent for research and
audits or evaluations and that this would be divided evenly between the
two provisions, resulting in 7.5% of 1,864,367 records (or
approximately 139,828 disclosures) for Sec. 2.52 disclosures and the
same for Sec. 2.53 disclosures. The Department previously estimated
that 10 percent of disclosed records would be disclosed in paper form
while the remaining 90 percent would be disclosed electronically. The
time burden for disclosing a paper record is estimated as 15 minutes
and the time for disclosing an electronic record as 5 minutes. For part
2 programs using paper records, the Department expects that a staff
member would need to gather and aggregate the information from paper
records, and manually track disclosures; for those part 2 programs with
a health IT system, the Department expects records and tracking
information will be available within the system.
For Sec. 2.36, the Department used the average number of opiate
treatment admissions from SAMHSA's 2019 TEDS (565,610 admissions) and
assumed the PDMP databases would need to be accessed and reported once
initially and quarterly thereafter for each patient (565,610 x 5 =
2,828,050). Dividing the number of opiate treatment admissions by the
number of SUD programs results in an average of 35.21 patients per
program (565,610 patients / 16,066 programs) and 176.03 PDMP updates
per respondent (35.21 patients/program x 5 PDMP updates per patient).
Based on discussions with providers, the Department believes accessing
and reporting to PDMP databases would take approximately 2 minutes per
patient, resulting in a total annual burden of 10 minutes (5 database
accesses/updates x 2 minutes per access/update) or 0.166 hours annually
per patient. For Sec. 2.51, the time estimate for recordkeeping for a
clerk to locate a patient record, record the necessary information and
re-file the record is 10 minutes.
[GRAPHIC] [TIFF OMITTED] TR16FE24.032
As shown in Table 22, for Sec. 2.31 the Department is recognizing
for the first time the burden on part 2 programs to obtain multiple
consents for each patient annually. The Department estimates that for
each patient admission to a program a minimum of 3 consents is needed
for disclosures of records: one each for treatment, payment, and health
care operations (1,864,367 x 3).
As shown in Table 21, a burden is already recognized for obtaining
consent, but the estimate assumed only one consent per admission under
the existing regulation and it was combined with estimates for
disclosures without consent under Sec. Sec. 2.52 (research) and 2.53
(audit and evaluation). The Department believes its previous
calculations underestimated the numbers of consents obtained annually,
and thus the Department views its updated estimate (i.e., adding two
consents per patient annually) as acknowledging a previously
unquantified burden. Additionally, recipients of part 2 records that
are covered entities or business associates must obtain consent for
redisclosure of these records. The Department estimates an average of
one-half of patients' records are disclosed to a covered entity or
business associate that needs to redisclose the record with consent
(1,864,367 x .5), and this also represents a previously unquantified
burden. Together, this would result in an increase of 2.5 consents
annually per
[[Page 12611]]
patient. However, this would be offset by the changes in this final
rule, which are estimated to result in a reduction in the number of
consents by 2.5 per patient, thus resulting in no change from the
currently approved burden of 1 consent per patient.
BILLING CODE 4153-01-P
[GRAPHIC] [TIFF OMITTED] TR16FE24.033
[[Page 12612]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.034
[[Page 12613]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.035
[[Page 12614]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.036
In Table 23 above, the Department shows an annualized new hourly
burden of approximately 94,781 hours due to final rule requirements for
receiving complaints, breach notification, accounting of disclosures of
records, responding to patient's requests for restrictions on
disclosures, discussing the Patient Notice, attaching consent form with
each disclosure, and required reporting by investigative agencies.
These burdens would be recurring. The estimates represent 2 percent of
the total estimated by the Department for compliance with the parallel
HIPAA requirements for covered entities. This percentage was calculated
by dividing the number of part 2 programs by the total number of
covered entities (16,066/774,331 = .02). The Department recognizes that this
is an overestimate because an unknown proportion of part 2 programs are
also covered entities. As a result of these calculations, the estimated
number of respondents and responses is not a whole number. The totals
were based on calculations that included decimals not shown in the
table, resulting in different totals than computed in ROCIS for some
line items. For Sec. 2.32, the Department estimates a new burden for
attaching a consent or a clear explanation of the scope of the consent
to each disclosure. The Department estimates that each part 2 program
would make three (3) annual disclosures per patient for 1,864,367
patients yearly. The Department also estimates that consent forms would
need to be attached to paper disclosures as well as electronic
disclosures and assumes ninety percent (90%) of disclosures are
received electronically, totaling 5,033,791 consents or explanations of
consent attached to electronic disclosures, while the remaining ten
percent (10%) would be received in paper format, totaling 559,310
attached paper disclosures. The Department assumes a receptionist or
information clerk would take 5 minutes to attach a consent form for
each paper disclosure and 30 seconds to attach a consent form for each
electronic disclosure. This would result in a total recurring burden of
46,609 hours for paper disclosures and 41,948 hours for electronic
disclosures.
The total number of responses for the accounting of disclosures has
been corrected in the table to show 100, whereas the proposed rule
displayed a total of 800. The total in Table 23 also includes the
Department's estimates for a recurring annual burden on investigative
agencies of 759 hours, relying on previous estimates for the burden of
reporting breaches of PHI to the Secretary at 1.5 hours per report.
[[Page 12615]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.037
[[Page 12616]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.038
As shown in Table 24, the Department estimates one-time burden
increases as a result of final rule changes to Sec. Sec. 2.16, 2.22,
2.31, and 2.32 and due to new provisions Sec. Sec. 2.25 and 2.26. The
nonrecurring burdens are for training staff on the final rule
provisions and for updating forms and notices. The Department estimates
that each part 2 program would need 5 hours of a training specialist's
time to prepare and present the training for a total of 80,330 burden
hours.
For Sec. 2.16, the Department estimates that each part 2 program
would need to train 1 manager on breach notification requirements for 1
hour, for a total of 16,066 burden hours. For Sec. 2.22, the
Department estimates that each program will need 1 hour of a lawyer's
time to update the content of the Patient Notice (for a total of 16,066
burden hours) and 15 minutes to train 202,072 part 2 counselors on the
new Patient Notice and right to discuss the Patient Notice requirements
(for 56,058 total burden hours).
For Sec. 2.25, the Department estimates that each part 2 program
would need to train a medical records specialist on the requirements of
accounting of disclosures requirements for 30 minutes, resulting in a
total burden of approximately 8,033 hours. For Sec. 2.26, the
Department estimates that each part 2 program would need to train three
staff (a front desk receptionist, a medical records technician, and a
billing clerk (16,066 part 2 programs x 3 staff)) for 15 minutes each
on the right of a patient to request restrictions on disclosures for
TPO. The base wage rate is an average of the mean hourly rate for the
three occupations being trained. This would total approximately 12,050
burden hours.
For Sec. 2.31, each part 2 program would need 40 minutes of a
lawyer's time to update the consent to disclosure form (for a total of
approximately 10,711 burden hours) and 30 minutes to train an average
of 2 front desk receptionists on the changed requirements for consent
(for a total of approximately 16,066 burden hours). For Sec. 2.32, the
Department estimates that each part 2 program would need 20 minutes of
a health care manager's time to update the content of the Notice to
Accompany Disclosure with the changed language provided in the final
rule, for a total of approximately 5,355 burden hours. This is likely
an over-estimate because an alternative, short form of the notice is
also provided in regulation, and the language for that form is
unchanged such that part 2 programs that are using the short form
notice could continue using the same notice and avoid any burden
increase.
Explanation of Estimated Capital Expenses for 42 CFR Part 2
BILLING CODE 4153-01-P
[[Page 12617]]
[GRAPHIC] [TIFF OMITTED] TR16FE24.039
BILLING CODE 4153-01-C
As shown above in Table 25, part 2 programs would incur new capital
costs for providing breach notification. The table also reflects
existing burdens for printing the Patient Notice, the Notice to
Accompany Disclosure, and Consents. The Department has estimated 50
percent of forms used would be printed on paper, taking into account
the notable increase in the use of telehealth services for the delivery
of SUD treatment and the expectation that the demand for telehealth
will continue.\382\
---------------------------------------------------------------------------
\382\ See Todd Molfenter, Nancy Roget, Michael Chaple, et al.,
``Use of Telehealth in Substance Use Disorder Services During and
After COVID-19: Online Survey Study,'' JMIR Mental Health (Aug. 2,
2021), https://mental.jmir.org/2021/2/e25835.
---------------------------------------------------------------------------
List of Subjects in 42 CFR Part 2
Administrative practice and procedure, Alcohol use disorder,
Alcoholism, Breach, Confidentiality, Courts, Drug abuse, Electronic
information system, Grant programs--health, Health, Health care, Health
care operations, Health care providers, Health information exchange,
Health plan, Health records, Hospitals, Investigations, Medicaid,
Medical research, Medicare, Patient rights, Penalties, Privacy,
Reporting and recordkeeping requirements, Security measures, Substance
use disorder.
Final Rule
For the reasons stated in the preamble, the U.S. Department of
Health and Human Services amends 42 CFR part 2 as set forth below:
Title 42--Public Health
PART 2--CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
0
1. Revise the authority citation for part 2 to read as follows:
Authority: 42 U.S.C. 290dd-2; 42 U.S.C. 290dd-2 note.
0
2. Revise Sec. 2.1 to read as follows:
Sec. 2.1 Statutory authority for confidentiality of substance use
disorder patient records.
Title 42, United States Code, section 290dd-2(g) authorizes the
Secretary to prescribe regulations to carry out the purposes of section
290dd-2. Such
[[Page 12618]]
regulations may contain such definitions, and may provide for such
safeguards and procedures, including procedures and criteria for the
issuance and scope of orders under subsection 290dd-2(b)(2)(C), as in
the judgment of the Secretary are necessary or proper to effectuate the
purposes of section 290dd-2, to prevent circumvention or evasion
thereof, or to facilitate compliance therewith.
0
3. Revise Sec. 2.2 to read as follows:
Sec. 2.2 Purpose and effect.
(a) Purpose. Pursuant to 42 U.S.C. 290dd-2(g), the regulations in
this part impose restrictions upon the use and disclosure of substance
use disorder patient records (``records,'' as defined in this part)
which are maintained in connection with the performance of any part 2
program. The regulations in this part include the following subparts:
(1) Subpart B: General Provisions, including definitions,
applicability, and general restrictions;
(2) Subpart C: Uses and Disclosures With Patient Consent, including
uses and disclosures that require patient consent and the consent form
requirements;
(3) Subpart D: Uses and Disclosures Without Patient Consent,
including uses and disclosures which do not require patient consent or
an authorizing court order; and
(4) Subpart E: Court Orders Authorizing Use and Disclosure,
including uses and disclosures of records which may be made with an
authorizing court order and the procedures and criteria for the entry
and scope of those orders.
(b) Effect. (1) The regulations in this part prohibit the use and
disclosure of records unless certain circumstances exist. If any
circumstance exists under which use or disclosure is permitted, that
circumstance acts to remove the prohibition on use and disclosure but
it does not compel the use or disclosure. Thus, the regulations in this
part do not require use or disclosure under any circumstance other than
when disclosure is required by the Secretary to investigate or
determine a person's compliance with this part pursuant to Sec.
2.3(c).
(2) The regulations in this part are not intended to direct the
manner in which substantive functions such as research, treatment, and
evaluation are carried out. They are intended to ensure that a patient
receiving treatment for a substance use disorder in a part 2 program is
not made more vulnerable by reason of the availability of their record
than an individual with a substance use disorder who does not seek
treatment.
(3) The regulations in this part shall not be construed to limit:
(i) A patient's right, as described in 45 CFR 164.522, to request a
restriction on the use or disclosure of a record for purposes of
treatment, payment, or health care operations.
(ii) A covered entity's choice, as described in 45 CFR 164.506, to
obtain the consent of the patient to use or disclose a record to carry
out treatment, payment, or health care operations.
0
4. Revise Sec. 2.3 to read as follows:
Sec. 2.3 Civil and criminal penalties for violations.
(a) Penalties. Any person who violates any provision of 42 U.S.C.
290dd-2(a)-(d), shall be subject to the applicable penalties under
sections 1176 and 1177 of the Social Security Act, 42 U.S.C. 1320d-5
and 1320d-6.
(b) Limitation on criminal or civil liability. A person who is
acting on behalf of an investigative agency having jurisdiction over
the activities of a part 2 program or other person holding records
under this part (or employees or agents of that part 2 program or
person holding the records) shall not incur civil or criminal liability
under 42 U.S.C. 290dd-2(f) for use or disclosure of such records
inconsistent with this part that occurs while acting within the scope
of their employment in the course of investigating or prosecuting a
part 2 program or person holding the record, if the person or
investigative agency demonstrates that the following conditions are
met:
(1) Before presenting a request, subpoena, or other demand for
records, or placing an undercover agent or informant in a health care
practice or provider, as applicable, such person acted with reasonable
diligence to determine whether the regulations in this part apply to
the records, part 2 program, or other person holding records under this
part. Reasonable diligence means taking all of the following actions
where it is reasonable to believe that the practice or provider
provides substance use disorder diagnostic, treatment, or referral for
treatment services:
(i) Searching for the practice or provider among the substance use
disorder treatment facilities in the online treatment locator
maintained by the Substance Abuse and Mental Health Services
Administration.
(ii) Searching in a similar state database of treatment facilities
where available.
(iii) Checking a provider's publicly available website, where
available, or its physical location to determine whether in fact such
services are provided.
(iv) Viewing the provider's Patient Notice or the Health Insurance
Portability and Accountability Act (HIPAA) Notice of Privacy Practices
(NPP) if it is available online or at the physical location.
(v) Taking all these actions within a reasonable period of time (no
more than 60 days) before requesting records from, or placing an
undercover agent or informant in, a health care practice or provider.
(2) The person followed all of the applicable provisions in this
part for any use or disclosure of the received records under this part
that occurred, or will occur, after the person or investigative agency
knew, or by exercising reasonable diligence would have known, that it
received records under this part.
(c) Enforcement. The provisions of 45 CFR part 160, subparts C, D,
and E, shall apply to noncompliance with this part in the same manner
as they apply to covered entities and business associates for
noncompliance with 45 CFR parts 160 and 164.
0
5. Revise Sec. 2.4 to read as follows:
Sec. 2.4 Complaints of noncompliance.
(a) Receipt of complaints. A part 2 program must provide a process
to receive complaints concerning the program's compliance with the
requirements of this part.
(b) Right to file a complaint. A person may file a complaint to the
Secretary for a violation of this part by a part 2 program, covered
entity, business associate, qualified service organization, or lawful
holder in the same manner as a person may file a complaint under 45 CFR
160.306 for a violation of the administrative simplification provisions
of the Health Insurance Portability and Accountability Act (HIPAA) of
1996.
(c) Refraining from intimidating or retaliatory acts. A part 2
program may not intimidate, threaten, coerce, discriminate against, or
take other retaliatory action against any patient for the exercise by
the patient of any right established, or for participation in any
process provided for, by this part, including the filing of a complaint
under this section or Sec. 2.3(c).
(d) Waiver of rights. A part 2 program may not require patients to
waive their right to file a complaint under this section or Sec. 2.3
as a condition of the provision of treatment, payment, enrollment, or
eligibility for any program subject to this part.
0
6. Amend Sec. 2.11 by:
0
a. Adding in alphabetical order definitions of ``Breach'', ``Business
associate'', ``Covered entity'', ``Health
[[Page 12619]]
care operations'', ``HIPAA'', and ``HIPAA regulations'';
0
b. Revising the introductory text in the definition of ``Informant'';
0
c. Adding in alphabetical order definitions of ``Intermediary'',
``Investigative agency'', and ``Lawful holder'';
0
d. Revising the definition of ``Part 2 program director'';
0
e. Adding a sentence at the end of the definition of ``Patient'';
0
f. Revising the definition of ``Patient identifying information'';
0
g. Adding in alphabetical order the definition of ``Payment'';
0
h. Revising the definition of ``Person'';
0
i. Adding in alphabetical order the definition of ``Personal
representative'';
0
j. Revising paragraph (1) in the definition of ``Program'';
0
k. Adding in alphabetical order the definition of ``Public health
authority'';
0
l. Revising the introductory text and paragraph (2) introductory text
and adding paragraph (3) in the definition of ``Qualified service
organization'';
0
l. Revising the definitions of ``Records'' and ``Substance use
disorder'';
0
m. Adding in alphabetical order the definition of ``Substance use
disorder (SUD) counseling notes'';
0
n. Revising the definitions of ``Third-party payer'', ``Treating
provider relationship'', and ``Treatment'';
0
o. Adding in alphabetical order definitions of ``Unsecured protected
health information'', ``Unsecured record'', and ``Use''.
The revisions and additions read as follows:
Sec. 2.11 Definitions.
* * * * *
Breach has the same meaning given that term in 45 CFR 164.402.
Business associate has the same meaning given that term in 45 CFR
160.103.
* * * * *
Covered entity has the same meaning given that term in 45 CFR
160.103.
* * * * *
Health care operations has the same meaning given that term in 45
CFR 164.501.
HIPAA means the Health Insurance Portability and Accountability Act
of 1996, Public Law 104-191, as amended by the privacy and security
provisions in subtitle D of title XIII of the Health Information
Technology for Economic and Clinical Health Act, Public Law 111-5
(``HITECH Act'').
HIPAA regulations means the regulations at 45 CFR parts 160 and 164
(commonly known as the HIPAA Privacy, Security, Breach Notification,
and Enforcement Rules or ``HIPAA Rules'').
Informant means a person:
* * * * *
Intermediary means a person, other than a part 2 program, covered
entity, or business associate, who has received records under a general
designation in a written patient consent to be disclosed to one or more
of its member participant(s) who has a treating provider relationship
with the patient.
Investigative agency means a Federal, state, Tribal, territorial,
or local administrative, regulatory, supervisory, investigative, law
enforcement, or prosecutorial agency having jurisdiction over the
activities of a part 2 program or other person holding records under
this part.
Lawful holder means a person who is bound by this part because they
have received records as the result of one of the following:
(1) Written consent in accordance with Sec. 2.31 with an
accompanying notice of disclosure.
(2) One of the exceptions to the written consent requirements in 42
U.S.C. 290dd-2 or this part.
* * * * *
Part 2 program director means:
(1) In the case of a part 2 program that is a natural person, that
person.
(2) In the case of a part 2 program that is an entity, the person
designated as director or managing director, or person otherwise vested
with authority to act as chief executive officer of the part 2 program.
Patient * * * In this part where the HIPAA regulations apply,
patient means an individual as that term is defined in 45 CFR 160.103.
Patient identifying information means the name, address, Social
Security number, fingerprints, photograph, or similar information by
which the identity of a patient, as defined in this section, can be
determined with reasonable accuracy either directly or by reference to
other information.
Payment has the same meaning given that term in 45 CFR 164.501.
Person has the same meaning given that term in 45 CFR 160.103.
Personal representative means a person who has authority under
applicable law to act on behalf of a patient who is an adult or an
emancipated minor in making decisions related to health care. Within
this part, a personal representative would have authority only with
respect to patient records relevant to such personal representation.
Program * * *
(1) A person (other than a general medical facility) that holds
itself out as providing, and provides, substance use disorder
diagnosis, treatment, or referral for treatment; or
* * * * *
Public health authority has the same meaning given that term in 45
CFR 164.501.
Qualified service organization means a person who:
* * * * *
(2) Has entered into a written agreement with a part 2 program
under which that person:
* * * * *
(3) Qualified service organization includes a person who meets the
definition of business associate in 45 CFR 160.103, paragraphs (1),
(2), and (3), for a part 2 program that is also a covered entity, with
respect to the use and disclosure of protected health information that
also constitutes a ``record'' as defined by this section.
Records means any information, whether recorded or not, created by,
received, or acquired by a part 2 program relating to a patient (e.g.,
diagnosis, treatment and referral for treatment information, billing
information, emails, voice mails, and texts), and including patient
identifying information, provided, however, that information conveyed
orally by a part 2 program to a provider who is not subject to this
part for treatment purposes with the consent of the patient does not
become a record subject to this part in the possession of the provider
who is not subject to this part merely because that information is
reduced to writing by that provider who is not subject to this part.
Records otherwise transmitted by a part 2 program to a provider who is
not subject to this part retain their characteristic as records in the
hands of the provider who is not subject to this part, but may be
segregated by that provider.
Substance use disorder (SUD) means a cluster of cognitive,
behavioral, and physiological symptoms indicating that the individual
continues using the substance despite significant substance-related
problems such as impaired control, social impairment, risky use, and
pharmacological tolerance and withdrawal. For the purposes of the
regulations in this part, this definition does not include tobacco or
caffeine use.
Substance use disorder (SUD) counseling notes means notes recorded
(in any medium) by a part 2 program provider who is a SUD or mental
health professional documenting or analyzing the contents of
conversation during a private SUD counseling session or a
[[Page 12620]]
group, joint, or family SUD counseling session and that are separated
from the rest of the patient's SUD and medical record. SUD counseling
notes excludes medication prescription and monitoring, counseling
session start and stop times, the modalities and frequencies of
treatment furnished, results of clinical tests, and any summary of the
following items: diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.
Third-party payer means a person, other than a health plan as
defined at 45 CFR 160.103, who pays or agrees to pay for diagnosis or
treatment furnished to a patient on the basis of a contractual
relationship with the patient or a member of the patient's family or on
the basis of the patient's eligibility for Federal, state, or local
governmental benefits.
Treating provider relationship means that, regardless of whether
there has been an actual in-person encounter:
(1) A patient is, agrees to be, or is legally required to be
diagnosed, evaluated, or treated, or agrees to accept consultation, for
any condition by a person; and
(2) The person undertakes or agrees to undertake diagnosis,
evaluation, or treatment of the patient, or consultation with the
patient, for any condition.
Treatment has the same meaning given that term in 45 CFR 164.501.
* * * * *
Unsecured protected health information has the same meaning given
that term in 45 CFR 164.402.
Unsecured record means any record, as defined in this part, that is
not rendered unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology specified by the
Secretary in the guidance issued under Public Law 111-5, section
13402(h)(2).
Use means, with respect to records, the sharing, employment,
application, utilization, examination, or analysis of the information
contained in such records that occurs either within an entity that
maintains such information or in the course of civil, criminal,
administrative, or legislative proceedings as described at 42 U.S.C.
290dd-2(c).
* * * * *
0
7. Amend Sec. 2.12 by:
0
a. Revising paragraphs (a)(1) introductory text, (a)(1)(ii), and
(a)(2);
0
b. Revising paragraph (b)(1);
0
c. Revising paragraphs (c)(2), (c)(3) introductory text, (c)(4), (c)(5)
introductory text, and (c)(6);
0
d. Revising paragraphs (d)(1) and (2); and
0
e. Revising paragraphs (e)(3), (e)(4) introductory text, and (e)(4)(i).
The revisions read as follows:
Sec. 2.12 Applicability.
(a) * * *
(1) Restrictions on use and disclosure. The restrictions on use and
disclosure in the regulations in this part apply to any records which:
* * * * *
(ii) Contain substance use disorder information obtained by a
federally assisted substance use disorder program after March 20, 1972
(part 2 program), or contain alcohol use disorder information obtained
by a federally assisted alcohol use disorder or substance use disorder
program after May 13, 1974 (part 2 program); or if obtained before the
pertinent date, is maintained by a part 2 program after that date as
part of an ongoing treatment episode which extends past that date; for
the purpose of treating a substance use disorder, making a diagnosis
for that treatment, or making a referral for that treatment.
(2) Restriction on use or disclosure. The restriction on use or
disclosure of information to initiate or substantiate any criminal
charges against a patient or to conduct any criminal investigation of a
patient (42 U.S.C. 290dd-2(c)) applies to any information, whether or
not recorded, which is substance use disorder information obtained by a
federally assisted substance use disorder program after March 20, 1972
(part 2 program), or is alcohol use disorder information obtained by a
federally assisted alcohol use disorder or substance use disorder
program after May 13, 1974 (part 2 program); or if obtained before the
pertinent date, is maintained by a part 2 program after that date as
part of an ongoing treatment episode which extends past that date; for
the purpose of treating a substance use disorder, making a diagnosis
for the treatment, or making a referral for the treatment.
(b) * * *
(1) It is conducted in whole or in part, whether directly or by
contract or otherwise by any department or agency of the United States
(but see paragraphs (c)(1) and (2) of this section relating to the
Department of Veterans Affairs and the Uniformed Services);
* * * * *
(c) * * *
(2) Uniformed Services. The regulations in this part apply to any
information described in paragraph (a) of this section which was
obtained by any component of the Uniformed Services during a period
when the patient was subject to the Uniform Code of Military Justice
except:
(i) Any interchange of that information within the Uniformed
Services and within those components of the Department of Veterans
Affairs furnishing health care to veterans; and
(ii) Any interchange of that information between such components
and the Uniformed Services.
(3) Communication within a part 2 program or between a part 2
program and an entity having direct administrative control over that
part 2 program. The restrictions on use and disclosure in the
regulations in this part do not apply to communications of information
between or among personnel having a need for the information in
connection with their duties that arise out of the provision of
diagnosis, treatment, or referral for treatment of patients with
substance use disorders if the communications are:
* * * * *
(4) Qualified service organizations. The restrictions on use and
disclosure in the regulations in this part do not apply to the
communications between a part 2 program and a qualified service
organization of information needed by the qualified service
organization to provide services to or on behalf of the program.
(5) Crimes on part 2 program premises or against part 2 program
personnel. The restrictions on use and disclosure in the regulations in
this part do not apply to communications from part 2 program personnel
to law enforcement agencies or officials which:
* * * * *
(6) Reports of suspected child abuse and neglect. The restrictions
on use and disclosure in the regulations in this part do not apply to
the reporting under state law of incidents of suspected child abuse and
neglect to the appropriate state or local authorities. However, the
restrictions continue to apply to the original substance use disorder
patient records maintained by the part 2 program including their use
and disclosure for civil or criminal proceedings which may arise out of
the report of suspected child abuse and neglect.
(d) * * *
(1) Restriction on use and disclosure of records. The restriction
on the use and disclosure of any record subject to the regulations in
this part to initiate or substantiate criminal charges against a
patient or to conduct any criminal investigation of a patient, or to
use in any civil, criminal, administrative, or legislative proceedings
against a patient, applies to any person who obtains the
[[Page 12621]]
record from a part 2 program, covered entity, business associate,
intermediary, or other lawful holder, regardless of the status of the
person obtaining the record or whether the record was obtained in
accordance with subpart E of this part. This restriction on use and
disclosure bars, among other things, the introduction into evidence of
a record or testimony in any criminal prosecution or civil action
before a Federal or state court, reliance on the record or testimony to
inform any decision or otherwise be taken into account in any
proceeding before a Federal, state, or local agency, the use of such
record or testimony by any Federal, state, or local agency for a law
enforcement purpose or to conduct any law enforcement investigation,
and the use of such record or testimony in any application for a
warrant, absent patient consent or a court order in accordance with
subpart E of this part. Records obtained by undercover agents or
informants, Sec. 2.17, or through patient access, Sec. 2.23, are
subject to the restrictions on uses and disclosures.
(2) Restrictions on uses and disclosures--(i) Third-party payers,
administrative entities, and others. The restrictions on use and
disclosure in the regulations in this part apply to:
(A) Third-party payers, as defined in this part, with regard to
records disclosed to them by part 2 programs or under Sec.
2.31(a)(4)(i);
(B) Persons having direct administrative control over part 2
programs with regard to information that is subject to the regulations
in this part communicated to them by the part 2 program under paragraph
(c)(3) of this section; and
(C) Persons who receive records directly from a part 2 program,
covered entity, business associate, intermediary, or other lawful
holder of patient identifying information and who are notified of the
prohibition on redisclosure in accordance with Sec. 2.32. A part 2
program, covered entity, or business associate that receives records
based on a single consent for all treatment, payment, and health care
operations is not required to segregate or segment such records.
(ii) Documentation of SUD treatment by providers who are not part 2
programs. Notwithstanding paragraph (d)(2)(i)(C) of this section, a
treating provider who is not subject to this part may record
information about a SUD and its treatment that identifies a patient.
This is permitted and does not constitute a record that has been
redisclosed under this part. The act of recording information about a
SUD and its treatment does not by itself render a medical record which
is created by a treating provider who is not subject to this part,
subject to the restrictions of this part.
* * * * *
(e) * * *
(3) Information to which restrictions are applicable. Whether a
restriction applies to the use or disclosure of a record affects the
type of records which may be disclosed. The restrictions on use and
disclosure apply to any records which would identify a specified
patient as having or having had a substance use disorder. The
restriction on use and disclosure of records to bring a civil action or
criminal charges against a patient in any civil, criminal,
administrative, or legislative proceedings applies to any records
obtained by the part 2 program for the purpose of diagnosis, treatment,
or referral for treatment of patients with substance use disorders.
(Restrictions on use and disclosure apply to recipients of records as
specified under paragraph (d) of this section.)
(4) How type of diagnosis affects coverage. These regulations cover
any record reflecting a diagnosis identifying a patient as having or
having had a substance use disorder which is initially prepared by a
part 2 program in connection with the treatment or referral for
treatment of a patient with a substance use disorder. A diagnosis
prepared by a part 2 program for the purpose of treatment or referral
for treatment, but which is not so used, is covered by the regulations
in this part. The following are not covered by the regulations in this
part:
(i) Diagnosis which is made on behalf of and at the request of a
law enforcement agency or official or a court of competent jurisdiction
solely for the purpose of providing evidence; or
* * * * *
8. Amend Sec. 2.13 by:
a. Revising paragraphs (a), (b), and (c)(1); and
b. Removing paragraph (d).
The revisions read as follows:
Sec. 2.13 Confidentiality restrictions and safeguards.
(a) General. The patient records subject to the regulations in this
part may be used or disclosed only as permitted by the regulations in
this part and may not otherwise be used or disclosed in any civil,
criminal, administrative, or legislative proceedings conducted by any
Federal, state, or local authority. Any use or disclosure made under
the regulations in this part must be limited to that information which
is necessary to carry out the purpose of the use or disclosure.
(b) Unconditional compliance required. The restrictions on use and
disclosure in the regulations in this part apply whether or not the
part 2 program or other lawful holder of the patient identifying
information believes that the person seeking the information already
has it, has other means of obtaining it, is a law enforcement agency or
official or other government official, has obtained a subpoena, or
asserts any other justification for a use or disclosure which is not
permitted by the regulations in this part.
(c) * * *
(1) The presence of an identified patient in a health care facility
or component of a health care facility that is publicly identified as a
place where only substance use disorder diagnosis, treatment, or
referral for treatment is provided may be acknowledged only if the
patient's written consent is obtained in accordance with subpart C of
this part or if an authorizing court order is entered in accordance
with subpart E of this part. The regulations permit acknowledgment of
the presence of an identified patient in a health care facility or part
of a health care facility if the health care facility is not publicly
identified as only a substance use disorder diagnosis, treatment, or
referral for treatment facility, and if the acknowledgment does not
reveal that the patient has a substance use disorder.
* * * * *
9. Amend Sec. 2.14 by revising paragraphs (a), (b)(1), (b)(2)
introductory text, (b)(2)(ii), and (c) to read as follows:
Sec. 2.14 Minor patients.
(a) State law not requiring parental consent to treatment. If a
minor patient acting alone has the legal capacity under the applicable
state law to apply for and obtain substance use disorder treatment, any
written consent for use or disclosure authorized under subpart C of
this part may be given only by the minor patient. This restriction
includes, but is not limited to, any disclosure of patient identifying
information to the parent or guardian of a minor patient for the
purpose of obtaining financial reimbursement. The regulations in this
paragraph (a) do not prohibit a part 2 program from refusing to provide
treatment until the minor patient consents to a use or disclosure that
is necessary to obtain reimbursement, but refusal to provide treatment
may be prohibited under a state or local law requiring the program to
furnish the service irrespective of ability to pay.
(b) * * *
(1) Where state law requires consent of a parent, guardian, or
other person for
a minor to obtain treatment for a substance use disorder, any written
consent for use or disclosure authorized under subpart C of this part
must be given by both the minor and their parent, guardian, or other
person authorized under state law to act on the minor's behalf.
(2) Where state law requires parental consent to treatment, the
fact of a minor's application for treatment may be communicated to the
minor's parent, guardian, or other person authorized under state law to
act on the minor's behalf only if:
* * * * *
(ii) The minor lacks the capacity to make a rational choice
regarding such consent as determined by the part 2 program director
under paragraph (c) of this section.
(c) Minor applicant for services lacks capacity for rational
choice. Facts relevant to reducing a substantial threat to the life or
physical well-being of the minor applicant or any other person may be
disclosed to the parent, guardian, or other person authorized under
state law to act on the minor's behalf if the part 2 program director
determines that:
(1) A minor applicant for services lacks capacity because of
extreme youth or mental or physical condition to make a rational
decision on whether to consent to a disclosure under subpart C of this
part to their parent, guardian, or other person authorized under state
law to act on the minor's behalf; and
(2) The minor applicant's situation poses a substantial threat to
the life or physical well-being of the minor applicant or any other
person which may be reduced by communicating relevant facts to the
minor's parent, guardian, or other person authorized under state law to
act on the minor's behalf.
10. Amend Sec. 2.15 by revising the section heading and paragraphs (a)
and (b)(2) to read as follows:
Sec. 2.15 Patients who lack capacity and deceased patients.
(a) Adult patients who lack capacity to make health care
decisions--(1) Adjudication by a court. In the case of a patient who
has been adjudicated as lacking the capacity, for any reason other than
insufficient age, to make their own health care decisions, any consent
which is required under the regulations in this part may be given by
the personal representative.
(2) No adjudication by a court. In the case of a patient, other
than a minor or one who has been adjudicated as lacking the capacity to
make health care decisions, that for any period suffers from a medical
condition that prevents knowing or effective action on their own
behalf, the part 2 program director may exercise the right of the
patient to consent to a use or disclosure under subpart C of this part
for the sole purpose of obtaining payment for services from a third-
party payer or health plan.
(b) * * *
(2) Consent by personal representative. Any other use or disclosure
of information identifying a deceased patient as having a substance use
disorder is subject to the regulations in this part. If a written
consent to the use or disclosure is required, that consent may be given
by the personal representative.
11. Revise Sec. 2.16 to read as follows:
Sec. 2.16 Security for records and notification of breaches.
(a) The part 2 program or other lawful holder of patient
identifying information must have in place formal policies and
procedures to reasonably protect against unauthorized uses and
disclosures of patient identifying information and to protect against
reasonably anticipated threats or hazards to the security of patient
identifying information.
(1) Requirements for formal policies and procedures. These policies
and procedures must address all of the following:
(i) Paper records, including:
(A) Transferring and removing such records;
(B) Destroying such records, including sanitizing the hard copy
media associated with the paper printouts, to render the patient
identifying information non-retrievable;
(C) Maintaining such records in a secure room, locked file cabinet,
safe, or other similar container, or storage facility when not in use;
(D) Using and accessing workstations, secure rooms, locked file
cabinets, safes, or other similar containers, and storage facilities
that use or store such information; and
(E) Rendering patient identifying information de-identified in
accordance with the requirements of 45 CFR 164.514(b) such that there
is no reasonable basis to believe that the information can be used to
identify a particular patient.
(ii) Electronic records, including:
(A) Creating, receiving, maintaining, and transmitting such
records;
(B) Destroying such records, including sanitizing the electronic
media on which such records are stored, to render the patient
identifying information non-retrievable;
(C) Using and accessing electronic records or other electronic
media containing patient identifying information; and
(D) Rendering the patient identifying information de-identified in
accordance with the requirements of 45 CFR 164.514(b) such that there
is no reasonable basis to believe that the information can be used to
identify a patient.
(2) Exception for certain lawful holders. Family, friends, and
other informal caregivers who are lawful holders as defined in this
part are not required to comply with paragraph (a) of this section.
(b) The provisions of 45 CFR part 160 and subpart D of 45 CFR part
164 shall apply to part 2 programs with respect to breaches of
unsecured records in the same manner as those provisions apply to a
covered entity with respect to breaches of unsecured protected health
information.
12. Amend Sec. 2.17 by revising paragraph (b) to read as follows:
Sec. 2.17 Undercover agents and informants.
* * * * *
(b) Restriction on use and disclosure of information. No
information obtained by an undercover agent or informant, whether or
not that undercover agent or informant is placed in a part 2 program
pursuant to an authorizing court order, may be used or disclosed to
criminally investigate or prosecute any patient.
13. Amend Sec. 2.19 by:
a. Revising paragraphs (a)(1) and (2);
b. Adding paragraph (a)(3);
c. Revising paragraphs (b)(1) introductory text, (b)(1)(i) introductory
text, (b)(1)(i)(A), and (b)(2).
The addition and revisions read as follows:
Sec. 2.19 Disposition of records by discontinued programs.
(a) * * *
(1) The patient who is the subject of the records gives written
consent (meeting the requirements of Sec. 2.31) to a transfer of the
records to the acquiring program or to any other program designated in
the consent (the manner of obtaining this consent must minimize the
likelihood of a disclosure of patient identifying information to a
third party);
(2) There is a legal requirement that the records be kept for a
period specified by law which does not expire until after the
discontinuation or acquisition of the part 2 program; or
(3) The part 2 program is transferred, retroceded, or reassumed
pursuant to the Indian Self-Determination and Education Assistance Act
(ISDEAA), 25 U.S.C. 5301 et seq., and its
implementing regulations in 25 CFR part 900.
(b) * * *
(1) Records in non-electronic (e.g., paper) form must be:
(i) Sealed in envelopes or other containers labeled as follows:
``Records of [insert name of program] required to be maintained under
[insert citation to statute, regulation, court order or other legal
authority requiring that records be kept] until a date not later than
[insert appropriate date]''.
(A) All hard copy media from which the paper records were produced,
such as printer and facsimile ribbons, drums, etc., must be sanitized
to render the data non-retrievable.
* * * * *
(2) All of the following requirements apply to records in
electronic form:
(i) Records must be:
(A) Transferred to a portable electronic device with implemented
encryption to encrypt the data at rest so that there is a low
probability of assigning meaning without the use of a confidential
process or key and implemented access controls for the confidential
process or key; or
(B) Transferred, along with a backup copy, to separate electronic
media, so that both the records and the backup copy have implemented
encryption to encrypt the data at rest so that there is a low
probability of assigning meaning without the use of a confidential
process or key and implemented access controls for the confidential
process or key.
(ii) Within one year of the discontinuation or acquisition of the
program, all electronic media on which the patient records or patient
identifying information resided prior to being transferred to the
device specified in paragraph (b)(2)(i)(A) of this section or the
original and backup electronic media specified in paragraph
(b)(2)(i)(B) of this section, including email and other electronic
communications, must be sanitized to render the patient identifying
information non-retrievable in a manner consistent with the
discontinued program's or acquiring program's policies and procedures
established under Sec. 2.16.
(iii) The portable electronic device or the original and backup
electronic media must be:
(A) Sealed in a container along with any equipment needed to read
or access the information, and labeled as follows: ``Records of [insert
name of program] required to be maintained under [insert citation to
statute, regulation, court order or other legal authority requiring
that records be kept] until a date not later than [insert appropriate
date];'' and
(B) Held under the restrictions of the regulations in this part by
a responsible person who must store the container in a manner that will
protect the information (e.g., climate-controlled environment).
(iv) The responsible person must be included on the access control
list and be provided a means for decrypting the data. The responsible
person must store the decryption tools on a device or at a location
separate from the data they are used to encrypt or decrypt.
(v) As soon as practicable after the end of the required retention
period specified on the label, the portable electronic device or the
original and backup electronic media must be sanitized to render the
patient identifying information non-retrievable consistent with the
policies established under Sec. 2.16.
14. Revise Sec. 2.20 to read as follows:
Sec. 2.20 Relationship to state laws.
The statute authorizing the regulations in this part (42 U.S.C.
290dd-2) does not preempt the field of law which they cover to the
exclusion of all state laws in that field. If a use or disclosure
permitted under the regulations in this part is prohibited under state
law, neither the regulations in this part nor the authorizing statute
may be construed to authorize any violation of that state law. However,
no state law may either authorize or compel any use or disclosure
prohibited by the regulations in this part.
15. Amend Sec. 2.21 by revising paragraph (b) to read as follows:
Sec. 2.21 Relationship to federal statutes protecting research
subjects against compulsory disclosure of their identity.
* * * * *
(b) Effect of concurrent coverage. The regulations in this part
restrict the use and disclosure of information about patients, while
administrative action taken under the research privilege statutes and
implementing regulations in paragraph (a) of this section protects a
person engaged in applicable research from being compelled to disclose
any identifying characteristics of the individuals who are the subjects
of that research. The issuance under subpart E of this part of a court
order authorizing a disclosure of information about a patient does not
affect an exercise of authority under these research privilege
statutes.
16. Revise Sec. 2.22 to read as follows:
Sec. 2.22 Notice to patients of Federal confidentiality requirements.
(a) Notice required. At the time of admission to a part 2 program
or, in the case that a patient does not have capacity upon admission to
understand their medical status, as soon thereafter as the patient
attains such capacity, each part 2 program shall inform the patient
that Federal law protects the confidentiality of substance use disorder
patient records.
(b) Content of notice. In addition to the communication required in
paragraph (a) of this section, a part 2 program shall provide notice,
written in plain language, of the program's legal duties and privacy
practices, as specified in this paragraph (b).
(1) Required elements. The notice must include the following
content:
(i) Header. The notice must contain the following statement as a
header or otherwise prominently displayed.
Notice of Privacy Practices of [Name of Part 2 Program]
This notice describes:
HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE
PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS
CONCERNING YOUR INFORMATION
YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC
FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL]
IF YOU HAVE ANY QUESTIONS.
(ii) Uses and disclosures. The notice must contain:
(A) A description of each of the purposes for which the part 2
program is permitted or required by this part to use or disclose
records without the patient's written consent.
(B) If a use or disclosure for any purpose described in paragraph
(b)(1)(ii)(A) of this section is prohibited or materially limited by
other applicable law, the description of such use or disclosure must
reflect the more stringent law.
(C) For each purpose described in accordance with paragraphs
(b)(1)(ii)(A) and (B) of this section, the description must include
sufficient detail to place the patient on notice of the uses and
disclosures that are permitted or required by this part and other
applicable law.
(D) A description, including at least one example, of the types of
uses and disclosures that require written consent under this part.
(E) A statement that a patient may provide a single consent for all
future
uses or disclosures for treatment, payment, and health care operations
purposes.
(F) A statement that the part 2 program will make uses and
disclosures not described in the notice only with the patient's written
consent.
(G) A statement that the patient may revoke written consent as
provided by Sec. Sec. 2.31 and 2.35.
(H) A statement that includes the following information:
(1) Records, or testimony relaying the content of such records,
shall not be used or disclosed in any civil, administrative, criminal,
or legislative proceedings against the patient unless based on specific
written consent or a court order;
(2) Records shall only be used or disclosed based on a court order
after notice and an opportunity to be heard is provided to the patient
or the holder of the record, where required by 42 U.S.C. 290dd-2 and
this part; and
(3) A court order authorizing use or disclosure must be accompanied
by a subpoena or other similar legal mandate compelling disclosure
before the record is used or disclosed.
(iii) Separate statements for certain uses or disclosures. If the
part 2 program intends to engage in any of the following activities,
the description required by paragraph (b)(1)(ii)(D) of this section
must include a separate statement as follows:
(A) Records that are disclosed to a part 2 program, covered entity,
or business associate pursuant to the patient's written consent for
treatment, payment, and health care operations may be further disclosed
by that part 2 program, covered entity, or business associate, without
the patient's written consent, to the extent the HIPAA regulations
permit such disclosure.
(B) A part 2 program may use or disclose records to fundraise for
the benefit of the part 2 program only if the patient is first provided
with a clear and conspicuous opportunity to elect not to receive
fundraising communications.
(iv) Patient rights. The notice must contain a statement of the
patient's rights with respect to their records and a brief description
of how the patient may exercise these rights, as follows:
(A) Right to request restrictions of disclosures made with prior
consent for purposes of treatment, payment, and health care operations,
as provided in Sec. 2.26.
(B) Right to request and obtain restrictions of disclosures of
records under this part to the patient's health plan for those services
for which the patient has paid in full, in the same manner as 45 CFR
164.522 applies to disclosures of protected health information.
(C) Right to an accounting of disclosures of electronic records
under this part for the past 3 years, as provided in Sec. 2.25, and a
right to an accounting of disclosures that meets the requirements of 45
CFR 164.528(a)(2) and (b) through (d) for all other disclosures made
with consent.
(D) Right to a list of disclosures by an intermediary for the past
3 years as provided in Sec. 2.24.
(E) Right to obtain a paper or electronic copy of the notice from
the part 2 program upon request.
(F) Right to discuss the notice with a designated contact person or
office identified by the part 2 program pursuant to paragraph
(b)(1)(vii) of this section.
(G) Right to elect not to receive fundraising communications.
(v) Part 2 program's duties. The notice must contain:
(A) A statement that the part 2 program is required by law to
maintain the privacy of records, to provide patients with notice of its
legal duties and privacy practices with respect to records, and to
notify affected patients following a breach of unsecured records;
(B) A statement that the part 2 program is required to abide by the
terms of the notice currently in effect; and
(C) For the part 2 program to apply a change in a privacy practice
that is described in the notice to records that the part 2 program
created or received prior to issuing a revised notice, a statement that
it reserves the right to change the terms of its notice and to make the
new notice provisions effective for records that it maintains. The
statement must also describe how it will provide patients with a
revised notice.
(vi) Complaints. The notice must contain a statement that patients
may complain to the part 2 program and to the Secretary if they believe
their privacy rights have been violated, a brief description of how the
patient may file a complaint with the program, and a statement that the
patient will not be retaliated against for filing a complaint.
(vii) Contact. The notice must contain the name, or title,
telephone number, and email address of a person or office to contact
for further information about the notice.
(viii) Effective date. The notice must contain the date on which
the notice is first in effect, which may not be earlier than the date
on which the notice is printed or otherwise published.
(2) Optional elements. (i) In addition to the content required by
paragraph (b)(1) of this section, if a part 2 program elects to limit
the uses or disclosures that it is permitted to make under this part,
the part 2 program may describe its more limited uses or disclosures in
its notice, provided that the part 2 program may not include in its
notice a limitation affecting its right to make a use or disclosure
that is required by law or permitted to be made for emergency
treatment.
(ii) For the part 2 program to apply a change in its more limited
uses and disclosures to records created or received prior to issuing a
revised notice, the notice must include the statements required by
paragraph (b)(1)(v)(C) of this section.
(3) Revisions to the notice. The part 2 program must promptly
revise and distribute its notice whenever there is a material change to
the uses or disclosures, the patient's rights, the part 2 program's
legal duties, or other privacy practices stated in the notice. Except
when required by law, a material change to any term of the notice may
not be implemented prior to the effective date of the notice in which
such material change is reflected.
(c) Implementation specifications: Provision of notice. A part 2
program must make the notice required by this section available upon
request to any person and to any patient; and
(1) A part 2 program must provide the notice:
(i) No later than the date of the first service delivery, including
service delivered electronically, to such patient after the compliance
date for the part 2 program; or
(ii) In an emergency treatment situation, as soon as reasonably
practicable after the emergency treatment situation.
(2) If the part 2 program maintains a physical service delivery
site:
(i) Have the notice available at the service delivery site for
patients to request to take with them; and
(ii) Post the notice in a clear and prominent location where it is
reasonable to expect patients seeking service from the part 2 program
to be able to read the notice in a manner that does not identify the
patient as receiving treatment or services for substance use disorder;
and
(iii) Whenever the notice is revised, make the notice available
upon request on or after the effective date of the revision and
promptly comply with the requirements of paragraph (c)(2)(ii) of this
section, if applicable.
(3) Specific requirements for electronic notice include all the
following:
(i) A part 2 program that maintains a website that provides
information about the part 2 program's customer services or benefits
must prominently post its notice on the website and make the notice
available electronically through the website.
(ii) A part 2 program may provide the notice required by this
section to a patient by email, if the patient agrees to electronic
notice and such agreement has not been withdrawn. If the part 2 program
knows that the email transmission has failed, a paper copy of the
notice must be provided to the patient. Provision of electronic notice
by the part 2 program will satisfy the provision requirements of this
paragraph (c) when timely made in accordance with paragraph (c)(1) or
(2) of this section.
(iii) For purposes of paragraph (c)(2)(i) of this section, if the
first service delivery to an individual is delivered electronically,
the part 2 program must provide electronic notice automatically and
contemporaneously in response to the individual's first request for
service. The requirements in paragraph (c)(2)(ii) of this section apply
to electronic notice.
(iv) The patient who is the recipient of electronic notice retains
the right to obtain a paper copy of the notice from a part 2 program
upon request.
17. Amend Sec. 2.23 by revising the section heading and paragraph (b)
to read as follows:
Sec. 2.23 Patient access and restrictions on use and disclosure.
* * * * *
(b) Restriction on use and disclosure of information. Information
obtained by patient access to their record is subject to the
restriction on use and disclosure of records to initiate or
substantiate any criminal charges against the patient or to conduct any
criminal investigation of the patient as provided for under Sec.
2.12(d)(1).
18. Add Sec. 2.24 to subpart B to read as follows:
Sec. 2.24 Requirements for intermediaries.
Upon request, an intermediary must provide to patients who have
consented to the disclosure of their records using a general
designation, pursuant to Sec. 2.31(a)(4)(ii)(B), a list of persons to
which their records have been disclosed pursuant to the general
designation.
(a) Under this section, patient requests:
(1) Must be made in writing; and
(2) Are limited to disclosures made within the past 3 years.
(b) Under this section, the entity named on the consent form that
discloses information pursuant to a patient's general designation (the
entity that serves as an intermediary) must:
(1) Respond in 30 or fewer days of receipt of the written request;
and
(2) Provide, for each disclosure, the name(s) of the entity(ies) to
which the disclosure was made, the date of the disclosure, and a brief
description of the patient identifying information disclosed.
19. Add Sec. 2.25 to subpart B to read as follows:
Sec. 2.25 Accounting of disclosures.
(a) General rule. Subject to the limitations in paragraph (b) of
this section, a part 2 program must provide to a patient, upon request,
an accounting of all disclosures made with consent under Sec. 2.31 in
the 3 years prior to the date of the request (or a shorter time period
chosen by the patient). The accounting of disclosures must meet the
requirements of 45 CFR 164.528(a)(2) and (b) through (d).
(b) Accounting of disclosures for treatment, payment, and health
care operations. (1) A part 2 program must provide a patient with an
accounting of disclosures of records for treatment, payment, and health
care operations only where such disclosures are made through an
electronic health record.
(2) A patient has a right to receive an accounting of disclosures
described in paragraph (b)(1) of this section during only the 3 years
prior to the date on which the accounting is requested.
20. Add Sec. 2.26 to subpart B to read as follows:
Sec. 2.26 Right to request privacy protection for records.
(a)(1) A part 2 program must permit a patient to request that the
part 2 program restrict uses or disclosures of records about the
patient to carry out treatment, payment, or health care operations,
including when the patient has signed written consent for such
disclosures.
(2) Except as provided in paragraph (a)(6) of this section, a part
2 program is not required to agree to a restriction.
(3) A part 2 program that agrees to a restriction under paragraph
(a)(1) of this section may not use or disclose records in violation of
such restriction, except that, if the patient who requested the
restriction is in need of emergency treatment and the restricted record
is needed to provide the emergency treatment, the part 2 program may
use the restricted record, or may disclose information derived from the
record to a health care provider, to provide such treatment to the
patient.
(4) If information from a restricted record is disclosed to a
health care provider for emergency treatment under paragraph (a)(3) of
this section, the part 2 program must request that such health care
provider not further use or disclose the information.
(5) A restriction agreed to by a part 2 program under paragraph (a)
of this section is not effective under this subpart to prevent uses or
disclosures required by law or permitted by this part for purposes
other than treatment, payment, and health care operations.
(6) A part 2 program must agree to the request of a patient to
restrict disclosure of records about the patient to a health plan if:
(i) The disclosure is for the purpose of carrying out payment or
health care operations and is not otherwise required by law; and
(ii) The record pertains solely to a health care item or service
for which the patient, or person other than the health plan on behalf
of the patient, has paid the part 2 program in full.
(b) A part 2 program may terminate a restriction, if one of the
following applies:
(1) The patient agrees to or requests the termination in writing.
(2) The patient orally agrees to the termination and the oral
agreement is documented.
(3) The part 2 program informs the patient that it is terminating
its agreement to a restriction, except that such termination is:
(i) Not effective for records restricted under paragraph (a)(6) of
this section; and
(ii) Only effective with respect to records created or received
after it has so informed the patient.
21. Revise the heading of subpart C to read as follows:
Subpart C--Uses and Disclosures With Patient Consent
* * * * *
22. Amend Sec. 2.31 by:
a. Revising paragraphs (a) introductory text and (a)(2) through (8);
b. Adding paragraph (a)(10);
c. Redesignating paragraph (b) as paragraph (c);
d. Adding a new paragraph (b);
e. Revising newly redesignated paragraph (c); and
f. Adding paragraph (d).
The revisions and additions read as follows:
Sec. 2.31 Consent requirements.
(a) Required elements for written consent. A written consent to a
use or disclosure under the regulations in this part may be paper or
electronic and must include:
* * * * *
(2) The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use or disclosure.
(3) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion.
(4)(i) General requirement for designating recipients. The name(s)
of the person(s), or class of persons, to which a disclosure is to be
made (``recipient(s)''). For a single consent for all future uses and
disclosures for treatment, payment, and health care operations, the
recipient may be described as ``my treating providers, health plans,
third-party payers, and people helping to operate this program'' or a
similar statement.
(ii) Special instructions for intermediaries. Notwithstanding
paragraph (a)(4)(i) of this section, if the recipient entity is an
intermediary, a written consent must include the name(s) of the
intermediary(ies) and:
(A) The name(s) of the member participants of the intermediary; or
(B) A general designation of a participant(s) or class of
participants, which must be limited to a participant(s) who has a
treating provider relationship with the patient whose information is
being used or disclosed.
(iii) Special instructions when designating certain recipients. If
the recipient is a covered entity or business associate to whom a
record (or information contained in a record) is disclosed for purposes
of treatment, payment, or health care operations, a written consent
must include the statement that the patient's record (or information
contained in the record) may be redisclosed in accordance with the
permissions contained in the HIPAA regulations, except for uses and
disclosures for civil, criminal, administrative, and legislative
proceedings against the patient.
(5) A description of each purpose of the requested use or
disclosure.
(i) The statement ``at the request of the patient'' is a sufficient
description of the purpose when a patient initiates the consent and
does not, or elects not to, provide a statement of the purpose.
(ii) The statement, ``for treatment, payment, and health care
operations'' is a sufficient description of the purpose when a patient
provides consent once for all such future uses or disclosures for those
purposes.
(iii) If a part 2 program intends to use or disclose records to
fundraise on its own behalf, a statement about the patient's right to
elect not to receive any fundraising communications.
(6) The patient's right to revoke the consent in writing, except to
the extent that the part 2 program or other lawful holder of patient
identifying information that is permitted to make the disclosure has
already acted in reliance on it, and how the patient may revoke
consent.
(7) An expiration date or an expiration event that relates to the
individual patient or the purpose of the use or disclosure. The
statement ``end of the treatment,'' ``none,'' or similar language is
sufficient if the consent is for a use or disclosure for treatment,
payment, or health care operations. The statement ``end of the research
study'' or similar language is sufficient if the consent is for a use
or disclosure for research, including for the creation and maintenance
of a research database or research repository.
(8) The signature of the patient and, when required for a patient
who is a minor, the signature of a person authorized to give consent
under Sec. 2.14; or, when required for a patient who has been
adjudicated as lacking the capacity to make their own health care
decisions or is deceased, the signature of a person authorized to sign
under Sec. 2.15. Electronic signatures are permitted to the extent
that they are not prohibited by any applicable law.
* * * * *
(10) A patient's written consent to use or disclose records for
treatment, payment, or health care operations must include all of the
following statements:
(i) The potential for the records used or disclosed pursuant to the
consent to be subject to redisclosure by the recipient and no longer
protected by this part.
(ii) The consequences to the patient of a refusal to sign the
consent.
(b) Consent required: SUD counseling notes. (1) Notwithstanding any
provision of this subpart, a part 2 program must obtain consent for any
use or disclosure of SUD counseling notes, except:
(i) To carry out the following treatment, payment, or health care
operations:
(A) Use by the originator of the SUD counseling notes for
treatment;
(B) Use or disclosure by the part 2 program for its own training
programs in which students, trainees, or practitioners in SUD treatment
or mental health learn under supervision to practice or improve their
skills in group, joint, family, or individual SUD counseling; or
(C) Use or disclosure by the part 2 program to defend itself in a
legal action or other proceeding brought by the patient;
(ii) A use or disclosure that is required by Sec. 2.2(b) or
permitted by Sec. 2.15(b); Sec. 2.53 with respect to the oversight of
the originator of the SUD counseling notes; Sec. 2.63(a); Sec. 2.64.
(2) A written consent for a use or disclosure of SUD counseling
notes may only be combined with another written consent for a use or
disclosure of SUD counseling notes.
(3) A part 2 program may not condition the provision to a patient
of treatment, payment, enrollment in a health plan, or eligibility for
benefits on the provision of a written consent for a use or disclosure
of SUD counseling notes.
(c) Expired, deficient, or false consent. A disclosure may not be
made on the basis of a consent which:
(1) Has expired;
(2) On its face substantially fails to conform to any of the
requirements set forth in paragraph (a) of this section;
(3) Is known to have been revoked; or
(4) Is known, or through reasonable diligence could be known, by
the person holding the records to be materially false.
(d) Consent for use and disclosure of records in civil, criminal,
administrative, or legislative proceedings. Patient consent for use and
disclosure of records (or testimony relaying information contained in a
record) in a civil, criminal, administrative, or legislative
investigation or proceeding cannot be combined with a consent to use
and disclose a record for any other purpose.
23. Revise Sec. 2.32 to read as follows:
Sec. 2.32 Notice and copy of consent to accompany disclosure.
(a) Each disclosure made with the patient's written consent must be
accompanied by one of the following written statements (i.e., paragraph
(a)(1) or (2) of this section):
(1) Statement 1.
This record which has been disclosed to you is protected by Federal
confidentiality rules (42 CFR part 2). These rules prohibit you from
using or disclosing this record, or testimony that describes the
information contained in this record, in any civil, criminal,
administrative, or legislative proceedings by any Federal, State, or
local authority, against the patient, unless authorized by the consent
of the patient, except as provided at 42 CFR 2.12(c)(5) or as
authorized by a court in accordance with 42 CFR 2.64 or 2.65. In
addition, the Federal rules prohibit you from making any other use or
disclosure of this record unless at least
one of the following applies:
(i) Further use or disclosure is expressly permitted by the written
consent of the individual whose information is being disclosed in this
record or as otherwise permitted by 42 CFR part 2.
(ii) You are a covered entity or business associate and have
received the record for treatment, payment, or health care operations,
or
(iii) You have received the record from a covered entity or
business associate as permitted by 45 CFR part 164, subparts A and E.
A general authorization for the release of medical or other
information is NOT sufficient to meet the required elements of written
consent to further use or redisclose the record (see 42 CFR 2.31).
(2) Statement 2. ``42 CFR part 2 prohibits unauthorized use or
disclosure of these records.''
(b) Each disclosure made with the patient's written consent must be
accompanied by a copy of the consent or a clear explanation of the
scope of the consent provided.
24. Revise Sec. 2.33 to read as follows:
Sec. 2.33 Uses and disclosures permitted with written consent.
(a) If a patient consents to a use or disclosure of their records
consistent with Sec. 2.31, the following uses and disclosures are
permitted, as applicable:
(1) A part 2 program may use and disclose those records in
accordance with that consent to any person or category of persons
identified or generally designated in the consent, except that
disclosures to central registries and in connection with criminal
justice referrals must meet the requirements of Sec. Sec. 2.34 and
2.35, respectively.
(2) When the consent provided is a single consent for all future
uses and disclosures for treatment, payment, and health care
operations, a part 2 program, covered entity, or business associate may
use and disclose those records for treatment, payment, and health care
operations as permitted by the HIPAA regulations, until such time as
the patient revokes such consent in writing.
(b) If a patient consents to a use or disclosure of their records
consistent with Sec. 2.31, the recipient may further disclose such
records as provided in subpart E of this part, and as follows:
(1) When disclosed for treatment, payment, and health care
operations activities to a covered entity or business associate, such
recipient may further disclose those records in accordance with the
HIPAA regulations, except for uses and disclosures for civil, criminal,
administrative, and legislative proceedings against the patient.
(2) When disclosed with consent given once for all future
treatment, payment, and health care operations activities to a part 2
program that is not a covered entity or business associate, the
recipient may further disclose those records consistent with the
consent.
(3) When disclosed for payment or health care operations activities
to a lawful holder that is not a covered entity or business associate,
the recipient may further disclose those records as may be necessary
for its contractors, subcontractors, or legal representatives to carry
out the payment or health care operations specified in the consent on
behalf of such lawful holders.
(c) Lawful holders, other than covered entities and business
associates, who wish to redisclose patient identifying information
pursuant to paragraph (b)(3) of this section must have in place a
written contract or comparable legal instrument with the contractor or
voluntary legal representative, which provides that the contractor,
subcontractor, or voluntary legal representative is fully bound by the
provisions of this part upon receipt of the patient identifying
information. In making any such redisclosures, the lawful holder must
furnish such recipients with the notice required under Sec. 2.32;
require such recipients to implement appropriate safeguards to prevent
unauthorized uses and disclosures; and require such recipients to
report any unauthorized uses, disclosures, or breaches of patient
identifying information to the lawful holder. The lawful holder may
only redisclose information to the contractor or subcontractor or
voluntary legal representative that is necessary for the contractor,
subcontractor, or voluntary legal representative to perform its duties
under the contract or comparable legal instrument. Contracts may not
permit a contractor, subcontractor, or voluntary legal representative
to redisclose information to a third party unless that third party is a
contract agent of the contractor or subcontractor, helping them provide
services described in the contract, and only as long as the agent only
further discloses the information back to the contractor or lawful
holder from which the information originated.
25. Amend Sec. 2.34 by revising the section heading and paragraph (b)
to read as follows:
Sec. 2.34 Uses and Disclosures to prevent multiple enrollments.
* * * * *
(b) Use of information in records limited to prevention of multiple
enrollments. A central registry and any withdrawal management or
maintenance treatment program to which information is disclosed to
prevent multiple enrollments may not use or redisclose patient
identifying information for any purpose other than the prevention of
multiple enrollments or to ensure appropriate coordinated care with a
treating provider that is not a part 2 program unless authorized by a
court order under subpart E of this part.
* * * * *
26. Amend Sec. 2.35 by revising paragraphs (a) introductory text,
(a)(1), (b)(3), and (d) to read as follows:
Sec. 2.35 Disclosures to elements of the criminal justice system
which have referred patients.
(a) Consent for criminal justice referrals. A part 2 program may
disclose information from a record about a patient to those persons
within the criminal justice system who have made participation in the
part 2 program a condition of the disposition of any criminal
proceedings against the patient or of the patient's parole or other
release from custody if:
(1) The disclosure is made only to those persons within the
criminal justice system who have a need for the information in
connection with their duty to monitor the patient's progress (e.g., a
prosecuting attorney who is withholding charges against the patient, a
court granting pretrial or post-trial release, probation or parole
officers responsible for supervision of the patient); and
* * * * *
(b) * * *
(3) Such other factors as the part 2 program, the patient, and the
person(s) within the criminal justice system who will receive the
disclosure consider pertinent.
* * * * *
(d) Restrictions on use and redisclosure. Any persons within the
criminal justice system who receive patient information under this
section may use and redisclose it only to carry out official duties
with regard to the patient's conditional release or other action in
connection with which the consent was given.
27. Revise the heading of subpart D to read as follows:
Subpart D--Uses and Disclosures Without Patient Consent
* * * * *
28. Amend Sec. 2.51 by revising paragraph (c)(2) to read as follows:
Sec. 2.51 Medical emergencies.
* * * * *
(c) * * *
(2) The name of the person making the disclosure;
* * * * *
29. Amend Sec. 2.52 by:
a. Revising the section heading and paragraphs (a) introductory text,
(a)(1) introductory text, (a)(1)(i), (a)(2), (b) introductory text,
(b)(2) and (3), and (c)(1) introductory text;
b. Adding paragraph (c)(1)(iii); and
c. Removing the second paragraph (c)(2).
The revisions and addition read as follows:
Sec. 2.52 Scientific research.
(a) Use and disclosure of patient identifying information.
Notwithstanding other provisions of this part, including paragraph
(b)(2) of this section, patient identifying information may be used or
disclosed for the purposes of the recipient conducting scientific
research if:
(1) The person designated as director or managing director, or
person otherwise vested with authority to act as chief executive
officer or their designee, of a part 2 program or other lawful holder
of data under this part, makes a determination that the recipient of
the patient identifying information is:
(i) A HIPAA covered entity or business associate that has obtained
and documented authorization from the patient, or a waiver or
alteration of authorization, consistent with 45 CFR 164.508 or
164.512(i), as applicable;
* * * * *
(2) The part 2 program or other lawful holder of data under this
part is a HIPAA covered entity or business associate, and the use or
disclosure is made in accordance with the requirements at 45 CFR
164.512(i).
* * * * *
(b) Requirements for researchers. Any person conducting scientific
research using patient identifying information obtained under paragraph
(a) of this section:
* * * * *
(2) Must not redisclose patient identifying information except back
to the person from whom that patient identifying information was
obtained or as permitted under paragraph (c) of this section.
(3) May include data under this part in research reports only in
aggregate form in which patient identifying information has been de-
identified in accordance with the requirements of 45 CFR 164.514(b)
such that there is no reasonable basis to believe that the information
can be used to identify a patient.
* * * * *
(c) * * *
(1) Researchers. Any person conducting scientific research using
patient identifying information obtained under paragraph (a) of this
section that requests linkages to data sets from a data repository(ies)
holding patient identifying information must:
* * * * *
(iii) Ensure that patient identifying information is not
redisclosed for data linkage purposes other than as provided in this
paragraph (c).
* * * * *
30. Amend Sec. 2.53 by:
a. Revising the section heading and paragraphs (a) introductory text,
(a)(1)(ii), (b) introductory text, (b)(1)(iii), (b)(2)(ii), (c)(1)
introductory text, (c)(1)(i), (e)(1) introductory text, (e)(1)(iii),
(e)(5) and (6), and (f) heading; and
b. Adding paragraph (h).
The revisions and addition read as follows:
Sec. 2.53 Management audits, financial audits, and program
evaluation.
(a) Records not copied or removed. If patient records are not
downloaded, copied or removed from the premises of a part 2 program or
other lawful holder, or forwarded electronically to another electronic
system or device, patient identifying information, as defined in Sec.
2.11, may be disclosed in the course of a review of records on the
premises of a part 2 program or other lawful holder to any person who
agrees in writing to comply with the limitations on use and
redisclosure in paragraph (f) of this section and who:
(1) * * *
(ii) Any person which provides financial assistance to the part 2
program or other lawful holder, which is a third-party payer or health
plan covering patients in the part 2 program, or which is a quality
improvement organization (QIO) performing a QIO review, or the
contractors, subcontractors, or legal representatives of such person or
quality improvement organization; or
* * * * *
(b) Copying, removing, downloading, or forwarding patient records.
Records containing patient identifying information, as defined in Sec.
2.11, may be copied or removed from the premises of a part 2 program or
other lawful holder or downloaded or forwarded to another electronic
system or device from the part 2 program's or other lawful holder's
electronic records by any person who:
(1) * * *
(iii) Comply with the limitations on use and disclosure in
paragraph (f) of this section; and
(2) * * *
(ii) Any person which provides financial assistance to the part 2
program or other lawful holder, which is a third-party payer or health
plan covering patients in the part 2 program, or which is a quality
improvement organization performing a QIO review, or the contractors,
subcontractors, or legal representatives of such person or quality
improvement organization; or
* * * * *
(c) * * *
(1) Activities undertaken by a Federal, state, or local
governmental agency, or a third-party payer or health plan, in order
to:
(i) Identify actions the agency or third-party payer or health plan
can make, such as changes to its policies or procedures, to improve
care and outcomes for patients with substance use disorders who are
treated by part 2 programs;
* * * * *
(e) * * *
(1) Patient identifying information, as defined in Sec. 2.11, may
be disclosed under paragraph (e) of this section to any person for the
purpose of conducting a Medicare, Medicaid, or CHIP audit or
evaluation, including an audit or evaluation necessary to meet the
requirements for a Centers for Medicare & Medicaid Services (CMS)-
regulated accountable care organization (CMS-regulated ACO) or similar
CMS-regulated organization (including a CMS-regulated Qualified Entity
(QE)), if the person agrees in writing to comply with the following:
* * * * *
(iii) Comply with the limitations on use and disclosure in
paragraph (f) of this section.
* * * * *
(5) If a disclosure to a person is authorized under this section
for a Medicare, Medicaid, or CHIP audit or evaluation, including a
civil investigation or administrative remedy, as those terms are used
in paragraph (e)(2) of this section, the person may further use or
disclose the patient identifying information that is received for such
purposes to its contractor(s), subcontractor(s), or legal
representative(s), to carry out the audit or evaluation, and a quality
improvement organization which obtains such information under
paragraph (a) or (b) of this section may
use or disclose the information to that person (or, to such person's
contractors, subcontractors, or legal representatives, but only for the
purposes of this section).
(6) The provisions of this paragraph (e) do not authorize the part
2 program, the Federal, state, or local government agency, or any other
person to use or disclose patient identifying information obtained
during the audit or evaluation for any purposes other than those
necessary to complete the audit or evaluation as specified in this
paragraph (e).
(f) Limitations on use and disclosure. * * *
(h) Disclosures for health care operations. With respect to
activities described in paragraphs (c) and (d) of this section, a part
2 program, covered entity, or business associate may disclose records
in accordance with a consent that includes health care operations, and
the recipient may redisclose such records as permitted under the HIPAA
regulations if the recipient is a covered entity or business associate.
31. Add Sec. 2.54 to subpart D to read as follows:
Sec. 2.54 Disclosures for public health.
A part 2 program may disclose records for public health purposes
without patient consent so long as:
(a) The disclosure is made to a public health authority as defined
in this part; and
(b) The content of the information from the record disclosed has
been de-identified in accordance with the requirements of 45 CFR
164.514(b) such that there is no reasonable basis to believe that the
information can be used to identify a patient.
32. Revise the heading of subpart E to read as follows:
Subpart E--Court Orders Authorizing Use and Disclosure
* * * * *
33. Revise Sec. 2.61 to read as follows:
Sec. 2.61 Legal effect of order.
(a) Effect. An order of a court of competent jurisdiction entered
under this subpart is a unique kind of court order. Its only purpose is
to authorize a use or disclosure of patient information which would
otherwise be prohibited by 42 U.S.C. 290dd-2 and the regulations in
this part. Such an order does not compel use or disclosure. A subpoena
or a similar legal mandate must be issued to compel use or disclosure.
This mandate may be entered at the same time as and accompany an
authorizing court order entered under the regulations in this part.
(b) Examples. (1) A person holding records subject to the
regulations in this part receives a subpoena for those records. The
person may not use or disclose the records in response to the subpoena
unless a court of competent jurisdiction enters an authorizing order
under the regulations in this part.
(2) An authorizing court order is entered under the regulations in
this part, but the person holding the records does not want to make the
use or disclosure. If there is no subpoena or other compulsory process
or a subpoena for the records has expired or been quashed, that person
may refuse to make the use or disclosure. Upon the entry of a valid
subpoena or other compulsory process the person holding the records
must use or disclose, unless there is a valid legal defense to the
process other than the confidentiality restrictions of the regulations
in this part.
34. Revise Sec. 2.62 to read as follows:
Sec. 2.62 Order not applicable to records disclosed without consent
to researchers, auditors, and evaluators.
A court order under the regulations in this part may not authorize
persons who meet the criteria specified in Sec. Sec. 2.52(a)(1)(i)
through (iii) and 2.53, who have received patient identifying
information without consent for the purpose of conducting research,
audit, or evaluation, to disclose that information or use it to conduct
any criminal investigation or prosecution of a patient. However, a
court order under Sec. 2.66 may authorize use and disclosure of
records to investigate or prosecute such persons who are holding the
records.
35. Amend Sec. 2.63 by revising paragraph (a)(3) to read as follows:
Sec. 2.63 Confidential communications.
(a) * * *
(3) The disclosure is in connection with a civil, criminal,
administrative, or legislative proceeding in which the patient offers
testimony or other evidence pertaining to the content of the
confidential communications.
* * * * *
36. Amend Sec. 2.64 by revising the section heading and paragraphs
(a), (b) introductory text, (d)(2), and (e) to read as follows:
Sec. 2.64 Procedures and criteria for orders authorizing uses and
disclosures for noncriminal purposes.
(a) Application. An order authorizing the use or disclosure of
patient records or testimony relaying the information contained in the
records for purposes other than criminal investigation or prosecution
may be applied for by any person having a legally recognized interest
in the use or disclosure which is sought in the course of a civil,
administrative, or legislative proceeding. The application may be filed
separately or as part of a pending civil action in which the applicant
asserts that the patient records or testimony relaying the information
contained in the records are needed to provide evidence. An application
must use a fictitious name, such as John Doe, to refer to any patient
and may not contain or otherwise disclose any patient identifying
information unless the patient is the applicant or has given written
consent (meeting the requirements of the regulations in this part) to
disclosure or the court has ordered the record of the proceeding sealed
from public scrutiny.
(b) Notice. A court order under this section is only valid when the
patient and the person holding the records from whom disclosure is
sought have received:
* * * * *
(d) * * *
(2) The public interest and need for the use or disclosure outweigh
the potential injury to the patient, the physician-patient relationship
and the treatment services.
(e) Content of order. An order authorizing a use or disclosure
must:
(1) Limit use or disclosure to only those parts of the patient's
record, or testimony relaying those parts of the patient's record,
which are essential to fulfill the objective of the order;
(2) Limit use or disclosure to those persons whose need for
information is the basis for the order; and
(3) Include such other measures as are necessary to limit use or
disclosure for the protection of the patient, the physician-patient
relationship and the treatment services; for example, sealing from
public scrutiny the record of any proceeding for which use or
disclosure of a patient's record, or testimony relaying the contents of
the record, has been ordered.
37. Amend Sec. 2.65 by revising the section heading and paragraphs
(a), (b) introductory text, (d) introductory text, (d)(2), and (e) to
read as follows:
Sec. 2.65 Procedures and criteria for orders authorizing use and
disclosure of records to criminally investigate or prosecute patients.
(a) Application. An order authorizing the use or disclosure of
patient records, or testimony relaying the information contained in
those records, to investigate or prosecute a patient in connection with
a criminal proceeding may be applied for by the person holding the
records or by any law enforcement or prosecutorial official who is
responsible for conducting investigative or prosecutorial activities
with respect to the enforcement of criminal laws, including
administrative and legislative criminal proceedings. The application
may be filed separately, as part of an application for a subpoena or
other compulsory process, or in a pending criminal action. An
application must use a fictitious name such as John Doe, to refer to
any patient and may not contain or otherwise use or disclose patient
identifying information unless the court has ordered the record of the
proceeding sealed from public scrutiny.
(b) Notice and hearing. Unless an order under Sec. 2.66 is sought
in addition to an order under this section, an order under this section
is valid only when the person holding the records has received:
* * * * *
(d) Criteria. A court may authorize the use and disclosure of
patient records, or testimony relaying the information contained in
those records, for the purpose of conducting a criminal investigation
or prosecution of a patient only if the court finds that all of the
following criteria are met:
* * * * *
(2) There is a reasonable likelihood that the records or testimony
will disclose information of substantial value in the investigation or
prosecution.
* * * * *
(e) Content of order. Any order authorizing a use or disclosure of
patient records subject to this part, or testimony relaying the
information contained in those records, under this section must:
(1) Limit use and disclosure to those parts of the patient's
record, or testimony relaying the information contained in those
records, which are essential to fulfill the objective of the order;
(2) Limit disclosure to those law enforcement and prosecutorial
officials who are responsible for, or are conducting, the investigation
or prosecution, and limit their use of the records or testimony to
investigation and prosecution of the extremely serious crime or
suspected crime specified in the application; and
(3) Include such other measures as are necessary to limit use and
disclosure to the fulfillment of only that public interest and need
found by the court.
38. Amend Sec. 2.66 by:
a. Revising the section heading and paragraph (a)(1);
b. Adding paragraph (a)(3); and
c. Revising paragraphs (b), (c), and (d).
The revisions and addition read as follows:
Sec. 2.66 Procedures and criteria for orders authorizing use and
disclosure of records to investigate or prosecute a part 2 program or
the person holding the records.
(a) * * *
(1) An order authorizing the use or disclosure of patient records
subject to this part to investigate or prosecute a part 2 program or
the person holding the records (or employees or agents of that part 2
program or person holding the records) in connection with a criminal or
administrative matter may be applied for by any investigative agency
having jurisdiction over the program's or person's activities.
* * * * *
(3) Upon discovering in good faith that it received records under
this part in the course of investigating or prosecuting a part 2
program or the person holding the records (or employees or agents of
that part 2 program or person holding the records), an investigative
agency must do the following:
(i) Secure the records in accordance with Sec. 2.16; and
(ii) Immediately cease using and disclosing the records until the
investigative agency obtains a court order consistent with paragraph
(c) of this section authorizing the use and disclosure of the records
and any records later obtained. The application for the court order
must occur within a reasonable period of time, but not more than 120
days after discovering it received records under this part; or
(iii) If the agency does not seek a court order in accordance with
paragraph (a)(3)(ii) of this section, the agency must either return the
records to the part 2 program or person holding the records, if it is
legally permissible to do so, within a reasonable period of time, but
not more than 120 days after discovering it received records under this
part; or
(iv) If the agency does not seek a court order or return the
records, the agency must destroy the records in a manner that renders
the patient identifying information non-retrievable, within a
reasonable period of time, but not more than 120 days after discovering
it received records under this part.
(v) If the agency's application for a court order is rejected by
the court and no longer subject to appeal, the agency must return the
records to the part 2 program or person holding the records, if it is
legally permissible to do so, or destroy the records immediately after
notice from the court.
(b) Notice not required. An application under this section may, in
the discretion of the court, be granted without notice. Although no
express notice is required to the part 2 program, to the person holding
the records, or to any patient whose records are to be disclosed, upon
implementation of an order so granted any of those persons must be
afforded an opportunity to seek revocation or amendment of that order,
limited to the presentation of evidence on the statutory and regulatory
criteria for the issuance of the court order in accordance with
paragraph (c) of this section. If a court finds that individualized
contact is impractical under the circumstances, patients may be
informed of the opportunity through a substitute form of notice that
the court determines is reasonably calculated to reach the patients,
such as conspicuous notice in major print or broadcast media in
geographic areas where the affected patients likely reside.
(c) Requirements for order. An order under this section must be
entered in accordance with, and comply with the requirements of Sec.
2.64(e). In addition, an order under this section may be entered only
if the court determines that good cause exists. To make such good cause
determination, the court must find that:
(1) Other ways of obtaining the information are not available,
would not be effective, or would yield incomplete information;
(2) The public interest and need for the use or disclosure outweigh
the potential injury to the patient, the physician-patient
relationship, and the treatment services; and
(3) For an application being submitted pursuant to paragraph
(a)(3)(ii) of this section, the investigative agency has satisfied the
conditions at Sec. 2.3(b). Information from records obtained in
violation of this part, including Sec. 2.12(d), cannot be used in an
application for a court order to obtain such records.
(d) Limitations on use and disclosure of patient identifying
information. (1) An order entered under this section must require the
deletion or removal of patient identifying information from any
documents or oral testimony made available to the public.
[[Page 12631]]
(2) No information obtained under this section may be used or
disclosed to conduct any investigation or prosecution of a patient in
connection with a criminal matter, or be used or disclosed as the basis
for an application for an order under Sec. 2.65.
39. Amend Sec. 2.67 by revising paragraphs (a), (c), (d)(3), and (e)
to read as follows:
Sec. 2.67 Orders authorizing the use of undercover agents and
informants to investigate employees or agents of a part 2 program in
connection with a criminal matter.
(a) Application. A court order authorizing the placement of an
undercover agent or informant in a part 2 program as an employee or
patient may be applied for by any investigative agency which has reason
to believe that employees or agents of the part 2 program are engaged
in criminal misconduct.
* * * * *
(c) Criteria. An order under this section may be entered only if
the court determines that good cause exists. To make such good cause
determination, the court must find all of the following:
(1) There is reason to believe that an employee or agent of the
part 2 program is engaged in criminal activity;
(2) Other ways of obtaining evidence of the suspected criminal
activity are not available, would not be effective, or would yield
incomplete evidence;
(3) The public interest and need for the placement of an undercover
agent or informant in the part 2 program outweigh the potential injury
to patients of the part 2 program, physician-patient relationships, and
the treatment services; and
(4) For an application submitted after the placement of an
undercover agent or informant has already occurred, that the
investigative agency has satisfied the conditions at Sec. 2.3(b) and
only discovered that a court order was necessary after such placement
occurred. Information from records obtained in violation of this part,
including Sec. 2.12(d), cannot be used in an application for a court
order to obtain such records.
(d) * * *
(3) Prohibit the undercover agent or informant from using or
disclosing any patient identifying information obtained from the
placement except as necessary to investigate or prosecute employees or
agents of the part 2 program in connection with the suspected criminal
activity; and
* * * * *
(e) Limitation on use and disclosure of information. No information
obtained by an undercover agent or informant placed in a part 2 program
under this section may be used or disclosed to investigate or prosecute
any patient in connection with a criminal matter or as the basis for an
application for an order under Sec. 2.65.
40. Add Sec. 2.68 to subpart E to read as follows:
Sec. 2.68 Report to the Secretary.
(a) Any investigative agency covered by this part shall report to
the Secretary, not later than 60 days after the end of each calendar
year, to the extent applicable and practicable, on:
(1) The number of applications made under Sec. Sec. 2.66(a)(3)(ii)
and 2.67(c)(4) during the calendar year;
(2) The number of instances in which such applications were denied,
due to findings by the court of violations of this part during the
calendar year; and
(3) The number of instances in which records under this part were
returned or destroyed following unknowing receipt without a court
order, in compliance with Sec. 2.66(a)(3)(iii), (iv), or (v),
respectively during the calendar year.
(b) [Reserved]
Xavier Becerra,
Secretary, Department of Health and Human Services.
[FR Doc. 2024-02544 Filed 2-8-24; 11:15 am]
BILLING CODE 4153-01-P